From 0ecc35ea41a25f4ec89649533b51aa927ad64f85 Mon Sep 17 00:00:00 2001 From: Jan Larwig Date: Mon, 23 Mar 2026 09:38:12 +0100 Subject: [PATCH 01/10] chore(deps): update gomod and golangci/golangci-lint to v2.11.4 (#3382) Signed-off-by: Jan Larwig --- .github/workflows/ci.yml | 2 +- .github/workflows/publish-release.yml | 2 +- CHANGELOG.md | 5 + go.mod | 59 +++++------ go.sum | 138 ++++++++++++++------------ oauthproxy.go | 2 + pkg/apis/options/legacy_options.go | 2 +- pkg/validation/providers.go | 3 +- providers/ms_entra_id.go | 2 + 9 files changed, 116 insertions(+), 99 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e0610cad..1d036ec0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,7 +39,7 @@ jobs: uses: golangci/golangci-lint-action@v9 with: install-only: true - version: v2.8.0 # renovate: datasource=github-tags depName=golangci/golangci-lint + version: v2.11.4 # renovate: datasource=github-tags depName=golangci/golangci-lint - name: Verify Code Generation run: | diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 4a1f2696..ed58edd9 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -59,7 +59,7 @@ jobs: uses: golangci/golangci-lint-action@v9 with: install-only: true - version: v2.8.0 # renovate: datasource=github-tags depName=golangci/golangci-lint + version: v2.11.4 # renovate: datasource=github-tags depName=golangci/golangci-lint - name: Get go dependencies run: | diff --git a/CHANGELOG.md b/CHANGELOG.md index 8da01f83..5d740cb9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## Release Highlights +- Fixes [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) + - OAuth2 Proxy was not impacted by this vulnerability as it isn't in the path of execution + ## Important Notes ## Breaking Changes 
@@ -10,6 +13,8 @@ # V7.15.0 +- [#3382](https://github.com/oauth2-proxy/oauth2-proxy/pull/3382) chore(deps): update gomod and golangci/golangci-lint to v2.11.4 (@tuunit) + ## Release Highlights - 🔒 OIDC JWT signing algorithms can now be configured diff --git a/go.mod b/go.mod index 4f54660f..a379e58d 100644 --- a/go.mod +++ b/go.mod 
@@ -6,42 +6,43 @@ require ( cloud.google.com/go/compute/metadata v0.9.0 github.com/Bose/minisentinel v0.0.0-20200130220412-917c5a9223bb github.com/a8m/envsubst v1.4.3 - github.com/alicebob/miniredis/v2 v2.35.0 + github.com/alicebob/miniredis/v2 v2.37.0 github.com/bitly/go-simplejson v0.5.1 github.com/bsm/redislock v0.9.4 github.com/coreos/go-oidc/v3 v3.17.0 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf github.com/fsnotify/fsnotify v1.9.0 github.com/go-jose/go-jose/v3 v3.0.4 + github.com/go-jose/go-jose/v4 v4.1.3 github.com/go-viper/mapstructure/v2 v2.4.0 - github.com/golang-jwt/jwt/v5 v5.3.0 + github.com/golang-jwt/jwt/v5 v5.3.1 github.com/google/go-cmp v0.7.0 github.com/google/uuid v1.6.0 github.com/gorilla/mux v1.8.1 github.com/justinas/alice v1.2.0 github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 - github.com/onsi/ginkgo/v2 v2.27.5 - github.com/onsi/gomega v1.39.0 - github.com/pierrec/lz4/v4 v4.1.25 + github.com/onsi/ginkgo/v2 v2.28.1 + github.com/onsi/gomega v1.39.1 + github.com/pierrec/lz4/v4 v4.1.26 github.com/prometheus/client_golang v1.23.2 - github.com/redis/go-redis/v9 v9.17.2 + github.com/redis/go-redis/v9 v9.18.0 github.com/spf13/cast v1.10.0 github.com/spf13/pflag v1.0.10 github.com/spf13/viper v1.21.0 github.com/stretchr/testify v1.11.1 github.com/vmihailenco/msgpack/v5 v5.4.1 go.yaml.in/yaml/v3 v3.0.4 - golang.org/x/crypto v0.47.0 - golang.org/x/net v0.49.0 - golang.org/x/oauth2 v0.34.0 - golang.org/x/sync v0.19.0 - google.golang.org/api v0.260.0 + golang.org/x/crypto v0.49.0 + golang.org/x/net v0.52.0 + golang.org/x/oauth2 v0.36.0 + golang.org/x/sync v0.20.0 + google.golang.org/api v0.272.0 gopkg.in/natefinch/lumberjack.v2 v2.2.1 - k8s.io/apimachinery v0.35.0 + k8s.io/apimachinery v0.35.3 ) require ( - cloud.google.com/go/auth v0.18.0 // indirect + cloud.google.com/go/auth v0.18.2 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect github.com/Masterminds/semver/v3 v3.4.0 // indirect 
github.com/beorn7/perks v1.0.1 // indirect 
@@ -49,38 +50,38 @@ require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/go-jose/go-jose/v4 v4.1.3 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect - github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect + github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc // indirect github.com/google/s2a-go v0.1.9 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect - github.com/googleapis/gax-go/v2 v2.16.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect + github.com/googleapis/gax-go/v2 v2.19.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pelletier/go-toml/v2 v2.2.4 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_model v0.6.2 // indirect github.com/prometheus/common v0.67.5 // indirect - github.com/prometheus/procfs v0.19.2 // indirect + github.com/prometheus/procfs v0.20.1 // indirect github.com/sagikazarmark/locafero v0.12.0 // indirect github.com/spf13/afero v1.15.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect github.com/yuin/gopher-lua v1.1.1 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect - go.opentelemetry.io/otel v1.39.0 // indirect - go.opentelemetry.io/otel/metric v1.39.0 // indirect - go.opentelemetry.io/otel/trace v1.39.0 // indirect - go.yaml.in/yaml/v2 v2.4.3 // indirect - golang.org/x/mod v0.32.0 // indirect - golang.org/x/sys v0.40.0 // indirect - golang.org/x/text 
v0.33.0 // indirect - golang.org/x/tools v0.41.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 // indirect - google.golang.org/grpc v1.78.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect + go.opentelemetry.io/otel v1.42.0 // indirect + go.opentelemetry.io/otel/metric v1.42.0 // indirect + go.opentelemetry.io/otel/trace v1.42.0 // indirect + go.uber.org/atomic v1.11.0 // indirect + go.yaml.in/yaml/v2 v2.4.4 // indirect + golang.org/x/mod v0.34.0 // indirect + golang.org/x/sys v0.42.0 // indirect + golang.org/x/text v0.35.0 // indirect + golang.org/x/tools v0.43.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 // indirect + google.golang.org/grpc v1.79.3 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index ac6b56d4..48ddf1f2 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -cloud.google.com/go/auth v0.18.0 h1:wnqy5hrv7p3k7cShwAU/Br3nzod7fxoqG+k0VZ+/Pk0= -cloud.google.com/go/auth v0.18.0/go.mod h1:wwkPM1AgE1f2u6dG443MiWoD8C3BtOywNsUMcUTVDRo= +cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM= +cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M= cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= 
@@ -14,8 +14,8 @@ github.com/a8m/envsubst v1.4.3 h1:kDF7paGK8QACWYaQo6KtyYBozY2jhQrTuNNuUxQkhJY= github.com/a8m/envsubst v1.4.3/go.mod h1:4jjHWQlZoaXPoLQUb7H2qT4iLkZDdmEQiOUogdUmqVU= github.com/alicebob/gopher-json v0.0.0-20180125190556-5a6b3ba71ee6/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc= github.com/alicebob/miniredis/v2 v2.11.1/go.mod h1:UA48pmi7aSazcGAvcdKcBB49z521IC9VjTTRz2nIaJE= -github.com/alicebob/miniredis/v2 v2.35.0 h1:QwLphYqCEAo1eu1TqPRN2jgVMPBweeQcR21jeqDCONI= -github.com/alicebob/miniredis/v2 v2.35.0/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj6OXMm/+iu5cLMM= +github.com/alicebob/miniredis/v2 v2.37.0 h1:RheObYW32G1aiJIj81XVt78ZHJpHonHLHW7OLIshq68= +github.com/alicebob/miniredis/v2 v2.37.0/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj6OXMm/+iu5cLMM= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bitly/go-simplejson v0.5.1 h1:xgwPbetQScXt1gh9BmoJ6j9JMr3TElvuIyjR8pgdoow= 
@@ -67,8 +67,8 @@ github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9L github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= -github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= -github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= +github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY= +github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3 h1:6amM4HsNPOvMLVc2ZnyqrjeQ92YAVWn7T4WBKK87inY= 
@@ -76,17 +76,17 @@ github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3/go.mod h1:B4C85q github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc= -github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= +github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc h1:VBbFa1lDYWEeV5FZKUiYKYT0VxCp9twUmmaq9eb8sXw= +github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao= -github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8= -github.com/googleapis/gax-go/v2 v2.16.0 h1:iHbQmKLLZrexmb0OSsNGTeSTS0HO4YvFOG8g5E4Zd0Y= -github.com/googleapis/gax-go/v2 v2.16.0/go.mod h1:o1vfQjjNZn4+dPnRdl/4ZD7S9414Y4xA+a/6Icj6l14= +github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8= +github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg= +github.com/googleapis/gax-go/v2 v2.19.0 h1:fYQaUOiGwll0cGj7jmHT/0nPlcrZDFPrZRhTsoCr8hE= +github.com/googleapis/gax-go/v2 v2.19.0/go.mod 
h1:w2ROXVdfGEVFXzmlciUU4EdjHgWvB5h2n6x/8XSTTJA= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE= @@ -95,6 +95,8 @@ github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo= github.com/justinas/alice v1.2.0/go.mod h1:fN5HRH/reO/zrUflLfTN43t3vXvKzvZIENsNEe7i7qA= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/klauspost/cpuid/v2 v2.0.9 h1:lgaqFMSdTdQYdZ04uHyN2d/eKdOMyi2YLSvlQIBFYa4= +github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -111,14 +113,14 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 h1:9bCMuD3TcnjeqjPT2gSlha4asp8NvgcFRYExCaikCxk= github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25/go.mod h1:eDjgYHYDJbPLBLsyZ6qRaugP0mX8vePOhZ5id1fdzJw= -github.com/onsi/ginkgo/v2 v2.27.5 h1:ZeVgZMx2PDMdJm/+w5fE/OyG6ILo1Y3e+QX4zSR0zTE= -github.com/onsi/ginkgo/v2 v2.27.5/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= -github.com/onsi/gomega v1.39.0 h1:y2ROC3hKFmQZJNFeGAMeHZKkjBL65mIZcvrLQBF9k6Q= -github.com/onsi/gomega v1.39.0/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= +github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI= +github.com/onsi/ginkgo/v2 v2.28.1/go.mod h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE= +github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= +github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4= github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY= -github.com/pierrec/lz4/v4 v4.1.25 h1:kocOqRffaIbU5djlIBr7Wh+cx82C0vtFb0fOurZHqD0= -github.com/pierrec/lz4/v4 v4.1.25/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4= +github.com/pierrec/lz4/v4 v4.1.26 h1:GrpZw1gZttORinvzBdXPUXATeqlJjqUG/D87TKMnhjY= +github.com/pierrec/lz4/v4 v4.1.26/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -128,10 +130,10 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4= github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw= -github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws= -github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw= -github.com/redis/go-redis/v9 v9.17.2 h1:P2EGsA4qVIM3Pp+aPocCJ7DguDHhqrXNhVcEp4ViluI= -github.com/redis/go-redis/v9 v9.17.2/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370= +github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc= +github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo= +github.com/redis/go-redis/v9 v9.18.0 h1:pMkxYPkEbMPwRdenAzUNyFNrDgHx9U+DrBabWNfSRQs= +github.com/redis/go-redis/v9 v9.18.0/go.mod h1:k3ufPphLU5YXwNTUcCRXGxUoF1fqxnhFQmscfkCoDA0= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4= 
@@ -167,51 +169,55 @@ github.com/yuin/gopher-lua v0.0.0-20190206043414-8bfc7677f583/go.mod h1:gqRgreBU github.com/yuin/gopher-lua v0.0.0-20191213034115-f46add6fdb5c/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ= github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M= github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= +github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0= +github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ= -go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= -go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= -go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= -go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= -go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= -go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= -go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= -go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= 
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= -go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg= +go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho= +go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc= +go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4= +go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI= +go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo= +go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts= +go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA= +go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc= +go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY= +go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc= +go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= -go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ= +go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ= go.yaml.in/yaml/v3 v3.0.4 
h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= -golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= +golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= +golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= -golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= +golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= +golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= -golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= -golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= -golang.org/x/oauth2 
v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= +golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= +golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= +golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= -golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= +golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -221,8 +227,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ= -golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= 
@@ -234,29 +240,29 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= -golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= -golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= -golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= +golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= +golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= +golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= -golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= +golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s= +golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/api v0.260.0 
h1:XbNi5E6bOVEj/uLXQRlt6TKuEzMD7zvW/6tNwltE4P4= -google.golang.org/api v0.260.0/go.mod h1:Shj1j0Phr/9sloYrKomICzdYgsSDImpTxME8rGLaZ/o= -google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 h1:GvESR9BIyHUahIb0NcTum6itIWtdoglGX+rnGxm2934= -google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:yJ2HH4EHEDTd3JiLmhds6NkJ17ITVYOdV3m3VKOnws0= -google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= -google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 h1:C4WAdL+FbjnGlpp2S+HMVhBeCq2Lcib4xZqfPNF6OoQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= -google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= -google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= +google.golang.org/api v0.272.0 h1:eLUQZGnAS3OHn31URRf9sAmRk3w2JjMx37d2k8AjJmA= +google.golang.org/api v0.272.0/go.mod h1:wKjowi5LNJc5qarNvDCvNQBn3rVK8nSy6jg2SwRwzIA= +google.golang.org/genproto v0.0.0-20260316180232-0b37fe3546d5 h1:JNfk58HZ8lfmXbYK2vx/UvsqIL59TzByCxPIX4TDmsE= +google.golang.org/genproto v0.0.0-20260316180232-0b37fe3546d5/go.mod h1:x5julN69+ED4PcFk/XWayw35O0lf/nGa4aNgODCmNmw= +google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5 h1:CogIeEXn4qWYzzQU0QqvYBM8yDF9cFYzDq9ojSpv0Js= +google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5/go.mod h1:EIQZ5bFCfRQDV4MhRle7+OgjNtZ6P1PiZBgAKuxXu/Y= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 h1:ndE4FoJqsIceKP2oYSnUZqhTdYufCYYkqwtFzfrhI7w= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/grpc v1.79.3 
h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= +google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -267,5 +273,5 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYs gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8= -k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= +k8s.io/apimachinery v0.35.3 h1:MeaUwQCV3tjKP4bcwWGgZ/cp/vpsRnQzqO6J6tJyoF8= +k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= diff --git a/oauthproxy.go b/oauthproxy.go index 1610507b..dc3f8b57 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -875,6 +875,8 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) { remoteAddr := ip.GetClientString(p.realClientIPParser, req, true) // finish the oauth cycle + // #nosec G120 -- The default max size in Go is already capped at 10MB so this would be the absolute max and is + // unlikely to be hit in practice. err := req.ParseForm() if err != nil { logger.Errorf("Error while parsing OAuth2 callback: %v", err) diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go index 99e3679f..e53fd480 100644 --- a/pkg/apis/options/legacy_options.go +++ b/pkg/apis/options/legacy_options.go 
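Review bot: The `#nosec G120` suppression in OAuthCallback leaves `req.ParseForm()` relying on Go's built-in 10MB body cap, which is far more than an OAuth2 callback needs on a handler that is presumably reachable by clients without a session. Rather than suppressing the finding, bound the body explicitly just before the parse, e.g. `req.Body = http.MaxBytesReader(rw, req.Body, maxCallbackBodyBytes)`, where `maxCallbackBodyBytes` is a placeholder for a small limit the project chooses. If the suppression stays, the comment should say that the 10MB cap applies per request and only to bodies not already wrapped by `http.MaxBytesReader`. OAuthCallback starts and ends outside this hunk.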
@@ -694,7 +694,7 @@ func (l LegacyServer) convert() (Server, Server) { } func (l *LegacyProvider) convert() (Providers, error) { - providers := Providers{} + providers := make(Providers, 0, 1) provider := Provider{ ClientID: l.ClientID, diff --git a/pkg/validation/providers.go b/pkg/validation/providers.go index ecc3277a..0c8e28db 100644 --- a/pkg/validation/providers.go +++ b/pkg/validation/providers.go @@ -165,7 +165,8 @@ func validateEntraConfig(provider options.Provider) []string { return msgs } - _, err := os.ReadFile(federatedTokenPath) + // #nosec G703 -- AZURE_FEDERATED_TOKEN_FILE is set by the operator, not user input + _, err := os.Stat(federatedTokenPath) if err != nil { msgs = append(msgs, "could not read entra federated token file") } diff --git a/providers/ms_entra_id.go b/providers/ms_entra_id.go index f9445d69..f30176fd 100644 --- a/providers/ms_entra_id.go +++ b/providers/ms_entra_id.go @@ -110,6 +110,7 @@ func (p *MicrosoftEntraIDProvider) Redeem(ctx context.Context, redirectURL, code // redeemWithFederatedToken performs custom token exchange with federated token instead of client secret func (p *MicrosoftEntraIDProvider) redeemWithFederatedToken(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error) { federatedTokenPath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE") + // #nosec G703 -- AZURE_FEDERATED_TOKEN_FILE is set by the operator, not user input federatedToken, err := os.ReadFile(federatedTokenPath) if err != nil { return nil, fmt.Errorf("error reading federated token file %s: %s", federatedTokenPath, err) 
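Review bot: Replacing `os.ReadFile` with `os.Stat` in validateEntraConfig means startup validation only proves that the path resolves, while the message still says "could not read entra federated token file". A directory or a file the process cannot read now passes validation and fails later at the `os.ReadFile` call in the provider's redeem path. Consider `info, err := os.Stat(federatedTokenPath)` followed by `if err != nil || !info.Mode().IsRegular() {`, and reword the message to say the file is missing or not a regular file. The `#nosec G703` justification holds only while the process environment is operator-controlled, which is worth stating in the comment. The function body continues outside the hunk.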
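Review bot: The `#nosec G703` comment is attached to the same `os.Getenv("AZURE_FEDERATED_TOKEN_FILE")` / `os.ReadFile` pair in redeemWithFederatedToken here and again in redeemRefreshTokenWithFederatedToken in the next hunk (`@@ -162,6 +163,7`), with a third suppression in pkg/validation/providers.go. Moving the lookup and read into one unexported helper would leave a single suppression with a single justification to audit. It would also give one place to report an unset variable clearly, instead of a failed read of an empty path. Both functions continue outside their hunks.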
@@ -162,6 +163,7 @@ func (p *MicrosoftEntraIDProvider) RefreshSession(ctx context.Context, s *sessio // Refresh Token, Access Token and ID Token func (p *MicrosoftEntraIDProvider) redeemRefreshTokenWithFederatedToken(ctx context.Context, s *sessions.SessionState) error { federatedTokenPath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE") + // #nosec G703 -- AZURE_FEDERATED_TOKEN_FILE is set by the operator, not user input federatedToken, err := os.ReadFile(federatedTokenPath) if err != nil { return fmt.Errorf("error reading federated token file %s: %s", federatedTokenPath, err) From 9f09d54ba4481aa69f336381cd106d058f118930 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 23 Mar 2026 09:39:22 +0100 Subject: [PATCH 02/10] chore(deps): update actions/upload-artifact action to v7 (#3358) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/publish-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index ed58edd9..bac76bee 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -70,7 +70,7 @@ jobs: # Upload artifacts in case of workflow failure - name: Upload Artifacts - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v7 with: name: oauth2-proxy-artifacts path: | From a4d89036ec102509fbb0d393f77cc90af6d083c8 Mon Sep 17 00:00:00 2001 
From: H1net Date: Mon, 23 Mar 2026 09:22:36 +0000 Subject: [PATCH 03/10] fix: handle Unix socket RemoteAddr in IP resolution (#3374) * fix: handle Unix socket RemoteAddr in IP resolution When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@" instead of the usual "host:port" format. This caused net.SplitHostPort to fail on every request, flooding logs with errors: Error obtaining real IP for trusted IP list: unable to get ip and port from http.RemoteAddr (@) Fix by handling the "@" RemoteAddr at the source in getRemoteIP, returning nil without error since Unix sockets have no meaningful client IP. Also simplify the isTrustedIP guard and add a nil check in GetClientString to prevent calling String() on nil net.IP. Fixes #3373 Signed-off-by: h1net * docs: add changelog entry and Unix socket trusted IPs documentation Add changelog entry for #3374. Document that trusted IPs cannot match against RemoteAddr for Unix socket listeners since Go sets it to "@", and that IP-based trust still works via X-Forwarded-For with reverse-proxy. Signed-off-by: Ben Newbery Signed-off-by: h1net * doc: fix changelog entry for #3374 Signed-off-by: Jan Larwig * doc: add trusted ip a section to versioned docs as well Signed-off-by: Jan Larwig --------- Signed-off-by: h1net Signed-off-by: Ben Newbery Signed-off-by: Jan Larwig Co-authored-by: Jan Larwig --- CHANGELOG.md | 2 ++ docs/docs/configuration/systemd_socket.md | 8 ++++++ .../configuration/systemd_socket.md | 8 ++++++ oauthproxy.go | 4 +-- oauthproxy_test.go | 26 +++++++++++++++++++ pkg/ip/realclientip.go | 8 +++++- pkg/ip/realclientip_test.go | 4 +++ 7 files changed, 56 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d740cb9..aabc1385 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,6 +14,8 @@ # V7.15.0 - [#3382](https://github.com/oauth2-proxy/oauth2-proxy/pull/3382) chore(deps): update gomod and golangci/golangci-lint to v2.11.4 (@tuunit) +- [#3374](https://github.com/oauth2-proxy/oauth2-proxy/pull/3374) fix: handle Unix socket RemoteAddr in IP resolution (@H1net) + ## Release Highlights diff --git a/docs/docs/configuration/systemd_socket.md b/docs/docs/configuration/systemd_socket.md index 642e6f3f..490dabbf 100644 --- a/docs/docs/configuration/systemd_socket.md +++ b/docs/docs/configuration/systemd_socket.md @@ -40,4 +40,12 @@ the listener it created onto the process, starting with file descriptor 3. --client-secret=... ``` +## Trusted IPs + +When listening on a Unix socket, Go sets `http.Request.RemoteAddr` to `"@"` instead of the usual `"host:port"` format. This means there is no client IP available from the connection itself. + +As a result, `--trusted-ip` entries cannot match against the direct connection address for Unix socket listeners. Requests arriving over a Unix socket will never be considered "trusted" based on their `RemoteAddr`. IP-based trust decisions will still work if a trusted reverse proxy sets `X-Forwarded-For` or `X-Real-IP` headers and `--reverse-proxy=true` is configured. + +## TLS + Currently TLS is not supported (but it's doable). diff --git a/docs/versioned_docs/version-7.15.x/configuration/systemd_socket.md b/docs/versioned_docs/version-7.15.x/configuration/systemd_socket.md index 642e6f3f..490dabbf 100644 --- a/docs/versioned_docs/version-7.15.x/configuration/systemd_socket.md +++ b/docs/versioned_docs/version-7.15.x/configuration/systemd_socket.md 
@@ -40,4 +40,12 @@ the listener it created onto the process, starting with file descriptor 3. --client-secret=... ``` +## Trusted IPs + +When listening on a Unix socket, Go sets `http.Request.RemoteAddr` to `"@"` instead of the usual `"host:port"` format. This means there is no client IP available from the connection itself. + +As a result, `--trusted-ip` entries cannot match against the direct connection address for Unix socket listeners. Requests arriving over a Unix socket will never be considered "trusted" based on their `RemoteAddr`. IP-based trust decisions will still work if a trusted reverse proxy sets `X-Forwarded-For` or `X-Real-IP` headers and `--reverse-proxy=true` is configured. + +## TLS + Currently TLS is not supported (but it's doable). diff --git a/oauthproxy.go b/oauthproxy.go index dc3f8b57..f260acc6 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -613,9 +613,7 @@ func (p *OAuthProxy) isAPIPath(req *http.Request) bool { // isTrustedIP is used to check if a request comes from a trusted client IP address. func (p *OAuthProxy) isTrustedIP(req *http.Request) bool { - // RemoteAddr @ means unix socket - // https://github.com/golang/go/blob/0fa53e41f122b1661d0678a6d36d71b7b5ad031d/src/syscall/syscall_linux.go#L506-L511 - if p.trustedIPs == nil && req.RemoteAddr != "@" { + if p.trustedIPs == nil { return false } diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 38cdccab..e06f50e9 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go 
@@ -2150,6 +2150,32 @@ func TestTrustedIPs(t *testing.T) { }(), expectTrusted: false, }, + // Check Unix socket with no trusted IPs configured does not error. + { + name: "UnixSocketWithoutTrustedIPs", + trustedIPs: nil, + reverseProxy: false, + realClientIPHeader: "X-Real-IP", + req: func() *http.Request { + req, _ := http.NewRequest("GET", "/", nil) + req.RemoteAddr = "@" + return req + }(), + expectTrusted: false, + }, + // Check Unix socket with trusted IPs configured returns false (no IP to match). + { + name: "UnixSocketWithTrustedIPs", + trustedIPs: []string{"127.0.0.1"}, + reverseProxy: false, + realClientIPHeader: "X-Real-IP", + req: func() *http.Request { + req, _ := http.NewRequest("GET", "/", nil) + req.RemoteAddr = "@" + return req + }(), + expectTrusted: false, + }, // Check using req.RemoteAddr (Options.ReverseProxy == false). { name: "WithRemoteAddr", diff --git a/pkg/ip/realclientip.go b/pkg/ip/realclientip.go index 8bfc7ea3..db8f2595 100644 --- a/pkg/ip/realclientip.go +++ b/pkg/ip/realclientip.go @@ -73,6 +73,12 @@ func GetClientIP(p ipapi.RealClientIPParser, req *http.Request) (net.IP, error) // getRemoteIP obtains the IP of the low-level connected network host func getRemoteIP(req *http.Request) (net.IP, error) { + // Unix domain sockets set RemoteAddr to "@" which has no meaningful IP. + // https://github.com/golang/go/blob/0fa53e41f122b1661d0678a6d36d71b7b5ad031d/src/syscall/syscall_linux.go#L506-L511 + if req.RemoteAddr == "@" { + return nil, nil + } + //revive:disable:indent-error-flow if ipStr, _, err := net.SplitHostPort(req.RemoteAddr); err != nil { return nil, fmt.Errorf("unable to get ip and port from http.RemoteAddr (%s)", req.RemoteAddr) @@ -94,7 +100,7 @@ func GetClientString(p ipapi.RealClientIPParser, req *http.Request, full bool) ( } var remoteIPStr string - if remoteIP, err := getRemoteIP(req); err == nil { + if remoteIP, err := getRemoteIP(req); err == nil && remoteIP != nil { remoteIPStr = remoteIP.String() } 
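Review bot: getRemoteIP now returns `nil, nil` when RemoteAddr is `"@"`, which changes its contract: a caller that checks only `err` receives a nil `net.IP`. GetClientString is updated for this in the following hunk, but GetClientIP and its callers are outside these hunks and should be confirmed to treat a nil IP as "no address" rather than as a match. The doc comment should state the new case, for example `// getRemoteIP obtains the IP of the low-level connected network host. It returns (nil, nil) when RemoteAddr is "@" (Unix socket).` The function body continues outside the hunk.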
diff --git a/pkg/ip/realclientip_test.go b/pkg/ip/realclientip_test.go index c56e0170..3cbca114 100644 --- a/pkg/ip/realclientip_test.go +++ b/pkg/ip/realclientip_test.go @@ -112,6 +112,8 @@ func TestGetRemoteIP(t *testing.T) { errString string expectedIP net.IP }{ + // Unix domain sockets set RemoteAddr to "@" + {"@", "", nil}, {"", "unable to get ip and port from http.RemoteAddr ()", nil}, {"nil", "unable to get ip and port from http.RemoteAddr (nil)", nil}, {"235.28.129.186", "unable to get ip and port from http.RemoteAddr (235.28.129.186)", nil}, @@ -155,6 +157,8 @@ func TestGetClientString(t *testing.T) { }{ // Should fail quietly, only printing warnings to the log {nil, "", "", "", ""}, + // Unix domain socket — no IP available + {nil, "@", "", "", ""}, {p, "127.0.0.1:11950", "", "127.0.0.1", "127.0.0.1"}, {p, "[::1]:28660", "99.103.56.12", "99.103.56.12", "::1 (99.103.56.12)"}, {nil, "10.254.244.165:62750", "", "10.254.244.165", "10.254.244.165"}, From 44236f0314ebaeed8d9f57ece7e2ab05a80b81e6 Mon Sep 17 00:00:00 2001 From: artificiosus Date: Mon, 23 Mar 2026 05:27:49 -0400 Subject: [PATCH 04/10] fix: do not log error for backend logout 204 (#3381) * Don't log error for backend logout 204 Signed-off-by: artificiosus * doc: add changelog entry for #3381 Signed-off-by: Jan Larwig * refactor: use http.StatusOK and http.StatusNoContent instead of integers Signed-off-by: Jan Larwig --------- Signed-off-by: artificiosus Signed-off-by: Jan Larwig Co-authored-by: Jan Larwig --- CHANGELOG.md | 1 + oauthproxy.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index aabc1385..9cffcc91 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,6 +15,7 @@ - [#3382](https://github.com/oauth2-proxy/oauth2-proxy/pull/3382) chore(deps): update gomod and golangci/golangci-lint to v2.11.4 (@tuunit) - [#3374](https://github.com/oauth2-proxy/oauth2-proxy/pull/3374) fix: handle Unix socket RemoteAddr in IP resolution (@H1net) +- [#3381](https://github.com/oauth2-proxy/oauth2-proxy/pull/3381) fix: do not log error for backend logout 204 (@artificiosus) ## Release Highlights diff --git a/oauthproxy.go b/oauthproxy.go index f260acc6..3efe66fd 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -798,7 +798,7 @@ func (p *OAuthProxy) backendLogout(rw http.ResponseWriter, req *http.Request) { } defer resp.Body.Close() - if resp.StatusCode != 200 { + if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusNoContent { logger.Errorf("error while calling backend logout url, returned error code %v", resp.StatusCode) } } From 5ca3012652893d34e41d069fa4156e78ba0b4751 Mon Sep 17 00:00:00 2001 From: Jan Larwig Date: Mon, 23 Mar 2026 10:36:19 +0100 Subject: [PATCH 05/10] doc: update PR template with additional checklist items --- .github/PULL_REQUEST_TEMPLATE.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 20aad512..042a0394 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -20,7 +20,8 @@ -- [ ] My change requires a change to the documentation or CHANGELOG. -- [ ] I have updated the documentation/CHANGELOG accordingly. +- [ ] I have added an entry for my changes to the [CHANGELOG.md](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/CHANGELOG.md). +- [ ] I have [signed off](https://github.com/apps/dco) all my commits. - [ ] I have created a feature (non-master) branch for my PR. +- [ ] I have used [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#examples) for the PR title. - [ ] I have written tests for my code changes. 
From e2682f759539fe735b18fc655b677cb0a935637f Mon Sep 17 00:00:00 2001 From: Yosri Barhoumi <44350807+yosri-brh@users.noreply.github.com> Date: Mon, 23 Mar 2026 10:54:32 +0100 Subject: [PATCH 06/10] fix: improve logging when session refresh token is missing (#3327) * Improve logging for session refresh token status Signed-off-by: Yosri Barhoumi * doc: add changelog entry for #3327 Signed-off-by: Jan Larwig * test: fix existing test cases for new behaviour Signed-off-by: Jan Larwig --------- Signed-off-by: Yosri Barhoumi Signed-off-by: Jan Larwig Co-authored-by: Jan Larwig --- CHANGELOG.md | 1 + pkg/apis/sessions/session_state.go | 2 ++ pkg/apis/sessions/session_state_test.go | 39 +++++++++++++++++++++---- pkg/middleware/stored_session.go | 1 + 4 files changed, 38 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cffcc91..f5d63cd6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ - [#3382](https://github.com/oauth2-proxy/oauth2-proxy/pull/3382) chore(deps): update gomod and golangci/golangci-lint to v2.11.4 (@tuunit) - [#3374](https://github.com/oauth2-proxy/oauth2-proxy/pull/3374) fix: handle Unix socket RemoteAddr in IP resolution (@H1net) - [#3381](https://github.com/oauth2-proxy/oauth2-proxy/pull/3381) fix: do not log error for backend logout 204 (@artificiosus) +- [#3327](https://github.com/oauth2-proxy/oauth2-proxy/pull/3327) fix: improve logging when session refresh token is missing (@yosri-brh) ## Release Highlights diff --git a/pkg/apis/sessions/session_state.go b/pkg/apis/sessions/session_state.go index fef20aab..6c55e2c8 100644 --- a/pkg/apis/sessions/session_state.go +++ b/pkg/apis/sessions/session_state.go @@ -127,6 +127,8 @@ func (s *SessionState) String() string { } if s.RefreshToken != "" { o += " refresh_token:true" + } else { + o += " refresh_token:false" } if len(s.Groups) > 0 { o += fmt.Sprintf(" groups:%v", s.Groups) 
diff --git a/pkg/apis/sessions/session_state_test.go b/pkg/apis/sessions/session_state_test.go index 1dc6d3ad..ec131393 100644 --- a/pkg/apis/sessions/session_state_test.go +++ b/pkg/apis/sessions/session_state_test.go @@ -4,6 +4,7 @@ import ( "crypto/rand" "fmt" "io" + "strings" "testing" "time" @@ -57,7 +58,7 @@ func TestString(t *testing.T) { User: "some.user", PreferredUsername: "preferred.user", }, - expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user}", + expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user refresh_token:false}", }, { name: "Full Session", @@ -81,7 +82,7 @@ func TestString(t *testing.T) { PreferredUsername: "preferred.user", CreatedAt: &created, }, - expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user created:2000-01-01 00:00:00 +0000 UTC}", + expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user created:2000-01-01 00:00:00 +0000 UTC refresh_token:false}", }, { name: "With an ExpiresOn", @@ -91,7 +92,7 @@ func TestString(t *testing.T) { PreferredUsername: "preferred.user", ExpiresOn: &expires, }, - expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user expires:2000-01-01 01:00:00 +0000 UTC}", + expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user expires:2000-01-01 01:00:00 +0000 UTC refresh_token:false}", }, { name: "With an AccessToken", @@ -101,7 +102,7 @@ func TestString(t *testing.T) { PreferredUsername: "preferred.user", AccessToken: "access.token", }, - expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user token:true}", + expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user token:true refresh_token:false}", }, { name: "With an IDToken", 
@@ -111,7 +112,7 @@ func TestString(t *testing.T) { PreferredUsername: "preferred.user", IDToken: "id.token", }, - expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user id_token:true}", + expected: "Session{email:email@email.email user:some.user PreferredUsername:preferred.user id_token:true refresh_token:false}", }, { name: "With a RefreshToken", @@ -353,3 +354,31 @@ func TestGetClaim(t *testing.T) { }) } } + +func TestSessionState_String_RefreshTokenFalse(t *testing.T) { + session := &SessionState{ + Email: "test@example.com", + User: "testuser", + // No RefreshToken set + } + + result := session.String() + + if !strings.Contains(result, "refresh_token:false") { + t.Errorf("Expected 'refresh_token:false' in output, got: %s", result) + } +} + +func TestSessionState_String_RefreshTokenTrue(t *testing.T) { + session := &SessionState{ + Email: "test@example.com", + User: "testuser", + RefreshToken: "some-token", + } + + result := session.String() + + if !strings.Contains(result, "refresh_token:true") { + t.Errorf("Expected 'refresh_token:true' in output, got: %s", result) + } +} diff --git a/pkg/middleware/stored_session.go b/pkg/middleware/stored_session.go index f861c756..72c364e7 100644 --- a/pkg/middleware/stored_session.go +++ b/pkg/middleware/stored_session.go @@ -222,6 +222,7 @@ func (s *storedSessionLoader) refreshSession(rw http.ResponseWriter, req *http.R // Session not refreshed, nothing to persist. if !refreshed { + logger.Printf("Session not refreshed - User: %s; no refresh token available or provider returned false", session.User) return nil } From 46be69c276f0ab17cd30d0cc0f309a187a23d92a Mon Sep 17 00:00:00 2001 
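Review bot: The new `logger.Printf` in refreshSession writes `session.User` with `%s`, and that value originates from the identity provider. Unless the logger escapes control characters (not visible here), a crafted username could split or forge log lines. `%q` would quote it: `logger.Printf("Session not refreshed - User: %q; no refresh token available or provider returned false", session.User)`. The line also appears to run on every pass through this branch for sessions without a refresh token, so it is worth confirming how often that happens with providers that never issue one. refreshSession starts and ends outside the hunk.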
From: Jan Larwig Date: Mon, 23 Mar 2026 11:25:20 +0100 Subject: [PATCH 07/10] fix: propagate errors during route building (#3383) * Propagate errors during route building This fixes cases such as invalid paths being silently discarded after creation by throwing a visible error in such cases. Due to the way gorilla/mux's fluent API is designed, it is necessary to manually call `.GetError()` to check for errors while building routes. Signed-off-by: Simon Engmann * Add test for route building error propagation Signed-off-by: Simon Engmann * Add route building error propagation to changelog Signed-off-by: Simon Engmann --------- Signed-off-by: Simon Engmann Co-authored-by: Simon Engmann --- CHANGELOG.md | 1 + pkg/upstream/proxy.go | 28 ++++++++++++++-------------- pkg/upstream/proxy_test.go | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5d63cd6..c259b733 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ - [#3374](https://github.com/oauth2-proxy/oauth2-proxy/pull/3374) fix: handle Unix socket RemoteAddr in IP resolution (@H1net) - [#3381](https://github.com/oauth2-proxy/oauth2-proxy/pull/3381) fix: do not log error for backend logout 204 (@artificiosus) - [#3327](https://github.com/oauth2-proxy/oauth2-proxy/pull/3327) fix: improve logging when session refresh token is missing (@yosri-brh) +- [#2767](https://github.com/oauth2-proxy/oauth2-proxy/pull/2767) fix: propagate errors during route building (@sybereal) ## Release Highlights diff --git a/pkg/upstream/proxy.go b/pkg/upstream/proxy.go index af4d2e84..857395ec 100644 --- a/pkg/upstream/proxy.go +++ b/pkg/upstream/proxy.go 
@@ -58,7 +58,9 @@ func NewProxy(upstreams options.UpstreamConfig, sigData *options.SignatureData, } } - registerTrailingSlashHandler(m.serveMux) + if err := registerTrailingSlashHandler(m.serveMux); err != nil { + return nil, fmt.Errorf("could not register trailing slash handler: %w", err) + } return m, nil } @@ -94,8 +96,7 @@ func (m *multiUpstreamProxy) registerHTTPUpstreamProxy(upstream options.Upstream // registerHandler ensures the given handler is regiestered with the serveMux. func (m *multiUpstreamProxy) registerHandler(upstream options.Upstream, handler http.Handler, writer pagewriter.Writer) error { if upstream.RewriteTarget == "" { - m.registerSimpleHandler(upstream.Path, handler) - return nil + return m.registerSimpleHandler(upstream.Path, handler) } return m.registerRewriteHandler(upstream, handler, writer) @@ -103,12 +104,12 @@ func (m *multiUpstreamProxy) registerHandler(upstream options.Upstream, handler // registerSimpleHandler maintains the behaviour of the go standard serveMux // by ensuring any path with a trailing `/` matches all paths under that prefix. -func (m *multiUpstreamProxy) registerSimpleHandler(path string, handler http.Handler) { +func (m *multiUpstreamProxy) registerSimpleHandler(path string, handler http.Handler) error { if strings.HasSuffix(path, "/") { - m.serveMux.PathPrefix(path).Handler(handler) - } else { - m.serveMux.Path(path).Handler(handler) + return m.serveMux.PathPrefix(path).Handler(handler).GetError() } + + return m.serveMux.Path(path).Handler(handler).GetError() } // registerRewriteHandler ensures the handler is registered for all paths 
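Review bot: registerSimpleHandler now returns an error, but its doc comment still describes only the trailing-slash matching. Suggest extending it with `// It returns the error recorded by mux while building the route, if any.` The same applies to registerTrailingSlashHandler in the later proxy.go hunk, whose comment does not mention the new return value either.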
@@ -123,19 +124,18 @@ func (m *multiUpstreamProxy) registerRewriteHandler(upstream options.Upstream, h rewrite := newRewritePath(rewriteRegExp, upstream.RewriteTarget, writer) h := alice.New(rewrite).Then(handler) - m.serveMux.MatcherFunc(func(req *http.Request, _ *mux.RouteMatch) bool { - return rewriteRegExp.MatchString(req.URL.Path) - }).Handler(h) - return nil + return m.serveMux.MatcherFunc(func(req *http.Request, _ *mux.RouteMatch) bool { + return rewriteRegExp.MatchString(req.URL.Path) + }).Handler(h).GetError() } // registerTrailingSlashHandler creates a new matcher that will check if the // requested path would match if it had a trailing slash appended. // If the path matches with a trailing slash, we send back a redirect. // This allows us to be consistent with the built in go servemux implementation. -func registerTrailingSlashHandler(serveMux *mux.Router) { - serveMux.MatcherFunc(func(req *http.Request, _ *mux.RouteMatch) bool { +func registerTrailingSlashHandler(serveMux *mux.Router) error { + return serveMux.MatcherFunc(func(req *http.Request, _ *mux.RouteMatch) bool { if strings.HasSuffix(req.URL.Path, "/") { return false } @@ -149,7 +149,7 @@ func registerTrailingSlashHandler(serveMux *mux.Router) { return serveMux.Match(slashReq, m) }).Handler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { http.Redirect(rw, req, req.URL.String()+"/", http.StatusMovedPermanently) - })) + })).GetError() } // sortByPathLongest ensures that the upstreams are sorted by longest path. diff --git a/pkg/upstream/proxy_test.go b/pkg/upstream/proxy_test.go index b9b8cf9c..aba4a730 100644 --- a/pkg/upstream/proxy_test.go +++ b/pkg/upstream/proxy_test.go 
@@ -383,6 +383,38 @@ var _ = Describe("Proxy Suite", func() { ) }) + Context("multiUpstreamProxy errors", func() { + type proxyErrorTableInput struct { + upstreams options.UpstreamConfig + expectedError string + } + + DescribeTable("NewProxy", func(in *proxyErrorTableInput) { + sigData := &options.SignatureData{Hash: crypto.SHA256, Key: "secret"} + + writer := &pagewriter.WriterFuncs{ + ProxyErrorFunc: func(rw http.ResponseWriter, _ *http.Request, _ error) { + rw.WriteHeader(502) + rw.Write([]byte("Proxy Error")) + }, + } + + _, err := NewProxy(in.upstreams, sigData, writer) + Expect(err).To(MatchError(in.expectedError)) + }, + Entry("regex matcher without rewrite target", &proxyErrorTableInput{ + upstreams: options.UpstreamConfig{ + Upstreams: []options.Upstream{{ + ID: "api", + Path: "^/api/$", + URI: "http://example.com", + }}, + }, + expectedError: `could not register http upstream "api": mux: path must start with a slash, got "^/api/$"`, + }), + ) + }) + Context("sortByPathLongest", func() { type sortByPathLongestTableInput struct { input []options.Upstream From 848ec8ba82e8097bf52c16b3ba825dacef8fcbcb Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 23 Mar 2026 15:46:15 +0100 Subject: [PATCH 08/10] release v7.15.1 (#3384) * update to release version v7.15.1 * doc: release notes for v7.15.1 Signed-off-by: Jan Larwig --------- 
Signed-off-by: Jan Larwig Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jan Larwig --- CHANGELOG.md | 16 ++++++++++++++-- .../docker-compose-alpha-config.yaml | 2 +- .../local-environment/docker-compose-gitea.yaml | 2 +- .../docker-compose-keycloak.yaml | 2 +- .../local-environment/docker-compose-nginx.yaml | 2 +- .../docker-compose-traefik.yaml | 2 +- contrib/local-environment/docker-compose.yaml | 2 +- docs/docs/installation.md | 2 +- .../version-7.15.x/installation.md | 2 +- 9 files changed, 22 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c259b733..a3b4018a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,8 +2,20 @@ ## Release Highlights -- Fixes [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) - - OAuth2 Proxy was not impacted by this vulnerability as it isn't in the path of execution +## Important Notes + +## Breaking Changes + +## Changes since v7.15.1 + +# V7.15.1 + +## Release Highlights + +- 🐛 Squashed some bugs +- 🕵️‍♀️ Vulnerabilities have been addressed + - [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) + OAuth2 Proxy was not impacted by this vulnerability as it isn't in the path of execution ## Important Notes diff --git a/contrib/local-environment/docker-compose-alpha-config.yaml b/contrib/local-environment/docker-compose-alpha-config.yaml index aee1af0b..515c42e0 100644 --- a/contrib/local-environment/docker-compose-alpha-config.yaml +++ b/contrib/local-environment/docker-compose-alpha-config.yaml @@ -14,7 +14,7 @@ version: "3.0" services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.0 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1 command: --config /oauth2-proxy.cfg --alpha-config /oauth2-proxy-alpha-config.yaml hostname: oauth2-proxy volumes: 
diff --git a/contrib/local-environment/docker-compose-gitea.yaml b/contrib/local-environment/docker-compose-gitea.yaml index 2ada1062..3e57ef2d 100644 --- a/contrib/local-environment/docker-compose-gitea.yaml +++ b/contrib/local-environment/docker-compose-gitea.yaml @@ -14,7 +14,7 @@ version: '3.0' services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.0 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-keycloak.yaml b/contrib/local-environment/docker-compose-keycloak.yaml index e6de0744..ba3db49a 100644 --- a/contrib/local-environment/docker-compose-keycloak.yaml +++ b/contrib/local-environment/docker-compose-keycloak.yaml @@ -14,7 +14,7 @@ version: '3.0' services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.0 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml index dac1b0b5..ed93d57c 100644 --- a/contrib/local-environment/docker-compose-nginx.yaml +++ b/contrib/local-environment/docker-compose-nginx.yaml @@ -22,7 +22,7 @@ version: "3.0" services: oauth2-proxy: - image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.0 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1 ports: [] hostname: oauth2-proxy container_name: oauth2-proxy diff --git a/contrib/local-environment/docker-compose-traefik.yaml b/contrib/local-environment/docker-compose-traefik.yaml index d83cf032..94d9239b 100644 --- a/contrib/local-environment/docker-compose-traefik.yaml +++ b/contrib/local-environment/docker-compose-traefik.yaml 
@@ -23,7 +23,7 @@ version: '3.0' services: oauth2-proxy: - image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.0 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1 ports: [] hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose.yaml b/contrib/local-environment/docker-compose.yaml index edc5af24..4832eb92 100644 --- a/contrib/local-environment/docker-compose.yaml +++ b/contrib/local-environment/docker-compose.yaml @@ -13,7 +13,7 @@ version: "3.0" services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.0 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/docs/docs/installation.md b/docs/docs/installation.md index 497b3e0d..d329bd55 100644 --- a/docs/docs/installation.md +++ b/docs/docs/installation.md @@ -5,7 +5,7 @@ title: Installation 1. Choose how to deploy: - a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.0`) + a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.1`) b. Using Go to install the latest release ```bash diff --git a/docs/versioned_docs/version-7.15.x/installation.md b/docs/versioned_docs/version-7.15.x/installation.md index 497b3e0d..d329bd55 100644 --- a/docs/versioned_docs/version-7.15.x/installation.md +++ b/docs/versioned_docs/version-7.15.x/installation.md @@ -5,7 +5,7 @@ title: Installation 1. Choose how to deploy: - a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.0`) + a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.1`) b. Using Go to install the latest release ```bash From 7bc4b5e5df39349bfe54e0721d161fbebb6b2ebb Mon Sep 17 00:00:00 2001 
From: Jan Larwig Date: Mon, 23 Mar 2026 15:54:46 +0100 Subject: [PATCH 09/10] doc: fix changelog for v7.15.0 --- CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3b4018a..fc4c2379 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,14 +23,13 @@ ## Changes since v7.15.0 -# V7.15.0 - - [#3382](https://github.com/oauth2-proxy/oauth2-proxy/pull/3382) chore(deps): update gomod and golangci/golangci-lint to v2.11.4 (@tuunit) - [#3374](https://github.com/oauth2-proxy/oauth2-proxy/pull/3374) fix: handle Unix socket RemoteAddr in IP resolution (@H1net) - [#3381](https://github.com/oauth2-proxy/oauth2-proxy/pull/3381) fix: do not log error for backend logout 204 (@artificiosus) - [#3327](https://github.com/oauth2-proxy/oauth2-proxy/pull/3327) fix: improve logging when session refresh token is missing (@yosri-brh) - [#2767](https://github.com/oauth2-proxy/oauth2-proxy/pull/2767) fix: propagate errors during route building (@sybereal) +# V7.15.0 ## Release Highlights From da9123f740d570374df9bf36ea66d3b94f712284 Mon Sep 17 00:00:00 2001 From: Jan Larwig Date: Mon, 23 Mar 2026 16:05:54 +0100 Subject: [PATCH 10/10] doc: fix config validation formatting (#3386) Signed-off-by: Jan Larwig --- docs/docs/configuration/overview.md | 74 +++++++++---------- .../version-7.15.x/configuration/overview.md | 74 +++++++++---------- 2 files changed, 74 insertions(+), 74 deletions(-) diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md index 37f385c7..a73e3acd 100644 --- a/docs/docs/configuration/overview.md +++ b/docs/docs/configuration/overview.md 
@@ -72,43 +72,6 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--config-test` | test configuration and exit (for CI/CD validation) | | `--version` | print version string | -## Configuration Validation - -The `--config-test` flag validates your configuration file without starting the proxy server. This is useful for: -- **CI/CD pipelines**: Pre-deployment validation -- **Configuration management**: Testing before applying changes -- **Debugging**: Verifying syntax and required fields - -### Usage - -```bash -# Test legacy config -oauth2-proxy --config /etc/oauth2-proxy.cfg --config-test - -# Test alpha config -oauth2-proxy --config /etc/core.cfg --alpha-config /etc/alpha.yaml --config-test - -# CI/CD pre-deployment check -# Returns with exit code 1 if any validation errors occur -oauth2-proxy --config new-config.cfg --config-test -``` - -### Exit Codes - -- **0**: Configuration is valid ✅ -- **1**: Configuration is invalid (errors printed to stderr) ❌ - -### Validation Coverage - -The `--config-test` flag performs the **same comprehensive validation** as normal startup, including: -- Required fields (client ID, client secret, cookie secret, etc.) -- Syntax validation (TOML/YAML parsing) -- Provider configuration -- Upstream server definitions -- Session store connectivity (e.g., Redis network checks if configured) - -**Note**: Cannot be combined with `--convert-config-to-alpha`. - ### General Provider Options Provider specific options can be found on their respective subpages. @@ -305,6 +268,43 @@ Provider specific options can be found on their respective subpages. | flag: `--upstream-timeout`
toml: `upstream_timeout` | duration | maximum amount of time the server will wait for a response from the upstream | 30s | | flag: `--upstream`
toml: `upstreams` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://` for static response. Routing is based on the path | | +## Configuration Validation + +The `--config-test` flag validates your configuration file without starting the proxy server. This is useful for: +- **CI/CD pipelines**: Pre-deployment validation +- **Configuration management**: Testing before applying changes +- **Debugging**: Verifying syntax and required fields + +### Usage + +```bash +# Test legacy config +oauth2-proxy --config /etc/oauth2-proxy.cfg --config-test + +# Test alpha config +oauth2-proxy --config /etc/core.cfg --alpha-config /etc/alpha.yaml --config-test + +# CI/CD pre-deployment check +# Returns with exit code 1 if any validation errors occur +oauth2-proxy --config new-config.cfg --config-test +``` + +### Exit Codes + +- **0**: Configuration is valid ✅ +- **1**: Configuration is invalid (errors printed to stderr) ❌ + +### Validation Coverage + +The `--config-test` flag performs the **same comprehensive validation** as normal startup, including: +- Required fields (client ID, client secret, cookie secret, etc.) +- Syntax validation (TOML/YAML parsing) +- Provider configuration +- Upstream server definitions +- Session store connectivity (e.g., Redis network checks if configured) + +**Note**: Cannot be combined with `--convert-config-to-alpha`. + ## Upstreams Configuration `oauth2-proxy` supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers, unix socket or serve static files from the file system. diff --git a/docs/versioned_docs/version-7.15.x/configuration/overview.md b/docs/versioned_docs/version-7.15.x/configuration/overview.md index 37f385c7..a73e3acd 100644 --- a/docs/versioned_docs/version-7.15.x/configuration/overview.md +++ b/docs/versioned_docs/version-7.15.x/configuration/overview.md 
@@ -72,43 +72,6 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/ | `--config-test` | test configuration and exit (for CI/CD validation) | | `--version` | print version string | -## Configuration Validation - -The `--config-test` flag validates your configuration file without starting the proxy server. This is useful for: -- **CI/CD pipelines**: Pre-deployment validation -- **Configuration management**: Testing before applying changes -- **Debugging**: Verifying syntax and required fields - -### Usage - -```bash -# Test legacy config -oauth2-proxy --config /etc/oauth2-proxy.cfg --config-test - -# Test alpha config -oauth2-proxy --config /etc/core.cfg --alpha-config /etc/alpha.yaml --config-test - -# CI/CD pre-deployment check -# Returns with exit code 1 if any validation errors occur -oauth2-proxy --config new-config.cfg --config-test -``` - -### Exit Codes - -- **0**: Configuration is valid ✅ -- **1**: Configuration is invalid (errors printed to stderr) ❌ - -### Validation Coverage - -The `--config-test` flag performs the **same comprehensive validation** as normal startup, including: -- Required fields (client ID, client secret, cookie secret, etc.) -- Syntax validation (TOML/YAML parsing) -- Provider configuration -- Upstream server definitions -- Session store connectivity (e.g., Redis network checks if configured) - -**Note**: Cannot be combined with `--convert-config-to-alpha`. - ### General Provider Options Provider specific options can be found on their respective subpages. @@ -305,6 +268,43 @@ Provider specific options can be found on their respective subpages. | flag: `--upstream-timeout`
toml: `upstream_timeout` | duration | maximum amount of time the server will wait for a response from the upstream | 30s | | flag: `--upstream`
toml: `upstreams` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://` for static response. Routing is based on the path | | +## Configuration Validation + +The `--config-test` flag validates your configuration file without starting the proxy server. This is useful for: +- **CI/CD pipelines**: Pre-deployment validation +- **Configuration management**: Testing before applying changes +- **Debugging**: Verifying syntax and required fields + +### Usage + +```bash +# Test legacy config +oauth2-proxy --config /etc/oauth2-proxy.cfg --config-test + +# Test alpha config +oauth2-proxy --config /etc/core.cfg --alpha-config /etc/alpha.yaml --config-test + +# CI/CD pre-deployment check +# Returns with exit code 1 if any validation errors occur +oauth2-proxy --config new-config.cfg --config-test +``` + +### Exit Codes + +- **0**: Configuration is valid ✅ +- **1**: Configuration is invalid (errors printed to stderr) ❌ + +### Validation Coverage + +The `--config-test` flag performs the **same comprehensive validation** as normal startup, including: +- Required fields (client ID, client secret, cookie secret, etc.) +- Syntax validation (TOML/YAML parsing) +- Provider configuration +- Upstream server definitions +- Session store connectivity (e.g., Redis network checks if configured) + +**Note**: Cannot be combined with `--convert-config-to-alpha`. + ## Upstreams Configuration `oauth2-proxy` supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers, unix socket or serve static files from the file system.