[
  {
    "path": ".gitattributes",
    "content": "# This file is documented at https://git-scm.com/docs/gitattributes.\n# Linguist-specific attributes are documented at\n# https://github.com/github/linguist.\n\ndoc/cosign*.md linguist-generated=true\n"
  },
  {
    "path": ".github/dependabot.yml",
    "content": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nversion: 2\n\nupdates:\n- package-ecosystem: gomod\n  directory: \"/\"\n  schedule:\n    interval: weekly\n  open-pull-requests-limit: 10\n  groups:\n    sigstore:\n      patterns:\n        - \"github.com/sigstore/**\"\n    minor-patch:\n      update-types: [\"minor\", \"patch\"]\n\n- package-ecosystem: \"github-actions\"\n  directory: \"/\"\n  schedule:\n    interval: weekly\n  open-pull-requests-limit: 10\n  groups:\n    minor-patch:\n      update-types: [\"minor\", \"patch\"]\n"
  },
  {
    "path": ".github/workflows/build.yaml",
    "content": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: CI-Container-Build\n\non:\n  push:\n    branches:\n      - main\n      - release-*\n\npermissions: {}\n\njobs:\n  build:\n    name: build\n    runs-on: ubuntu-latest\n\n    permissions:\n      id-token: write\n      contents: read\n      packages: write\n\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2\n\n      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n        with:\n          go-version-file: './go.mod'\n          check-latest: true\n\n      # will use the latest release available for ko\n      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n      - uses: chainguard-dev/actions/goimports@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n\n      - name: Set up Cloud SDK\n        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0\n        with:\n          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller'\n          service_account: 'gha-policy-controller@projectsigstore.iam.gserviceaccount.com'\n\n      - name: creds\n        run: gcloud auth configure-docker --quiet\n\n      - name: policy-controller\n        run: 
COSIGN_YES=\"true\" KO_PREFIX=ghcr.io/sigstore/policy-controller/policy-controller/ci make build-sign-containers\n"
  },
  {
    "path": ".github/workflows/codeql-analysis.yml",
    "content": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: CodeQL\n\non:\n  push:\n    branches: [ main ]\n  schedule:\n    - cron: '45 10 * * 1'\n\nenv:\n  CODEQL_EXTRACTOR_GO_BUILD_TRACING: true\n\njobs:\n  analyze:\n    name: Analyze\n    runs-on: ubuntu-latest\n\n    permissions:\n      security-events: write\n      actions: read\n      contents: read\n\n    strategy:\n      fail-fast: false\n      matrix:\n        language: [ 'go' ]\n\n    steps:\n    - name: Checkout repository\n      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n    - name: Utilize Go Module Cache\n      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4\n      with:\n        path: |\n          ~/go/pkg/mod\n          ~/.cache/go-build\n        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}\n        restore-keys: |\n          ${{ runner.os }}-go-\n\n    - name: Set correct version of Golang to use during CodeQL run\n      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './go.mod'\n        check-latest: true\n\n    # Initializes the CodeQL tools for scanning.\n    - name: Initialize CodeQL\n      uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5\n      with:\n        languages: ${{ matrix.language }}\n\n    - name: Build policy controller for CodeQL\n      run: |\n        make 
policy-controller\n\n    - name: Perform CodeQL Analysis\n      uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5\n"
  },
  {
    "path": ".github/workflows/depsreview.yml",
    "content": "#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\nname: 'Dependency Review'\non: [pull_request]\n\npermissions:\n  contents: read\n\njobs:\n  dependency-review:\n    name: dependency-review\n    uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@a38887851a12d604b8441ed09e6ebf6b9fe17cbc # main branch 30/Jun/2025\n"
  },
  {
    "path": ".github/workflows/donotsubmit.yaml",
    "content": "name: Do Not Submit\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\npermissions: read-all\n\njobs:\n\n  donotsubmit:\n    name: Do Not Submit\n    runs-on: ubuntu-latest\n\n    steps:\n      - name: Check out code\n        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2\n\n      - name: Do Not Submit\n        uses: chainguard-dev/actions/donotsubmit@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n"
  },
  {
    "path": ".github/workflows/kind-cluster-image-policy-no-tuf.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Test policy-controller with ClusterImagePolicy TUF disabled\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\ndefaults:\n  run:\n    shell: bash\n\npermissions: read-all\n\njobs:\n  cip-test-no-tuf:\n    name: ClusterImagePolicy e2e tests TUF disabled\n    runs-on: ubuntu-latest\n\n    strategy:\n      fail-fast: false # Keep running if one leg fails.\n      matrix:\n        k8s-version:\n        - v1.31.x\n        - v1.32.x\n        - v1.33.x\n        - v1.34.x\n\n    env:\n      KO_DOCKER_REPO: \"registry.local:5000/policy-controller\"\n      SCAFFOLDING_RELEASE_VERSION: \"v0.7.27\"\n      GO111MODULE: on\n      GOFLAGS: -ldflags=-s -ldflags=-w\n      KOCACHE: ~/ko\n\n    steps:\n    - name: free up disk space for the release\n      run: |\n          rm -rf /usr/share/dotnet/\n          rm -rf \"$AGENT_TOOLSDIRECTORY\"\n          rm -rf \"/usr/local/share/boost\"\n          rm -rf /opt/ghc\n          docker rmi $(docker image ls -aq) || true\n          swapoff /swapfile || true\n          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true\n          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \\\n            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \\\n            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 
dotnet-sdk-3.1=3.1.101-1 \\\n            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \\\n            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \\\n            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \\\n            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \\\n            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \\\n            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \\\n            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \\\n            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \\\n            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \\\n            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \\\n            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \\\n            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \\\n            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \\\n            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \\\n            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \\\n            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \\\n            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \\\n            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \\\n            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \\\n            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \\\n            php7.3-dev 
php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \\\n            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \\\n            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \\\n            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \\\n            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \\\n            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \\\n            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \\\n            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \\\n            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \\\n            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \\\n            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \\\n            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \\\n            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true\n          apt-get remove -y 'php.*' || true\n          apt-get autoremove -y >/dev/null 2>&1 || true\n          apt-get autoclean -y >/dev/null 2>&1 || true\n    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './go.mod'\n        check-latest: true\n\n    # will use the latest release available for ko\n    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0\n\n    - name: Install yq\n      uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4\n\n    - name: Setup mirror\n      uses: 
chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        mirror: mirror.gcr.io\n\n    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159\n\n    - name: Install cluster + sigstore\n      uses: sigstore/scaffolding/actions/setup@main\n      with:\n        k8s-version: ${{ matrix.k8s-version}}\n        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}\n\n    - name: Install policy-controller\n      env:\n        GIT_HASH: ${{ github.sha }}\n        GIT_VERSION: ci\n        LDFLAGS: \"\"\n        POLICY_CONTROLLER_YAML: test/kustomize-no-tuf/policy-controller-e2e.yaml\n        KO_PREFIX: registry.local:5000/policy-controller\n        POLICY_CONTROLLER_ARCHS: linux/amd64\n      run: |\n        make ko-policy-controller\n        kustomize build test/kustomize-no-tuf | kubectl apply -f -\n\n        # Wait for the webhook to come up and become Ready\n        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook\n\n    - name: Run Cluster Image Policy Tests that only tests keys, no keyless\n      timeout-minutes: 15\n      run: |\n        ./test/e2e_test_cluster_image_policy_no_tuf.sh\n\n    - name: Collect diagnostics\n      if: ${{ failure() }}\n      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n"
  },
  {
    "path": ".github/workflows/kind-cluster-image-policy-trustroot.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Test policy-controller with TrustRoot - Bring your own keys\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\ndefaults:\n  run:\n    shell: bash\n\npermissions: read-all\n\njobs:\n  cip-test-trustroot-bring-your-own-keys:\n    name: ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys\n    runs-on: ubuntu-latest\n\n    strategy:\n      fail-fast: false # Keep running if one leg fails.\n      matrix:\n        k8s-version:\n          - v1.31.x\n          - v1.32.x\n          - v1.33.x\n          - v1.34.x\n\n        script:\n        - repository\n        - remote\n        - bring_own_keys\n\n    env:\n      KO_DOCKER_REPO: \"registry.local:5000/policy-controller\"\n      SCAFFOLDING_RELEASE_VERSION: \"v0.7.27\"\n      GO111MODULE: on\n      GOFLAGS: -ldflags=-s -ldflags=-w\n      KOCACHE: ~/ko\n\n    steps:\n    - name: free up disk space for the release\n      run: |\n          rm -rf /usr/share/dotnet/\n          rm -rf \"$AGENT_TOOLSDIRECTORY\"\n          rm -rf \"/usr/local/share/boost\"\n          rm -rf /opt/ghc\n          docker rmi $(docker image ls -aq) || true\n          swapoff /swapfile || true\n          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true\n          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \\\n            clang-6.0 lldb-6.0 lld-6.0 
clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \\\n            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \\\n            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \\\n            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \\\n            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \\\n            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \\\n            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \\\n            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \\\n            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \\\n            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \\\n            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \\\n            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \\\n            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \\\n            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \\\n            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \\\n            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \\\n            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \\\n            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \\\n            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \\\n            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \\\n            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \\\n       
     php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \\\n            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \\\n            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \\\n            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \\\n            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \\\n            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \\\n            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \\\n            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \\\n            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \\\n            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \\\n            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \\\n            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \\\n            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \\\n            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true\n          apt-get remove -y 'php.*' || true\n          apt-get autoremove -y >/dev/null 2>&1 || true\n          apt-get autoclean -y >/dev/null 2>&1 || true\n    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './go.mod'\n        check-latest: true\n\n    # will use the latest release available for ko\n    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0\n\n    - name: Install yq\n      uses: 
mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4\n\n    - name: Setup mirror\n      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        mirror: mirror.gcr.io\n\n    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159\n\n    - name: Install cluster + sigstore\n      uses: sigstore/scaffolding/actions/setup@main\n      with:\n        k8s-version: ${{ matrix.k8s-version}}\n        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}\n\n    # Install policy-controller that does not have TUF embedded or installed.\n    - name: Install policy-controller\n      env:\n        GIT_HASH: ${{ github.sha }}\n        GIT_VERSION: ci\n        LDFLAGS: \"\"\n        POLICY_CONTROLLER_YAML: test/kustomize-no-tuf/policy-controller-e2e.yaml\n        KO_PREFIX: registry.local:5000/policy-controller\n        POLICY_CONTROLLER_ARCHS: linux/amd64\n      run: |\n        make ko-policy-controller\n        kustomize build test/kustomize-no-tuf | kubectl apply -f -\n\n        # Wait for the webhook to come up and become Ready\n        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook\n        echo \"TUF_ROOT_FILE=./root.json\" >> $GITHUB_ENV\n\n    - name: Run Trustroot Tests that tests with different TUF configurations\n      timeout-minutes: 5\n      run: |\n        ./test/e2e_test_cluster_image_policy_with_trustroot_${{ matrix.script }}.sh\n\n    - name: Collect diagnostics\n      if: ${{ failure() }}\n      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n"
  },
  {
    "path": ".github/workflows/kind-cluster-image-policy-tsa.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Test policy-controller with TSA\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\ndefaults:\n  run:\n    shell: bash\n\npermissions: read-all\n\njobs:\n  cip-test-trustroot-bring-your-own-keys:\n    name: ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys\n    runs-on: ubuntu-latest\n\n    strategy:\n      fail-fast: false # Keep running if one leg fails.\n      matrix:\n        k8s-version:\n          - v1.31.x\n          - v1.32.x\n          - v1.33.x\n          - v1.34.x\n\n    env:\n      KO_DOCKER_REPO: \"registry.local:5000/policy-controller\"\n      SCAFFOLDING_RELEASE_VERSION: \"v0.7.27\"\n      GO111MODULE: on\n      GOFLAGS: -ldflags=-s -ldflags=-w\n      KOCACHE: ~/ko\n\n    steps:\n    - name: free up disk space for the release\n      run: |\n          rm -rf /usr/share/dotnet/\n          rm -rf \"$AGENT_TOOLSDIRECTORY\"\n          rm -rf \"/usr/local/share/boost\"\n          rm -rf /opt/ghc\n          docker rmi $(docker image ls -aq) || true\n          swapoff /swapfile || true\n          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true\n          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \\\n            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \\\n            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 
dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \\\n            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \\\n            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \\\n            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \\\n            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \\\n            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \\\n            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \\\n            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \\\n            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \\\n            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \\\n            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \\\n            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \\\n            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \\\n            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \\\n            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \\\n            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \\\n            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \\\n            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \\\n            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \\\n            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \\\n            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \\\n            
php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \\\n            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \\\n            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \\\n            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \\\n            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \\\n            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \\\n            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \\\n            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \\\n            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \\\n            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \\\n            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \\\n            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \\\n            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true\n          apt-get remove -y 'php.*' || true\n          apt-get autoremove -y >/dev/null 2>&1 || true\n          apt-get autoclean -y >/dev/null 2>&1 || true\n    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './go.mod'\n        check-latest: true\n\n    # will use the latest release available for ko\n    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0\n\n    - name: Install yq\n      uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4\n\n    - name: Setup mirror\n      uses: 
chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        mirror: mirror.gcr.io\n\n    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2\n\n    - name: Install cluster + sigstore\n      uses: sigstore/scaffolding/actions/setup@main\n      env:\n        INSTALL_TSA: true\n      with:\n        k8s-version: ${{ matrix.k8s-version}}\n        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}\n\n    # Install policy-controller that does not have TUF embedded or installed.\n    - name: Install policy-controller\n      env:\n        GIT_HASH: ${{ github.sha }}\n        GIT_VERSION: ci\n        LDFLAGS: \"\"\n        POLICY_CONTROLLER_YAML: test/kustomize-no-tuf/policy-controller-e2e.yaml\n        KO_PREFIX: registry.local:5000/policy-controller\n        POLICY_CONTROLLER_ARCHS: linux/amd64\n      run: |\n        make ko-policy-controller\n        kustomize build test/kustomize-no-tuf | kubectl apply -f -\n\n        # Wait for the webhook to come up and become Ready\n        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook\n        echo \"TUF_ROOT_FILE=./root.json\" >> $GITHUB_ENV\n\n    - name: Checkout TSA for testing.\n      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n      with:\n        repository: sigstore/timestamp-authority\n        path: ./src/github.com/sigstore/timestamp-authority\n\n    - name: Build timestamp-cli\n      working-directory: ./src/github.com/sigstore/timestamp-authority\n      run: |\n        go build -o ./timestamp-cli ./cmd/timestamp-cli\n\n    - name: Exercise our local TSA\n      working-directory: ./src/github.com/sigstore/timestamp-authority\n      run: |\n        TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')\n        echo \"TSA_URL=$TSA_URL\" >> $GITHUB_ENV\n\n        curl $TSA_URL/api/v1/timestamp/certchain > ts_chain.pem\n        echo \"myblob\" > myblob\n        if ! 
./timestamp-cli --timestamp_server $TSA_URL timestamp --hash sha256 --artifact myblob --out response.tsr ; then\n          echo \"failed to timestamp artifact\"\n          exit -1\n        fi\n        if ! ./timestamp-cli verify --timestamp response.tsr --artifact \"myblob\" --certificate-chain ts_chain.pem ; then\n          echo \"failed to verify timestamp\"\n          exit -1\n        fi\n        if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then\n          echo \"failed to inspect the timestamp\"\n          exit -1\n        fi\n\n    - name: Run TSA Tests\n      timeout-minutes: 5\n      run: |\n        ./test/e2e_test_cluster_image_policy_with_tsa.sh\n\n    - name: Collect diagnostics\n      if: ${{ failure() }}\n      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n"
  },
  {
    "path": ".github/workflows/kind-cluster-image-policy.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Test policy-controller with ClusterImagePolicy\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\ndefaults:\n  run:\n    shell: bash\n\npermissions: read-all\n\njobs:\n  cip-test:\n    name: ClusterImagePolicy e2e tests\n    runs-on: ubuntu-latest\n\n    strategy:\n      fail-fast: false # Keep running if one leg fails.\n      matrix:\n        k8s-version:\n          - v1.31.x\n          - v1.32.x\n          - v1.33.x\n          - v1.34.x\n\n        script:\n        - cluster_image_policy\n        - cluster_image_policy_with_attestations\n        - cluster_image_policy_with_oci11_attestations\n        - cluster_with_scalable\n        - cluster_image_policy_with_warn\n        - cluster_image_policy_with_source\n        - cluster_image_policy_with_fetch_config_file\n        - cluster_image_policy_with_include_spec\n        - cluster_image_policy_with_include_objectmeta\n        - cluster_image_policy_with_attestations_rego\n        - cluster_image_policy_with_include_typemeta\n        - cluster_image_policy_from_configmap_with_fetch_config_file\n        - cluster_image_policy_from_url\n\n    env:\n      KO_DOCKER_REPO: \"registry.local:5000/policy-controller\"\n      SCAFFOLDING_RELEASE_VERSION: \"v0.7.27\"\n      GO111MODULE: on\n      GOFLAGS: -ldflags=-s -ldflags=-w\n      KOCACHE: ~/ko\n\n    steps:\n    - name: free up disk space for 
the release\n      run: |\n          rm -rf /usr/share/dotnet/\n          rm -rf \"$AGENT_TOOLSDIRECTORY\"\n          rm -rf \"/usr/local/share/boost\"\n          rm -rf /opt/ghc\n          docker rmi $(docker image ls -aq) || true\n          swapoff /swapfile || true\n          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true\n          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \\\n            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \\\n            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \\\n            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \\\n            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \\\n            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \\\n            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \\\n            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \\\n            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \\\n            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \\\n            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \\\n            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \\\n            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \\\n            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \\\n            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \\\n            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \\\n            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \\\n            
php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \\\n            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \\\n            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \\\n            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \\\n            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \\\n            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \\\n            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \\\n            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \\\n            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \\\n            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \\\n            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \\\n            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \\\n            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \\\n            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \\\n            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \\\n            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \\\n            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \\\n            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \\\n            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true\n          apt-get remove -y 'php.*' || true\n          apt-get autoremove -y >/dev/null 2>&1 || true\n          apt-get autoclean -y >/dev/null 2>&1 || true\n    - uses: 
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './go.mod'\n        check-latest: true\n\n    # will use the latest release available for ko\n    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0\n\n    - name: Install yq\n      uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4\n\n    - name: Setup mirror\n      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        mirror: mirror.gcr.io\n\n    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159\n\n    - name: Install cluster + sigstore\n      uses: sigstore/scaffolding/actions/setup@main\n      with:\n        k8s-version: ${{ matrix.k8s-version}}\n        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}\n\n    - name: Copy TUF root to policy-controller namespace\n      run: |\n        kubectl create ns cosign-system\n        kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: cosign-system/' | kubectl create -f -\n        echo \"TUF_ROOT_FILE=./root.json\" >> $GITHUB_ENV\n\n    - name: Install policy-controller\n      env:\n        GIT_HASH: ${{ github.sha }}\n        GIT_VERSION: ci\n        LDFLAGS: \"\"\n        POLICY_CONTROLLER_YAML: test/kustomize/policy-controller-e2e.yaml\n        KO_PREFIX: registry.local:5000/policy-controller\n        POLICY_CONTROLLER_ARCHS: linux/amd64\n      run: |\n        make ko-policy-controller\n        kustomize build test/kustomize | kubectl apply -f -\n\n        # Wait for the webhook to come up and become Ready\n        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook\n\n        # And make sure everything is up.\n        kubectl wait deployment -n cosign-system 
--for condition=Available=True --timeout=90s --all\n        sleep 10\n\n    - name: Run Cluster Image Policy Tests\n      timeout-minutes: 15\n      run: |\n        ./test/e2e_test_${{ matrix.script }}.sh\n\n    - name: Make sure validatingwebhookconfiguration contains no status subresources\n      run: |\n        if kubectl get validatingwebhookconfigurations -oyaml policy.sigstore.dev | grep -q status; then\n          echo Found status resources in the webhook configuration\n          exit 1\n        fi\n\n    - name: Collect diagnostics\n      if: ${{ failure() }}\n      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n"
  },
  {
    "path": ".github/workflows/kind-e2e-cosigned.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Policy Controller KinD E2E\n\non:\n  pull_request:\n    branches:\n      - 'main'\n\npermissions: {}\n\njobs:\n  e2e-tests:\n    name: e2e tests\n    runs-on: ubuntu-latest\n\n    permissions:\n      contents: read # For checking out the code.\n\n    strategy:\n      fail-fast: false # Keep running if one leg fails.\n      matrix:\n        k8s-version:\n        - v1.31.x\n        - v1.32.x\n        - v1.33.x\n        - v1.34.x\n\n    env:\n      # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for\n      # '*.local' hostnames.\n      REGISTRY_NAME: registry.local\n      REGISTRY_PORT: 5000\n      INSECURE_REGISTRY_NAME: insecure-registry.notlocal\n      INSECURE_REGISTRY_PORT: 5001\n      KO_DOCKER_REPO: registry.local:5000/policy-controller\n\n    steps:\n    - name: free up disk space for the release\n      run: |\n          rm -rf /usr/share/dotnet/\n          rm -rf \"$AGENT_TOOLSDIRECTORY\"\n          rm -rf \"/usr/local/share/boost\"\n          rm -rf /opt/ghc\n          docker rmi $(docker image ls -aq) || true\n          swapoff /swapfile || true\n          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true\n          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \\\n            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 
clang-format-8 \\\n            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \\\n            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \\\n            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \\\n            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \\\n            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \\\n            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \\\n            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \\\n            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \\\n            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \\\n            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \\\n            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \\\n            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \\\n            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \\\n            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \\\n            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \\\n            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \\\n            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \\\n            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \\\n            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \\\n            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \\\n            php7.3-bcmath php7.3-bz2 
php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \\\n            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \\\n            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \\\n            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \\\n            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \\\n            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \\\n            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \\\n            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \\\n            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \\\n            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \\\n            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \\\n            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \\\n            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \\\n            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true\n          apt-get remove -y 'php.*' || true\n          apt-get autoremove -y >/dev/null 2>&1 || true\n          apt-get autoclean -y >/dev/null 2>&1 || true\n\n    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n      with:\n        persist-credentials: false\n\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './go.mod'\n        check-latest: true\n\n    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0\n\n    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 
# v3.9.2\n\n    - name: Setup mirror\n      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        mirror: mirror.gcr.io\n\n    - name: Setup kind cluster\n      uses: chainguard-dev/actions/setup-kind@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        k8s-version: ${{ matrix.k8s-version }}\n        cluster-suffix: c${{ github.run_id }}.local\n\n    - name: Setup local insecure registry\n      run: |\n        # Create a self-signed SSL cert\n        mkdir -p insecure-certs\n        openssl req \\\n          -subj \"/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com\" \\\n          -newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \\\n          -x509 -days 365 -out insecure-certs/domain.crt\n\n        # Run a registry.\n        docker run -d  --restart=always \\\n          --name $INSECURE_REGISTRY_NAME \\\n          -v \"$(pwd)\"/insecure-certs:/insecure-certs \\\n          -e REGISTRY_HTTP_ADDR=0.0.0.0:$INSECURE_REGISTRY_PORT \\\n          -e REGISTRY_HTTP_TLS_CERTIFICATE=/insecure-certs/domain.crt \\\n          -e REGISTRY_HTTP_TLS_KEY=/insecure-certs/domain.key \\\n          -p $INSECURE_REGISTRY_PORT:$INSECURE_REGISTRY_PORT \\\n          registry:2\n\n        # Connect the registry to the KinD network.\n        docker network connect \"kind\" $INSECURE_REGISTRY_NAME\n\n        # Make the $INSECURE_REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to\n        # local registry, even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_NAME/some/image\n        sudo echo \"127.0.0.1 $INSECURE_REGISTRY_NAME\" | sudo tee -a /etc/hosts\n\n    - name: Install policy-controller\n      env:\n        GIT_HASH: ${{ github.sha }}\n        GIT_VERSION: ci\n        LDFLAGS: \"\"\n        POLICY_CONTROLLER_YAML: policy-controller-e2e.yaml\n        KO_PREFIX: registry.local:5000/policy-controller\n        
POLICY_CONTROLLER_ARCHS: linux/amd64\n      run: |\n        make ko-policy-controller\n        kubectl apply -f policy-controller-e2e.yaml\n\n        # Wait for the webhook to come up and become Ready\n        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook\n        kubectl wait deployment -n cosign-system --for condition=Available=True --timeout=90s --all\n\n    - name: Run Image Policy Tests\n      run: |\n        ./test/e2e_test_policy_crd.sh\n\n    - name: Run Policy Controller Tests\n      run: |\n        ./test/e2e_test_policy_controller.sh\n\n    - name: Collect diagnostics\n      if: ${{ failure() }}\n      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n"
  },
  {
    "path": ".github/workflows/kind-e2e-trustroot-crd.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: TrustRoot CRD KinD E2E\n\non:\n  pull_request:\n    branches:\n      - 'main'\n\npermissions: {}\n\njobs:\n  e2e-crd-tests:\n    name: e2e CRD tests\n    runs-on: ubuntu-latest\n\n    permissions:\n      contents: read # For checking out the code.\n\n    strategy:\n      fail-fast: false # Keep running if one leg fails.\n      matrix:\n        k8s-version:\n        - v1.31.x\n        - v1.32.x\n        - v1.33.x\n        - v1.34.x\n\n    env:\n      # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for\n      # '*.local' hostnames.\n      REGISTRY_NAME: registry.local\n      REGISTRY_PORT: 5000\n      INSECURE_REGISTRY_NAME: insecure-registry.notlocal\n      INSECURE_REGISTRY_PORT: 5001\n      KO_DOCKER_REPO: registry.local:5000/policy-controller\n\n    steps:\n    - name: free up disk space for the release\n      run: |\n          rm -rf /usr/share/dotnet/\n          rm -rf \"$AGENT_TOOLSDIRECTORY\"\n          rm -rf \"/usr/local/share/boost\"\n          rm -rf /opt/ghc\n          docker rmi $(docker image ls -aq) || true\n          swapoff /swapfile || true\n          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true\n          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \\\n            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 
clang-format-8 \\\n            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \\\n            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \\\n            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \\\n            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \\\n            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \\\n            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \\\n            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \\\n            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \\\n            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \\\n            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \\\n            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \\\n            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \\\n            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \\\n            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \\\n            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \\\n            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \\\n            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \\\n            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \\\n            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \\\n            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \\\n            php7.3-bcmath php7.3-bz2 
php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \\\n            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \\\n            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \\\n            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \\\n            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \\\n            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \\\n            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \\\n            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \\\n            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \\\n            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \\\n            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \\\n            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \\\n            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \\\n            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true\n          apt-get remove -y 'php.*' || true\n          apt-get autoremove -y >/dev/null 2>&1 || true\n          apt-get autoclean -y >/dev/null 2>&1 || true\n\n    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n      with:\n        persist-credentials: false\n\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './go.mod'\n        check-latest: true\n\n    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0\n\n    - uses: 
sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159\n\n    - name: Setup mirror\n      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        mirror: mirror.gcr.io\n\n    - name: Setup kind cluster\n      uses: chainguard-dev/actions/setup-kind@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        k8s-version: ${{ matrix.k8s-version }}\n        cluster-suffix: c${{ github.run_id }}.local\n\n    - name: Install policy-controller\n      env:\n        GIT_HASH: ${{ github.sha }}\n        GIT_VERSION: ci\n        LDFLAGS: \"\"\n        POLICY_CONTROLLER_YAML: policy-controller-e2e.yaml\n        KO_PREFIX: registry.local:5000/policy-controller\n        POLICY_CONTROLLER_ARCHS: linux/amd64\n      run: |\n        make ko-policy-controller\n        kubectl apply -f policy-controller-e2e.yaml\n\n        # Wait for the webhook to come up and become Ready\n        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook\n\n        kubectl wait deployment -n cosign-system --for condition=Available=True --timeout=90s --all\n\n    - name: Run TrustRoot CRD e2e tests\n      run: |\n        ./test/e2e_test_trustroot_crd.sh\n\n    - name: Collect diagnostics\n      if: ${{ failure() }}\n      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n"
  },
  {
    "path": ".github/workflows/lint.yaml",
    "content": "name: golangci-lint\non:\n  push:\n    branches:\n      - main\n  pull_request:\n\npermissions: {}\n\njobs:\n  golangci:\n    name: lint\n    runs-on: ubuntu-latest\n\n    permissions:\n      contents: read\n      pull-requests: read\n\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n        with:\n          persist-credentials: false\n\n      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n        with:\n          go-version-file: './go.mod'\n\n      - name: golangci-lint\n        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0\n        with:\n          version: v2.6\n"
  },
  {
    "path": ".github/workflows/milestone.yaml",
    "content": "name: Milestone\n\non:\n  pull_request_target:\n    types: [closed]\n    branches:\n      - main\n\njobs:\n  milestone:\n    runs-on: ubuntu-latest\n\n    permissions:\n      actions: none\n      checks: none\n      contents: read\n      deployments: none\n      issues: write\n      packages: none\n      pull-requests: write\n      repository-projects: none\n      security-events: none\n      statuses: none\n\n    steps:\n      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0\n        with:\n          script: |\n            if (!context.payload.pull_request.merged) {\n              console.log('PR was not merged, skipping.');\n              return;\n            }\n            if (!!context.payload.pull_request.milestone) {\n              console.log('PR has existing milestone, skipping.');\n              return;\n            }\n            milestones = await github.rest.issues.listMilestones({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              state: 'open',\n              sort: 'due_on',\n              direction: 'asc'\n            })\n            if (milestones.data.length === 0) {\n              console.log('There are no milestones, skipping.');\n              return;\n            }\n            await github.rest.issues.update({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              issue_number: context.payload.pull_request.number,\n              milestone: milestones.data[0].number\n            });\n"
  },
  {
    "path": ".github/workflows/policy-tester-examples.yml",
    "content": "#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Verify examples using policy-tester\n\non:\n  workflow_dispatch:\n  push:\n    branches: ['main', 'release-*']\n  pull_request:\n\njobs:\n  verify:\n    runs-on: ubuntu-latest\n\n    permissions:\n      id-token: write\n      contents: read\n\n    env:\n      GOPATH: ${{ github.workspace }}\n      COSIGN_YES: \"true\"\n\n    steps:\n    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n      with:\n        path: ./src/github.com/${{ github.repository }}\n        fetch-depth: 0\n\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './src/github.com/${{ github.repository }}/go.mod'\n        check-latest: true\n\n    - name: Build the policy-tester CLI\n      working-directory: ./src/github.com/${{ github.repository }}\n      run: |\n        make policy-tester\n\n    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159\n\n    - name: Setup local registry\n      run: |\n        docker run -d  --restart=always \\\n          --name registry.local \\\n          -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \\\n          -p 5000:5000 \\\n          registry:2\n\n    - name: Example (custom-key-attestation-sbom-spdxjson)\n      working-directory: ./src/github.com/${{ github.repository }}/examples\n      run: |\n        
REF=\"localhost:5000/examples/custom-key-attestation-sbom-spdxjson\"\n\n        # Push an image\n        docker pull alpine\n        docker tag alpine \"${REF}\"\n        docker push \"${REF}\"\n\n        # Attach attestation to image\n        cosign attest --yes --type spdxjson \\\n          --predicate sboms/example.spdx.json \\\n          --key keys/cosign.key \\\n          \"${REF}\"\n\n        # Verify the attestation\n        cosign verify-attestation \\\n          --type spdxjson \\\n          --key keys/cosign.pub \\\n          \"${REF}\"\n\n        # Ensure the image satisfies the policy\n        ../policy-tester \\\n          --policy policies/custom-key-attestation-sbom-spdxjson.yaml \\\n          --image \"${REF}\"\n\n    # Make sure we can't run Jobs, exercise metadata CIP matching.\n    - name: Example (verify CIP level typemeta policy failure)\n      working-directory: ./src/github.com/${{ github.repository }}\n      run: |\n        REF=\"ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\"\n\n        # Ensure the image does not satisfy the policy\n        if ./policy-tester \\\n          --policy examples/policies/allow-only-pods.yaml \\\n          --image \"${REF}\" \\\n          --resource test/testdata/resources/job.yaml ; then\n            echo Failed to block Job from running\n            exit 1\n        fi\n\n    # Make sure we can run Pods, exercise metadata CIP matching.\n    - name: Example (verify CIP level typemeta policy success)\n      working-directory: ./src/github.com/${{ github.repository }}\n      run: |\n        REF=\"ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\"\n\n        # Ensure the image satisfies the policy\n        ./policy-tester \\\n          --policy examples/policies/allow-only-pods.yaml \\\n          --image \"${REF}\" \\\n          --resource test/testdata/resources/pod.yaml\n\n    # This example 
requires public Fulcio, only run on push to main\n    - if: ${{ github.event_name == 'push' }}\n      name: Example (keyless-attestation-sbom-spdxjson)\n      working-directory: ./src/github.com/${{ github.repository }}/examples\n      run: |\n        REF=\"localhost:5000/examples/keyless-attestation-sbom-spdxjson\"\n\n        # Push an image\n        docker pull alpine\n        docker tag alpine \"${REF}\"\n        docker push \"${REF}\"\n\n        # Attach attestation to image\n        cosign attest --yes --type spdxjson \\\n          --predicate sboms/example.spdx.json \\\n          \"${REF}\"\n\n        # Ensure the image satisfies the policy\n        ../policy-tester \\\n          --policy policies/keyless-attestation-sbom-spdxjson.yaml \\\n          --image \"${REF}\"\n\n    # This example requires public Fulcio, only run on push to main\n    - if: ${{ github.event_name == 'push' }}\n      name: Example (signed-by-github-actions)\n      working-directory: ./src/github.com/${{ github.repository }}/examples\n      run: |\n        REF=\"localhost:5000/examples/signed-by-github-actions\"\n\n        # Push an image\n        docker pull alpine\n        docker tag alpine \"${REF}\"\n        docker push \"${REF}\"\n\n        # Sign image\n        cosign sign \"${REF}\"\n\n        # Ensure the image satisfies the policy\n        ../policy-tester \\\n          --policy policies/signed-by-github-actions.yaml \\\n          --image \"${REF}\"\n"
  },
  {
    "path": ".github/workflows/release-snapshot.yaml",
    "content": "name: snapshot\n\non:\n  pull_request:\n\npermissions:\n  contents: read\n\njobs:\n  snapshot:\n\n    runs-on: ubuntu-latest\n    steps:\n      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1\n        with:\n          android: true\n          dotnet: true\n          haskell: true\n          large-packages: true\n          docker-images: true\n          swap-storage: true\n\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n        with:\n          go-version-file: './go.mod'\n          check-latest: true\n\n      - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0\n\n      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n      - name: Set LDFLAGS\n        id: ldflags\n        run: |\n           source ./release/ldflags.sh\n           goflags=$(ldflags)\n           echo \"GO_FLAGS=\"${goflags}\"\" >> \"$GITHUB_ENV\"\n\n      - name: Run GoReleaser\n        id: run-goreleaser\n        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0\n        with:\n          version: latest\n          args: release --snapshot --clean --timeout 120m --skip=sign\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n          LDFLAGS: ${{ env.GO_FLAGS }}\n"
  },
  {
    "path": ".github/workflows/release.yaml",
    "content": "name: Cut Release\n\non:\n  push:\n    tags:\n      - \"v*\"\n\nconcurrency: cut-release\n\npermissions:\n  contents: write # needed to write releases\n  id-token: write # needed for keyless signing\n  packages: write # needed for pushing the images to ghcr.io\n\njobs:\n  release:\n    outputs:\n      hashes: ${{ steps.hash.outputs.hashes }}\n      tag_name: ${{ steps.tag.outputs.tag_name }}\n    runs-on: ubuntu-latest\n    steps:\n      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1\n        with:\n          android: true\n          dotnet: true\n          haskell: true\n          large-packages: true\n          docker-images: true\n          swap-storage: true\n\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n        with:\n          fetch-depth: 0\n\n      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n        with:\n          go-version-file: './go.mod'\n          check-latest: true\n\n      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159\n\n      - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0\n\n      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9\n\n      - name: Set up Cloud SDK\n        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0\n        with:\n          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller'\n          service_account: 'gha-policy-controller@projectsigstore.iam.gserviceaccount.com'\n\n      - name: 'Set up Cloud SDK'\n        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1\n\n      - name: creds\n        run: gcloud auth configure-docker --quiet\n\n      - name: Set LDFLAGS\n        id: ldflags\n        run: |\n           source ./release/ldflags.sh\n           
goflags=$(ldflags)\n           echo \"GO_FLAGS=\"${goflags}\"\" >> \"$GITHUB_ENV\"\n\n      - name: Set tag output\n        id: tag\n        run: echo \"tag_name=${GITHUB_REF#refs/*/}\" >> \"$GITHUB_OUTPUT\"\n\n      - name: Run GoReleaser\n        id: run-goreleaser\n        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0\n        with:\n          version: latest\n          args: release --clean --timeout 120m --parallelism 1\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n          LDFLAGS: ${{ env.GO_FLAGS }}\n\n      - name: Generate subject\n        id: hash\n        env:\n          ARTIFACTS: \"${{ steps.run-goreleaser.outputs.artifacts }}\"\n        run: |\n          set -euo pipefail\n          checksum_file=$(echo \"$ARTIFACTS\" | jq -r '.[] | select (.type==\"Checksum\") | .path')\n          echo \"hashes=$(cat $checksum_file | base64 -w0)\" >> \"$GITHUB_OUTPUT\"\n\n      - name: build images\n        run: |\n          make build-sign-release-images\n        env:\n          LDFLAGS: ${{ env.GO_FLAGS }}\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n\n      - name: copy-signed-release-to-ghcr\n        run: make copy-signed-release-to-ghcr || true\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n\n  provenance:\n    needs: [release]\n    permissions:\n      actions: read # To read the workflow path.\n      id-token: write # To sign the provenance.\n      contents: write # To add assets to a release.\n    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0\n    with:\n      base64-subjects: \"${{ needs.release.outputs.hashes }}\"\n      upload-assets: true # upload to a new release\n      upload-tag-name: \"${{ needs.release.outputs.tag_name }}\"\n"
  },
  {
    "path": ".github/workflows/scorecard_action.yml",
    "content": "name: Scorecards supply-chain security\non:\n  # Only the default branch is supported.\n  branch_protection_rule:\n  schedule:\n    # Weekly on Saturdays.\n    - cron: '30 1 * * 6'\n  push:\n    branches: [ main ]\n\n# Declare default permissions as read only.\npermissions: read-all\n\njobs:\n  analysis:\n    name: Scorecards analysis\n    runs-on: ubuntu-latest\n    permissions:\n      # Needed to upload the results to code-scanning dashboard.\n      security-events: write\n      actions: read\n      contents: read\n      id-token: write\n\n    steps:\n      - name: \"Checkout code\"\n        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n        with:\n          persist-credentials: false\n\n      - name: \"Run analysis\"\n        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3\n        with:\n          results_file: results.sarif\n          results_format: sarif\n          # Read-only PAT token. To create it,\n          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.\n          repo_token: ${{ secrets.SCORECARD_TOKEN }}\n          # Publish the results for public repositories to enable scorecard badges. For more details, see\n          # https://github.com/ossf/scorecard-action#publishing-results.\n          # For private repositories, `publish_results` will automatically be set to `false`, regardless\n          # of the value entered here.\n          publish_results: true\n\n      # Upload the results as artifacts (optional). 
Commenting out will disable uploads of run results in SARIF\n      # format to the repository Actions tab.\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0\n        with:\n          name: SARIF file\n          path: results.sarif\n          retention-days: 5\n\n      # Upload the results to GitHub's code scanning dashboard.\n      - name: \"Upload to code-scanning\"\n        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5\n        with:\n          sarif_file: results.sarif\n"
  },
  {
    "path": ".github/workflows/style.yaml",
    "content": "name: Code Style\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\npermissions: read-all\n\njobs:\n  gofmt:\n    name: check gofmt\n    runs-on: ubuntu-latest\n\n    steps:\n      - name: Check out code\n        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n      - name: Set up Go\n        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n        with:\n          go-version-file: './go.mod'\n          check-latest: true\n\n      - uses: chainguard-dev/actions/gofmt@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n        with:\n          args: -s\n\n  goimports:\n    name: check goimports\n    runs-on: ubuntu-latest\n\n    steps:\n      - name: Check out code\n        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n      - name: Set up Go\n        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n        with:\n          go-version-file: './go.mod'\n          check-latest: true\n\n      - uses: chainguard-dev/actions/goimports@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n"
  },
  {
    "path": ".github/workflows/tests.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: CI-Tests\n\non:\n  workflow_dispatch:\n  push:\n    branches: ['main', 'release-*']\n  pull_request:\n\npermissions: read-all\n\njobs:\n  unit-tests:\n    name: Run unit tests\n    permissions:\n      contents: read\n    runs-on: ${{ matrix.os }}\n    strategy:\n      matrix:\n        os: [ubuntu-latest]\n    env:\n      OS: ${{ matrix.os }}\n\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n      # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds\n      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4\n        with:\n          # In order:\n          # * Module download cache\n          # * Build cache (Linux)\n          path: |\n            ~/go/pkg/mod\n            ~/.cache/go-build\n            ~/Library/Caches/go-build\n            %LocalAppData%\\go-build\n          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}\n          restore-keys: |\n            ${{ runner.os }}-go-\n      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n        with:\n          go-version-file: './go.mod'\n          check-latest: true\n      - name: Run Go tests\n        run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... 
| grep -v third_party/)\n      - name: Upload Coverage Report\n        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3\n        with:\n          env_vars: OS\n      - name: Run Go tests w/ `-race`\n        if: ${{ runner.os == 'Linux' }}\n        run: go test -race $(go list ./... | grep -v third_party/)\n\n  license-check:\n    name: license boilerplate check\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n        with:\n          go-version-file: './go.mod'\n          check-latest: true\n      - name: Install addlicense\n        run: go install github.com/google/addlicense@latest\n      - name: Check license headers\n        run: |\n          set -e\n          addlicense -check -l apache -c 'The Sigstore Authors' -ignore \"third_party/**\" -v *\n"
  },
  {
    "path": ".github/workflows/verify-codegen.yaml",
    "content": "#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Codegen\n\non:\n  workflow_dispatch:\n  push:\n    branches: ['main', 'release-*']\n  pull_request:\n\npermissions: read-all\n\njobs:\n  verify:\n    name: Verify codegen\n    runs-on: ubuntu-latest\n\n    env:\n      GOPATH: ${{ github.workspace }}\n\n    steps:\n    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n      with:\n        path: ./src/github.com/${{ github.repository }}\n        fetch-depth: 0\n\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './src/github.com/${{ github.repository }}/go.mod'\n        check-latest: true\n\n    - shell: bash\n      working-directory: ./src/github.com/${{ github.repository }}\n      run: |\n        ./hack/update-codegen.sh\n\n        # For whatever reason running this makes it not complain...\n        git status\n\n    - uses: chainguard-dev/actions/nodiff@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        path: ./src/github.com/${{ github.repository }}\n        fixup-command: \"./hack/update-codegen.sh\"\n"
  },
  {
    "path": ".github/workflows/verify-docs.yaml",
    "content": "#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: API Docs Generator\n\non:\n  workflow_dispatch:\n  push:\n    branches: ['main', 'release-*']\n  pull_request:\n\npermissions: read-all\n\njobs:\n  verify-docs:\n    name: Verify API docs\n    runs-on: ubuntu-latest\n\n    env:\n      GOPATH: ${{ github.workspace }}\n\n    steps:\n    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n      with:\n        path: ./src/github.com/${{ github.repository }}\n        fetch-depth: 0\n\n    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n      with:\n        go-version-file: './src/github.com/${{ github.repository }}/go.mod'\n        check-latest: true\n\n    - shell: bash\n      working-directory: ./src/github.com/${{ github.repository }}\n      run: |\n        make docs\n\n        # For whatever reason running this makes it not complain...\n        git status\n\n    - uses: chainguard-dev/actions/nodiff@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n      with:\n        path: ./src/github.com/${{ github.repository }}\n        fixup-command: \"make docs\"\n"
  },
  {
    "path": ".github/workflows/whitespace.yaml",
    "content": "name: Whitespace\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\npermissions: read-all\n\njobs:\n\n  whitespace:\n    name: Check Whitespace\n    runs-on: ubuntu-latest\n\n    steps:\n      - name: Check out code\n        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n      - uses: chainguard-dev/actions/trailing-space@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n        if: ${{ always() }}\n\n      - uses: chainguard-dev/actions/eof-newline@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9\n        if: ${{ always() }}\n"
  },
  {
    "path": ".gitignore",
    "content": "# Binaries for programs and plugins\n.DS_STORE\n*.exe\n*.exe~\n*.dll\n*.so\n*.dylib\n\n# Test binary, built with `go test -c`\n*.test\n\n# Output of the go coverage tool, specifically when used with LiteIDE\n*.out\n\n# Dependency directories (remove the comment below to include it)\n# vendor/\n\n# cosign stuff\n/cosign*\n.vscode\n.idea\n\n# fuzzing artifacts\n*.libfuzzer\n*fuzz.a\n\nbin*\ndist/\npolicyControllerImagerefs\n\n**verify-experimental*\n\npolicy-controller\npolicy-tester\n\n# Vim\n*.swp\n\ngha-creds-*.json\n\n# Kind cluster configuration produced by the local-dev tool\nkind.yaml\n"
  },
  {
    "path": ".golangci.yml",
    "content": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\nversion: \"2\"\nrun:\n  issues-exit-code: 1\nlinters:\n  enable:\n    - asciicheck\n    - errorlint\n    - gocritic\n    - gosec\n    - importas\n    - misspell\n    - prealloc\n    - revive\n    - staticcheck\n    - tparallel\n    - unconvert\n    - unparam\n    - whitespace\n  settings:\n    revive:\n      rules:\n        - name: dot-imports\n          arguments:\n            - allowedPackages:\n                - knative.dev/pkg/configmap/testing\n                - knative.dev/pkg/reconciler/testing\n                - github.com/sigstore/policy-controller/pkg/reconciler/testing/v1alpha1\n  exclusions:\n    generated: lax\n    presets:\n      - comments\n      - common-false-positives\n      - legacy\n      - std-error-handling\n    rules:\n      - linters:\n          - errcheck\n          - gosec\n        path: _test\\.go\n    paths:\n      - ^third_party/\n      - ^examples/\nissues:\n  max-issues-per-linter: 0\n  max-same-issues: 0\nformatters:\n  enable:\n    - gofmt\n    - goimports\n  exclusions:\n    generated: lax\n    paths:\n      - ^third_party/\n      - ^examples/\n"
  },
  {
    "path": ".goreleaser.yaml",
    "content": "project_name: policy-controller\nversion: 2\n\nenv:\n  - GO111MODULE=on\n  - COSIGN_YES=true\n\nbefore:\n  hooks:\n    - go mod tidy\n    - /bin/bash -c 'if [ -n \"$(git --no-pager diff --exit-code go.mod go.sum)\" ]; then exit 1; fi'\n\nbuilds:\n  - id: tester\n    binary: tester-{{ .Os }}-{{ .Arch }}\n    no_unique_dist_dir: true\n    main: ./cmd/tester\n    flags:\n      - -trimpath\n    mod_timestamp: '{{ .CommitTimestamp }}'\n    goos:\n      - linux\n      - darwin\n      - windows\n    goarch:\n      - amd64\n      - arm64\n      - arm\n      - s390x\n      - ppc64le\n    goarm:\n      - 7\n    ignore:\n      - goos: windows\n        goarch: arm64\n      - goos: windows\n        goarch: arm\n      - goos: windows\n        goarch: s390x\n      - goos: windows\n        goarch: ppc64le\n    ldflags:\n      - \"{{ .Env.LDFLAGS }}\"\n    env:\n      - CGO_ENABLED=0\n\nsigns:\n  # Keyless\n  - id: tester\n    signature: \"${artifact}-keyless.sig\"\n    certificate: \"${artifact}-keyless.pem\"\n    cmd: cosign\n    args: [\"sign-blob\", \"--output-signature\", \"${artifact}-keyless.sig\", \"--output-certificate\", \"${artifact}-keyless.pem\", \"${artifact}\"]\n    artifacts: binary\n  - id: checksum-keyless\n    signature: \"${artifact}-keyless.sig\"\n    certificate: \"${artifact}-keyless.pem\"\n    cmd: cosign\n    args: [\"sign-blob\", \"--output-signature\", \"${artifact}-keyless.sig\", \"--output-certificate\", \"${artifact}-keyless.pem\", \"${artifact}\"]\n    artifacts: checksum\n\narchives:\n  - format: binary\n    name_template: \"{{ .Binary }}\"\n    allow_different_binary_count: true\n\nchecksum:\n  name_template: \"{{ .ProjectName }}_checksums.txt\"\n\nsnapshot:\n  version_template: SNAPSHOT-{{ .ShortCommit }}\n\nrelease:\n  prerelease: allow # remove this when we start publishing non-prerelease or set to auto\n  github:\n    owner: sigstore\n    name: policy-controller\n  footer: |\n    ### Thanks to all contributors!\n  extra_files:\n  
  - glob: \"./policy-controller*.yaml\"\n"
  },
  {
    "path": ".ko.yaml",
    "content": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\ndefaultBaseImage: cgr.dev/chainguard/static:latest\n\nbuilds:\n  - id: policy-controller\n    dir: .\n    main: ./cmd/webhook\n    env:\n      - CGO_ENABLED=0\n    flags:\n      - -trimpath\n      - --tags\n      - \"{{ .Env.GIT_HASH }}\"\n      - --tags\n      - \"{{ .Env.GIT_VERSION }}\"\n    ldflags:\n      - -extldflags \"-static\"\n      - \"{{ .Env.LDFLAGS }}\"\n\n"
  },
  {
    "path": "CHANGELOG.md",
    "content": "# v0.12.0\n\n* drop 1.27/28 and add 1.30/31/32 k8s\n* fix post submit job\n* Use v0.7.18 for scaffolding, update k8s versions to test with\n\n## Contributors\n\n* Carlos Tadeu Panato Junior\n* Ville Aikas\n\n# v0.1.0\n\n## Enhancements\n\n* Refactor entire policy validation into ValidatePolicy.\n* Set reinvocationPolicy to 'IfNeeded' for the tag resolver webhook\n* Add policy-tester CLI for testing ClusterImagePolicies\n* (tester) Validate CIP before using it.\n* (tester) call SetDefaults on cip before conversion\n* remove v1.21 k8s which is deprecated and add v1.24\n* chore: do not fail to verify signed images if the secret-name flag is not set\n\n## Bug fixes\n\n* Fix issue #38. Do not block status updates.\n* Avoid test race condition.\n* Fix https://github.com/sigstore/cosign/issues/1653\n* Allow for @ symbol on globs to support image refs with digest\n* Validate globs at admission time.\n* fix: add missing conversion to CRD\n* fix: solve vuln from our opa version\n* Fix issue #24\n* Bump some vulnerable dependencies; base on distroless/static\n\n## Others\n\n* Bump mikefarah/yq from 4.25.3 to 4.26.1\n* Bump actions/dependency-review-action from 2.0.2 to 2.0.4\n* Bump google.golang.org/grpc from 1.47.0 to 1.48.0\n* Bump github/codeql-action from 2.1.15 to 2.1.16\n* Bump actions/cache from 3.0.4 to 3.0.5\n* Bump actions/setup-go from 3.2.0 to 3.2.1\n* update knative to use v1.5.0 release\n* update scafolding to use release v0.3.0\n* Bump github.com/aws/aws-sdk-go-v2 from 1.16.6 to 1.16.7\n* Bump sigstore/cosign-installer from 2.4.0 to 2.4.1\n* Bump github.com/aws/aws-sdk-go-v2 from 1.16.5 to 1.16.6\n* increase timeout for golangci-lint\n* Bump github.com/stretchr/testify from 1.7.5 to 1.8.0\n* Bump github/codeql-action from 2.1.14 to 2.1.15\n* Switch to direct returns\n* Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0\n* Bump ossf/scorecard-action from 1.1.1 to 1.1.2\n* chore: skip secret not found\n* Bump github.com/stretchr/testify 
from 1.7.4 to 1.7.5\n* Bump mikefarah/yq from 4.25.2 to 4.25.3\n* Bump github/codeql-action from 2.1.13 to 2.1.14\n* Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0\n* Bump github.com/stretchr/testify from 1.7.2 to 1.7.4\n* Bump github/codeql-action from 2.1.12 to 2.1.13\n* Bump actions/dependency-review-action from 2.0.1 to 2.0.2\n* Bump actions/dependency-review-action from 1.0.2 to 2.0.1\n* Update tests for OR behaviour wrt authorities.\n* remove unused struct from imports\n* Add policy to make sure signature and attestation is there.\n* Return authoritymatches before errors.\n* remove third_party stuff due to mismatch in go version.\n* Use fulcioroots from sigstore/sigstore\n* Even if some authority returns err, return any other matching authority results.\n* Use public fulcio/rekor to make sure things are not there.\n* hack/update-deps.sh\n\n## Contributors\n\n* Carlos Tadeu Panato Junior\n* Hector Fernandez\n* Jason Hall\n* Josh Dolitsky\n* Matt Moore\n* Ville Aikas\n* Vladimir Nachev\n* cpanato\n* dependabot[bot]\n* dlorenc\n* hectorj2f\n"
  },
  {
    "path": "CODEOWNERS",
    "content": "# The CODEOWNERS are managed via a GitHub team, but the current list is (in alphabetical order):\n#\n# lukehinds\n"
  },
  {
    "path": "CODE_OF_CONDUCT.md",
    "content": "# Code of Conduct\n\n## Our Pledge\n\nIn the interest of fostering an open and welcoming environment, we as\ncontributors and maintainers pledge to making participation in our project and\nour community a harassment-free experience for everyone, regardless of age, body\nsize, disability, ethnicity, gender identity and expression, level of experience,\nnationality, personal appearance, race, religion, or sexual identity and\norientation.\n\n## Our Standards\n\nExamples of behavior that contributes to creating a positive environment\ninclude:\n\n* Using welcoming and inclusive language\n* Being respectful of differing viewpoints and experiences\n* Gracefully accepting constructive criticism\n* Focusing on what is best for the community\n* Showing empathy towards other community members\n\nExamples of unacceptable behavior by participants include:\n\n* The use of sexualized language or imagery and unwelcome sexual attention or\n  advances\n* Trolling, insulting/derogatory comments, and personal or political attacks\n* Public or private harassment\n* Publishing others' private information, such as a physical or electronic\n  address, without explicit permission\n* Other conduct which could reasonably be considered inappropriate in a\n  professional setting\n\n## Our Responsibilities\n\nProject maintainers are responsible for clarifying the standards of acceptable\nbehavior and are expected to take appropriate and fair corrective action in\nresponse to any instances of unacceptable behavior.\n\nProject maintainers have the right and responsibility to remove, edit, or\nreject comments, commits, code, wiki edits, issues, and other contributions\nthat are not aligned to this Code of Conduct, or to ban temporarily or\npermanently any contributor for other behaviors that they deem inappropriate,\nthreatening, offensive, or harmful.\n\n## Scope\n\nThis Code of Conduct applies both within project spaces and in public spaces\nwhen an individual is representing 
the project or its community. Examples of\nrepresenting a project or community include using an official project e-mail\naddress, posting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event. Representation of a project may be\nfurther defined and clarified by project maintainers.\n\n## Enforcement\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported by contacting the project team at <maintainers@sigstore.dev>. All\ncomplaints will be reviewed and investigated and will result in a response that\nis deemed necessary and appropriate to the circumstances. The project team is\nobligated to maintain confidentiality with regard to the reporter of an incident.\nFurther details of specific enforcement policies may be posted separately.\n\nProject maintainers who do not follow or enforce the Code of Conduct in good\nfaith may face temporary or permanent repercussions as determined by other\nmembers of the project's leadership.\n\n## Attribution\n\nThis Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,\navailable at [http://contributor-covenant.org/version/1/4][version]\n\n[homepage]: http://contributor-covenant.org\n[version]: http://contributor-covenant.org/version/1/4/"
  },
  {
    "path": "COPYRIGHT.txt",
    "content": "\nCopyright 2021 The Sigstore Authors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "Makefile",
    "content": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)\nifeq (,$(shell go env GOBIN))\nGOBIN=$(shell go env GOPATH)/bin\nelse\nGOBIN=$(shell go env GOBIN)\nendif\n\nGOFILES ?= $(shell find . -type f -name '*.go' -not -path \"./vendor/*\")\n\n# Set version variables for LDFLAGS\nPROJECT_ID ?= projectsigstore\nRUNTIME_IMAGE ?= gcr.io/distroless/static\nGIT_VERSION ?= $(shell git describe --tags --always --dirty)\nGIT_HASH ?= $(shell git rev-parse HEAD)\nDATE_FMT = +%Y-%m-%dT%H:%M:%SZ\nSOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)\nifdef SOURCE_DATE_EPOCH\n    BUILD_DATE ?= $(shell date -u -d \"@$(SOURCE_DATE_EPOCH)\" \"$(DATE_FMT)\" 2>/dev/null || date -u -r \"$(SOURCE_DATE_EPOCH)\" \"$(DATE_FMT)\" 2>/dev/null || date -u \"$(DATE_FMT)\")\nelse\n    BUILD_DATE ?= $(shell date \"$(DATE_FMT)\")\nendif\nGIT_TREESTATE = \"clean\"\nDIFF = $(shell git diff --quiet >/dev/null 2>&1; if [ $$? 
-eq 1 ]; then echo \"1\"; fi)\nifeq ($(DIFF), 1)\n    GIT_TREESTATE = \"dirty\"\nendif\n\nPOLICY_CONTROLLER_ARCHS?=all\n\nLDFLAGS=-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_VERSION) \\\n        -X sigs.k8s.io/release-utils/version.gitCommit=$(GIT_HASH) \\\n        -X sigs.k8s.io/release-utils/version.gitTreeState=$(GIT_TREESTATE) \\\n        -X sigs.k8s.io/release-utils/version.buildDate=$(BUILD_DATE)\n\nSRCS = $(shell find cmd -iname \"*.go\") $(shell find pkg -iname \"*.go\")\n\nGOLANGCI_LINT_DIR = $(shell pwd)/bin\nGOLANGCI_LINT_BIN = $(GOLANGCI_LINT_DIR)/golangci-lint\n\nKO_PREFIX ?= gcr.io/projectsigstore\nexport KO_DOCKER_REPO=$(KO_PREFIX)\nGHCR_PREFIX ?= ghcr.io/sigstore/policy-controller\nPOLICY_CONTROLLER_YAML ?= policy-controller-$(GIT_VERSION).yaml\nLATEST_TAG ?=\n\n.PHONY: all lint test clean policy-controller cross docs\nall: policy-controller\n\nlog-%:\n\t@grep -h -E '^$*:.*?## .*$$' $(MAKEFILE_LIST) | \\\n\t\tawk \\\n\t\t\t'BEGIN { \\\n\t\t\t\tFS = \":.*?## \" \\\n\t\t\t}; \\\n\t\t\t{ \\\n\t\t\t\tprintf \"\\033[36m==> %s\\033[0m\\n\", $$2 \\\n\t\t\t}'\n\n.PHONY: checkfmt\ncheckfmt: SHELL := /usr/bin/env bash\ncheckfmt: ## Check formatting of all go files\n\t@ $(MAKE) --no-print-directory log-$@\n \t$(shell test -z \"$(shell gofmt -l $(GOFILES) | tee /dev/stderr)\")\n \t$(shell test -z \"$(shell goimports -l $(GOFILES) | tee /dev/stderr)\")\n\n.PHONY: fmt\nfmt: ## Format all go files\n\t@ $(MAKE) --no-print-directory log-$@\n\tgoimports -w $(GOFILES)\n\n## Build policy-controller binary\n.PHONY: policy-controller\npolicy-controller:\n\tCGO_ENABLED=0 go build -trimpath -ldflags \"$(LDFLAGS)\" -o $@ ./cmd/webhook\n\n## Build policy-tester binary\n.PHONY: policy-tester\npolicy-tester:\n\tCGO_ENABLED=0 go build -trimpath -ldflags \"$(LDFLAGS)\" -o $@ ./cmd/tester\n\n## Build local-dev binary\n.PHONY: local-dev\nlocal-dev:\n\tCGO_ENABLED=0 go build -trimpath -ldflags \"$(LDFLAGS)\" -o bin/$@ ./cmd/local-dev\n\n#####################\n# 
lint / test section\n#####################\n\ngolangci-lint:\n\trm -f $(GOLANGCI_LINT_BIN) || :\n\tset -e ;\\\n\tGOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6.2 ;\\\n\nlint: golangci-lint ## Run golangci-lint linter\n\t$(GOLANGCI_LINT_BIN) run -n\n\ntest:\n\tgo test $(shell go list ./... | grep -v third_party/)\n\nclean:\n\trm -rf policy-controller\n\nKOCACHE_PATH=/tmp/ko\nARTIFACT_HUB_LABELS=--image-label io.artifacthub.package.readme-url=\"https://raw.githubusercontent.com/sigstore/policy-controller/main/README.md\" \\\n                    --image-label io.artifacthub.package.license=Apache-2.0 --image-label io.artifacthub.package.vendor=sigstore \\\n                    --image-label io.artifacthub.package.version=0.1.0 \\\n                    --image-label io.artifacthub.package.name=policy-controller \\\n                    --image-label org.opencontainers.image.created=$(BUILD_DATE) \\\n                    --image-label org.opencontainers.image.description=\"Kubernetes webhook for configuring admission policies\" \\\n                    --image-label io.artifacthub.package.alternative-locations=\"oci://ghcr.io/sigstore/policy-controller/policy-controller\"\n\ndefine create_kocache_path\n  mkdir -p $(KOCACHE_PATH)\nendef\n\n##########\n# ko build\n##########\n.PHONY: ko\nko: ko-policy-controller\n\n.PHONY: ko-policy-controller\nko-policy-controller: kustomize-policy-controller\n\t# policy-controller\n\tLDFLAGS=\"$(LDFLAGS)\" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \\\n\tKOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/policy-controller ko resolve --bare \\\n\t\t--platform=$(POLICY_CONTROLLER_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \\\n\t\t--image-refs policyControllerImagerefs --filename config/webhook.yaml >> $(POLICY_CONTROLLER_YAML)\n\n.PHONY: ko-local\nko-local:\n\tLDFLAGS=\"$(LDFLAGS)\" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \\\n\tKOCACHE=$(KOCACHE_PATH) 
KO_DOCKER_REPO=ko.local ko build --base-import-paths \\\n\t\t--tags $(GIT_VERSION) --tags $(GIT_HASH) \\\n\t\t$(ARTIFACT_HUB_LABELS) \\\n\t\t--platform=all \\\n\t\tgithub.com/sigstore/policy-controller/cmd/webhook\n\n.PHONY: ko-apply\nko-apply:\n\tLDFLAGS=\"$(LDFLAGS)\" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/\n\n\n.PHONY: kustomize-policy-controller\nkustomize-policy-controller:\n\tkustomize build config/ > $(POLICY_CONTROLLER_YAML)\n\n##################\n# help\n##################\n\nhelp: # Display help\n\t@awk -F ':|##' \\\n\t\t'/^[^\\t].+?:.*?##/ {\\\n\t\t\tprintf \"\\033[36m%-30s\\033[0m %s\\n\", $$1, $$NF \\\n\t\t}' $(MAKEFILE_LIST) | sort\n\ninclude release/release.mk\ninclude test/ci.mk\n\n.PHONY: docs\ndocs: docs/generate-api\n\n.PHONY: docs/generate-api\ndocs/generate-api:\n\tmkdir -p docs/api-types; \\\n\t  go run -ldflags \"$(GO_LDFLAGS)\" ./cmd/api-docs/main.go \\\n\t    \"v1beta1\" \\\n\t    `find ./pkg/apis/policy/v1beta1/ -iname '*types.go' |  sort -r | tr '\\n' ' '` \\\n\t    > docs/api-types/index.md;\n\t  go run -ldflags \"$(GO_LDFLAGS)\" ./cmd/api-docs/main.go \\\n\t    \"v1alpha1\" \\\n\t    `find ./pkg/apis/policy/v1alpha1/ -iname '*types.go' |  sort -r | tr '\\n' ' '` \\\n\t    > docs/api-types/index-v1alpha1.md;\n\n.PHONY: generate-testdata\ngenerate-testdata:\n\tgo run hack/gentestdata/gentestdata.go\n"
  },
  {
    "path": "README.md",
    "content": "<p align=\"center\">\n  <img style=\"max-width: 100%;width: 300px;\" src=\"https://raw.githubusercontent.com/sigstore/community/main/artwork/policy-controller/Horizontal/Full%20Color/sigstore_policycontroller-horizontal-color.svg\" alt=\"Cosign logo\"/>\n</p>\n\n# Policy Controller\n\nThe `policy-controller` admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from `cosign`.\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/sigstore/policy-controller)](https://goreportcard.com/report/github.com/sigstore/policy-controller)\n[![e2e-tests](https://github.com/sigstore/policy-controller/actions/workflows/kind-e2e-cosigned.yaml/badge.svg)](https://github.com/sigstore/policy-controller/actions/workflows/kind-e2e-cosigned.yaml)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/policy-controller/badge)](https://api.securityscorecards.dev/projects/github.com/sigstore/policy-controller)\n\n`policy-controller` also resolves the image tags to ensure the image being ran is not different from when it was admitted.\n\nSee the [installation instructions](https://docs.sigstore.dev/policy-controller/installation) for more information.\n\nToday, `policy-controller` can automatically validate signatures and\nattestations on container images.\nEnforcement is configured on a per-namespace basis, and multiple keys are supported.\n\nWe're actively working on more features here.\n\nFor more information about the `policy-controller`, have a look at our documentation website [here](https://docs.sigstore.dev/policy-controller/overview).\n\n## Examples\n\nPlease see the [examples/](./examples/) directory for example policies etc.\n\n## Policy Testing\n\nThis repo includes a `policy-tester` tool which enables checking a policy against\nvarious images.\n\nIn the root of this repo, run the following to build:\n```\nmake policy-tester\n```\n\nThen run it pointing to a 
YAML file containing a ClusterImagePolicy, and an image to evaluate the policy against:\n```\n(set -o pipefail && \\\n    ./policy-tester \\\n        --policy=test/testdata/policy-controller/tester/cip-public-keyless.yaml \\\n        --image=ghcr.io/sigstore/cosign/cosign:v1.9.0 | jq)\n```\n\n## Local Development\n\nYou can spin up a local [Kind](https://kind.sigs.k8s.io/) K8s cluster to test local changes to the policy controller using the `local-dev`\nCLI tool. Build the tool with `make local-dev` and then run it with `./bin/local-dev setup`.\n\nIt optionally accepts the following:\n\n```\n--cluster-name\n--k8s-version\n--registry-url\n```\n\nYou can clean up the cluster with `./bin/local-dev clean --cluster-name=<my cluster name>`.\n\nYou will need to have the following tools installed to use this:\n- [Docker](https://docs.docker.com/get-docker/)\n- [kind](https://kind.sigs.k8s.io/)\n- [ko](https://ko.build/install/)\n- [kubectl](https://kubernetes.io/docs/tasks/tools/)\n\n### Use local registry\n\nIf you would like to use the local Kind registry instead of a live one,\ndo not include the `registry-url` flag when calling the CLI. It will default to using the local registry. But before running the CLI, you must add the following line to your `/etc/hosts` file first:\n`127.0.0.1 registry.local`\n\n## Using Policy Controller with Azure Container Registry (ACR)\n\nTo allow the webhook to make requests to ACR, you must use one of the following\nmethods to authenticate:\n\n1. Managed identities (used with AKS clusters)\n1. Service principals (used with AKS clusters)\n1. 
Pod imagePullSecrets (used with non AKS clusters)\n\nSee the [official documentation](https://learn.microsoft.com/en-us/azure/container-registry/authenticate-kubernetes-options#scenarios).\n\n### Managed Identities for AKS Clusters\n\nSee the [official documentation](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?toc=%2Fazure%2Fcontainer-registry%2Ftoc.json&bc=%2Fazure%2Fcontainer-registry%2Fbreadcrumb%2Ftoc.json&tabs=azure-cli) for more details.\n\n1. You must enable managed identities for the cluster using the `--enable-managed-identity` flag with either the `az aks create` or `az aks update` commands\n1. You must attach the ACR to the AKS cluster using the `--attach-acr` flag with either\nthe `az aks create` or `az aks update` commands. See [here](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?toc=%2Fazure%2Fcontainer-registry%2Ftoc.json&bc=%2Fazure%2Fcontainer-registry%2Fbreadcrumb%2Ftoc.json&tabs=azure-cli#create-a-new-aks-cluster-and-integrate-with-an-existing-acr) for more details\n1. You must set the `AZURE_CLIENT_ID` environment variable to the managed identity's client ID.\n1. You must set the `AZURE_TENANT_ID` environment\nvariable to the Azure tenant the managed identity\nresides in.\n\nThese will be detected by the Azure credential manager.\n\nWhen you create a cluster that has managed identities enabled,\na user assigned managed identity called\n`<AKS cluster name>-agentpool` is created. Use this identity's client ID\nwhen setting `AZURE_CLIENT_ID`. 
Make sure the ACR is attached to\nyour cluster.\n\n#### Installing Policy Controller locally from this repository\n\nIf you are deploying policy-controller directly from this repository with\n`make ko-apply`, you will need to add `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` to the list of environment\nvariables in the [webhook deployment configuration](config/webhook.yaml).\n\n#### Installing Policy Controller from the Helm chart\n\nYou can provide the managed identity's client ID as a custom environment\nvariable when installing the Helm chart:\n\n```bash\nhelm install policy-controller sigstore/policy-controller --version 0.9.0 \\\n--set webhook.env.AZURE_CLIENT_ID=my-managed-id-client-id,webhook.env.AZURE_TENANT_ID=tenant-id\n```\n\n### Service Principals for AKS Clusters\n\n#### Installing Policy Controller from the Helm chart\n\nYou should be able to provide the service principal client ID and tenant ID\nas workload identity annotations:\n\n```bash\nhelm upgrade --install policy-controller sigstore/policy-controller --version 0.9.0 \\\n--set-json webhook.serviceAccount.annotations=\"{\\\"azure.workload.identity/client-id\\\": \\\"${SERVICE_PRINCIPAL_CLIENT_ID}\\\", \\\"azure.workload.identity/tenant-id\\\": \\\"${TENANT_ID}\\\"}\"\n```\n\n## Support Policy\n\nThis policy-controller's versions are able to run in the following versions of Kubernetes:\n\n|  | policy-controller `> 0.2.x` | policy-controller `> 0.10.x` |\n|---|:---:|:---:|\n| Kubernetes 1.23 | ✓ |   |\n| Kubernetes 1.24 | ✓ |   |\n| Kubernetes 1.25 | ✓ |   |\n| Kubernetes 1.27 |   | ✓ |\n| Kubernetes 1.28 |   | ✓ |\n| Kubernetes 1.29 |   | ✓ |\n\nnote: not fully tested yet, but can be installed\n\n## Release Cadence\n\nWe are intending to move to a monthly cadence for minor releases.\nMinor releases will be published around the beginning of the month.\nWe may cut a patch release instead, if the changes are small enough not to warrant a minor release.\nWe will also cut patch releases periodically as 
needed to address bugs.\n\n## Security\n\nShould you discover any security issues, please refer to Sigstore's [security\npolicy](https://github.com/sigstore/policy-controller/security/policy).\n"
  },
  {
    "path": "cmd/api-docs/main.go",
    "content": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"go/ast\"\n\t\"go/doc\"\n\t\"go/parser\"\n\t\"go/token\"\n\t\"os\"\n\t\"reflect\"\n\t\"strings\"\n\t\"text/template\"\n)\n\nconst (\n\theaderTemplate = `\n\n# API Documentation ({{ .Version }})\n\n> This document is automatically generated from the API definition in the code.\n`\n)\n\nvar (\n\tlinks = map[string]string{\n\t\t\"metav1.ObjectMeta\":           \"https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta\",\n\t\t\"metav1.ListMeta\":             \"https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#listmeta-v1-meta\",\n\t\t\"metav1.LabelSelector\":        \"https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#labelselector-v1-meta\",\n\t\t\"metav1.GroupVersionResource\": \"https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#groupversionresource-v1-meta\",\n\t\t\"v1.SecretReference\":          \"https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#secretreference-v1-core\",\n\t\t\"v1.LocalObjectReference\":     \"https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#localobjectreference-v1-core\",\n\t}\n\tselfLinks = map[string]string{}\n)\n\nfunc main() {\n\tprintAPIDocs(os.Args[1], os.Args[2:])\n}\n\nfunc toSectionLink(name string) string {\n\tname = 
strings.ToLower(name)\n\tname = strings.ReplaceAll(name, \" \", \"-\")\n\treturn name\n}\n\nfunc printTOC(types []KubeTypes) {\n\tfmt.Printf(\"\\n## Table of Contents\\n\")\n\tfor _, t := range types {\n\t\tstrukt := t[0]\n\t\tif len(t) > 1 {\n\t\t\tfmt.Printf(\"* [%s](#%s)\\n\", strukt.Name, toSectionLink(strukt.Name))\n\t\t}\n\t}\n}\n\nfunc printAPIDocs(version string, paths []string) {\n\theader := struct {\n\t\tVersion string\n\t}{\n\t\tVersion: version,\n\t}\n\tt, err := template.New(\"header\").Parse(headerTemplate)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\terr = t.Execute(os.Stdout, header)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\ttypes := ParseDocumentationFrom(paths)\n\tfor _, t := range types {\n\t\tstrukt := t[0]\n\t\tselfLinks[strukt.Name] = \"#\" + strings.ToLower(strukt.Name)\n\t}\n\n\t// we need to parse once more to now add the self links\n\ttypes = ParseDocumentationFrom(paths)\n\n\tprintTOC(types)\n\n\tfor _, t := range types {\n\t\tstrukt := t[0]\n\t\tfmt.Printf(\"\\n## %s\\n\\n%s\\n\\n\", strukt.Name, strukt.Doc)\n\t\tif len(t) > 1 {\n\t\t\tfmt.Println(\"| Field | Description | Scheme | Required |\")\n\t\t\tfmt.Println(\"| ----- | ----------- | ------ | -------- |\")\n\t\t\tfields := t[1:]\n\t\t\tfor _, f := range fields {\n\t\t\t\tfmt.Println(\"|\", f.Name, \"|\", f.Doc, \"|\", f.Type, \"|\", f.Mandatory, \"|\")\n\t\t\t}\n\t\t\tfmt.Println(\"\")\n\t\t\tfmt.Println(\"[Back to TOC](#table-of-contents)\")\n\t\t}\n\t}\n}\n\n// Pair of strings. We keed the name of fields and the doc\ntype Pair struct {\n\tName, Doc, Type string\n\tMandatory       bool\n}\n\n// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself\ntype KubeTypes []Pair\n\n// ParseDocumentationFrom gets all types' documentation and returns them as an\n// array. Each type is again represented as an array (we have to use arrays as we\n// need to be sure for the order of the fields). 
This function returns fields and\n// struct definitions that have no documentation as {name, \"\"}.\nfunc ParseDocumentationFrom(srcs []string) []KubeTypes {\n\tvar docForTypes []KubeTypes\n\n\tfor _, src := range srcs {\n\t\tpkg := astFrom(src)\n\t\tif pkg == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\tfor _, kubType := range pkg.Types {\n\t\t\tif structType, ok := kubType.Decl.Specs[0].(*ast.TypeSpec).Type.(*ast.StructType); ok {\n\t\t\t\tvar ks KubeTypes\n\t\t\t\tks = append(ks, Pair{kubType.Name, fmtRawDoc(kubType.Doc), \"\", false})\n\n\t\t\t\tfor _, field := range structType.Fields.List {\n\t\t\t\t\ttypeString := fieldType(field.Type)\n\t\t\t\t\tfieldMandatory := fieldRequired(field)\n\t\t\t\t\tif n := fieldName(field); n != \"-\" {\n\t\t\t\t\t\tfieldDoc := fmtRawDoc(field.Doc.Text())\n\t\t\t\t\t\tks = append(ks, Pair{n, fieldDoc, typeString, fieldMandatory})\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tdocForTypes = append(docForTypes, ks)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn docForTypes\n}\n\nfunc astFrom(filePath string) *doc.Package {\n\tfset := token.NewFileSet()\n\tm := make(map[string]*ast.File)\n\n\tf, err := parser.ParseFile(fset, filePath, nil, parser.ParseComments)\n\tif err != nil {\n\t\tfmt.Printf(\"failed to parse file %q: %v\\n\", filePath, err)\n\t\treturn nil\n\t}\n\n\tm[filePath] = f\n\tapkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:staticcheck\n\n\treturn doc.New(apkg, \"\", 0)\n}\n\nfunc fmtRawDoc(rawDoc string) string {\n\tvar buffer bytes.Buffer\n\tdelPrevChar := func() {\n\t\tif buffer.Len() > 0 {\n\t\t\tbuffer.Truncate(buffer.Len() - 1) // Delete the last \" \" or \"\\n\"\n\t\t}\n\t}\n\n\t// Ignore all lines after ---\n\trawDoc = strings.Split(rawDoc, \"---\")[0]\n\n\tfor _, line := range strings.Split(rawDoc, \"\\n\") {\n\t\tline = strings.TrimRight(line, \" \")\n\t\tleading := strings.TrimLeft(line, \" \")\n\t\tswitch {\n\t\tcase len(line) == 0: // Keep paragraphs\n\t\t\tdelPrevChar()\n\t\t\tbuffer.WriteString(\"\\n\\n\")\n\t\tcase 
strings.HasPrefix(leading, \"TODO\"): // Ignore one line TODOs\n\t\tcase strings.HasPrefix(leading, \"+\"): // Ignore instructions to go2idl\n\t\tdefault:\n\t\t\tif strings.HasPrefix(line, \" \") || strings.HasPrefix(line, \"\\t\") {\n\t\t\t\tdelPrevChar()\n\t\t\t\tline = \"\\n\" + line + \"\\n\" // Replace it with newline. This is useful when we have a line with: \"Example:\\n\\tJSON-someting...\"\n\t\t\t} else {\n\t\t\t\tline += \" \"\n\t\t\t}\n\t\t\tbuffer.WriteString(line)\n\t\t}\n\t}\n\n\tpostDoc := strings.TrimRight(buffer.String(), \"\\n\")\n\tpostDoc = strings.ReplaceAll(postDoc, \"\\\\\\\"\", \"\\\"\") // replace user's \\\" to \"\n\tpostDoc = strings.ReplaceAll(postDoc, \"\\\"\", \"\\\\\\\"\") // Escape \"\n\tpostDoc = strings.ReplaceAll(postDoc, \"\\n\", \"\\\\n\")\n\tpostDoc = strings.ReplaceAll(postDoc, \"\\t\", \"\\\\t\")\n\tpostDoc = strings.ReplaceAll(postDoc, \"|\", \"\\\\|\")\n\n\treturn postDoc\n}\n\nfunc toLink(typeName string) string {\n\tselfLink, hasSelfLink := selfLinks[typeName]\n\tif hasSelfLink {\n\t\treturn wrapInLink(typeName, selfLink)\n\t}\n\n\tlink, hasLink := links[typeName]\n\tif hasLink {\n\t\treturn wrapInLink(typeName, link)\n\t}\n\n\treturn typeName\n}\n\nfunc wrapInLink(text, link string) string {\n\treturn fmt.Sprintf(\"[%s](%s)\", text, link)\n}\n\n// fieldName returns the name of the field as it should appear in JSON format\n// \"-\" indicates that this field is not part of the JSON representation\nfunc fieldName(field *ast.Field) string {\n\tjsonTag := \"\"\n\tif field.Tag != nil {\n\t\tjsonTag = reflect.StructTag(field.Tag.Value[1 : len(field.Tag.Value)-1]).Get(\"json\") // Delete first and last quotation\n\t\tif strings.Contains(jsonTag, \"inline\") {\n\t\t\treturn \"-\"\n\t\t}\n\t}\n\n\tjsonTag = strings.Split(jsonTag, \",\")[0] // This can return \"-\"\n\tif jsonTag == \"\" {\n\t\tif field.Names != nil {\n\t\t\treturn field.Names[0].Name\n\t\t}\n\t\treturn field.Type.(*ast.Ident).Name\n\t}\n\treturn jsonTag\n}\n\n// 
fieldRequired returns whether a field is a required field.\nfunc fieldRequired(field *ast.Field) bool {\n\tjsonTag := \"\"\n\tif field.Tag != nil {\n\t\tjsonTag = reflect.StructTag(field.Tag.Value[1 : len(field.Tag.Value)-1]).Get(\"json\") // Delete first and last quotation\n\t\treturn !strings.Contains(jsonTag, \"omitempty\")\n\t}\n\n\treturn false\n}\n\nfunc fieldType(typ ast.Expr) string {\n\tswitch e := typ.(type) {\n\tcase *ast.Ident:\n\t\treturn toLink(e.Name)\n\tcase *ast.StarExpr:\n\t\treturn toLink(fieldType(e.X))\n\tcase *ast.SelectorExpr:\n\t\tpkg := e.X.(*ast.Ident) //nolint:errcheck\n\t\tt := e.Sel\n\t\treturn toLink(pkg.Name + \".\" + t.Name)\n\tcase *ast.ArrayType:\n\t\treturn \"[]\" + toLink(fieldType(e.Elt))\n\tcase *ast.MapType:\n\t\treturn \"map[\" + toLink(fieldType(e.Key)) + \"]\" + toLink(fieldType(e.Value))\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n"
  },
  {
    "path": "cmd/local-dev/clean.go",
    "content": "//\n// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"log\"\n\t\"os/exec\"\n\n\t\"github.com/docker/docker/api/types/container\"\n\t\"github.com/docker/docker/api/types/filters\"\n\t\"github.com/docker/docker/client\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/viper\"\n)\n\nfunc addCleanFlags(cmd *cobra.Command) {\n\tcmd.Flags().String(\"cluster-name\", \"policy-controller-demo\", \"name of the dev policy controller cluster\")\n}\n\nfunc init() {\n\taddCleanFlags(cleanCmd)\n\trootCmd.AddCommand(cleanCmd)\n}\n\nvar cleanCmd = &cobra.Command{\n\tUse:   \"clean\",\n\tShort: \"cleanup the local k8s cluster\",\n\tLong:  \"Cleanup the local k8s cluster\",\n\tPreRunE: func(cmd *cobra.Command, _ []string) error {\n\t\tif err := viper.BindPFlags(cmd.Flags()); err != nil {\n\t\t\tlog.Fatal(\"Error initializing cmd line args: \", err)\n\t\t}\n\t\treturn nil\n\t},\n\tRun: func(_ *cobra.Command, _ []string) {\n\t\tclean()\n\t},\n}\n\nfunc clean() {\n\tvar stderr bytes.Buffer\n\n\t// clean up the local cluster\n\tclusterName := viper.GetString(\"cluster-name\")\n\tfmt.Printf(\"Cleaning up the kind cluster %s...\\n\", clusterName)\n\n\tremoveCluster := exec.Command(\"kind\", \"delete\", \"cluster\", \"--name\", clusterName)\n\tremoveCluster.Stderr = &stderr\n\tif err := removeCluster.Run(); err != nil 
{\n\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t}\n\n\tif err := cleanUpRegistry(); err != nil {\n\t\tlog.Fatal(err)\n\t}\n}\n\nfunc cleanUpRegistry() error {\n\tctx := context.Background()\n\tdockerCLI, err := client.NewClientWithOpts(\n\t\tclient.FromEnv,\n\t\tclient.WithAPIVersionNegotiation(),\n\t)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer dockerCLI.Close()\n\n\tcontainers, err := dockerCLI.ContainerList(ctx, container.ListOptions{Filters: filters.NewArgs(filters.KeyValuePair{Key: \"name\", Value: \"registry.local\"})})\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif len(containers) > 0 {\n\t\tfmt.Println(\"Cleaning up registry.local...\")\n\t\tif err := dockerCLI.ContainerStop(ctx, containers[0].ID, container.StopOptions{}); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := dockerCLI.ContainerRemove(ctx, containers[0].ID, container.RemoveOptions{}); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n"
  },
  {
    "path": "cmd/local-dev/main.go",
    "content": "//\n// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nfunc main() {\n\tExecute()\n}\n"
  },
  {
    "path": "cmd/local-dev/root.go",
    "content": "//\n// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n)\n\nvar rootCmd = &cobra.Command{\n\tUse:   \"local-dev\",\n\tShort: \"Create, manage, and destroy a local k8s cluster for testing the policy controller\",\n\tLong:  \"Create, manage, and destroy a local k8s cluster for testing the policy controller\",\n}\n\nfunc Execute() {\n\tif err := rootCmd.Execute(); err != nil {\n\t\tfmt.Fprintln(os.Stderr, err)\n\t\tos.Exit(1)\n\t}\n}\n"
  },
  {
    "path": "cmd/local-dev/setup.go",
    "content": "//\n// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"log\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"strconv\"\n\n\t\"github.com/docker/docker/api/types/container\"\n\t\"github.com/docker/docker/client\"\n\t\"github.com/docker/go-connections/nat\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/viper\"\n)\n\nconst (\n\tlocalRegistryName            = \"registry.local\"\n\tlocalRegistryPort            = 5001\n\tdefaultKindestNodeVersionTag = \"v1.27.3\"\n)\n\nvar kindClusterConfig = `\napiVersion: kind.x-k8s.io/v1alpha4\nkind: Cluster\nname: \"%s\"\nnodes:\n- role: control-plane\n  image: \"%s\"\n# Configure registry for KinD.\ncontainerdConfigPatches:\n- |-\n  [plugins.\"io.containerd.grpc.v1.cri\".registry.mirrors.\"%s:%d\"]\n    endpoint = [\"http://%s:%d\"]\n`\n\n// check that a supplied image version is in the expected semver format: v<major>.<minor>.<patch>\nvar semverRegexp = regexp.MustCompile(\"^v[0-9]+.[0-9]+.[0-9]+$\")\n\n// check that registry URLs are in the expected format <url>:<port>\nvar registryURLRegexp = regexp.MustCompile(\"^[a-zA-Z0-9]+.[a-z]+:[0-9]+$\")\n\nfunc addSetupFlags(cmd *cobra.Command) {\n\tcmd.Flags().String(\"cluster-name\", \"policy-controller-demo\", \"name of the dev policy controller cluster\")\n\tcmd.Flags().String(\"k8s-version\", 
defaultKindestNodeVersionTag, \"name of the Ko Docker repository to use\")\n\tcmd.Flags().String(\"registry-url\", \"registry.local\", \"URL and port of the Ko Docker registry to use. Expected format: <url>:<port>. If no registry is provided, the local Kind registry will be used\")\n}\n\nvar setupCmd = &cobra.Command{\n\tUse:   \"setup\",\n\tShort: \"setup local k8s cluster for testing policy controller\",\n\tLong:  \"Setup a local k8s cluster for testing policy controller\",\n\tPreRunE: func(cmd *cobra.Command, _ []string) error {\n\t\tif err := viper.BindPFlags(cmd.Flags()); err != nil {\n\t\t\tlog.Fatal(\"Error initializing cmd line args: \", err)\n\t\t}\n\t\treturn nil\n\t},\n\tRun: func(_ *cobra.Command, _ []string) {\n\t\tsetup()\n\t},\n}\n\nfunc buildFatalMessage(err error, stderr bytes.Buffer) string {\n\treturn fmt.Sprintf(\"%v: %s\", err, stderr.String())\n}\n\nfunc setup() {\n\tvar stderr bytes.Buffer\n\n\tregistryURL := viper.GetString(\"registry-url\")\n\tif registryURL == localRegistryName {\n\t\tfullLocalRegistryURL := fmt.Sprintf(\"%s:%d/sigstore\", localRegistryName, localRegistryPort)\n\t\terr := os.Setenv(\"KO_DOCKER_REPO\", fullLocalRegistryURL)\n\t\tif err != nil {\n\t\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t\t}\n\t} else {\n\t\tif !registryURLRegexp.Match([]byte(registryURL)) {\n\t\t\tlog.Fatal(fmt.Errorf(\"provided registry URL is not in the expected format: <url>:<port>\"))\n\t\t}\n\t\terr := os.Setenv(\"KO_DOCKER_REPO\", registryURL)\n\t\tif err != nil {\n\t\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t\t}\n\t}\n\n\t// Create the new Kind cluster\n\tclusterName := viper.GetString(\"cluster-name\")\n\tfmt.Printf(\"Creating Kind cluster %s...\\n\", clusterName)\n\n\tclusterConfig, err := createKindConfig(clusterName, viper.GetString(\"k8s-version\"))\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\tconfigBytes := []byte(clusterConfig)\n\terr = os.WriteFile(\"kind.yaml\", configBytes, 0600)\n\tif err != nil 
{\n\t\tlog.Fatal(err)\n\t}\n\n\tstartKindCluster := exec.Command(\"kind\", \"create\", \"cluster\", \"--config\", \"kind.yaml\")\n\tstartKindCluster.Stderr = &stderr\n\tif err := startKindCluster.Run(); err != nil {\n\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t}\n\n\tif registryURL == localRegistryName {\n\t\tif err = setupLocalRegistry(); err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\t}\n\n\tsetGitHash := exec.Command(\"git\", \"rev-parse\", \"HEAD\")\n\tsetGitHash.Stderr = &stderr\n\toutBytes, err := setGitHash.Output()\n\tif err != nil {\n\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t}\n\n\terr = os.Setenv(\"GIT_HASH\", string(outBytes))\n\tif err != nil {\n\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t}\n\n\tsetGitVersion := exec.Command(\"git\", \"describe\", \"--tags\", \"--always\", \"--dirty\")\n\tsetGitVersion.Stderr = &stderr\n\toutBytes, err = setGitVersion.Output()\n\tif err != nil {\n\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t}\n\n\terr = os.Setenv(\"GIT_VERSION\", string(outBytes))\n\tif err != nil {\n\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t}\n\n\tvar configFiles []string\n\terr = filepath.WalkDir(\"config\", func(path string, d fs.DirEntry, err error) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tif filepath.Ext(d.Name()) == \".yaml\" && d.Name() != \"kustomization.yaml\" {\n\t\t\tconfigFiles = append(configFiles, path)\n\t\t}\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\tfmt.Println(\"Applying local policy controller manifests...\")\n\tfor _, configFile := range configFiles {\n\t\tkoApply := exec.Command(\"ko\", \"apply\", \"-f\", configFile)\n\t\tkoApply.Stderr = &stderr\n\t\t_, err = koApply.Output()\n\t\tif err != nil {\n\t\t\tlog.Fatal(buildFatalMessage(err, stderr))\n\t\t}\n\t}\n}\n\nfunc createKindConfig(clusterName, k8sVersion string) (string, error) {\n\t// check that the provided version is in the expected format and use it\n\tif !semverRegexp.Match([]byte(k8sVersion)) 
{\n\t\treturn \"\", fmt.Errorf(\"provided k8s version %s is not in the expected semver format v<major>.<minor>.<patch>\", k8sVersion)\n\t}\n\n\tkindImage := fmt.Sprintf(\"kindest/node:%s\", k8sVersion)\n\treturn fmt.Sprintf(kindClusterConfig, clusterName, kindImage, localRegistryName, localRegistryPort, localRegistryName, localRegistryPort), nil\n}\n\nfunc setupLocalRegistry() error {\n\tdockerCLI, err := client.NewClientWithOpts(\n\t\tclient.FromEnv,\n\t\tclient.WithAPIVersionNegotiation(),\n\t)\n\tif err != nil {\n\t\treturn nil\n\t}\n\tdefer dockerCLI.Close()\n\n\tfmt.Printf(\"\\nStarting local registry %s...\\n\", localRegistryName)\n\n\tctx := context.Background()\n\tresp, err := dockerCLI.ContainerCreate(ctx, &container.Config{\n\t\tImage:        \"registry:2\",\n\t\tEnv:          []string{fmt.Sprintf(\"REGISTRY_HTTP_ADDR=0.0.0.0:%d\", localRegistryPort)},\n\t\tExposedPorts: nat.PortSet{\"5001/tcp\": struct{}{}},\n\t}, &container.HostConfig{\n\t\tRestartPolicy: container.RestartPolicy{Name: \"always\"},\n\t\tPortBindings: nat.PortMap{\n\t\t\t\"5001/tcp\": []nat.PortBinding{\n\t\t\t\t{HostIP: \"127.0.0.1\", HostPort: strconv.Itoa(localRegistryPort)},\n\t\t\t},\n\t\t},\n\t}, nil, nil, localRegistryName)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif err := dockerCLI.ContainerStart(ctx, resp.ID, container.StartOptions{}); err != nil {\n\t\treturn err\n\t}\n\n\tfmt.Println(\"Connecting network between kind with local registry ...\")\n\n\treturn dockerCLI.NetworkConnect(ctx, \"kind\", localRegistryName, nil)\n}\n\nfunc init() {\n\taddSetupFlags(setupCmd)\n\trootCmd.AddCommand(setupCmd)\n}\n"
  },
  {
    "path": "cmd/sample/main.go",
    "content": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport \"log\"\n\nfunc main() {\n\tlog.Printf(\"Hello, World!\")\n}\n"
  },
  {
    "path": "cmd/schema/main.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"log\"\n\n\t\"knative.dev/hack/schema/commands\"\n\t\"knative.dev/hack/schema/registry\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n)\n\n// schema is a tool to dump the schema for policy-controller resources.\nfunc main() {\n\tregistry.Register(&v1alpha1.ClusterImagePolicy{})\n\tregistry.Register(&v1alpha1.TrustRoot{})\n\tregistry.Register(&v1beta1.ClusterImagePolicy{})\n\n\tif err := commands.New(\"github.com/sigstore/policy-controller\").Execute(); err != nil {\n\t\tlog.Fatal(\"Error during command execution: \", err)\n\t}\n}\n"
  },
  {
    "path": "cmd/tester/main.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"flag\"\n\t\"fmt\"\n\t\"log\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/google/go-containerregistry/pkg/authn\"\n\t\"github.com/google/go-containerregistry/pkg/name\"\n\t\"go.uber.org/zap\"\n\t\"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/logging\"\n\t\"sigs.k8s.io/release-utils/version\"\n\t\"sigs.k8s.io/yaml\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n\t\"github.com/sigstore/policy-controller/pkg/policy\"\n\t\"github.com/sigstore/policy-controller/pkg/webhook\"\n)\n\ntype output struct {\n\tErrors   []string `json:\"errors,omitempty\"`\n\tWarnings []string `json:\"warnings,omitempty\"`\n}\n\ntype LogLevel string\n\nconst (\n\tLevelDebug LogLevel = \"debug\"\n\tLevelInfo  LogLevel = \"info\"\n\tLevelWarn  LogLevel = \"warn\"\n\tLevelError LogLevel = \"error\"\n)\n\nfunc getSugaredLogger(value string) (*zap.SugaredLogger, error) {\n\tll := LogLevel(value)\n\tswitch ll {\n\tcase LevelDebug, LevelInfo, LevelWarn, LevelError:\n\t\treturn setSugaredLogger(ll)\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"invalid log level\")\n\t}\n}\n\nfunc 
setSugaredLogger(logLevel LogLevel) (*zap.SugaredLogger, error) {\n\tcfg := zap.NewDevelopmentConfig()\n\tswitch logLevel {\n\tcase LevelDebug:\n\t\tcfg.Level.SetLevel(zap.DebugLevel)\n\tcase LevelInfo:\n\t\tcfg.Level.SetLevel(zap.InfoLevel)\n\tcase LevelWarn:\n\t\tcfg = zap.NewProductionConfig()\n\t\tcfg.Level.SetLevel(zap.WarnLevel)\n\tcase LevelError:\n\t\tcfg = zap.NewProductionConfig()\n\t\tcfg.Level.SetLevel(zap.ErrorLevel)\n\tdefault:\n\t\tpanic(\"invalid log level\")\n\t}\n\n\tlogger, err := cfg.Build()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to build logger: %w\", err)\n\t}\n\treturn logger.Sugar(), nil\n}\n\nfunc main() {\n\tcipFilePath := flag.String(\"policy\", \"\", \"path to ClusterImagePolicy or URL to fetch from (http/https)\")\n\tversionFlag := flag.Bool(\"version\", false, \"return the policy-controller tester version\")\n\timage := flag.String(\"image\", \"\", \"image to compare against policy\")\n\tresourceFilePath := flag.String(\"resource\", \"\", \"path to a kubernetes resource to use with includeSpec, includeObjectMeta\")\n\ttrustRootFilePath := flag.String(\"trustroot\", \"\", \"path to a kubernetes TrustRoot resource to use with the ClusterImagePolicy\")\n\tlogLevelStr := flag.String(\"log-level\", \"info\", \"configure the tool's log level (debug, info, warn, error)\")\n\tenableOCI11 := flag.Bool(\"enable-oci11\", false, \"enable experimental OCI 1.1 referrers API for attestation discovery\")\n\tflag.Parse()\n\n\tlogger, err := getSugaredLogger(*logLevelStr)\n\tif err != nil {\n\t\tflag.Usage()\n\t\tos.Exit(1)\n\t}\n\n\tctx := logging.WithLogger(context.Background(), logger)\n\n\t// Set up policy controller configuration with OCI 1.1 support\n\tif *enableOCI11 {\n\t\tpolicyConfig := &policycontrollerconfig.PolicyControllerConfig{\n\t\t\tNoMatchPolicy:          \"deny\",\n\t\t\tFailOnEmptyAuthorities: true,\n\t\t\tEnableOCI11:            true,\n\t\t}\n\t\tctx = policycontrollerconfig.ToContext(ctx, 
policyConfig)\n\t}\n\n\tif *versionFlag {\n\t\tv := version.GetVersionInfo()\n\t\tfmt.Println(v.String())\n\t\tos.Exit(0)\n\t}\n\n\tif *cipFilePath == \"\" || *image == \"\" {\n\t\tflag.Usage()\n\t\tos.Exit(1)\n\t}\n\n\tpols := make([]policy.Source, 0, 1)\n\n\tif strings.HasPrefix(*cipFilePath, \"https://\") || strings.HasPrefix(*cipFilePath, \"http://\") {\n\t\tpols = append(pols, policy.Source{\n\t\t\tURL: *cipFilePath,\n\t\t})\n\t} else {\n\t\tpols = append(pols, policy.Source{\n\t\t\tPath: *cipFilePath,\n\t\t})\n\t}\n\n\tlogging.FromContext(ctx).Infof(\"Validating policy\\n\")\n\n\tv := policy.Verification{\n\t\tNoMatchPolicy: \"deny\",\n\t\tPolicies:      &pols,\n\t}\n\tif err := v.Validate(ctx); err != nil {\n\t\t// CIP validation can return Warnings so let's just go through them\n\t\t// and only exit if there are Errors.\n\t\tif warnFE := err.Filter(apis.WarningLevel); warnFE != nil {\n\t\t\tlog.Printf(\"CIP has warnings:\\n%s\\n\", warnFE.Error())\n\t\t}\n\t\tif errorFE := err.Filter(apis.ErrorLevel); errorFE != nil {\n\t\t\tlog.Fatalf(\"CIP is invalid: %s\", errorFE.Error())\n\t\t}\n\t}\n\n\tlogging.FromContext(ctx).Infof(\"Policy was successfully validated\\n\")\n\n\tref, err := name.ParseReference(*image)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\twarningStrings := []string{}\n\tvfy, err := policy.Compile(ctx, v, func(s string, i ...interface{}) {\n\t\twarningStrings = append(warningStrings, fmt.Sprintf(s, i...))\n\t})\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\tif *resourceFilePath != \"\" {\n\t\tlogging.FromContext(ctx).Infof(\"Parsing the provided Kubernetes resource\\n\")\n\n\t\traw, err := os.ReadFile(*resourceFilePath)\n\t\tif err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\t\tuo := &unstructured.Unstructured{}\n\t\tif err := yaml.Unmarshal(raw, uo); err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\t\tm, ok := uo.Object[\"metadata\"]\n\t\tif !ok {\n\t\t\tlog.Fatal(\"kubernetes resource is missing metadata key\")\n\t\t}\n\t\tctx = 
webhook.IncludeObjectMeta(ctx, m)\n\t\tspec, ok := uo.Object[\"spec\"]\n\t\tif !ok {\n\t\t\tlog.Fatal(\"kubernetes resource is missing spec key\")\n\t\t}\n\t\tctx = webhook.IncludeSpec(ctx, spec)\n\t\tkind, ok := uo.Object[\"kind\"]\n\t\tif !ok {\n\t\t\tlog.Fatal(\"kubernetes resource is missing kind key\")\n\t\t}\n\t\tapiVersion, ok := uo.Object[\"apiVersion\"]\n\t\tif !ok {\n\t\t\tlog.Fatal(\"kubernetes resource is missing apiVersion key\")\n\t\t}\n\t\ttypeMeta := make(map[string]interface{})\n\t\ttypeMeta[\"kind\"] = kind\n\t\ttypeMeta[\"apiVersion\"] = apiVersion\n\t\tctx = webhook.IncludeTypeMeta(ctx, typeMeta)\n\n\t\tlogging.FromContext(ctx).Infof(\"The Kuberentes resource will be used with includeSpec\\n\")\n\t}\n\n\tif *trustRootFilePath != \"\" {\n\t\tlogging.FromContext(ctx).Infof(\"Parsing the custom trust root\\n\")\n\n\t\tconfigCtx := config.FromContextOrDefaults(ctx)\n\t\traw, err := os.ReadFile(*trustRootFilePath)\n\t\tif err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\n\t\ttr := &v1alpha1.TrustRoot{}\n\t\tif err := yaml.Unmarshal(raw, tr); err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\n\t\tkeys, err := GetKeysFromTrustRoot(ctx, tr)\n\t\tif err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\n\t\tmaps := make(map[string]*config.SigstoreKeys, 0)\n\n\t\tmaps[tr.Name] = keys\n\t\tconfigCtx.SigstoreKeysConfig = &config.SigstoreKeysMap{SigstoreKeys: maps}\n\n\t\tctx = config.ToContext(ctx, configCtx)\n\n\t\tlogging.FromContext(ctx).Infof(\"The custom trust root has been successfully added\\n\")\n\t}\n\n\tlogging.FromContext(ctx).Infof(\"Verifying the provided image against the policy\\n\")\n\n\terrStrings := []string{}\n\tif err := vfy.Verify(ctx, ref, authn.DefaultKeychain); err != nil {\n\t\terrStrings = append(errStrings, strings.Trim(err.Error(), \"\\n\"))\n\t}\n\n\tif len(errStrings) != 0 {\n\t\tlogging.FromContext(ctx).Infof(\"Errors encountered during verification\\n\")\n\n\t\tvar o []byte\n\t\to, err = json.Marshal(&output{\n\t\t\tErrors:   
errStrings,\n\t\t\tWarnings: warningStrings,\n\t\t})\n\t\tif err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\n\t\tfmt.Println(string(o))\n\t\tos.Exit(1)\n\t}\n\tlogging.FromContext(ctx).Infof(\"Verification was successful!\\n\")\n}\n"
  },
  {
    "path": "cmd/tester/trustroot.go",
    "content": "//\n// Copyright 2024 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/reconciler/trustroot\"\n\t\"github.com/sigstore/policy-controller/pkg/tuf\"\n)\n\nfunc GetKeysFromTrustRoot(ctx context.Context, tr *v1alpha1.TrustRoot) (*config.SigstoreKeys, error) {\n\tswitch {\n\tcase tr.Spec.Remote != nil:\n\t\tmirror := tr.Spec.Remote.Mirror.String()\n\t\tclient, err := tuf.ClientFromRemote(context.Background(), mirror, tr.Spec.Remote.Root, tr.Spec.Remote.Targets)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to initialize TUF client from remote: %w\", err)\n\t\t}\n\t\treturn trustroot.GetSigstoreKeysFromTuf(ctx, client, \"\")\n\tcase tr.Spec.Repository != nil:\n\t\tclient, err := tuf.ClientFromSerializedMirror(context.Background(), tr.Spec.Repository.MirrorFS, tr.Spec.Repository.Root, tr.Spec.Repository.Targets, v1alpha1.DefaultTUFRepoPrefix)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to initialize TUF client from remote: %w\", err)\n\t\t}\n\n\t\treturn trustroot.GetSigstoreKeysFromTuf(ctx, client, \"\")\n\tcase tr.Spec.SigstoreKeys != nil:\n\t\treturn config.ConvertSigstoreKeys(context.Background(), tr.Spec.SigstoreKeys)\n\t}\n\treturn nil, 
fmt.Errorf(\"provided trust root configuration is not supported\")\n}\n"
  },
  {
    "path": "cmd/webhook/depcheck_test.go",
    "content": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main_test\n\nimport (\n\t\"testing\"\n\n\t\"knative.dev/pkg/depcheck\"\n)\n\nfunc TestNoDeps(t *testing.T) {\n\tdepcheck.AssertNoDependency(t, map[string][]string{\n\t\t\"github.com/sigstore/policy-controller/cmd/webhook\": {\n\t\t\t// This conflicts with klog, we error on startup about\n\t\t\t// `-log_dir` being defined multiple times.\n\t\t\t// Note: this dependency has been replaced with a version\n\t\t\t// that does not cause the error\n\t\t\t// \"github.com/golang/glog\",\n\t\t},\n\t})\n}\n"
  },
  {
    "path": "cmd/webhook/main.go",
    "content": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"context\"\n\t\"flag\"\n\t\"fmt\"\n\t\"log\"\n\t\"os\"\n\t\"time\"\n\n\tpolicyduckv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/common\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n\t\"github.com/sigstore/policy-controller/pkg/reconciler/clusterimagepolicy\"\n\t\"github.com/sigstore/policy-controller/pkg/reconciler/trustroot\"\n\tadmissionregistrationv1 \"k8s.io/api/admissionregistration/v1\"\n\tappsv1 \"k8s.io/api/apps/v1\"\n\tbatchv1 \"k8s.io/api/batch/v1\"\n\tbatchv1beta1 \"k8s.io/api/batch/v1beta1\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n\t\"k8s.io/apimachinery/pkg/util/sets\"\n\tduckv1 \"knative.dev/pkg/apis/duck/v1\"\n\tkubeclient 
\"knative.dev/pkg/client/injection/kube/client\"\n\t\"knative.dev/pkg/configmap\"\n\t\"knative.dev/pkg/controller\"\n\t\"knative.dev/pkg/injection/sharedmain\"\n\t\"knative.dev/pkg/logging\"\n\t\"knative.dev/pkg/signals\"\n\t\"knative.dev/pkg/webhook\"\n\t\"knative.dev/pkg/webhook/certificates\"\n\t\"knative.dev/pkg/webhook/resourcesemantics\"\n\t\"knative.dev/pkg/webhook/resourcesemantics/conversion\"\n\t\"knative.dev/pkg/webhook/resourcesemantics/defaulting\"\n\t\"knative.dev/pkg/webhook/resourcesemantics/validation\"\n\t\"sigs.k8s.io/release-utils/version\"\n\n\t\"github.com/sigstore/sigstore/pkg/tuf\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\tpctuf \"github.com/sigstore/policy-controller/pkg/tuf\"\n\tcwebhook \"github.com/sigstore/policy-controller/pkg/webhook\"\n)\n\nvar (\n\t// webhookName holds the name of the validating and mutating webhook\n\t// configuration resources dispatching admission requests to policy-controller.\n\t// It is also the name of the webhook which is injected by the controller\n\t// with the resource types, namespace selectors, CABundle and service path.\n\t// If this changes, you must also change:\n\t//\n\t//\t./config/500-webhook-configuration.yaml\n\t//\thttps://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/webhook/webhook_mutating.yaml\n\t//\thttps://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/webhook/webhook_validating.yaml\n\twebhookName = flag.String(\"webhook-name\", \"policy.sigstore.dev\", \"The name of the validating and mutating webhook configurations as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-controller.\")\n\n\ttufMirror = flag.String(\"tuf-mirror\", tuf.DefaultRemoteRoot, \"Alternate TUF mirror. 
If left blank, public sigstore one is used\")\n\ttufRoot   = flag.String(\"tuf-root\", \"\", \"Alternate TUF root.json. If left blank, public sigstore one is used\")\n\n\t// Do not initialize TUF at all.\n\t// https://github.com/sigstore/policy-controller/issues/354\n\tdisableTUF = flag.Bool(\"disable-tuf\", false, \"Disable TUF support.\")\n\n\t// mutatingCIPWebhookName holds the name of the mutating webhook configuration\n\t// resource dispatching admission requests to policy-webhook.\n\t// It is also the name of the webhook which is injected by the controller\n\t// with the resource types, namespace selectors, CABundle and service path.\n\t// If this changes, you must also change:\n\t//    ./config/501-policy-webhook-configurations.yaml\n\t//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml\n\tmutatingCIPWebhookName = flag.String(\"mutating-webhook-name\", \"defaulting.clusterimagepolicy.sigstore.dev\", \"The name of the mutating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.\")\n\t// validatingCIPWebhookName holds the name of the validating webhook configuration\n\t// resource dispatching admission requests to policy-webhook.\n\t// It is also the name of the webhook which is injected by the controller\n\t// with the resource types, namespace selectors, CABundle and service path.\n\t// If this changes, you must also change:\n\t//    ./config/501-policy-webhook-configurations.yaml\n\t//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml\n\tvalidatingCIPWebhookName = flag.String(\"validating-webhook-name\", \"validating.clusterimagepolicy.sigstore.dev\", \"The name of the validating webhook configuration as well as the webhook name
that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.\")\n\n\t// policyResyncPeriod holds the interval which ClusterImagePolicies will resync\n\t// This is essential for triggering a reconcile update for potentially stale KMS authorities.\n\tpolicyResyncPeriod = flag.Duration(\"policy-resync-period\", 10*time.Hour, \"The resync period for ClusterImagePolicies. The default is 10h.\")\n\n\t// trustrootResyncPeriod holds the interval which the TrustRoot will resync\n\t// This is essential for triggering a reconcile update for potentially stale TUF metadata.\n\ttrustrootResyncPeriod = flag.Duration(\"trustroot-resync-period\", 24*time.Hour, \"The resync period for ClusterImagePolicies. The default is 24h.\")\n)\n\nfunc main() {\n\topts := webhook.Options{\n\t\tServiceName: \"webhook\",\n\t\tPort:        8443,\n\t\tSecretName:  \"webhook-certs\",\n\t}\n\tctx := webhook.WithOptions(signals.NewContext(), opts)\n\n\t// Allow folks to configure the port the webhook serves on.\n\tflag.IntVar(&opts.Port, \"secure-port\", opts.Port, \"The port on which to serve HTTPS.\")\n\n\tflag.Parse()\n\n\t// If TUF has been disabled do not try to set it up.\n\tif !*disableTUF {\n\t\t// If they provided an alternate TUF root file to use, read it here.\n\t\tvar tufRootBytes []byte\n\t\tvar err error\n\t\tif *tufRoot != \"\" {\n\t\t\ttufRootBytes, err = os.ReadFile(*tufRoot)\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Panicf(\"Failed to read alternate TUF root file %s : %v\", *tufRoot, err)\n\t\t\t}\n\t\t}\n\t\tlogging.FromContext(ctx).Infof(\"Initializing TUF root from %s => %s\", *tufRoot, *tufMirror)\n\t\tif err := tuf.Initialize(ctx, *tufMirror, tufRootBytes); err != nil {\n\t\t\tlogging.FromContext(ctx).Panicf(\"Failed to initialize TUF client from %s : %v\", *tufRoot, err)\n\t\t}\n\t}\n\n\t// Set the policy and trust root resync periods\n\tctx = 
clusterimagepolicy.ToContext(ctx, *policyResyncPeriod)\n\tctx = pctuf.ToContext(ctx, *trustrootResyncPeriod)\n\n\t// This must match the set of resources we configure in\n\t// cmd/webhook/main.go in the \"types\" map.\n\tcommon.ValidResourceNames = sets.NewString(\"replicasets\", \"deployments\",\n\t\t\"pods\", \"cronjobs\", \"jobs\", \"statefulsets\", \"daemonsets\")\n\n\tv := version.GetVersionInfo()\n\tvJSON, _ := v.JSONString()\n\tlog.Printf(\"%v\", vJSON)\n\t// This calls flag.Parse()\n\tsharedmain.MainWithContext(ctx, \"policy-controller\",\n\t\tcertificates.NewController,\n\t\tNewValidatingAdmissionController,\n\t\tNewMutatingAdmissionController,\n\t\ttrustroot.NewController,\n\t\tclusterimagepolicy.NewController,\n\t\tNewPolicyValidatingAdmissionController,\n\t\tNewPolicyMutatingAdmissionController,\n\t\tnewConversionController,\n\t)\n}\n\nvar (\n\t_ resourcesemantics.SubResourceLimited = (*crdNoStatusUpdatesOrDeletes)(nil)\n\t_ resourcesemantics.VerbLimited        = (*crdNoStatusUpdatesOrDeletes)(nil)\n\n\t_ resourcesemantics.SubResourceLimited = (*crdEphemeralContainers)(nil)\n\t_ resourcesemantics.VerbLimited        = (*crdEphemeralContainers)(nil)\n)\n\ntype crdNoStatusUpdatesOrDeletes struct {\n\tresourcesemantics.GenericCRD\n}\n\ntype crdEphemeralContainers struct {\n\tresourcesemantics.GenericCRD\n}\n\nfunc (c *crdNoStatusUpdatesOrDeletes) SupportedSubResources() []string {\n\t// We do not want any updates that are for status, scale, or anything else.\n\treturn []string{\"\"}\n}\n\nfunc (c *crdEphemeralContainers) SupportedSubResources() []string {\n\treturn []string{\"/ephemeralcontainers\", \"\"}\n}\n\nfunc (c *crdNoStatusUpdatesOrDeletes) SupportedVerbs() []admissionregistrationv1.OperationType {\n\treturn []admissionregistrationv1.OperationType{\n\t\tadmissionregistrationv1.Create,\n\t\tadmissionregistrationv1.Update,\n\t}\n}\n\nfunc (c *crdEphemeralContainers) SupportedVerbs() []admissionregistrationv1.OperationType {\n\treturn 
[]admissionregistrationv1.OperationType{\n\t\tadmissionregistrationv1.Create,\n\t\tadmissionregistrationv1.Update,\n\t}\n}\n\nvar types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{\n\tcorev1.SchemeGroupVersion.WithKind(\"Pod\"): &crdEphemeralContainers{GenericCRD: &duckv1.Pod{}},\n\n\tappsv1.SchemeGroupVersion.WithKind(\"ReplicaSet\"):  &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},\n\tappsv1.SchemeGroupVersion.WithKind(\"Deployment\"):  &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},\n\tappsv1.SchemeGroupVersion.WithKind(\"StatefulSet\"): &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},\n\tappsv1.SchemeGroupVersion.WithKind(\"DaemonSet\"):   &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}},\n\tbatchv1.SchemeGroupVersion.WithKind(\"Job\"):        &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}},\n\n\tbatchv1.SchemeGroupVersion.WithKind(\"CronJob\"):      &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}},\n\tbatchv1beta1.SchemeGroupVersion.WithKind(\"CronJob\"): &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}},\n}\n\nvar typesCIP = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{\n\t// v1alpha1\n\tv1alpha1.SchemeGroupVersion.WithKind(\"ClusterImagePolicy\"): &v1alpha1.ClusterImagePolicy{},\n\tv1alpha1.SchemeGroupVersion.WithKind(\"TrustRoot\"):          &v1alpha1.TrustRoot{},\n\t// v1beta1\n\tv1beta1.SchemeGroupVersion.WithKind(\"ClusterImagePolicy\"): &v1beta1.ClusterImagePolicy{},\n}\n\nfunc NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {\n\t// Decorate contexts with the current state of the config.\n\tstore := config.NewStore(logging.FromContext(ctx).Named(\"config-store\"))\n\tstore.WatchConfigs(cmw)\n\tpolicyControllerConfigStore := 
policycontrollerconfig.NewStore(logging.FromContext(ctx).Named(\"config-policy-controller\"))\n\tpolicyControllerConfigStore.WatchConfigs(cmw)\n\n\tlogger := logging.FromContext(ctx)\n\twoptions := webhook.GetOptions(ctx)\n\twoptions.ControllerOptions = &controller.ControllerOptions{\n\t\tWorkQueueName: fmt.Sprintf(\"%s-%s\", *webhookName, \"validating\"),\n\t\tLogger:        logger.Named(*webhookName),\n\t}\n\tctx = webhook.WithOptions(ctx, *woptions)\n\n\tkc := kubeclient.Get(ctx)\n\tvalidator := cwebhook.NewValidator(ctx)\n\n\treturn validation.NewAdmissionController(ctx,\n\t\t// Name of the resource webhook.\n\t\t*webhookName,\n\n\t\t// The path on which to serve the webhook.\n\t\t\"/validations\",\n\n\t\t// The resources to validate.\n\t\ttypes,\n\n\t\t// A function that infuses the context passed to Validate/SetDefaults with custom metadata.\n\t\tfunc(ctx context.Context) context.Context {\n\t\t\tctx = context.WithValue(ctx, kubeclient.Key{}, kc)\n\t\t\tctx = store.ToContext(ctx)\n\t\t\tctx = policyControllerConfigStore.ToContext(ctx)\n\t\t\tctx = policyduckv1beta1.WithPodScalableValidator(ctx, validator.ValidatePodScalable)\n\t\t\tctx = duckv1.WithPodValidator(ctx, validator.ValidatePod)\n\t\t\tctx = duckv1.WithPodSpecValidator(ctx, validator.ValidatePodSpecable)\n\t\t\tctx = duckv1.WithCronJobValidator(ctx, validator.ValidateCronJob)\n\t\t\treturn ctx\n\t\t},\n\n\t\t// Whether to disallow unknown fields.\n\t\t// We pass false because we're using partial schemas.\n\t\tfalse,\n\n\t\t// Extra validating callbacks to be applied to resources.\n\t\tnil,\n\t)\n}\n\nfunc NewMutatingAdmissionController(ctx context.Context, _ configmap.Watcher) *controller.Impl {\n\tkc := kubeclient.Get(ctx)\n\tlogger := logging.FromContext(ctx)\n\twoptions := webhook.GetOptions(ctx)\n\twoptions.ControllerOptions = &controller.ControllerOptions{\n\t\tWorkQueueName: fmt.Sprintf(\"%s-%s\", *webhookName, \"mutating\"),\n\t\tLogger:        logger.Named(*webhookName),\n\t}\n\tctx = 
webhook.WithOptions(ctx, *woptions)\n\tvalidator := cwebhook.NewValidator(ctx)\n\n\treturn defaulting.NewAdmissionController(ctx,\n\t\t// Name of the resource webhook.\n\t\t*webhookName,\n\n\t\t// The path on which to serve the webhook.\n\t\t\"/mutations\",\n\n\t\t// The resources to validate.\n\t\ttypes,\n\n\t\t// A function that infuses the context passed to Validate/SetDefaults with custom metadata.\n\t\tfunc(ctx context.Context) context.Context {\n\t\t\tctx = context.WithValue(ctx, kubeclient.Key{}, kc)\n\t\t\tctx = policyduckv1beta1.WithPodScalableDefaulter(ctx, validator.ResolvePodScalable)\n\t\t\tctx = duckv1.WithPodDefaulter(ctx, validator.ResolvePod)\n\t\t\tctx = duckv1.WithPodSpecDefaulter(ctx, validator.ResolvePodSpecable)\n\t\t\tctx = duckv1.WithCronJobDefaulter(ctx, validator.ResolveCronJob)\n\t\t\treturn ctx\n\t\t},\n\n\t\t// Whether to disallow unknown fields.\n\t\t// We pass false because we're using partial schemas.\n\t\tfalse,\n\t)\n}\n\nfunc NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {\n\tstore := config.NewStore(logging.FromContext(ctx).Named(\"config-store\"))\n\tstore.WatchConfigs(cmw)\n\tpolicyControllerConfigStore := policycontrollerconfig.NewStore(logging.FromContext(ctx).Named(\"config-policy-controller\"))\n\tpolicyControllerConfigStore.WatchConfigs(cmw)\n\n\tlogger := logging.FromContext(ctx)\n\n\twoptions := webhook.GetOptions(ctx)\n\twoptions.ControllerOptions = &controller.ControllerOptions{\n\t\tWorkQueueName: *validatingCIPWebhookName,\n\t\tLogger:        logger.Named(*validatingCIPWebhookName),\n\t}\n\tctx = webhook.WithOptions(ctx, *woptions)\n\n\treturn validation.NewAdmissionController(\n\t\tctx,\n\t\t*validatingCIPWebhookName,\n\t\t\"/validating\",\n\t\ttypesCIP,\n\t\tfunc(ctx context.Context) context.Context {\n\t\t\tctx = policyControllerConfigStore.ToContext(ctx)\n\t\t\treturn ctx\n\t\t},\n\t\ttrue,\n\t)\n}\n\nfunc NewPolicyMutatingAdmissionController(ctx 
context.Context, _ configmap.Watcher) *controller.Impl {\n\twoptions := webhook.GetOptions(ctx)\n\tlogger := logging.FromContext(ctx)\n\twoptions.ControllerOptions = &controller.ControllerOptions{\n\t\tWorkQueueName: *mutatingCIPWebhookName,\n\t\tLogger:        logger.Named(*mutatingCIPWebhookName),\n\t}\n\tctx = webhook.WithOptions(ctx, *woptions)\n\n\treturn defaulting.NewAdmissionController(\n\t\tctx,\n\t\t*mutatingCIPWebhookName,\n\t\t\"/defaulting\",\n\t\ttypesCIP,\n\t\tfunc(ctx context.Context) context.Context {\n\t\t\treturn ctx\n\t\t},\n\t\ttrue,\n\t)\n}\n\nfunc newConversionController(ctx context.Context, _ configmap.Watcher) *controller.Impl {\n\t// nolint: revive\n\tvar (\n\t\tv1alpha1GroupVersion = v1alpha1.SchemeGroupVersion.Version\n\t\tv1beta1GroupVersion  = v1beta1.SchemeGroupVersion.Version\n\t)\n\tlogger := logging.FromContext(ctx)\n\twoptions := webhook.GetOptions(ctx)\n\twoptions.ControllerOptions = &controller.ControllerOptions{\n\t\tWorkQueueName: \"resource-conversion\",\n\t\tLogger:        logger.Named(\"resource-conversion\"),\n\t}\n\tctx = webhook.WithOptions(ctx, *woptions)\n\n\treturn conversion.NewConversionController(ctx,\n\t\t// The path on which to serve the webhook\n\t\t\"/resource-conversion\",\n\n\t\t// Specify the types of custom resource definitions that should be converted\n\t\tmap[schema.GroupKind]conversion.GroupKindConversion{\n\t\t\tv1beta1.Kind(\"ClusterImagePolicy\"): {\n\t\t\t\tDefinitionName: policy.ClusterImagePolicyResource.String(),\n\t\t\t\tHubVersion:     v1alpha1GroupVersion,\n\t\t\t\tZygotes: map[string]conversion.ConvertibleObject{\n\t\t\t\t\tv1alpha1GroupVersion: &v1alpha1.ClusterImagePolicy{},\n\t\t\t\t\tv1beta1GroupVersion:  &v1beta1.ClusterImagePolicy{},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\n\t\t// A function that infuses the context passed to ConvertTo/ConvertFrom/SetDefaults with custom metadata\n\t\tfunc(ctx context.Context) context.Context {\n\t\t\treturn ctx\n\t\t},\n\t)\n}\n"
  },
  {
    "path": "config/100-namespace.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: cosign-system\n  labels:\n    policy.sigstore.dev/include: \"false\"\n"
  },
  {
    "path": "config/200-clusterrole.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: policy-controller-rbac\nrules:\n  - apiGroups: [\"\"]\n    resources: [\"events\"]\n    verbs: [\"create\",\"patch\"]\n\n  - apiGroups: [\"admissionregistration.k8s.io\"]\n    resources: [\"validatingwebhookconfigurations/finalizers\", \"mutatingwebhookconfigurations/finalizers\"]\n    resourceNames: [\"policy.sigstore.dev\", \"validating.clusterimagepolicy.sigstore.dev\", \"defaulting.clusterimagepolicy.sigstore.dev\"]\n    verbs: [\"update\"]\n  # Allow the reconciliation of exactly our validating and mutating webhooks.\n  - apiGroups: [\"admissionregistration.k8s.io\"]\n    resources: [\"validatingwebhookconfigurations\", \"mutatingwebhookconfigurations\"]\n    verbs: [\"list\", \"watch\"]\n  - apiGroups: [\"admissionregistration.k8s.io\"]\n    resources: [\"validatingwebhookconfigurations\", \"mutatingwebhookconfigurations\"]\n    verbs: [\"get\", \"update\", \"delete\"]\n    resourceNames: [\"policy.sigstore.dev\", \"validating.clusterimagepolicy.sigstore.dev\", \"defaulting.clusterimagepolicy.sigstore.dev\"]\n\n  - apiGroups: [\"\"]\n    resources: [\"namespaces\"]\n    verbs: [\"get\"]\n    # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,\n    # which requires we can Get the system namespace.\n    resourceNames: 
[\"cosign-system\"]\n\n  - apiGroups: [\"\"]\n    resources: [\"namespaces/finalizers\"]\n    verbs: [\"update\"]\n    resourceNames: [\"cosign-system\"]\n\n  # Allow the reconciliation of exactly our CRDs.\n  # This is needed for us to patch in conversion webhook information.\n  - apiGroups: [\"apiextensions.k8s.io\"]\n    resources: [\"customresourcedefinitions\"]\n    verbs: [\"list\", \"watch\"]\n  - apiGroups: [\"apiextensions.k8s.io\"]\n    resources: [\"customresourcedefinitions\"]\n    verbs: [\"get\", \"update\"]\n    resourceNames: [\"clusterimagepolicies.policy.sigstore.dev\"]\n  - apiGroups: [\"apiextensions.k8s.io\"]\n    resources: [\"customresourcedefinitions\"]\n    verbs: [\"get\", \"update\"]\n    resourceNames: [\"trustroots.policy.sigstore.dev\"]\n\n  # Allow reconciliation of the ClusterImagePolicy and TrustRoot CRDs.\n  - apiGroups: [\"policy.sigstore.dev\"]\n    resources: [\"clusterimagepolicies\", \"clusterimagepolicies/status\"]\n    verbs: [\"get\", \"list\", \"update\", \"watch\", \"patch\"]\n  - apiGroups: [\"policy.sigstore.dev\"]\n    resources: [\"trustroots\", \"trustroots/status\"]\n    verbs: [\"get\", \"list\", \"update\", \"watch\", \"patch\"]\n\n  # This is needed by k8schain to support fetching pull secrets attached to pod specs\n  # or their service accounts.  If pull secrets aren't used, the \"secrets\" below can\n  # be safely dropped, but the logic will fetch the service account to check for pull\n  # secrets.\n  # Note: this rule carries no resourceNames, so through the ClusterRoleBinding it grants\n  # get on Secrets and ServiceAccounts in every namespace, not only on pull secrets.\n  - apiGroups: [\"\"]\n    resources: [\"serviceaccounts\", \"secrets\"]\n    verbs: [\"get\"]\n"
  },
  {
    "path": "config/200-role.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nkind: Role\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: policy-controller-namespace-rbac\n  namespace: cosign-system\nrules:\n  # Needed to watch and load configuration and secret data.\n  - apiGroups: [\"\"]\n    resources: [\"configmaps\", \"secrets\"]\n    verbs: [\"get\", \"list\", \"update\", \"watch\"]\n\n  # Needed for leader election\n  - apiGroups: [\"coordination.k8s.io\"]\n    resources: [\"leases\"]\n    verbs: [\"get\", \"list\", \"create\", \"update\", \"delete\", \"patch\", \"watch\"]\n\n  # This is needed to create / patch ConfigMap that is created by the reconciler\n  # to consolidate various CIP configuration into a policy ConfigMap.\n  - apiGroups: [\"\"]\n    resources: [\"configmaps\"]\n    resourceNames: [\"config-image-policies\"]\n    verbs: [\"get\", \"list\", \"create\", \"update\", \"patch\", \"watch\"]\n\n  # This is needed to create / patch ConfigMap that is created by the reconciler\n  # to consolidate various TrustRoot configuration into SigstoreKeys ConfigMap.\n  - apiGroups: [\"\"]\n    resources: [\"configmaps\"]\n    resourceNames: [\"config-sigstore-keys\"]\n    verbs: [\"get\", \"list\", \"create\", \"update\", \"patch\", \"watch\"]\n"
  },
  {
    "path": "config/200-serviceaccount.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: webhook\n  namespace: cosign-system\n"
  },
  {
    "path": "config/201-clusterrolebinding.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: policy-controller-webhook\nsubjects:\n  - kind: ServiceAccount\n    name: webhook\n    namespace: cosign-system\nroleRef:\n  kind: ClusterRole\n  name: policy-controller-rbac\n  apiGroup: rbac.authorization.k8s.io\n"
  },
  {
    "path": "config/201-rolebinding.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: policy-controller-webhook\n  namespace: cosign-system\nsubjects:\n  - kind: ServiceAccount\n    name: webhook\n    namespace: cosign-system\nroleRef:\n  kind: Role\n  name: policy-controller-namespace-rbac\n  apiGroup: rbac.authorization.k8s.io\n"
  },
  {
    "path": "config/300-clusterimagepolicy.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n  name: clusterimagepolicies.policy.sigstore.dev\nspec:\n  conversion:\n    strategy: Webhook\n    webhook:\n      conversionReviewVersions: [\"v1beta1\", \"v1alpha1\"]\n      clientConfig:\n        service:\n          name: webhook\n          namespace: cosign-system\n  group: policy.sigstore.dev\n  names:\n    kind: ClusterImagePolicy\n    plural: clusterimagepolicies\n    singular: clusterimagepolicy\n    categories:\n      - all\n      - sigstore\n    shortNames:\n      - cip\n  scope: Cluster\n  versions:\n    - name: v1alpha1\n      served: true\n      storage: true\n      subresources:\n        status: {}\n      schema:\n        openAPIV3Schema:\n          type: object\n          properties:\n            spec:\n              description: Spec holds the desired state of the ClusterImagePolicy (from the client).\n              type: object\n              properties:\n                authorities:\n                  description: Authorities defines the rules for discovering and validating signatures.\n                  type: array\n                  items:\n                    type: object\n                    properties:\n                      attestations:\n                        description: Attestations is a list of individual attestations for this authority, once the 
signature for this authority has been verified.\n                        type: array\n                        items:\n                          type: object\n                          properties:\n                            name:\n                              description: Name of the attestation. These can then be referenced at the CIP level policy.\n                              type: string\n                            policy:\n                              description: Policy defines all of the matching signatures, and all of the matching attestations (whose attestations are verified).\n                              type: object\n                              properties:\n                                configMapRef:\n                                  description: ConfigMapRef defines the reference to a configMap with the policy definition.\n                                  type: object\n                                  properties:\n                                    key:\n                                      description: Key defines the key to pull from the configmap.\n                                      type: string\n                                    name:\n                                      description: Name is unique within a namespace to reference a configmap resource.\n                                      type: string\n                                    namespace:\n                                      description: Namespace defines the space within which the configmap name must be unique.\n                                      type: string\n                                data:\n                                  description: Data contains the policy definition.\n                                  type: string\n                                fetchConfigFile:\n                                  description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. 
Note that this only gets evaluated (and hence fetched) iff at least one authority matches. The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md'\n                                  type: boolean\n                                includeObjectMeta:\n                                  description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches.\n                                  type: boolean\n                                includeSpec:\n                                  description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluated (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaluating the policy.\n                                  type: boolean\n                                includeTypeMeta:\n                                  description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evaluation. 
Note that this only gets evaluated iff at least one authority matches.\n                                  type: boolean\n                                remote:\n                                  description: Remote defines the url to a policy.\n                                  type: object\n                                  properties:\n                                    sha256sum:\n                                      description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.\n                                      type: string\n                                    url:\n                                      description: URL to the policy data.\n                                      type: string\n                                type:\n                                  description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)\n                                  type: string\n                            predicateType:\n                              description: PredicateType defines which predicate type to verify. 
Matches cosign verify-attestation options.\n                              type: string\n                      ctlog:\n                        description: CTLog sets the configuration to verify the authority against a Rekor instance.\n                        type: object\n                        properties:\n                          trustRootRef:\n                            description: Use the Public Key from the referred TrustRoot.TLog\n                            type: string\n                          url:\n                            description: URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)\n                            type: string\n                      key:\n                        description: Key defines the type of key to validate the image.\n                        type: object\n                        properties:\n                          data:\n                            description: Data contains the inline public key.\n                            type: string\n                          hashAlgorithm:\n                            description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set\n                            type: string\n                          kms:\n                            description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.\n                            type: string\n                          secretRef:\n                            description: SecretRef sets a reference to a secret with the key.\n                            type: object\n                            properties:\n                              name:\n                                description: name is unique within a namespace to reference a secret resource.\n                                type: string\n                              namespace:\n                                description: namespace defines the space within which the 
secret name must be unique.\n                                type: string\n                      keyless:\n                        description: Keyless sets the configuration to verify the authority against a Fulcio instance.\n                        type: object\n                        properties:\n                          ca-cert:\n                            description: CACert sets a reference to CA certificate\n                            type: object\n                            properties:\n                              data:\n                                description: Data contains the inline public key.\n                                type: string\n                              hashAlgorithm:\n                                description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set\n                                type: string\n                              kms:\n                                description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.\n                                type: string\n                              secretRef:\n                                description: SecretRef sets a reference to a secret with the key.\n                                type: object\n                                properties:\n                                  name:\n                                    description: name is unique within a namespace to reference a secret resource.\n                                    type: string\n                                  namespace:\n                                    description: namespace defines the space within which the secret name must be unique.\n                                    type: string\n                          identities:\n                            description: Identities sets a list of identities.\n                            type: array\n                            items:\n                           
   type: object\n                              properties:\n                                issuer:\n                                  description: Issuer defines the issuer for this identity.\n                                  type: string\n                                issuerRegExp:\n                                  description: IssuerRegExp specifies a regular expression to match the issuer for this identity.\n                                  type: string\n                                subject:\n                                  description: Subject defines the subject for this identity.\n                                  type: string\n                                subjectRegExp:\n                                  description: SubjectRegExp specifies a regular expression to match the subject for this identity.\n                                  type: string\n                          insecureIgnoreSCT:\n                            description: InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT\n                            type: boolean\n                          trustRootRef:\n                            description: Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog\n                            type: string\n                          url:\n                            description: URL defines a url to the keyless instance.\n                            type: string\n                      name:\n                        description: Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. 
If not specified, the name will be authority-<index in array>\n                        type: string\n                      rfc3161timestamp:\n                        description: RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.\n                        type: object\n                        properties:\n                          trustRootRef:\n                            description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities\n                            type: string\n                      signatureFormat:\n                        description: SignatureFormat specifies the format the authority expects. Supported formats are \"legacy\" and \"bundle\". If not specified, the default is \"legacy\" (cosign's default).\n                        type: string\n                      source:\n                        description: Sources sets the configuration to specify the sources from where to consume the signatures.\n                        type: array\n                        items:\n                          type: object\n                          properties:\n                            oci:\n                              description: OCI defines the registry from where to pull the signature / attestations.\n                              type: string\n                            signaturePullSecrets:\n                              description: SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source.\n                              type: array\n                              items:\n                                type: object\n                                properties:\n                                  name:\n                                    description: 'Name of the referent. 
This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'\n                                    type: string\n                            tagPrefix:\n                              description: TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these.\n                              type: string\n                      static:\n                        description: Static specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.\n                        type: object\n                        properties:\n                          action:\n                            description: Action defines how to handle a matching policy.\n                            type: string\n                          message:\n                            description: For fail actions, emit an optional custom message\n                            type: string\n                images:\n                  description: Images defines the patterns of image names that should be subject to this policy.\n                  type: array\n                  items:\n                    type: object\n                    properties:\n                      glob:\n                        description: Glob defines a globbing pattern.\n                        type: string\n                match:\n                  description: Match allows selecting resources based on their properties.\n                  type: array\n                  items:\n                    type: object\n                    properties:\n                      group:\n                        type: string\n                      
resource:\n                        type: string\n                      selector:\n                        type: object\n                        properties:\n                          matchExpressions:\n                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n                            type: array\n                            items:\n                              type: object\n                              properties:\n                                key:\n                                  description: key is the label key that the selector applies to.\n                                  type: string\n                                operator:\n                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n                                  type: string\n                                values:\n                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n                                  type: array\n                                  items:\n                                    type: string\n                          matchLabels:\n                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.\n                            type: object\n                            x-kubernetes-preserve-unknown-fields: true\n                      version:\n                        type: string\n                mode:\n                  description: Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings. Valid values are enforce (reject, the default) and warn (allow but warn).\n                  type: string\n                policy:\n                  description: Policy is an optional policy that can be applied against all the successfully validated Authorities. If no authorities pass, this does not even get evaluated, as the Policy is considered failed.\n                  type: object\n                  properties:\n                    configMapRef:\n                      description: ConfigMapRef defines the reference to a configMap with the policy definition.\n                      type: object\n                      properties:\n                        key:\n                          description: Key defines the key to pull from the configmap.\n                          type: string\n                        name:\n                          description: Name is unique within a namespace to reference a configmap resource.\n                          type: string\n                        namespace:\n                          description: Namespace defines the space within which the configmap name must be unique.\n                          type: string\n                    data:\n                      description: Data contains the policy definition.\n                      type: string\n                    fetchConfigFile:\n                      description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. 
The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md'\n                      type: boolean\n                    includeObjectMeta:\n                      description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches.\n                      type: boolean\n                    includeSpec:\n                      description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluated (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaluating the policy.\n                      type: boolean\n                    includeTypeMeta:\n                      description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches.\n                      type: boolean\n                    remote:\n                      description: Remote defines the url to a policy.\n                      type: object\n                      properties:\n                        sha256sum:\n                          description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.\n                          type: string\n                        url:\n                          description: URL to the policy data.\n                          type: string\n                    type:\n                      description: Which kind of policy this is, currently only rego or cue are supported. 
Furthermore, only cue is tested :)\n                      type: string\n            status:\n              description: Status represents the current state of the ClusterImagePolicy. This data may be out of date.\n              type: object\n              properties:\n                annotations:\n                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.\n                  type: object\n                  x-kubernetes-preserve-unknown-fields: true\n                conditions:\n                  description: Conditions the latest available observations of a resource's current state.\n                  type: array\n                  items:\n                    type: object\n                    required:\n                      - type\n                      - status\n                    properties:\n                      lastTransitionTime:\n                        description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).\n                        type: string\n                      message:\n                        description: A human readable message indicating details about the transition.\n                        type: string\n                      reason:\n                        description: The reason for the condition's last transition.\n                        type: string\n                      severity:\n                        description: Severity with which to treat failures of this type of condition. 
When this is not specified, it defaults to Error.\n                        type: string\n                      status:\n                        description: Status of the condition, one of True, False, Unknown.\n                        type: string\n                      type:\n                        description: Type of condition.\n                        type: string\n                observedGeneration:\n                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.\n                  type: integer\n                  format: int64\n    - name: v1beta1\n      served: true\n      storage: false\n      subresources:\n        status: {}\n      schema:\n        openAPIV3Schema:\n          type: object\n          properties:\n            spec:\n              description: Spec holds the desired state of the ClusterImagePolicy (from the client).\n              type: object\n              properties:\n                authorities:\n                  description: Authorities defines the rules for discovering and validating signatures.\n                  type: array\n                  items:\n                    type: object\n                    properties:\n                      attestations:\n                        description: Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified.\n                        type: array\n                        items:\n                          type: object\n                          properties:\n                            name:\n                              description: Name of the attestation. 
These can then be referenced at the CIP level policy.\n                              type: string\n                            policy:\n                              description: Policy defines all of the matching signatures, and all of the matching attestations (whose attestations are verified).\n                              type: object\n                              properties:\n                                configMapRef:\n                                  description: ConfigMapRef defines the reference to a configMap with the policy definition.\n                                  type: object\n                                  properties:\n                                    key:\n                                      description: Key defines the key to pull from the configmap.\n                                      type: string\n                                    name:\n                                      description: Name is unique within a namespace to reference a configmap resource.\n                                      type: string\n                                    namespace:\n                                      description: Namespace defines the space within which the configmap name must be unique.\n                                      type: string\n                                data:\n                                  description: Data contains the policy definition.\n                                  type: string\n                                fetchConfigFile:\n                                  description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. 
The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md'\n                                  type: boolean\n                                includeObjectMeta:\n                                  description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches.\n                                  type: boolean\n                                includeSpec:\n                                  description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluated (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaluating the policy.\n                                  type: boolean\n                                includeTypeMeta:\n                                  description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evaluation. 
Note that this only gets evaluated iff at least one authority matches.\n                                  type: boolean\n                                remote:\n                                  description: Remote defines the url to a policy.\n                                  type: object\n                                  properties:\n                                    sha256sum:\n                                      description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.\n                                      type: string\n                                    url:\n                                      description: URL to the policy data.\n                                      type: string\n                                type:\n                                  description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)\n                                  type: string\n                            predicateType:\n                              description: PredicateType defines which predicate type to verify. 
Matches cosign verify-attestation options.\n                              type: string\n                      ctlog:\n                        description: CTLog sets the configuration to verify the authority against a Rekor instance.\n                        type: object\n                        properties:\n                          trustRootRef:\n                            description: Use the Public Key from the referred TrustRoot.TLog\n                            type: string\n                          url:\n                            description: URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)\n                            type: string\n                      key:\n                        description: Key defines the type of key to validate the image.\n                        type: object\n                        properties:\n                          data:\n                            description: Data contains the inline public key.\n                            type: string\n                          hashAlgorithm:\n                            description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set\n                            type: string\n                          kms:\n                            description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.\n                            type: string\n                          secretRef:\n                            description: SecretRef sets a reference to a secret with the key.\n                            type: object\n                            properties:\n                              name:\n                                description: name is unique within a namespace to reference a secret resource.\n                                type: string\n                              namespace:\n                                description: namespace defines the space within which the 
secret name must be unique.\n                                type: string\n                      keyless:\n                        description: Keyless sets the configuration to verify the authority against a Fulcio instance.\n                        type: object\n                        properties:\n                          ca-cert:\n                            description: CACert sets a reference to CA certificate\n                            type: object\n                            properties:\n                              data:\n                                description: Data contains the inline public key.\n                                type: string\n                              hashAlgorithm:\n                                description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set\n                                type: string\n                              kms:\n                                description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.\n                                type: string\n                              secretRef:\n                                description: SecretRef sets a reference to a secret with the key.\n                                type: object\n                                properties:\n                                  name:\n                                    description: name is unique within a namespace to reference a secret resource.\n                                    type: string\n                                  namespace:\n                                    description: namespace defines the space within which the secret name must be unique.\n                                    type: string\n                          identities:\n                            description: Identities sets a list of identities.\n                            type: array\n                            items:\n                           
   type: object\n                              properties:\n                                issuer:\n                                  description: Issuer defines the issuer for this identity.\n                                  type: string\n                                issuerRegExp:\n                                  description: IssuerRegExp specifies a regular expression to match the issuer for this identity.\n                                  type: string\n                                subject:\n                                  description: Subject defines the subject for this identity.\n                                  type: string\n                                subjectRegExp:\n                                  description: SubjectRegExp specifies a regular expression to match the subject for this identity.\n                                  type: string\n                          insecureIgnoreSCT:\n                            description: InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT\n                            type: boolean\n                          trustRootRef:\n                            description: Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog\n                            type: string\n                          url:\n                            description: URL defines a url to the keyless instance.\n                            type: string\n                      name:\n                        description: Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. 
If not specified, the name will be authority-<index in array>\n                        type: string\n                      rfc3161timestamp:\n                        description: RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.\n                        type: object\n                        properties:\n                          trustRootRef:\n                            description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities\n                            type: string\n                      signatureFormat:\n                        description: SignatureFormat specifies the format the authority expects. Supported formats are \"legacy\" and \"bundle\". If not specified, the default is \"legacy\" (cosign's default).\n                        type: string\n                      source:\n                        description: Sources sets the configuration to specify the sources from where to consume the signatures.\n                        type: array\n                        items:\n                          type: object\n                          properties:\n                            oci:\n                              description: OCI defines the registry from where to pull the signature / attestations.\n                              type: string\n                            signaturePullSecrets:\n                              description: SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source.\n                              type: array\n                              items:\n                                type: object\n                                properties:\n                                  name:\n                                    description: 'Name of the referent. 
This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'\n                                    type: string\n                            tagPrefix:\n                              description: TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these.\n                              type: string\n                      static:\n                        description: Static specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.\n                        type: object\n                        properties:\n                          action:\n                            description: Action defines how to handle a matching policy.\n                            type: string\n                          message:\n                            description: For fail actions, emit an optional custom message\n                            type: string\n                images:\n                  description: Images defines the patterns of image names that should be subject to this policy.\n                  type: array\n                  items:\n                    type: object\n                    properties:\n                      glob:\n                        description: Glob defines a globbing pattern.\n                        type: string\n                match:\n                  description: Match allows selecting resources based on their properties.\n                  type: array\n                  items:\n                    type: object\n                    properties:\n                      group:\n                        type: string\n                      
resource:\n                        type: string\n                      selector:\n                        type: object\n                        properties:\n                          matchExpressions:\n                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n                            type: array\n                            items:\n                              type: object\n                              properties:\n                                key:\n                                  description: key is the label key that the selector applies to.\n                                  type: string\n                                operator:\n                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n                                  type: string\n                                values:\n                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n                                  type: array\n                                  items:\n                                    type: string\n                          matchLabels:\n                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.\n                            type: object\n                            x-kubernetes-preserve-unknown-fields: true\n                      version:\n                        type: string\n                mode:\n                  description: Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings. Valid values are enforce (reject, the default) and warn (allow but warn).\n                  type: string\n                policy:\n                  description: Policy is an optional policy that can be applied against all the successfully validated Authorities. If no authorities pass, this does not even get evaluated, as the Policy is considered failed.\n                  type: object\n                  properties:\n                    configMapRef:\n                      description: ConfigMapRef defines the reference to a configMap with the policy definition.\n                      type: object\n                      properties:\n                        key:\n                          description: Key defines the key to pull from the configmap.\n                          type: string\n                        name:\n                          description: Name is unique within a namespace to reference a configmap resource.\n                          type: string\n                        namespace:\n                          description: Namespace defines the space within which the configmap name must be unique.\n                          type: string\n                    data:\n                      description: Data contains the policy definition.\n                      type: string\n                    fetchConfigFile:\n                      description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. 
The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md'\n                      type: boolean\n                    includeObjectMeta:\n                      description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches.\n                      type: boolean\n                    includeSpec:\n                      description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluated (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaluating the policy.\n                      type: boolean\n                    includeTypeMeta:\n                      description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches.\n                      type: boolean\n                    remote:\n                      description: Remote defines the url to a policy.\n                      type: object\n                      properties:\n                        sha256sum:\n                          description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.\n                          type: string\n                        url:\n                          description: URL to the policy data.\n                          type: string\n                    type:\n                      description: Which kind of policy this is, currently only rego or cue are supported. 
Furthermore, only cue is tested :)\n                      type: string\n            status:\n              description: Status represents the current state of the ClusterImagePolicy. This data may be out of date.\n              type: object\n              properties:\n                annotations:\n                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.\n                  type: object\n                  x-kubernetes-preserve-unknown-fields: true\n                conditions:\n                  description: Conditions the latest available observations of a resource's current state.\n                  type: array\n                  items:\n                    type: object\n                    required:\n                      - type\n                      - status\n                    properties:\n                      lastTransitionTime:\n                        description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).\n                        type: string\n                      message:\n                        description: A human readable message indicating details about the transition.\n                        type: string\n                      reason:\n                        description: The reason for the condition's last transition.\n                        type: string\n                      severity:\n                        description: Severity with which to treat failures of this type of condition. 
When this is not specified, it defaults to Error.\n                        type: string\n                      status:\n                        description: Status of the condition, one of True, False, Unknown.\n                        type: string\n                      type:\n                        description: Type of condition.\n                        type: string\n                observedGeneration:\n                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.\n                  type: integer\n                  format: int64\n"
  },
  {
    "path": "config/300-trustroot.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n  name: trustroots.policy.sigstore.dev\nspec:\n  conversion:\n    strategy: None\n  group: policy.sigstore.dev\n  names:\n    kind: TrustRoot\n    plural: trustroots\n    singular: trustroot\n    categories:\n      - all\n      - sigstore\n  scope: Cluster\n  versions:\n    - name: v1alpha1\n      served: true\n      storage: true\n      subresources:\n        status: {}\n      schema:\n        openAPIV3Schema:\n          type: object\n          properties:\n            spec:\n              description: Spec is the definition for a trust root. This is either a TUF root and remote or local repository. 
You can also bring your own keys/certs here.\n              type: object\n              properties:\n                remote:\n                  description: Remote specifies initial root of trust & remote mirror.\n                  type: object\n                  properties:\n                    mirror:\n                      description: 'Mirror is the remote mirror, for example: https://tuf-repo-cdn.sigstore.dev'\n                      type: string\n                    root:\n                      description: Root is the base64 encoded, json trusted initial root.\n                      type: string\n                    targets:\n                      description: Targets is where the targets live off of the root of the Remote If not specified 'targets' is defaulted.\n                      type: string\n                    trustedRootTarget:\n                      description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.\n                      type: string\n                repository:\n                  description: Repository contains the serialized TUF remote repository.\n                  type: object\n                  properties:\n                    mirrorFS:\n                      description: MirrorFS is the base64 tarred, gzipped, and base64 encoded remote repository that can be used for example in air-gap environments. Will not make outbound network connections, and must then be kept up to date in some other manner. The repository must contain metadata as well as targets.\n                      type: string\n                    root:\n                      description: Root is the base64 encoded, json trusted initial root.\n                      type: string\n                    targets:\n                      description: Targets is where the targets live off of the root of the Repository above. 
If not specified 'targets' is defaulted.\n                      type: string\n                    trustedRootTarget:\n                      description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.\n                      type: string\n                sigstoreKeys:\n                  description: SigstoreKeys contains the serialized keys.\n                  type: object\n                  properties:\n                    certificateAuthorities:\n                      description: Trusted certificate authorities (e.g Fulcio).\n                      type: array\n                      items:\n                        type: object\n                        properties:\n                          certChain:\n                            description: The certificate chain for this CA in PEM format. Last entry in this chain is the Root certificate.\n                            type: string\n                          subject:\n                            description: The root certificate MUST be self-signed, and so the subject and issuer are the same.\n                            type: object\n                            properties:\n                              commonName:\n                                type: string\n                              organization:\n                                type: string\n                          uri:\n                            description: The URI at which the CA can be accessed.\n                            type: string\n                    ctLogs:\n                      description: Certificate Transparency Log\n                      type: array\n                      items:\n                        type: object\n                        properties:\n                          baseURL:\n                            description: The base URL which can be used for URLs for clients.\n                            type: string\n                          
hashAlgorithm:\n                            description: / The hash algorithm used for the Merkle Tree\n                            type: string\n                          publicKey:\n                            description: PEM encoded public key\n                            type: string\n                    tLogs:\n                      description: Rekor log specifications\n                      type: array\n                      items:\n                        type: object\n                        properties:\n                          baseURL:\n                            description: The base URL which can be used for URLs for clients.\n                            type: string\n                          hashAlgorithm:\n                            description: / The hash algorithm used for the Merkle Tree\n                            type: string\n                          publicKey:\n                            description: PEM encoded public key\n                            type: string\n                    timestampAuthorities:\n                      description: Trusted timestamping authorities\n                      type: array\n                      items:\n                        type: object\n                        properties:\n                          certChain:\n                            description: The certificate chain for this CA in PEM format. 
Last entry in this chain is the Root certificate.\n                            type: string\n                          subject:\n                            description: The root certificate MUST be self-signed, and so the subject and issuer are the same.\n                            type: object\n                            properties:\n                              commonName:\n                                type: string\n                              organization:\n                                type: string\n                          uri:\n                            description: The URI at which the CA can be accessed.\n                            type: string\n            status:\n              description: Status represents the current state of the TrustRoot. This data may be out of date.\n              type: object\n              properties:\n                annotations:\n                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.\n                  type: object\n                  x-kubernetes-preserve-unknown-fields: true\n                conditions:\n                  description: Conditions the latest available observations of a resource's current state.\n                  type: array\n                  items:\n                    type: object\n                    required:\n                      - type\n                      - status\n                    properties:\n                      lastTransitionTime:\n                        description: LastTransitionTime is the last time the condition transitioned from one status to another. 
We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).\n                        type: string\n                      message:\n                        description: A human readable message indicating details about the transition.\n                        type: string\n                      reason:\n                        description: The reason for the condition's last transition.\n                        type: string\n                      severity:\n                        description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.\n                        type: string\n                      status:\n                        description: Status of the condition, one of True, False, Unknown.\n                        type: string\n                      type:\n                        description: Type of condition.\n                        type: string\n                observedGeneration:\n                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.\n                  type: integer\n                  format: int64\n"
  },
  {
    "path": "config/400-webhook-service.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: Service\nmetadata:\n  name: webhook\n  namespace: cosign-system\nspec:\n  ports:\n    - port: 443\n      targetPort: 8443\n  selector:\n    role: webhook\n\n"
  },
  {
    "path": "config/500-webhook-configuration.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: admissionregistration.k8s.io/v1\nkind: ValidatingWebhookConfiguration\nmetadata:\n  name: policy.sigstore.dev\nwebhooks:\n- name: policy.sigstore.dev\n  namespaceSelector:\n    # The webhook should only apply to things that opt-in\n    matchExpressions:\n    - key: policy.sigstore.dev/include\n      operator: In\n      values: [\"true\"]\n  admissionReviewVersions: [v1]\n  clientConfig:\n    service:\n      name: webhook\n      namespace: cosign-system\n  failurePolicy: Fail\n  sideEffects: None\n  timeoutSeconds: 25\n---\napiVersion: admissionregistration.k8s.io/v1\nkind: MutatingWebhookConfiguration\nmetadata:\n  name: policy.sigstore.dev\nwebhooks:\n- name: policy.sigstore.dev\n  namespaceSelector:\n    # The webhook should only apply to things that opt-in\n    matchExpressions:\n    - key: policy.sigstore.dev/include\n      operator: In\n      values: [\"true\"]\n  admissionReviewVersions: [v1]\n  clientConfig:\n    service:\n      name: webhook\n      namespace: cosign-system\n  failurePolicy: Fail\n  sideEffects: None\n  timeoutSeconds: 25\n  reinvocationPolicy: IfNeeded\n---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: webhook-certs\n  namespace: cosign-system\n# The data is populated at install time.\n"
  },
  {
    "path": "config/501-policy-webhook-configurations.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\napiVersion: admissionregistration.k8s.io/v1\nkind: MutatingWebhookConfiguration\nmetadata:\n  name: defaulting.clusterimagepolicy.sigstore.dev\nwebhooks:\n  - admissionReviewVersions:\n      - v1\n    clientConfig:\n      service:\n        name: webhook\n        namespace: cosign-system\n    failurePolicy: Fail\n    matchPolicy: Equivalent\n    name: defaulting.clusterimagepolicy.sigstore.dev\n    sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1\nkind: ValidatingWebhookConfiguration\nmetadata:\n  name: validating.clusterimagepolicy.sigstore.dev\nwebhooks:\n  - admissionReviewVersions:\n      - v1\n    clientConfig:\n      service:\n        name: webhook\n        namespace: cosign-system\n    failurePolicy: Fail\n    matchPolicy: Equivalent\n    name: validating.clusterimagepolicy.sigstore.dev\n    sideEffects: None\n---\n"
  },
  {
    "path": "config/config-image-policies.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-image-policies\n  namespace: cosign-system\n\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n    cluster-image-policy-json: \"{\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\",\\\"regex\\\":\\\"\\\"}],\\\"authorities\\\":[{\\\"key\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\"}}]}\"\n"
  },
  {
    "path": "config/config-leader-election.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-leader-election\n  namespace: cosign-system\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n\n    # This block is not actually functional configuration,\n    # but serves to illustrate the available configuration\n    # options and document them in a way that is accessible\n    # to users that `kubectl edit` this config map.\n    #\n    # These sample configuration options may be copied out of\n    # this example block and unindented to be in the data block\n    # to actually change the configuration.\n\n    # leaseDuration is how long non-leaders will wait to try to acquire the\n    # lock; 15 seconds is the value used by core kubernetes controllers.\n    leaseDuration: \"15s\"\n\n    # renewDeadline is how long a leader will try to renew the lease before\n    # giving up; 10 seconds is the value used by core kubernetes controllers.\n    renewDeadline: \"10s\"\n\n    # retryPeriod is how long the leader election client waits between tries of\n    # actions; 2 seconds is the value used by core kubernetes controllers.\n    retryPeriod: \"2s\"\n\n    # buckets is the number of buckets used to partition key space of each\n    # Reconciler. 
If this number is M and the replica number of the controller\n    # is N, the N replicas will compete for the M buckets. The owner of a\n    # bucket will take care of the reconciling for the keys partitioned into\n    # that bucket.\n    buckets: \"1\"\n"
  },
  {
    "path": "config/config-logging.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-logging\n  namespace: cosign-system\n\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n\n    # This block is not actually functional configuration,\n    # but serves to illustrate the available configuration\n    # options and document them in a way that is accessible\n    # to users that `kubectl edit` this config map.\n    #\n    # These sample configuration options may be copied out of\n    # this example block and unindented to be in the data block\n    # to actually change the configuration.\n\n    zap-logger-config: |\n      {\n        \"level\": \"info\",\n        \"development\": false,\n        \"outputPaths\": [\"stdout\"],\n        \"errorOutputPaths\": [\"stderr\"],\n        \"encoding\": \"json\",\n        \"encoderConfig\": {\n          \"timeKey\": \"ts\",\n          \"levelKey\": \"level\",\n          \"nameKey\": \"logger\",\n          \"callerKey\": \"caller\",\n          \"messageKey\": \"msg\",\n          \"stacktraceKey\": \"stacktrace\",\n          \"lineEnding\": \"\",\n          \"levelEncoder\": \"\",\n          \"timeEncoder\": \"iso8601\",\n          \"durationEncoder\": \"\",\n          \"callerEncoder\": 
\"\"\n        }\n      }\n\n    # Log level overrides\n    # Changes are picked up immediately.\n    loglevel.controller: \"info\"\n    loglevel.webhook: \"info\"\n"
  },
  {
    "path": "config/config-observability.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-observability\n  namespace: cosign-system\n\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n\n    # This block is not actually functional configuration,\n    # but serves to illustrate the available configuration\n    # options and document them in a way that is accessible\n    # to users that `kubectl edit` this config map.\n    #\n    # These sample configuration options may be copied out of\n    # this example block and unindented to be in the data block\n    # to actually change the configuration.\n\n    # metrics.backend-destination field specifies the system metrics destination.\n    # It supports either prometheus (the default) or stackdriver.\n    # Note: Using stackdriver will incur additional charges\n    metrics.backend-destination: prometheus\n\n    # metrics.request-metrics-backend-destination specifies the request metrics\n    # destination. If non-empty, it enables queue proxy to send request metrics.\n    # Currently supported values: prometheus, stackdriver.\n    metrics.request-metrics-backend-destination: prometheus\n\n    # metrics.stackdriver-project-id field specifies the stackdriver project ID. 
This\n    # field is optional. When running on GCE, application default credentials will be\n    # used if this field is not provided.\n    metrics.stackdriver-project-id: \"<your stackdriver project id>\"\n"
  },
  {
    "path": "config/config-policy-controller.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-policy-controller\n  namespace: cosign-system\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n    no-match-policy: warn\n"
  },
  {
    "path": "config/config-sigstore-keys.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-sigstore-keys\n  namespace: cosign-system\n\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n    my-custom-sigstore-keys: |-\n      {\"certificateAuthority\":[{\"subject\":{\"organization\":\"fulcio-organization\",\"commonName\":\"fulcio-common-name\"},\"uri\":\"https://fulcio.example.com\",\"certChain\":\"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCglNSUlGd3pDQ0E2dWdBd0lCQWdJSUs3eGIrcnFZNGdFd0RRWUpLb1pJaHZjTkFRRUxCUUF3ZmpFTU1Bb0dBMVVFCglCaE1EVlZOQk1STXdFUVlEVlFRSUV3cERZV3hwWm05eWJtbGhNUll3RkFZRFZRUUhFdzFUWVc0Z1JuSmhibU5wCgljMk52TVJZd0ZBWURWUVFKRXcwMU5EZ2dUV0Z5YTJWMElGTjBNUTR3REFZRFZRUVJFd1UxTnpJM05ERVpNQmNHCglBMVVFQ2hNUVRHbHVkWGdnUm05MWJtUmhkR2x2YmpBZUZ3MHlNakV5TURnd01qRTNOVEZhRncweU16RXlNRGd3CglNakUzTlRGYU1INHhEREFLQmdOVkJBWVRBMVZUUVRFVE1CRUdBMVVFQ0JNS1EyRnNhV1p2Y201cFlURVdNQlFHCglBMVVFQnhNTlUyRnVJRVp5WVc1amFYTmpiekVXTUJRR0ExVUVDUk1OTlRRNElFMWhjbXRsZENCVGRERU9NQXdHCglBMVVFRVJNRk5UY3lOelF4R1RBWEJnTlZCQW9URUV4cGJuVjRJRVp2ZFc1a1lYUnBiMjR3Z2dJaU1BMEdDU3FHCglTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDMTQyRWpsZzJReEl3cE5qYmFlVy9mdDlzSDFUWFU2Q1dnCglic3ZWcDc3dlJnY2tTbnBNM1JUQy9nd0V3Skh0WCtHT1RyUDlybzZuRkpOM0czaGNGbmFNSExLZEdyb2Y5aUh1Cgkvdy9sWkx3UXpYelZUK
zBaeVp4eXRIQVdHRkJ2bVlNNEozM2pINkRqOVB2cU9Od3RTQlNtWkJQYy9ILzhFdllzCglVenhQV3VraE90b3RTSDNWWERxWjRqbDk2TUxlMCs1ZzJXaTdNeFJYNDRYMVJpUFMxNGJhMUVTNTM4YlRoaGNRCgk0U01qM3VoYmRzQ0lrY203ZUY0RVkzcEVYUXBYRUVHblpHZndZZ1FyKzZjVDA3WmQvV0RNME5YM0t4SDZxUms5CglnRGpQbmZjTXVGYk9UYmZEL251dng2Rk5YNk9VcnpyWlNnbGtMdmNQSUJWT1c3TG40MUxBYjdhWG1iV0xGRUpuCgl1TG9vUHBZWXIrNk5obkZETkdwc0JLR0tyL2t2YlF5REtLc3QzQ0tqOW90UFMxMzYzbmk0MXFub0E3WVdTcXh3Cgl6NDE4NWRLS2MrWTd5dkpRc1JscjZxRzFzTkxPK2M3N2ZTUzVWWkltek5vekJjUmt1TEpGbFgrV0IwdXpnUVU1CglzNDVJWlcrZks5Mm5mdThNbUtqekhSK2lkeXI0T3lqUzBZU04zR01nYzBVUDdLNmhWcGhMZWRBcEZweWtCU0ZHCglVZ2lQWndyVCttR1NWZ21PWHE1bjFkUVRDRDE0bEVoMnF0My9yZmY4ek5jMENNQU5XeWJhTUdCR1E0YmhWVlhlCglSS1l4OXUyUFpqUHY1M3A3WWIvRENkcW5HRUR3L0hDQkRpQ3M0b1llNGRhRTM2eFVvanhEU20zRGFlTkc2OHo5CglSTDdnZlVqQXhRSURBUUFCbzBVd1F6QU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCCgkvd0lCQVRBZEJnTlZIUTRFRmdRVWYrbGJOWDBXaDRoK1EwU1J0aFJLK0tmTGpxRXdEUVlKS29aSWh2Y05BUUVMCglCUUFEZ2dJQkFFaEpqYTBaU0t3WGNhT1hDWVJYVEUwNitKYnBlekk1TGV2QmhtYlJRSzc4OVJxMTBKZUFYYTdtCglFVG9SR2xHRkxIMnVEVDExbXNGS3lNM3Y2N0tsRTFTWVZjcUttQ2xZZklWRVlIM0xhMHVJKzlySFpuV2diNEJsCgl5MUI4d2JsS0p6aFlRRDlaNEgvZ3MrQkFzb1JYNVZvRnlJZ2tOQmsxcDNmdGFWQ2JrUXZTME9ZdFlzNWl3NGVLCgljSTcxL0lzVElUM1pwcGo5UjhJR3Nxd0xLZ3pmbnlOY0ZKZHorb2hjNlYyMlBqWk1FQkhDc0hQTzRhdjJMbFdLCgk1WTFmbEwrMmJxVHFibU8vYmpmWDB3NFoxRHVvalJjT1pGN1NINE8zUXUyWTcvNjlnSDdDcDBuaVZDbTV6K1M1CgkwMTFWNlB2TWpybWlFK3hWa3hMSGJZRWdvY2JGaGQ1RGNpTUNYcHZzdURab2phSTNGUkVtQnFpSWhLb2tpM3JiCgl3dUVseWE3OGJNd2taMWtycDc2bldzbzQ3LzArNTFpby9XcmlBZHIwY2ptem9uaG83UnFJRTNEQzc3Q0VNa2FnCgladktTbUwzc2ZmK1dOU3JuUGx6bksxOU5BMno0SW1XOU1zenFQckNUUUdQLy9CQnU3U2Ftem9mVk05ZjRQQUlyCglGVHBuVzZzR2RwQ3pQOEUwV1V1OUIrdmlLcnRmTS85c3huSTlXaGZKUGRyRVAwaVpXM3Zod3ZnUWJLYjVEMk9TCglVNG5yVm92NkJXci9CbmhRSzhJWG8xdHEzajhGQ1JJb2xlWE5oa3M0Z25rT2FEc1cyS3RWcXd0SzNpTzNCdlBiCglMNXcwZ2RMandNTGtlazcyeTYxWHF6NVd4WndOaGw1WWNtQkt1U3ZtVlNIdkE2OEJWU2JCCgktLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCgk=\"}],\"tLog\":[{\"baseURL\":\"https://rekor.example.com\",\"h
ashAlgorithm\":\"sha-256\",\"publicKey\":\"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KCU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTdEMld2Z3FTenM5anBkSnNPSjVObDZ4ZzhKWG0KCU5tbzdNM2JONytkUWRkdzlJYmMyUjNTVjh0ekJadzByU1Q4RktjbjRhcEplcGNLTTRxVXBZVWVOZnc9PQoJLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCgk=\",\"logID\":\"rekor-log-id\"}],\"ctLog\":[{\"baseURL\":\"https://ctfe.example.com\",\"hashAlgorithm\":\"sha-256\",\"publicKey\":\"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KCU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRUp2Q0ppNzA3ZnY1dE1KMVUyVFZNWit1TzRkS0cKCWFFY3ZqbENrZ0JDS1hicmt1bVpWMG0wZFNsSzFWMWd4RWl5UTh5NmhrMU14Sk5lMkFaclpVdDdhNHc9PQoJLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCgk=\",\"logID\":\"ctfe-log-id\"}],\"timestampAuthorities\":[{\"subject\":{\"organization\":\"tsa-organization\",\"commonName\":\"tsa-common-name\"},\"uri\":\"https://tsa.example.com\",\"certChain\":\"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCglNSUlCekRDQ0FYS2dBd0lCQWdJVWZ5R0tEb0ZhN3k2cy9XMXAxQ2lUbUJSczFlQXdDZ1lJS29aSXpqMEVBd0l3CglNREVPTUF3R0ExVUVDaE1GYkc5allXd3hIakFjQmdOVkJBTVRGVlJsYzNRZ1ZGTkJJRWx1ZEdWeWJXVmthV0YwCglaVEFlRncweU1qRXhNRGt5TURNeE16UmFGdzB6TVRFeE1Ea3lNRE0wTXpSYU1EQXhEakFNQmdOVkJBb1RCV3h2CglZMkZzTVI0d0hBWURWUVFERXhWVVpYTjBJRlJUUVNCVWFXMWxjM1JoYlhCcGJtY3dXVEFUQmdjcWhrak9QUUlCCglCZ2dxaGtqT1BRTUJCd05DQUFSM0tjRHk5andBUlgwckR2eXIrTUdHa0czbjFPQTBNVTUrWmlEbWd1c0Z5azZVCgk2Ym92S1dWTWZEOEo4TlRjSlpFMFJhWUpyOC9kRTlrZ2NJSVhsaE13bzJvd2FEQU9CZ05WSFE4QkFmOEVCQU1DCglCNEF3SFFZRFZSME9CQllFRkhObjVSM2IzTXRVZFNOckZPNDlRNlhEVlNua01COEdBMVVkSXdRWU1CYUFGTkxTCgk2Z25vN09tKytRdDV6SWErSDlvMEhpVDJNQllHQTFVZEpRRUIvd1FNTUFvR0NDc0dBUVVGQndNSU1Bb0dDQ3FHCglTTTQ5QkFNQ0EwZ0FNRVVDSVFDRjBvbG9obnZkVXE2VDcvd1BrMTlaNWFRUC95eFJUakNXWXVobi9UQ3lIZ0lnCglhelYzYWlyNEdSWmJOOWJkWXRjUTdKVUFLcTg5R09odEZmbDZrY29WVXZVPQoJLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQoJLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCglNSUlCMGpDQ0FYaWdBd0lCQWdJVVhwQm1ZSkZGYUdXM2NDOHA2Yi9ESHIxaThJb3dDZ1lJS29aSXpqMEVBd0l3CglLREVPTUF3R0ExVUVDaE1GYkc5allXd3hGakFVQmdOVkJBTVREVlJsYzNRZ1ZGTkJJRkp2YjNRd0hoY05Nakl4C
glNVEE1TWpBeU9UTTBXaGNOTXpJeE1UQTVNakF6TkRNMFdqQXdNUTR3REFZRFZRUUtFd1ZzYjJOaGJERWVNQndHCglBMVVFQXhNVlZHVnpkQ0JVVTBFZ1NXNTBaWEp0WldScFlYUmxNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBECglBUWNEUWdBRUtEUERSSXdEUzFaQ3ltdWI2eWFuQ0c1bWEwcURqTHBOb25Edm9vU2tSSEVnVTBUTmliZUpuNk0rCgk1VzYwOGhDdzhud3V1Y01iWFE0MWtOZXVCZWV2eXFONE1IWXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CTUdBMVVkCglKUVFNTUFvR0NDc0dBUVVGQndNSU1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZOTFM2Z25vCgk3T20rK1F0NXpJYStIOW8wSGlUMk1COEdBMVVkSXdRWU1CYUFGQjFudlhwTks3QXVRbGJKK3lhNm5QU3FXaStUCglNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJR2l3cUNJMjl3N0M0VjhUbHRDc2k3MjhzNUR0a2xDUHlTREFTVVN1CglhNXk1QWlFQTQwSWZkbHdmN1VqOHE4TlNENlo0Zy8wanMwdEdOZExTVUoxZG8vV29OMHM9CgktLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCgktLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KCU1JSUJsRENDQVRxZ0F3SUJBZ0lVWVp4OXNTMTRFbjdTdUhET0pKUDRJUG9wTWpVd0NnWUlLb1pJemowRUF3SXcKCUtERU9NQXdHQTFVRUNoTUZiRzlqWVd3eEZqQVVCZ05WQkFNVERWUmxjM1FnVkZOQklGSnZiM1F3SGhjTk1qSXgKCU1UQTVNakF5T1RNMFdoY05Nekl4TVRBNU1qQXpORE0wV2pBb01RNHdEQVlEVlFRS0V3VnNiMk5oYkRFV01CUUcKCUExVUVBeE1OVkdWemRDQlVVMEVnVW05dmREQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJBYkIKCUIwU1U4Rzc1aFZJVXBoQ2hBNG5mT3dOV1AzNDdUalNjSWRzRVByS1ZuKy9ZMUhtbUxISkRqU2ZuK3hoRUZvRWsKCTdqcWdycW9uNDhpNHhibzd4QXVqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQUQKCUFRSC9NQjBHQTFVZERnUVdCQlFkWjcxNlRTdXdMa0pXeWZzbXVwejBxbG92a3pBS0JnZ3Foa2pPUFFRREFnTkkKCUFEQkZBaUJlNVA1NmZvcW1GY1pBVnBFZUFPRlpyQWxFaXEwNUNDcE1OWWg1RWpMdm1BSWhBS05GNnhJVjV1RmQKCXBTVEpzQXd6alc3OENLUW03cW9sMHVQbVBQdTZtTmF3CgktLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t\"}]}\n"
  },
  {
    "path": "config/dummy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Package config is a placeholder that allows us to pull in config files\n// via go mod vendor.\npackage config\n"
  },
  {
    "path": "config/kustomization.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\n\nresources:\n  - 100-namespace.yaml\n  - 200-serviceaccount.yaml\n  - 200-role.yaml\n  - 200-clusterrole.yaml\n  - 201-rolebinding.yaml\n  - 201-clusterrolebinding.yaml\n  - 300-clusterimagepolicy.yaml\n  - 300-trustroot.yaml\n  - 400-webhook-service.yaml\n  - 500-webhook-configuration.yaml\n  - 501-policy-webhook-configurations.yaml\n  - config-observability.yaml\n  - config-logging.yaml\n  - config-leader-election.yaml\n  - config-image-policies.yaml\n  - config-sigstore-keys.yaml\n  - config-policy-controller.yaml\n"
  },
  {
    "path": "config/webhook.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n---\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: webhook\n  namespace: cosign-system\nspec:\n  selector:\n    matchLabels:\n      role: webhook\n  template:\n    metadata:\n      labels:\n        role: webhook\n    spec:\n      # To avoid node becoming SPOF, spread our replicas to different nodes.\n      affinity:\n        podAntiAffinity:\n          preferredDuringSchedulingIgnoredDuringExecution:\n          - podAffinityTerm:\n              labelSelector:\n                matchLabels:\n                  role: webhook\n              topologyKey: kubernetes.io/hostname\n            weight: 100\n\n      serviceAccountName: webhook\n      containers:\n      - name: webhook\n        # This is the Go import path for the binary that is containerized\n        # and substituted here.\n        image: ko://github.com/sigstore/policy-controller/cmd/webhook\n        args: [\n          # Uncomment these to initialize with a custom TUF root.\n          # TODO: How to specify the entire TUF directory for multiple\n          # TUF roots.\n          #\"--tuf-mirror\", \"http://tuf.tuf-system.svc\",\n          #\"--tuf-root\", \"/var/run/tuf/root.json\",\n          # Uncomment to customize ClusterImagePolicy resync period\n          # \"--policy-resync-period\", \"10h\",\n        ]\n        resources:\n          requests:\n            cpu: 40m\n            
memory: 40Mi\n          limits:\n            cpu: 400m\n            memory: 400Mi\n        env:\n        - name: SYSTEM_NAMESPACE\n          valueFrom:\n            fieldRef:\n              fieldPath: metadata.namespace\n        - name: CONFIG_LOGGING_NAME\n          value: config-logging\n        - name: METRICS_DOMAIN\n          value: sigstore.dev/policy\n        - name: WEBHOOK_NAME\n          value: webhook\n        - name: KUBERNETES_MIN_VERSION\n          value: \"1.21.0\"\n        - name: HOME\n          value: \"/var/run/sigstore\"\n\n        securityContext:\n          allowPrivilegeEscalation: false\n          readOnlyRootFilesystem: true\n          runAsNonRoot: true\n          capabilities:\n            drop:\n            - ALL\n\n        volumeMounts:\n        - name: homedir\n          mountPath: \"/var/run/sigstore\"\n        - name: tuf-root\n          mountPath: \"/var/run/tuf\"\n          readOnly: true\n\n        readinessProbe: &probe\n          failureThreshold: 6\n          initialDelaySeconds: 20\n          periodSeconds: 1\n          httpGet:\n            scheme: HTTPS\n            port: 8443\n            httpHeaders:\n            - name: k-kubelet-probe\n              value: \"webhook\"\n        livenessProbe: *probe\n\n      # Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently\n      # high value that we respect whatever value it has configured for the lame duck grace period.\n      terminationGracePeriodSeconds: 300\n\n      volumes:\n      - emptyDir: {}\n        name: homedir\n      - name: tuf-root\n        secret:\n          secretName: tuf-root\n          # This is marked as optional, since if you are using public\n          # instance, TUF root is built in to the cosign container.\n          optional: true\n          items:\n          - key: root\n            path: root.json\n\n---\n"
  },
  {
    "path": "docs/api-types/index-v1alpha1.md",
    "content": "\n\n# API Documentation (v1alpha1)\n\n> This document is automatically generated from the API definition in the code.\n\n## Table of Contents\n* [CertificateAuthority](#certificateauthority)\n* [DistinguishedName](#distinguishedname)\n* [Remote](#remote)\n* [Repository](#repository)\n* [SigstoreKeys](#sigstorekeys)\n* [TransparencyLogInstance](#transparencyloginstance)\n* [TrustRoot](#trustroot)\n* [TrustRootList](#trustrootlist)\n* [TrustRootSpec](#trustrootspec)\n* [Attestation](#attestation)\n* [Authority](#authority)\n* [ClusterImagePolicy](#clusterimagepolicy)\n* [ClusterImagePolicyList](#clusterimagepolicylist)\n* [ClusterImagePolicySpec](#clusterimagepolicyspec)\n* [ConfigMapReference](#configmapreference)\n* [Identity](#identity)\n* [ImagePattern](#imagepattern)\n* [KeyRef](#keyref)\n* [KeylessRef](#keylessref)\n* [MatchResource](#matchresource)\n* [Policy](#policy)\n* [RFC3161Timestamp](#rfc3161timestamp)\n* [RemotePolicy](#remotepolicy)\n* [Source](#source)\n* [StaticRef](#staticref)\n* [TLog](#tlog)\n\n## CertificateAuthority\n\n\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| subject | The root certificate MUST be self-signed, and so the subject and issuer are the same. | [DistinguishedName](#distinguishedname) | true |\n| uri | The URI at which the CA can be accessed. | apis.URL | true |\n| certChain | The certificate chain for this CA in PEM format. Last entry in this chain is the Root certificate. 
| []byte | true |\n\n[Back to TOC](#table-of-contents)\n\n## DistinguishedName\n\n\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| organization |  | string | true |\n| commonName |  | string | true |\n\n[Back to TOC](#table-of-contents)\n\n## Remote\n\nRemote specifies the TUF with trusted initial root and remote mirror where to fetch updates from.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| root | Root is the base64 encoded, json trusted initial root. | []byte | true |\n| mirror | Mirror is the remote mirror, for example: https://tuf-repo-cdn.sigstore.dev | apis.URL | true |\n| targets | Targets is where the targets live off of the root of the Remote. If not specified, 'targets' is used as the default. | string | false |\n| trustedRootTarget | TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used. | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## Repository\n\nRepository specifies an airgapped TUF. Specifies the trusted initial root as well as a serialized repository.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| root | Root is the base64 encoded, json trusted initial root. | []byte | true |\n| mirrorFS | MirrorFS is the tarred, gzipped, and base64 encoded remote repository that can be used for example in air-gap environments. Will not make outbound network connections, and must then be kept up to date in some other manner. The repository must contain metadata as well as targets. | []byte | true |\n| targets | Targets is where the targets live off of the root of the Repository above. If not specified, 'targets' is used as the default. | string | false |\n| trustedRootTarget | TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used. 
| string | false |\n\n[Back to TOC](#table-of-contents)\n\n## SigstoreKeys\n\nSigstoreKeys contains all the necessary Keys and Certificates for validating against a specific instance of Sigstore. This is used for bringing your own trusted keys/certs. and see how easy it is to replace with protos instead of our custom defs above. https://github.com/sigstore/protobuf-specs/pull/5 And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70 Well, not the multi-root, but one instance of that is exactly the SigstoreKeys.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| certificateAuthorities | Trusted certificate authorities (e.g. Fulcio). | [][CertificateAuthority](#certificateauthority) | true |\n| tLogs | Rekor log specifications | [][TransparencyLogInstance](#transparencyloginstance) | false |\n| ctLogs | Certificate Transparency Log | [][TransparencyLogInstance](#transparencyloginstance) | false |\n| timestampAuthorities | Trusted timestamping authorities | [][CertificateAuthority](#certificateauthority) | false |\n\n[Back to TOC](#table-of-contents)\n\n## TransparencyLogInstance\n\nTransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion promise.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| baseURL | The base URL which can be used for URLs for clients. | apis.URL | true |\n| hashAlgorithm | The hash algorithm used for the Merkle Tree | string | true |\n| publicKey | PEM encoded public key | []byte | true |\n\n[Back to TOC](#table-of-contents)\n\n## TrustRoot\n\nTrustRoot defines the keys and certificates that are trusted for validating against. 
These can be specified as TUF Roots, serialized TUF repository (for air-gap scenarios), as well as serialized keys/certificates, for bring your own keys/certs.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| metadata |  | [metav1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta) | true |\n| spec | Spec is the definition for a trust root. This is either a TUF root and remote or local repository. You can also bring your own keys/certs here. | [TrustRootSpec](#trustrootspec) | true |\n| status | Status represents the current state of the TrustRoot. This data may be out of date. | [TrustRootStatus](#trustrootstatus) | false |\n\n[Back to TOC](#table-of-contents)\n\n## TrustRootList\n\nTrustRootList is a list of TrustRoot resources\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| metadata |  | [metav1.ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#listmeta-v1-meta) | true |\n| items |  | [][TrustRoot](#trustroot) | true |\n\n[Back to TOC](#table-of-contents)\n\n## TrustRootSpec\n\nTrustRootSpec defines a trusted Root. This is typically either a TUF Root or a bring your own keys variation. It specifies either: root.json and remote or fully gzipped / tarred directory containing root and metadata directories or serialized keys / certificate chains (bring your own keys).\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| remote | Remote specifies initial root of trust & remote mirror. | [Remote](#remote) | false |\n| repository | Repository contains the serialized TUF remote repository. | [Repository](#repository) | false |\n| sigstoreKeys | SigstoreKeys contains the serialized keys. 
| [SigstoreKeys](#sigstorekeys) | false |\n\n[Back to TOC](#table-of-contents)\n\n## TrustRootStatus\n\nTrustRootStatus represents the current state of a TrustRoot.\n\n\n## Attestation\n\nAttestation defines the type of attestation to validate and optionally apply a policy decision to it. Authority block is used to verify the specified attestation types, and if Policy is specified, then it's applied only after the validation of the Attestation signature has been verified.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| name | Name of the attestation. These can then be referenced at the CIP level policy. | string | true |\n| predicateType | PredicateType defines which predicate type to verify. Matches cosign verify-attestation options. | string | true |\n| policy | Policy defines all of the matching signatures, and all of the matching attestations (whose attestations are verified). | [Policy](#policy) | false |\n\n[Back to TOC](#table-of-contents)\n\n## Authority\n\n\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| name | Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. If not specified, the name will be authority-<index in array> | string | true |\n| key | Key defines the type of key to validate the image. | [KeyRef](#keyref) | false |\n| keyless | Keyless sets the configuration to verify the authority against a Fulcio instance. | [KeylessRef](#keylessref) | false |\n| static | Static specifies that signatures / attestations are not validated but instead a static policy is applied against matching images. | [StaticRef](#staticref) | false |\n| source | Sources sets the configuration to specify the sources from where to consume the signature and attestations. | [][Source](#source) | false |\n| ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. 
| [TLog](#tlog) | false |\n| attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false |\n| rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false |\n| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \\\"legacy\\\" and \\\"bundle\\\". If not specified, the default is \\\"legacy\\\" (cosign's default). | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## ClusterImagePolicy\n\nClusterImagePolicy defines the images that go through verification and the authorities used for verification\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| metadata |  | [metav1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta) | true |\n| spec | Spec holds the desired state of the ClusterImagePolicy (from the client). | [ClusterImagePolicySpec](#clusterimagepolicyspec) | true |\n| status | Status represents the current state of the ClusterImagePolicy. This data may be out of date. 
| [ClusterImagePolicyStatus](#clusterimagepolicystatus) | false |\n\n[Back to TOC](#table-of-contents)\n\n## ClusterImagePolicyList\n\nClusterImagePolicyList is a list of ClusterImagePolicy resources\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| metadata |  | [metav1.ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#listmeta-v1-meta) | true |\n| items |  | [][ClusterImagePolicy](#clusterimagepolicy) | true |\n\n[Back to TOC](#table-of-contents)\n\n## ClusterImagePolicySpec\n\nClusterImagePolicySpec defines a list of images that should be verified\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| images | Images defines the patterns of image names that should be subject to this policy. | [][ImagePattern](#imagepattern) | true |\n| authorities | Authorities defines the rules for discovering and validating signatures. | [][Authority](#authority) | false |\n| policy | Policy is an optional policy that can be applied against all the successfully validated Authorities. If no authorities pass, this does not even get evaluated, as the Policy is considered failed. | [Policy](#policy) | false |\n| mode | Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings. enforce - Reject (default) warn - allow but warn | string | false |\n| match | Match allows selecting resources based on their properties. | [][MatchResource](#matchresource) | false |\n\n[Back to TOC](#table-of-contents)\n\n## ClusterImagePolicyStatus\n\nClusterImagePolicyStatus represents the current state of a ClusterImagePolicy.\n\n\n## ConfigMapReference\n\nConfigMapReference is cut&paste from SecretReference, but for the life of me couldn't find one in the public types. 
If there's one, use it.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| name | Name is unique within a namespace to reference a configmap resource. | string | false |\n| namespace | Namespace defines the space within which the configmap name must be unique. | string | false |\n| key | Key defines the key to pull from the configmap. | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## Identity\n\nIdentity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| issuer | Issuer defines the issuer for this identity. | string | false |\n| subject | Subject defines the subject for this identity. | string | false |\n| issuerRegExp | IssuerRegExp specifies a regular expression to match the issuer for this identity. | string | false |\n| subjectRegExp | SubjectRegExp specifies a regular expression to match the subject for this identity. | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## ImagePattern\n\nImagePattern defines a pattern and its associated authorities. If multiple patterns match a particular image, then ALL of those authorities must be satisfied for the image to be admitted.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| glob | Glob defines a globbing pattern. | string | true |\n\n[Back to TOC](#table-of-contents)\n\n## KeyRef\n\nThis references a public verification key stored in a secret in the cosign-system namespace. A KeyRef must specify only one of SecretRef, Data or KMS.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| secretRef | SecretRef sets a reference to a secret with the key. 
| [v1.SecretReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#secretreference-v1-core) | false |\n| data | Data contains the inline public key | string | false |\n| kms | KMS contains the KMS url of the public key. Supported formats differ based on the KMS system used. | string | false |\n| hashAlgorithm | HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## KeylessRef\n\nKeylessRef contains the location of the validating certificate and the identities against which to verify. KeylessRef will contain either the URL to the verifying certificate, or it will contain the certificate data inline or in a secret.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| url | URL defines a url to the keyless instance. | apis.URL | false |\n| identities | Identities sets a list of identities. | [][Identity](#identity) | true |\n| ca-cert | CACert sets a reference to CA certificate | [KeyRef](#keyref) | false |\n| trustRootRef | Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog | string | false |\n| insecureIgnoreSCT | InsecureIgnoreSCT skips verifying that a certificate contains an embedded SCT (Signed Certificate Timestamp) | bool | false |\n\n[Back to TOC](#table-of-contents)\n\n## MatchResource\n\nMatchResource allows selecting resources based on their version, group and resource. It is also possible to select resources based on a list of matching labels.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| selector |  | [metav1.LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#labelselector-v1-meta) | false |\n\n[Back to TOC](#table-of-contents)\n\n## Policy\n\nPolicy specifies a policy to use for Attestation or the CIP validation (iff at least one authority matches). 
Exactly one of Data, URL, or ConfigMapReference must be specified.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| type | Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :) | string | true |\n| data | Data contains the policy definition. | string | false |\n| remote | Remote defines the url to a policy. | [RemotePolicy](#remotepolicy) | false |\n| configMapRef | ConfigMapRef defines the reference to a configMap with the policy definition. | [ConfigMapReference](#configmapreference) | false |\n| fetchConfigFile | FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md | bool | false |\n| includeSpec | IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluated (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaluating the policy. | bool | false |\n| includeObjectMeta | IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. | bool | false |\n| includeTypeMeta | IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. 
| bool | false |\n\n[Back to TOC](#table-of-contents)\n\n## RFC3161Timestamp\n\nRFC3161Timestamp specifies the URL to a RFC3161 time-stamping server that holds the time-stamped verification for the signature\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| trustRootRef | Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## RemotePolicy\n\nRemotePolicy defines all the properties to fetch a remote policy\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| url | URL to the policy data. | apis.URL | false |\n| sha256sum | Sha256sum defines the exact sha256sum computed out of the 'body' of the http response. | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## Source\n\nSource specifies the location of the signature / attestations.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| oci | OCI defines the registry from where to pull the signature / attestations. | string | false |\n| signaturePullSecrets | SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source. | [][v1.LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#localobjectreference-v1-core) | false |\n| tagPrefix | TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these. 
| string | false |\n\n[Back to TOC](#table-of-contents)\n\n## StaticRef\n\nStaticRef specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| action | Action defines how to handle a matching policy. | string | true |\n| message | For fail actions, emit an optional custom message. This only makes sense for 'fail' action because on 'pass' there's no place to jot down the message. | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## TLog\n\nTLog specifies the URL to a transparency log that holds the signature and public key information\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| url | URL sets the url to the rekor instance (by default the public rekor.sigstore.dev) | apis.URL | false |\n| trustRootRef | Use the Public Key from the referred TrustRoot.TLog | string | false |\n\n[Back to TOC](#table-of-contents)\n"
  },
  {
    "path": "docs/api-types/index.md",
    "content": "\n\n# API Documentation (v1beta1)\n\n> This document is automatically generated from the API definition in the code.\n\n## Table of Contents\n* [Attestation](#attestation)\n* [Authority](#authority)\n* [ClusterImagePolicy](#clusterimagepolicy)\n* [ClusterImagePolicyList](#clusterimagepolicylist)\n* [ClusterImagePolicySpec](#clusterimagepolicyspec)\n* [ConfigMapReference](#configmapreference)\n* [Identity](#identity)\n* [ImagePattern](#imagepattern)\n* [KeyRef](#keyref)\n* [KeylessRef](#keylessref)\n* [MatchResource](#matchresource)\n* [Policy](#policy)\n* [RFC3161Timestamp](#rfc3161timestamp)\n* [RemotePolicy](#remotepolicy)\n* [Source](#source)\n* [StaticRef](#staticref)\n* [TLog](#tlog)\n\n## Attestation\n\nAttestation defines the type of attestation to validate and optionally apply a policy decision to it. Authority block is used to verify the specified attestation types, and if Policy is specified, then it's applied only after the validation of the Attestation signature has been verified.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| name | Name of the attestation. These can then be referenced at the CIP level policy. | string | true |\n| predicateType | PredicateType defines which predicate type to verify. Matches cosign verify-attestation options. | string | true |\n| policy | Policy defines all of the matching signatures, and all of the matching attestations (whose attestations are verified). | [Policy](#policy) | false |\n\n[Back to TOC](#table-of-contents)\n\n## Authority\n\nThe authorities block defines the rules for discovering and validating signatures.  Signatures are cryptographically verified using one of the \\\"key\\\" or \\\"keyless\\\" fields. 
When multiple authorities are specified, any of them may be used to source the valid signature we are looking for to admit an image.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| name | Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. If not specified, the name will be authority-<index in array> | string | true |\n| key | Key defines the type of key to validate the image. | [KeyRef](#keyref) | false |\n| keyless | Keyless sets the configuration to verify the authority against a Fulcio instance. | [KeylessRef](#keylessref) | false |\n| static | Static specifies that signatures / attestations are not validated but instead a static policy is applied against matching images. | [StaticRef](#staticref) | false |\n| source | Sources sets the configuration to specify the sources from where to consume the signatures. | [][Source](#source) | false |\n| ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false |\n| attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false |\n| rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false |\n| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \\\"legacy\\\" and \\\"bundle\\\". If not specified, the default is \\\"legacy\\\" (cosign's default). 
| string | false |\n\n[Back to TOC](#table-of-contents)\n\n## ClusterImagePolicy\n\nClusterImagePolicy defines the images that go through verification and the authorities used for verification\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| metadata |  | [metav1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta) | true |\n| spec | Spec holds the desired state of the ClusterImagePolicy (from the client). | [ClusterImagePolicySpec](#clusterimagepolicyspec) | true |\n| status | Status represents the current state of the ClusterImagePolicy. This data may be out of date. | [ClusterImagePolicyStatus](#clusterimagepolicystatus) | false |\n\n[Back to TOC](#table-of-contents)\n\n## ClusterImagePolicyList\n\nClusterImagePolicyList is a list of ClusterImagePolicy resources\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| metadata |  | [metav1.ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#listmeta-v1-meta) | true |\n| items |  | [][ClusterImagePolicy](#clusterimagepolicy) | true |\n\n[Back to TOC](#table-of-contents)\n\n## ClusterImagePolicySpec\n\nClusterImagePolicySpec defines a list of images that should be verified\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| images | Images defines the patterns of image names that should be subject to this policy. | [][ImagePattern](#imagepattern) | true |\n| authorities | Authorities defines the rules for discovering and validating signatures. | [][Authority](#authority) | false |\n| policy | Policy is an optional policy that can be applied against all the successfully validated Authorities. If no authorities pass, this does not even get evaluated, as the Policy is considered failed. 
| [Policy](#policy) | false |\n| mode | Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings. enforce - Reject (default) warn - allow but warn | string | false |\n| match | Match allows selecting resources based on their properties. | [][MatchResource](#matchresource) | false |\n\n[Back to TOC](#table-of-contents)\n\n## ClusterImagePolicyStatus\n\nClusterImagePolicyStatus represents the current state of a ClusterImagePolicy.\n\n\n## ConfigMapReference\n\nConfigMapReference is cut&paste from SecretReference, but for the life of me couldn't find one in the public types. If there's one, use it.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| name | Name is unique within a namespace to reference a configmap resource. | string | false |\n| namespace | Namespace defines the space within which the configmap name must be unique. | string | false |\n| key | Key defines the key to pull from the configmap. | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## Identity\n\nIdentity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| issuer | Issuer defines the issuer for this identity. | string | false |\n| subject | Subject defines the subject for this identity. | string | false |\n| issuerRegExp | IssuerRegExp specifies a regular expression to match the issuer for this identity. | string | false |\n| subjectRegExp | SubjectRegExp specifies a regular expression to match the subject for this identity. 
| string | false |\n\n[Back to TOC](#table-of-contents)\n\n## ImagePattern\n\nImagePattern defines a pattern and its associated authorities. If multiple patterns match a particular image, then ALL of those authorities must be satisfied for the image to be admitted.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| glob | Glob defines a globbing pattern. | string | true |\n\n[Back to TOC](#table-of-contents)\n\n## KeyRef\n\nThis references a public verification key stored in a secret in the cosign-system namespace. A KeyRef must specify only one of SecretRef, Data or KMS.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| secretRef | SecretRef sets a reference to a secret with the key. | [v1.SecretReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#secretreference-v1-core) | false |\n| data | Data contains the inline public key. | string | false |\n| kms | KMS contains the KMS url of the public key. Supported formats differ based on the KMS system used. | string | false |\n| hashAlgorithm | HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## KeylessRef\n\nKeylessRef contains the location of the validating certificate and the identities against which to verify. KeylessRef will contain either the URL to the verifying certificate, or it will contain the certificate data inline or in a secret.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| url | URL defines a url to the keyless instance. | apis.URL | false |\n| identities | Identities sets a list of identities. 
| [][Identity](#identity) | true |\n| ca-cert | CACert sets a reference to CA certificate | [KeyRef](#keyref) | false |\n| trustRootRef | Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog | string | false |\n| insecureIgnoreSCT | InsecureIgnoreSCT skips verifying that a certificate contains an embedded SCT (Signed Certificate Timestamp) | bool | false |\n\n[Back to TOC](#table-of-contents)\n\n## MatchResource\n\nMatchResource allows selecting resources based on their version, group and resource. It is also possible to select resources based on a list of matching labels.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| selector |  | [metav1.LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#labelselector-v1-meta) | false |\n\n[Back to TOC](#table-of-contents)\n\n## Policy\n\nPolicy specifies a policy to use for Attestation or the CIP validation (iff at least one authority matches). Exactly one of Data, URL, or ConfigMapReference must be specified.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| type | Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :) | string | true |\n| data | Data contains the policy definition. | string | false |\n| remote | Remote defines the url to a policy. | [RemotePolicy](#remotepolicy) | false |\n| configMapRef | ConfigMapRef defines the reference to a configMap with the policy definition. | [ConfigMapReference](#configmapreference) | false |\n| fetchConfigFile | FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. 
The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md | bool | false |\n| includeSpec | IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluated (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaluating the policy. | bool | false |\n| includeObjectMeta | IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. | bool | false |\n| includeTypeMeta | IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. | bool | false |\n\n[Back to TOC](#table-of-contents)\n\n## RFC3161Timestamp\n\nRFC3161Timestamp specifies the URL to a RFC3161 time-stamping server that holds the time-stamped verification for the signature\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| trustRootRef | Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## RemotePolicy\n\nRemotePolicy defines all the properties to fetch a remote policy\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| url | URL to the policy data. | apis.URL | false |\n| sha256sum | Sha256sum defines the exact sha256sum computed out of the 'body' of the http response. 
| string | false |\n\n[Back to TOC](#table-of-contents)\n\n## Source\n\nSource specifies the location of the signature / attestations.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| oci | OCI defines the registry from where to pull the signature / attestations. | string | false |\n| signaturePullSecrets | SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source. | [][v1.LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#localobjectreference-v1-core) | false |\n| tagPrefix | TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these. | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## StaticRef\n\nStaticRef specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| action | Action defines how to handle a matching policy. | string | true |\n| message | For fail actions, emit an optional custom message | string | false |\n\n[Back to TOC](#table-of-contents)\n\n## TLog\n\nTLog specifies the URL to a transparency log that holds the signature and public key information\n\n| Field | Description | Scheme | Required |\n| ----- | ----------- | ------ | -------- |\n| url | URL sets the url to the rekor instance (by default the public rekor.sigstore.dev) | apis.URL | false |\n| trustRootRef | Use the Public Key from the referred TrustRoot.TLog | string | false |\n\n[Back to TOC](#table-of-contents)\n"
  },
  {
    "path": "examples/README.md",
    "content": "# Examples\n\n*Note: adding a new example here? Make sure to add a test\nfor it in\n[`../.github/workflows/policy-tester-examples.yml`](../.github/workflows/policy-tester-examples.yml).*\n\n## Prerequisites\n\nMake sure that the `policy-tester` CLI\nis built.\n\nAt the root of this repo, run the following:\n```\nmake policy-tester\n```\n\n## Validating a policy\n\nSet the `POLICY` and `IMAGE` environment variables appropriately,\npointing to the example policy and image to test:\n```\nPOLICY=\"policies/some-policy.yaml\"\nIMAGE=\"r.example.com/myapp:v0.1.0\"\n```\n\nThen run the following to validate the image against the policy:\n```\n../policy-tester --policy \"${POLICY}\" --image \"${IMAGE}\"\n```\n\n## Example policies\n\n### custom-key-attestation-sbom-spdxjson\n\nSource: [policies/custom-key-attestation-sbom-spdxjson.yaml](./policies/custom-key-attestation-sbom-spdxjson.yaml)\n\nAssert that all images must have a signed SPDX SBOM\n(spdxjson) attestation using a custom key.\n\n```\nPOLICY=\"policies/custom-key-attestation-sbom-spdxjson.yaml\"\n```\n\n#### How to satisfy this policy\n\nFirst, use your favorite tool to generate an [SPDX](https://spdx.dev/) SBOM.\n\nFor example purposes, you can use\n[`sboms/example.spdx.json`](./sboms/example.spdx.json).\n\nThen attach it to your image using [cosign attest](https://github.com/sigstore/cosign/blob/main/doc/cosign_attest.md)\nwith the flag `--type spdxjson`, signing it using the private key\nlocated at [`keys/cosign.key`](./keys/cosign.key):\n```\nexport COSIGN_PASSWORD=\"\"\n\ncosign attest --yes --type spdxjson \\\n  --predicate sboms/example.spdx.json \\\n  --key keys/cosign.key \\\n  \"${IMAGE}\"\n```\n\nBecause `keys/cosign.key` is committed to this repository and unlocked with an empty\npassword, anyone can sign with it. Use this key, and the policy that trusts it, only to try\nout the example; generate your own key pair for real images.\n\n### keyless-attestation-sbom-spdxjson\n\nSource: [policies/keyless-attestation-sbom-spdxjson.yaml](./policies/keyless-attestation-sbom-spdxjson.yaml)\n\nAssert that all images must have a \"keyless\"\nsigned SPDX SBOM (spdxjson) attestation against\nthe public Fulcio 
root.\n\n```\nPOLICY=\"policies/keyless-attestation-sbom-spdxjson.yaml\"\n```\n\n#### How to satisfy this policy\n\nFirst, use your favorite tool to generate an [SPDX](https://spdx.dev/) SBOM.\n\nFor example purposes, you can use\n[`sboms/example.spdx.json`](./sboms/example.spdx.json).\n\nThen attach it to your image using [cosign attest](https://github.com/sigstore/cosign/blob/main/doc/cosign_attest.md)\nwith the flag `--type spdxjson`, signing \"keyless\" against the public Fulcio root:\n```\n\ncosign attest --yes --type spdxjson \\\n  --predicate sboms/example.spdx.json \\\n  \"${IMAGE}\"\n```\n\n### signed-by-aws-kms-key\n\nSource:  [policies/signed-by-aws-kms-key.yaml](./policies/signed-by-aws-kms-key.yaml)\n\nAsserts that images have been signed by a specific AWS KMS key.\n\n```\nPOLICY=\"policies/signed-by-aws-kms-key.yaml\"\n```\n\n#### How to satisfy this policy\n\nCreate (or find) an AWS KMS key to sign your container images and note\nthe ARN of the key.\n\n```sh\n$ aws kms create-key \\\n  --description \"Container signing key\" \\\n  --key-spec ECC_NIST_P256 \\\n  --key-usage SIGN_VERIFY\n{\n    \"KeyMetadata\": {\n        \"AWSAccountId\": \"....\"\n        \"Arn\": \"arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab\",\n        ....\n    }\n}\n```\n\nNext sign your container using the KMS key and `cosign`.\n\n```\ncosign sign --key \"awskms:///<< arn of kms key >>\" \"${IMAGE}\"\n```\n\n### signed-by-gcp-kms-key\n\nSource:  [policies/signed-by-gcp-kms-key.yaml](./policies/signed-by-gcp-kms-key.yaml)\n\nAsserts that images have been signed by a specific GCP KMS key.\n\n```\nPOLICY=\"policies/signed-by-gcp-kms-key.yaml\"\n```\n\n#### How to satisfy this policy\n\nCreate the GCP KMS keyring and key to sign your container images.\n\n```sh\ngcloud kms keyrings create ${KEY_RING} \\\n    --location ${REGION}\ngcloud kms keys create ${KEY_NAME} \\\n    --keyring ${KEY_RING} \\\n    --location ${REGION} \\\n    --purpose asymmetric-signing \\\n    
--default-algorithm ec-sign-p256-sha256\n```\n\nNext sign your container using the KMS key and `cosign`.\n\n```sh\ngcloud auth application-default login\ncosign generate-key-pair \\\n    --kms gcpkms://projects/${PROJECT_ID}/locations/${REGION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}\ncosign sign \\\n    --key gcpkms://projects/${PROJECT_ID}/locations/${REGION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME} \\\n    ${IMAGE}\n```\n\nTo satisfy the policy, ensure that the policy controller has the `roles/cloudkms.viewer`\nand `roles/cloudkms.verifier` IAM permissions on the relevant service account. Also,\nthe GKE cluster should have the `https://www.googleapis.com/auth/cloudkms` scope.\n\n### signed-by-github-actions\n\nSource:  [policies/signed-by-github-actions.yaml](./policies/signed-by-github-actions.yaml)\n\nAsserts that images have been signed by a specific GitHub Actions workflow\nusing keyless signing.\n\n```\nPOLICY=\"policies/signed-by-github-actions.yaml\"\n```\n\n#### How to satisfy this policy\n\nTo satisfy this policy you must sign your container image from within a [GitHub\nActions](https://docs.github.com/en/actions) workflow. Sigstore publishes\na cosign installer action that makes this easy. Here is an example workflow\nfor signing:\n\n```yaml\njobs:\n  sign_action:\n    runs-on: ubuntu-latest\n\n    permissions:\n      contents: read\n      id-token: write # NB: needed for signing the images with GitHub OIDC Token\n\n    name: Install Cosign and sign image\n    steps:\n      - uses: actions/checkout@master\n        with:\n          fetch-depth: 1\n\n      - name: Install Cosign\n        uses: sigstore/cosign-installer@main\n\n      - name: Sign the images with GitHub OIDC Token\n        run: cosign sign ${IMAGE}\n\n```\n\nTo satisfy the policy, ensure that the path and branch of the workflow match\nthe workflow URI in the policy.\n\nThe example references `actions/checkout@master` and `sigstore/cosign-installer@main` for brevity.\nIn a real signing workflow, pin each action to a full commit SHA so that the code that runs with\n`id-token: write` cannot change without a reviewed update.\n"
  },
  {
    "path": "examples/keys/cosign.key",
    "content": "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----\neyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6\nOCwicCI6MX0sInNhbHQiOiJnQlZkM21FMnA3OHhsbUFPSlZkRmcwcXdpcnAwTEMy\na2ROdkFiTW9lWVpRPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94\nIiwibm9uY2UiOiJGNDdDZEN3K3U1TXRMMVd2K21wT0tWbnpkTmliaWh2USJ9LCJj\naXBoZXJ0ZXh0IjoiMUI4Q0o2ZC9JY1hIeTBqaEZrbkk4RXdCUXRuOFkyN2kzY0wz\nRURLVUFheUVDR3BiTWRsUXFFOGlGMVJaRW1BWTIwa0plV1VhdkVUMURocFZzZWVJ\nZjYraW1SK3c2V0lXWFB0MWJJNCthQ3RCVU1jZ21QN05IQXdRY0dZbGlXZmVRWG12\nZlh2bVJ1bFlwNnZBaUh4c3EvMFUxNU9qNjRCcWE4OE5TK010WWVIQjVrd1ZVcmJB\nVGYwaEpnaXNleFJZbHZra0lMeldYMXBxcFE9PSJ9\n-----END ENCRYPTED COSIGN PRIVATE KEY-----\n"
  },
  {
    "path": "examples/keys/cosign.pub",
    "content": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg\n4FCemyVurIM4KEORQk4OAu8ZNwxvGSoY3eAabYaFIPPQ8ROAjrbdPwNdJw==\n-----END PUBLIC KEY-----\n"
  },
  {
    "path": "examples/policies/allow-only-pods.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: image-policy-typemeta-allow-only-pods\nspec:\n  images:\n  - glob: \"ghcr.io/sigstore/timestamp-server**\"\n  authorities:\n  - static:\n      action: pass\n  policy:\n    includeTypeMeta: true\n    type: \"cue\"\n    data: |\n      typemeta:\n        kind: \"Pod\"\n"
  },
  {
    "path": "examples/policies/custom-key-attestation-sbom-spdxjson.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#\n# Name: custom-key-attestation-sbom-spdxjson\n#\n# Description:\n#   Assert that all images must have a\n#   signed SPDX SBOM (spdxjson) attestation\n#   using a custom key\n#\n\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: custom-key-attestation-sbom-spdxjson\nspec:\n  images:\n  - glob: \"**\"\n  authorities:\n  - name: custom-key\n    key:\n      data: |\n        -----BEGIN PUBLIC KEY-----\n        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg\n        4FCemyVurIM4KEORQk4OAu8ZNwxvGSoY3eAabYaFIPPQ8ROAjrbdPwNdJw==\n        -----END PUBLIC KEY-----\n    ctlog:\n      url: https://rekor.sigstore.dev\n    attestations:\n    - name: must-have-spdxjson\n      predicateType: spdxjson\n      policy:\n        type: cue\n        data: |\n          predicateType: \"https://spdx.dev/Document\"\n"
  },
  {
    "path": "examples/policies/keyless-attestation-sbom-spdxjson.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#\n# Name: keyless-attestation-sbom-spdxjson\n#\n# Description:\n#   Assert that all images must have a\n#   \"keyless\" signed SPDX SBOM (spdxjson)\n#   attestation against the public Fulcio root\n#\n\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: keyless-attestation-sbom-spdxjson\nspec:\n  images:\n  - glob: \"**\"\n  authorities:\n  - name: keyless\n    keyless:\n      url: \"https://fulcio.sigstore.dev\"\n      identities:\n        - issuer: https://token.actions.githubusercontent.com\n          subject: \"https://github.com/sigstore/policy-controller/.github/workflows/policy-tester-examples.yml@refs/heads/main\"\n    ctlog:\n      url: https://rekor.sigstore.dev\n    attestations:\n    - name: must-have-spdxjson\n      predicateType: spdxjson\n      policy:\n        type: cue\n        data: |\n          predicateType: \"https://spdx.dev/Document\"\n"
  },
  {
    "path": "examples/policies/release-signed-by-github-actions.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#\n# Name: release-signed-by-github-actions\n#\n# Description:\n#   Assert that a policy-controller release was signed by expected subject\n#   and issuer.\n#\n\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: image-is-signed-by-github-actions\nspec:\n  images:\n  # This is the release v0.3.0\n  - glob: \"gcr.io/projectsigstore/policy-webhook@sha256:d1e7af59381793687db4673277005276eb73a06cf555503138dd18eaa1ca47d6\"\n  authorities:\n  - keyless:\n      # Signed by the public Fulcio certificate authority\n      url: https://fulcio.sigstore.dev\n      identities:\n      # Matches the Github Actions OIDC issuer\n      - issuer: https://token.actions.githubusercontent.com\n        # Matches a specific github workflow at a release tag. Here we use the\n        # sigstore policy controller release workflow at tag v0.3.0.\n        subject: \"https://github.com/sigstore/policy-controller/.github/workflows/release.yaml@refs/tags/v0.3.0\"\n    ctlog:\n      url: https://rekor.sigstore.dev\n"
  },
  {
    "path": "examples/policies/signed-by-aws-kms-key.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#\n# Name: image-is-signed-by-aws-kms-key\n#\n# Description:\n#   Assert that images are signed by a specific\n#   AWS KMS key\n#\n\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: image-is-signed-by-aws-kms-key\nspec:\n  images:\n  # All images\n  - glob: \"**\"\n  authorities:\n  - name: aws-kms\n    key:\n      # NB: the policy controller must have kms:DescribeKey, kms:GetPublicKey\n      # and kms:Verify IAM permissions on the relevant key.\n      kms: awskms:///arn:aws:kms:<< region >>:<< account id >>:key/<< key id >>\n    ctlog:\n      url: https://rekor.sigstore.dev\n"
  },
  {
    "path": "examples/policies/signed-by-gcp-kms-key.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#\n# Name: image-is-signed-by-gcp-kms-key\n#\n# Description:\n#   Assert that images are signed by a specific\n#   GCP KMS key\n#\n\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: image-is-signed-by-gcp-kms-key\nspec:\n  images:\n  # All images\n  - glob: \"**\"\n  authorities:\n  - name: gcp-kms\n    key:\n      kms: gcpkms://projects/${PROJECT_ID}/locations/${REGION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/cryptoKeyVersions/${KEY_VERSION}\n    ctlog:\n      url: https://rekor.sigstore.dev\n"
  },
  {
    "path": "examples/policies/signed-by-github-actions.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#\n# Name: image-is-signed-by-github-actions\n#\n# Description:\n#   Assert that images are signed by a specific Github Actions\n#   workflow on the main branch.\n#\n\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: image-is-signed-by-github-actions\nspec:\n  images:\n  # All images are matched, not only those in the example repository\n  - glob: \"**\"\n  authorities:\n  - keyless:\n      # Signed by the public Fulcio certificate authority\n      url: https://fulcio.sigstore.dev\n      identities:\n      # Matches the Github Actions OIDC issuer\n      - issuer: https://token.actions.githubusercontent.com\n        # Matches a specific github workflow on main branch. Here we use the\n        # sigstore policy controller example testing workflow as an example.\n        subject: \"https://github.com/sigstore/policy-controller/.github/workflows/policy-tester-examples.yml@refs/heads/main\"\n    ctlog:\n      url: https://rekor.sigstore.dev\n"
  },
  {
    "path": "examples/sboms/example.spdx.json",
    "content": "{\n  \"spdxVersion\": \"SPDX-2.2\",\n  \"dataLicense\": \"CC0-1.0\",\n  \"SPDXID\": \"SPDXRef-DOCUMENT\",\n  \"creationInfo\": {\n    \"created\": \"2020-11-24T01:12:27Z\",\n    \"creators\": [\n      {\n        \"Person\": \"Nisha K (nishak@vmware.com)\"\n      }\n    ]\n  },\n  \"name\": \"golang-dist\",\n  \"documentNamespace\": \"https://swinslow.net/spdx-examples/example7/golang-dist\",\n  \"documentDescribes\": [\n    \"SPDXRef-golang-dist\"\n  ],\n  \"packages\": [\n    {\n      \"packageName\": \"go1.16.4.linux-amd64\",\n      \"SPDXID\": \"SPDXRef-golang-dist\",\n      \"downloadLocation\": \"https://golang.org/dl/go1.16.4.linux-amd64.tar.gz\",\n      \"packageVersion\": \"1.16.4\",\n      \"filesAnalyzed\": \"false\",\n      \"checksums\": [\n        {\n          \"algorithm\": \"SHA256\",\n          \"checksumValue\": \"7154e88f5a8047aad4b80ebace58a059e36e7e2e4eb3b383127a28c711b4ff59\"\n        }\n      ],\n      \"packageLicenseConcluded\": \"NOASSERTION\",\n      \"packageLicenseDeclared\": \"LicenseRef-Golang-BSD-plus-Patents\",\n      \"packageCopyrightText\": \"Copyright (c) 2009 The Go Authors. All rights reserved.\"\n    },\n    {\n      \"packageName\": \"go\",\n      \"SPDXID\": \"SPDXRef-go-compiler\",\n      \"downloadLocation\": \"https://golang.org/dl/go1.16.4.linux-amd64.tar.gz\",\n      \"packageVersion\": \"1.16.4\",\n      \"filesAnalyzed\": \"false\",\n      \"packageLicenseConcluded\": \"NOASSERTION\",\n      \"packageLicenseDeclared\": \"NOASSERTION\",\n      \"packageCopyrightText\": \"NOASSERTION\"\n    }\n  ]\n}\n"
  },
  {
    "path": "go.mod",
    "content": "module github.com/sigstore/policy-controller\n\ngo 1.25.7\n\nrequire (\n\tgithub.com/aws/aws-sdk-go-v2 v1.41.2\n\tgithub.com/golang/protobuf v1.5.4 // indirect\n\tgithub.com/golang/snappy v0.0.4 // indirect\n\tgithub.com/google/go-cmp v0.7.0\n\tgithub.com/google/go-containerregistry v0.21.3\n\tgithub.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20260317232201-3888fb8f8738\n\tgithub.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20260317232201-3888fb8f8738\n\tgithub.com/hashicorp/errwrap v1.1.0\n\tgithub.com/hashicorp/go-cleanhttp v0.5.2\n\tgithub.com/hashicorp/go-multierror v1.1.1\n\tgithub.com/hashicorp/go-retryablehttp v0.7.8\n\tgithub.com/hashicorp/go-rootcerts v1.0.2\n\tgithub.com/hashicorp/go-secure-stdlib/parseutil v0.2.0\n\tgithub.com/hashicorp/go-secure-stdlib/strutil v0.1.2\n\tgithub.com/hashicorp/go-sockaddr v1.0.7\n\tgithub.com/hashicorp/golang-lru v1.0.2\n\tgithub.com/hashicorp/hcl v1.0.1-vault-7\n\tgithub.com/kelseyhightower/envconfig v1.4.0\n\tgithub.com/letsencrypt/boulder v0.20251110.0\n\tgithub.com/mitchellh/go-homedir v1.1.0\n\tgithub.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c\n\tgithub.com/ryanuber/go-glob v1.0.0\n\tgithub.com/sigstore/cosign/v3 v3.0.5\n\tgithub.com/sigstore/rekor v1.5.0\n\tgithub.com/sigstore/sigstore v1.10.4\n\tgithub.com/stretchr/testify v1.11.1\n\tgithub.com/theupdateframework/go-tuf v0.7.0\n\tgithub.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399\n\tgo.uber.org/zap v1.27.1\n\tgolang.org/x/crypto v0.49.0\n\tgolang.org/x/net v0.52.0\n\tgolang.org/x/sys v0.42.0 // indirect\n\tgolang.org/x/time v0.14.0\n\tgoogle.golang.org/grpc v1.79.3\n\tgoogle.golang.org/protobuf v1.36.11\n\tgopkg.in/yaml.v3 v3.0.1 // indirect\n\tk8s.io/api v0.35.2\n\tk8s.io/apimachinery v0.35.2\n\tk8s.io/client-go v0.35.2\n\tk8s.io/code-generator v0.32.2\n\tk8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912\n\tknative.dev/hack 
v0.0.0-20240111013919-e89096d74d85\n\tsigs.k8s.io/release-utils v0.12.3\n\tsigs.k8s.io/yaml v1.6.0\n)\n\nrequire github.com/spf13/cobra v1.10.2\n\nrequire (\n\tgithub.com/Azure/azure-sdk-for-go v68.0.0+incompatible\n\tgithub.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0\n\tgithub.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1\n\tgithub.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.12.0\n\tgithub.com/cenkalti/backoff/v4 v4.3.0\n\tgithub.com/docker/docker v28.5.2+incompatible\n\tgithub.com/docker/docker-credential-helpers v0.9.5\n\tgithub.com/docker/go-connections v0.6.0\n\tgithub.com/go-jose/go-jose/v4 v4.1.3\n\tgithub.com/hashicorp/vault/api v1.22.0\n\tgithub.com/natefinch/atomic v1.0.1\n\tgithub.com/sigstore/protobuf-specs v0.5.0\n\tgithub.com/sigstore/scaffolding v0.7.22\n\tgithub.com/sigstore/sigstore-go v1.1.4\n\tgithub.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.4\n\tgithub.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.4\n\tgithub.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.4\n\tgithub.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4\n\tgithub.com/spf13/viper v1.21.0\n\tgithub.com/theupdateframework/go-tuf/v2 v2.4.1\n\tknative.dev/hack/schema v0.0.0-20240607132042-09143140a254\n\tknative.dev/pkg v0.0.0-20230612155445-74c4be5e935e\n)\n\nrequire (\n\tcloud.google.com/go v0.123.0 // indirect\n\tcloud.google.com/go/auth v0.18.1 // indirect\n\tcloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect\n\tcloud.google.com/go/compute/metadata v0.9.0 // indirect\n\tcloud.google.com/go/iam v1.5.3 // indirect\n\tcloud.google.com/go/kms v1.25.0 // indirect\n\tcloud.google.com/go/longrunning v0.8.0 // indirect\n\tcontrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect\n\tcontrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect\n\tcuelang.org/go v0.15.4 // indirect\n\tgithub.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // 
indirect\n\tgithub.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect\n\tgithub.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 // indirect\n\tgithub.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect\n\tgithub.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect\n\tgithub.com/Azure/go-autorest v14.2.0+incompatible // indirect\n\tgithub.com/Azure/go-autorest/autorest v0.11.30 // indirect\n\tgithub.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect\n\tgithub.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect\n\tgithub.com/Azure/go-autorest/autorest/azure/cli v0.4.7 // indirect\n\tgithub.com/Azure/go-autorest/autorest/date v0.3.1 // indirect\n\tgithub.com/Azure/go-autorest/logger v0.2.2 // indirect\n\tgithub.com/Azure/go-autorest/tracing v0.6.1 // indirect\n\tgithub.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect\n\tgithub.com/Microsoft/go-winio v0.6.2 // indirect\n\tgithub.com/ThalesIgnite/crypto11 v1.2.5 // indirect\n\tgithub.com/agnivade/levenshtein v1.2.1 // indirect\n\tgithub.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect\n\tgithub.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect\n\tgithub.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect\n\tgithub.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect\n\tgithub.com/alibabacloud-go/debug v1.0.0 // indirect\n\tgithub.com/alibabacloud-go/endpoint-util v1.1.1 // indirect\n\tgithub.com/alibabacloud-go/openapi-util v0.1.0 // indirect\n\tgithub.com/alibabacloud-go/tea v1.2.1 // indirect\n\tgithub.com/alibabacloud-go/tea-utils v1.4.5 // indirect\n\tgithub.com/alibabacloud-go/tea-xml v1.1.3 // indirect\n\tgithub.com/aliyun/credentials-go v1.3.2 // indirect\n\tgithub.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/config v1.32.10 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/credentials v1.19.10 // 
indirect\n\tgithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ecr v1.55.3 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.10 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/kms v1.49.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/signin v1.0.6 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/sso v1.30.11 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/sts v1.41.7 // indirect\n\tgithub.com/aws/smithy-go v1.24.1 // indirect\n\tgithub.com/beorn7/perks v1.0.1 // indirect\n\tgithub.com/blang/semver v3.5.1+incompatible // indirect\n\tgithub.com/blang/semver/v4 v4.0.0 // indirect\n\tgithub.com/blendle/zapdriver v1.3.1 // indirect\n\tgithub.com/cenkalti/backoff/v5 v5.0.3 // indirect\n\tgithub.com/census-instrumentation/opencensus-proto v0.4.1 // indirect\n\tgithub.com/cespare/xxhash/v2 v2.3.0 // indirect\n\tgithub.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect\n\tgithub.com/clbanning/mxj/v2 v2.7.0 // indirect\n\tgithub.com/cockroachdb/apd/v3 v3.2.1 // indirect\n\tgithub.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect\n\tgithub.com/containerd/errdefs v1.0.0 // indirect\n\tgithub.com/containerd/errdefs/pkg v0.3.0 // indirect\n\tgithub.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect\n\tgithub.com/coreos/go-oidc/v3 v3.17.0 // indirect\n\tgithub.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect\n\tgithub.com/davecgh/go-spew 
v1.1.2-0.20180830191138-d8f796af33cc // indirect\n\tgithub.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect\n\tgithub.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect\n\tgithub.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect\n\tgithub.com/dimchansky/utfbom v1.1.1 // indirect\n\tgithub.com/distribution/reference v0.6.0 // indirect\n\tgithub.com/docker/cli v29.3.0+incompatible // indirect\n\tgithub.com/docker/distribution v2.8.3+incompatible // indirect\n\tgithub.com/docker/go-units v0.5.0 // indirect\n\tgithub.com/dustin/go-humanize v1.0.1 // indirect\n\tgithub.com/emicklei/go-restful/v3 v3.13.0 // indirect\n\tgithub.com/emicklei/proto v1.14.2 // indirect\n\tgithub.com/evanphx/json-patch v5.6.0+incompatible // indirect\n\tgithub.com/evanphx/json-patch/v5 v5.7.0 // indirect\n\tgithub.com/felixge/httpsnoop v1.0.4 // indirect\n\tgithub.com/fsnotify/fsnotify v1.9.0 // indirect\n\tgithub.com/fxamacker/cbor/v2 v2.9.0 // indirect\n\tgithub.com/go-chi/chi/v5 v5.2.4 // indirect\n\tgithub.com/go-ini/ini v1.67.0 // indirect\n\tgithub.com/go-kit/log v0.2.1 // indirect\n\tgithub.com/go-logfmt/logfmt v0.5.1 // indirect\n\tgithub.com/go-logr/logr v1.4.3 // indirect\n\tgithub.com/go-logr/stdr v1.2.2 // indirect\n\tgithub.com/go-openapi/analysis v0.24.1 // indirect\n\tgithub.com/go-openapi/errors v0.22.6 // indirect\n\tgithub.com/go-openapi/jsonpointer v0.22.4 // indirect\n\tgithub.com/go-openapi/jsonreference v0.21.4 // indirect\n\tgithub.com/go-openapi/loads v0.23.2 // indirect\n\tgithub.com/go-openapi/runtime v0.29.2 // indirect\n\tgithub.com/go-openapi/spec v0.22.3 // indirect\n\tgithub.com/go-openapi/strfmt v0.25.0 // indirect\n\tgithub.com/go-openapi/swag v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/cmdutils v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/conv v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/fileutils v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/jsonname v0.25.4 // 
indirect\n\tgithub.com/go-openapi/swag/jsonutils v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/loading v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/mangling v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/netutils v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/stringutils v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/typeutils v0.25.4 // indirect\n\tgithub.com/go-openapi/swag/yamlutils v0.25.4 // indirect\n\tgithub.com/go-openapi/validate v0.25.1 // indirect\n\tgithub.com/go-viper/mapstructure/v2 v2.4.0 // indirect\n\tgithub.com/gobuffalo/flect v1.0.2 // indirect\n\tgithub.com/gobwas/glob v0.2.3 // indirect\n\tgithub.com/goccy/go-json v0.10.5 // indirect\n\tgithub.com/gogo/protobuf v1.3.2 // indirect\n\tgithub.com/golang-jwt/jwt/v4 v4.5.2 // indirect\n\tgithub.com/golang-jwt/jwt/v5 v5.3.0 // indirect\n\tgithub.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect\n\tgithub.com/google/certificate-transparency-go v1.3.2 // indirect\n\tgithub.com/google/gnostic-models v0.7.0 // indirect\n\tgithub.com/google/go-github/v73 v73.0.0 // indirect\n\tgithub.com/google/go-querystring v1.2.0 // indirect\n\tgithub.com/google/s2a-go v0.1.9 // indirect\n\tgithub.com/google/uuid v1.6.0 // indirect\n\tgithub.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect\n\tgithub.com/googleapis/gax-go/v2 v2.17.0 // indirect\n\tgithub.com/grpc-ecosystem/grpc-gateway/v2 v2.27.5 // indirect\n\tgithub.com/in-toto/attestation v1.1.2 // indirect\n\tgithub.com/in-toto/in-toto-golang v0.9.0 // indirect\n\tgithub.com/inconshreveable/mousetrap v1.1.0 // indirect\n\tgithub.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect\n\tgithub.com/jellydator/ttlcache/v3 v3.4.0 // indirect\n\tgithub.com/json-iterator/go v1.1.12 // indirect\n\tgithub.com/klauspost/compress v1.18.4 // indirect\n\tgithub.com/kylelemons/godebug v1.1.0 // indirect\n\tgithub.com/lestrrat-go/blackmagic v1.0.4 // indirect\n\tgithub.com/lestrrat-go/dsig v1.0.0 // 
indirect\n\tgithub.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect\n\tgithub.com/lestrrat-go/httpcc v1.0.1 // indirect\n\tgithub.com/lestrrat-go/httprc/v3 v3.0.1 // indirect\n\tgithub.com/lestrrat-go/jwx/v3 v3.0.12 // indirect\n\tgithub.com/lestrrat-go/option v1.0.1 // indirect\n\tgithub.com/lestrrat-go/option/v2 v2.0.0 // indirect\n\tgithub.com/miekg/pkcs11 v1.1.2 // indirect\n\tgithub.com/mitchellh/go-wordwrap v1.0.1 // indirect\n\tgithub.com/moby/docker-image-spec v1.3.1 // indirect\n\tgithub.com/moby/sys/atomicwriter v0.1.0 // indirect\n\tgithub.com/moby/term v0.5.2 // indirect\n\tgithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect\n\tgithub.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect\n\tgithub.com/morikuni/aec v1.1.0 // indirect\n\tgithub.com/mozillazg/docker-credential-acr-helper v0.4.0 // indirect\n\tgithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect\n\tgithub.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect\n\tgithub.com/oklog/ulid v1.3.1 // indirect\n\tgithub.com/open-policy-agent/opa v1.12.3 // indirect\n\tgithub.com/opencontainers/go-digest v1.0.0 // indirect\n\tgithub.com/opencontainers/image-spec v1.1.1 // indirect\n\tgithub.com/pelletier/go-toml/v2 v2.2.4 // indirect\n\tgithub.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect\n\tgithub.com/pkg/errors v0.9.1 // indirect\n\tgithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect\n\tgithub.com/prometheus/client_golang v1.23.2 // indirect\n\tgithub.com/prometheus/client_model v0.6.2 // indirect\n\tgithub.com/prometheus/common v0.67.5 // indirect\n\tgithub.com/prometheus/procfs v0.19.2 // indirect\n\tgithub.com/prometheus/statsd_exporter v0.22.8 // indirect\n\tgithub.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 // indirect\n\tgithub.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect\n\tgithub.com/sagikazarmark/locafero v0.11.0 // 
indirect\n\tgithub.com/sassoftware/relic v7.2.1+incompatible // indirect\n\tgithub.com/secure-systems-lab/go-securesystemslib v0.10.0 // indirect\n\tgithub.com/segmentio/asm v1.2.1 // indirect\n\tgithub.com/shibumi/go-pathspec v1.3.0 // indirect\n\tgithub.com/sigstore/rekor-tiles/v2 v2.2.0 // indirect\n\tgithub.com/sigstore/timestamp-authority/v2 v2.0.4 // indirect\n\tgithub.com/sirupsen/logrus v1.9.4 // indirect\n\tgithub.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect\n\tgithub.com/spf13/afero v1.15.0 // indirect\n\tgithub.com/spf13/cast v1.10.0 // indirect\n\tgithub.com/spf13/pflag v1.0.10 // indirect\n\tgithub.com/subosito/gotenv v1.6.0 // indirect\n\tgithub.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect\n\tgithub.com/tchap/go-patricia/v2 v2.3.3 // indirect\n\tgithub.com/thales-e-security/pool v0.0.2 // indirect\n\tgithub.com/tjfoc/gmsm v1.4.1 // indirect\n\tgithub.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect\n\tgithub.com/transparency-dev/merkle v0.0.2 // indirect\n\tgithub.com/valyala/fastjson v1.6.4 // indirect\n\tgithub.com/vbatts/tar-split v0.12.2 // indirect\n\tgithub.com/vektah/gqlparser/v2 v2.5.31 // indirect\n\tgithub.com/x448/float16 v0.8.4 // indirect\n\tgithub.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect\n\tgithub.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect\n\tgithub.com/yashtewari/glob-intersection v0.2.0 // indirect\n\tgitlab.com/gitlab-org/api/client-go v1.25.0 // indirect\n\tgo.mongodb.org/mongo-driver v1.17.6 // indirect\n\tgo.opencensus.io v0.24.0 // indirect\n\tgo.opentelemetry.io/auto/sdk v1.2.1 // indirect\n\tgo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect\n\tgo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect\n\tgo.opentelemetry.io/otel v1.42.0 // indirect\n\tgo.opentelemetry.io/otel/metric v1.42.0 // 
indirect\n\tgo.opentelemetry.io/otel/sdk v1.42.0 // indirect\n\tgo.opentelemetry.io/otel/trace v1.42.0 // indirect\n\tgo.uber.org/atomic v1.9.0 // indirect\n\tgo.uber.org/automaxprocs v1.6.0 // indirect\n\tgo.uber.org/multierr v1.11.0 // indirect\n\tgo.yaml.in/yaml/v2 v2.4.3 // indirect\n\tgo.yaml.in/yaml/v3 v3.0.4 // indirect\n\tgolang.org/x/mod v0.34.0 // indirect\n\tgolang.org/x/oauth2 v0.36.0 // indirect\n\tgolang.org/x/sync v0.20.0 // indirect\n\tgolang.org/x/term v0.41.0 // indirect\n\tgolang.org/x/text v0.35.0 // indirect\n\tgolang.org/x/tools v0.43.0 // indirect\n\tgomodules.xyz/jsonpatch/v2 v2.4.0 // indirect\n\tgoogle.golang.org/api v0.267.0 // indirect\n\tgoogle.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect\n\tgoogle.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect\n\tgoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect\n\tgopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect\n\tgopkg.in/inf.v0 v0.9.1 // indirect\n\tgopkg.in/ini.v1 v1.67.1 // indirect\n\tgopkg.in/yaml.v2 v2.4.0 // indirect\n\tk8s.io/apiextensions-apiserver v0.27.6 // indirect\n\tk8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 // indirect\n\tk8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect\n\tk8s.io/klog/v2 v2.130.1 // indirect\n\tk8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect\n\tsigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect\n\tsigs.k8s.io/randfill v1.0.0 // indirect\n\tsigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect\n)\n\n// TODO: github.com/golang/glog causes issues on webhook startup due\n// to conflicting \"log_dir\" flags between glog and klog (knative).\n// Until that is resolved, glog is replaced by github.com/jdolitsky/glog,\n// pinned to a single commit by pseudo-version.\nreplace github.com/golang/glog => github.com/jdolitsky/glog v0.0.0-20220729172235-78744e90d087\n\n// knative deps require an old k8s.io/gengo, so we need to replace these\nreplace k8s.io/code-generator => k8s.io/code-generator v0.29.4\n"
  },
  {
    "path": "go.sum",
    "content": "al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeXHA=\nal.essio.dev/pkg/shellescape v1.6.0/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=\ncloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=\ncloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=\ncloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=\ncloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=\ncloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=\ncloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=\ncloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=\ncloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=\ncloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=\ncloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=\ncloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=\ncloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=\ncloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=\ncloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=\ncloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=\ncloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=\ncloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=\ncloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=\ncloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=\ncloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=\ncloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod 
h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=\ncloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=\ncloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=\ncloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=\ncloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=\ncloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=\ncloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=\ncloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=\ncloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=\ncloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=\ncloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=\ncloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc=\ncloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU=\ncloud.google.com/go/kms v1.25.0 h1:gVqvGGUmz0nYCmtoxWmdc1wli2L1apgP8U4fghPGSbQ=\ncloud.google.com/go/kms v1.25.0/go.mod h1:XIdHkzfj0bUO3E+LvwPg+oc7s58/Ns8Nd8Sdtljihbk=\ncloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8=\ncloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk=\ncloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=\ncloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=\ncloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=\ncloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=\ncloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=\ncloud.google.com/go/storage v1.5.0/go.mod 
h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=\ncloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=\ncloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=\ncloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=\ncontrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d h1:LblfooH1lKOpp1hIhukktmSAxFkqMPFk9KR6iZ0MJNI=\ncontrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d/go.mod h1:IshRmMJBhDfFj5Y67nVhMYTTIze91RUeT73ipWKs/GY=\ncontrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxaWJs2/OwXtiWwew3oAg=\ncontrib.go.opencensus.io/exporter/prometheus v0.4.2/go.mod h1:dvEHbiKmgvbr5pjaF9fpw1KeYcjrnC1J8B+JKjsZyRQ=\ncuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 h1:4k1yAtPvZJZQTu8DRY8muBo0LHv6TqtrE0AO5n6IPYs=\ncuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084/go.mod h1:4WWeZNxUO1vRoZWAHIG0KZOd6dA25ypyWuwD3ti0Tdc=\ncuelang.org/go v0.15.4 h1:lrkTDhqy8dveHgX1ZLQ6WmgbhD8+rXa0fD25hxEKYhw=\ncuelang.org/go v0.15.4/go.mod h1:NYw6n4akZcTjA7QQwJ1/gqWrrhsN4aZwhcAL0jv9rZE=\ndmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=\nfilippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=\nfilippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=\ngithub.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg=\ngithub.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM=\ngithub.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 h1:kcnfY4vljxXliXDBrA9K9lwF8IoEZ4Up6Eg9kWTIm28=\ngithub.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0/go.mod 
h1:tlqp9mUGbsP+0z3Q+c0Q5MgSdq/OMwQhm5bffR3Q3ss=\ngithub.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=\ngithub.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=\ngithub.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 h1:fou+2+WFTib47nS+nz/ozhEBnvU96bKHy6LjRsY4E28=\ngithub.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0/go.mod h1:t76Ruy8AHvUAC8GfMWJMa0ElSbuIcO03NLpynfbgsPA=\ngithub.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=\ngithub.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=\ngithub.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=\ngithub.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=\ngithub.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=\ngithub.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=\ngithub.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 h1:E4MgwLBGeVB5f2MdcIVD3ELVAWpr+WD6MUe1i+tM/PA=\ngithub.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0/go.mod h1:Y2b/1clN4zsAoUd/pgNAQHjLDnTis/6ROkUfyob6psM=\ngithub.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4=\ngithub.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA=\ngithub.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=\ngithub.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=\ngithub.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=\ngithub.com/Azure/go-autorest 
v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=\ngithub.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA=\ngithub.com/Azure/go-autorest/autorest v0.11.30 h1:iaZ1RGz/ALZtN5eq4Nr1SOFSlf2E4pDI3Tcsl+dZPVE=\ngithub.com/Azure/go-autorest/autorest v0.11.30/go.mod h1:t1kpPIOpIVX7annvothKvb0stsrXa37i7b+xpmBW8Fs=\ngithub.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=\ngithub.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=\ngithub.com/Azure/go-autorest/autorest/adal v0.9.24 h1:BHZfgGsGwdkHDyZdtQRQk1WeUdW0m2WPAwuHZwUi5i4=\ngithub.com/Azure/go-autorest/autorest/adal v0.9.24/go.mod h1:7T1+g0PYFmACYW5LlG2fcoPiPlFHjClyRGL7dRlP5c8=\ngithub.com/Azure/go-autorest/autorest/azure/auth v0.5.13 h1:Ov8avRZi2vmrE2JcXw+tu5K/yB41r7xK9GZDiBF7NdM=\ngithub.com/Azure/go-autorest/autorest/azure/auth v0.5.13/go.mod h1:5BAVfWLWXihP47vYrPuBKKf4cS0bXI+KM9Qx6ETDJYo=\ngithub.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=\ngithub.com/Azure/go-autorest/autorest/azure/cli v0.4.7 h1:Q9R3utmFg9K1B4OYtAZ7ZUUvIUdzQt7G2MN5Hi/d670=\ngithub.com/Azure/go-autorest/autorest/azure/cli v0.4.7/go.mod h1:bVrAueELJ0CKLBpUHDIvD516TwmHmzqwCpvONWRsw3s=\ngithub.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=\ngithub.com/Azure/go-autorest/autorest/date v0.3.1 h1:o9Z8Jyt+VJJTCZ/UORishuHOusBwolhjokt9s5k8I4w=\ngithub.com/Azure/go-autorest/autorest/date v0.3.1/go.mod h1:Dz/RDmXlfiFFS/eW+b/xMUSFs1tboPVy6UjgADToWDM=\ngithub.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=\ngithub.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=\ngithub.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod 
h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=\ngithub.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=\ngithub.com/Azure/go-autorest/logger v0.2.2 h1:hYqBsEBywrrOSW24kkOCXRcKfKhK76OzLTfF+MYDE2o=\ngithub.com/Azure/go-autorest/logger v0.2.2/go.mod h1:I5fg9K52o+iuydlWfa9T5K6WFos9XYr9dYTFzpqgibw=\ngithub.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=\ngithub.com/Azure/go-autorest/tracing v0.6.1 h1:YUMSrC/CeD1ZnnXcNYU4a/fzsO35u2Fsful9L/2nyR0=\ngithub.com/Azure/go-autorest/tracing v0.6.1/go.mod h1:/3EgjbsjraOqiicERAeu3m7/z0x1TzjQGAwDrJrXGkc=\ngithub.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=\ngithub.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=\ngithub.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=\ngithub.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=\ngithub.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=\ngithub.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=\ngithub.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=\ngithub.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=\ngithub.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=\ngithub.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=\ngithub.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E=\ngithub.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=\ngithub.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=\ngithub.com/agnivade/levenshtein 
v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=\ngithub.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=\ngithub.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=\ngithub.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=\ngithub.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=\ngithub.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=\ngithub.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=\ngithub.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.2/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=\ngithub.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo=\ngithub.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=\ngithub.com/alibabacloud-go/cr-20160607 v1.0.1 h1:WEnP1iPFKJU74ryUKh/YDPHoxMZawqlPajOymyNAkts=\ngithub.com/alibabacloud-go/cr-20160607 v1.0.1/go.mod h1:QHeKZtZ3F3FOE+/uIXCBAp8POwnUYekpLwr1dtQa5r0=\ngithub.com/alibabacloud-go/cr-20181201 v1.0.10 h1:B60f6S1imsgn2fgC6X6FrVNrONDrbCT0NwYhsJ0C9/c=\ngithub.com/alibabacloud-go/cr-20181201 v1.0.10/go.mod h1:VN9orB/w5G20FjytoSpZROqu9ZqxwycASmGqYUJSoDc=\ngithub.com/alibabacloud-go/darabonba-openapi v0.1.12/go.mod h1:sTAjsFJmVsmcVeklL9d9uDBlFsgl43wZ6jhI6BHqHqU=\ngithub.com/alibabacloud-go/darabonba-openapi v0.1.14/go.mod h1:w4CosR7O/kapCtEEMBm3JsQqWBU/CnZ2o0pHorsTWDI=\ngithub.com/alibabacloud-go/darabonba-openapi v0.2.1 h1:WyzxxKvhdVDlwpAMOHgAiCJ+NXa6g5ZWPFEzaK/ewwY=\ngithub.com/alibabacloud-go/darabonba-openapi v0.2.1/go.mod h1:zXOqLbpIqq543oioL9IuuZYOQgHQ5B8/n5OPrnko8aY=\ngithub.com/alibabacloud-go/darabonba-string 
v1.0.0/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA=\ngithub.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY=\ngithub.com/alibabacloud-go/debug v1.0.0 h1:3eIEQWfay1fB24PQIEzXAswlVJtdQok8f3EVN5VrBnA=\ngithub.com/alibabacloud-go/debug v1.0.0/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc=\ngithub.com/alibabacloud-go/endpoint-util v1.1.0/go.mod h1:O5FuCALmCKs2Ff7JFJMudHs0I5EBgecXXxZRyswlEjE=\ngithub.com/alibabacloud-go/endpoint-util v1.1.1 h1:ZkBv2/jnghxtU0p+upSU0GGzW1VL9GQdZO3mcSUTUy8=\ngithub.com/alibabacloud-go/endpoint-util v1.1.1/go.mod h1:O5FuCALmCKs2Ff7JFJMudHs0I5EBgecXXxZRyswlEjE=\ngithub.com/alibabacloud-go/openapi-util v0.0.9/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=\ngithub.com/alibabacloud-go/openapi-util v0.0.10/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=\ngithub.com/alibabacloud-go/openapi-util v0.0.11/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=\ngithub.com/alibabacloud-go/openapi-util v0.1.0 h1:0z75cIULkDrdEhkLWgi9tnLe+KhAFE/r5Pb3312/eAY=\ngithub.com/alibabacloud-go/openapi-util v0.1.0/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=\ngithub.com/alibabacloud-go/tea v1.1.0/go.mod h1:IkGyUSX4Ba1V+k4pCtJUc6jDpZLFph9QMy2VUPTwukg=\ngithub.com/alibabacloud-go/tea v1.1.7/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=\ngithub.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=\ngithub.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=\ngithub.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=\ngithub.com/alibabacloud-go/tea v1.1.19/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=\ngithub.com/alibabacloud-go/tea v1.2.1 h1:rFF1LnrAdhaiPmKwH5xwYOKlMh66CqRwPUTzIK74ask=\ngithub.com/alibabacloud-go/tea v1.2.1/go.mod h1:qbzof29bM/IFhLMtJPrgTGK3eauV5J2wSyEUo4OEmnA=\ngithub.com/alibabacloud-go/tea-utils v1.3.1/go.mod 
h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=\ngithub.com/alibabacloud-go/tea-utils v1.3.9/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=\ngithub.com/alibabacloud-go/tea-utils v1.4.3/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw=\ngithub.com/alibabacloud-go/tea-utils v1.4.5 h1:h0/6Xd2f3bPE4XHTvkpjwxowIwRCJAJOqY6Eq8f3zfA=\ngithub.com/alibabacloud-go/tea-utils v1.4.5/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw=\ngithub.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=\ngithub.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0=\ngithub.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=\ngithub.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=\ngithub.com/aliyun/credentials-go v1.3.2 h1:L4WppI9rctC8PdlMgyTkF8bBsy9pyKQEzBD1bHMRl+g=\ngithub.com/aliyun/credentials-go v1.3.2/go.mod h1:tlpz4uys4Rn7Ik4/piGRrTbXy2uLKvePgQJJduE+Y5c=\ngithub.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=\ngithub.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=\ngithub.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=\ngithub.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=\ngithub.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=\ngithub.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=\ngithub.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=\ngithub.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ=\ngithub.com/aws/aws-sdk-go v1.55.8/go.mod 
h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk=\ngithub.com/aws/aws-sdk-go-v2 v1.41.2 h1:LuT2rzqNQsauaGkPK/7813XxcZ3o3yePY0Iy891T2ls=\ngithub.com/aws/aws-sdk-go-v2 v1.41.2/go.mod h1:IvvlAZQXvTXznUPfRVfryiG1fbzE2NGK6m9u39YQ+S4=\ngithub.com/aws/aws-sdk-go-v2/config v1.32.10 h1:9DMthfO6XWZYLfzZglAgW5Fyou2nRI5CuV44sTedKBI=\ngithub.com/aws/aws-sdk-go-v2/config v1.32.10/go.mod h1:2rUIOnA2JaiqYmSKYmRJlcMWy6qTj1vuRFscppSBMcw=\ngithub.com/aws/aws-sdk-go-v2/credentials v1.19.10 h1:EEhmEUFCE1Yhl7vDhNOI5OCL/iKMdkkYFTRpZXNw7m8=\ngithub.com/aws/aws-sdk-go-v2/credentials v1.19.10/go.mod h1:RnnlFCAlxQCkN2Q379B67USkBMu1PipEEiibzYN5UTE=\ngithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 h1:Ii4s+Sq3yDfaMLpjrJsqD6SmG/Wq/P5L/hw2qa78UAY=\ngithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18/go.mod h1:6x81qnY++ovptLE6nWQeWrpXxbnlIex+4H4eYYGcqfc=\ngithub.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 h1:F43zk1vemYIqPAwhjTjYIz0irU2EY7sOb/F5eJ3HuyM=\ngithub.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18/go.mod h1:w1jdlZXrGKaJcNoL+Nnrj+k5wlpGXqnNrKoP22HvAug=\ngithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 h1:xCeWVjj0ki0l3nruoyP2slHsGArMxeiiaoPN5QZH6YQ=\ngithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18/go.mod h1:r/eLGuGCBw6l36ZRWiw6PaZwPXb6YOj+i/7MizNl5/k=\ngithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=\ngithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=\ngithub.com/aws/aws-sdk-go-v2/service/ecr v1.55.3 h1:RtGctYMmkTerGClvdY6bHXdtly4FeYw9wz/NPz62LF8=\ngithub.com/aws/aws-sdk-go-v2/service/ecr v1.55.3/go.mod h1:vBfBu24Ka3/5UZtepbTV0gnc9VPLT8ok+0oDDaYAzn4=\ngithub.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.10 h1:1A/sI3LNMi3fhRI5TFLMwwo7ALAALSFVCSGvFlr1Iys=\ngithub.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.10/go.mod h1:Diyyyz0b43X13pdi1mVMqlTwDjOmRbJMvDsqnduUYWM=\ngithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 
h1:CeY9LUdur+Dxoeldqoun6y4WtJ3RQtzk0JMP2gfUay0=\ngithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5/go.mod h1:AZLZf2fMaahW5s/wMRciu1sYbdsikT/UHwbUjOdEVTc=\ngithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 h1:LTRCYFlnnKFlKsyIQxKhJuDuA3ZkrDQMRYm6rXiHlLY=\ngithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18/go.mod h1:XhwkgGG6bHSd00nO/mexWTcTjgd6PjuvWQMqSn2UaEk=\ngithub.com/aws/aws-sdk-go-v2/service/kms v1.49.5 h1:DKibav4XF66XSeaXcrn9GlWGHos6D/vJ4r7jsK7z5CE=\ngithub.com/aws/aws-sdk-go-v2/service/kms v1.49.5/go.mod h1:1SdcmEGUEQE1mrU2sIgeHtcMSxHuybhPvuEPANzIDfI=\ngithub.com/aws/aws-sdk-go-v2/service/signin v1.0.6 h1:MzORe+J94I+hYu2a6XmV5yC9huoTv8NRcCrUNedDypQ=\ngithub.com/aws/aws-sdk-go-v2/service/signin v1.0.6/go.mod h1:hXzcHLARD7GeWnifd8j9RWqtfIgxj4/cAtIVIK7hg8g=\ngithub.com/aws/aws-sdk-go-v2/service/sso v1.30.11 h1:7oGD8KPfBOJGXiCoRKrrrQkbvCp8N++u36hrLMPey6o=\ngithub.com/aws/aws-sdk-go-v2/service/sso v1.30.11/go.mod h1:0DO9B5EUJQlIDif+XJRWCljZRKsAFKh3gpFz7UnDtOo=\ngithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 h1:edCcNp9eGIUDUCrzoCu1jWAXLGFIizeqkdkKgRlJwWc=\ngithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15/go.mod h1:lyRQKED9xWfgkYC/wmmYfv7iVIM68Z5OQ88ZdcV1QbU=\ngithub.com/aws/aws-sdk-go-v2/service/sts v1.41.7 h1:NITQpgo9A5NrDZ57uOWj+abvXSb83BbyggcUBVksN7c=\ngithub.com/aws/aws-sdk-go-v2/service/sts v1.41.7/go.mod h1:sks5UWBhEuWYDPdwlnRFn1w7xWdH29Jcpe+/PJQefEs=\ngithub.com/aws/smithy-go v1.24.1 h1:VbyeNfmYkWoxMVpGUAbQumkODcYmfMRfZ8yQiH30SK0=\ngithub.com/aws/smithy-go v1.24.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=\ngithub.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.12.0 h1:JFWXO6QPihCknDdnL6VaQE57km4ZKheHIGd9YiOGcTo=\ngithub.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.12.0/go.mod h1:046/oLyFlYdAghYQE2yHXi/E//VM5Cf3/dFmA+3CZ0c=\ngithub.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=\ngithub.com/beorn7/perks 
v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=\ngithub.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=\ngithub.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=\ngithub.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=\ngithub.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=\ngithub.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=\ngithub.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=\ngithub.com/blendle/zapdriver v1.3.1 h1:C3dydBOWYRiOk+B8X9IVZ5IOe+7cl+tGOexN4QqHfpE=\ngithub.com/blendle/zapdriver v1.3.1/go.mod h1:mdXfREi6u5MArG4j9fewC+FGnXaBR+T4Ox4J2u4eHCc=\ngithub.com/bytecodealliance/wasmtime-go/v39 v39.0.1 h1:RibaT47yiyCRxMOj/l2cvL8cWiWBSqDXHyqsa9sGcCE=\ngithub.com/bytecodealliance/wasmtime-go/v39 v39.0.1/go.mod h1:miR4NYIEBXeDNamZIzpskhJ0z/p8al+lwMWylQ/ZJb4=\ngithub.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=\ngithub.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=\ngithub.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=\ngithub.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=\ngithub.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=\ngithub.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=\ngithub.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=\ngithub.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\ngithub.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\ngithub.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=\ngithub.com/cespare/xxhash/v2 v2.3.0/go.mod 
h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\ngithub.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4=\ngithub.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589/go.mod h1:OuDyvmLnMCwa2ep4Jkm6nyA0ocJuZlGyk2gGseVzERM=\ngithub.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=\ngithub.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=\ngithub.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=\ngithub.com/clbanning/mxj/v2 v2.5.5/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=\ngithub.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyME=\ngithub.com/clbanning/mxj/v2 v2.7.0/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=\ngithub.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=\ngithub.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=\ngithub.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=\ngithub.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=\ngithub.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=\ngithub.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=\ngithub.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=\ngithub.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=\ngithub.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=\ngithub.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod 
h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=\ngithub.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=\ngithub.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=\ngithub.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=\ngithub.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=\ngithub.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=\ngithub.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=\ngithub.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw=\ngithub.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=\ngithub.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=\ngithub.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=\ngithub.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=\ngithub.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=\ngithub.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 h1:uX1JmpONuD549D73r6cgnxyUu18Zb7yHAy5AYU0Pm4Q=\ngithub.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=\ngithub.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ=\ngithub.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs=\ngithub.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc 
h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=\ngithub.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=\ngithub.com/dgraph-io/badger/v4 v4.8.0 h1:JYph1ChBijCw8SLeybvPINizbDKWZ5n/GYbz2yhN/bs=\ngithub.com/dgraph-io/badger/v4 v4.8.0/go.mod h1:U6on6e8k/RTbUWxqKR0MvugJuVmkxSNc79ap4917h4w=\ngithub.com/dgraph-io/ristretto/v2 v2.2.0 h1:bkY3XzJcXoMuELV8F+vS8kzNgicwQFAaGINAEJdWGOM=\ngithub.com/dgraph-io/ristretto/v2 v2.2.0/go.mod h1:RZrm63UmcBAaYWC1DotLYBmTvgkrs0+XhBd7Npn7/zI=\ngithub.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo=\ngithub.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=\ngithub.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=\ngithub.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE=\ngithub.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=\ngithub.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1GUYL7P0MlNa00M67axePTq+9nBSGddR8I=\ngithub.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=\ngithub.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=\ngithub.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=\ngithub.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=\ngithub.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=\ngithub.com/docker/cli v29.3.0+incompatible 
h1:z3iWveU7h19Pqx7alZES8j+IeFQZ1lhTwb2F+V9SVvk=\ngithub.com/docker/cli v29.3.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=\ngithub.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=\ngithub.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=\ngithub.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=\ngithub.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=\ngithub.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=\ngithub.com/docker/docker-credential-helpers v0.9.5/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=\ngithub.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=\ngithub.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=\ngithub.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=\ngithub.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=\ngithub.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=\ngithub.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=\ngithub.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=\ngithub.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=\ngithub.com/emicklei/proto v1.14.2 h1:wJPxPy2Xifja9cEMrcA/g08art5+7CGJNFNk35iXC1I=\ngithub.com/emicklei/proto v1.14.2/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=\ngithub.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=\ngithub.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=\ngithub.com/envoyproxy/go-control-plane v0.9.4/go.mod 
h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=\ngithub.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=\ngithub.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=\ngithub.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=\ngithub.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=\ngithub.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=\ngithub.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=\ngithub.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=\ngithub.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=\ngithub.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc=\ngithub.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=\ngithub.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=\ngithub.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=\ngithub.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=\ngithub.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=\ngithub.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=\ngithub.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=\ngithub.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=\ngithub.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=\ngithub.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=\ngithub.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=\ngithub.com/fsnotify/fsnotify v1.4.7/go.mod 
h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=\ngithub.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=\ngithub.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=\ngithub.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=\ngithub.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=\ngithub.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=\ngithub.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=\ngithub.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=\ngithub.com/go-chi/chi/v5 v5.2.4 h1:WtFKPHwlywe8Srng8j2BhOD9312j9cGUxG1SP4V2cR4=\ngithub.com/go-chi/chi/v5 v5.2.4/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=\ngithub.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=\ngithub.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=\ngithub.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=\ngithub.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=\ngithub.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=\ngithub.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=\ngithub.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=\ngithub.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=\ngithub.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=\ngithub.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=\ngithub.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=\ngithub.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=\ngithub.com/go-kit/log v0.2.1/go.mod 
h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=\ngithub.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=\ngithub.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=\ngithub.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=\ngithub.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA=\ngithub.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=\ngithub.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=\ngithub.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=\ngithub.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=\ngithub.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=\ngithub.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=\ngithub.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=\ngithub.com/go-openapi/analysis v0.24.1 h1:Xp+7Yn/KOnVWYG8d+hPksOYnCYImE3TieBa7rBOesYM=\ngithub.com/go-openapi/analysis v0.24.1/go.mod h1:dU+qxX7QGU1rl7IYhBC8bIfmWQdX4Buoea4TGtxXY84=\ngithub.com/go-openapi/errors v0.22.6 h1:eDxcf89O8odEnohIXwEjY1IB4ph5vmbUsBMsFNwXWPo=\ngithub.com/go-openapi/errors v0.22.6/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk=\ngithub.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=\ngithub.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=\ngithub.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8=\ngithub.com/go-openapi/jsonreference v0.21.4/go.mod h1:rIENPTjDbLpzQmQWCj5kKj3ZlmEh+EFVbz3RTUh30/4=\ngithub.com/go-openapi/loads v0.23.2 h1:rJXAcP7g1+lWyBHC7iTY+WAF0rprtM+pm8Jxv1uQJp4=\ngithub.com/go-openapi/loads v0.23.2/go.mod h1:IEVw1GfRt/P2Pplkelxzj9BYFajiWOtY2nHZNj4UnWY=\ngithub.com/go-openapi/runtime v0.29.2 
h1:UmwSGWNmWQqKm1c2MGgXVpC2FTGwPDQeUsBMufc5Yj0=\ngithub.com/go-openapi/runtime v0.29.2/go.mod h1:biq5kJXRJKBJxTDJXAa00DOTa/anflQPhT0/wmjuy+0=\ngithub.com/go-openapi/spec v0.22.3 h1:qRSmj6Smz2rEBxMnLRBMeBWxbbOvuOoElvSvObIgwQc=\ngithub.com/go-openapi/spec v0.22.3/go.mod h1:iIImLODL2loCh3Vnox8TY2YWYJZjMAKYyLH2Mu8lOZs=\ngithub.com/go-openapi/strfmt v0.25.0 h1:7R0RX7mbKLa9EYCTHRcCuIPcaqlyQiWNPTXwClK0saQ=\ngithub.com/go-openapi/strfmt v0.25.0/go.mod h1:nNXct7OzbwrMY9+5tLX4I21pzcmE6ccMGXl3jFdPfn8=\ngithub.com/go-openapi/swag v0.25.4 h1:OyUPUFYDPDBMkqyxOTkqDYFnrhuhi9NR6QVUvIochMU=\ngithub.com/go-openapi/swag v0.25.4/go.mod h1:zNfJ9WZABGHCFg2RnY0S4IOkAcVTzJ6z2Bi+Q4i6qFQ=\ngithub.com/go-openapi/swag/cmdutils v0.25.4 h1:8rYhB5n6WawR192/BfUu2iVlxqVR9aRgGJP6WaBoW+4=\ngithub.com/go-openapi/swag/cmdutils v0.25.4/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0=\ngithub.com/go-openapi/swag/conv v0.25.4 h1:/Dd7p0LZXczgUcC/Ikm1+YqVzkEeCc9LnOWjfkpkfe4=\ngithub.com/go-openapi/swag/conv v0.25.4/go.mod h1:3LXfie/lwoAv0NHoEuY1hjoFAYkvlqI/Bn5EQDD3PPU=\ngithub.com/go-openapi/swag/fileutils v0.25.4 h1:2oI0XNW5y6UWZTC7vAxC8hmsK/tOkWXHJQH4lKjqw+Y=\ngithub.com/go-openapi/swag/fileutils v0.25.4/go.mod h1:cdOT/PKbwcysVQ9Tpr0q20lQKH7MGhOEb6EwmHOirUk=\ngithub.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ9869Vye1bNHI=\ngithub.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag=\ngithub.com/go-openapi/swag/jsonutils v0.25.4 h1:VSchfbGhD4UTf4vCdR2F4TLBdLwHyUDTd1/q4i+jGZA=\ngithub.com/go-openapi/swag/jsonutils v0.25.4/go.mod h1:7OYGXpvVFPn4PpaSdPHJBtF0iGnbEaTk8AvBkoWnaAY=\ngithub.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4 h1:IACsSvBhiNJwlDix7wq39SS2Fh7lUOCJRmx/4SN4sVo=\ngithub.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4/go.mod h1:Mt0Ost9l3cUzVv4OEZG+WSeoHwjWLnarzMePNDAOBiM=\ngithub.com/go-openapi/swag/loading v0.25.4 h1:jN4MvLj0X6yhCDduRsxDDw1aHe+ZWoLjW+9ZQWIKn2s=\ngithub.com/go-openapi/swag/loading v0.25.4/go.mod 
h1:rpUM1ZiyEP9+mNLIQUdMiD7dCETXvkkC30z53i+ftTE=\ngithub.com/go-openapi/swag/mangling v0.25.4 h1:2b9kBJk9JvPgxr36V23FxJLdwBrpijI26Bx5JH4Hp48=\ngithub.com/go-openapi/swag/mangling v0.25.4/go.mod h1:6dxwu6QyORHpIIApsdZgb6wBk/DPU15MdyYj/ikn0Hg=\ngithub.com/go-openapi/swag/netutils v0.25.4 h1:Gqe6K71bGRb3ZQLusdI8p/y1KLgV4M/k+/HzVSqT8H0=\ngithub.com/go-openapi/swag/netutils v0.25.4/go.mod h1:m2W8dtdaoX7oj9rEttLyTeEFFEBvnAx9qHd5nJEBzYg=\ngithub.com/go-openapi/swag/stringutils v0.25.4 h1:O6dU1Rd8bej4HPA3/CLPciNBBDwZj9HiEpdVsb8B5A8=\ngithub.com/go-openapi/swag/stringutils v0.25.4/go.mod h1:GTsRvhJW5xM5gkgiFe0fV3PUlFm0dr8vki6/VSRaZK0=\ngithub.com/go-openapi/swag/typeutils v0.25.4 h1:1/fbZOUN472NTc39zpa+YGHn3jzHWhv42wAJSN91wRw=\ngithub.com/go-openapi/swag/typeutils v0.25.4/go.mod h1:Ou7g//Wx8tTLS9vG0UmzfCsjZjKhpjxayRKTHXf2pTE=\ngithub.com/go-openapi/swag/yamlutils v0.25.4 h1:6jdaeSItEUb7ioS9lFoCZ65Cne1/RZtPBZ9A56h92Sw=\ngithub.com/go-openapi/swag/yamlutils v0.25.4/go.mod h1:MNzq1ulQu+yd8Kl7wPOut/YHAAU/H6hL91fF+E2RFwc=\ngithub.com/go-openapi/testify/enable/yaml/v2 v2.0.2 h1:0+Y41Pz1NkbTHz8NngxTuAXxEodtNSI1WG1c/m5Akw4=\ngithub.com/go-openapi/testify/enable/yaml/v2 v2.0.2/go.mod h1:kme83333GCtJQHXQ8UKX3IBZu6z8T5Dvy5+CW3NLUUg=\ngithub.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=\ngithub.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=\ngithub.com/go-openapi/validate v0.25.1 h1:sSACUI6Jcnbo5IWqbYHgjibrhhmt3vR6lCzKZnmAgBw=\ngithub.com/go-openapi/validate v0.25.1/go.mod h1:RMVyVFYte0gbSTaZ0N4KmTn6u/kClvAFp+mAVfS/DQc=\ngithub.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=\ngithub.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=\ngithub.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA=\ngithub.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg=\ngithub.com/go-sql-driver/mysql v1.9.3 
h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=\ngithub.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=\ngithub.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=\ngithub.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=\ngithub.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=\ngithub.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=\ngithub.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=\ngithub.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=\ngithub.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=\ngithub.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=\ngithub.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=\ngithub.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA=\ngithub.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs=\ngithub.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=\ngithub.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=\ngithub.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=\ngithub.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=\ngithub.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=\ngithub.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=\ngithub.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=\ngithub.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=\ngithub.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=\ngithub.com/golang-jwt/jwt/v4 v4.0.0/go.mod 
h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=\ngithub.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=\ngithub.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=\ngithub.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=\ngithub.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=\ngithub.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=\ngithub.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=\ngithub.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=\ngithub.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=\ngithub.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=\ngithub.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=\ngithub.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=\ngithub.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=\ngithub.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=\ngithub.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=\ngithub.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=\ngithub.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=\ngithub.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=\ngithub.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=\ngithub.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=\ngithub.com/golang/protobuf v1.2.0/go.mod 
h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=\ngithub.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=\ngithub.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=\ngithub.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=\ngithub.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=\ngithub.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=\ngithub.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=\ngithub.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=\ngithub.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=\ngithub.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=\ngithub.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=\ngithub.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=\ngithub.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=\ngithub.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=\ngithub.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=\ngithub.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=\ngithub.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=\ngithub.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=\ngithub.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=\ngithub.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=\ngithub.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=\ngithub.com/google/btree v1.0.0/go.mod 
h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=\ngithub.com/google/certificate-transparency-go v1.3.2 h1:9ahSNZF2o7SYMaKaXhAumVEzXB2QaayzII9C8rv7v+A=\ngithub.com/google/certificate-transparency-go v1.3.2/go.mod h1:H5FpMUaGa5Ab2+KCYsxg6sELw3Flkl7pGZzWdBoYLXs=\ngithub.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=\ngithub.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=\ngithub.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=\ngithub.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=\ngithub.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=\ngithub.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=\ngithub.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=\ngithub.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=\ngithub.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=\ngithub.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=\ngithub.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=\ngithub.com/google/go-containerregistry v0.21.3 
h1:Xr+yt3VvwOOn/5nJzd7UoOhwPGiPkYW0zWDLLUXqAi4=\ngithub.com/google/go-containerregistry v0.21.3/go.mod h1:D5ZrJF1e6dMzvInpBPuMCX0FxURz7GLq2rV3Us9aPkc=\ngithub.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20260317232201-3888fb8f8738 h1:rOwKr2V11+ajUwz0Qjzfw7FHelubq4aI4FvBUqzyMDE=\ngithub.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20260317232201-3888fb8f8738/go.mod h1:g6FvB88DCkE3bEDiE0qvSQDxvTFTGs5x0W/GyvwYlKo=\ngithub.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20260317232201-3888fb8f8738 h1:he86yi71fRDCdJbVFayjjfx7jcxcopjYW5SNbxmkmv4=\ngithub.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20260317232201-3888fb8f8738/go.mod h1:WQf3N6DB+/qX08z4DaUzV94aNRkjlAA04SBjvdXtf6I=\ngithub.com/google/go-github/v73 v73.0.0 h1:aR+Utnh+Y4mMkS+2qLQwcQ/cF9mOTpdwnzlaw//rG24=\ngithub.com/google/go-github/v73 v73.0.0/go.mod h1:fa6w8+/V+edSU0muqdhCVY7Beh1M8F1IlQPZIANKIYw=\ngithub.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=\ngithub.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=\ngithub.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=\ngithub.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=\ngithub.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=\ngithub.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=\ngithub.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=\ngithub.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=\ngithub.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=\ngithub.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=\ngithub.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod 
h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=\ngithub.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=\ngithub.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=\ngithub.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=\ngithub.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=\ngithub.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=\ngithub.com/google/pprof v0.0.0-20250602020802-c6617b811d0e h1:FJta/0WsADCe1r9vQjdHbd3KuiLPu7Y9WlyLGwMUNyE=\ngithub.com/google/pprof v0.0.0-20250602020802-c6617b811d0e/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=\ngithub.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=\ngithub.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=\ngithub.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=\ngithub.com/google/trillian v1.7.2 h1:EPBxc4YWY4Ak8tcuhyFleY+zYlbCDCa4Sn24e1Ka8Js=\ngithub.com/google/trillian v1.7.2/go.mod h1:mfQJW4qRH6/ilABtPYNBerVJAJ/upxHLX81zxNQw05s=\ngithub.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\ngithub.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=\ngithub.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=\ngithub.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=\ngithub.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=\ngithub.com/googleapis/gax-go/v2 v2.17.0 
h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=\ngithub.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=\ngithub.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=\ngithub.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=\ngithub.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=\ngithub.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=\ngithub.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw=\ngithub.com/grpc-ecosystem/grpc-gateway/v2 v2.27.5 h1:jP1RStw811EvUDzsUQ9oESqw2e4RqCjSAD9qIL8eMns=\ngithub.com/grpc-ecosystem/grpc-gateway/v2 v2.27.5/go.mod h1:WXNBZ64q3+ZUemCMXD9kYnr56H7CgZxDBHCVwstfl3s=\ngithub.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=\ngithub.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=\ngithub.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=\ngithub.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=\ngithub.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=\ngithub.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=\ngithub.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=\ngithub.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=\ngithub.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=\ngithub.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=\ngithub.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=\ngithub.com/hashicorp/go-rootcerts v1.0.2 
h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=\ngithub.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=\ngithub.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 h1:U+kC2dOhMFQctRfhK0gRctKAPTloZdMU5ZJxaesJ/VM=\ngithub.com/hashicorp/go-secure-stdlib/parseutil v0.2.0/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0=\ngithub.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=\ngithub.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=\ngithub.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9dbT+Fw=\ngithub.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=\ngithub.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=\ngithub.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=\ngithub.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=\ngithub.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=\ngithub.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=\ngithub.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=\ngithub.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=\ngithub.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=\ngithub.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=\ngithub.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=\ngithub.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM=\ngithub.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=\ngithub.com/hpcloud/tail v1.0.0/go.mod 
h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=\ngithub.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=\ngithub.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=\ngithub.com/in-toto/attestation v1.1.2 h1:MBFn6lsMq6dptQZJBhalXTcWMb/aJy3V+GX3VYj/V1E=\ngithub.com/in-toto/attestation v1.1.2/go.mod h1:gYFddHMZj3DiQ0b62ltNi1Vj5rC879bTmBbrv9CRHpM=\ngithub.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=\ngithub.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=\ngithub.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=\ngithub.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=\ngithub.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=\ngithub.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=\ngithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=\ngithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=\ngithub.com/jackc/pgx/v5 v5.7.5 h1:JHGfMnQY+IEtGM63d+NGMjoRpysB2JBwDr5fsngwmJs=\ngithub.com/jackc/pgx/v5 v5.7.5/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=\ngithub.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=\ngithub.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=\ngithub.com/jdolitsky/glog v0.0.0-20220729172235-78744e90d087/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=\ngithub.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY=\ngithub.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod 
h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E=\ngithub.com/jellydator/ttlcache/v3 v3.4.0 h1:YS4P125qQS0tNhtL6aeYkheEaB/m8HCqdMMP4mnWdTY=\ngithub.com/jellydator/ttlcache/v3 v3.4.0/go.mod h1:Hw9EgjymziQD3yGsQdf1FqFdpp7YjFMd4Srg5EJlgD4=\ngithub.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY=\ngithub.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=\ngithub.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=\ngithub.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI=\ngithub.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=\ngithub.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=\ngithub.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=\ngithub.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=\ngithub.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=\ngithub.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=\ngithub.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=\ngithub.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=\ngithub.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=\ngithub.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=\ngithub.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=\ngithub.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=\ngithub.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=\ngithub.com/keybase/go-keychain v0.0.1 
h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=\ngithub.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=\ngithub.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=\ngithub.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=\ngithub.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=\ngithub.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=\ngithub.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=\ngithub.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=\ngithub.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=\ngithub.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=\ngithub.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=\ngithub.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=\ngithub.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=\ngithub.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=\ngithub.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=\ngithub.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=\ngithub.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=\ngithub.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=\ngithub.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=\ngithub.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=\ngithub.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=\ngithub.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=\ngithub.com/lestrrat-go/dsig v1.0.0/go.mod 
h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=\ngithub.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=\ngithub.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=\ngithub.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=\ngithub.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=\ngithub.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI=\ngithub.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk=\ngithub.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=\ngithub.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=\ngithub.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=\ngithub.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=\ngithub.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=\ngithub.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=\ngithub.com/letsencrypt/boulder v0.20251110.0 h1:J8MnKICeilO91dyQ2n5eBbab24neHzUpYMUIOdOtbjc=\ngithub.com/letsencrypt/boulder v0.20251110.0/go.mod h1:ogKCJQwll82m7OVHWyTuf8eeFCjuzdRQlgnZcCl0V+8=\ngithub.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=\ngithub.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=\ngithub.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=\ngithub.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=\ngithub.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=\ngithub.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=\ngithub.com/miekg/dns 
v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs=\ngithub.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ=\ngithub.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=\ngithub.com/miekg/pkcs11 v1.1.2 h1:/VxmeAX5qU6Q3EwafypogwWbYryHFmF2RpkJmw3m4MQ=\ngithub.com/miekg/pkcs11 v1.1.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=\ngithub.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=\ngithub.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=\ngithub.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=\ngithub.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=\ngithub.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c h1:cqn374mizHuIWj+OSJCajGr/phAmuMug9qIX3l9CflE=\ngithub.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=\ngithub.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=\ngithub.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=\ngithub.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=\ngithub.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=\ngithub.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=\ngithub.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=\ngithub.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=\ngithub.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=\ngithub.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=\ngithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd 
h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=\ngithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=\ngithub.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=\ngithub.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=\ngithub.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=\ngithub.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=\ngithub.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=\ngithub.com/morikuni/aec v1.1.0 h1:vBBl0pUnvi/Je71dsRrhMBtreIqNMYErSAbEeb8jrXQ=\ngithub.com/morikuni/aec v1.1.0/go.mod h1:xDRgiq/iw5l+zkao76YTKzKttOp2cwPEne25HDkJnBw=\ngithub.com/mozillazg/docker-credential-acr-helper v0.4.0 h1:Uoh3Z9CcpEDnLiozDx+D7oDgRq7X+R296vAqAumnOcw=\ngithub.com/mozillazg/docker-credential-acr-helper v0.4.0/go.mod h1:2kiicb3OlPytmlNC9XGkLvVC+f0qTiJw3f/mhmeeQBg=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=\ngithub.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=\ngithub.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=\ngithub.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A=\ngithub.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM=\ngithub.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=\ngithub.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 
h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=\ngithub.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=\ngithub.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=\ngithub.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=\ngithub.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=\ngithub.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=\ngithub.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=\ngithub.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=\ngithub.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=\ngithub.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=\ngithub.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=\ngithub.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=\ngithub.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=\ngithub.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=\ngithub.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=\ngithub.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=\ngithub.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=\ngithub.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=\ngithub.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=\ngithub.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=\ngithub.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=\ngithub.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=\ngithub.com/open-policy-agent/opa v1.12.3 h1:qe3m/w52baKC/HJtippw+hYBUKCzuBCPjB+D5P9knfc=\ngithub.com/open-policy-agent/opa 
v1.12.3/go.mod h1:RnDgm04GA1RjEXJvrsG9uNT/+FyBNmozcPvA2qz60M4=\ngithub.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=\ngithub.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=\ngithub.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=\ngithub.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=\ngithub.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=\ngithub.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=\ngithub.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=\ngithub.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=\ngithub.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=\ngithub.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=\ngithub.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=\ngithub.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=\ngithub.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=\ngithub.com/prometheus/client_golang v0.9.1/go.mod 
h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=\ngithub.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=\ngithub.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=\ngithub.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=\ngithub.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=\ngithub.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=\ngithub.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=\ngithub.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=\ngithub.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=\ngithub.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=\ngithub.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=\ngithub.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=\ngithub.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=\ngithub.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=\ngithub.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=\ngithub.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=\ngithub.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=\ngithub.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=\ngithub.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=\ngithub.com/prometheus/common v0.35.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=\ngithub.com/prometheus/common 
v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=\ngithub.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=\ngithub.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=\ngithub.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=\ngithub.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=\ngithub.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=\ngithub.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=\ngithub.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=\ngithub.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=\ngithub.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=\ngithub.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=\ngithub.com/prometheus/statsd_exporter v0.22.7/go.mod h1:N/TevpjkIh9ccs6nuzY3jQn9dFqnUakOjnEuMPJJJnI=\ngithub.com/prometheus/statsd_exporter v0.22.8 h1:Qo2D9ZzaQG+id9i5NYNGmbf1aa/KxKbB9aKfMS+Yib0=\ngithub.com/prometheus/statsd_exporter v0.22.8/go.mod h1:/DzwbTEaFTE0Ojz5PqcSk6+PFHOPWGxdXVr6yC8eFOM=\ngithub.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 h1:s1LvMaU6mVwoFtbxv/rCZKE7/fwDmDY684FfUe4c1Io=\ngithub.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91/go.mod h1:JSbkp0BviKovYYt9XunS95M3mLPibE9bGg+Y95DsEEY=\ngithub.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg=\ngithub.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=\ngithub.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=\ngithub.com/rogpeppe/go-internal v1.3.0/go.mod 
h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=\ngithub.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=\ngithub.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=\ngithub.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=\ngithub.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=\ngithub.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=\ngithub.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=\ngithub.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=\ngithub.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A=\ngithub.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk=\ngithub.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4=\ngithub.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k=\ngithub.com/secure-systems-lab/go-securesystemslib v0.10.0 h1:l+H5ErcW0PAehBNrBxoGv1jjNpGYdZ9RcheFkB2WI14=\ngithub.com/secure-systems-lab/go-securesystemslib v0.10.0/go.mod h1:MRKONWmRoFzPNQ9USRF9i1mc7MvAVvF1LlW8X5VWDvk=\ngithub.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=\ngithub.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=\ngithub.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=\ngithub.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=\ngithub.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=\ngithub.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=\ngithub.com/sigstore/cosign/v3 v3.0.5 h1:c1zPqjU+H4wmirgysC+AkWMg7a7fykyOYF/m+F1150I=\ngithub.com/sigstore/cosign/v3 v3.0.5/go.mod 
h1:ble1vMvJagCFyTIDkibCq6MIHiWDw00JNYl0f9rB4T4=\ngithub.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY=\ngithub.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc=\ngithub.com/sigstore/rekor v1.5.0 h1:rL7SghHd5HLCtsCrxw0yQg+NczGvM75EjSPPWuGjaiQ=\ngithub.com/sigstore/rekor v1.5.0/go.mod h1:D7JoVCUkxwQOpPDNYeu+CE8zeBC18Y5uDo6tF8s2rcQ=\ngithub.com/sigstore/rekor-tiles/v2 v2.2.0 h1:QwJNwxT+k5A3id+Hrg+8vYcNsTaB0Sj51xjfW2rKyAs=\ngithub.com/sigstore/rekor-tiles/v2 v2.2.0/go.mod h1:/WNRYctHKdxcjgXydYwO5OclW72Zqh6fNHSyGE8zQOE=\ngithub.com/sigstore/scaffolding v0.7.22 h1:VjrRzUVRXWGPboglizvGvgq3U8kXnBS5/s4jDCUVwiU=\ngithub.com/sigstore/scaffolding v0.7.22/go.mod h1:ojN1gLIjZCl0lhEoqXBvaL+GJbTbBgcNZxxxvK7apuM=\ngithub.com/sigstore/sigstore v1.10.4 h1:ytOmxMgLdcUed3w1SbbZOgcxqwMG61lh1TmZLN+WeZE=\ngithub.com/sigstore/sigstore v1.10.4/go.mod h1:tDiyrdOref3q6qJxm2G+JHghqfmvifB7hw+EReAfnbI=\ngithub.com/sigstore/sigstore-go v1.1.4 h1:wTTsgCHOfqiEzVyBYA6mDczGtBkN7cM8mPpjJj5QvMg=\ngithub.com/sigstore/sigstore-go v1.1.4/go.mod h1:2U/mQOT9cjjxrtIUeKDVhL+sHBKsnWddn8URlswdBsg=\ngithub.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.4 h1:VZ+L6SKVWbLPHznIF0tBuO7qKMFdJiJMVwFKu9DlY5o=\ngithub.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.4/go.mod h1:Rstj47WpJym25il8j4jTL0BfikzP/9AhVD+DsBcYzZc=\ngithub.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.4 h1:G7yOv8bxk3zIEEZyVCixPxtePIAm+t3ZWSaKRPzVw+o=\ngithub.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.4/go.mod h1:hxJelB/bRItMYOzi6qD9xEKjse2QZcikh4TbysfdDHc=\ngithub.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.4 h1:Qxt6dE4IwhJ6gIXmg2q4S/SeqEDSZ29nmfsv7Zb6LL4=\ngithub.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.4/go.mod h1:hJVeNOwarqfyALjOwsf0OR8YA/A96NABucEaQumPr30=\ngithub.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4 h1:KVavYMPfSf5NryOl6VrZ9nRG3fXOOJOPp7Czk/YCPkM=\ngithub.com/sigstore/sigstore/pkg/signature/kms/hashivault 
v1.10.4/go.mod h1:J7CA1AaBkyK8dYq6EdQANhj+8oEcsA7PrIp088qgPiY=\ngithub.com/sigstore/timestamp-authority/v2 v2.0.4 h1:65IBa4LUeFWDQu9hiTt5lBpi/F5jonJWZtH6VLn4InU=\ngithub.com/sigstore/timestamp-authority/v2 v2.0.4/go.mod h1:EXJLiMDBqRPlzC02hPiFSiYTCqSuUpU68a4vr0DFePM=\ngithub.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=\ngithub.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=\ngithub.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=\ngithub.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=\ngithub.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=\ngithub.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=\ngithub.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=\ngithub.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=\ngithub.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=\ngithub.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=\ngithub.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=\ngithub.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=\ngithub.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=\ngithub.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=\ngithub.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=\ngithub.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=\ngithub.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=\ngithub.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=\ngithub.com/spf13/pflag v1.0.10 
h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=\ngithub.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=\ngithub.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=\ngithub.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=\ngithub.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=\ngithub.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=\ngithub.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=\ngithub.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=\ngithub.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=\ngithub.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=\ngithub.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=\ngithub.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=\ngithub.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=\ngithub.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=\ngithub.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=\ngithub.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=\ngithub.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=\ngithub.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=\ngithub.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=\ngithub.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=\ngithub.com/stretchr/testify v1.11.1 
h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=\ngithub.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=\ngithub.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=\ngithub.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=\ngithub.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=\ngithub.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs=\ngithub.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=\ngithub.com/tchap/go-patricia/v2 v2.3.3 h1:xfNEsODumaEcCcY3gI0hYPZ/PcpVv5ju6RMAhgwZDDc=\ngithub.com/tchap/go-patricia/v2 v2.3.3/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=\ngithub.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=\ngithub.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=\ngithub.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=\ngithub.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=\ngithub.com/theupdateframework/go-tuf/v2 v2.4.1 h1:K6ewW064rKZCPkRo1W/CTbTtm/+IB4+coG1iNURAGCw=\ngithub.com/theupdateframework/go-tuf/v2 v2.4.1/go.mod h1:Nex2enPVYDFCklrnbTzl3OVwD7fgIAj0J5++z/rvCj8=\ngithub.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI=\ngithub.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis=\ngithub.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0=\ngithub.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0/go.mod h1:jY5YN2BqD/KSCHM9SqZPIpJNG/u3zwfLXHgws4x2IRw=\ngithub.com/tink-crypto/tink-go-hcvault/v2 v2.4.0 h1:j+S+WKBQ5ya26A5EM/uXoVe+a2IaPQN8KgBJZ22cJ+4=\ngithub.com/tink-crypto/tink-go-hcvault/v2 v2.4.0/go.mod 
h1:OCKJIujnTzDq7f+73NhVs99oA2c1TR6nsOpuasYM6Yo=\ngithub.com/tink-crypto/tink-go/v2 v2.6.0 h1:+KHNBHhWH33Vn+igZWcsgdEPUxKwBMEe0QC60t388v4=\ngithub.com/tink-crypto/tink-go/v2 v2.6.0/go.mod h1:2WbBA6pfNsAfBwDCggboaHeB2X29wkU8XHtGwh2YIk8=\ngithub.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=\ngithub.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=\ngithub.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=\ngithub.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=\ngithub.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=\ngithub.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c h1:5a2XDQ2LiAUV+/RjckMyq9sXudfrPSuCY4FuPC1NyAw=\ngithub.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c/go.mod h1:g85IafeFJZLxlzZCDRu4JLpfS7HKzR+Hw9qRh3bVzDI=\ngithub.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=\ngithub.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=\ngithub.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=\ngithub.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=\ngithub.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=\ngithub.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=\ngithub.com/vektah/gqlparser/v2 v2.5.31 h1:YhWGA1mfTjID7qJhd1+Vxhpk5HTgydrGU9IgkWBTJ7k=\ngithub.com/vektah/gqlparser/v2 v2.5.31/go.mod h1:c1I28gSOVNzlfc4WuDlqU7voQnsqI6OG2amkBAFmgts=\ngithub.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=\ngithub.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=\ngithub.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb 
h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=\ngithub.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=\ngithub.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=\ngithub.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=\ngithub.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=\ngithub.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=\ngithub.com/ysmood/fetchup v0.2.3 h1:ulX+SonA0Vma5zUFXtv52Kzip/xe7aj4vqT5AJwQ+ZQ=\ngithub.com/ysmood/fetchup v0.2.3/go.mod h1:xhibcRKziSvol0H1/pj33dnKrYyI2ebIvz5cOOkYGns=\ngithub.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ=\ngithub.com/ysmood/goob v0.4.0/go.mod h1:u6yx7ZhS4Exf2MwciFr6nIM8knHQIE22lFpWHnfql18=\ngithub.com/ysmood/got v0.40.0 h1:ZQk1B55zIvS7zflRrkGfPDrPG3d7+JOza1ZkNxcc74Q=\ngithub.com/ysmood/got v0.40.0/go.mod h1:W7DdpuX6skL3NszLmAsC5hT7JAhuLZhByVzHTq874Qg=\ngithub.com/ysmood/gson v0.7.3 h1:QFkWbTH8MxyUTKPkVWAENJhxqdBa4lYTQWqZCiLG6kE=\ngithub.com/ysmood/gson v0.7.3/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg=\ngithub.com/ysmood/leakless v0.9.0 h1:qxCG5VirSBvmi3uynXFkcnLMzkphdh3xx5FtrORwDCU=\ngithub.com/ysmood/leakless v0.9.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ=\ngithub.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/yuin/goldmark v1.4.13/go.mod 
h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=\ngithub.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=\ngithub.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=\ngitlab.com/gitlab-org/api/client-go v1.25.0 h1:9YVk2o1CjZWKh2/KGOsNbOReBSxFIdBv6LrdOnBfEQY=\ngitlab.com/gitlab-org/api/client-go v1.25.0/go.mod h1:r060AandE8Md/L5oKdUVjljL8YQprOAxKzUnpqWqP3A=\ngo.mongodb.org/mongo-driver v1.17.6 h1:87JUG1wZfWsr6rIz3ZmpH90rL5tea7O3IHuSwHUpsss=\ngo.mongodb.org/mongo-driver v1.17.6/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=\ngo.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=\ngo.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=\ngo.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=\ngo.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=\ngo.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=\ngo.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=\ngo.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=\ngo.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=\ngo.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=\ngo.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo=\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=\ngo.opentelemetry.io/otel v1.42.0 
h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=\ngo.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=\ngo.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=\ngo.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=\ngo.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=\ngo.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=\ngo.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=\ngo.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=\ngo.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=\ngo.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=\ngo.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=\ngo.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=\ngo.step.sm/crypto v0.76.0 h1:K23BSaeoiY7Y5dvvijTeYC9EduDBetNwQYMBwMhi1aA=\ngo.step.sm/crypto v0.76.0/go.mod h1:PXYJdKkK8s+GHLwLguFaLxHNAFsFL3tL1vSBrYfey5k=\ngo.uber.org/atomic v1.4.0/go.mod 
h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=\ngo.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=\ngo.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=\ngo.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=\ngo.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=\ngo.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=\ngo.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=\ngo.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=\ngo.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=\ngo.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=\ngo.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=\ngo.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=\ngo.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=\ngo.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=\ngo.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=\ngo.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=\ngo.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=\ngolang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=\ngolang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=\ngolang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=\ngolang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=\ngolang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=\ngolang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=\ngolang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=\ngolang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=\ngolang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=\ngolang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=\ngolang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=\ngolang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=\ngolang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=\ngolang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=\ngolang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=\ngolang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=\ngolang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=\ngolang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=\ngolang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=\ngolang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=\ngolang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=\ngolang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=\ngolang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod 
h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=\ngolang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=\ngolang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=\ngolang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=\ngolang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=\ngolang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=\ngolang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=\ngolang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=\ngolang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=\ngolang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=\ngolang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=\ngolang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=\ngolang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=\ngolang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=\ngolang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=\ngolang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=\ngolang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=\ngolang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=\ngolang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod 
h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=\ngolang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=\ngolang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=\ngolang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=\ngolang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=\ngolang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=\ngolang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=\ngolang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=\ngolang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=\ngolang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net 
v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=\ngolang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=\ngolang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=\ngolang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=\ngolang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=\ngolang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=\ngolang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=\ngolang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=\ngolang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=\ngolang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=\ngolang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=\ngolang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=\ngolang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=\ngolang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=\ngolang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=\ngolang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=\ngolang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=\ngolang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=\ngolang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=\ngolang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=\ngolang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=\ngolang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=\ngolang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=\ngolang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=\ngolang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=\ngolang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=\ngolang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=\ngolang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=\ngolang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=\ngolang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=\ngolang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=\ngolang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=\ngolang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=\ngolang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.1.0/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=\ngolang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=\ngolang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=\ngolang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200509044756-6aff5f38e54f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220708085239-5a0f0661e09d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.8.0/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=\ngolang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=\ngolang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=\ngolang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=\ngolang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=\ngolang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=\ngolang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=\ngolang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=\ngolang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=\ngolang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=\ngolang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=\ngolang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=\ngolang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=\ngolang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=\ngolang.org/x/text v0.9.0/go.mod 
h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=\ngolang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=\ngolang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=\ngolang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=\ngolang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=\ngolang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=\ngolang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=\ngolang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=\ngolang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=\ngolang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=\ngolang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=\ngolang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=\ngolang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=\ngolang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=\ngolang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=\ngolang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=\ngolang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=\ngolang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod 
h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=\ngolang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=\ngolang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=\ngolang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=\ngolang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod 
h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=\ngolang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=\ngolang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=\ngolang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=\ngolang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=\ngolang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=\ngolang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=\ngolang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod 
h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=\ngolang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=\ngolang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=\ngolang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=\ngolang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=\ngolang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=\ngolang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=\ngolang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=\ngolang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=\ngomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=\ngomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=\ngonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=\ngonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=\ngoogle.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=\ngoogle.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=\ngoogle.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=\ngoogle.golang.org/api v0.9.0/go.mod 
h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=\ngoogle.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=\ngoogle.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=\ngoogle.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=\ngoogle.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=\ngoogle.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=\ngoogle.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=\ngoogle.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=\ngoogle.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=\ngoogle.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=\ngoogle.golang.org/api v0.25.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=\ngoogle.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=\ngoogle.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=\ngoogle.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=\ngoogle.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE=\ngoogle.golang.org/api v0.267.0/go.mod h1:Jzc0+ZfLnyvXma3UtaTl023TdhZu6OMBP9tJ+0EmFD0=\ngoogle.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=\ngoogle.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=\ngoogle.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=\ngoogle.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=\ngoogle.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=\ngoogle.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=\ngoogle.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod 
h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=\ngoogle.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=\ngoogle.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=\ngoogle.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=\ngoogle.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=\ngoogle.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=\ngoogle.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=\ngoogle.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=\ngoogle.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=\ngoogle.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=\ngoogle.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=\ngoogle.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=\ngoogle.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=\ngoogle.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=\ngoogle.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=\ngoogle.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto 
v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=\ngoogle.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=\ngoogle.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=\ngoogle.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=\ngoogle.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=\ngoogle.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=\ngoogle.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=\ngoogle.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=\ngoogle.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=\ngoogle.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 
h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=\ngoogle.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=\ngoogle.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=\ngoogle.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=\ngoogle.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=\ngoogle.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=\ngoogle.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=\ngoogle.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=\ngoogle.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=\ngoogle.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=\ngoogle.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=\ngoogle.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=\ngoogle.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=\ngoogle.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=\ngoogle.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=\ngoogle.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=\ngoogle.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=\ngoogle.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod 
h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=\ngoogle.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=\ngoogle.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=\ngoogle.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=\ngoogle.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=\ngoogle.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=\ngoogle.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=\ngoogle.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=\ngoogle.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=\ngoogle.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=\ngoogle.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=\ngoogle.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=\ngoogle.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=\ngoogle.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=\ngoogle.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=\ngopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=\ngopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c 
h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=\ngopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=\ngopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=\ngopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=\ngopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=\ngopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=\ngopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=\ngopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=\ngopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k=\ngopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss=\ngopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=\ngopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=\ngopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=\ngopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=\ngopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngopkg.in/yaml.v3 v3.0.1 
h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\ngopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk=\ngotest.tools/v3 v3.1.0/go.mod h1:fHy7eyTmJFO5bQbUsEGQ1v4m2J3Jz9eWL54TP2/ZuYQ=\nhonnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=\nhonnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=\nhonnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=\nhonnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=\nhonnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=\nhonnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=\nhonnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=\nk8s.io/api v0.35.2 h1:tW7mWc2RpxW7HS4CoRXhtYHSzme1PN1UjGHJ1bdrtdw=\nk8s.io/api v0.35.2/go.mod h1:7AJfqGoAZcwSFhOjcGM7WV05QxMMgUaChNfLTXDRE60=\nk8s.io/apiextensions-apiserver v0.27.6 h1:mOwSBJtThZhpJr+8gEkc3wFDIjq87E3JspR5mtZxIg8=\nk8s.io/apiextensions-apiserver v0.27.6/go.mod h1:AVNlLYRrESG5Poo6ASRUhY2pvoKPcNt8y/IuZ4lx3o8=\nk8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8=\nk8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=\nk8s.io/client-go v0.35.2 h1:YUfPefdGJA4aljDdayAXkc98DnPkIetMl4PrKX97W9o=\nk8s.io/client-go v0.35.2/go.mod h1:4QqEwh4oQpeK8AaefZ0jwTFJw/9kIjdQi0jpKeYvz7g=\nk8s.io/code-generator v0.29.4 h1:8ESudFNbY5/9BzB8KOEFG2uV9Q0AQxkc4mrQESr30Ks=\nk8s.io/code-generator v0.29.4/go.mod h1:7TYnI0dYItL2cKuhhgPSuF3WED9uMdELgbVXFfn/joE=\nk8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 h1:pWEwq4Asjm4vjW7vcsmijwBhOr1/shsbSYiWXmNGlks=\nk8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod 
h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=\nk8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=\nk8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=\nk8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=\nk8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=\nk8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=\nk8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=\nk8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=\nk8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=\nk8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=\nknative.dev/hack v0.0.0-20240111013919-e89096d74d85 h1:ERgPObDcW9LfaEPAeFvbW3UJcF3C3ul6B2ErNMv13OE=\nknative.dev/hack v0.0.0-20240111013919-e89096d74d85/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=\nknative.dev/hack/schema v0.0.0-20240607132042-09143140a254 h1:b9hFHGtxx0Kpm4EEjSD72lL0jms91To3OEVBTbqfOYI=\nknative.dev/hack/schema v0.0.0-20240607132042-09143140a254/go.mod h1:3pWwBLnTZSM9psSgCAvhKOHIPTzqfEMlWRpDu6IYhK0=\nknative.dev/pkg v0.0.0-20230612155445-74c4be5e935e h1:koM+NopG2Yw738NlJhQF3ZwpyS+HHznuLm294VYlUKg=\nknative.dev/pkg v0.0.0-20230612155445-74c4be5e935e/go.mod h1:dqC6IrvyBE7E+oZocs5PkVhq1G59pDTA7r8U17EAKMk=\nrsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=\nrsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=\nrsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=\nsigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=\nsigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod 
h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=\nsigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=\nsigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=\nsigs.k8s.io/release-utils v0.12.3 h1:iNVJY81QfmMCmXxMg8IvvkkeQNk6ZWlLj+iPKSlKyVQ=\nsigs.k8s.io/release-utils v0.12.3/go.mod h1:BvbNmm1BmM3cnEpBmNHWL3wOSziOdGlsYR8vCFq/Q0o=\nsigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=\nsigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=\nsigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=\nsigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=\nsigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=\nsoftware.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=\nsoftware.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=\n"
  },
  {
    "path": "hack/boilerplate/boilerplate.go.txt",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n"
  },
  {
    "path": "hack/gentestdata/gentestdata.go",
    "content": "// Copyright 2024 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"encoding/pem\"\n\t\"flag\"\n\t\"log\"\n\t\"math/big\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"time\"\n\n\t\"github.com/sigstore/cosign/v3/pkg/cosign\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\ttesting \"github.com/sigstore/policy-controller/pkg/reconciler/testing/v1alpha1\"\n\tpbcommon \"github.com/sigstore/protobuf-specs/gen/pb-go/common/v1\"\n\t\"github.com/sigstore/scaffolding/pkg/repo\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n\t\"google.golang.org/protobuf/types/known/timestamppb\"\n)\n\n// This program generates test data for the trustroot reconciler.\n//\n// To run this program, you can use the following command from the root of the repo:\n// $ go run hack/gentestdata/gentestdata.go\n// or,\n// $ make generate-testdata\n//\n// The output of this program can be used to update the `marshalledEntry.json`\n// file in the `pkg/reconciler/trustroot/testdata` package.\n//\n// Do not rely on the output of this program to produce valid results. 
Always\n// verify the output manually before committing.\n\nvar (\n\tdir = flag.String(\"output-dir\", \"pkg/reconciler/trustroot/testdata\", \"Output directory\")\n)\n\nfunc main() {\n\tflag.Parse()\n\tctfePK, ctfeLogID := genPK()\n\trekorPK, rekorLogID := genPK()\n\tfulcioChain := genCertChain(x509.KeyUsage(x509.ExtKeyUsageCodeSigning))\n\tfulcioChainConcat := bytes.Join(fulcioChain, nil)\n\ttsaChain := genCertChain(x509.KeyUsage(x509.ExtKeyUsageTimeStamping))\n\ttsaChainConcat := bytes.Join(tsaChain, nil)\n\n\tsigstoreKeysMap := map[string]string{\n\t\t\"ctfe\":   string(ctfePK),\n\t\t\"fulcio\": string(fulcioChainConcat),\n\t\t\"rekor\":  string(rekorPK),\n\t\t\"tsa\":    string(tsaChainConcat),\n\t}\n\tmarshalledEntry, err := genTrustRoot(sigstoreKeysMap)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\ttufRepo, rootJSON, err := genTUFRepo(map[string][]byte{\n\t\t\"rekor.pem\":  []byte(sigstoreKeysMap[\"rekor\"]),\n\t\t\"ctfe.pem\":   []byte(sigstoreKeysMap[\"ctfe\"]),\n\t\t\"fulcio.pem\": []byte(sigstoreKeysMap[\"fulcio\"]),\n\t})\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\ttufRepoWithTrustedRootJSON, rootJSONWithTrustedRootJSON, err := genTUFRepo(map[string][]byte{\n\t\t\"trusted_root.json\": marshalledEntry,\n\t})\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\ttufRepoWithCustomTrustedRootJSON, rootJSONWithCustomTrustedRootJSON, err := genTUFRepo(map[string][]byte{\n\t\t\"custom_trusted_root.json\": marshalledEntry,\n\t})\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\tmarshalledEntryFromMirrorFS, err := genTrustedRoot(sigstoreKeysMap)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\tmustWriteFile(\"ctfePublicKey.pem\", ctfePK)\n\tmustWriteFile(\"ctfeLogID.txt\", []byte(ctfeLogID))\n\tmustWriteFile(\"rekorPublicKey.pem\", rekorPK)\n\tmustWriteFile(\"rekorLogID.txt\", []byte(rekorLogID))\n\tmustWriteFile(\"fulcioCertChain.pem\", fulcioChainConcat)\n\tmustWriteFile(\"tsaCertChain.pem\", tsaChainConcat)\n\tmustWriteFile(\"marshalledEntry.json\", 
marshalledEntry)\n\tmustWriteFile(\"marshalledEntryFromMirrorFS.json\", marshalledEntryFromMirrorFS)\n\tmustWriteFile(\"tufRepo.tar\", tufRepo)\n\tmustWriteFile(\"root.json\", rootJSON)\n\tmustWriteFile(\"tufRepoWithTrustedRootJSON.tar\", tufRepoWithTrustedRootJSON)\n\tmustWriteFile(\"rootWithTrustedRootJSON.json\", rootJSONWithTrustedRootJSON)\n\tmustWriteFile(\"tufRepoWithCustomTrustedRootJSON.tar\", tufRepoWithCustomTrustedRootJSON)\n\tmustWriteFile(\"rootWithCustomTrustedRootJSON.json\", rootJSONWithCustomTrustedRootJSON)\n}\n\nfunc mustWriteFile(path string, data []byte) {\n\terr := os.WriteFile(filepath.Join(*dir, path), data, 0600)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to write file %s: %v\", path, err)\n\t}\n}\n\nfunc genPK() ([]byte, string) {\n\tpriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to generate ecdsa key: %v\", err)\n\t}\n\tder, err := x509.MarshalPKIXPublicKey(priv.Public().(*ecdsa.PublicKey))\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to marshal ecdsa key: %v\", err)\n\t}\n\tpemPK := pem.EncodeToMemory(&pem.Block{Type: \"PUBLIC KEY\", Bytes: der})\n\n\t// generate log id\n\tpk, err := cryptoutils.UnmarshalPEMToPublicKey(pemPK)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to unmarshal ecdsa key: %v\", err)\n\t}\n\tlogID, err := cosign.GetTransparencyLogID(pk)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to get transparency log id: %v\", err)\n\t}\n\treturn pemPK, logID\n}\n\nfunc genCertChain(keyUsage x509.KeyUsage) [][]byte {\n\t// Create a new CA certificate\n\tcaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to generate ecdsa key: %v\", err)\n\t}\n\ttemplate := &x509.Certificate{\n\t\tSerialNumber:          new(big.Int).SetInt64(1),\n\t\tSubject:               pkix.Name{CommonName: \"ca\"},\n\t\tNotBefore:             time.Now(),\n\t\tNotAfter:              time.Now().AddDate(10, 0, 0),\n\t\tKeyUsage:              
x509.KeyUsageCertSign,\n\t\tBasicConstraintsValid: true,\n\t\tIsCA:                  true,\n\t}\n\tcaCertBytes, err := x509.CreateCertificate(rand.Reader, template, template, caPriv.Public(), caPriv)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to create x509 certificate: %v\", err)\n\t}\n\n\tcaCert, err := x509.ParseCertificate(caCertBytes)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to parse x509 certificate: %v\", err)\n\t}\n\n\t// Create a new leaf certificate\n\tleafPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to generate ecdsa key: %v\", err)\n\t}\n\tleafCert, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{\n\t\tSerialNumber: new(big.Int).SetInt64(2),\n\t\tSubject:      pkix.Name{CommonName: \"leaf\"},\n\t\tNotBefore:    time.Now(),\n\t\tNotAfter:     time.Now().AddDate(10, 0, 0),\n\t\tKeyUsage:     keyUsage,\n\t}, caCert, &leafPriv.PublicKey, caPriv)\n\tif err != nil {\n\t\tlog.Fatalf(\"failed to create x509 certificate: %v\", err)\n\t}\n\n\treturn [][]byte{pem.EncodeToMemory(&pem.Block{Type: \"CERTIFICATE\", Bytes: leafCert}), pem.EncodeToMemory(&pem.Block{Type: \"CERTIFICATE\", Bytes: caCertBytes})}\n}\n\nfunc genTrustRoot(sigstoreKeysMap map[string]string) (marshalledEntry []byte, err error) {\n\ttrustRoot := testing.NewTrustRoot(\"test-trustroot\", testing.WithSigstoreKeys(sigstoreKeysMap))\n\tsigstoreKeys, err := config.ConvertSigstoreKeys(context.Background(), trustRoot.Spec.SigstoreKeys)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\terr = populateLogIDs(sigstoreKeys)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn []byte(protojson.Format(sigstoreKeys)), nil\n}\n\nfunc populateLogIDs(sigstoreKeys *config.SigstoreKeys) error {\n\tfor i := range sigstoreKeys.Tlogs {\n\t\tlogID, err := genLogID(sigstoreKeys.Tlogs[i].PublicKey.RawBytes)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsigstoreKeys.Tlogs[i].LogId = &config.LogID{KeyId: []byte(logID)}\n\t}\n\tfor i := range 
sigstoreKeys.Ctlogs {\n\t\tlogID, err := genLogID(sigstoreKeys.Ctlogs[i].PublicKey.RawBytes)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsigstoreKeys.Ctlogs[i].LogId = &config.LogID{KeyId: []byte(logID)}\n\t}\n\treturn nil\n}\n\nfunc genLogID(pkBytes []byte) (string, error) {\n\tpk, err := x509.ParsePKIXPublicKey(pkBytes)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn cosign.GetTransparencyLogID(pk)\n}\n\nfunc genTUFRepo(files map[string][]byte) ([]byte, []byte, error) {\n\tdefer os.RemoveAll(path.Join(os.TempDir(), \"tuf\")) // TODO: Update scaffolding to use os.MkdirTemp and remove this\n\tctx := context.Background()\n\tlocal, dir, err := repo.CreateRepoWithOptions(ctx, files, repo.CreateRepoOptions{AddMetadataTargets: true})\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tmeta, err := local.GetMeta()\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\trootJSON, ok := meta[\"root.json\"]\n\tif !ok {\n\t\treturn nil, nil, err\n\t}\n\n\tvar compressed bytes.Buffer\n\tif err := repo.CompressFS(os.DirFS(dir), &compressed, map[string]bool{\"keys\": true, \"staged\": true}); err != nil {\n\t\treturn nil, nil, err\n\t}\n\treturn compressed.Bytes(), rootJSON, nil\n}\n\nfunc genTrustedRoot(sigstoreKeysMap map[string]string) ([]byte, error) {\n\ttlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap[\"rekor\"]))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tctlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap[\"ctfe\"]))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcertChain, err := config.DeserializeCertChain([]byte(sigstoreKeysMap[\"fulcio\"]))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\ttrustRoot := &config.SigstoreKeys{\n\t\tCertificateAuthorities: []*config.CertificateAuthority{{\n\t\t\tCertChain: certChain,\n\t\t\tValidFor:  &config.TimeRange{Start: &timestamppb.Timestamp{}},\n\t\t}},\n\t\tTlogs: []*config.TransparencyLogInstance{{\n\t\t\tHashAlgorithm: 
pbcommon.HashAlgorithm_SHA2_256,\n\t\t\tPublicKey:     tlogKey,\n\t\t}},\n\t\tCtlogs: []*config.TransparencyLogInstance{{\n\t\t\tHashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,\n\t\t\tPublicKey:     ctlogKey,\n\t\t}},\n\t}\n\terr = populateLogIDs(trustRoot)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\ttrustRootBytes := []byte(protojson.Format(trustRoot))\n\treturn trustRootBytes, nil\n}\n"
  },
  {
    "path": "hack/github-oidc-setup.sh",
    "content": "#!/usr/bin/env bash\n\n# Copyright 2022 The Sigstore Authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#      http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# Idempotent script.\n#\n# The commands are based on the Google blog post\n# https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions\n#\n# One addition is the attribute.repository=assertion.repository mapping.\n# This allows the service account binding below to be pinned to a given repo.\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o verbose\nset -o xtrace\n\nPROJECT_ID=\"projectsigstore\"\nPROJECT_NUMBER=\"498091336538\"\nPOOL_NAME=\"githubactions\"\nPROVIDER_NAME=\"sigstore-cosign\"\nLOCATION=\"global\"\nREPO=\"sigstore/cosign\"\nSERVICE_ACCOUNT_ID=\"github-actions-cosign\"\nSERVICE_ACCOUNT=\"${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com\"\n\n# Create workload identity pool if not present.\nif ! (gcloud iam workload-identity-pools describe \"${POOL_NAME}\" --location=${LOCATION}); then\n  gcloud iam workload-identity-pools create \"${POOL_NAME}\" \\\n    --project=\"${PROJECT_ID}\" \\\n    --location=\"${LOCATION}\" \\\n    --display-name=\"Github Actions Pool\"\nfi\n\n# Create workload identity provider if not present.\nif ! 
(gcloud iam workload-identity-pools providers describe \"${PROVIDER_NAME}\" --location=\"${LOCATION}\" --workload-identity-pool=\"${POOL_NAME}\"); then\n  gcloud iam workload-identity-pools providers create-oidc \"${PROVIDER_NAME}\" \\\n  --project=\"${PROJECT_ID}\" \\\n  --location=\"${LOCATION}\" \\\n  --workload-identity-pool=\"${POOL_NAME}\" \\\n  --display-name=\"Github Actions Provider Cosign\" \\\n  --attribute-mapping=\"google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository\" \\\n  --issuer-uri=\"https://token.actions.githubusercontent.com\"\nfi\n\n# Create service account if not present.\nif ! (gcloud iam service-accounts describe \"${SERVICE_ACCOUNT}\"); then\ngcloud iam service-accounts create ${SERVICE_ACCOUNT_ID} \\\n  --description=\"Service account for Github Actions Cosign\" \\\n  --display-name=\"Github Actions Cosign\"\nfi\n\n# Adding binding is idempotent.\ngcloud iam service-accounts add-iam-policy-binding \"${SERVICE_ACCOUNT}\" \\\n  --project=\"${PROJECT_ID}\" \\\n  --role=\"roles/iam.workloadIdentityUser\" \\\n  --member=\"principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/${LOCATION}/workloadIdentityPools/${POOL_NAME}/attribute.repository/${REPO}\"\n\n# Adding binding is idempotent.\n# Used for kicking off cloud build.\ngcloud projects add-iam-policy-binding \"${PROJECT_ID}\" \\\n  --project=\"${PROJECT_ID}\" \\\n  --role=\"roles/cloudbuild.builds.editor\" \\\n  --member=\"serviceAccount:${SERVICE_ACCOUNT}\"\n\n# Adding binding is idempotent.\n# Permission needed to run `gcloud builds`\n# https://cloud.google.com/build/docs/securing-builds/configure-access-to-resources#granting_permissions_to_run_gcloud_commands\ngcloud projects add-iam-policy-binding \"${PROJECT_ID}\" \\\n  --project=\"${PROJECT_ID}\" \\\n  --role=\"roles/serviceusage.serviceUsageConsumer\" \\\n  --member=\"serviceAccount:${SERVICE_ACCOUNT}\"\n"
  },
  {
    "path": "hack/tools.go",
    "content": "//go:build tools\n// +build tools\n\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage tools\n\n// This package imports things required by this repository, to force `go mod` to see them as dependencies\nimport (\n\t_ \"k8s.io/code-generator\"\n\t_ \"knative.dev/hack\"\n\n\t// codegen: hack/generate-knative.sh\n\t_ \"knative.dev/pkg/hack\"\n\n\t_ \"k8s.io/code-generator/cmd/client-gen\"\n\t_ \"k8s.io/code-generator/cmd/deepcopy-gen\"\n\t_ \"k8s.io/code-generator/cmd/defaulter-gen\"\n\t_ \"k8s.io/code-generator/cmd/informer-gen\"\n\t_ \"k8s.io/code-generator/cmd/lister-gen\"\n\t_ \"k8s.io/kube-openapi/cmd/openapi-gen\"\n\t_ \"knative.dev/pkg/codegen/cmd/injection-gen\"\n)\n"
  },
  {
    "path": "hack/update-codegen.sh",
    "content": "#!/usr/bin/env bash\n\n# Copyright 2022 The Sigstore Authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#      http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\npushd $(dirname \"$0\")/..\n# Removed by update-deps\necho === Vendoring scripts\ngo mod vendor\n\nsource $(dirname $0)/../vendor/knative.dev/hack/codegen-library.sh\n\nTMP_DIR=\"$(mktemp -d)\"\ntrap 'rm -rf ${TMP_DIR}' EXIT\n# Use the same go mod cache to speed things up.\nexport GOMODCACHE=${GOPATH}/pkg/mod\nexport GOPATH=${TMP_DIR}\n\n\nTMP_REPO_PATH=\"${TMP_DIR}/src/github.com/sigstore/policy-controller\"\nmkdir -p \"$(dirname \"${TMP_REPO_PATH}\")\" && ln -s \"${REPO_ROOT_DIR}\" \"${TMP_REPO_PATH}\"\n\necho \"=== Update Codegen for ${MODULE_NAME}\"\n\ngroup \"Kubernetes Codegen\"\n\n# generate the code with:\n# --output-base    because this script should also be able to run inside the vendor dir of\n#                  k8s.io/kubernetes. The output-base is needed for the generators to output into the vendor dir\n#                  instead of the $GOPATH directly. 
For normal projects this can be dropped.\nbash \"${CODEGEN_PKG}/kube_codegen.sh\" \"deepcopy,client,informer,lister\" \\\n  github.com/sigstore/policy-controller/pkg/client github.com/sigstore/policy-controller/pkg/apis \\\n  \"policy:v1alpha1 policy:v1beta1\" \\\n  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt\n\ngroup \"ducks\"\nbash \"${CODEGEN_PKG}/kube_codegen.sh\" \"deepcopy\" \\\n  github.com/sigstore/policy-controller/pkg/client github.com/sigstore/policy-controller/pkg/apis \\\n  \"duck:v1beta1\" \\\n  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt\n\ngroup \"Knative Codegen\"\n\n# Knative Injection\n${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh \"injection\" \\\n  github.com/sigstore/policy-controller/pkg/client github.com/sigstore/policy-controller/pkg/apis \\\n  \"policy:v1alpha1 policy:v1beta1 duck:v1beta1\" \\\n  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt\n\ngroup \"Update CRD Schema\"\n\n# Note that we run this twice, once for each version of the api, hence the\n# index of [0,1] so that we get both API descriptions updated.\ngo run $(dirname $0)/../cmd/schema/ dump ClusterImagePolicy \\\n  | yq eval-all --inplace 'select(fileIndex == 0).spec.versions[0].schema.openAPIV3Schema = select(fileIndex == 1) | select(fileIndex == 0)' \\\n  $(dirname $0)/../config/300-clusterimagepolicy.yaml -\ngo run $(dirname $0)/../cmd/schema/ dump ClusterImagePolicy \\\n  | yq eval-all --inplace 'select(fileIndex == 0).spec.versions[1].schema.openAPIV3Schema = select(fileIndex == 1) | select(fileIndex == 0)' \\\n  $(dirname $0)/../config/300-clusterimagepolicy.yaml -\n\n# Create file for TrustRoot as well\ngo run $(dirname $0)/../cmd/schema/ dump TrustRoot \\\n  | yq eval-all --inplace 'select(fileIndex == 0).spec.versions[0].schema.openAPIV3Schema = select(fileIndex == 1) | select(fileIndex == 0)' \\\n  $(dirname $0)/../config/300-trustroot.yaml -\n\ngroup \"Update deps post-codegen\"\n\n# Make 
sure our dependencies are up-to-date\n${REPO_ROOT_DIR}/hack/update-deps.sh\n"
  },
  {
    "path": "hack/update-deps.sh",
    "content": "#!/usr/bin/env bash\n\n# Copyright 2022 The Sigstore Authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#      http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\npushd $(dirname \"$0\")/..\necho === Vendoring scripts\ngo mod vendor\n\nsource $(dirname \"$0\")/../vendor/knative.dev/hack/library.sh\n\ngo_update_deps \"$@\"\n\necho === Removing vendor/\nrm -rf $REPO_ROOT_DIR/vendor/\n"
  },
  {
    "path": "images/dot/signatures.dot",
    "content": "digraph {\n  compound=true;\n  rankdir=\"LR\";\n  ordering = in;\n\n  subgraph cluster_registry {\n    label = \"registry\";\n\n    subgraph cluster_tags {\n      label = \"/v2/.../tags/list\";\n\n      tag [label=\"tag\", shape=\"rect\"];\n      tag2 [label=\"tag\", shape=\"rect\"];\n    }\n\n    subgraph cluster_manifests {\n      label = \"/v2/.../manifests/<ref>\";\n\n      subgraph cluster_image {\n        label = \"image\";\n\n        mconfig [label=\"config\", shape=\"rect\"];\n        layers [label=\"layers\", shape=\"rect\"];\n      }\n\n      subgraph cluster_index {\n        label = \"signature index\";\n\n        imanifest [label=\"manifests\", shape=\"rect\"];\n      }\n    }\n\n    subgraph cluster_blobs {\n      label = \"/v2/.../blobs/<sha256>\";\n\n      bconfig [label=\"config\", shape=\"hexagon\"];\n\n      l1 [label=\"layer\", shape=\"folder\"];\n      l2 [label=\"layer\", shape=\"folder\"];\n      desc1 [label=\"descriptor\", shape=\"rect\", color=\"green\"];\n      desc2 [label=\"descriptor\", shape=\"rect\", color=\"green\"];\n    }\n\n    layers -> l1;\n    layers -> l2;\n\n    mconfig -> bconfig;\n\n    imanifest -> desc1 [color=\"green\"];\n    imanifest -> desc2 [color=\"green\"];\n\n    desc1 -> mconfig [lhead=cluster_image, color=\"green\"];\n    desc2 -> mconfig [lhead=cluster_image, color=\"green\"];\n\n    tag -> mconfig [style=\"dashed\", lhead=cluster_image];\n    tag2 -> imanifest [style=\"dashed\", lhead=cluster_index];\n  }\n}"
  },
  {
    "path": "pkg/apis/config/doc.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// +k8s:deepcopy-gen=package\n\n// Package config holds the typed objects that define the schemas for\n// ConfigMap objects that pertain to our API objects.\n// This ConfigMap gets created by the Reconciler by combining all the\n// ClusterImagePolicy CR into a single ConfigMap so that the AdmissionController\n// only needs to deal with a single resource when validationg.\npackage config\n"
  },
  {
    "path": "pkg/apis/config/image_policies.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage config\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/glob\"\n\twebhookcip \"github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"k8s.io/apimachinery/pkg/api/meta\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tmetalabels \"k8s.io/apimachinery/pkg/labels\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n\t\"sigs.k8s.io/yaml\"\n)\n\nconst (\n\t// ImagePoliciesConfigName is the name of ConfigMap created by the\n\t// reconciler and consumed by the admission webhook.\n\tImagePoliciesConfigName = \"config-image-policies\"\n)\n\ntype ImagePolicyConfig struct {\n\t// This is the list of ImagePolicies that a admission controller uses\n\t// to make policy decisions.\n\tPolicies map[string]webhookcip.ClusterImagePolicy\n}\n\n// NewImagePoliciesConfigFromMap creates an ImagePolicyConfig from the supplied\n// Map\nfunc NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig, error) {\n\tret := &ImagePolicyConfig{Policies: make(map[string]webhookcip.ClusterImagePolicy, len(data))}\n\t// Spin through the ConfigMap. 
Each key will point to resolved\n\t// ImagePatterns.\n\tfor k, v := range data {\n\t\t// This is the example that we use to document / test the ConfigMap.\n\t\tif k == \"_example\" {\n\t\t\tcontinue\n\t\t}\n\t\tif v == \"\" {\n\t\t\treturn nil, fmt.Errorf(\"configmap has an entry %q but no value\", k)\n\t\t}\n\t\tclusterImagePolicy := &webhookcip.ClusterImagePolicy{}\n\n\t\tif err := parseEntry(v, clusterImagePolicy); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to parse the entry %q : %q : %w\", k, v, err)\n\t\t}\n\t\tret.Policies[k] = *clusterImagePolicy\n\t}\n\treturn ret, nil\n}\n\n// NewImagePoliciesConfigFromConfigMap creates an ImagePolicyConfig from the supplied ConfigMap\nfunc NewImagePoliciesConfigFromConfigMap(config *corev1.ConfigMap) (*ImagePolicyConfig, error) {\n\treturn NewImagePoliciesConfigFromMap(config.Data)\n}\n\nfunc parseEntry(entry string, out interface{}) error {\n\tj, err := yaml.YAMLToJSON([]byte(entry))\n\tif err != nil {\n\t\treturn fmt.Errorf(\"config's value could not be converted to JSON: %w : %s\", err, entry)\n\t}\n\treturn json.Unmarshal(j, &out)\n}\n\n// GetMatchingPolicies returns all matching Policies and their Authorities that\n// need to be matched for the given kind, version and labels (if provided) to then match the Image.\n// Returned map contains the name of the CIP as the key, and a normalized\n// ClusterImagePolicy for it.\nfunc (p *ImagePolicyConfig) GetMatchingPolicies(image string, kind, apiVersion string, labels map[string]string) (map[string]webhookcip.ClusterImagePolicy, error) {\n\tif p == nil {\n\t\treturn nil, errors.New(\"config is nil\")\n\t}\n\n\tgv, err := schema.ParseGroupVersion(apiVersion)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// While unsafe, this is correct (safe!) 
for everything we care about.\n\tgvr, _ := meta.UnsafeGuessKindToResource(gv.WithKind(kind))\n\n\tvar lastError error\n\tret := make(map[string]webhookcip.ClusterImagePolicy)\n\n\t// TODO(vaikas): this is very inefficient, we should have a better\n\t// way to go from image to Authorities, but just seeing if this is even\n\t// workable so fine for now.\n\tfor k, v := range p.Policies {\n\t\tif len(v.Match) > 0 {\n\t\t\tfoundMatch := false\n\t\t\tfor _, matchResource := range v.Match {\n\t\t\t\tif matchResource.Resource != gvr.Resource {\n\t\t\t\t\t// Resource doesn't match.\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tif matchResource.Version != gvr.Version && matchResource.Version != \"*\" {\n\t\t\t\t\t// Version doesn't match exactly or wildcard.\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tif matchResource.Group != gvr.Group {\n\t\t\t\t\t// Group doesn't match.\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\n\t\t\t\tif matchResource.ResourceSelector != nil {\n\t\t\t\t\tselector, err := metav1.LabelSelectorAsSelector(matchResource.ResourceSelector)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn nil, errors.New(\"policy with wrong match label selector\")\n\t\t\t\t\t}\n\t\t\t\t\tif !selector.Matches(metalabels.Set(labels)) {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// We found a set of match criteria that this resource satisfies\n\t\t\t\tfoundMatch = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif !foundMatch {\n\t\t\t\t// We didn't find any match with the current resource types, so we continue looking for policies\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\n\t\tfor _, pattern := range v.Images {\n\t\t\tif pattern.Glob != \"\" {\n\t\t\t\tif matched, err := glob.Match(pattern.Glob, image); err != nil {\n\t\t\t\t\tlastError = err\n\t\t\t\t} else if matched {\n\t\t\t\t\tret[k] = v\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn ret, lastError\n}\n"
  },
  {
    "path": "pkg/apis/config/image_policies_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage config\n\nimport (\n\t\"crypto\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"strings\"\n\t\"testing\"\n\n\twebhookcip \"github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy\"\n\t. \"knative.dev/pkg/configmap/testing\"\n\t_ \"knative.dev/pkg/system/testing\"\n)\n\nconst (\n\t// Just some public key that was laying around, only format matters.\n\tinlineKeyData = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n-----END PUBLIC KEY-----`\n)\n\nfunc TestDefaultsConfigurationFromFile(t *testing.T) {\n\t_, example := ConfigMapsFromTestFile(t, ImagePoliciesConfigName)\n\tif _, err := NewImagePoliciesConfigFromConfigMap(example); err != nil {\n\t\tt.Error(\"NewImagePoliciesConfigFromConfigMap(example) =\", err)\n\t}\n}\n\nfunc TestGetAuthorities(t *testing.T) {\n\t// TODO: Clean up this test to be table-driven with sub-tests, instead of one big test.\n\tgetAuthority := func(t *testing.T, m map[string]webhookcip.ClusterImagePolicy, mp string) webhookcip.Authority {\n\t\tt.Helper()\n\t\tcip, found := m[mp]\n\t\tif !found {\n\t\t\tt.Fatalf(\"failed to find matching policy %q\", mp)\n\t\t}\n\t\tif len(cip.Authorities) == 0 {\n\t\t\tt.Fatalf(\"no authorities for matching policy %q\", mp)\n\t\t}\n\t\treturn 
cip.Authorities[0]\n\t}\n\n\t_, example := ConfigMapsFromTestFile(t, ImagePoliciesConfigName)\n\tdefaults, err := NewImagePoliciesConfigFromConfigMap(example)\n\tif err != nil {\n\t\tt.Error(\"NewImagePoliciesConfigFromConfigMap(example) =\", err)\n\t}\n\tc, err := defaults.GetMatchingPolicies(\"rando\", \"Pod\", \"v1\", map[string]string{})\n\tcheckGetMatches(t, c, err)\n\tmatchedPolicy := \"cluster-image-policy-0\"\n\twant := inlineKeyData\n\tif got := getAuthority(t, c, matchedPolicy).Key.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\t// Make sure UID and ResourceVersion are unserialized properly\n\tcheckUIDAndResourceVersion(t, matchedPolicy, c[matchedPolicy])\n\t// Make sure glob matches 'randomstuff*'\n\tc, err = defaults.GetMatchingPolicies(\"randomstuffhere\", \"Pod\", \"v1\", map[string]string{})\n\tcheckGetMatches(t, c, err)\n\tmatchedPolicy = \"cluster-image-policy-1\"\n\twant = inlineKeyData\n\tif got := getAuthority(t, c, matchedPolicy).Key.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\t// Make sure UID and ResourceVersion are unserialized properly\n\tcheckUIDAndResourceVersion(t, matchedPolicy, c[matchedPolicy])\n\tc, err = defaults.GetMatchingPolicies(\"rando3\", \"Pod\", \"v1\", map[string]string{})\n\tmatchedPolicy = \"cluster-image-policy-2\"\n\tcheckGetMatches(t, c, err)\n\twant = inlineKeyData\n\tif got := getAuthority(t, c, matchedPolicy).Keyless.CACert.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\twantInsecureIgnoreSCT := true\n\tif got := getAuthority(t, c, matchedPolicy).Keyless.InsecureIgnoreSCT; *got != wantInsecureIgnoreSCT {\n\t\tt.Errorf(\"Did not get what I wanted %v, got %+v\", wantInsecureIgnoreSCT, got)\n\t}\n\twant = \"issuer\"\n\tif got := getAuthority(t, c, matchedPolicy).Keyless.Identities[0].Issuer; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, 
got)\n\t}\n\twant = \"subject\"\n\tif got := getAuthority(t, c, matchedPolicy).Keyless.Identities[0].Subject; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\twant = \"trustroot-tsa-ref\"\n\tgot := getAuthority(t, c, matchedPolicy)\n\tif got.RFC3161Timestamp.TrustRootRef != want {\n\t\tt.Errorf(\"Did not get the tsa what I wanted %q, got %+v\", want, got)\n\t}\n\t// Make sure UID and ResourceVersion are unserialized properly\n\tcheckUIDAndResourceVersion(t, matchedPolicy, c[matchedPolicy])\n\n\t// Make sure regex matches \"regexstring*\"\n\tc, err = defaults.GetMatchingPolicies(\"regexstringstuff\", \"Pod\", \"v1\", map[string]string{})\n\tcheckGetMatches(t, c, err)\n\tmatchedPolicy = \"cluster-image-policy-4\"\n\twant = inlineKeyData\n\tif got := getAuthority(t, c, matchedPolicy).Key.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\tcheckPublicKey(t, getAuthority(t, c, matchedPolicy).Key.PublicKeys[0])\n\t// Make sure UID and ResourceVersion are unserialized properly\n\tcheckUIDAndResourceVersion(t, matchedPolicy, c[matchedPolicy])\n\n\t// Test multiline yaml cert\n\tc, err = defaults.GetMatchingPolicies(\"inlinecert\", \"Pod\", \"v1\", map[string]string{})\n\tcheckGetMatches(t, c, err)\n\tmatchedPolicy = \"cluster-image-policy-3\"\n\twant = inlineKeyData\n\tif got := getAuthority(t, c, matchedPolicy).Key.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\tcheckPublicKey(t, getAuthority(t, c, matchedPolicy).Key.PublicKeys[0])\n\n\t// Test multiline cert but json encoded\n\tc, err = defaults.GetMatchingPolicies(\"ghcr.io/example/foo\", \"Pod\", \"v1\", map[string]string{})\n\tcheckGetMatches(t, c, err)\n\tmatchedPolicy = \"cluster-image-policy-json\"\n\twant = inlineKeyData\n\tif got := getAuthority(t, c, matchedPolicy).Key.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\tcheckPublicKey(t, 
getAuthority(t, c, matchedPolicy).Key.PublicKeys[0])\n\n\t// Test multiple matches\n\tc, err = defaults.GetMatchingPolicies(\"regexstringtoo\", \"Pod\", \"v1\", map[string]string{})\n\tcheckGetMatches(t, c, err)\n\tif len(c) != 2 {\n\t\tt.Errorf(\"Wanted two matches, got %d\", len(c))\n\t}\n\tmatchedPolicy = \"cluster-image-policy-4\"\n\twant = inlineKeyData\n\tif got := getAuthority(t, c, matchedPolicy).Key.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\tcheckPublicKey(t, getAuthority(t, c, matchedPolicy).Key.PublicKeys[0])\n\n\tmatchedPolicy = \"cluster-image-policy-5\"\n\twant = inlineKeyData\n\tif got := getAuthority(t, c, matchedPolicy).Key.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\n\t// Test attestations + top level policy\n\tc, err = defaults.GetMatchingPolicies(\"withattestations\", \"Pod\", \"v1\", map[string]string{})\n\tcheckGetMatches(t, c, err)\n\tif len(c) != 1 {\n\t\tt.Errorf(\"Wanted 1 match, got %d\", len(c))\n\t}\n\tmatchedPolicy = \"cluster-image-policy-with-policy-attestations\"\n\twant = \"attestation-0\"\n\tif got := getAuthority(t, c, matchedPolicy).Name; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\t// Both top & authority policy is using cue\n\twant = \"cue\"\n\tif got := c[matchedPolicy].Policy.Type; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\twant = \"cip level cue here\"\n\tif got := c[matchedPolicy].Policy.Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\twant = \"cue\"\n\tif got := getAuthority(t, c, matchedPolicy).Attestations[0].Type; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\twant = \"test-cue-here\"\n\tif got := getAuthority(t, c, matchedPolicy).Attestations[0].Data; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, 
got)\n\t}\n\n\t// Test source oci\n\tmatchedPolicy = \"cluster-image-policy-source-oci\"\n\tc, err = defaults.GetMatchingPolicies(\"sourceocionly\", \"Pod\", \"v1\", map[string]string{})\n\tcheckGetMatches(t, c, err)\n\tif len(c) != 1 {\n\t\tt.Errorf(\"Wanted 1 match, got %d\", len(c))\n\t}\n\n\tcheckSourceOCI(t, c[matchedPolicy].Authorities)\n\twant = \"example.registry.com/alternative/signature\"\n\tif got := getAuthority(t, c, matchedPolicy).Sources[0].OCI; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\n\t// Test source signaturePullSecrets\n\tmatchedPolicy = \"cluster-image-policy-source-oci-signature-pull-secrets\"\n\tc, err = defaults.GetMatchingPolicies(\"sourceocisignaturepullsecrets\", \"Pod\", \"v1\", map[string]string{\"match\": \"match\"})\n\tcheckGetMatches(t, c, err)\n\tif len(c) != 1 {\n\t\tt.Errorf(\"Wanted 1 match, got %d\", len(c))\n\t}\n\n\tcheckSourceOCI(t, c[matchedPolicy].Authorities)\n\tif got := len(getAuthority(t, c, matchedPolicy).Sources[0].SignaturePullSecrets); got != 1 {\n\t\tt.Errorf(\"Did not get what I wanted %d, got %d\", 1, got)\n\t}\n\twant = \"examplePullSecret\"\n\tif got := getAuthority(t, c, matchedPolicy).Sources[0].SignaturePullSecrets[0].Name; got != want {\n\t\tt.Errorf(\"Did not get what I wanted %q, got %+v\", want, got)\n\t}\n\n\t// Test resource matching\n\tc, err = defaults.GetMatchingPolicies(\"match-pods\", \"Pod\", \"v1\", map[string]string{\"match\": \"match\"})\n\tcheckGetMatches(t, c, err)\n\tif len(c) != 1 {\n\t\tt.Errorf(\"Wanted 1 match, got %d\", len(c))\n\t}\n\tc, err = defaults.GetMatchingPolicies(\"match-pods\", \"Pod\", \"apps/v1\", map[string]string{\"match\": \"match\"})\n\tif err != nil {\n\t\tt.Fatalf(\"GetMatchingPolicies() = %v\", err)\n\t}\n\tif len(c) != 0 {\n\t\tt.Errorf(\"Wanted 0 matches, got %d\", len(c))\n\t}\n\tc, err = defaults.GetMatchingPolicies(\"match-pods\", \"Pod\", \"blah/v1alpha1\", map[string]string{\"match\": \"match\"})\n\tif err != 
nil {\n\t\tt.Fatalf(\"GetMatchingPolicies() = %v\", err)\n\t}\n\tif len(c) != 0 {\n\t\tt.Errorf(\"Wanted 0 matches, got %d\", len(c))\n\t}\n}\n\nfunc TestFailsToLoadInvalid(t *testing.T) {\n\twantErr := \"failed to parse the entry \\\"cluster-image-policy-0\\\"\"\n\t_, example := ConfigMapsFromTestFile(t, \"config-invalid-image-policy\")\n\t_, err := NewImagePoliciesConfigFromConfigMap(example)\n\tif err == nil {\n\t\tt.Error(\"Did not fail with invalid configmap\")\n\t} else if !strings.Contains(err.Error(), wantErr) {\n\t\tt.Errorf(\"Unexpected error, wanted to contain %s : got %v\", wantErr, err)\n\t}\n}\n\nfunc checkGetMatches(t *testing.T, c map[string]webhookcip.ClusterImagePolicy, err error) {\n\tt.Helper()\n\tif err != nil {\n\t\tt.Error(\"GetMatches Failed =\", err)\n\t}\n\tif len(c) == 0 {\n\t\tt.Error(\"Wanted a config, got none.\")\n\t}\n\tfor _, v := range c {\n\t\tif v.Authorities != nil || len(v.Authorities) > 0 {\n\t\t\treturn\n\t\t}\n\t}\n\tt.Error(\"Wanted a config and non-zero authorities, got no authorities\")\n}\n\nfunc checkPublicKey(t *testing.T, gotKey crypto.PublicKey) {\n\tt.Helper()\n\n\tderBytes, err := x509.MarshalPKIXPublicKey(gotKey)\n\tif err != nil {\n\t\tt.Error(\"Failed to Marshal Key =\", err)\n\t}\n\n\tpemBytes := pem.EncodeToMemory(&pem.Block{\n\t\tType:  \"PUBLIC KEY\",\n\t\tBytes: derBytes,\n\t})\n\n\t// pem.EncodeToMemory has an extra newline at the end\n\tgot := strings.TrimSuffix(string(pemBytes), \"\\n\")\n\tif got != inlineKeyData {\n\t\tt.Errorf(\"Did not get what I wanted %s, got %s\", inlineKeyData, string(pemBytes))\n\t}\n}\n\nfunc checkSourceOCI(t *testing.T, authority []webhookcip.Authority) {\n\tt.Helper()\n\n\tif got := len(authority); got != 1 {\n\t\tt.Errorf(\"Did not get what I wanted %d, got %d\", 1, got)\n\t}\n\tif got := len(authority[0].Sources); got != 1 {\n\t\tt.Errorf(\"Did not get what I wanted %d, got %d\", 1, got)\n\t}\n\n\twant := len(authority[0].Sources)\n\tif got := len(authority[0].RemoteOpts); 
got != want {\n\t\tt.Errorf(\"Did not get what I wanted %d, got %d\", want, got)\n\t}\n}\n\nfunc checkUIDAndResourceVersion(t *testing.T, cipName string, cip webhookcip.ClusterImagePolicy) {\n\tt.Helper()\n\twantUID := fmt.Sprintf(\"%s-uid\", cipName)\n\tif wantUID != string(cip.UID) {\n\t\tt.Errorf(\"UID mismatch want: %s got: %s\", wantUID, cip.UID)\n\t}\n\twantResourceVersion := fmt.Sprintf(\"%s-resource-version\", cipName)\n\tif wantResourceVersion != cip.ResourceVersion {\n\t\tt.Errorf(\"UID mismatch want: %s got: %s\", wantResourceVersion, cip.ResourceVersion)\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/config/sigstore_keys.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage config\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rsa\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\n\t\"github.com/sigstore/cosign/v3/pkg/cosign\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tpbcommon \"github.com/sigstore/protobuf-specs/gen/pb-go/common/v1\"\n\tpbtrustroot \"github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n\t\"google.golang.org/protobuf/types/known/timestamppb\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"sigs.k8s.io/yaml\"\n)\n\nconst (\n\t// SigstoreKeysConfigName is the name of ConfigMap created by the\n\t// reconciler and consumed by the admission webhook for determining\n\t// which Keys/Certificates are trusted for things like Fulcio/Rekor, etc.\n\tSigstoreKeysConfigName = \"config-sigstore-keys\"\n)\n\n// Type aliases for types from protobuf-specs. 
TODO: Consider just importing\n// the protobuf-specs types directly from each package as needed.\n\n// SigstoreKeys contains all the necessary Keys and Certificates for validating\n// against a specific instance of Sigstore.\ntype SigstoreKeys = pbtrustroot.TrustedRoot\ntype CertificateAuthority = pbtrustroot.CertificateAuthority\ntype TransparencyLogInstance = pbtrustroot.TransparencyLogInstance\ntype DistinguishedName = pbcommon.DistinguishedName\ntype LogID = pbcommon.LogId\ntype TimeRange = pbcommon.TimeRange\ntype Timestamp = timestamppb.Timestamp\n\ntype SigstoreKeysMap struct {\n\tSigstoreKeys map[string]*SigstoreKeys\n}\n\n// NewSigstoreKeysFromMap creates a map of SigstoreKeys to use for validation.\nfunc NewSigstoreKeysFromMap(data map[string]string) (*SigstoreKeysMap, error) {\n\tret := make(map[string]*SigstoreKeys, len(data))\n\t// Spin through the ConfigMap. Each entry will have a serialized form of\n\t// necessary validation keys in the form of SigstoreKeys.\n\tfor k, v := range data {\n\t\t// This is the example that we use to document / test the ConfigMap.\n\t\tif k == \"_example\" {\n\t\t\tcontinue\n\t\t}\n\t\tif v == \"\" {\n\t\t\treturn nil, fmt.Errorf(\"configmap has an entry %q but no value\", k)\n\t\t}\n\t\tsigstoreKeys := &SigstoreKeys{}\n\n\t\tif err := parseSigstoreKeys(v, sigstoreKeys); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to parse the entry %q : %q : %w\", k, v, err)\n\t\t}\n\t\tret[k] = sigstoreKeys\n\t}\n\treturn &SigstoreKeysMap{SigstoreKeys: ret}, nil\n}\n\n// NewSigstoreKeysFromConfigMap creates a SigstoreKeysMap from the supplied ConfigMap\nfunc NewSigstoreKeysFromConfigMap(config *corev1.ConfigMap) (*SigstoreKeysMap, error) {\n\treturn NewSigstoreKeysFromMap(config.Data)\n}\n\nfunc parseSigstoreKeys(entry string, out *pbtrustroot.TrustedRoot) error {\n\tj, err := yaml.YAMLToJSON([]byte(entry))\n\tif err != nil {\n\t\treturn fmt.Errorf(\"config's value could not be converted to JSON: %w : %s\", err, 
entry)\n\t}\n\treturn protojson.Unmarshal(j, out)\n}\n\n// ConvertSigstoreKeys takes a source and converts into a SigstoreKeys suitable\n// for serialization into a ConfigMap entry.\nfunc ConvertSigstoreKeys(_ context.Context, source *v1alpha1.SigstoreKeys) (sk *SigstoreKeys, err error) {\n\tsk = &SigstoreKeys{}\n\tsk.MediaType = \"application/vnd.dev.sigstore.trustedroot+json;version=0.1\"\n\tsk.CertificateAuthorities = make([]*pbtrustroot.CertificateAuthority, len(source.CertificateAuthorities))\n\tfor i := range source.CertificateAuthorities {\n\t\tsk.CertificateAuthorities[i], err = ConvertCertificateAuthority(source.CertificateAuthorities[i])\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to convert certificate authority: %w\", err)\n\t\t}\n\t}\n\n\tsk.Tlogs = make([]*pbtrustroot.TransparencyLogInstance, len(source.TLogs))\n\tfor i := range source.TLogs {\n\t\tsk.Tlogs[i], err = ConvertTransparencyLogInstance(source.TLogs[i])\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to convert transparency log instance: %w\", err)\n\t\t}\n\t}\n\n\tsk.Ctlogs = make([]*pbtrustroot.TransparencyLogInstance, len(source.CTLogs))\n\tfor i := range source.CTLogs {\n\t\tsk.Ctlogs[i], err = ConvertTransparencyLogInstance(source.CTLogs[i])\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to convert ct log instance: %w\", err)\n\t\t}\n\t}\n\n\tsk.TimestampAuthorities = make([]*pbtrustroot.CertificateAuthority, len(source.TimeStampAuthorities))\n\tfor i := range source.TimeStampAuthorities {\n\t\tsk.TimestampAuthorities[i], err = ConvertCertificateAuthority(source.TimeStampAuthorities[i])\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to convert timestamp authority: %w\", err)\n\t\t}\n\t}\n\treturn sk, nil\n}\n\n// ConvertCertificateAuthority converts public into private CertificateAuthority\nfunc ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) (*pbtrustroot.CertificateAuthority, error) {\n\tcertChain, err := 
DeserializeCertChain(source.CertChain)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &pbtrustroot.CertificateAuthority{\n\t\tSubject: &pbcommon.DistinguishedName{\n\t\t\tOrganization: source.Subject.Organization,\n\t\t\tCommonName:   source.Subject.CommonName,\n\t\t},\n\t\tUri:       source.URI.String(),\n\t\tCertChain: certChain,\n\t\tValidFor: &pbcommon.TimeRange{\n\t\t\tStart: &timestamppb.Timestamp{\n\t\t\t\tSeconds: 0, // TODO: Add support for time range to v1alpha1.CertificateAuthority\n\t\t\t},\n\t\t},\n\t}, nil\n}\n\n// ConvertTransparencyLogInstance converts public into private\n// TransparencyLogInstance.\nfunc ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) (*pbtrustroot.TransparencyLogInstance, error) {\n\tpbpk, pk, err := DeserializePublicKey(source.PublicKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tlogID, err := cosign.GetTransparencyLogID(pk)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &pbtrustroot.TransparencyLogInstance{\n\t\tBaseUrl:       source.BaseURL.String(),\n\t\tHashAlgorithm: HashStringToHashAlgorithm(source.HashAlgorithm),\n\t\tPublicKey:     pbpk,\n\t\tLogId: &pbcommon.LogId{\n\t\t\tKeyId: []byte(logID),\n\t\t},\n\t}, nil\n}\n\nfunc HashStringToHashAlgorithm(hash string) pbcommon.HashAlgorithm {\n\tswitch hash {\n\tcase \"sha-256\", \"sha256\":\n\t\treturn pbcommon.HashAlgorithm_SHA2_256\n\tcase \"sha-384\", \"sha384\":\n\t\treturn pbcommon.HashAlgorithm_SHA2_384\n\tcase \"sha-512\", \"sha512\":\n\t\treturn pbcommon.HashAlgorithm_SHA2_512\n\tdefault:\n\t\treturn pbcommon.HashAlgorithm_HASH_ALGORITHM_UNSPECIFIED\n\t}\n}\n\nfunc SerializeCertChain(certChain *pbcommon.X509CertificateChain) []byte {\n\tvar chain []byte\n\tfor _, cert := range certChain.Certificates {\n\t\tbytes := cert.RawBytes\n\t\tblock := &pem.Block{\n\t\t\tType:  \"CERTIFICATE\",\n\t\t\tBytes: bytes,\n\t\t}\n\t\tchain = append(chain, pem.EncodeToMemory(block)...)\n\t}\n\treturn chain\n}\n\nfunc 
SerializePublicKey(publicKey *pbcommon.PublicKey) []byte {\n\tblock := &pem.Block{\n\t\tType:  \"PUBLIC KEY\",\n\t\tBytes: publicKey.RawBytes,\n\t}\n\treturn pem.EncodeToMemory(block)\n}\n\nfunc DeserializeCertChain(chain []byte) (*pbcommon.X509CertificateChain, error) {\n\tvar certs []*pbcommon.X509Certificate\n\tvar block *pem.Block\n\tfor len(chain) > 0 {\n\t\tblock, chain = pem.Decode(chain)\n\t\tif block == nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to decode certificate chain PEM\")\n\t\t}\n\t\tcerts = append(certs, &pbcommon.X509Certificate{RawBytes: block.Bytes})\n\t}\n\treturn &pbcommon.X509CertificateChain{Certificates: certs}, nil\n}\n\nfunc DeserializePublicKey(publicKey []byte) (*pbcommon.PublicKey, crypto.PublicKey, error) {\n\tblock, _ := pem.Decode(publicKey)\n\tif block == nil {\n\t\treturn nil, nil, fmt.Errorf(\"failed to decode public key\")\n\t}\n\tpk, err := cryptoutils.UnmarshalPEMToPublicKey(publicKey)\n\tif err != nil {\n\t\treturn nil, nil, fmt.Errorf(\"failed to unmarshal public key: %w\", err)\n\t}\n\tvar keyDetails pbcommon.PublicKeyDetails\n\tswitch k := pk.(type) {\n\tcase *ecdsa.PublicKey:\n\t\tswitch k.Curve {\n\t\tcase elliptic.P256():\n\t\t\tkeyDetails = pbcommon.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256\n\t\tcase elliptic.P384():\n\t\t\tkeyDetails = pbcommon.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384\n\t\tcase elliptic.P521():\n\t\t\tkeyDetails = pbcommon.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512\n\t\tdefault:\n\t\t\tkeyDetails = pbcommon.PublicKeyDetails_PUBLIC_KEY_DETAILS_UNSPECIFIED\n\t\t}\n\tcase *rsa.PublicKey:\n\t\tswitch k.Size() {\n\t\tcase 2048:\n\t\t\tkeyDetails = pbcommon.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256\n\t\tcase 3072:\n\t\t\tkeyDetails = pbcommon.PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256\n\t\tcase 4096:\n\t\t\tkeyDetails = pbcommon.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256\n\t\tdefault:\n\t\t\tkeyDetails = pbcommon.PublicKeyDetails_PUBLIC_KEY_DETAILS_UNSPECIFIED\n\t\t}\n\tdefault:\n\t\tkeyDetails = 
pbcommon.PublicKeyDetails_PUBLIC_KEY_DETAILS_UNSPECIFIED\n\t}\n\n\treturn &pbcommon.PublicKey{\n\t\tRawBytes:   block.Bytes,\n\t\tKeyDetails: keyDetails,\n\t\tValidFor: &pbcommon.TimeRange{\n\t\t\tStart: &timestamppb.Timestamp{\n\t\t\t\tSeconds: 0, // TODO: Add support for time range to v1alpha.TransparencyLogInstance\n\t\t\t},\n\t\t},\n\t}, pk, nil\n}\n"
  },
  {
    "path": "pkg/apis/config/sigstore_keys_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage config\n\nimport (\n\t\"bytes\"\n\t\"encoding/pem\"\n\t\"testing\"\n\n\t. \"knative.dev/pkg/configmap/testing\"\n\t_ \"knative.dev/pkg/system/testing\"\n)\n\nconst (\n\trekorPublicKey = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7D2WvgqSzs9jpdJsOJ5Nl6xg8JXm\nNmo7M3bN7+dQddw9Ibc2R3SV8tzBZw0rST8FKcn4apJepcKM4qUpYUeNfw==\n-----END PUBLIC KEY-----\n`\n\ttsaCertChain = `-----BEGIN CERTIFICATE-----\nMIIBzDCCAXKgAwIBAgIUfyGKDoFa7y6s/W1p1CiTmBRs1eAwCgYIKoZIzj0EAwIw\nMDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0\nZTAeFw0yMjExMDkyMDMxMzRaFw0zMTExMDkyMDM0MzRaMDAxDjAMBgNVBAoTBWxv\nY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmcwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAAR3KcDy9jwARX0rDvyr+MGGkG3n1OA0MU5+ZiDmgusFyk6U\n6bovKWVMfD8J8NTcJZE0RaYJr8/dE9kgcIIXlhMwo2owaDAOBgNVHQ8BAf8EBAMC\nB4AwHQYDVR0OBBYEFHNn5R3b3MtUdSNrFO49Q6XDVSnkMB8GA1UdIwQYMBaAFNLS\n6gno7Om++Qt5zIa+H9o0HiT2MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqG\nSM49BAMCA0gAMEUCIQCF0olohnvdUq6T7/wPk19Z5aQP/yxRTjCWYuhn/TCyHgIg\nazV3air4GRZbN9bdYtcQ7JUAKq89GOhtFfl6kcoVUvU=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIB0jCCAXigAwIBAgIUXpBmYJFFaGW3cC8p6b/DHr1i8IowCgYIKoZIzj0EAwIw\nKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx\nMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAwMQ4wDAYDVQQKEwVsb2NhbDEeMBwG\nA1UEAxMVVGVzdCBUU0EgSW50ZXJtZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0D\nAQcDQgAEKDPDRIwDS1ZCymub6yanCG5ma0qDjLpNonDvooSkRHEgU0TNibeJn6M+\n5W608hCw8nwuucMbXQ41kNeuBeevyqN4MHYwDgYDVR0PAQH/BAQDAgEGMBMGA1Ud\nJQQMMAoGCCsGAQUFBwMIMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNLS6gno\n7Om++Qt5zIa+H9o0HiT2MB8GA1UdIwQYMBaAFB1nvXpNK7AuQlbJ+ya6nPSqWi+T\nMAoGCCqGSM49BAMCA0gAMEUCIGiwqCI29w7C4V8TltCsi728s5DtklCPySDASUSu\na5y5AiEA40Ifdlwf7Uj8q8NSD6Z4g/0js0tGNdLSUJ1do/WoN0s=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBlDCCATqgAwIBAgIUYZx9sS14En7SuHDOJJP4IPopMjUwCgYIKoZIzj0EAwIw\nKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx\nMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAoMQ4wDAYDVQQKEwVsb2NhbDEWMBQG\nA1UEAxMNVGVzdCBUU0EgUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAbB\nB0SU8G75hVIUphChA4nfOwNWP347TjScIdsEPrKVn+/Y1HmmLHJDjSfn+xhEFoEk\n7jqgrqon48i4xbo7xAujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD\nAQH/MB0GA1UdDgQWBBQdZ716TSuwLkJWyfsmupz0qlovkzAKBggqhkjOPQQDAgNI\nADBFAiBe5P56foqmFcZAVpEeAOFZrAlEiq05CCpMNYh5EjLvmAIhAKNF6xIV5uFd\npSTJsAwzjW78CKQm7qol0uPmPPu6mNaw\n-----END CERTIFICATE-----`\n)\n\nfunc TestDefaultsSigstoreKeysConfigurationFromFile(t *testing.T) {\n\t_, example := ConfigMapsFromTestFile(t, SigstoreKeysConfigName)\n\tkeysMap, err := NewSigstoreKeysFromConfigMap(example)\n\tif err != nil {\n\t\tt.Error(\"NewSigstoreKeysFromConfigMap(example) =\", err)\n\t}\n\tsigstoreKeys := keysMap.SigstoreKeys[\"my-custom-sigstore-keys\"]\n\torg := sigstoreKeys.CertificateAuthorities[0].Subject.Organization\n\tif org != \"fulcio-organization\" {\n\t\tt.Errorf(\"Invalid organization, want foo got %s\", org)\n\t}\n\t// TODO: Validate the entire file, above spot checks are not enough, but\n\t// at least we can unmarshal.\n\t// Note that even though 
sigstoreKeys.TLog[0].PublicKey is base64 encoded\n\t// in the ConfigMap it gets decoded when we fetch it above, so we get the\n\t// PEM format for it directly. Same for tsaCertChain\n\tgot := sigstoreKeys.Tlogs[0].PublicKey.RawBytes\n\tblock, _ := pem.Decode([]byte(rekorPublicKey))\n\tif !bytes.Equal(got, block.Bytes) {\n\t\tt.Errorf(\"Invalid public key, want %s got %s\", block.Bytes, got)\n\t}\n\tcerts := []byte(tsaCertChain)\n\tfor _, cert := range sigstoreKeys.TimestampAuthorities[0].CertChain.Certificates {\n\t\tblock, certs = pem.Decode(certs)\n\t\tif !bytes.Equal(block.Bytes, cert.RawBytes) {\n\t\t\tt.Errorf(\"Invalid cert chain, want %s got %s\", cert.RawBytes, block.Bytes)\n\t\t}\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/config/store.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage config\n\nimport (\n\t\"context\"\n\n\t\"knative.dev/pkg/configmap\"\n)\n\ntype cfgKey struct{}\n\n// Config holds the collection of configurations that we attach to contexts.\n// +k8s:deepcopy-gen=false\ntype Config struct {\n\tImagePolicyConfig  *ImagePolicyConfig\n\tSigstoreKeysConfig *SigstoreKeysMap\n}\n\n// FromContext extracts a Config from the provided context.\nfunc FromContext(ctx context.Context) *Config {\n\tx, ok := ctx.Value(cfgKey{}).(*Config)\n\tif ok {\n\t\treturn x\n\t}\n\treturn nil\n}\n\n// FromContextOrDefaults is like FromContext, but when no Config is attached it\n// returns a Config populated with the defaults for each of the Config fields.\nfunc FromContextOrDefaults(ctx context.Context) *Config {\n\tif cfg := FromContext(ctx); cfg != nil {\n\t\treturn cfg\n\t}\n\tconfig, _ := NewImagePoliciesConfigFromMap(map[string]string{})\n\tsigstoreKeysMap, _ := NewSigstoreKeysFromMap(map[string]string{})\n\treturn &Config{\n\t\tImagePolicyConfig:  config,\n\t\tSigstoreKeysConfig: sigstoreKeysMap,\n\t}\n}\n\n// ToContext attaches the provided Config to the provided context, returning the\n// new context with the Config attached.\nfunc ToContext(ctx context.Context, c *Config) context.Context {\n\treturn context.WithValue(ctx, cfgKey{}, c)\n}\n\n// Store is a typed wrapper around configmap.Untyped store to handle our 
configmaps.\n// +k8s:deepcopy-gen=false\ntype Store struct {\n\t*configmap.UntypedStore\n}\n\n// NewStore creates a new store of Configs and optionally calls functions when ConfigMaps are updated.\nfunc NewStore(logger configmap.Logger, onAfterStore ...func(name string, value interface{})) *Store {\n\tstore := &Store{\n\t\tUntypedStore: configmap.NewUntypedStore(\n\t\t\t\"image-policies\",\n\t\t\tlogger,\n\t\t\tconfigmap.Constructors{\n\t\t\t\tImagePoliciesConfigName: NewImagePoliciesConfigFromConfigMap,\n\t\t\t\tSigstoreKeysConfigName:  NewSigstoreKeysFromConfigMap,\n\t\t\t},\n\t\t\tonAfterStore...,\n\t\t),\n\t}\n\n\treturn store\n}\n\n// ToContext attaches the current Config state to the provided context.\nfunc (s *Store) ToContext(ctx context.Context) context.Context {\n\treturn ToContext(ctx, s.Load())\n}\n\n// Load creates a Config from the current config state of the Store.\nfunc (s *Store) Load() *Config {\n\treturn &Config{\n\t\tImagePolicyConfig:  s.UntypedLoad(ImagePoliciesConfigName).(*ImagePolicyConfig),\n\t\tSigstoreKeysConfig: s.UntypedLoad(SigstoreKeysConfigName).(*SigstoreKeysMap),\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/config/store_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage config\n\nimport (\n\t\"context\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/sigstore/cosign/v3/pkg/oci/remote\"\n\t\"google.golang.org/protobuf/testing/protocmp\"\n\t\"k8s.io/apimachinery/pkg/api/resource\"\n\tlogtesting \"knative.dev/pkg/logging/testing\"\n\n\t. \"knative.dev/pkg/configmap/testing\"\n)\n\nvar ignoreStuff = cmp.Options{\n\tprotocmp.Transform(),\n\tcmpopts.IgnoreUnexported(resource.Quantity{}),\n\t// Ignore functional remote options\n\tcmpopts.IgnoreTypes((remote.Option)(nil)),\n}\n\nfunc TestStoreLoadWithContext(t *testing.T) {\n\tstore := NewStore(logtesting.TestLogger(t))\n\n\t_, imagePolicies := ConfigMapsFromTestFile(t, ImagePoliciesConfigName)\n\t_, sigstoreKeysMap := ConfigMapsFromTestFile(t, SigstoreKeysConfigName)\n\n\tstore.OnConfigChanged(imagePolicies)\n\tstore.OnConfigChanged(sigstoreKeysMap)\n\n\tconfig := FromContextOrDefaults(store.ToContext(context.Background()))\n\n\tt.Run(\"image-policies\", func(t *testing.T) {\n\t\texpected, _ := NewImagePoliciesConfigFromConfigMap(imagePolicies)\n\t\tif diff := cmp.Diff(expected, config.ImagePolicyConfig, ignoreStuff...); diff != \"\" {\n\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t}\n\t})\n\tt.Run(\"sigstore-keys\", func(t *testing.T) {\n\t\texpected, _ := 
NewSigstoreKeysFromConfigMap(sigstoreKeysMap)\n\t\tif diff := cmp.Diff(expected, config.SigstoreKeysConfig, ignoreStuff...); diff != \"\" {\n\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t}\n\t})\n}\n\nfunc TestStoreLoadWithContextOrDefaults(t *testing.T) {\n\timagePolicies := ConfigMapFromTestFile(t, ImagePoliciesConfigName)\n\tsigstoreKeysMap := ConfigMapFromTestFile(t, SigstoreKeysConfigName)\n\tconfig := FromContextOrDefaults(context.Background())\n\n\tt.Run(\"image-policies\", func(t *testing.T) {\n\t\texpected, _ := NewImagePoliciesConfigFromConfigMap(imagePolicies)\n\t\tif diff := cmp.Diff(expected, config.ImagePolicyConfig, ignoreStuff...); diff != \"\" {\n\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t}\n\t})\n\tt.Run(\"sigstore-keys\", func(t *testing.T) {\n\t\texpected, _ := NewSigstoreKeysFromConfigMap(sigstoreKeysMap)\n\t\tif diff := cmp.Diff(expected, config.SigstoreKeysConfig, ignoreStuff...); diff != \"\" {\n\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t}\n\t})\n}\n"
  },
  {
    "path": "pkg/apis/config/testdata/config-image-policies.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-image-policies\n  namespace: cosign-system\n  labels:\n    policy.sigstore.dev/release: devel\n\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n    cluster-image-policy-0: |\n      uid: cluster-image-policy-0-uid\n      resourceVersion: cluster-image-policy-0-resource-version\n      images:\n      - glob: rando\n      authorities:\n      - name: attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n      - name: attestation-1\n        key:\n          kms: whatevs\n    cluster-image-policy-1: |\n      uid: cluster-image-policy-1-uid\n      resourceVersion: cluster-image-policy-1-resource-version\n      images:\n      - glob: randomstuff*\n      authorities:\n      - name: attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n          
  -----END PUBLIC KEY-----\n    cluster-image-policy-2: |\n      uid: cluster-image-policy-2-uid\n      resourceVersion: cluster-image-policy-2-resource-version\n      images:\n      - glob: rando3\n      authorities:\n      - name: attestation-0\n        rfc3161timestamp:\n          trustRootRef: trustroot-tsa-ref\n        keyless:\n          insecureIgnoreSCT: true\n          ca-cert:\n            data: |-\n              -----BEGIN PUBLIC KEY-----\n              MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n              RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n              -----END PUBLIC KEY-----\n          url: http://keylessurl.here\n          identities:\n          - issuer: issuer\n            subject: subject\n    cluster-image-policy-3: |\n      uid: cluster-image-policy-3-uid\n      resourceVersion: cluster-image-policy-3-resource-version\n      images:\n      - glob: inlinecert\n      authorities:\n      - name: attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n    cluster-image-policy-4: |\n      uid: cluster-image-policy-4-uid\n      resourceVersion: cluster-image-policy-4-resource-version\n      images:\n      - glob: regexstring*\n      authorities:\n      - name: attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n    cluster-image-policy-5: |\n      uid: cluster-image-policy-5-uid\n      resourceVersion: cluster-image-policy-5-resource-version\n      images:\n      - glob: regexstringtoo*\n      authorities:\n      - name: attestation-0\n        key:\n        
  data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n    cluster-image-policy-json: \"{\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\",\\\"regex\\\":\\\"\\\"}],\\\"authorities\\\":[{\\\"key\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\"}}]}\"\n    cluster-image-policy-with-policy-attestations: |\n      images:\n      - glob: withattestations\n      authorities:\n      - name: attestation-0\n        keyless:\n          ca-cert:\n            data: |-\n              -----BEGIN PUBLIC KEY-----\n              MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n              RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n              -----END PUBLIC KEY-----\n          url: http://keylessurl.here\n          identities:\n          - issuer: issuer\n            subject: subject\n        attestations:\n        - predicateType: vuln\n          type: cue\n          data: \"test-cue-here\"\n      policy:\n        type: cue\n        data: \"cip level cue here\"\n    cluster-image-policy-source-oci: |\n      images:\n      - glob: sourceocionly*\n      authorities:\n      - name: attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n        source:\n        - oci: \"example.registry.com/alternative/signature\"\n    cluster-image-policy-source-oci-signature-pull-secrets: |\n      images:\n      - glob: sourceocisignaturepullsecrets*\n      authorities:\n      - name: 
attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n        source:\n        - oci: \"example.registry.com/alternative/signature\"\n          signaturePullSecrets:\n          - name: examplePullSecret\n    cluster-image-policy-match-pods: |\n      match:\n      - version: v1\n        resource: pods\n      images:\n      - glob: match-pods*\n      authorities:\n      - name: attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n    cluster-image-policy-match-deployments: |\n      match:\n      - group: apps\n        version: v1\n        resource: deployments\n      images:\n      - glob: match-deployments*\n      authorities:\n      - name: attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n"
  },
  {
    "path": "pkg/apis/config/testdata/config-invalid-image-policy.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-image-policies\n  namespace: cosign-system\n  labels:\n    policy.sigstore.dev/release: devel\n\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n    cluster-image-policy-0: |\n      images:\n      - glob: invalidkey\n      authorities:\n      - name: attestation-0\n        key:\n          data: |-\n            -----BEGIN PUBLIC KEY-----\n            MFkwEwYHKoZIzINVALIDKEYHEREAExB6+H6054/W1SJgs5JR6AJr6J35J\n            RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n            -----END PUBLIC KEY-----\n"
  },
  {
    "path": "pkg/apis/config/testdata/config-sigstore-keys.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-sigstore-keys\n  namespace: cosign-system\n  labels:\n    policy.sigstore.dev/release: devel\n\ndata:\n  _example: |\n    ################################\n    #                              #\n    #    EXAMPLE CONFIGURATION     #\n    #                              #\n    ################################\n    my-custom-sigstore-keys: |-\n      
{\"certificateAuthorities\":[{\"subject\":{\"organization\":\"fulcio-organization\",\"commonName\":\"fulcio-common-name\"},\"uri\":\"https://fulcio.example.com\",\"certChain\":{\"certificates\":[{\"rawBytes\":\"MIIFwzCCA6ugAwIBAgIIK7xb+rqY4gEwDQYJKoZIhvcNAQELBQAwfjEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRYwFAYDVQQJEw01NDggTWFya2V0IFN0MQ4wDAYDVQQREwU1NzI3NDEZMBcGA1UEChMQTGludXggRm91bmRhdGlvbjAeFw0yMjEyMDgwMjE3NTFaFw0yMzEyMDgwMjE3NTFaMH4xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UECRMNNTQ4IE1hcmtldCBTdDEOMAwGA1UEERMFNTcyNzQxGTAXBgNVBAoTEExpbnV4IEZvdW5kYXRpb24wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC142Ejlg2QxIwpNjbaeW/ft9sH1TXU6CWgbsvVp77vRgckSnpM3RTC/gwEwJHtX+GOTrP9ro6nFJN3G3hcFnaMHLKdGrof9iHu/w/lZLwQzXzVT+0ZyZxytHAWGFBvmYM4J33jH6Dj9PvqONwtSBSmZBPc/H/8EvYsUzxPWukhOtotSH3VXDqZ4jl96MLe0+5g2Wi7MxRX44X1RiPS14ba1ES538bThhcQ4SMj3uhbdsCIkcm7eF4EY3pEXQpXEEGnZGfwYgQr+6cT07Zd/WDM0NX3KxH6qRk9gDjPnfcMuFbOTbfD/nuvx6FNX6OUrzrZSglkLvcPIBVOW7Ln41LAb7aXmbWLFEJnuLooPpYYr+6NhnFDNGpsBKGKr/kvbQyDKKst3CKj9otPS1363ni41qnoA7YWSqxwz4185dKKc+Y7yvJQsRlr6qG1sNLO+c77fSS5VZImzNozBcRkuLJFlX+WB0uzgQU5s45IZW+fK92nfu8MmKjzHR+idyr4OyjS0YSN3GMgc0UP7K6hVphLedApFpykBSFGUgiPZwrT+mGSVgmOXq5n1dQTCD14lEh2qt3/rff8zNc0CMANWybaMGBGQ4bhVVXeRKYx9u2PZjPv53p7Yb/DCdqnGEDw/HCBDiCs4oYe4daE36xUojxDSm3DaeNG68z9RL7gfUjAxQIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUf+lbNX0Wh4h+Q0SRthRK+KfLjqEwDQYJKoZIhvcNAQELBQADggIBAEhJja0ZSKwXcaOXCYRXTE06+JbpezI5LevBhmbRQK789Rq10JeAXa7mEToRGlGFLH2uDT11msFKyM3v67KlE1SYVcqKmClYfIVEYH3La0uI+9rHZnWgb4Bly1B8wblKJzhYQD9Z4H/gs+BAsoRX5VoFyIgkNBk1p3ftaVCbkQvS0OYtYs5iw4eKcI71/IsTIT3Zppj9R8IGsqwLKgzfnyNcFJdz+ohc6V22PjZMEBHCsHPO4av2LlWK5Y1flL+2bqTqbmO/bjfX0w4Z1DuojRcOZF7SH4O3Qu2Y7/69gH7Cp0niVCm5z+S5011V6PvMjrmiE+xVkxLHbYEgocbFhd5DciMCXpvsuDZojaI3FREmBqiIhKoki3rbwuElya78bMwkZ1krp76nWso47/0+51io/WriAdr0cjmzonho7RqIE3DC77CEMkagZvKSmL3sff+WNSrnPlznK19NA2z4ImW9MszqPrCTQGP//BBu7SamzofVM9f4P
AIrFTpnW6sGdpCzP8E0WUu9B+viKrtfM/9sxnI9WhfJPdrEP0iZW3vhwvgQbKb5D2OSU4nrVov6BWr/BnhQK8IXo1tq3j8FCRIoleXNhks4gnkOaDsW2KtVqwtK3iO3BvPbL5w0gdLjwMLkek72y61Xqz5WxZwNhl5YcmBKuSvmVSHvA68BVSbB\"}]},\"validFor\":{\"start\":\"2024-01-01T00:00:00Z\"}}],\"tlogs\":[{\"baseUrl\":\"https://rekor.example.com\",\"hashAlgorithm\":\"SHA2_256\",\"publicKey\":{\"rawBytes\":\"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7D2WvgqSzs9jpdJsOJ5Nl6xg8JXmNmo7M3bN7+dQddw9Ibc2R3SV8tzBZw0rST8FKcn4apJepcKM4qUpYUeNfw==\",\"keyDetails\":\"PKIX_ECDSA_P256_SHA_256\",\"validFor\":{\"start\":\"2024-01-01T00:00:00Z\"}},\"logId\":{\"keyId\":\"0bac0fddd0c15fbc46f8b1bf51c2b57676a9f262294fe13417d85602e73f392a\"}}],\"ctlogs\":[{\"baseUrl\":\"https://ctfe.example.com\",\"hashAlgorithm\":\"SHA2_256\",\"publicKey\":{\"rawBytes\":\"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJvCJi707fv5tMJ1U2TVMZ+uO4dKGaEcvjlCkgBCKXbrkumZV0m0dSlK1V1gxEiyQ8y6hk1MxJNe2AZrZUt7a4w==\",\"keyDetails\":\"PKIX_ECDSA_P256_SHA_256\",\"validFor\":{\"start\":\"2024-01-01T00:00:00Z\"}},\"logId\":{\"keyId\":\"39d1c085f7d5f3fe7a0de9e52a3ead14186891e52a9269d90de7990a30b55083\"}}],\"timestampAuthorities\":[{\"subject\":{\"organization\":\"tsa-organization\",\"commonName\":\"tsa-common-name\"},\"uri\":\"https://tsa.example.com\",\"certChain\":{\"certificates\":[{\"rawBytes\":\"MIIBzDCCAXKgAwIBAgIUfyGKDoFa7y6s/W1p1CiTmBRs1eAwCgYIKoZIzj0EAwIwMDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0ZTAeFw0yMjExMDkyMDMxMzRaFw0zMTExMDkyMDM0MzRaMDAxDjAMBgNVBAoTBWxvY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3KcDy9jwARX0rDvyr+MGGkG3n1OA0MU5+ZiDmgusFyk6U6bovKWVMfD8J8NTcJZE0RaYJr8/dE9kgcIIXlhMwo2owaDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFHNn5R3b3MtUdSNrFO49Q6XDVSnkMB8GA1UdIwQYMBaAFNLS6gno7Om++Qt5zIa+H9o0HiT2MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqGSM49BAMCA0gAMEUCIQCF0olohnvdUq6T7/wPk19Z5aQP/yxRTjCWYuhn/TCyHgIgazV3air4GRZbN9bdYtcQ7JUAKq89GOhtFfl6kcoVUvU=\"},{\"rawBytes\":\"MIIB0jCCAXigAwIBAgIUXpBmYJFFaGW3cC8p6b/DHr1i8IowCgYIKoZIzj0EAw
IwKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIxMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAwMQ4wDAYDVQQKEwVsb2NhbDEeMBwGA1UEAxMVVGVzdCBUU0EgSW50ZXJtZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKDPDRIwDS1ZCymub6yanCG5ma0qDjLpNonDvooSkRHEgU0TNibeJn6M+5W608hCw8nwuucMbXQ41kNeuBeevyqN4MHYwDgYDVR0PAQH/BAQDAgEGMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNLS6gno7Om++Qt5zIa+H9o0HiT2MB8GA1UdIwQYMBaAFB1nvXpNK7AuQlbJ+ya6nPSqWi+TMAoGCCqGSM49BAMCA0gAMEUCIGiwqCI29w7C4V8TltCsi728s5DtklCPySDASUSua5y5AiEA40Ifdlwf7Uj8q8NSD6Z4g/0js0tGNdLSUJ1do/WoN0s=\"},{\"rawBytes\":\"MIIBlDCCATqgAwIBAgIUYZx9sS14En7SuHDOJJP4IPopMjUwCgYIKoZIzj0EAwIwKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIxMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAoMQ4wDAYDVQQKEwVsb2NhbDEWMBQGA1UEAxMNVGVzdCBUU0EgUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAbBB0SU8G75hVIUphChA4nfOwNWP347TjScIdsEPrKVn+/Y1HmmLHJDjSfn+xhEFoEk7jqgrqon48i4xbo7xAujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQdZ716TSuwLkJWyfsmupz0qlovkzAKBggqhkjOPQQDAgNIADBFAiBe5P56foqmFcZAVpEeAOFZrAlEiq05CCpMNYh5EjLvmAIhAKNF6xIV5uFdpSTJsAwzjW78CKQm7qol0uPmPPu6mNaw\"}]},\"validFor\":{\"start\":\"2024-01-01T00:00:00Z\"}}]}\n\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/doc.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n// Package v1beta1 contains the Autoscaling v1alpha1 API types.\n\n// +k8s:deepcopy-gen=package\n// +groupName=duck.sigstore.policy.dev\n\npackage v1beta1\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_defaults.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n)\n\n// PodScalableDefaulter is a callback to validate a PodScalable.\ntype PodScalableDefaulter func(context.Context, *PodScalable)\n\n// SetDefaults implements apis.Defaultable\nfunc (ps *PodScalable) SetDefaults(ctx context.Context) {\n\tif psd := GetPodScalableDefaulter(ctx); psd != nil {\n\t\tpsd(ctx, ps)\n\t}\n}\n\n// psdKey is used for associating a PodScalableDefaulter with a context.Context\ntype psdKey struct{}\n\nfunc WithPodScalableDefaulter(ctx context.Context, psd PodScalableDefaulter) context.Context {\n\treturn context.WithValue(ctx, psdKey{}, psd)\n}\n\n// GetPodScalableDefaulter extracts the PodScalableDefaulter from the context.\nfunc GetPodScalableDefaulter(ctx context.Context) PodScalableDefaulter {\n\tuntyped := ctx.Value(psdKey{})\n\tif untyped == nil {\n\t\treturn nil\n\t}\n\treturn untyped.(PodScalableDefaulter)\n}\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_defaults_test.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"knative.dev/pkg/ptr\"\n)\n\nfunc TestPodScalableDefaulting(t *testing.T) {\n\tp := PodScalable{\n\t\tSpec: PodScalableSpec{\n\t\t\tReplicas: ptr.Int32(10),\n\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\tName:  \"blah\",\n\t\t\t\t\t\tImage: \"busybox\",\n\t\t\t\t\t}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\twith func(context.Context) context.Context\n\t\twant *PodScalable\n\t}{{\n\t\tname: \"no check\",\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn ctx\n\t\t},\n\t\twant: p.DeepCopy(),\n\t}, {\n\t\tname: \"no change\",\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn WithPodScalableDefaulter(ctx, func(_ context.Context, _ *PodScalable) {\n\t\t\t})\n\t\t},\n\t\twant: p.DeepCopy(),\n\t}, {\n\t\tname: \"no busybox\",\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn WithPodScalableDefaulter(ctx, func(_ context.Context, wp *PodScalable) {\n\t\t\t\tfor i, c := range wp.Spec.Template.Spec.InitContainers {\n\t\t\t\t\tif !strings.Contains(c.Image, \"@\") {\n\t\t\t\t\t\twp.Spec.Template.Spec.InitContainers[i].Image = 
c.Image + \"@sha256:deadbeef\"\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tfor i, c := range wp.Spec.Template.Spec.Containers {\n\t\t\t\t\tif !strings.Contains(c.Image, \"@\") {\n\t\t\t\t\t\twp.Spec.Template.Spec.Containers[i].Image = c.Image + \"@sha256:deadbeef\"\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t})\n\t\t},\n\t\twant: &PodScalable{\n\t\t\tSpec: PodScalableSpec{\n\t\t\t\tReplicas: ptr.Int32(10),\n\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\tName:  \"blah\",\n\t\t\t\t\t\t\tImage: \"busybox@sha256:deadbeef\",\n\t\t\t\t\t\t}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tctx := test.with(context.Background())\n\t\t\tgot := p.DeepCopy()\n\t\t\tgot.SetDefaults(ctx)\n\t\t\tif !cmp.Equal(test.want, got) {\n\t\t\t\tt.Errorf(\"SetDefaults (-want, +got) = %s\", cmp.Diff(test.want, got))\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_implements_test.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"testing\"\n\n\tappsv1 \"k8s.io/api/apps/v1\"\n\n\t\"knative.dev/pkg/apis/duck\"\n)\n\nfunc TestImplementsPodScalable(t *testing.T) {\n\tinstances := []interface{}{\n\t\t&PodScalable{},\n\t\t&appsv1.ReplicaSet{},\n\t\t&appsv1.Deployment{},\n\t\t&appsv1.StatefulSet{},\n\t}\n\tfor _, instance := range instances {\n\t\tif err := duck.VerifyType(instance, &PodScalable{}); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_types.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\n\tcorev1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/apis/duck\"\n\t\"knative.dev/pkg/ptr\"\n)\n\n// +genduck\n// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n\n// PodScalable is a duck type that the are PodSpecable but also can scale.\n// These are used to validate resources that can be modified to scale down\n// even if they contain invalid images.\ntype PodScalable struct {\n\tmetav1.TypeMeta   `json:\",inline\"`\n\tmetav1.ObjectMeta `json:\"metadata,omitempty\"`\n\n\tSpec   PodScalableSpec   `json:\"spec\"`\n\tStatus PodScalableStatus `json:\"status\"`\n}\n\n// PodScalableSpec is the specification for the desired state of a\n// PodScalable (or at least our shared portion).\ntype PodScalableSpec struct {\n\tReplicas *int32                 `json:\"replicas,omitempty\"`\n\tSelector *metav1.LabelSelector  `json:\"selector\"`\n\tTemplate corev1.PodTemplateSpec `json:\"template\"`\n}\n\n// PodScalableStatus is the observed state of a PodScalable (or at\n// least our shared portion).\ntype PodScalableStatus struct {\n\tReplicas int32 `json:\"replicas,omitempty\"`\n}\n\nvar (\n\t_ apis.Validatable   = (*PodScalable)(nil)\n\t_ duck.Populatable   = 
(*PodScalable)(nil)\n\t_ duck.Implementable = (*PodScalable)(nil)\n\t_ apis.Listable      = (*PodScalable)(nil)\n)\n\n// GetFullType implements duck.Implementable\nfunc (*PodScalable) GetFullType() duck.Populatable {\n\treturn &PodScalable{}\n}\n\n// Populate implements duck.Populatable\nfunc (ps *PodScalable) Populate() {\n\tps.Spec = PodScalableSpec{\n\t\tReplicas: ptr.Int32(12),\n\t\tSelector: &metav1.LabelSelector{\n\t\t\tMatchLabels: map[string]string{\n\t\t\t\t\"foo\": \"bar\",\n\t\t\t},\n\t\t\tMatchExpressions: []metav1.LabelSelectorRequirement{{\n\t\t\t\tKey:      \"foo\",\n\t\t\t\tOperator: \"In\",\n\t\t\t\tValues:   []string{\"baz\", \"blah\"},\n\t\t\t}},\n\t\t},\n\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tLabels: map[string]string{\n\t\t\t\t\t\"foo\": \"bar\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tSpec: corev1.PodSpec{\n\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\tName:  \"container-name\",\n\t\t\t\t\tImage: \"container-image:latest\",\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t}\n\tps.Status = PodScalableStatus{\n\t\tReplicas: 42,\n\t}\n}\n\n// GetListType implements apis.Listable\nfunc (*PodScalable) GetListType() runtime.Object {\n\treturn &PodScalableList{}\n}\n\n// IsScalingDown returns true if PodScalable is being scaled down\nfunc (ps *PodScalable) IsScalingDown(ctx context.Context) bool {\n\tif apis.IsInUpdate(ctx) {\n\t\tnewReplicaCount := ps.Spec.Replicas\n\t\toriginal := apis.GetBaseline(ctx).(*PodScalable)\n\t\tif newReplicaCount != nil && original != nil && original.Spec.Replicas != nil {\n\t\t\tif *newReplicaCount < *original.Spec.Replicas {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n\n// PodScalableList is a list of PodScalable resources\ntype PodScalableList struct {\n\tmetav1.TypeMeta `json:\",inline\"`\n\tmetav1.ListMeta `json:\"metadata\"`\n\n\tItems []PodScalable `json:\"items\"`\n}\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_types_test.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"testing\"\n\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/ptr\"\n)\n\nfunc TestPodScalableIsScalingDown(t *testing.T) {\n\toriginal := &PodScalable{\n\t\tSpec: PodScalableSpec{\n\t\t\tReplicas: ptr.Int32(2),\n\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\tName:  \"blah\",\n\t\t\t\t\t\tImage: \"busybox\",\n\t\t\t\t\t}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\ttests := []struct {\n\t\tname string\n\t\tnew  *PodScalable\n\t\twith func(context.Context) context.Context\n\t\twant bool\n\t}{{\n\t\tname: \"not in update\",\n\t\tnew:  original.DeepCopy(),\n\t\twant: false,\n\t}, {\n\t\tname: \"scaling up\",\n\t\tnew: &PodScalable{\n\t\t\tSpec: PodScalableSpec{\n\t\t\t\tReplicas: ptr.Int32(4),\n\t\t\t}},\n\t\twant: false,\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn apis.WithinUpdate(ctx, original)\n\t\t},\n\t}, {\n\t\tname: \"scaling down\",\n\t\tnew: &PodScalable{\n\t\t\tSpec: PodScalableSpec{\n\t\t\t\tReplicas: ptr.Int32(1),\n\t\t\t}},\n\t\twant: true,\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn apis.WithinUpdate(ctx, original)\n\t\t},\n\t}, {\n\t\tname: \"scaling down with /scale\",\n\t\tnew: &PodScalable{\n\t\t\tSpec: 
PodScalableSpec{\n\t\t\t\tReplicas: ptr.Int32(1),\n\t\t\t}},\n\t\twant: true,\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn apis.WithinSubResourceUpdate(ctx, original, \"scale\")\n\t\t},\n\t}}\n\tfor _, tc := range tests {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tctx := context.Background()\n\t\t\tif tc.with != nil {\n\t\t\t\tctx = tc.with(ctx)\n\t\t\t}\n\t\t\tif got := tc.new.IsScalingDown(ctx); tc.want != got {\n\t\t\t\tt.Errorf(\"Unexpected scaling down result, want %v got %v\", tc.want, got)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_validation.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\n\t\"knative.dev/pkg/apis\"\n)\n\n// PodScalableValidator is a callback to validate a PodScalable.\ntype PodScalableValidator func(context.Context, *PodScalable) *apis.FieldError\n\n// Validate implements apis.Validatable\nfunc (ps *PodScalable) Validate(ctx context.Context) *apis.FieldError {\n\tif psv := GetPodScalableValidator(ctx); psv != nil {\n\t\treturn psv(ctx, ps)\n\t}\n\treturn nil\n}\n\n// psvKey is used for associating a PodScalableValidator with a context.Context\ntype psvKey struct{}\n\nfunc WithPodScalableValidator(ctx context.Context, psv PodScalableValidator) context.Context {\n\treturn context.WithValue(ctx, psvKey{}, psv)\n}\n\n// GetPodScalableValidator extracts the PodScalableValidator from the context.\nfunc GetPodScalableValidator(ctx context.Context) PodScalableValidator {\n\tuntyped := ctx.Value(psvKey{})\n\tif untyped == nil {\n\t\treturn nil\n\t}\n\treturn untyped.(PodScalableValidator)\n}\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_validation_test.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"testing\"\n\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/ptr\"\n)\n\nfunc TestPodScalableValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\twith func(context.Context) context.Context\n\t\twant *apis.FieldError\n\t}{{\n\t\tname: \"no check\",\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn ctx\n\t\t},\n\t\twant: nil,\n\t}, {\n\t\tname: \"no error\",\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn WithPodScalableValidator(ctx, func(_ context.Context, _ *PodScalable) *apis.FieldError {\n\t\t\t\treturn nil\n\t\t\t})\n\t\t},\n\t\twant: nil,\n\t}, {\n\t\tname: \"no busybox\",\n\t\twith: func(ctx context.Context) context.Context {\n\t\t\treturn WithPodScalableValidator(ctx, func(_ context.Context, wp *PodScalable) *apis.FieldError {\n\t\t\t\tfor i, c := range wp.Spec.Template.Spec.InitContainers {\n\t\t\t\t\tif c.Image == \"busybox\" {\n\t\t\t\t\t\treturn apis.ErrInvalidValue(c.Image, \"image\").ViaFieldIndex(\"spec.template.spec.initContainers\", i)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tfor i, c := range wp.Spec.Template.Spec.Containers {\n\t\t\t\t\tif c.Image == \"busybox\" {\n\t\t\t\t\t\treturn apis.ErrInvalidValue(c.Image, \"image\").ViaFieldIndex(\"spec.template.spec.containers\", 
i)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t})\n\t\t},\n\t\twant: apis.ErrInvalidValue(\"busybox\", \"spec.template.spec.containers[0].image\"),\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tp := PodScalable{\n\t\t\t\tSpec: PodScalableSpec{\n\t\t\t\t\tReplicas: ptr.Int32(3),\n\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\tName:  \"blah\",\n\t\t\t\t\t\t\t\tImage: \"busybox\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\tctx := test.with(context.Background())\n\t\t\tgot := p.Validate(ctx)\n\t\t\tif test.want.Error() != got.Error() {\n\t\t\t\tt.Errorf(\"Validate() = %v, wanted %v\", got, test.want)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/register.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n// Package v1beta1 contains the Autoscaling v1alpha1 API types.\n\npackage v1beta1\n\nimport (\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n)\n\n// SchemeGroupVersion is group version used to register these objects\nvar SchemeGroupVersion = schema.GroupVersion{Group: policy.DuckGroupName, Version: \"v1beta1\"}\n\n// Kind takes an unqualified kind and returns back a Group qualified GroupKind\nfunc Kind(kind string) schema.GroupKind {\n\treturn SchemeGroupVersion.WithKind(kind).GroupKind()\n}\n\n// Resource takes an unqualified resource and returns a Group qualified GroupResource\nfunc Resource(resource string) schema.GroupResource {\n\treturn SchemeGroupVersion.WithResource(resource).GroupResource()\n}\n\nvar (\n\t// SchemeBuilder registers the addKnownTypes function.\n\tSchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)\n\t// AddToScheme applies all the stored functions to the scheme.\n\tAddToScheme = SchemeBuilder.AddToScheme\n)\n\n// Adds the list of known types to Scheme.\nfunc addKnownTypes(scheme *runtime.Scheme) error {\n\tscheme.AddKnownTypes(SchemeGroupVersion,\n\t\t&PodScalable{},\n\t\t&PodScalableList{},\n\t)\n\tmetav1.AddToGroupVersion(scheme, SchemeGroupVersion)\n\treturn 
nil\n}\n"
  },
  {
    "path": "pkg/apis/duck/v1beta1/zz_generated.deepcopy.go",
    "content": "//go:build !ignore_autogenerated\n// +build !ignore_autogenerated\n\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by deepcopy-gen. DO NOT EDIT.\n\npackage v1beta1\n\nimport (\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n)\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *PodScalable) DeepCopyInto(out *PodScalable) {\n\t*out = *in\n\tout.TypeMeta = in.TypeMeta\n\tin.ObjectMeta.DeepCopyInto(&out.ObjectMeta)\n\tin.Spec.DeepCopyInto(&out.Spec)\n\tout.Status = in.Status\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodScalable.\nfunc (in *PodScalable) DeepCopy() *PodScalable {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(PodScalable)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.\nfunc (in *PodScalable) DeepCopyObject() runtime.Object {\n\tif c := in.DeepCopy(); c != nil {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *PodScalableList) DeepCopyInto(out *PodScalableList) {\n\t*out = *in\n\tout.TypeMeta = in.TypeMeta\n\tin.ListMeta.DeepCopyInto(&out.ListMeta)\n\tif in.Items != nil {\n\t\tin, out := &in.Items, &out.Items\n\t\t*out = make([]PodScalable, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodScalableList.\nfunc (in *PodScalableList) DeepCopy() *PodScalableList {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(PodScalableList)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.\nfunc (in *PodScalableList) DeepCopyObject() runtime.Object {\n\tif c := in.DeepCopy(); c != nil {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *PodScalableSpec) DeepCopyInto(out *PodScalableSpec) {\n\t*out = *in\n\tif in.Replicas != nil {\n\t\tin, out := &in.Replicas, &out.Replicas\n\t\t*out = new(int32)\n\t\t**out = **in\n\t}\n\tif in.Selector != nil {\n\t\tin, out := &in.Selector, &out.Selector\n\t\t*out = new(v1.LabelSelector)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tin.Template.DeepCopyInto(&out.Template)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodScalableSpec.\nfunc (in *PodScalableSpec) DeepCopy() *PodScalableSpec {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(PodScalableSpec)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *PodScalableStatus) DeepCopyInto(out *PodScalableStatus) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodScalableStatus.\nfunc (in *PodScalableStatus) DeepCopy() *PodScalableStatus {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(PodScalableStatus)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n"
  },
  {
    "path": "pkg/apis/glob/glob.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage glob\n\nimport (\n\t\"fmt\"\n\t\"regexp\"\n\t\"strings\"\n\n\t\"github.com/google/go-containerregistry/pkg/name\"\n)\n\nconst (\n\tResolvedDockerhubHost = \"index.docker.io/\"\n\t// Images such as \"busybox\" reside in the dockerhub \"library\" repository\n\t// The full resolved image reference would be index.docker.io/library/busybox\n\tDockerhubPublicRepository = \"library/\"\n)\n\nvar validGlob = regexp.MustCompile(`^[a-zA-Z0-9-_:\\/\\*\\.@]+$`)\n\n// Compile attempts to normalize the glob and turn it into a regular expression\n// that we can use for matching image names.\nfunc Compile(glob string) (*regexp.Regexp, error) {\n\tif glob == \"*/*\" {\n\t\t// TODO: Warn that the glob match \"*/*\" should be \"index.docker.io/*/*\".\n\t\tglob = \"index.docker.io/*/*\"\n\t}\n\tif glob == \"*\" {\n\t\t// TODO: Warn that the glob match \"*\" should be \"index.docker.io/library/*\".\n\t\tglob = \"index.docker.io/library/*\"\n\t}\n\n\t// Reject that glob doesn't look like a regexp\n\tif !validGlob.MatchString(glob) {\n\t\treturn nil, fmt.Errorf(\"invalid glob %q\", glob)\n\t}\n\n\t// Translate glob to regexp.\n\tglob = strings.ReplaceAll(glob, \".\", `\\.`) // . in glob means \\. 
in regexp\n\tglob = strings.ReplaceAll(glob, \"**\", \"#\") // ** in glob means 0+ of any character in regexp\n\t// We replace ** with a placeholder here, rather than `.*` directly, because the next line\n\t// would replace that `*` again, breaking the regexp. So we stash the change with a placeholder,\n\t// then replace the placeholder later to preserve the original intent.\n\tglob = strings.ReplaceAll(glob, \"*\", \"[^/]*\") // * in glob means 0+ of any non-`/` character in regexp\n\tglob = strings.ReplaceAll(glob, \"#\", \".*\")\n\tglob = fmt.Sprintf(\"^%s$\", glob) // glob must match the whole string\n\n\treturn regexp.Compile(glob)\n}\n\n// Match will return true if the image reference matches the requested glob pattern.\n//\n// If the image reference is invalid, an error will be returned.\n//\n// In the glob pattern, the \"*\" character matches any non-\"/\" character, and \"**\" matches any character, including \"/\".\n//\n// If the image is a DockerHub official image like \"ubuntu\" or \"debian\", the glob that matches it must be something like index.docker.io/library/ubuntu.\n// If the image is a DockerHub used-owned image like \"myuser/myapp\", then the glob that matches it must be something like index.docker.io/myuser/myapp.\n// This means that the glob patterns \"*\" will not match the image name \"ubuntu\", and \"*/*\" will not match \"myuser/myapp\"; the \"index.docker.io\" prefix is required.\n//\n// If the image does not specify a tag (e.g., :latest or :v1.2.3), the tag \":latest\" will be assumed.\n//\n// Note that the tag delimiter (\":\") does not act as a breaking separator for the purposes of a \"*\" glob.\n// To match any tag, the glob should end with \":**\".\nfunc Match(glob, image string) (bool, error) {\n\tre, err := Compile(glob)\n\tif err != nil {\n\t\treturn false, err\n\t}\n\n\t// TODO: do we want \":\" to count as a separator like \"/\" is?\n\n\tref, err := name.ParseReference(image, name.WeakValidation)\n\tif err != nil {\n\t\treturn 
false, err\n\t}\n\n\tmatch := re.MatchString(ref.Name())\n\tif !match && ref.Name() != image {\n\t\t// If the image was not fully qualified, try matching the glob against the original non-fully-qualified.\n\t\t// This should be a warning and this behavior should eventually be removed.\n\t\tmatch = re.MatchString(image)\n\t}\n\treturn match, nil\n}\n"
  },
  {
    "path": "pkg/apis/glob/glob_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage glob\n\nimport (\n\t\"testing\"\n)\n\nfunc TestGlobMatch(t *testing.T) {\n\tfor _, c := range []struct {\n\t\timage, glob string\n\t\twantMatch   bool\n\t\twantErr     bool\n\t}{\n\t\t{image: \"foo\", glob: \"index.docker.io/library/foo:latest\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"index.docker.io/library/foo:*\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"index.docker.io/library/*\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"index.docker.io/library/*:latest\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"index.docker.io/*/*\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"index.docker.io/**\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"index.docker.**\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"inde**\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"**\", wantMatch: true},\n\t\t{image: \"foo\", glob: \"foo\", wantMatch: true},   // matches because of deprecated fallback logic.\n\t\t{image: \"foo\", glob: \"foo*\", wantMatch: true},  // * matches 0+ characters\n\t\t{image: \"foo\", glob: \"foo**\", wantMatch: true}, // ** matches 0+ characters\n\n\t\t{image: \"myuser/myapp\", glob: \"index.docker.io/myuser/myapp:latest\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"index.docker.io/myuser/myapp:*\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"index.docker.io/myuser/*\", 
wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"index.docker.io/myuser/*:latest\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"index.docker.io/*/*\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"index.docker.io/**\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"index.docker.**\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"inde**\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"**\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"myuser/myapp\", wantMatch: true},   // matches because of deprecated fallback logic.\n\t\t{image: \"myuser/myapp\", glob: \"myuser/myapp*\", wantMatch: true},  // * matches 0+ characters\n\t\t{image: \"myuser/myapp\", glob: \"myuser/myapp**\", wantMatch: true}, // ** matches 0+ characters\n\n\t\t// Fully qualified refs and globs.\n\t\t{image: \"ghcr.io/foo/bar\", glob: \"ghcr.io/*/*\", wantMatch: true},\n\t\t{image: \"ghcr.io/foo/bar\", glob: \"ghcr.io/**\", wantMatch: true},\n\t\t{image: \"ghcr.io/foo\", glob: \"ghcr.io/*/*\", wantMatch: false}, // doesn't match second *\n\t\t{image: \"ghcr.io/foo\", glob: \"ghcr.io/**\", wantMatch: true},\n\t\t{image: \"ghcr.io/foo\", glob: \"ghc**\", wantMatch: true},\n\t\t{image: \"ghcr.io/foo\", glob: \"**\", wantMatch: true},\n\t\t{image: \"ghcr.io/foo\", glob: \"*/**\", wantMatch: true},\n\t\t{image: \"ghcr.io/foo\", glob: \"ghcr.io/foo*\", wantMatch: true},  // * matches 0+ characters\n\t\t{image: \"ghcr.io/foo\", glob: \"ghcr.io/foo**\", wantMatch: true}, // ** matches 0+ characters\n\n\t\t// Various error cases.\n\t\t{image: \"prefix-ghcr.io/foo\", glob: \"ghcr.io/foo\", wantMatch: false},     // glob starts at beginning.\n\t\t{image: \"ghcr.io/foo-suffix\", glob: \"ghcr.io/foo\", wantMatch: false},     // glob ends at the end.\n\t\t{image: \"ghcrxio/foo\", glob: \"ghcr.io/**\", wantMatch: false},             // dots in glob are replaced with \\., not treated as regexp .\n\t\t{image: \"invalid&name\", glob: \"**\", 
wantMatch: false, wantErr: true},     // invalid refs are not matched.\n\t\t{image: \"invalid-glob\", glob: \".+\", wantMatch: false, wantErr: true},     // invalid globs are rejected.\n\t\t{image: \"invalid-glob\", glob: \"[a-z]*\", wantMatch: false, wantErr: true}, // invalid globs are rejected.\n\n\t\t// Upgrading unqualified globs to assume index.docker.io prefix.\n\t\t{image: \"foo\", glob: \"*\", wantMatch: true},\n\t\t{image: \"myuser/myapp\", glob: \"*/*\", wantMatch: true},\n\n\t\t// Image with digest (exact match)\n\t\t{\n\t\t\timage:     \"ghcr.io/foo@sha256:5504f2a95018e3d8a52d80d9e1a128c6ea337581808ff9fe96f5628ce2336350\",\n\t\t\tglob:      \"ghcr.io/foo@sha256:5504f2a95018e3d8a52d80d9e1a128c6ea337581808ff9fe96f5628ce2336350\",\n\t\t\twantMatch: true,\n\t\t},\n\t} {\n\t\tt.Run(c.image+\"|\"+c.glob, func(t *testing.T) {\n\t\t\tmatch, err := Match(c.glob, c.image)\n\t\t\tif match != c.wantMatch {\n\t\t\t\tt.Errorf(\"match: got %t, want %t\", match, c.wantMatch)\n\t\t\t}\n\t\t\tif gotErr := err != nil; gotErr != c.wantErr {\n\t\t\t\tt.Errorf(\"err: got %v, want %t\", err, c.wantErr)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/common/validation.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"regexp\"\n\t\"strings\"\n\n\t\"github.com/aws/aws-sdk-go-v2/aws/arn\"\n\tregistryfuncs \"github.com/google/go-containerregistry/pkg/name\"\n\t\"github.com/sigstore/sigstore/pkg/signature/kms/aws\"\n\t\"github.com/sigstore/sigstore/pkg/signature/kms/azure\"\n\t\"github.com/sigstore/sigstore/pkg/signature/kms/gcp\"\n\t\"github.com/sigstore/sigstore/pkg/signature/kms/hashivault\"\n\t\"k8s.io/apimachinery/pkg/util/sets\"\n\t\"knative.dev/pkg/apis\"\n)\n\nconst (\n\tociRepoDelimiter = \"/\"\n)\n\nvar (\n\tSupportedKMSProviders = []string{aws.ReferenceScheme, azure.ReferenceScheme, hashivault.ReferenceScheme, gcp.ReferenceScheme}\n\n\t// TODO: create constants in to cosign?\n\tValidPredicateTypes = sets.NewString(\"custom\", \"slsaprovenance\", \"spdx\",\n\t\t\"spdxjson\", \"cyclonedx\", \"link\", \"vuln\")\n\n\t// If a static matches, define the behaviour for it.\n\tValidStaticRefTypes = sets.NewString(\"fail\", \"pass\")\n\n\t// Valid modes for a policy\n\tValidModes = sets.NewString(\"enforce\", \"warn\")\n\n\t// ValidResourceNames for a policy match selector.\n\t// By default, this is empty, which should allow any resource name, however,\n\t// this can be populated with the set of resources to allow in the validating\n\t// webhook, which should match the set of 
resources.\n\tValidResourceNames = sets.NewString()\n)\n\nfunc ValidateOCI(oci string) error {\n\t// We want to validate both registry uris only or registry with valid repository names\n\tparts := strings.SplitN(oci, ociRepoDelimiter, 2)\n\tif len(parts) == 2 && (strings.ContainsRune(parts[0], '.') || strings.ContainsRune(parts[0], ':')) {\n\t\t_, err := registryfuncs.NewRepository(oci, registryfuncs.StrictValidation)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t}\n\t_, err := registryfuncs.NewRegistry(oci, registryfuncs.StrictValidation)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nvar (\n\terrKMSReference = errors.New(\"kms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\")\n\n\t// Key ID/ALIAS/ARN conforms to KMS standard documented here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id\n\t// Key format examples:\n\t// Key ID: awskms:///1234abcd-12ab-34cd-56ef-1234567890ab\n\t// Key ID with endpoint: awskms://localhost:4566/1234abcd-12ab-34cd-56ef-1234567890ab\n\t// Key ARN: awskms:///arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\n\t// Key ARN with endpoint: awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\n\t// Alias name: awskms:///alias/ExampleAlias\n\t// Alias name with endpoint: awskms://localhost:4566/alias/ExampleAlias\n\t// Alias ARN: awskms:///arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias\n\t// Alias ARN with endpoint: awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias\n\tuuidRE      = `m?r?k?-?[A-Fa-f0-9]{8}-?[A-Fa-f0-9]{4}-?[A-Fa-f0-9]{4}-?[A-Fa-f0-9]{4}-?[A-Fa-f0-9]{12}`\n\tarnRE       = `arn:(?:aws|aws-us-gov|aws-cn):kms:[a-z0-9-]+:\\d{12}:`\n\thostRE      = `([^/]*)/`\n\tkeyIDRE     = regexp.MustCompile(`^awskms://` + hostRE + `(` + uuidRE + `)$`)\n\tkeyARNRE    = regexp.MustCompile(`^awskms://` + hostRE + `(` + arnRE + `key/` + uuidRE + 
`)$`)\n\taliasNameRE = regexp.MustCompile(`^awskms://` + hostRE + `((alias/.*))$`)\n\taliasARNRE  = regexp.MustCompile(`^awskms://` + hostRE + `(` + arnRE + `(alias/.*))$`)\n\tallREs      = []*regexp.Regexp{keyIDRE, keyARNRE, aliasNameRE, aliasARNRE}\n)\n\n// validAWSKMSRegex returns a non-nil error if the reference string is invalid\nfunc validAWSKMSRegex(ref string) error {\n\tfor _, re := range allREs {\n\t\tif re.MatchString(ref) {\n\t\t\treturn nil\n\t\t}\n\t}\n\treturn errKMSReference\n}\n\n// validateAWSKMS validates that the KMS conforms to AWS\n// KMS format:\n// awskms://$ENDPOINT/$KEYID\n// Where:\n// $ENDPOINT is optional\n// $KEYID is either the key ARN or an alias ARN\n// Key ID/ALIAS/ARN conforms to KMS standard documented here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id\n// Reasoning for only supporting these formats is that other\n// formats require additional configuration via ENV variables.\nfunc validateAWSKMS(kms string) *apis.FieldError {\n\tparts := strings.Split(kms, \"/\")\n\t// Either it is a key id reference or an endpoint, it should be composed of more than 4 parts.\n\tif len(parts) < 4 {\n\t\treturn apis.ErrInvalidValue(kms, apis.CurrentField, \"malformed AWS KMS format 'awskms://$ENDPOINT/$KEYID', should be conformant with KMS standard documented here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id\")\n\t}\n\n\t// validate the awskms reference against valid regular expressions\n\tif err := validAWSKMSRegex(kms); err != nil {\n\t\treturn apis.ErrInvalidValue(kms, apis.CurrentField, err.Error())\n\t}\n\n\tendpoint := parts[2]\n\t// Sometimes this logic assumes the endpoint is part of the KEY e.g. 
awskms://arn:...\n\t// These examples are invalid, so we need to throw proper errors\n\tif endpoint != \"\" && (strings.HasPrefix(endpoint, \"arn\") || strings.HasPrefix(endpoint, \"alias\")) {\n\t\treturn apis.ErrInvalidValue(kms, apis.CurrentField, errKMSReference.Error())\n\t}\n\t// Even when the reference matches, the endpoint itself may still be malformed; validate it only if it is not empty\n\tif endpoint != \"\" {\n\t\t_, _, err := net.SplitHostPort(endpoint)\n\t\tif err != nil {\n\t\t\treturn apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf(\"malformed endpoint: %s\", err))\n\t\t}\n\t}\n\tkeyID := parts[3]\n\tarn, err := arn.Parse(keyID)\n\tif err != nil {\n\t\treturn apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf(\"failed to parse either key or alias arn: %s\", err))\n\t}\n\t// Only support key or alias ARN.\n\tif arn.Resource != \"key\" && arn.Resource != \"alias\" {\n\t\treturn apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf(\"Got ARN: %+v Resource: %s\", arn, arn.Resource))\n\t}\n\treturn nil\n}\n\nfunc ValidateKMS(kms string) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tvalidPrefix := false\n\tfor _, prefix := range SupportedKMSProviders {\n\t\tif strings.HasPrefix(kms, prefix) {\n\t\t\tvalidPrefix = true\n\t\t\tbreak\n\t\t}\n\t}\n\tif !validPrefix {\n\t\treturn apis.ErrInvalidValue(kms, apis.CurrentField, fmt.Sprintf(\"malformed KMS format, should be prefixed by any of the supported providers: %v\", SupportedKMSProviders))\n\t}\n\tif strings.HasPrefix(kms, aws.ReferenceScheme) {\n\t\terrs = errs.Also(validateAWSKMS(kms))\n\t}\n\treturn errs\n}\n"
  },
  {
    "path": "pkg/apis/policy/common/validation_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage common\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n)\n\nfunc TestValidateOCI(t *testing.T) {\n\ttests := []struct {\n\t\toci         string\n\t\terrorString string\n\t\tisError     bool\n\t}{\n\t\t{\n\t\t\toci:     \"gcr.io\",\n\t\t\tisError: false,\n\t\t},\n\t\t{\n\t\t\toci:         \"gcr.io/test/*\",\n\t\t\terrorString: \"repository can only contain the characters `abcdefghijklmnopqrstuvwxyz0123456789_-./`: test/*\",\n\t\t\tisError:     true,\n\t\t},\n\t\t{\n\t\t\toci:         \"gcr.@io/test\",\n\t\t\terrorString: \"registries must be valid RFC 3986 URI authorities: gcr.@io\",\n\t\t\tisError:     true,\n\t\t},\n\t\t{\n\t\t\toci:     \"ghcr.io/sigstore/test\",\n\t\t\tisError: false,\n\t\t},\n\t\t{\n\t\t\toci:     \"registry.example.com\",\n\t\t\tisError: false,\n\t\t},\n\t\t{\n\t\t\toci:     \"localhost:8080/test\",\n\t\t\tisError: false,\n\t\t},\n\t\t{\n\t\t\toci:     \"localhost\",\n\t\t\tisError: false,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.oci, func(t *testing.T) {\n\t\t\terr := ValidateOCI(test.oci)\n\t\t\tif !test.isError && err != nil {\n\t\t\t\tt.Error(\"Unxpected error\", err.Error())\n\t\t\t}\n\t\t\tif test.isError {\n\t\t\t\tif diff := cmp.Diff(test.errorString, err.Error()); diff != \"\" {\n\t\t\t\t\tt.Error(\"Unexpected error mesage (-want, +got):\", 
diff)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/register.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport \"k8s.io/apimachinery/pkg/runtime/schema\"\n\nconst (\n\t// GroupName is the name of the API group.\n\tGroupName     = \"policy.sigstore.dev\"\n\tDuckGroupName = \"duck.policy.sigstore.dev\"\n)\n\nvar (\n\t// ClusterImagePolicyResource represents a ClusterImagePolicy\n\tClusterImagePolicyResource = schema.GroupResource{\n\t\tGroup:    GroupName,\n\t\tResource: \"clusterimagepolicies\",\n\t}\n)\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tv1 \"k8s.io/api/core/v1\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/ptr\"\n)\n\nvar _ apis.Convertible = (*ClusterImagePolicy)(nil)\n\n// ConvertTo implements api.Convertible\nfunc (c *ClusterImagePolicy) ConvertTo(ctx context.Context, obj apis.Convertible) error {\n\tswitch sink := obj.(type) {\n\tcase *v1beta1.ClusterImagePolicy:\n\t\tsink.ObjectMeta = c.ObjectMeta\n\t\tsink.Status.Status = c.Status.DeepCopy().Status\n\t\treturn c.Spec.ConvertTo(ctx, &sink.Spec)\n\tdefault:\n\t\treturn fmt.Errorf(\"unknown version, got: %T\", sink)\n\t}\n}\n\n// ConvertFrom implements api.Convertible\nfunc (c *ClusterImagePolicy) ConvertFrom(ctx context.Context, obj apis.Convertible) error {\n\tswitch source := obj.(type) {\n\tcase *v1beta1.ClusterImagePolicy:\n\t\tc.ObjectMeta = source.ObjectMeta\n\t\tc.Status.Status = source.Status.DeepCopy().Status\n\t\treturn c.Spec.ConvertFrom(ctx, &source.Spec)\n\tdefault:\n\t\treturn fmt.Errorf(\"unknown version, got: %T\", c)\n\t}\n}\n\nfunc (spec *ClusterImagePolicySpec) ConvertTo(ctx context.Context, sink *v1beta1.ClusterImagePolicySpec) error {\n\tfor _, image := range spec.Images {\n\t\tsink.Images = append(sink.Images, v1beta1.ImagePattern{Glob: image.Glob})\n\t}\n\tfor _, 
authority := range spec.Authorities {\n\t\tv1beta1Authority := v1beta1.Authority{}\n\t\terr := authority.ConvertTo(ctx, &v1beta1Authority)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsink.Authorities = append(sink.Authorities, v1beta1Authority)\n\t}\n\tfor _, m := range spec.Match {\n\t\tv1beta1Match := v1beta1.MatchResource{}\n\t\terr := m.ConvertTo(ctx, &v1beta1Match)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsink.Match = append(sink.Match, v1beta1Match)\n\t}\n\tif spec.Policy != nil {\n\t\tsink.Policy = &v1beta1.Policy{}\n\t\tspec.Policy.ConvertTo(ctx, sink.Policy)\n\t}\n\tsink.Mode = spec.Mode\n\treturn nil\n}\n\nfunc (matchResource *MatchResource) ConvertTo(_ context.Context, sink *v1beta1.MatchResource) error {\n\tsink.GroupVersionResource = *matchResource.GroupVersionResource.DeepCopy()\n\tif matchResource.ResourceSelector != nil {\n\t\tsink.ResourceSelector = matchResource.ResourceSelector.DeepCopy()\n\t}\n\n\treturn nil\n}\n\nfunc (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authority) error {\n\tsink.Name = authority.Name\n\tsink.SignatureFormat = authority.SignatureFormat\n\tif authority.CTLog != nil && authority.CTLog.URL != nil {\n\t\tsink.CTLog = &v1beta1.TLog{\n\t\t\tURL:          authority.CTLog.URL.DeepCopy(),\n\t\t\tTrustRootRef: authority.CTLog.TrustRootRef,\n\t\t}\n\t}\n\tif authority.RFC3161Timestamp != nil && authority.RFC3161Timestamp.TrustRootRef != \"\" {\n\t\tsink.RFC3161Timestamp = &v1beta1.RFC3161Timestamp{}\n\t\tsink.RFC3161Timestamp.TrustRootRef = authority.RFC3161Timestamp.TrustRootRef\n\t}\n\tfor _, source := range authority.Sources {\n\t\tv1beta1Source := v1beta1.Source{}\n\t\tv1beta1Source.OCI = source.OCI\n\t\tv1beta1Source.TagPrefix = source.TagPrefix\n\t\tfor _, sps := range source.SignaturePullSecrets {\n\t\t\tv1beta1Source.SignaturePullSecrets = append(v1beta1Source.SignaturePullSecrets, v1.LocalObjectReference{Name: sps.Name})\n\t\t}\n\t\tsink.Sources = append(sink.Sources, 
v1beta1Source)\n\t}\n\tfor _, att := range authority.Attestations {\n\t\tv1beta1Att := v1beta1.Attestation{}\n\t\tv1beta1Att.Name = att.Name\n\t\tv1beta1Att.PredicateType = att.PredicateType\n\t\tif att.Policy != nil {\n\t\t\tv1beta1Att.Policy = &v1beta1.Policy{}\n\t\t\tatt.Policy.ConvertTo(ctx, v1beta1Att.Policy)\n\t\t}\n\t\tsink.Attestations = append(sink.Attestations, v1beta1Att)\n\t}\n\tif authority.Key != nil {\n\t\tsink.Key = &v1beta1.KeyRef{}\n\t\tauthority.Key.ConvertTo(ctx, sink.Key)\n\t}\n\tif authority.Keyless != nil {\n\t\tsink.Keyless = &v1beta1.KeylessRef{\n\t\t\tURL:          authority.Keyless.URL.DeepCopy(),\n\t\t\tTrustRootRef: authority.Keyless.TrustRootRef,\n\t\t}\n\t\tfor _, id := range authority.Keyless.Identities {\n\t\t\tsink.Keyless.Identities = append(sink.Keyless.Identities, v1beta1.Identity{Issuer: id.Issuer, Subject: id.Subject, IssuerRegExp: id.IssuerRegExp, SubjectRegExp: id.SubjectRegExp})\n\t\t}\n\t\tif authority.Keyless.CACert != nil {\n\t\t\tsink.Keyless.CACert = &v1beta1.KeyRef{}\n\t\t\tauthority.Keyless.CACert.ConvertTo(ctx, sink.Keyless.CACert)\n\t\t}\n\t\tif authority.Keyless.InsecureIgnoreSCT != nil {\n\t\t\tsink.Keyless.InsecureIgnoreSCT = authority.Keyless.InsecureIgnoreSCT\n\t\t}\n\t}\n\tif authority.Static != nil {\n\t\tsink.Static = &v1beta1.StaticRef{\n\t\t\tAction:  authority.Static.Action,\n\t\t\tMessage: authority.Static.Message,\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *Policy) ConvertTo(_ context.Context, sink *v1beta1.Policy) {\n\tsink.Type = p.Type\n\tsink.Data = p.Data\n\tif p.Remote != nil {\n\t\tsink.Remote = &v1beta1.RemotePolicy{\n\t\t\tURL:       p.Remote.URL,\n\t\t\tSha256sum: p.Remote.Sha256sum,\n\t\t}\n\t}\n\tif p.ConfigMapRef != nil {\n\t\tsink.ConfigMapRef = &v1beta1.ConfigMapReference{\n\t\t\tName:      p.ConfigMapRef.Name,\n\t\t\tNamespace: p.ConfigMapRef.Namespace,\n\t\t\tKey:       p.ConfigMapRef.Key,\n\t\t}\n\t}\n\tif p.FetchConfigFile != nil {\n\t\tsink.FetchConfigFile = 
ptr.Bool(*p.FetchConfigFile)\n\t}\n\tif p.IncludeSpec != nil {\n\t\tsink.IncludeSpec = ptr.Bool(*p.IncludeSpec)\n\t}\n\tif p.IncludeObjectMeta != nil {\n\t\tsink.IncludeObjectMeta = ptr.Bool(*p.IncludeObjectMeta)\n\t}\n\tif p.IncludeTypeMeta != nil {\n\t\tsink.IncludeTypeMeta = ptr.Bool(*p.IncludeTypeMeta)\n\t}\n}\n\nfunc (p *Policy) ConvertFrom(_ context.Context, source *v1beta1.Policy) {\n\tp.Type = source.Type\n\tp.Data = source.Data\n\tif source.Remote != nil {\n\t\tp.Remote = &RemotePolicy{\n\t\t\tURL:       source.Remote.URL,\n\t\t\tSha256sum: source.Remote.Sha256sum,\n\t\t}\n\t}\n\tif source.ConfigMapRef != nil {\n\t\tp.ConfigMapRef = &ConfigMapReference{\n\t\t\tName:      source.ConfigMapRef.Name,\n\t\t\tNamespace: source.ConfigMapRef.Namespace,\n\t\t\tKey:       source.ConfigMapRef.Key,\n\t\t}\n\t}\n\tif source.FetchConfigFile != nil {\n\t\tp.FetchConfigFile = ptr.Bool(*source.FetchConfigFile)\n\t}\n\tif source.IncludeSpec != nil {\n\t\tp.IncludeSpec = ptr.Bool(*source.IncludeSpec)\n\t}\n\tif source.IncludeObjectMeta != nil {\n\t\tp.IncludeObjectMeta = ptr.Bool(*source.IncludeObjectMeta)\n\t}\n\tif source.IncludeTypeMeta != nil {\n\t\tp.IncludeTypeMeta = ptr.Bool(*source.IncludeTypeMeta)\n\t}\n}\n\nfunc (key *KeyRef) ConvertTo(_ context.Context, sink *v1beta1.KeyRef) {\n\tsink.SecretRef = key.SecretRef.DeepCopy()\n\tsink.Data = key.Data\n\tsink.KMS = key.KMS\n\tsink.HashAlgorithm = key.HashAlgorithm\n}\n\nfunc (spec *ClusterImagePolicySpec) ConvertFrom(ctx context.Context, source *v1beta1.ClusterImagePolicySpec) error {\n\tfor _, image := range source.Images {\n\t\tspec.Images = append(spec.Images, ImagePattern{Glob: image.Glob})\n\t}\n\tfor i := range source.Authorities {\n\t\tauthority := Authority{}\n\t\terr := authority.ConvertFrom(ctx, &source.Authorities[i])\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tspec.Authorities = append(spec.Authorities, authority)\n\t}\n\tfor i := range source.Match {\n\t\tmatchResource := MatchResource{}\n\t\terr := 
matchResource.ConvertFrom(ctx, &source.Match[i])\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tspec.Match = append(spec.Match, matchResource)\n\t}\n\tspec.Mode = source.Mode\n\tif source.Policy != nil {\n\t\tspec.Policy = &Policy{}\n\t\tspec.Policy.ConvertFrom(ctx, source.Policy)\n\t}\n\treturn nil\n}\n\nfunc (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Authority) error {\n\tauthority.Name = source.Name\n\tauthority.SignatureFormat = source.SignatureFormat\n\tif source.CTLog != nil && source.CTLog.URL != nil {\n\t\tauthority.CTLog = &TLog{\n\t\t\tURL:          source.CTLog.URL.DeepCopy(),\n\t\t\tTrustRootRef: source.CTLog.TrustRootRef,\n\t\t}\n\t}\n\tif source.RFC3161Timestamp != nil && source.RFC3161Timestamp.TrustRootRef != \"\" {\n\t\tauthority.RFC3161Timestamp = &RFC3161Timestamp{}\n\t\tauthority.RFC3161Timestamp.TrustRootRef = source.RFC3161Timestamp.TrustRootRef\n\t}\n\tfor _, s := range source.Sources {\n\t\tsrc := Source{}\n\t\tsrc.OCI = s.OCI\n\t\tsrc.TagPrefix = s.TagPrefix\n\t\tfor _, sps := range s.SignaturePullSecrets {\n\t\t\tsrc.SignaturePullSecrets = append(src.SignaturePullSecrets, v1.LocalObjectReference{Name: sps.Name})\n\t\t}\n\t\tauthority.Sources = append(authority.Sources, src)\n\t}\n\tfor _, att := range source.Attestations {\n\t\tattestation := Attestation{}\n\t\tattestation.Name = att.Name\n\t\tattestation.PredicateType = att.PredicateType\n\t\tif att.Policy != nil {\n\t\t\tattestation.Policy = &Policy{}\n\t\t\tattestation.Policy.ConvertFrom(ctx, att.Policy)\n\t\t}\n\t\tauthority.Attestations = append(authority.Attestations, attestation)\n\t}\n\tif source.Key != nil {\n\t\tauthority.Key = &KeyRef{}\n\t\tauthority.Key.ConvertFrom(ctx, source.Key)\n\t}\n\tif source.Keyless != nil {\n\t\tauthority.Keyless = &KeylessRef{\n\t\t\tURL:          source.Keyless.URL.DeepCopy(),\n\t\t\tTrustRootRef: source.Keyless.TrustRootRef,\n\t\t}\n\t\tfor _, id := range source.Keyless.Identities 
{\n\t\t\tauthority.Keyless.Identities = append(authority.Keyless.Identities, Identity{Issuer: id.Issuer, Subject: id.Subject, IssuerRegExp: id.IssuerRegExp, SubjectRegExp: id.SubjectRegExp})\n\t\t}\n\t\tif source.Keyless.CACert != nil {\n\t\t\tauthority.Keyless.CACert = &KeyRef{}\n\t\t\tauthority.Keyless.CACert.ConvertFrom(ctx, source.Keyless.CACert)\n\t\t}\n\t\tif source.Keyless.InsecureIgnoreSCT != nil {\n\t\t\tauthority.Keyless.InsecureIgnoreSCT = source.Keyless.InsecureIgnoreSCT\n\t\t}\n\t}\n\tif source.Static != nil {\n\t\tauthority.Static = &StaticRef{\n\t\t\tAction:  source.Static.Action,\n\t\t\tMessage: source.Static.Message,\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (key *KeyRef) ConvertFrom(_ context.Context, source *v1beta1.KeyRef) {\n\tkey.SecretRef = source.SecretRef.DeepCopy()\n\tkey.Data = source.Data\n\tkey.KMS = source.KMS\n\tkey.HashAlgorithm = source.HashAlgorithm\n}\n\nfunc (matchResource *MatchResource) ConvertFrom(_ context.Context, source *v1beta1.MatchResource) error {\n\tmatchResource.GroupVersionResource = *source.GroupVersionResource.DeepCopy()\n\tif source.ResourceSelector != nil {\n\t\tmatchResource.ResourceSelector = source.ResourceSelector.DeepCopy()\n\t}\n\treturn nil\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\tv1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"knative.dev/pkg/ptr\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n)\n\n// Test v1alpha1 -> v1beta1 -> v1alpha1\nfunc TestConversionRoundTripV1alpha1(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tin   *ClusterImagePolicy\n\t}{{name: \"key and keyless\",\n\t\tin: &ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{Key: &KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Keyless: &KeylessRef{\n\t\t\t\t\t\tIdentities: []Identity{{Subject: \"subject\", Issuer: \"issuer\"}},\n\t\t\t\t\t\tCACert:     &KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"key, keyless, and static, regexp\",\n\t\tin: &ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{Key: 
&KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Keyless: &KeylessRef{\n\t\t\t\t\t\tIdentities: []Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:     &KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t}},\n\t\t\t\t\t{Static: &StaticRef{Action: \"pass\"}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"key and keyless, regexp\",\n\t\tin: &ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{Key: &KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Keyless: &KeylessRef{\n\t\t\t\t\t\tIdentities: []Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:     &KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"source and attestations\",\n\t\tin: &ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tMode:   \"warn\",\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{Key: &KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Sources: []Source{{\n\t\t\t\t\t\tOCI:                  \"registry.example.com\",\n\t\t\t\t\t\tTagPrefix:            ptr.String(\"sbom\"),\n\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{{Name: \"sps-secret\"}}}}},\n\t\t\t\t\t{Attestations: []Attestation{{\n\t\t\t\t\t\tName:          \"attestation-0\",\n\t\t\t\t\t\tPredicateType: \"vuln\",\n\t\t\t\t\t\tPolicy: &Policy{\n\t\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\t\tData: \"cue language goes 
here\",\n\t\t\t\t\t\t},\n\t\t\t\t\t}}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tver := &v1beta1.ClusterImagePolicy{}\n\t\t\tif err := test.in.ConvertTo(context.Background(), ver); err != nil {\n\t\t\t\tt.Error(\"ConvertTo() =\", err)\n\t\t\t}\n\t\t\tgot := &ClusterImagePolicy{}\n\t\t\tif err := got.ConvertFrom(context.Background(), ver); err != nil {\n\t\t\t\tt.Error(\"ConvertFrom() =\", err)\n\t\t\t}\n\n\t\t\tif diff := cmp.Diff(test.in, got); diff != \"\" {\n\t\t\t\tt.Error(\"roundtrip (-want, +got) =\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\n// Test v1beta1 -> v1alpha1 -> v1beta1\nfunc TestConversionRoundTripV1beta1(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tin   *v1beta1.ClusterImagePolicy\n\t}{{name: \"simple configuration\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: v1beta1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1beta1.ImagePattern{{Glob: \"*\"}},\n\t\t\t},\n\t\t},\n\t}, {name: \"another\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t},\n\t}, {name: \"key, keyless, and static, regexp\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: v1beta1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1beta1.ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []v1beta1.Authority{\n\t\t\t\t\t{Key: &v1beta1.KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Keyless: &v1beta1.KeylessRef{\n\t\t\t\t\t\tIdentities: []v1beta1.Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:     &v1beta1.KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t}},\n\t\t\t\t\t{Static: &v1beta1.StaticRef{Action: 
\"pass\"}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"key, keyless, and static, regexp, policy\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: v1beta1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1beta1.ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []v1beta1.Authority{\n\t\t\t\t\t{Key: &v1beta1.KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Keyless: &v1beta1.KeylessRef{\n\t\t\t\t\t\tIdentities: []v1beta1.Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:     &v1beta1.KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t}},\n\t\t\t\t\t{Static: &v1beta1.StaticRef{Action: \"pass\"}},\n\t\t\t\t},\n\t\t\t\tPolicy: &v1beta1.Policy{\n\t\t\t\t\tType: \"cue\",\n\t\t\t\t\tData: \"cue language goes here\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"key, keyless, and static, regexp, policy, fetchConfigFile, includeSpec\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: v1beta1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1beta1.ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []v1beta1.Authority{\n\t\t\t\t\t{Key: &v1beta1.KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Keyless: &v1beta1.KeylessRef{\n\t\t\t\t\t\tIdentities: []v1beta1.Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:     &v1beta1.KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t}},\n\t\t\t\t\t{Static: &v1beta1.StaticRef{Action: \"pass\"}},\n\t\t\t\t},\n\t\t\t\tPolicy: &v1beta1.Policy{\n\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\tData:            \"cue language goes here\",\n\t\t\t\t\tFetchConfigFile: ptr.Bool(true),\n\t\t\t\t\tIncludeSpec:     
ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"key, keyless, and static, regexp, policy with cmref, fetchConfigFile, includeSpec\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: v1beta1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1beta1.ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []v1beta1.Authority{\n\t\t\t\t\t{Key: &v1beta1.KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}},\n\t\t\t\t\t\tAttestations: []v1beta1.Attestation{{Policy: &v1beta1.Policy{\n\t\t\t\t\t\t\tType: \"rego\",\n\t\t\t\t\t\t\tConfigMapRef: &v1beta1.ConfigMapReference{\n\t\t\t\t\t\t\t\tName: \"cip-cmname\",\n\t\t\t\t\t\t\t\tKey:  \"cip-keyname\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t}}},\n\t\t\t\t\t{Keyless: &v1beta1.KeylessRef{\n\t\t\t\t\t\tIdentities: []v1beta1.Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:     &v1beta1.KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t}},\n\t\t\t\t\t{Static: &v1beta1.StaticRef{Action: \"pass\"}},\n\t\t\t\t},\n\t\t\t\tPolicy: &v1beta1.Policy{\n\t\t\t\t\tType: \"cue\",\n\t\t\t\t\tConfigMapRef: &v1beta1.ConfigMapReference{\n\t\t\t\t\t\tName: \"cmname\",\n\t\t\t\t\t\tKey:  \"keyname\",\n\t\t\t\t\t},\n\t\t\t\t\tFetchConfigFile: ptr.Bool(true),\n\t\t\t\t\tIncludeSpec:     ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"key, keyless, and static, regexp, policy, fetchConfigFile, includeSpec, includeObjectMeta, includeTypeMeta\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: v1beta1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1beta1.ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []v1beta1.Authority{\n\t\t\t\t\t{Key: &v1beta1.KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Keyless: 
&v1beta1.KeylessRef{\n\t\t\t\t\t\tIdentities: []v1beta1.Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:     &v1beta1.KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t}},\n\t\t\t\t\t{Static: &v1beta1.StaticRef{Action: \"pass\"}},\n\t\t\t\t},\n\t\t\t\tPolicy: &v1beta1.Policy{\n\t\t\t\t\tType:              \"cue\",\n\t\t\t\t\tData:              \"cue language goes here\",\n\t\t\t\t\tFetchConfigFile:   ptr.Bool(true),\n\t\t\t\t\tIncludeSpec:       ptr.Bool(true),\n\t\t\t\t\tIncludeObjectMeta: ptr.Bool(true),\n\t\t\t\t\tIncludeTypeMeta:   ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"key, keyless, source, and rfc3161timestamp, regexp\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: v1beta1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1beta1.ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []v1beta1.Authority{\n\t\t\t\t\t{Key: &v1beta1.KeyRef{\n\t\t\t\t\t\tSecretRef: &v1.SecretReference{Name: \"mysecret\"}}},\n\t\t\t\t\t{Keyless: &v1beta1.KeylessRef{\n\t\t\t\t\t\tIdentities: []v1beta1.Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:     &v1beta1.KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t},\n\t\t\t\t\t\tRFC3161Timestamp: &v1beta1.RFC3161Timestamp{TrustRootRef: \"trust-root-tsa-ref\"},\n\t\t\t\t\t},\n\t\t\t\t\t{Sources: []v1beta1.Source{{\n\t\t\t\t\t\tOCI:                  \"registry.example.com\",\n\t\t\t\t\t\tTagPrefix:            ptr.String(\"sbom\"),\n\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{{Name: \"sps-secret\"}}}}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {name: \"key, keyless, and rfc3161timestamp, regexp\",\n\t\tin: &v1beta1.ClusterImagePolicy{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"test-cip\",\n\t\t\t},\n\t\t\tSpec: 
v1beta1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1beta1.ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []v1beta1.Authority{\n\t\t\t\t\t{Keyless: &v1beta1.KeylessRef{\n\t\t\t\t\t\tIdentities:        []v1beta1.Identity{{SubjectRegExp: \"subjectregexp\", IssuerRegExp: \"issuerregexp\"}},\n\t\t\t\t\t\tCACert:            &v1beta1.KeyRef{KMS: \"kms\", Data: \"data\", SecretRef: &v1.SecretReference{Name: \"secret\"}},\n\t\t\t\t\t\tInsecureIgnoreSCT: ptr.Bool(true),\n\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tver := &ClusterImagePolicy{}\n\t\t\tif err := ver.ConvertFrom(context.Background(), test.in); err != nil {\n\t\t\t\tt.Error(\"ConvertDown() =\", err)\n\t\t\t}\n\t\t\tgot := &v1beta1.ClusterImagePolicy{}\n\t\t\tif err := ver.ConvertTo(context.Background(), got); err != nil {\n\t\t\t\tt.Error(\"ConvertUp() =\", err)\n\t\t\t}\n\n\t\t\tif diff := cmp.Diff(test.in, got); diff != \"\" {\n\t\t\t\tt.Error(\"roundtrip (-want, +got) =\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_defaults.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"knative.dev/pkg/apis\"\n)\n\n// SetDefaults implements apis.Defaultable\nfunc (c *ClusterImagePolicy) SetDefaults(ctx context.Context) {\n\tc.Spec.SetDefaults(ctx)\n}\n\nfunc (spec *ClusterImagePolicySpec) SetDefaults(_ context.Context) {\n\tif spec.Mode == \"\" {\n\t\tspec.Mode = \"enforce\"\n\t}\n\tfor i, authority := range spec.Authorities {\n\t\tif authority.Name == \"\" {\n\t\t\tspec.Authorities[i].Name = fmt.Sprintf(\"authority-%d\", i)\n\t\t}\n\t\tif authority.Key == nil && authority.Static == nil && authority.Keyless != nil && authority.Keyless.CACert == nil && authority.Keyless.URL == nil {\n\t\t\tauthority.Keyless.URL = apis.HTTPS(\"fulcio.sigstore.dev\")\n\t\t}\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_defaults_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\n\t\"testing\"\n\n\t\"knative.dev/pkg/apis\"\n)\n\nfunc TestNameDefaulting(t *testing.T) {\n\ttests := []struct {\n\t\tin        *ClusterImagePolicy\n\t\twantNames []string\n\t}{\n\t\t{in: cipWithNames([]string{\"\"}),\n\t\t\twantNames: []string{\"authority-0\"},\n\t\t},\n\t\t{in: cipWithNames([]string{\"\", \"vuln-scan\"}),\n\t\t\twantNames: []string{\"authority-0\", \"vuln-scan\"},\n\t\t},\n\t\t{in: cipWithNames([]string{\"vuln-scan\", \"\"}),\n\t\t\twantNames: []string{\"vuln-scan\", \"authority-1\"},\n\t\t},\n\t\t{in: cipWithNames([]string{\"first\", \"second\"}),\n\t\t\twantNames: []string{\"first\", \"second\"},\n\t\t}}\n\tfor _, tc := range tests {\n\t\ttc.in.SetDefaults(context.TODO())\n\t\tif len(tc.in.Spec.Authorities) != len(tc.wantNames) {\n\t\t\tt.Fatalf(\"Mismatch number of wantNames: %d vs authorities: %d\", len(tc.wantNames), len(tc.in.Spec.Authorities))\n\t\t}\n\t\tfor i, wantName := range tc.wantNames {\n\t\t\tif tc.in.Spec.Authorities[i].Name != wantName {\n\t\t\t\tt.Errorf(\"Wanted name: %s got %s\", wantName, tc.in.Spec.Authorities[i].Name)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc TestModeDefaulting(t *testing.T) {\n\ttests := []struct {\n\t\tname     string\n\t\tmode     string\n\t\twantMode string\n\t}{{\n\t\tname:     \"empty\",\n\t\twantMode: \"enforce\",\n\t}, {\n\t\tname:     
\"enforce\",\n\t\tmode:     \"enforce\",\n\t\twantMode: \"enforce\",\n\t}, {\n\t\tname:     \"warn\",\n\t\tmode:     \"warn\",\n\t\twantMode: \"warn\",\n\t}}\n\tfor _, tc := range tests {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\ttc := tc\n\t\t\tin := ClusterImagePolicy{Spec: ClusterImagePolicySpec{Mode: tc.mode}}\n\t\t\tin.SetDefaults(context.TODO())\n\t\t\tif in.Spec.Mode != tc.wantMode {\n\t\t\t\tt.Errorf(\"Wanted mode: %s got %s\", tc.wantMode, in.Spec.Mode)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestKeylessURLDefaulting(t *testing.T) {\n\ttests := []struct {\n\t\tname    string\n\t\tin      *ClusterImagePolicy\n\t\twantURL string\n\t}{\n\t\t{name: \"static specified, no default\",\n\t\t\tin: &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Static: &StaticRef{Action: \"pass\"}}}}}},\n\t\t{name: \"key specified, no default\",\n\t\t\tin: &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Key: &KeyRef{Data: \"Keydata here\"}}}}}},\n\t\t{name: \"kms specified, no default\",\n\t\t\tin: &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Keyless: &KeylessRef{CACert: &KeyRef{KMS: \"Keydata here\"}}}}}}},\n\t\t{name: \"keyless specified, do not overwite fulcio\",\n\t\t\tin:      &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Keyless: &KeylessRef{URL: apis.HTTP(\"fulcio.fulcio-system.svc\")}}}}},\n\t\t\twantURL: \"http://fulcio.fulcio-system.svc\",\n\t\t},\n\t\t{name: \"keyless specified, public fulcio\",\n\t\t\tin:      &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Keyless: &KeylessRef{Identities: []Identity{{Issuer: \"someissuer\"}}}}}}},\n\t\t\twantURL: \"https://fulcio.sigstore.dev\",\n\t\t},\n\t}\n\tfor _, tc := range tests {\n\t\tin := tc.in.DeepCopy()\n\t\tin.SetDefaults(context.TODO())\n\t\tswitch tc.wantURL {\n\t\tcase \"\":\n\t\t\tif in.Spec.Authorities[0].Keyless != nil && in.Spec.Authorities[0].Keyless.URL != nil 
{\n\t\t\t\tt.Errorf(\"Wanted no defaulting, got %s\", in.Spec.Authorities[0].Keyless.URL)\n\t\t\t}\n\t\tdefault:\n\t\t\tif in.Spec.Authorities[0].Keyless == nil || in.Spec.Authorities[0].Keyless.URL == nil {\n\t\t\t\tt.Errorf(\"Wanted defaulting %s, got none\", tc.wantURL)\n\t\t\t} else if in.Spec.Authorities[0].Keyless.URL.String() != tc.wantURL {\n\t\t\t\tt.Errorf(\"Wanted defaulting %s, got %s\", tc.wantURL, in.Spec.Authorities[0].Keyless.URL)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc cipWithNames(names []string) *ClusterImagePolicy {\n\tcip := &ClusterImagePolicy{\n\t\tSpec: ClusterImagePolicySpec{},\n\t}\n\tfor _, name := range names {\n\t\tcip.Spec.Authorities = append(cip.Spec.Authorities, Authority{Name: name, Keyless: &KeylessRef{URL: &apis.URL{Host: \"tests.example.com\"}}})\n\t}\n\treturn cip\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_lifecycle.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"knative.dev/pkg/apis\"\n)\n\nconst (\n\tinlineKeysFailedReason     = \"InliningKeysFailed\"\n\tinlinePoliciesFailedReason = \"InliningPoliciesFailed\"\n\tupdateCMFailedReason       = \"UpdatingConfigMap\"\n)\n\nvar cipCondSet = apis.NewLivingConditionSet(\n\tClusterImagePolicyConditionKeysInlined,\n\tClusterImagePolicyConditionPoliciesInlined,\n\tClusterImagePolicyConditionCMUpdated,\n)\n\n// GetConditionSet retrieves the condition set for this resource.\n// Implements the KRShaped interface.\nfunc (*ClusterImagePolicy) GetConditionSet() apis.ConditionSet {\n\treturn cipCondSet\n}\n\n// IsReady returns if the ClusterImagePolicy was compiled successfully to\n// ConfigMap.\nfunc (c *ClusterImagePolicy) IsReady() bool {\n\tcs := c.Status\n\treturn cs.ObservedGeneration == c.Generation &&\n\t\tcs.GetCondition(ClusterImagePolicyConditionReady).IsTrue()\n}\n\n// IsFailed returns true if the resource has observed\n// the latest generation and ready is false.\nfunc (c *ClusterImagePolicy) IsFailed() bool {\n\tcs := c.Status\n\treturn cs.ObservedGeneration == c.Generation &&\n\t\tcs.GetCondition(ClusterImagePolicyConditionReady).IsFalse()\n}\n\n// InitializeConditions sets the initial values to the conditions.\nfunc (cs *ClusterImagePolicyStatus) InitializeConditions() 
{\n\tcipCondSet.Manage(cs).InitializeConditions()\n}\n\n// MarkInlineKeysFailed surfaces a failure that we were unable to inline\n// the keys (from secrets or from KMS).\nfunc (cs *ClusterImagePolicyStatus) MarkInlineKeysFailed(msg string) {\n\tcipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionKeysInlined, inlineKeysFailedReason, msg)\n}\n\n// MarkInlineKeysOk marks the status saying that the inlining of the keys\n// had no errors.\nfunc (cs *ClusterImagePolicyStatus) MarkInlineKeysOk() {\n\tcipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionKeysInlined)\n}\n\n// MarkInlinePoliciesFailed surfaces a failure that we were unable to inline\n// the policies, either from ConfigMap or from URL.\nfunc (cs *ClusterImagePolicyStatus) MarkInlinePoliciesFailed(msg string) {\n\tcipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionPoliciesInlined, inlinePoliciesFailedReason, msg)\n}\n\n// MarkInlinePoliciesOk marks the status saying that the inlining of the\n// policies had no errors.\nfunc (cs *ClusterImagePolicyStatus) MarkInlinePoliciesOk() {\n\tcipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionPoliciesInlined)\n}\n\n// MarkCMUpdateFailed surfaces a failure that we were unable to reflect the\n// CIP into the compiled ConfigMap.\nfunc (cs *ClusterImagePolicyStatus) MarkCMUpdateFailed(msg string) {\n\tcipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionCMUpdated, updateCMFailedReason, msg)\n}\n\n// MarkCMUpdatedOK marks the status saying that the ConfigMap has been updated.\nfunc (cs *ClusterImagePolicyStatus) MarkCMUpdatedOK() {\n\tcipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionCMUpdated)\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_lifecycle_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"testing\"\n\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/apis/duck\"\n\tduckv1 \"knative.dev/pkg/apis/duck/v1\"\n)\n\nfunc TestClusterImagePolicyDuckTypes(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tt    duck.Implementable\n\t}{{\n\t\tname: \"conditions\",\n\t\tt:    &duckv1.Conditions{},\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := duck.VerifyType(&ClusterImagePolicy{}, test.t)\n\t\t\tif err != nil {\n\t\t\t\tt.Errorf(\"VerifyType(ClusterImagePolicy, %T) = %v\", test.t, err)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestClusterImagePolicyGetConditionSet(t *testing.T) {\n\tr := &ClusterImagePolicy{}\n\n\tif got, want := r.GetConditionSet().GetTopLevelConditionType(), apis.ConditionReady; got != want {\n\t\tt.Errorf(\"GetTopLevelCondition=%v, want=%v\", got, want)\n\t}\n}\n\nfunc TestClusterImagePolicyIsReady(t *testing.T) {\n\tcases := []struct {\n\t\tname    string\n\t\tstatus  ClusterImagePolicyStatus\n\t\tisReady bool\n\t}{{\n\t\tname:    \"empty status should not be ready\",\n\t\tstatus:  ClusterImagePolicyStatus{},\n\t\tisReady: false,\n\t}, {\n\t\tname: \"Single condition type ready should not be ready\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: 
duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionCMUpdated,\n\t\t\t\t\tStatus: corev1.ConditionTrue,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisReady: false,\n\t}, {\n\t\tname: \"False condition status should not be ready\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionCMUpdated,\n\t\t\t\t\tStatus: corev1.ConditionFalse,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisReady: false,\n\t}, {\n\t\tname: \"Unknown condition status should not be ready\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionReady,\n\t\t\t\t\tStatus: corev1.ConditionUnknown,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisReady: false,\n\t}, {\n\t\tname: \"Missing condition status should not be ready\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType: ClusterImagePolicyConditionReady,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisReady: false,\n\t}, {\n\t\tname: \"True condition status should be ready\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionReady,\n\t\t\t\t\tStatus: corev1.ConditionTrue,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisReady: true,\n\t}, {\n\t\tname: \"All conditions with ready status should be ready\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionPoliciesInlined,\n\t\t\t\t\tStatus: corev1.ConditionTrue,\n\t\t\t\t}, {\n\t\t\t\t\tType:   ClusterImagePolicyConditionKeysInlined,\n\t\t\t\t\tStatus: corev1.ConditionTrue,\n\t\t\t\t}, {\n\t\t\t\t\tType:   ClusterImagePolicyConditionCMUpdated,\n\t\t\t\t\tStatus: corev1.ConditionTrue,\n\t\t\t\t}, {\n\t\t\t\t\tType:   
ClusterImagePolicyConditionReady,\n\t\t\t\t\tStatus: corev1.ConditionTrue,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisReady: true,\n\t}, {\n\t\tname: \"Multiple conditions with ready status false should not be ready\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionKeysInlined,\n\t\t\t\t\tStatus: corev1.ConditionTrue,\n\t\t\t\t}, {\n\t\t\t\t\tType:   ClusterImagePolicyConditionReady,\n\t\t\t\t\tStatus: corev1.ConditionFalse,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisReady: false,\n\t}}\n\n\tfor _, tc := range cases {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tr := ClusterImagePolicy{Status: tc.status}\n\t\t\tif e, a := tc.isReady, r.IsReady(); e != a {\n\t\t\t\tt.Errorf(\"%q expected: %v got: %v\", tc.name, e, a)\n\t\t\t}\n\n\t\t\tr.Generation = 1\n\t\t\tr.Status.ObservedGeneration = 2\n\t\t\tif r.IsReady() {\n\t\t\t\tt.Error(\"Expected IsReady() to be false when Generation != ObservedGeneration\")\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestClusterImagePolicyIsFailed(t *testing.T) {\n\tcases := []struct {\n\t\tname     string\n\t\tstatus   ClusterImagePolicyStatus\n\t\tisFailed bool\n\t}{{\n\t\tname:     \"empty status should not be failed\",\n\t\tstatus:   ClusterImagePolicyStatus{},\n\t\tisFailed: false,\n\t}, {\n\t\tname: \"False condition status should be failed\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionReady,\n\t\t\t\t\tStatus: corev1.ConditionFalse,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisFailed: true,\n\t}, {\n\t\tname: \"Unknown condition status should not be failed\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionReady,\n\t\t\t\t\tStatus: corev1.ConditionUnknown,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisFailed: false,\n\t}, {\n\t\tname: 
\"Missing condition status should not be failed\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType: ClusterImagePolicyConditionReady,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisFailed: false,\n\t}, {\n\t\tname: \"True condition status should not be failed\",\n\t\tstatus: ClusterImagePolicyStatus{\n\t\t\tStatus: duckv1.Status{\n\t\t\t\tConditions: duckv1.Conditions{{\n\t\t\t\t\tType:   ClusterImagePolicyConditionReady,\n\t\t\t\t\tStatus: corev1.ConditionTrue,\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tisFailed: false,\n\t}}\n\n\tfor _, tc := range cases {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tr := ClusterImagePolicy{Status: tc.status}\n\t\t\tif e, a := tc.isFailed, r.IsFailed(); e != a {\n\t\t\t\tt.Errorf(\"%q expected: %v got: %v\", tc.name, e, a)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\tv1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n\t\"knative.dev/pkg/apis\"\n\tduckv1 \"knative.dev/pkg/apis/duck/v1\"\n\t\"knative.dev/pkg/kmeta\"\n)\n\n// ClusterImagePolicy defines the images that go through verification\n// and the authorities used for verification\n//\n// +genclient\n// +genclient:nonNamespaced\n// +genreconciler:krshapedlogic=true\n// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\ntype ClusterImagePolicy struct {\n\tmetav1.TypeMeta   `json:\",inline\"`\n\tmetav1.ObjectMeta `json:\"metadata\"`\n\n\t// Spec holds the desired state of the ClusterImagePolicy (from the client).\n\tSpec ClusterImagePolicySpec `json:\"spec\"`\n\n\t// Status represents the current state of the ClusterImagePolicy.\n\t// This data may be out of date.\n\t// +optional\n\tStatus ClusterImagePolicyStatus `json:\"status,omitempty\"`\n}\n\nvar (\n\t_ apis.Validatable   = (*ClusterImagePolicy)(nil)\n\t_ apis.Defaultable   = (*ClusterImagePolicy)(nil)\n\t_ kmeta.OwnerRefable = (*ClusterImagePolicy)(nil)\n\t// Check that the type conforms to the duck Knative Resource shape.\n\t_ duckv1.KRShaped = (*ClusterImagePolicy)(nil)\n)\n\nconst (\n\t// ClusterImagePolicyConditionReady is set when the ClusterImagePolicy has\n\t// been 
compiled into the underlying ConfigMap properly.\n\tClusterImagePolicyConditionReady = apis.ConditionReady\n\t// ClusterImagePolicyConditionKeysInlined is set to True when all the Keys\n\t// have been (Secrets, KMS, etc.) resolved, fetched, validated, and inlined\n\t// into the compiled representation.\n\t// In failure cases, the Condition will describe the errors in detail.\n\tClusterImagePolicyConditionKeysInlined apis.ConditionType = \"KeysInlined\"\n\t// ClusterImagePolicyConditionPoliciesInlined is set to True when all the\n\t// policies have been resolved, fetched, validated, and inlined into the\n\t// compiled representation.\n\t// In failure cases, the Condition will describe the errors in detail.\n\tClusterImagePolicyConditionPoliciesInlined apis.ConditionType = \"PoliciesInlined\"\n\t// ClusterImagePolicyConditionCMUpdated\tis set to True when the CIP has been\n\t// successfully added into the ConfigMap holding all the compiled CIPs.\n\t// In failure cases, the Condition will describe the errors in detail.\n\tClusterImagePolicyConditionCMUpdated apis.ConditionType = \"ConfigMapUpdated\"\n)\n\n// GetGroupVersionKind implements kmeta.OwnerRefable\nfunc (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind {\n\treturn SchemeGroupVersion.WithKind(\"ClusterImagePolicy\")\n}\n\n// ClusterImagePolicySpec defines a list of images that should be verified\ntype ClusterImagePolicySpec struct {\n\t// Images defines the patterns of image names that should be subject to this policy.\n\tImages []ImagePattern `json:\"images\"`\n\t// Authorities defines the rules for discovering and validating signatures.\n\t// +optional\n\tAuthorities []Authority `json:\"authorities,omitempty\"`\n\t// Policy is an optional policy that can be applied against all the\n\t// successfully validated Authorities. 
If no authorities pass, this does\n\t// not even get evaluated, as the Policy is considered failed.\n\t// +optional\n\tPolicy *Policy `json:\"policy,omitempty\"`\n\t// Mode controls whether a failing policy will be rejected (not admitted),\n\t// or if errors are converted to Warnings.\n\t// enforce - Reject (default)\n\t// warn - allow but warn\n\t// +optional\n\tMode string `json:\"mode,omitempty\"`\n\t// Match allows selecting resources based on their properties.\n\t// +optional\n\tMatch []MatchResource `json:\"match,omitempty\"`\n}\n\n// ImagePattern defines a pattern and its associated authorities.\n// If multiple patterns match a particular image, then ALL of\n// those authorities must be satisfied for the image to be admitted.\ntype ImagePattern struct {\n\t// Glob defines a globbing pattern.\n\tGlob string `json:\"glob\"`\n}\n\n// The authorities block defines the rules for discovering and\n// validating signatures.  Signatures are\n// cryptographically verified using one of the \"key\" or \"keyless\"\n// fields.\n// When multiple authorities are specified, any of them may be used\n// to source the valid signature we are looking for to admit an\n// image.\n\ntype Authority struct {\n\t// Name is the name for this authority. 
Used by the CIP Policy\n\t// validator to be able to reference matching signature or attestation\n\t// verifications.\n\t// If not specified, the name will be authority-<index in array>\n\tName string `json:\"name\"`\n\t// Key defines the type of key to validate the image.\n\t// +optional\n\tKey *KeyRef `json:\"key,omitempty\"`\n\t// Keyless sets the configuration to verify the authority against a Fulcio instance.\n\t// +optional\n\tKeyless *KeylessRef `json:\"keyless,omitempty\"`\n\t// Static specifies that signatures / attestations are not validated but\n\t// instead a static policy is applied against matching images.\n\t// +optional\n\tStatic *StaticRef `json:\"static,omitempty\"`\n\t// Sources sets the configuration to specify the sources from where to consume the signature and attestations.\n\t// +optional\n\tSources []Source `json:\"source,omitempty\"`\n\t// CTLog sets the configuration to verify the authority against a Rekor instance.\n\t// +optional\n\tCTLog *TLog `json:\"ctlog,omitempty\"`\n\t// Attestations is a list of individual attestations for this authority,\n\t// once the signature for this authority has been verified.\n\t// +optional\n\tAttestations []Attestation `json:\"attestations,omitempty\"`\n\t// RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.\n\t// +optional\n\tRFC3161Timestamp *RFC3161Timestamp `json:\"rfc3161timestamp,omitempty\"`\n\t// SignatureFormat specifies the format the authority expects. Supported\n\t// formats are \"legacy\" and \"bundle\". 
If not specified, the default\n\t// is \"legacy\" (cosign's default).\n\tSignatureFormat string `json:\"signatureFormat,omitempty\"`\n}\n\n// This references a public verification key stored in\n// a secret in the cosign-system namespace.\n// A KeyRef must specify only one of SecretRef, Data or KMS\ntype KeyRef struct {\n\t// SecretRef sets a reference to a secret with the key.\n\t// +optional\n\tSecretRef *v1.SecretReference `json:\"secretRef,omitempty\"`\n\t// Data contains the inline public key\n\t// +optional\n\tData string `json:\"data,omitempty\"`\n\t// KMS contains the KMS url of the public key\n\t// Supported formats differ based on the KMS system used.\n\t// +optional\n\tKMS string `json:\"kms,omitempty\"`\n\t// HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set\n\t// +optional\n\tHashAlgorithm string `json:\"hashAlgorithm,omitempty\"`\n}\n\n// StaticRef specifies that signatures / attestations are not validated but\n// instead a static policy is applied against matching images.\ntype StaticRef struct {\n\t// Action defines how to handle a matching policy.\n\tAction string `json:\"action\"`\n\t// For fail actions, emit an optional custom message. 
This only makes\n\t// sense for 'fail' action because on 'pass' there's no place to jot down\n\t// the message.\n\tMessage string `json:\"message,omitempty\"`\n}\n\n// Source specifies the location of the signature / attestations.\ntype Source struct {\n\t// OCI defines the registry from where to pull the signature / attestations.\n\t// +optional\n\tOCI string `json:\"oci,omitempty\"`\n\t// SignaturePullSecrets is an optional list of references to secrets in the\n\t// same namespace as the deploying resource for pulling any of the signatures\n\t// used by this Source.\n\t// +optional\n\tSignaturePullSecrets []v1.LocalObjectReference `json:\"signaturePullSecrets,omitempty\"`\n\t// TagPrefix is an optional prefix that signature and attestations have.\n\t// This is the 'tag based discovery' and in the future once references are\n\t// fully supported that should likely be the preferred way to handle these.\n\t// +optional\n\tTagPrefix *string `json:\"tagPrefix,omitempty\"`\n}\n\n// TLog specifies the URL to a transparency log that holds\n// the signature and public key information\ntype TLog struct {\n\t// URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)\n\t// +optional\n\tURL *apis.URL `json:\"url,omitempty\"`\n\t// Use the Public Key from the referred TrustRoot.TLog\n\t// +optional\n\tTrustRootRef string `json:\"trustRootRef,omitempty\"`\n}\n\n// KeylessRef contains location of the validating certificate and the identities\n// against which to verify. 
KeylessRef will contain either the URL to the verifying\n// certificate, or it will contain the certificate data inline or in a secret.\ntype KeylessRef struct {\n\t// URL defines a url to the keyless instance.\n\t// +optional\n\tURL *apis.URL `json:\"url,omitempty\"`\n\t// Identities sets a list of identities.\n\tIdentities []Identity `json:\"identities\"`\n\t// CACert sets a reference to CA certificate\n\t// +optional\n\tCACert *KeyRef `json:\"ca-cert,omitempty\"`\n\t// Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog\n\t// +optional\n\tTrustRootRef string `json:\"trustRootRef,omitempty\"`\n\t// InsecureIgnoreSCT skips verifying whether a certificate contains an\n\t// embedded SCT (Signed Certificate Timestamp).\n\t// +optional\n\tInsecureIgnoreSCT *bool `json:\"insecureIgnoreSCT,omitempty\"`\n}\n\n// Attestation defines the type of attestation to validate and optionally\n// apply a policy decision to it. Authority block is used to verify the\n// specified attestation types, and if Policy is specified, then it's applied\n// only after the validation of the Attestation signature has been verified.\ntype Attestation struct {\n\t// Name of the attestation. These can then be referenced at the CIP level\n\t// policy.\n\tName string `json:\"name\"`\n\t// PredicateType defines which predicate type to verify. 
Matches cosign verify-attestation options.\n\tPredicateType string `json:\"predicateType\"`\n\t// Policy defines all of the matching signatures, and all of\n\t// the matching attestations (whose attestations are verified).\n\t// +optional\n\tPolicy *Policy `json:\"policy,omitempty\"`\n}\n\n// MatchResource allows selecting resources based on its version, group and resource.\n// It is also possible to select resources based on a list of matching labels.\ntype MatchResource struct {\n\t// +optional\n\tmetav1.GroupVersionResource `json:\",inline\"`\n\t// +optional\n\tResourceSelector *metav1.LabelSelector `json:\"selector,omitempty\"`\n}\n\n// RemotePolicy defines all the properties to fetch a remote policy\ntype RemotePolicy struct {\n\t// URL to the policy data.\n\tURL apis.URL `json:\"url,omitempty\"`\n\t// Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.\n\tSha256sum string `json:\"sha256sum,omitempty\"`\n}\n\n// Policy specifies a policy to use for Attestation or the CIP validation (iff\n// at least one authority matches).\n// Exactly one of Data, URL, or ConfigMapReference must be specified.\ntype Policy struct {\n\t// Which kind of policy this is, currently only rego or cue are supported.\n\t// Furthermore, only cue is tested :)\n\tType string `json:\"type\"`\n\t// Data contains the policy definition.\n\t// +optional\n\tData string `json:\"data,omitempty\"`\n\t// Remote defines the url to a policy.\n\t// +optional\n\tRemote *RemotePolicy `json:\"remote,omitempty\"`\n\t// ConfigMapRef defines the reference to a configMap with the policy definition.\n\t// +optional\n\tConfigMapRef *ConfigMapReference `json:\"configMapRef,omitempty\"`\n\t// FetchConfigFile controls whether ConfigFile will be fetched and made\n\t// available for CIP level policy evaluation. 
Note that this only gets\n\t// evaluated (and hence fetched) iff at least one authority matches.\n\t// The ConfigFile will then be available in this format:\n\t// https://github.com/opencontainers/image-spec/blob/main/config.md\n\t// +optional\n\tFetchConfigFile *bool `json:\"fetchConfigFile,omitempty\"`\n\t// IncludeSpec controls whether resource `Spec` will be included and\n\t// made available for CIP level policy evaluation. Note that this only gets\n\t// evaluated iff at least one authority matches.\n\t// Also note that because Spec may be of a different shape depending\n\t// on the resource being evaluated (see MatchResource for filtering)\n\t// you might want to configure these to match the policy file to ensure\n\t// the shape of the Spec is what you expect when evaluating the policy.\n\t// +optional\n\tIncludeSpec *bool `json:\"includeSpec,omitempty\"`\n\t// IncludeObjectMeta controls whether the ObjectMeta will be included and\n\t// made available for CIP level policy evaluation. Note that this only gets\n\t// evaluated iff at least one authority matches.\n\t// +optional\n\tIncludeObjectMeta *bool `json:\"includeObjectMeta,omitempty\"`\n\t// IncludeTypeMeta controls whether the TypeMeta will be included and\n\t// made available for CIP level policy evaluation. Note that this only gets\n\t// evaluated iff at least one authority matches.\n\t// +optional\n\tIncludeTypeMeta *bool `json:\"includeTypeMeta,omitempty\"`\n}\n\n// ConfigMapReference is cut&paste from SecretReference, but for the life of me\n// couldn't find one in the public types. 
If there's one, use it.\ntype ConfigMapReference struct {\n\t// Name is unique within a namespace to reference a configmap resource.\n\t// +optional\n\tName string `json:\"name,omitempty\"`\n\t// Namespace defines the space within which the configmap name must be unique.\n\t// +optional\n\tNamespace string `json:\"namespace,omitempty\"`\n\t// Key defines the key to pull from the configmap.\n\t// +optional\n\tKey string `json:\"key,omitempty\"`\n}\n\n// Identity may contain the issuer and/or the subject found in the transparency\n// log.\n// Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\n// apply a regexp for matching.\ntype Identity struct {\n\t// Issuer defines the issuer for this identity.\n\t// +optional\n\tIssuer string `json:\"issuer,omitempty\"`\n\t// Subject defines the subject for this identity.\n\t// +optional\n\tSubject string `json:\"subject,omitempty\"`\n\t// IssuerRegExp specifies a regular expression to match the issuer for this identity.\n\t// +optional\n\tIssuerRegExp string `json:\"issuerRegExp,omitempty\"`\n\t// SubjectRegExp specifies a regular expression to match the subject for this identity.\n\t// +optional\n\tSubjectRegExp string `json:\"subjectRegExp,omitempty\"`\n}\n\n// RFC3161Timestamp specifies the URL to a RFC3161 time-stamping server that holds\n// the time-stamped verification for the signature\ntype RFC3161Timestamp struct {\n\t// Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities\n\t// +optional\n\tTrustRootRef string `json:\"trustRootRef,omitempty\"`\n}\n\n// ClusterImagePolicyStatus represents the current state of a\n// ClusterImagePolicy.\ntype ClusterImagePolicyStatus struct {\n\t// inherits duck/v1 Status, which currently provides:\n\t// * ObservedGeneration - the 'Generation' of the Broker that was last processed by the controller.\n\t// * Conditions - the latest available observations of a resource's current state.\n\tduckv1.Status `json:\",inline\"`\n}\n\n// GetStatus 
retrieves the status of the ClusterImagePolicy.\n// Implements the KRShaped interface.\nfunc (c *ClusterImagePolicy) GetStatus() *duckv1.Status {\n\treturn &c.Status.Status\n}\n\n// ClusterImagePolicyList is a list of ClusterImagePolicy resources\n//\n// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\ntype ClusterImagePolicyList struct {\n\tmetav1.TypeMeta `json:\",inline\"`\n\tmetav1.ListMeta `json:\"metadata\"`\n\n\tItems []ClusterImagePolicy `json:\"items\"`\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"path/filepath\"\n\t\"regexp\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/glob\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/common\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/signaturealgo\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/system\"\n\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n)\n\n// Validate implements apis.Validatable\nfunc (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError {\n\t// If we're doing status updates, do not validate the spec.\n\tif apis.IsInStatusUpdate(ctx) {\n\t\treturn nil\n\t}\n\treturn c.Spec.Validate(ctx).ViaField(\"spec\")\n}\n\nfunc (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError) {\n\t// Check what the configuration is and act accordingly.\n\tpcConfig := policycontrollerconfig.FromContextOrDefaults(ctx)\n\n\tif len(spec.Images) == 0 {\n\t\terrors = errors.Also(apis.ErrMissingField(\"images\"))\n\t}\n\tfor i, image := range spec.Images {\n\t\terrors = errors.Also(image.Validate(ctx).ViaFieldIndex(\"images\", i))\n\t}\n\tif len(spec.Authorities) == 0 && pcConfig.FailOnEmptyAuthorities {\n\t\terrors = 
errors.Also(apis.ErrMissingField(\"authorities\"))\n\t}\n\tfor i, authority := range spec.Authorities {\n\t\terrors = errors.Also(authority.Validate(ctx).ViaFieldIndex(\"authorities\", i))\n\t}\n\tif spec.Mode != \"\" && !common.ValidModes.Has(spec.Mode) {\n\t\terrors = errors.Also(apis.ErrInvalidValue(spec.Mode, \"mode\", \"unsupported mode\"))\n\t}\n\tfor i, m := range spec.Match {\n\t\terrors = errors.Also(m.Validate(ctx).ViaFieldIndex(\"match\", i))\n\t}\n\t// Note that we're within Spec here so that we can validate that the policy\n\t// FetchConfigFile is only set within Spec.Policy.\n\terrors = errors.Also(spec.Policy.Validate(apis.WithinSpec(ctx)))\n\treturn\n}\n\nfunc (image *ImagePattern) Validate(_ context.Context) *apis.FieldError {\n\tif image.Glob == \"\" {\n\t\treturn apis.ErrMissingField(\"glob\")\n\t}\n\treturn ValidateGlob(image.Glob).ViaField(\"glob\")\n}\n\nfunc (authority *Authority) Validate(ctx context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif authority.Key == nil && authority.Keyless == nil && authority.Static == nil {\n\t\terrs = errs.Also(apis.ErrMissingOneOf(\"key\", \"keyless\", \"static\"))\n\t\t// Instead of returning all the missing subfields, just return here\n\t\t// to give a more concise and arguably a more meaningful error message.\n\t\treturn errs\n\t}\n\tif (authority.Key != nil && authority.Keyless != nil) ||\n\t\t(authority.Key != nil && authority.Static != nil) ||\n\t\t(authority.Keyless != nil && authority.Static != nil) {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"key\", \"keyless\", \"static\"))\n\t\t// Instead of returning all the missing subfields, just return here\n\t\t// to give a more concise and arguably a more meaningful error message.\n\t\treturn errs\n\t}\n\n\tif authority.Key != nil {\n\t\terrs = errs.Also(authority.Key.Validate(ctx).ViaField(\"key\"))\n\t}\n\tif authority.Keyless != nil {\n\t\terrs = errs.Also(authority.Keyless.Validate(ctx).ViaField(\"keyless\"))\n\t}\n\tif 
authority.Static != nil {\n\t\terrs = errs.Also(authority.Static.Validate(ctx).ViaField(\"static\"))\n\t\t// Attestations, Sources, CTLog, or RFC3161Timestamp do not make sense with static policy.\n\t\tif len(authority.Attestations) > 0 {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"static\", \"attestations\"))\n\t\t}\n\t\tif len(authority.Sources) > 0 {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"static\", \"source\"))\n\t\t}\n\t\tif authority.CTLog != nil {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"static\", \"ctlog\"))\n\t\t}\n\t\tif authority.RFC3161Timestamp != nil {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"static\", \"rfc3161timestamp\"))\n\t\t}\n\t}\n\n\tif len(authority.Sources) > 1 {\n\t\terrs = errs.Also(apis.ErrInvalidValue(\"source\", \"source\", \"only single source is supported\"))\n\t} else {\n\t\t// Validate the source only when there is at most one; with multiple\n\t\t// sources the error above is enough, so don't complain about each of them.\n\t\tfor i, source := range authority.Sources {\n\t\t\terrs = errs.Also(source.Validate(ctx).ViaFieldIndex(\"source\", i))\n\t\t}\n\t}\n\n\tfor _, att := range authority.Attestations {\n\t\terrs = errs.Also(att.Validate(ctx).ViaField(\"attestations\"))\n\t}\n\n\treturn errs\n}\n\nfunc (s *StaticRef) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\n\tif s.Action == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"action\"))\n\t} else if !common.ValidStaticRefTypes.Has(s.Action) {\n\t\terrs = errs.Also(apis.ErrInvalidValue(s.Action, \"action\", \"unsupported action\"))\n\t}\n\treturn errs\n}\n\nfunc (matchResource *MatchResource) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif matchResource.Resource != \"\" && common.ValidResourceNames.Len() > 0 &&\n\t\t!common.ValidResourceNames.Has(matchResource.Resource) {\n\t\terrs = errs.Also(apis.ErrInvalidValue(matchResource.Resource, \"resource\", \"unsupported resource name\"))\n\t}\n\n\tif matchResource.ResourceSelector != nil && (matchResource.Resource == \"\" && 
matchResource.Version == \"\" && matchResource.Group == \"\") {\n\t\terrs = errs.Also(apis.ErrInvalidValue(matchResource.Resource, \"selector\", \"selector requires a resource type to match the labels\"))\n\t}\n\treturn errs\n}\n\nfunc (key *KeyRef) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\n\tif key.Data == \"\" && key.KMS == \"\" && key.SecretRef == nil {\n\t\terrs = errs.Also(apis.ErrMissingOneOf(\"data\", \"kms\", \"secretref\"))\n\t}\n\n\tif key.HashAlgorithm != \"\" {\n\t\t_, err := signaturealgo.HashAlgorithm(key.HashAlgorithm)\n\t\tif err != nil {\n\t\t\terrs = errs.Also(apis.ErrInvalidValue(key.HashAlgorithm, \"hashAlgorithm\"))\n\t\t}\n\t}\n\n\tif key.Data != \"\" {\n\t\tif key.KMS != \"\" || key.SecretRef != nil {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"data\", \"kms\", \"secretref\"))\n\t\t}\n\t\tpublicKey, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(key.Data))\n\t\tif err != nil || publicKey == nil {\n\t\t\terrs = errs.Also(apis.ErrInvalidValue(key.Data, \"data\"))\n\t\t}\n\t} else if key.KMS != \"\" && key.SecretRef != nil {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"data\", \"kms\", \"secretref\"))\n\t}\n\tif key.KMS != \"\" {\n\t\terrs = errs.Also(common.ValidateKMS(key.KMS).ViaField(\"kms\"))\n\t}\n\tif key.SecretRef != nil && key.SecretRef.Namespace != \"\" && key.SecretRef.Namespace != system.Namespace() {\n\t\terrs = errs.Also(apis.ErrInvalidValue(key.SecretRef.Namespace, \"secretref.namespace\", \"secretref.namespace is invalid. 
If set, it should use the same namespace where the policy-controller was deployed\"))\n\t}\n\treturn errs\n}\n\nfunc (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif keyless.URL == nil && keyless.CACert == nil {\n\t\terrs = errs.Also(apis.ErrMissingOneOf(\"url\", \"ca-cert\"))\n\t}\n\n\t// TODO: Are these really mutually exclusive?\n\tif keyless.URL != nil && keyless.CACert != nil {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"url\", \"ca-cert\"))\n\t}\n\n\tif keyless.CACert != nil {\n\t\terrs = errs.Also(keyless.DeepCopy().CACert.Validate(ctx).ViaField(\"ca-cert\"))\n\t}\n\t// Check that identities is specified.\n\tif len(keyless.Identities) == 0 {\n\t\terrs = errs.Also(apis.ErrMissingField(\"identities\"))\n\t}\n\tfor i, identity := range keyless.Identities {\n\t\terrs = errs.Also(identity.Validate(ctx).ViaFieldIndex(\"identities\", i))\n\t}\n\treturn errs\n}\n\nfunc (source *Source) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif source.OCI != \"\" {\n\t\tif err := common.ValidateOCI(source.OCI); err != nil {\n\t\t\terrs = errs.Also(apis.ErrInvalidValue(source.OCI, \"oci\", err.Error()))\n\t\t}\n\t}\n\n\tif len(source.SignaturePullSecrets) > 0 {\n\t\tfor i, secret := range source.SignaturePullSecrets {\n\t\t\tif secret.Name == \"\" {\n\t\t\t\terrs = errs.Also(apis.ErrMissingField(\"name\")).ViaFieldIndex(\"signaturePullSecrets\", i)\n\t\t\t}\n\t\t}\n\t}\n\treturn errs\n}\n\nfunc (a *Attestation) Validate(ctx context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif a.Name == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"name\"))\n\t}\n\tswitch {\n\tcase a.PredicateType == \"\":\n\t\t// This is just straight up missing, so error out.\n\t\terrs = errs.Also(apis.ErrMissingField(\"predicateType\"))\n\tcase common.ValidPredicateTypes.Has(a.PredicateType):\n\t\t// Ok, it's a valid, deprecated short form. 
It's fine for now, but\n\t\t// should remove it soon because it is very error prone, so warn.\n\t\terrs = errs.Also(apis.ErrInvalidValue(a.PredicateType, \"predicateType\", \"deprecated value, please use RFC 3986 conformant values\").At(apis.WarningLevel))\n\tdefault:\n\t\t// This could be a fully specified URL, so check for that here.\n\t\tif _, err := url.ParseRequestURI(a.PredicateType); err != nil {\n\t\t\t// This is fine for now, but should remove it soon because it is\n\t\t\t// very error prone.\n\t\t\terrs = errs.Also(apis.ErrInvalidValue(a.PredicateType, \"predicateType\", \"deprecated value, please use RFC 3986 conformant values\").At(apis.WarningLevel))\n\t\t}\n\t}\n\terrs = errs.Also(a.Policy.Validate(ctx).ViaField(\"policy\"))\n\treturn errs\n}\n\nfunc (cmr *ConfigMapReference) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif cmr.Name == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"name\"))\n\t}\n\tif cmr.Key == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"key\"))\n\t}\n\treturn errs\n}\n\nfunc (r *RemotePolicy) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\turlObj := r.URL\n\tu, err := url.Parse(urlObj.String())\n\tif err != nil || (err == nil && (u.Host == \"\" || u.Scheme == \"\" || u.Scheme != \"https\")) {\n\t\terrs = errs.Also(apis.ErrInvalidValue(r.URL.String(), \"url\", \"url valid is invalid. 
host and https scheme are expected\"))\n\t}\n\tif r.Sha256sum == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"sha256sum\"))\n\t}\n\treturn errs\n}\n\nfunc (p *Policy) Validate(ctx context.Context) *apis.FieldError {\n\tif p == nil {\n\t\treturn nil\n\t}\n\tvar errs *apis.FieldError\n\tif p.Type != \"cue\" && p.Type != \"rego\" {\n\t\terrs = errs.Also(apis.ErrInvalidValue(p.Type, \"type\", \"only [cue,rego] are supported at the moment\"))\n\t}\n\tif p.Data == \"\" && p.ConfigMapRef == nil && p.Remote == nil {\n\t\terrs = errs.Also(apis.ErrMissingField(\"data\", \"configMapRef\", \"remote\"))\n\t}\n\tif p.Data != \"\" && p.ConfigMapRef != nil && p.Remote != nil {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"data\", \"configMapRef\", \"remote\"))\n\t}\n\tif (p.Data != \"\" && p.ConfigMapRef != nil) ||\n\t\t(p.Data != \"\" && p.Remote != nil) ||\n\t\t(p.ConfigMapRef != nil && p.Remote != nil) {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"data\", \"configMapRef\", \"remote\"))\n\t}\n\tif p.Remote != nil {\n\t\terrs = errs.Also(p.Remote.Validate(ctx).ViaField(\"remote\"))\n\t}\n\tif p.ConfigMapRef != nil {\n\t\terrs = errs.Also(p.ConfigMapRef.Validate(ctx).ViaField(\"configMapRef\"))\n\t}\n\tif !apis.IsInSpec(ctx) && p.FetchConfigFile != nil {\n\t\terrs = errs.Also(apis.ErrDisallowedFields(\"fetchConfigFile\"))\n\t}\n\tif !apis.IsInSpec(ctx) && p.IncludeSpec != nil {\n\t\terrs = errs.Also(apis.ErrDisallowedFields(\"includeSpec\"))\n\t}\n\tif !apis.IsInSpec(ctx) && p.IncludeObjectMeta != nil {\n\t\terrs = errs.Also(apis.ErrDisallowedFields(\"includeObjectMeta\"))\n\t}\n\tif !apis.IsInSpec(ctx) && p.IncludeTypeMeta != nil {\n\t\terrs = errs.Also(apis.ErrDisallowedFields(\"includeTypeMeta\"))\n\t}\n\t// TODO(vaikas): How to validate the cue / rego bytes here (data).\n\treturn errs\n}\n\nfunc (identity *Identity) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif identity.Issuer != \"\" && identity.IssuerRegExp != \"\" {\n\t\terrs = 
errs.Also(apis.ErrMultipleOneOf(\"issuer\", \"issuerRegExp\"))\n\t}\n\tif identity.Subject != \"\" && identity.SubjectRegExp != \"\" {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"subject\", \"subjectRegExp\"))\n\t}\n\tif identity.IssuerRegExp != \"\" {\n\t\terrs = errs.Also(ValidateRegex(identity.IssuerRegExp).ViaField(\"issuerRegExp\"))\n\t}\n\tif identity.SubjectRegExp != \"\" {\n\t\terrs = errs.Also(ValidateRegex(identity.SubjectRegExp).ViaField(\"subjectRegExp\"))\n\t}\n\tif identity.SubjectRegExp == \"\" && identity.Subject == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"subject\", \"subjectRegExp\"))\n\t}\n\tif identity.IssuerRegExp == \"\" && identity.Issuer == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"issuer\", \"issuerRegExp\"))\n\t}\n\treturn errs\n}\n\n// ValidateGlob checks that the glob compiles, first by matching it against an\n// empty string with filepath.Match and then with glob.Compile.\nfunc ValidateGlob(g string) *apis.FieldError {\n\tif _, err := filepath.Match(g, \"\"); err != nil {\n\t\treturn apis.ErrInvalidValue(g, apis.CurrentField, fmt.Sprintf(\"glob is invalid: %v\", err))\n\t}\n\tif _, err := glob.Compile(g); err != nil {\n\t\treturn apis.ErrInvalidValue(g, apis.CurrentField, fmt.Sprintf(\"glob is invalid: %v\", err))\n\t}\n\treturn nil\n}\n\nfunc ValidateRegex(regex string) *apis.FieldError {\n\t_, err := regexp.Compile(regex)\n\tif err != nil {\n\t\treturn apis.ErrInvalidValue(regex, apis.CurrentField, fmt.Sprintf(\"regex is invalid: %v\", err))\n\t}\n\n\treturn nil\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/common\"\n\t\"github.com/stretchr/testify/require\"\n\tv1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/ptr\"\n)\n\nconst validPublicKey = \"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaEOVJCFtduYr3xqTxeRWSW32CY/s\\nTBNZj4oIUPl8JvhVPJ1TKDPlNcuT4YphSt6t3yOmMvkdQbCj8broX6vijw==\\n-----END PUBLIC KEY-----\"\n\nfunc TestImagePatternValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when glob is not present\",\n\t\terrorString: \"missing field(s): spec.authorities, spec.images[0].glob\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Glob should fail with invalid glob\",\n\t\terrorString: \"invalid value: [: spec.images[0].glob\\nglob is invalid: syntax error in pattern\\nmissing field(s): spec.authorities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: 
\"[\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Glob should fail with invalid regexp\",\n\t\terrorString: \"invalid value: $FOO*: spec.images[0].glob\\nglob is invalid: invalid glob \\\"$FOO*\\\"\\nmissing field(s): spec.authorities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"$FOO*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"missing image and authorities in the spec\",\n\t\terrorString: \"missing field(s): spec.authorities, spec.images\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when authority is missing\",\n\t\terrorString: \"missing field(s): spec.authorities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when glob is valid: %v\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"gcr.io/*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tKMS: \"hashivault://key/path\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Glob should pass with exact digest image\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"ghcr.io/foo@sha256:5504f2a95018e3d8a52d80d9e1a128c6ea337581808ff9fe96f5628ce2336350\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tKMS: \"hashivault://key/path\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) 
{\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestKeyValidation(t *testing.T) {\n\tos.Setenv(\"SYSTEM_NAMESPACE\", \"cosign-system\")\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when key has multiple properties\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key.data, spec.authorities[0].key.kms, spec.authorities[0].key.secretref\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"myglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tData: \"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaEOVJCFtduYr3xqTxeRWSW32CY/s\\nTBNZj4oIUPl8JvhVPJ1TKDPlNcuT4YphSt6t3yOmMvkdQbCj8broX6vijw==\\n-----END PUBLIC KEY-----\",\n\t\t\t\t\t\t\tKMS:  \"hashivault://key/path\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key has malformed pubkey data\",\n\t\terrorString: \"invalid value: ---some key data----: spec.authorities[0].key.data\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"myglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tData: \"---some key data----\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key secretref has an invalid value for the namespace\",\n\t\terrorString: \"invalid value: invalid: spec.authorities[0].key.secretref.namespace\\nsecretref.namespace is invalid. 
If set, it should use the same namespace where the policy-controller was deployed\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"myglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tSecretRef: &v1.SecretReference{\n\t\t\t\t\t\t\t\tName:      \"test\",\n\t\t\t\t\t\t\t\tNamespace: \"invalid\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key is empty\",\n\t\terrorString: \"expected exactly one, got neither: spec.authorities[0].key.data, spec.authorities[0].key.kms, spec.authorities[0].key.secretref\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"myglob*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when key has only one property: %v\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"yepanotherglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tKMS: \"hashivault://key/path\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestKeylessValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when keyless is empty\",\n\t\terrorString: \"expected exactly one, got neither: spec.authorities[0].keyless.ca-cert, 
spec.authorities[0].keyless.url\\nmissing field(s): spec.authorities[0].keyless.identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when keyless has multiple properties\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].keyless.ca-cert, spec.authorities[0].keyless.url\\nmissing field(s): spec.authorities[0].keyless.identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tCACert: &KeyRef{\n\t\t\t\t\t\t\t\tData: validPublicKey,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should warn when valid keyless ref is specified, but no identities given\",\n\t\terrorString: \"missing field(s): spec.authorities[0].keyless.identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when valid keyless ref is specified\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: 
\"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tSubject: \"somesubject\",\n\t\t\t\t\t\t\t\t\tIssuer:  \"someissuer\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestStaticValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when static is empty\",\n\t\terrorString: \"missing field(s): spec.authorities[0].static.action\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when action is invalid\",\n\t\terrorString: \"invalid value: garbage: spec.authorities[0].static.action\\nunsupported action\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"garbage\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: 
[]Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass, and Spec.Policy.FetchConfigFile\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPolicy: &Policy{\n\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\tData:            `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\tFetchConfigFile: ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass, and Spec.Policy.IncludeSpec\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPolicy: &Policy{\n\t\t\t\t\tType:        \"cue\",\n\t\t\t\t\tData:        `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\tIncludeSpec: ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass, and Spec.Policy.IncludeObjectMeta\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPolicy: &Policy{\n\t\t\t\t\tType:              \"cue\",\n\t\t\t\t\tData:              `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\tIncludeObjectMeta: ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass, and 
Spec.Policy.IncludeTypeMeta\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPolicy: &Policy{\n\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\tData:            `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\tIncludeTypeMeta: ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with fail\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"fail\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestModeValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tmode        string\n\t}{{\n\t\tname: \"Should work when mode is empty\",\n\t\tmode: \"\",\n\t}, {\n\t\tname: \"Should work with mode enforce\",\n\t\tmode: \"enforce\",\n\t}, {\n\t\tname: \"Should work with mode warn\",\n\t\tmode: \"warn\",\n\t}, {\n\t\tname:        \"Should not work with mode garbage\",\n\t\tmode:        \"garbage\",\n\t\terrorString: \"invalid value: garbage: spec.mode\\nunsupported mode\",\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tpolicy := ClusterImagePolicy{\n\t\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\t\tImages:      []ImagePattern{{Glob: \"globbityglob\"}},\n\t\t\t\t\tAuthorities: []Authority{{Static: &StaticRef{Action: \"pass\"}}},\n\t\t\t\t\tMode:        
test.mode,\n\t\t\t\t},\n\t\t\t}\n\t\t\terr := policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestAuthoritiesValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\twarnString  string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when authority is empty\",\n\t\terrorString: \"expected exactly one, got neither: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key/keyless specified\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{Data: validPublicKey},\n\t\t\t\t\t\tKeyless: &KeylessRef{URL: apis.HTTPS(\"fulcio.sigstore.dev\")},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key/static specified\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:    &KeyRef{Data: validPublicKey},\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:    
    \"Should fail when keyless/static specified\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic:  &StaticRef{Action: \"fail\"},\n\t\t\t\t\t\tKeyless: &KeylessRef{URL: apis.HTTPS(\"fulcio.sigstore.dev\")},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key/keyless/static specified\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{Data: validPublicKey},\n\t\t\t\t\t\tKeyless: &KeylessRef{URL: apis.HTTPS(\"fulcio.sigstore.dev\")},\n\t\t\t\t\t\tStatic:  &StaticRef{Action: \"fail\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when static and sources,attestations, and ctlog is specified, warn about legacy short predicate type\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].attestations, spec.authorities[0].ctlog, spec.authorities[0].source, spec.authorities[0].static\",\n\t\twarnString:  \"invalid value: vuln: spec.authorities[0].attestations.predicateType\\ndeprecated value, please use RFC 3986 conformant values\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic:       &StaticRef{Action: 
\"fail\"},\n\t\t\t\t\t\tAttestations: []Attestation{{Name: \"first\", PredicateType: \"vuln\"}},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"placeholder\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tCTLog: &TLog{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when authorities is empty\",\n\t\terrorString: \"missing field(s): spec.authorities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when source oci is present\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid AWS KMS for Keyful\",\n\t\terrorString: \"invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].key.kms\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"awskms://localhost:8888/arn:butnotvalid\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid kms prefix\",\n\t\terrorString: \"invalid value: fookms://localhost:8888/xpa:butnotvalid: 
spec.authorities[0].key.kms\\nmalformed KMS format, should be prefixed by any of the supported providers: [awskms:// azurekms:// hashivault:// gcpkms://]\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"fookms://localhost:8888/xpa:butnotvalid\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid AWS KMS for Keyful\",\n\t\terrorString: \"invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].key.kms\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"awskms://localhost:8888/arn:butnotvalid\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid OCI value\",\n\t\terrorString: \"invalid value: registry.example.com/repo/*: spec.authorities[0].source[0].oci\\nrepository can only contain the characters `abcdefghijklmnopqrstuvwxyz0123456789_-./`: repo/*\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com/repo/*\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid OCI value usign wrong characters\",\n\t\terrorString: \"invalid value: re@gistry/reponame: spec.authorities[0].source[0].oci\\nregistries must be valid RFC 3986 URI authorities: 
re@gistry/reponame\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"re@gistry/reponame\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with valid OCI repository name\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"gcr.io/google.com/project/hello-world\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with valid OCI repository name\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com/repository\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid AWS KMS for Keyless\",\n\t\terrorString: \"invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].keyless.ca-cert.kms\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\\nmissing field(s): spec.authorities[0].keyless.identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{CACert: &KeyRef{KMS: \"awskms://localhost:8888/arn:butnotvalid\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with single source oci is present\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: 
ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{OCI: \"registry1\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should fail with multiple source oci is present\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{OCI: \"registry1\"},\n\t\t\t\t\t\t\t{OCI: \"registry2\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"invalid value: source: spec.authorities[0].source\\nonly single source is supported\",\n\t}, {\n\t\tname: \"Should pass with attestations present\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should fail with attestations policy specifying fetchConfigFile\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: 
\"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\t\t\t\tData:            `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t\tFetchConfigFile: ptr.Bool(true),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"must not set the field(s): spec.authorities[0].attestations.policy.fetchConfigFile\",\n\t}, {\n\t\tname: \"Should fail with attestations policy specifying includeSpec\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType:        \"cue\",\n\t\t\t\t\t\t\t\tData:        `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t\tIncludeSpec: ptr.Bool(true),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"must not set the field(s): spec.authorities[0].attestations.policy.includeSpec\",\n\t}, {\n\t\tname: \"Should fail with attestations policy specifying includeObjectMeta\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: 
[]Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType:              \"cue\",\n\t\t\t\t\t\t\t\tData:              `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t\tIncludeObjectMeta: ptr.Bool(true),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"must not set the field(s): spec.authorities[0].attestations.policy.includeObjectMeta\",\n\t}, {\n\t\tname: \"Should fail with attestations policy specifying includeTypeMeta\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\t\t\t\tData:            `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t\tIncludeTypeMeta: ptr.Bool(true),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"must not set the field(s): spec.authorities[0].attestations.policy.includeTypeMeta\",\n\t}, {\n\t\tname:        \"Should fail with signaturePullSecret name empty\",\n\t\terrorString: \"missing field(s): spec.authorities[0].source[0].signaturePullSecrets[0].name\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: 
\"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with signaturePullSecret name filled\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"testPullSecrets\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when source oci is empty\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, test.warnString, err)\n\t\t})\n\t}\n}\n\nfunc TestAttestationsValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\twarnString  string\n\t\tattestation Attestation\n\t}{{\n\t\tname:        \"https://cosign.sigstore.dev/attestation/vuln/v1\",\n\t\tattestation: Attestation{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t}, {\n\t\tname:        \"fully specified URL\",\n\t\tattestation: Attestation{Name: \"fullyspecified\", 
PredicateType: \"https://cyclonedx.org/schema\"},\n\t}, {\n\t\tname:        \"missing name\",\n\t\tattestation: Attestation{PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\terrorString: \"missing field(s): name\",\n\t}, {\n\t\tname:        \"missing predicatetype\",\n\t\tattestation: Attestation{Name: \"first\"},\n\t\terrorString: \"missing field(s): predicateType\",\n\t}, {\n\t\tname:        \"invalid predicatetype\",\n\t\tattestation: Attestation{Name: \"first\", PredicateType: \"notsupported\"},\n\t\twarnString:  \"invalid value: notsupported: predicateType\\ndeprecated value, please use RFC 3986 conformant values\",\n\t}, {\n\t\tname: \"custom with invalid policy type\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"not-cue\",\n\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t},\n\t\t},\n\t\terrorString: \"invalid value: not-cue: policy.type\\nonly [cue,rego] are supported at the moment\",\n\t}, {\n\t\tname: \"custom with missing policy data and configMapRef\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t},\n\t\t},\n\t\terrorString: \"missing field(s): policy.configMapRef, policy.data, policy.remote\",\n\t}, {\n\t\tname: \"custom with both policy data and configMapRef\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\tConfigMapRef: &ConfigMapReference{\n\t\t\t\t\tName: \"cmname\",\n\t\t\t\t\tKey:  \"keyname\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"expected exactly one, got both: policy.configMapRef, policy.data, policy.remote\",\n\t}, {\n\t\tname: \"custom with both policy 
data, url and configMapRef\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\tConfigMapRef: &ConfigMapReference{\n\t\t\t\t\tName: \"cmname\",\n\t\t\t\t\tKey:  \"keyname\",\n\t\t\t\t},\n\t\t\t\tRemote: &RemotePolicy{\n\t\t\t\t\tURL:       *apis.HTTPS(\"example.com\"),\n\t\t\t\t\tSha256sum: \"123123123\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"expected exactly one, got both: policy.configMapRef, policy.data, policy.remote\",\n\t}, {\n\t\tname: \"custom with both policy url\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tRemote: &RemotePolicy{\n\t\t\t\t\tURL:       *apis.HTTPS(\"example.com\"),\n\t\t\t\t\tSha256sum: \"123123123\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"custom with invalid policy url scheme\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tRemote: &RemotePolicy{\n\t\t\t\t\tURL:       *apis.HTTP(\"example.com\"),\n\t\t\t\t\tSha256sum: \"123123123\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"invalid value: http://example.com: policy.remote.url\\nurl valid is invalid. 
host and https scheme are expected\",\n\t}, {\n\t\tname: \"custom with invalid configMapRef, missing key\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tConfigMapRef: &ConfigMapReference{\n\t\t\t\t\tName: \"cmname\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"missing field(s): policy.configMapRef.key\",\n\t}, {\n\t\tname: \"custom with policy\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.attestation.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, test.warnString, err)\n\t\t})\n\t}\n}\nfunc TestIdentitiesValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname: \"Should pass with identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: []Identity{{SubjectRegExp: \".*subject.*\", IssuerRegExp: \".*issuer.*\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should warn when identities fields are empty\",\n\t\terrorString: \"missing field(s): spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp, spec.authorities[0].keyless.identities[0].subject, 
spec.authorities[0].keyless.identities[0].subjectRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: []Identity{{Issuer: \"\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with both issuer and issuerRegExp\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Issuer: \"issuer\", IssuerRegExp: \"issuerregexp\", Subject: \"subject\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with both subject and subjectRegExp\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Subject: \"subject\", SubjectRegExp: \"subjectregexp\", Issuer: 
\"issuer\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when issuer has invalid regex\",\n\t\terrorString: \"invalid value: ****: spec.authorities[0].keyless.identities[0].issuerRegExp\\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{IssuerRegExp: \"****\", Subject: \"subject\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should warn when issuer or issuerRegExp is missing\",\n\t\terrorString: \"missing field(s): spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Subject: \"subject\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should warn when subject or subjectRegExp is missing\",\n\t\terrorString: \"missing field(s): spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: 
[]Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Issuer: \"issuer\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when subject has invalid regex\",\n\t\terrorString: \"invalid value: ****: spec.authorities[0].keyless.identities[0].subjectRegExp\\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Issuer: \"issuer\", SubjectRegExp: \"****\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when subject and issuer have valid regex\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{SubjectRegExp: \".*subject.*\", IssuerRegExp: \".*issuer.*\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when identities is valid\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: 
\"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tIssuer:  \"some issuer\",\n\t\t\t\t\t\t\t\t\tSubject: \"some subject\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestAWSKMSValidation(t *testing.T) {\n\t// Note the error messages betweeen the kms / cacert validation is\n\t// identical, with the only difference being `kms` or `ca-cert.kms`. Reason\n\t// for the ca-cert.kms is because it's embedded within the ca-cert that\n\t// we pass in. So we put a KMSORCACERT into the err string that we then\n\t// replace based on the tests so we don't have to write identical tests\n\t// for both of them.\n\ttests := []struct {\n\t\tname        string\n\t\texpectErr   bool\n\t\terrorString string\n\t\tkms         string\n\t}{{\n\t\tname:        \"malformed, only 2 slashes \",\n\t\texpectErr:   true,\n\t\terrorString: \"invalid value: awskms://1234abcd-12ab-34cd-56ef-1234567890ab: KMSORCACERT\\nmalformed AWS KMS format 'awskms://$ENDPOINT/$KEYID', should be conformant with KMS standard documented here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id\",\n\t\tkms:         \"awskms://1234abcd-12ab-34cd-56ef-1234567890ab\",\n\t}, {\n\t\tname:        \"fails with invalid host\",\n\t\texpectErr:   true,\n\t\terrorString: \"invalid value: awskms://localhost:::4566/alias/exampleAlias: KMSORCACERT\\nmalformed endpoint: address localhost:::4566: too many colons in address\",\n\t\tkms:         \"awskms://localhost:::4566/alias/exampleAlias\",\n\t}, {\n\t\tname:        \"fails with non-arn alias\",\n\t\texpectErr:   true,\n\t\terrorString: \"invalid value: awskms://localhost:4566/alias/exampleAlias: KMSORCACERT\\nfailed to parse either key or 
alias arn: arn: invalid prefix\",\n\t\tkms:         \"awskms://localhost:4566/alias/exampleAlias\",\n\t}, {\n\t\tname:        \"Should fail when arn is invalid\",\n\t\texpectErr:   true,\n\t\terrorString: \"invalid value: awskms://localhost:4566/arn:sonotvalid: KMSORCACERT\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\",\n\t\tkms:         \"awskms://localhost:4566/arn:sonotvalid\",\n\t}, {\n\t\tname:        \"Should fail with key is invalid\",\n\t\texpectErr:   true,\n\t\terrorString: \"invalid value: awskms://arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab: KMSORCACERT\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\",\n\t\tkms:         \"awskms://arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\",\n\t}, {\n\t\tname: \"works with valid arn key and endpoint\",\n\t\tkms:  \"awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\",\n\t}, {\n\t\tname: \"works with valid arn key and no endpoint\",\n\t\tkms:  \"awskms:///arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\",\n\t}, {\n\t\tname: \"works with valid arn alias and endpoint\",\n\t\tkms:  \"awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias\",\n\t}, {\n\t\tname: \"works with valid arn alias and no endpoint\",\n\t\tkms:  \"awskms:///arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias\",\n\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\t// First test with KeyRef\n\t\t\tkeyRef := KeyRef{KMS: test.kms}\n\t\t\terr := keyRef.Validate(context.TODO())\n\t\t\tkmsErrString := strings.Replace(test.errorString, \"KMSORCACERT\", \"kms\", 1)\n\t\t\tvalidateError(t, kmsErrString, \"\", err)\n\t\t\t// Then with Keyless with CACert as KeyRef\n\t\t\tkeylessRef := KeylessRef{CACert: &keyRef, Identities: []Identity{{Subject: \"testsubject\", Issuer: 
\"testIssuer\"}}}\n\t\t\terr = keylessRef.Validate(context.TODO())\n\t\t\tcaCertErrString := strings.Replace(test.errorString, \"KMSORCACERT\", \"ca-cert.kms\", 1)\n\t\t\tvalidateError(t, caCertErrString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestMatchValidation(t *testing.T) {\n\t// Add a \"supported\" resource name that we'll use to test things.\n\tcommon.ValidResourceNames.Insert(\"supported\")\n\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname: \"Should pass with identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: []Identity{{SubjectRegExp: \".*subject.*\", IssuerRegExp: \".*issuer.*\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with match label selector\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tMatch: []MatchResource{\n\t\t\t\t\t{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"apps\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: \"supported\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tResourceSelector: &metav1.LabelSelector{\n\t\t\t\t\t\t\tMatchLabels: map[string]string{\"a\": \"b\", \"c\": \"d\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tIssuer:  \"some 
issuer\",\n\t\t\t\t\t\t\t\t\tSubject: \"some subject\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with match resource types\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tMatch: []MatchResource{\n\t\t\t\t\t{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"apps\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: \"supported\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tInsecureIgnoreSCT: ptr.Bool(true),\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tIssuer:  \"some issuer\",\n\t\t\t\t\t\t\t\t\tSubject: \"some subject\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid match resource type\",\n\t\terrorString: \"invalid value: myobject: spec.match[0].resource\\nunsupported resource name\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tMatch: []MatchResource{\n\t\t\t\t\t{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: \"myobject\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tIssuer:  \"some 
issuer\",\n\t\t\t\t\t\t\t\t\tSubject: \"some subject\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\n// validateError checks the given error against wanted error/warning strings\n// if either is \"\" then it's assume an error/warning is not wanted and if\n// one is given, will error.\n// nolint since currently we do not have warnings we expect, but having this\n// around makes it easier to add warning validations in the future.\n//\n//nolint:all\nfunc validateError(t *testing.T, wantErrStr, wantWarnStr string, fe *apis.FieldError) {\n\tt.Helper()\n\t// Grab warning and check it first\n\twarnFE := fe.Filter(apis.WarningLevel)\n\tif wantWarnStr != \"\" {\n\t\trequire.NotNil(t, warnFE)\n\t\trequire.EqualError(t, warnFE, wantWarnStr)\n\t} else {\n\t\trequire.Nil(t, warnFE)\n\t}\n\n\t// Then grab error and check it\n\terrFE := fe.Filter(apis.ErrorLevel)\n\tif wantErrStr != \"\" {\n\t\trequire.NotNil(t, errFE)\n\t\trequire.EqualError(t, errFE, wantErrStr)\n\t} else {\n\t\trequire.Nil(t, errFE)\n\t}\n}\n\nfunc TestIgnoreStatusUpdates(t *testing.T) {\n\tcip := &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Images: []ImagePattern{{Glob: \"\"}}}}\n\n\tif err := cip.Validate(apis.WithinSubResourceUpdate(context.Background(), &cip, \"status\")); err != nil {\n\t\tt.Errorf(\"Failed to update status on invalid resource: %v\", err)\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// +k8s:deepcopy-gen=package\n// +groupName=policy.sigstore.dev\npackage v1alpha1\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/register.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\tpolicy \"github.com/sigstore/policy-controller/pkg/apis/policy\"\n\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n)\n\n// SchemeGroupVersion is group version used to register these objects\nvar SchemeGroupVersion = schema.GroupVersion{Group: policy.GroupName, Version: \"v1alpha1\"}\n\n// Kind takes an unqualified kind and returns back a Group qualified GroupKind\nfunc Kind(kind string) schema.GroupKind {\n\treturn SchemeGroupVersion.WithKind(kind).GroupKind()\n}\n\n// Resource takes an unqualified resource and returns a Group qualified GroupResource\nfunc Resource(resource string) schema.GroupResource {\n\treturn SchemeGroupVersion.WithResource(resource).GroupResource()\n}\n\nvar (\n\t// SchemeBuilder builds a scheme with the types known to the package.\n\tSchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)\n\t// AddToScheme adds the types known to this package to an existing schema.\n\tAddToScheme = SchemeBuilder.AddToScheme\n)\n\n// Adds the list of known types to Scheme.\nfunc addKnownTypes(scheme *runtime.Scheme) error {\n\tscheme.AddKnownTypes(SchemeGroupVersion,\n\t\t&ClusterImagePolicy{},\n\t\t&ClusterImagePolicyList{},\n\t\t&TrustRoot{},\n\t\t&TrustRootList{},\n\t)\n\tmetav1.AddToGroupVersion(scheme, 
SchemeGroupVersion)\n\treturn nil\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_defaults.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport \"context\"\n\n// SetDefaults implements apis.Defaultable\nfunc (tr *TrustRoot) SetDefaults(ctx context.Context) {\n\ttr.Spec.SetDefaults(ctx)\n}\n\nfunc (spec *TrustRootSpec) SetDefaults(_ context.Context) {\n\tif spec.Repository != nil && spec.Repository.Targets == \"\" {\n\t\tspec.Repository.Targets = \"targets\"\n\t}\n\tif spec.Remote != nil && spec.Remote.Targets == \"\" {\n\t\tspec.Remote.Targets = \"targets\"\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_defaults_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\n\t\"testing\"\n)\n\nconst defaultTargets = \"targets\"\n\nfunc TestTargetsDefaulting(t *testing.T) {\n\ttests := []struct {\n\t\tin                   *TrustRoot\n\t\twantRepositoryTarget string\n\t\twantRemoteTarget     string\n\t}{\n\t\t{in: trustrootWithTargets(\"\", \"\"),\n\t\t\twantRepositoryTarget: defaultTargets,\n\t\t\twantRemoteTarget:     defaultTargets,\n\t\t}, {in: trustrootWithTargets(\"foo\", \"\"),\n\t\t\twantRepositoryTarget: \"foo\",\n\t\t\twantRemoteTarget:     defaultTargets,\n\t\t}, {in: trustrootWithTargets(\"\", \"bar\"),\n\t\t\twantRepositoryTarget: defaultTargets,\n\t\t\twantRemoteTarget:     \"bar\",\n\t\t}, {in: trustrootWithTargets(\"foo\", \"bar\"),\n\t\t\twantRepositoryTarget: \"foo\",\n\t\t\twantRemoteTarget:     \"bar\",\n\t\t}}\n\tfor _, tc := range tests {\n\t\ttc.in.SetDefaults(context.TODO())\n\t\tif tc.wantRemoteTarget != tc.in.Spec.Remote.Targets {\n\t\t\tt.Errorf(\"Wanted remote target: %s got: %s\", tc.wantRemoteTarget, tc.in.Spec.Remote.Targets)\n\t\t}\n\t\tif tc.wantRepositoryTarget != tc.in.Spec.Repository.Targets {\n\t\t\tt.Errorf(\"Wanted remote target: %s got: %s\", tc.wantRepositoryTarget, tc.in.Spec.Repository.Targets)\n\t\t}\n\t}\n}\n\nfunc trustrootWithTargets(repoTargets, remoteTargets string) *TrustRoot {\n\treturn &TrustRoot{\n\t\tSpec: 
TrustRootSpec{\n\t\t\tRepository: &Repository{Targets: repoTargets},\n\t\t\tRemote:     &Remote{Targets: remoteTargets},\n\t\t},\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_lifecycle.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"knative.dev/pkg/apis\"\n)\n\nvar trCondSet = apis.NewLivingConditionSet(\n\tTrustRootConditionKeysInlined,\n\tTrustRootConditionCMUpdated,\n)\n\n// GetConditionSet retrieves the condition set for this resource.\n// Implements the KRShaped interface.\nfunc (*TrustRoot) GetConditionSet() apis.ConditionSet {\n\treturn trCondSet\n}\n\n// IsReady returns if the TrustRoot was compiled successfully to\n// ConfigMap.\nfunc (tr *TrustRoot) IsReady() bool {\n\tts := tr.Status\n\treturn ts.ObservedGeneration == tr.Generation &&\n\t\tts.GetCondition(TrustRootConditionReady).IsTrue()\n}\n\n// IsFailed returns true if the resource has observed\n// the latest generation and ready is false.\nfunc (tr *TrustRoot) IsFailed() bool {\n\tts := tr.Status\n\treturn ts.ObservedGeneration == tr.Generation &&\n\t\tts.GetCondition(TrustRootConditionReady).IsFalse()\n}\n\n// InitializeConditions sets the initial values to the conditions.\nfunc (ts *TrustRootStatus) InitializeConditions() {\n\ttrCondSet.Manage(ts).InitializeConditions()\n}\n\n// MarkInlineKeysFailed surfaces a failure that we were unable to inline\n// the keys (from secrets or from KMS).\nfunc (ts *TrustRootStatus) MarkInlineKeysFailed(msg string) {\n\tcipCondSet.Manage(ts).MarkFalse(TrustRootConditionKeysInlined, inlineKeysFailedReason, msg)\n}\n\n// MarkInlineKeysOk 
marks the status saying that the inlining of the keys\n// had no errors.\n// NOTE(review): this manages cipCondSet, whereas the TrustRoot conditions are\n// declared on trCondSet in this file; confirm that is intended.\nfunc (ts *TrustRootStatus) MarkInlineKeysOk() {\n\tcipCondSet.Manage(ts).MarkTrue(TrustRootConditionKeysInlined)\n}\n\n// MarkCMUpdateFailed surfaces a failure that we were unable to reflect the\n// TrustRoot into the compiled ConfigMap.\nfunc (ts *TrustRootStatus) MarkCMUpdateFailed(msg string) {\n\ttrCondSet.Manage(ts).MarkFalse(TrustRootConditionCMUpdated, updateCMFailedReason, msg)\n}\n\n// MarkCMUpdatedOK marks the status saying that the ConfigMap has been updated.\nfunc (ts *TrustRootStatus) MarkCMUpdatedOK() {\n\ttrCondSet.Manage(ts).MarkTrue(TrustRootConditionCMUpdated)\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_types.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n\t\"knative.dev/pkg/apis\"\n\tduckv1 \"knative.dev/pkg/apis/duck/v1\"\n\t\"knative.dev/pkg/kmeta\"\n)\n\n// TrustRoot defines the keys and certificates that are trusted for\n// validating against. These can be specified as TUF Roots, serialized TUF\n// repository (for air-gap scenarios), as well as serialized keys/certificates,\n// for bring your own keys/certs.\n//\n// +genclient\n// +genclient:nonNamespaced\n// +genreconciler:krshapedlogic=true\n// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\ntype TrustRoot struct {\n\tmetav1.TypeMeta   `json:\",inline\"`\n\tmetav1.ObjectMeta `json:\"metadata\"`\n\n\t// Spec is the definition for a trust root. This is either a TUF root and\n\t// remote or local repository. 
You can also bring your own keys/certs here.\n\tSpec TrustRootSpec `json:\"spec\"`\n\n\t// Status represents the current state of the TrustRoot.\n\t// This data may be out of date.\n\t// +optional\n\tStatus TrustRootStatus `json:\"status,omitempty\"`\n}\n\nvar (\n\t_ apis.Validatable   = (*TrustRoot)(nil)\n\t_ apis.Defaultable   = (*TrustRoot)(nil)\n\t_ kmeta.OwnerRefable = (*TrustRoot)(nil)\n\t// Check that the type conforms to the duck Knative Resource shape.\n\t_ duckv1.KRShaped = (*TrustRoot)(nil)\n)\n\nconst (\n\t// TrustRootConditionReady is set when the TrustRoot has been\n\t// compiled into the underlying ConfigMap properly.\n\tTrustRootConditionReady = apis.ConditionReady\n\t// TrustRootConditionKeysInlined is set to True when keys have been either\n\t// verified, fetched and verified and inlined into the intermediate\n\t// representation usable for validation.\n\tTrustRootConditionKeysInlined apis.ConditionType = \"KeysInlined\"\n\t// TrustRootConditionCMUpdated is set to True when the inline representation\n\t// has been successfully added to the ConfigMap holding all the TrustRoots.\n\tTrustRootConditionCMUpdated apis.ConditionType = \"ConfigMapUpdated\"\n)\n\n// GetGroupVersionKind implements kmeta.OwnerRefable\nfunc (tr *TrustRoot) GetGroupVersionKind() schema.GroupVersionKind {\n\treturn SchemeGroupVersion.WithKind(\"TrustRoot\")\n}\n\n// TrustRootSpec defines a trusted Root. 
This is typically either a TUF Root\n// or a bring your own keys variation.\n// It specifies either:\n// root.json and remote\n// or\n// fully gzipped / tarred directory containing root and metadata directories\n// or\n// serialized keys / certificate chains (bring your own keys).\ntype TrustRootSpec struct {\n\t// Remote specifies initial root of trust & remote mirror.\n\t// +optional\n\tRemote *Remote `json:\"remote,omitempty\"`\n\n\t// Repository contains the serialized TUF remote repository.\n\t// +optional\n\tRepository *Repository `json:\"repository,omitempty\"`\n\n\t// SigstoreKeys contains the serialized keys.\n\t// +optional\n\tSigstoreKeys *SigstoreKeys `json:\"sigstoreKeys,omitempty\"`\n}\n\n// Remote specifies the TUF with trusted initial root and remote mirror where\n// to fetch updates from.\ntype Remote struct {\n\t// Root is the base64 encoded, json trusted initial root.\n\tRoot []byte `json:\"root\"`\n\n\t// Mirror is the remote mirror, for example:\n\t// https://tuf-repo-cdn.sigstore.dev\n\tMirror apis.URL `json:\"mirror\"`\n\n\t// Targets is where the targets live off of the root of the Remote\n\t// If not specified 'targets' is defaulted.\n\t// +optional\n\tTargets string `json:\"targets,omitempty\"`\n\n\t// TrustedRootTarget is the name of the target containing the JSON trusted\n\t// root. If not specified, `trusted_root.json` is used.\n\t// +optional\n\tTrustedRootTarget string `json:\"trustedRootTarget,omitempty\"`\n}\n\n// Repository specifies an airgapped TUF. Specifies the trusted initial root as\n// well as a serialized repository.\ntype Repository struct {\n\t// Root is the base64 encoded, json trusted initial root.\n\tRoot []byte `json:\"root\"`\n\n\t// MirrorFS is the base64 tarred, gzipped, and base64 encoded remote\n\t// repository that can be used for example in air-gap environments. 
Will\n\t// not make outbound network connections, and must then be kept up to date\n\t// in some other manner.\n\t// The repository must contain metadata as well as targets.\n\tMirrorFS []byte `json:\"mirrorFS\"`\n\n\t// Targets is where the targets live off of the root of the Repository\n\t// above. If not specified 'targets' is defaulted.\n\t// +optional\n\tTargets string `json:\"targets,omitempty\"`\n\n\t// TrustedRootTarget is the name of the target containing the JSON trusted\n\t// root. If not specified, `trusted_root.json` is used.\n\t// +optional\n\tTrustedRootTarget string `json:\"trustedRootTarget,omitempty\"`\n}\n\n// TransparencyLogInstance describes the immutable parameters from a\n// transparency log.\n// See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters\n// for more details.\n// The included parameters are the minimal set required to identify a log,\n// and verify an inclusion promise.\ntype TransparencyLogInstance struct {\n\t// The base URL which can be used for URLs for clients.\n\tBaseURL apis.URL `json:\"baseURL\"`\n\t// The hash algorithm used for the Merkle Tree\n\tHashAlgorithm string `json:\"hashAlgorithm\"`\n\t// PEM encoded public key\n\tPublicKey []byte `json:\"publicKey\"`\n}\n\ntype DistinguishedName struct {\n\tOrganization string `json:\"organization\"`\n\tCommonName   string `json:\"commonName\"`\n}\n\ntype CertificateAuthority struct {\n\t// The root certificate MUST be self-signed, and so the subject and\n\t// issuer are the same.\n\tSubject DistinguishedName `json:\"subject\"`\n\t// The URI at which the CA can be accessed.\n\tURI apis.URL `json:\"uri\"`\n\t// The certificate chain for this CA in PEM format. Last entry in this\n\t// chain is the Root certificate.\n\tCertChain []byte `json:\"certChain\"`\n\n\t// TODO(vaikas): How to best represent this\n\t// The time the *entire* chain was valid. 
This is at max the\n\t// longest interval when *all* certificates in the chain were valid,\n\t// but it MAY be shorter.\n\t//       dev.sigstore.common.v1.TimeRange valid_for = 4;\n}\n\n// SigstoreKeys contains all the necessary Keys and Certificates for validating\n// against a specific instance of Sigstore. This is used for bringing your own\n// trusted keys/certs.\n// TODO(vaikas): See about replacing these with the protos here once they land\n// and see how easy it is to replace with protos instead of our custom defs\n// above.\n// https://github.com/sigstore/protobuf-specs/pull/5\n// And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70\n// Well, not the multi-root, but one instance of that is exactly the\n// SigstoreKeys.\ntype SigstoreKeys struct {\n\t// Trusted certificate authorities (e.g. Fulcio).\n\tCertificateAuthorities []CertificateAuthority `json:\"certificateAuthorities\"`\n\t// Rekor log specifications\n\t// +optional\n\tTLogs []TransparencyLogInstance `json:\"tLogs,omitempty\"`\n\t// Certificate Transparency Log\n\t// +optional\n\tCTLogs []TransparencyLogInstance `json:\"ctLogs,omitempty\"`\n\t// Trusted timestamping authorities\n\t// +optional\n\tTimeStampAuthorities []CertificateAuthority `json:\"timestampAuthorities,omitempty\"`\n}\n\n// TrustRootStatus represents the current state of a TrustRoot.\ntype TrustRootStatus struct {\n\t// inherits duck/v1 Status, which currently provides:\n\t// * ObservedGeneration - the 'Generation' of the Broker that was last processed by the controller.\n\t// * Conditions - the latest available observations of a resource's current state.\n\tduckv1.Status `json:\",inline\"`\n}\n\n// GetStatus retrieves the status of the TrustRoot.\n// Implements the KRShaped interface.\nfunc (tr *TrustRoot) GetStatus() *duckv1.Status {\n\treturn &tr.Status.Status\n}\n\n// TrustRootList is a list of TrustRoot resources\n//\n// 
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\ntype TrustRootList struct {\n\tmetav1.TypeMeta `json:\",inline\"`\n\tmetav1.ListMeta `json:\"metadata\"`\n\n\tItems []TrustRoot `json:\"items\"`\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_validation.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\n\t\"github.com/sigstore/policy-controller/pkg/tuf\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/logging\"\n)\n\n// By default the TUF repo contains this prefix, so if it's there, remove\n// it.\nconst DefaultTUFRepoPrefix = \"/repository/\"\n\n// Validate implements apis.Validatable\nfunc (tr *TrustRoot) Validate(ctx context.Context) *apis.FieldError {\n\t// If we're doing status updates, do not validate the spec.\n\tif apis.IsInStatusUpdate(ctx) {\n\t\treturn nil\n\t}\n\treturn tr.Spec.Validate(ctx).ViaField(\"spec\")\n}\n\nfunc (spec *TrustRootSpec) Validate(ctx context.Context) (errors *apis.FieldError) {\n\tif spec.Repository == nil && spec.Remote == nil && spec.SigstoreKeys == nil {\n\t\treturn apis.ErrMissingOneOf(\"repository\", \"remote\", \"sigstoreKeys\")\n\t}\n\tif spec.Repository != nil {\n\t\tif spec.Remote != nil || spec.SigstoreKeys != nil {\n\t\t\treturn apis.ErrMultipleOneOf(\"repository\", \"remote\", \"sigstoreKeys\")\n\t\t}\n\t\treturn spec.Repository.Validate(ctx).ViaField(\"repository\")\n\t}\n\tif spec.Remote != nil {\n\t\tif spec.Repository != nil || spec.SigstoreKeys != nil {\n\t\t\treturn apis.ErrMultipleOneOf(\"repository\", \"remote\", 
\"sigstoreKeys\")\n\t\t}\n\t\treturn spec.Remote.Validate(ctx).ViaField(\"remote\")\n\t}\n\tif spec.SigstoreKeys != nil {\n\t\tif spec.Remote != nil || spec.Repository != nil {\n\t\t\treturn apis.ErrMultipleOneOf(\"repository\", \"remote\", \"sigstoreKeys\")\n\t\t}\n\t\treturn spec.SigstoreKeys.Validate(ctx).ViaField(\"sigstoreKeys\")\n\t}\n\treturn\n}\n\nfunc (repo *Repository) Validate(ctx context.Context) (errors *apis.FieldError) {\n\tif repo.Targets == \"\" {\n\t\terrors = errors.Also(apis.ErrMissingField(\"targets\"))\n\t}\n\n\terrors = errors.Also(ValidateRoot(ctx, repo.Root))\n\n\tif len(repo.MirrorFS) == 0 {\n\t\terrors = errors.Also(apis.ErrMissingField(\"repository\"))\n\t} else {\n\t\tif errors != nil {\n\t\t\t// We return here in case there in case there are errors. This is\n\t\t\t// because we do not want to pollute the error message, because\n\t\t\t// with any of the above errors, the TUF init will fail and it will\n\t\t\t// not be a meaningful error without fixing the above errors.\n\t\t\treturn\n\t\t}\n\t\t// Make sure we can construct a TUF client out of it.\n\t\tc, err := tuf.ClientFromSerializedMirror(ctx, repo.MirrorFS, repo.Root, repo.Targets, DefaultTUFRepoPrefix)\n\t\tif err != nil {\n\t\t\terrors = errors.Also(apis.ErrInvalidValue(\"failed to construct a TUF client\", \"mirrorFS\", err.Error()))\n\t\t} else if targetFiles, err := c.GetTopLevelTargets(); err != nil {\n\t\t\terrors = errors.Also(apis.ErrInvalidValue(\"failed to get targets from a TUF client\", \"mirrorFS\", err.Error()))\n\t\t} else {\n\t\t\tlogging.FromContext(ctx).Debugf(\"FS uncompressed ok, have %d valid targets\", len(targetFiles))\n\t\t}\n\t}\n\treturn\n}\n\nfunc (remote *Remote) Validate(ctx context.Context) (errors *apis.FieldError) {\n\tif remote.Mirror.String() == \"\" {\n\t\terrors = errors.Also(apis.ErrMissingField(\"mirror\"))\n\t}\n\terrors = errors.Also(ValidateRoot(ctx, remote.Root))\n\treturn\n}\n\nfunc (sigstoreKeys *SigstoreKeys) Validate(ctx 
context.Context) (errors *apis.FieldError) {\n\tif len(sigstoreKeys.CertificateAuthorities) == 0 && len(sigstoreKeys.TimeStampAuthorities) == 0 {\n\t\terrors = errors.Also(apis.ErrMissingOneOf(\"certificateAuthority\", \"timestampAuthorities\"))\n\t} else {\n\t\tfor i, ca := range sigstoreKeys.CertificateAuthorities {\n\t\t\terrors = ValidateCertificateAuthority(ctx, ca).ViaFieldIndex(\"certificateAuthority\", i)\n\t\t}\n\t}\n\n\t// These are optional, so we just validate them if they are there and do\n\t// not report them as missing.\n\t// NOTE(review): each loop in this function assigns to errors instead of\n\t// accumulating with errors.Also, so the result for the last entry validated\n\t// replaces anything recorded earlier, including the missing-one-of error\n\t// above; confirm whether that is intended.\n\tfor i, tsa := range sigstoreKeys.TimeStampAuthorities {\n\t\terrors = ValidateTimeStampAuthority(ctx, tsa).ViaFieldIndex(\"timestampAuthorities\", i)\n\t}\n\tfor i, ctl := range sigstoreKeys.CTLogs {\n\t\terrors = ValidateTransparencyLogInstance(ctx, ctl).ViaFieldIndex(\"ctLogs\", i)\n\t}\n\tfor i, tl := range sigstoreKeys.TLogs {\n\t\terrors = ValidateTransparencyLogInstance(ctx, tl).ViaFieldIndex(\"tLogs\", i)\n\t}\n\treturn\n}\n\nfunc ValidateRoot(_ context.Context, rootJSON []byte) *apis.FieldError {\n\tif rootJSON == nil {\n\t\treturn apis.ErrMissingField(\"root\")\n\t}\n\tvar root map[string]interface{}\n\tif err := json.Unmarshal(rootJSON, &root); err != nil {\n\t\treturn apis.ErrInvalidValue(\"failed to unmarshal\", \"root\", err.Error())\n\t}\n\t// TODO(vaikas): Tighten this validation to check for proper shape.\n\tif root[\"signatures\"] == nil {\n\t\treturn apis.ErrInvalidValue(\"missing signatures in root.json\", \"root\", \"no signatures\")\n\t}\n\treturn nil\n}\n\nfunc ValidateCertificateAuthority(ctx context.Context, ca CertificateAuthority) (errors *apis.FieldError) {\n\terrors = errors.Also(ValidateDistinguishedName(ctx, ca.Subject)).ViaField(\"subject\")\n\tif ca.URI.String() == \"\" {\n\t\terrors = errors.Also(apis.ErrMissingField(\"uri\"))\n\t}\n\tif len(ca.CertChain) == 0 {\n\t\terrors = errors.Also(apis.ErrMissingField(\"certchain\"))\n\t}\n\treturn\n}\n\nfunc ValidateTimeStampAuthority(ctx context.Context, 
ca CertificateAuthority) (errors *apis.FieldError) {\n\terrors = errors.Also(ValidateDistinguishedName(ctx, ca.Subject)).ViaField(\"subject\")\n\tif ca.URI.String() == \"\" {\n\t\terrors = errors.Also(apis.ErrMissingField(\"uri\"))\n\t}\n\tif len(ca.CertChain) == 0 {\n\t\terrors = errors.Also(apis.ErrMissingField(\"certchain\"))\n\t}\n\tleaves, _, _, err := SplitPEMCertificateChain(ca.CertChain)\n\tif err != nil {\n\t\terrors = errors.Also(apis.ErrInvalidValue(\"error splitting the certificates\", \"certChain\", err.Error()))\n\t}\n\tif len(leaves) > 1 {\n\t\terrors = errors.Also(apis.ErrInvalidValue(\"certificate chain must contain at most one TSA certificate\", \"certChain\"))\n\t}\n\treturn\n}\n\nfunc ValidateDistinguishedName(_ context.Context, dn DistinguishedName) (errors *apis.FieldError) {\n\tif dn.Organization == \"\" {\n\t\terrors = errors.Also(apis.ErrMissingField(\"organization\"))\n\t}\n\tif dn.CommonName == \"\" {\n\t\terrors = errors.Also(apis.ErrMissingField(\"commonName\"))\n\t}\n\treturn\n}\n\nfunc ValidateTransparencyLogInstance(_ context.Context, tli TransparencyLogInstance) (errors *apis.FieldError) {\n\tif tli.BaseURL.String() == \"\" {\n\t\terrors = errors.Also(apis.ErrMissingField(\"baseURL\"))\n\t}\n\tif tli.HashAlgorithm == \"\" {\n\t\terrors = errors.Also(apis.ErrMissingField(\"hashAlgorithm\"))\n\t}\n\tif len(tli.PublicKey) == 0 {\n\t\terrors = errors.Also(apis.ErrMissingField(\"publicKey\"))\n\t}\n\treturn\n}\n\n// SplitPEMCertificateChain returns a list of leaf (non-CA) certificates, a certificate pool for\n// intermediate CA certificates, and a certificate pool for root CA certificates\nfunc SplitPEMCertificateChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error) {\n\tcerts, err := cryptoutils.UnmarshalCertificatesFromPEM(pem)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\n\tfor _, cert := range certs {\n\t\tif !cert.IsCA {\n\t\t\tleaves = append(leaves, cert)\n\t\t} else {\n\t\t\t// root 
certificates are self-signed\n\t\t\tif bytes.Equal(cert.RawSubject, cert.RawIssuer) {\n\t\t\t\troots = append(roots, cert)\n\t\t\t} else {\n\t\t\t\tintermediates = append(intermediates, cert)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn leaves, intermediates, roots, nil\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_validation_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"testing\"\n\n\t\"github.com/sigstore/policy-controller/test\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\t\"knative.dev/pkg/apis\"\n)\n\n// validRepository is a TUF repository that's been tarred, gzipped and base64\n// encoded. These are vars because conversion to []byte seems to make them not\n// constant\nvar (\n\tvalidRepository = 
`H4sIAAAAAAAA/+xcW1MbOdPOtX+Fi9t8G0stqSWlai9m7AEMGLBjjl+9ldLRGBsMHoOBt/a/vzXmTA5kF3Cyu/NUJfYcGLW6NU8/oiXG4WSU9yej8eW7NwMhhEghZp+EkKefs+9UUMYo5VDcRxlQ/q4q3s6ke5zlEzN+R8h4NJp8777nrj/t3N8E9/Gv0Q9FHz8c5qPj122j8Ady/q34cyD0SfwFI+JddS5O/JfH/7+V6kLe7x0Hv/Cx+t9KtbrweXJ5EhY+VheKHi/8X3EqPwnu83kY5/3RcXGFfiDXF+7P0dlxuDjpj0Ne3AME8Dcif6OqS9RH4B8p27/+oUG4zG8aqy6QSAQYz7QWSLwUjrOoiPecRxfRUOK4ljRaI5mg0hBkxliQlBOUiKBuHzR77K3lwYMQVM+aK8x3B+HoaxcG4bLvPx+Y/OCzGfZG4/7k4Kgw7f9nl6sL+YEBgTd3zw4FhYXZ0X/uH3FuhndWVBdOzuyw74rGCI02YvCMRm6QRO69A4KKO23RIAAlUTqnqI1MOmWshUhVAEGVoU7o64b+KP7/Y9baApcRwKEJCjToiEIGgRCiMCJKw7k3VkcwHFgwSJxGZkNkURiU2gj7KztLOUN41ECt5AA8MCetit4QrwJ1xHDiQQftvTGcoAJUDgMNmosYpGXsS2dpxRAMs9xozUFxJ6wEQaSXTAXnfVAgWQAXA0dk2tkQg6PgpTSWOUV/YWdZDiC0C5YYDTrISALjPkiHkRLKBYKSyglGI3XOKE2IUggSWCRIePiKs6yAwJRVMjqv0IboKUdLhNPEEaBGRWUcdxSiZDJowZWKwnHJIFCJNvzCzkJEQwWxTAF3Ej2xNHoKlkcilRdoOGXBOhkEmAgyGE45807EEIMO1j90VuXGYQvj0TDck9iMKR96oO8f2v/ikfioq5ODccgPRsOCsOmDEObH5iQ/+K4hL47yDxkyMeNemOTfsePFPPZjdvSPQj4xRyffseTF6ecZS+4GjBsd5/18Eo4nnx8EajI+C5XZHbMkbCZn19mzMO96aM0sLobxiwfRzSjp94qnMSgCgNYFH5V1aLQn3jHwEINwyimhtbfRKs2VkZwbRowMaD2CAq2tQpRcIeccgaEROqDk4AEYBqYcWIFRKrTMg5DeQsDgwQFTzEnGiSj89kel+p/KHz9bAP3L8Uj/347MV54DPKP/KRXwRP8jRVbq/3ngO/r/jqfeYA5wFCbmLn3eJIzZqLvn6mE47k0OiscyFDcEW2iE+7x7rwU+VheEVNyitdZqHxUz3FCjhVUuOiBUCqeUITE4E33gGqWODIC6aJ223oroopHKKMEkiIJNhZHSGwNSUBQsSK2cx2i8Uga9lFJFobHQXYFJq4m8kQk3hj5wyl0e+EGif3GSfkT03DOggQZOVBCojTFUAmHoCJNMeQfOQaA+ghSCaAUCBaWOBURKjDEcLVrjDUXGVNBEMeWokoEIghSLxB11JFojR+2EJQIQlEBng9MCI4GS6H9tPOL/hy/iK7bxDP+DAPGU/wmBkv/nge/w/62OfwP6fzJFWHCTGD6chKOvsb9Uz5M/RqEQBBVKqEidt045RzxDSYjTkjgSKPcO0CDVnmhLNAvSBggYHYlcKqSReu+9NpYq4ilqErjVIUYqNVgTiylKUFY75yUNRChiiLQSNIVAHpO/O8sno6OHhvZ7+WQ0vp8lV6sLZ7npzdxc7y5mt3Pb6kI+MZOzmfcSN+mfh/srZ+N+cfq6qev56KMpfDwbuv7oG17U+ge8SKNHzmIgIZAoOXPKiiK5gKXMoXFIlDdWyOgJiiCYRSG9Z2BBRaRWmUi5pagCISQSCZF5ydApzxQzaLykIiqmFCGRcuKkURhl5KCt8IwIeIkXF2e9fw0/jsNgNH7JYIxWEhGsVp4QkF56rRU3qC2KwJUCxzUKNCJEjtyZaBSSgExZ8C5KEQ1DDgDMqIiKokNBDRUcpSNMWSGJlMRGBhSASBOohagVpww
0KFTcvcSNnaLzL/Pin5A6L/49wCOp45QPwiPTIphCqEQRhEUlbTBCREqN9BqoBialgWIaa2JELiJTkRLqQGqC1kltJVhNkGMstBGjRAmromHKcycJJUFp4FJYSXURSCG0YToS9beUOg/y/xtVf/5S/YdyLPP/PFDWf8r6z6/grLL+U9Z/yvpPWf8p6z9l/afE/PBA/79R9ecv1X8I8FL/zwNl/aes/5T1n38vHvD/zWv4+m2QP73+myOKcv33PPBl/Gub5mI5GB/G+QdSe42awDfifhd/EI/HAgEhGL6rXszDAbfxn0dbvyAoquqJmRz8/pWB8LPrQR/uS1qVn+2nfyrmEfbn9L/k+Jj/GaFMlvp/HvitQJotNder9azTbS4260k3m52ttJrNdPOwnorVpJH0snrxr5WMlur106VPLa7TpFVvJeSifpWspL317TRpdZOj9YNWyncb3SZUWo3sYqOR8NZh+6I1HO02ui14cm7auMrWW0m+lNCtLLloZXZp+2D/MN1vpa2lSnp53VLSy+5aTabZckKaSVo/bu2KUWPtNAm1qzwTw4uTE59f5aupzs/rtbWD3a1KurYxUF0Ug/WG/nS5u6RaCX3/6XQHmg73OsdHYgyH789r9U4fh0u7OVlq4GHrKrloJbywyFca0yytTdtZMm0uTRtJLPq5/KmVLTWSnV7aYZNVgRs7q7s4Ojqkm7VBtjM4H/Q72Uk3WU17vdPKweBwY7PdbiS99ZWkkS4l/SzRa/2s+543PrlNt7m2ic3909GAk7o8Z5uXI7LotwZ723XeGfu9eqXZrnfiynS4eGinbLnVXls/7++RenLQU0tJ3jrKTxe3asnKxrCpbG/6+++VWfCy9caXAX0u2J+69VSZu2Cnrx/sbrbWSga3wa7vQTbd6SbdtOduPdVMC7ddf2+l6XS9niSdLd1/v7VxtrzaWcmHp4PQ3Gyp5fNxbeP4YvR+vGMustE5rVyk2fvzw91hLYbF+lGfqV7SbIraVu80294fLortNPVhmO2ntM8vczsdkea03Ug2ZjFtq7SSRJUV/Ux67WljutfY7pBu0l6upcnWNCkGwlXir2/m2WKvveXlp7NwOOwP35+ujHS3VhHp4smaaA46q1vTem+vuTrab14dkmL0NDrTZNpJmj2zOBGddhzsLQ1h0r7c2K3pbkxdXygyrvSOW7WsvhrC+DS9XG3Wm+l5urHEruJOKk8Xt+qj/LCXD4+E6V7srO3ZoffrZnXJjg+vtP5O4L/9/j+n/15jZc2z+o/jU/0HXJb6bx6giN/Ufz97VdWH22Vhpfp7M8wj7M/oPwIIX+g/Tkr9Nw88kASbW+las15dzfZuFMHiYJpN95Zvklg9ad8ltEbSdo12L8lUfW9d1Ae1nph09i/Olt1Zd6iicid8+7jC6PCqv6lHK7BpV7yyhzvbpsE3G921AW5uu81Jf3mShWy9trJOu5PT9mCrl7eG9WgeqZinZv1sj/2z8Fz+f43FjM/nf/k0/zPJy/w/D1CU38z/P3sh64e7pbjlS/9WmEfY/3T+Bylpuf9jLnhh/vfLV2M7PJpGftDK2PuNiVyDVC0Oup52Kp2Y58fDgz58uty6bO+pjeOTddw8XMSJ3PXmcv1iRe7ube+Etf2ktsRXe4K26/LSrtBemf/nhS/f/9dfAv7M+/+V/V8Cebn/dy4o93+V+7/K/V/l/q9y/9e/fv/X3XrpOe//plSwL/7+h6Rl/p8Hvpf/79bPv/UC0Ecrj79Cu0h/RANAoCQSTRmitSFCIJIwQMkjMdKiIJ4rpFwwKr0UTNFoXVDceOlJ8ER5KpkGSwn10jJ0hmtPDZXRW2+shwhFd0Bawp3QIhrFuC74GhljUr3aAtAX70l4xIpKcgyMExaVA8PQWoLKU+RUOWKIi5I5cMEEL50R3AvDKNOUMWBguLPaUO44KzhVWMK1DdHGSJUQgRLhvVQiBssEOCNVcKCNpDwqpqnkQAj/W7JiiRIlSvz
z8b8AAAD//1nncb4AXAAA`\n\n\t// This is valid base64 (hello world), but should not be able to gunzip\n\t// untar.\n\tinvalidRepository = []byte(`aGVsbG8gd29ybGQK`)\n\n\t// TUF Root json, generated via scaffolding\n\t// IMPORTANT: The next expiration is on '2026-07-18T08:24:13Z'\n\t// Steps to generate:\n\t// 1. cgit clone github.com/sigstore/scaffolding\n\t// 2. run ./hack/setup-kind.sh\n\t// 3. export KO_DOCKER_REPO=registry.local:5001/sigstore\n\t// 4. run ./hack/setup-scaffolding.sh\n\t// 5. get the secrets from the kind cluster\n\t//    kubectl get secrets -o yaml -n tuf-system tuf-root\n\trootJSON = `ewogInNpZ25lZCI6IHsKICAiX3R5cGUiOiAicm9vdCIsCiAgInNwZWNfdmVyc2lvbiI6ICIxLjAiLAogICJ2ZXJzaW9uIjogMSwKICAiZXhwaXJlcyI6ICIyMDI2LTA3LTE4VDA4OjI0OjEzWiIsCiAgImtleXMiOiB7CiAgICIwZjA1MmFkMzk5NTYwZDc1YzQzZjgwZGQ0NGZjZjZhMTBjNDk3MWZiYTczNTE3YTA2M2FhYjI3MTQwNjc2NjI4IjogewogICAgImtleXR5cGUiOiAiZWQyNTUxOSIsCiAgICAic2NoZW1lIjogImVkMjU1MTkiLAogICAgImtleWlkX2hhc2hfYWxnb3JpdGhtcyI6IFsKICAgICAic2hhMjU2IiwKICAgICAic2hhNTEyIgogICAgXSwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICIwMWZiZjZlZDMxZjRhNjBmNGRkYzIwNjg0YzliNmE2MjIxMGY3Y2M4MWJmMzdjOGFiYjJmMThlMjUxOGExYzU5IgogICAgfQogICB9LAogICAiNDdmMjJjNmFlODI5MjlmNjU3ZTU2MmVmNWE1ZjdhNDRkYWI5ZjJhNDIzZWE2MGM5NjNiZWYzZjVhNjc5YTViOCI6IHsKICAgICJrZXl0eXBlIjogImVkMjU1MTkiLAogICAgInNjaGVtZSI6ICJlZDI1NTE5IiwKICAgICJrZXlpZF9oYXNoX2FsZ29yaXRobXMiOiBbCiAgICAgInNoYTI1NiIsCiAgICAgInNoYTUxMiIKICAgIF0sCiAgICAia2V5dmFsIjogewogICAgICJwdWJsaWMiOiAiOGNhMDRmOTIxYjc0MjI0ZTNjN2I4ZmRhMGQ4ZTFjMGE0MGQyOWU5ZGRhYTQwNjgyNjhjNmUxZTk0NWZlN2IzMyIKICAgIH0KICAgfSwKICAgIjk4MzYyYTNiNGE5OTQyODRjNWI3MjUwN2Q3MzhlY2RkZTgyNzNlMmNmZTQ2NjM5Y2JlZmVjMTJkNzdhYjNjODEiOiB7CiAgICAia2V5dHlwZSI6ICJlZDI1NTE5IiwKICAgICJzY2hlbWUiOiAiZWQyNTUxOSIsCiAgICAia2V5aWRfaGFzaF9hbGdvcml0aG1zIjogWwogICAgICJzaGEyNTYiLAogICAgICJzaGE1MTIiCiAgICBdLAogICAgImtleXZhbCI6IHsKICAgICAicHVibGljIjogImI0MjI1OWNlYjBhOTI5ZTdmMGUzNGRlN2M2ZjEwMTQ1NjI4NzhjNTMxZjFjY2E4OTAwODg2MjcyM2YwNjA0ZTMiCiAgICB9CiAgIH0sCiAgICJiNTJlMzhiODdm
Y2Q4NmJlZmQxNDZiMDVjOTBjMDIxYThmOGFjNGMxMmY3MzdlOTU0ODhmNWM0NzMyZTE3NmJlIjogewogICAgImtleXR5cGUiOiAiZWQyNTUxOSIsCiAgICAic2NoZW1lIjogImVkMjU1MTkiLAogICAgImtleWlkX2hhc2hfYWxnb3JpdGhtcyI6IFsKICAgICAic2hhMjU2IiwKICAgICAic2hhNTEyIgogICAgXSwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICI2NjZhMTUwYjM4MjRjNzZkMGIxZmQxMmI0ZjA3OGQ1NmE0MTNlYmM3ZTUyYWYyN2VhNDE0M2RjNWZlZmU5ZWJkIgogICAgfQogICB9CiAgfSwKICAicm9sZXMiOiB7CiAgICJyb290IjogewogICAgImtleWlkcyI6IFsKICAgICAiOTgzNjJhM2I0YTk5NDI4NGM1YjcyNTA3ZDczOGVjZGRlODI3M2UyY2ZlNDY2MzljYmVmZWMxMmQ3N2FiM2M4MSIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9LAogICAic25hcHNob3QiOiB7CiAgICAia2V5aWRzIjogWwogICAgICJiNTJlMzhiODdmY2Q4NmJlZmQxNDZiMDVjOTBjMDIxYThmOGFjNGMxMmY3MzdlOTU0ODhmNWM0NzMyZTE3NmJlIgogICAgXSwKICAgICJ0aHJlc2hvbGQiOiAxCiAgIH0sCiAgICJ0YXJnZXRzIjogewogICAgImtleWlkcyI6IFsKICAgICAiNDdmMjJjNmFlODI5MjlmNjU3ZTU2MmVmNWE1ZjdhNDRkYWI5ZjJhNDIzZWE2MGM5NjNiZWYzZjVhNjc5YTViOCIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9LAogICAidGltZXN0YW1wIjogewogICAgImtleWlkcyI6IFsKICAgICAiMGYwNTJhZDM5OTU2MGQ3NWM0M2Y4MGRkNDRmY2Y2YTEwYzQ5NzFmYmE3MzUxN2EwNjNhYWIyNzE0MDY3NjYyOCIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9CiAgfSwKICAiY29uc2lzdGVudF9zbmFwc2hvdCI6IHRydWUKIH0sCiAic2lnbmF0dXJlcyI6IFsKICB7CiAgICJrZXlpZCI6ICI5ODM2MmEzYjRhOTk0Mjg0YzViNzI1MDdkNzM4ZWNkZGU4MjczZTJjZmU0NjYzOWNiZWZlYzEyZDc3YWIzYzgxIiwKICAgInNpZyI6ICIzMjIyYzY2YmNlZGY4YmM2YTlkMGRjMzJkMmZlNWM4Yzg1OTlkYmZiODk0OGE3NDRhMzBhN2U2YmQ2MjgyOTliODY2NzQ4NjQ0NDYyMzZhNTllNjc0MmQyMjM2ZTM4YzJiNTZmNzg2YjNkMjU3ZGIyZTZlZDJjMjM4M2M3MzQwNSIKICB9CiBdCn0=`\n)\n\nfunc TestTrustRootValidation(t *testing.T) {\n\trootJSONDecoded, err := base64.StdEncoding.DecodeString(rootJSON)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to decode rootJSON for testing: %v\", err)\n\t}\n\tvalidRepositoryDecoded, err := base64.StdEncoding.DecodeString(validRepository)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to decode validRepository for testing: %v\", err)\n\t}\n\ttests := []struct {\n\t\tname        string\n\t\ttrustroot   TrustRoot\n\t\terrorString 
string\n\t}{{\n\t\tname: \"Should work with a valid repository\",\n\t\ttrustroot: TrustRoot{\n\t\t\tSpec: TrustRootSpec{\n\t\t\t\tRepository: &Repository{\n\t\t\t\t\tRoot:     rootJSONDecoded,\n\t\t\t\t\tMirrorFS: validRepositoryDecoded,\n\t\t\t\t\tTargets:  \"targets\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with a missing repository.root\",\n\t\terrorString: \"missing field(s): spec.repository.root\",\n\t\ttrustroot: TrustRoot{\n\t\t\tSpec: TrustRootSpec{\n\t\t\t\tRepository: &Repository{\n\t\t\t\t\tMirrorFS: validRepositoryDecoded,\n\t\t\t\t\tTargets:  \"targets\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with a missing repository.repository\",\n\t\terrorString: \"missing field(s): spec.repository.repository\",\n\t\ttrustroot: TrustRoot{\n\t\t\tSpec: TrustRootSpec{\n\t\t\t\tRepository: &Repository{\n\t\t\t\t\tRoot:    rootJSONDecoded,\n\t\t\t\t\tTargets: \"targets\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with a missing repository.targets\",\n\t\terrorString: \"missing field(s): spec.repository.targets\",\n\t\ttrustroot: TrustRoot{\n\t\t\tSpec: TrustRootSpec{\n\t\t\t\tRepository: &Repository{\n\t\t\t\t\tRoot:     rootJSONDecoded,\n\t\t\t\t\tMirrorFS: validRepositoryDecoded,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with an invalid repository.mirrorFS, not a gzip/tar file\",\n\t\terrorString: \"invalid value: failed to construct a TUF client: spec.repository.mirrorFS\\nfailed to uncompress: gzip: invalid header\",\n\t\ttrustroot: TrustRoot{\n\t\t\tSpec: TrustRootSpec{\n\t\t\t\tRepository: &Repository{\n\t\t\t\t\tRoot:     rootJSONDecoded,\n\t\t\t\t\tMirrorFS: invalidRepository,\n\t\t\t\t\tTargets:  \"targets\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.trustroot.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", 
err)\n\t\t})\n\t}\n}\n\nfunc TestTimeStampAuthorityValidation(t *testing.T) {\n\trootCert, rootKey, _ := test.GenerateRootCa()\n\tsubCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey)\n\tleafCert, _, _ := test.GenerateLeafCert(\"subject\", \"oidc-issuer\", subCert, subKey)\n\trootCert2, rootKey2, _ := test.GenerateRootCa()\n\tsubCert2, subKey2, _ := test.GenerateSubordinateCa(rootCert2, rootKey2)\n\tleafCert2, _, _ := test.GenerateLeafCert(\"subject\", \"oidc-issuer\", subCert2, subKey2)\n\n\tpem, err := cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{rootCert, subCert, leafCert})\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error marshalling certificates to PEM: %v\", err)\n\t}\n\ttooManyLeavesPem, err := cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{rootCert, subCert, leafCert, leafCert2})\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error marshalling certificates to PEM: %v\", err)\n\t}\n\n\ttests := []struct {\n\t\tname        string\n\t\ttsa         CertificateAuthority\n\t\terrorString string\n\t}{{\n\t\tname: \"Should work with a valid repository\",\n\t\ttsa: CertificateAuthority{\n\t\t\tSubject: DistinguishedName{\n\t\t\t\tOrganization: \"fulcio-organization\",\n\t\t\t\tCommonName:   \"fulcio-common-name\",\n\t\t\t},\n\t\t\tURI:       *apis.HTTPS(\"fulcio.example.com\"),\n\t\t\tCertChain: pem,\n\t\t},\n\t}, {\n\t\tname:        \"Should fail splitting the certificates of the certChain\",\n\t\terrorString: \"invalid value: error splitting the certificates: certChain\\nerror during PEM decoding\",\n\t\ttsa: CertificateAuthority{\n\t\t\tSubject: DistinguishedName{\n\t\t\t\tOrganization: \"fulcio-organization\",\n\t\t\t\tCommonName:   \"fulcio-common-name\",\n\t\t\t},\n\t\t\tURI:       *apis.HTTPS(\"fulcio.example.com\"),\n\t\t\tCertChain: []byte(\"INVALID\"),\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with a must contain at most one TSA certificate\",\n\t\terrorString: \"invalid value: certificate chain must contain at 
most one TSA certificate: certChain\",\n\t\ttsa: CertificateAuthority{\n\t\t\tSubject: DistinguishedName{\n\t\t\t\tOrganization: \"fulcio-organization\",\n\t\t\t\tCommonName:   \"fulcio-common-name\",\n\t\t\t},\n\t\t\tURI:       *apis.HTTPS(\"fulcio.example.com\"),\n\t\t\tCertChain: tooManyLeavesPem,\n\t\t},\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := ValidateTimeStampAuthority(context.TODO(), test.tsa)\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestIgnoreStatusUpdatesTrustRoot(t *testing.T) {\n\ttr := &TrustRoot{Spec: TrustRootSpec{}}\n\n\tif err := tr.Validate(apis.WithinSubResourceUpdate(context.Background(), &tr, \"status\")); err != nil {\n\t\tt.Errorf(\"Failed to update status on invalid resource: %v\", err)\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go",
    "content": "//go:build !ignore_autogenerated\n// +build !ignore_autogenerated\n\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by deepcopy-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\tv1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\tapis \"knative.dev/pkg/apis\"\n)\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *Attestation) DeepCopyInto(out *Attestation) {\n\t*out = *in\n\tif in.Policy != nil {\n\t\tin, out := &in.Policy, &out.Policy\n\t\t*out = new(Policy)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.\nfunc (in *Attestation) DeepCopy() *Attestation {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Attestation)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *Authority) DeepCopyInto(out *Authority) {\n\t*out = *in\n\tif in.Key != nil {\n\t\tin, out := &in.Key, &out.Key\n\t\t*out = new(KeyRef)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Keyless != nil {\n\t\tin, out := &in.Keyless, &out.Keyless\n\t\t*out = new(KeylessRef)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Static != nil {\n\t\tin, out := &in.Static, &out.Static\n\t\t*out = new(StaticRef)\n\t\t**out = **in\n\t}\n\tif in.Sources != nil {\n\t\tin, out := &in.Sources, &out.Sources\n\t\t*out = make([]Source, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.CTLog != nil {\n\t\tin, out := &in.CTLog, &out.CTLog\n\t\t*out = new(TLog)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Attestations != nil {\n\t\tin, out := &in.Attestations, &out.Attestations\n\t\t*out = make([]Attestation, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.RFC3161Timestamp != nil {\n\t\tin, out := &in.RFC3161Timestamp, &out.RFC3161Timestamp\n\t\t*out = new(RFC3161Timestamp)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authority.\nfunc (in *Authority) DeepCopy() *Authority {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Authority)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *CertificateAuthority) DeepCopyInto(out *CertificateAuthority) {\n\t*out = *in\n\tout.Subject = in.Subject\n\tin.URI.DeepCopyInto(&out.URI)\n\tif in.CertChain != nil {\n\t\tin, out := &in.CertChain, &out.CertChain\n\t\t*out = make([]byte, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthority.\nfunc (in *CertificateAuthority) DeepCopy() *CertificateAuthority {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(CertificateAuthority)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {\n\t*out = *in\n\tout.TypeMeta = in.TypeMeta\n\tin.ObjectMeta.DeepCopyInto(&out.ObjectMeta)\n\tin.Spec.DeepCopyInto(&out.Spec)\n\tin.Status.DeepCopyInto(&out.Status)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy.\nfunc (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ClusterImagePolicy)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.\nfunc (in *ClusterImagePolicy) DeepCopyObject() runtime.Object {\n\tif c := in.DeepCopy(); c != nil {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList) {\n\t*out = *in\n\tout.TypeMeta = in.TypeMeta\n\tin.ListMeta.DeepCopyInto(&out.ListMeta)\n\tif in.Items != nil {\n\t\tin, out := &in.Items, &out.Items\n\t\t*out = make([]ClusterImagePolicy, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList.\nfunc (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ClusterImagePolicyList)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.\nfunc (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object {\n\tif c := in.DeepCopy(); c != nil {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec) {\n\t*out = *in\n\tif in.Images != nil {\n\t\tin, out := &in.Images, &out.Images\n\t\t*out = make([]ImagePattern, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\tif in.Authorities != nil {\n\t\tin, out := &in.Authorities, &out.Authorities\n\t\t*out = make([]Authority, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.Policy != nil {\n\t\tin, out := &in.Policy, &out.Policy\n\t\t*out = new(Policy)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Match != nil {\n\t\tin, out := &in.Match, &out.Match\n\t\t*out = make([]MatchResource, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec.\nfunc (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ClusterImagePolicySpec)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus) {\n\t*out = *in\n\tin.Status.DeepCopyInto(&out.Status)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus.\nfunc (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ClusterImagePolicyStatus)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.\nfunc (in *ConfigMapReference) DeepCopy() *ConfigMapReference {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ConfigMapReference)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *DistinguishedName) DeepCopyInto(out *DistinguishedName) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DistinguishedName.\nfunc (in *DistinguishedName) DeepCopy() *DistinguishedName {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(DistinguishedName)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *Identity) DeepCopyInto(out *Identity) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity.\nfunc (in *Identity) DeepCopy() *Identity {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Identity)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *ImagePattern) DeepCopyInto(out *ImagePattern) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePattern.\nfunc (in *ImagePattern) DeepCopy() *ImagePattern {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ImagePattern)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *KeyRef) DeepCopyInto(out *KeyRef) {\n\t*out = *in\n\tif in.SecretRef != nil {\n\t\tin, out := &in.SecretRef, &out.SecretRef\n\t\t*out = new(v1.SecretReference)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyRef.\nfunc (in *KeyRef) DeepCopy() *KeyRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(KeyRef)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *KeylessRef) DeepCopyInto(out *KeylessRef) {\n\t*out = *in\n\tif in.URL != nil {\n\t\tin, out := &in.URL, &out.URL\n\t\t*out = new(apis.URL)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Identities != nil {\n\t\tin, out := &in.Identities, &out.Identities\n\t\t*out = make([]Identity, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\tif in.CACert != nil {\n\t\tin, out := &in.CACert, &out.CACert\n\t\t*out = new(KeyRef)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.InsecureIgnoreSCT != nil {\n\t\tin, out := &in.InsecureIgnoreSCT, &out.InsecureIgnoreSCT\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessRef.\nfunc (in *KeylessRef) DeepCopy() *KeylessRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(KeylessRef)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *MatchResource) DeepCopyInto(out *MatchResource) {\n\t*out = *in\n\tout.GroupVersionResource = in.GroupVersionResource\n\tif in.ResourceSelector != nil {\n\t\tin, out := &in.ResourceSelector, &out.ResourceSelector\n\t\t*out = new(metav1.LabelSelector)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResource.\nfunc (in *MatchResource) DeepCopy() *MatchResource {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(MatchResource)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *Policy) DeepCopyInto(out *Policy) {\n\t*out = *in\n\tif in.Remote != nil {\n\t\tin, out := &in.Remote, &out.Remote\n\t\t*out = new(RemotePolicy)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.ConfigMapRef != nil {\n\t\tin, out := &in.ConfigMapRef, &out.ConfigMapRef\n\t\t*out = new(ConfigMapReference)\n\t\t**out = **in\n\t}\n\tif in.FetchConfigFile != nil {\n\t\tin, out := &in.FetchConfigFile, &out.FetchConfigFile\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\tif in.IncludeSpec != nil {\n\t\tin, out := &in.IncludeSpec, &out.IncludeSpec\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\tif in.IncludeObjectMeta != nil {\n\t\tin, out := &in.IncludeObjectMeta, &out.IncludeObjectMeta\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\tif in.IncludeTypeMeta != nil {\n\t\tin, out := &in.IncludeTypeMeta, &out.IncludeTypeMeta\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.\nfunc (in *Policy) DeepCopy() *Policy {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Policy)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *RFC3161Timestamp) DeepCopyInto(out *RFC3161Timestamp) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RFC3161Timestamp.\nfunc (in *RFC3161Timestamp) DeepCopy() *RFC3161Timestamp {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(RFC3161Timestamp)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *Remote) DeepCopyInto(out *Remote) {\n\t*out = *in\n\tif in.Root != nil {\n\t\tin, out := &in.Root, &out.Root\n\t\t*out = make([]byte, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\tin.Mirror.DeepCopyInto(&out.Mirror)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Remote.\nfunc (in *Remote) DeepCopy() *Remote {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Remote)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *RemotePolicy) DeepCopyInto(out *RemotePolicy) {\n\t*out = *in\n\tin.URL.DeepCopyInto(&out.URL)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemotePolicy.\nfunc (in *RemotePolicy) DeepCopy() *RemotePolicy {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(RemotePolicy)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *Repository) DeepCopyInto(out *Repository) {\n\t*out = *in\n\tif in.Root != nil {\n\t\tin, out := &in.Root, &out.Root\n\t\t*out = make([]byte, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\tif in.MirrorFS != nil {\n\t\tin, out := &in.MirrorFS, &out.MirrorFS\n\t\t*out = make([]byte, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Repository.\nfunc (in *Repository) DeepCopy() *Repository {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Repository)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *SigstoreKeys) DeepCopyInto(out *SigstoreKeys) {\n\t*out = *in\n\tif in.CertificateAuthorities != nil {\n\t\tin, out := &in.CertificateAuthorities, &out.CertificateAuthorities\n\t\t*out = make([]CertificateAuthority, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.TLogs != nil {\n\t\tin, out := &in.TLogs, &out.TLogs\n\t\t*out = make([]TransparencyLogInstance, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.CTLogs != nil {\n\t\tin, out := &in.CTLogs, &out.CTLogs\n\t\t*out = make([]TransparencyLogInstance, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.TimeStampAuthorities != nil {\n\t\tin, out := &in.TimeStampAuthorities, &out.TimeStampAuthorities\n\t\t*out = make([]CertificateAuthority, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SigstoreKeys.\nfunc (in *SigstoreKeys) DeepCopy() *SigstoreKeys {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(SigstoreKeys)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated 
deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *Source) DeepCopyInto(out *Source) {\n\t*out = *in\n\tif in.SignaturePullSecrets != nil {\n\t\tin, out := &in.SignaturePullSecrets, &out.SignaturePullSecrets\n\t\t*out = make([]v1.LocalObjectReference, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\tif in.TagPrefix != nil {\n\t\tin, out := &in.TagPrefix, &out.TagPrefix\n\t\t*out = new(string)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.\nfunc (in *Source) DeepCopy() *Source {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Source)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *StaticRef) DeepCopyInto(out *StaticRef) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticRef.\nfunc (in *StaticRef) DeepCopy() *StaticRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(StaticRef)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *TLog) DeepCopyInto(out *TLog) {\n\t*out = *in\n\tif in.URL != nil {\n\t\tin, out := &in.URL, &out.URL\n\t\t*out = new(apis.URL)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLog.\nfunc (in *TLog) DeepCopy() *TLog {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(TLog)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *TransparencyLogInstance) DeepCopyInto(out *TransparencyLogInstance) {\n\t*out = *in\n\tin.BaseURL.DeepCopyInto(&out.BaseURL)\n\tif in.PublicKey != nil {\n\t\tin, out := &in.PublicKey, &out.PublicKey\n\t\t*out = make([]byte, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransparencyLogInstance.\nfunc (in *TransparencyLogInstance) DeepCopy() *TransparencyLogInstance {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(TransparencyLogInstance)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *TrustRoot) DeepCopyInto(out *TrustRoot) {\n\t*out = *in\n\tout.TypeMeta = in.TypeMeta\n\tin.ObjectMeta.DeepCopyInto(&out.ObjectMeta)\n\tin.Spec.DeepCopyInto(&out.Spec)\n\tin.Status.DeepCopyInto(&out.Status)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRoot.\nfunc (in *TrustRoot) DeepCopy() *TrustRoot {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(TrustRoot)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.\nfunc (in *TrustRoot) DeepCopyObject() runtime.Object {\n\tif c := in.DeepCopy(); c != nil {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *TrustRootList) DeepCopyInto(out *TrustRootList) {\n\t*out = *in\n\tout.TypeMeta = in.TypeMeta\n\tin.ListMeta.DeepCopyInto(&out.ListMeta)\n\tif in.Items != nil {\n\t\tin, out := &in.Items, &out.Items\n\t\t*out = make([]TrustRoot, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRootList.\nfunc (in *TrustRootList) DeepCopy() *TrustRootList {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(TrustRootList)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.\nfunc (in *TrustRootList) DeepCopyObject() runtime.Object {\n\tif c := in.DeepCopy(); c != nil {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *TrustRootSpec) DeepCopyInto(out *TrustRootSpec) {\n\t*out = *in\n\tif in.Remote != nil {\n\t\tin, out := &in.Remote, &out.Remote\n\t\t*out = new(Remote)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Repository != nil {\n\t\tin, out := &in.Repository, &out.Repository\n\t\t*out = new(Repository)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.SigstoreKeys != nil {\n\t\tin, out := &in.SigstoreKeys, &out.SigstoreKeys\n\t\t*out = new(SigstoreKeys)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRootSpec.\nfunc (in *TrustRootSpec) DeepCopy() *TrustRootSpec {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(TrustRootSpec)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *TrustRootStatus) DeepCopyInto(out *TrustRootStatus) {\n\t*out = *in\n\tin.Status.DeepCopyInto(&out.Status)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRootStatus.\nfunc (in *TrustRootStatus) DeepCopy() *TrustRootStatus {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(TrustRootStatus)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_conversion.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"knative.dev/pkg/apis\"\n)\n\nvar _ apis.Convertible = (*ClusterImagePolicy)(nil)\n\n// ConvertTo implements apis.Convertible; it always returns an error because v1beta1 is the highest known version.\nfunc (c *ClusterImagePolicy) ConvertTo(_ context.Context, sink apis.Convertible) error {\n\treturn fmt.Errorf(\"v1beta1 is the highest known version, got: %T\", sink)\n}\n\n// ConvertFrom implements apis.Convertible; it always returns an error because v1beta1 is the highest known version.\nfunc (c *ClusterImagePolicy) ConvertFrom(_ context.Context, source apis.Convertible) error {\n\treturn fmt.Errorf(\"v1beta1 is the highest know version, got: %T\", source)\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_conversion_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"testing\"\n\n\t\"knative.dev/pkg/apis\"\n)\n\ntype BadOne struct{}\n\nfunc (ct *BadOne) ConvertTo(_ context.Context, sink apis.Convertible) error {\n\treturn fmt.Errorf(\"v1beta1 is the highest known version, got: %T\", sink)\n}\nfunc (ct *BadOne) ConvertFrom(_ context.Context, source apis.Convertible) error {\n\treturn fmt.Errorf(\"v1beta1 is the highest know version, got: %T\", source)\n}\n\nfunc TestClusterTaskConversionBadType(t *testing.T) {\n\tgood, bad := &ClusterImagePolicy{}, &BadOne{}\n\n\tif err := good.ConvertTo(context.Background(), bad); err == nil {\n\t\tt.Errorf(\"ConvertTo() = %#v, wanted error\", bad)\n\t}\n\n\tif err := good.ConvertFrom(context.Background(), bad); err == nil {\n\t\tt.Errorf(\"ConvertFrom() = %#v, wanted error\", good)\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_defaults.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"knative.dev/pkg/apis\"\n)\n\n// SetDefaults implements apis.Defaultable\nfunc (c *ClusterImagePolicy) SetDefaults(ctx context.Context) {\n\tc.Spec.SetDefaults(ctx)\n}\n\nfunc (spec *ClusterImagePolicySpec) SetDefaults(_ context.Context) {\n\tif spec.Mode == \"\" {\n\t\tspec.Mode = \"enforce\"\n\t}\n\tfor i, authority := range spec.Authorities {\n\t\tif authority.Name == \"\" {\n\t\t\tspec.Authorities[i].Name = fmt.Sprintf(\"authority-%d\", i)\n\t\t}\n\t\tif authority.Key == nil && authority.Static == nil && authority.Keyless != nil && authority.Keyless.CACert == nil && authority.Keyless.URL == nil {\n\t\t\tauthority.Keyless.URL = apis.HTTPS(\"fulcio.sigstore.dev\")\n\t\t}\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_defaults_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\n\t\"testing\"\n\n\t\"knative.dev/pkg/apis\"\n)\n\nfunc TestNameDefaulting(t *testing.T) {\n\ttests := []struct {\n\t\tin        *ClusterImagePolicy\n\t\twantNames []string\n\t}{\n\t\t{in: cipWithNames([]string{\"\"}),\n\t\t\twantNames: []string{\"authority-0\"},\n\t\t},\n\t\t{in: cipWithNames([]string{\"\", \"vuln-scan\"}),\n\t\t\twantNames: []string{\"authority-0\", \"vuln-scan\"},\n\t\t},\n\t\t{in: cipWithNames([]string{\"vuln-scan\", \"\"}),\n\t\t\twantNames: []string{\"vuln-scan\", \"authority-1\"},\n\t\t},\n\t\t{in: cipWithNames([]string{\"first\", \"second\"}),\n\t\t\twantNames: []string{\"first\", \"second\"},\n\t\t}}\n\tfor _, tc := range tests {\n\t\ttc.in.SetDefaults(context.TODO())\n\t\tif len(tc.in.Spec.Authorities) != len(tc.wantNames) {\n\t\t\tt.Fatalf(\"Mismatch number of wantNames: %d vs authorities: %d\", len(tc.wantNames), len(tc.in.Spec.Authorities))\n\t\t}\n\t\tfor i, wantName := range tc.wantNames {\n\t\t\tif tc.in.Spec.Authorities[i].Name != wantName {\n\t\t\t\tt.Errorf(\"Wanted name: %s got %s\", wantName, tc.in.Spec.Authorities[i].Name)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc TestModeDefaulting(t *testing.T) {\n\ttests := []struct {\n\t\tname     string\n\t\tmode     string\n\t\twantMode string\n\t}{{\n\t\tname:     \"empty\",\n\t\twantMode: \"enforce\",\n\t}, {\n\t\tname:     
\"enforce\",\n\t\tmode:     \"enforce\",\n\t\twantMode: \"enforce\",\n\t}, {\n\t\tname:     \"warn\",\n\t\tmode:     \"warn\",\n\t\twantMode: \"warn\",\n\t}}\n\tfor _, tc := range tests {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\ttc := tc\n\t\t\tin := ClusterImagePolicy{Spec: ClusterImagePolicySpec{Mode: tc.mode}}\n\t\t\tin.SetDefaults(context.TODO())\n\t\t\tif in.Spec.Mode != tc.wantMode {\n\t\t\t\tt.Errorf(\"Wanted mode: %s got %s\", tc.wantMode, in.Spec.Mode)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestKeylessURLDefaulting(t *testing.T) {\n\ttests := []struct {\n\t\tname    string\n\t\tin      *ClusterImagePolicy\n\t\twantURL string\n\t}{\n\t\t{name: \"static specified, no default\",\n\t\t\tin: &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Static: &StaticRef{Action: \"pass\"}}}}}},\n\t\t{name: \"key specified, no default\",\n\t\t\tin: &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Key: &KeyRef{Data: \"Keydata here\"}}}}}},\n\t\t{name: \"kms specified, no default\",\n\t\t\tin: &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Keyless: &KeylessRef{CACert: &KeyRef{KMS: \"Keydata here\"}}}}}}},\n\t\t{name: \"keyless specified, do not overwite fulcio\",\n\t\t\tin:      &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Keyless: &KeylessRef{URL: apis.HTTP(\"fulcio.fulcio-system.svc\")}}}}},\n\t\t\twantURL: \"http://fulcio.fulcio-system.svc\",\n\t\t},\n\t\t{name: \"keyless specified but no url, public fulcio\",\n\t\t\tin:      &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Authorities: []Authority{{Keyless: &KeylessRef{Identities: []Identity{{Issuer: \"someissuer\"}}}}}}},\n\t\t\twantURL: \"https://fulcio.sigstore.dev\",\n\t\t},\n\t}\n\tfor _, tc := range tests {\n\t\tin := tc.in.DeepCopy()\n\t\tin.SetDefaults(context.TODO())\n\t\tswitch tc.wantURL {\n\t\tcase \"\":\n\t\t\tif in.Spec.Authorities[0].Keyless != nil && in.Spec.Authorities[0].Keyless.URL != nil 
{\n\t\t\t\tt.Errorf(\"Wanted no defaulting, got %s\", in.Spec.Authorities[0].Keyless.URL)\n\t\t\t}\n\t\tdefault:\n\t\t\tif in.Spec.Authorities[0].Keyless == nil || in.Spec.Authorities[0].Keyless.URL == nil {\n\t\t\t\tt.Errorf(\"Wanted defaulting %s, got none\", tc.wantURL)\n\t\t\t} else if in.Spec.Authorities[0].Keyless.URL.String() != tc.wantURL {\n\t\t\t\tt.Errorf(\"Wanted defaulting %s, got %s\", tc.wantURL, in.Spec.Authorities[0].Keyless.URL)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc cipWithNames(names []string) *ClusterImagePolicy {\n\tcip := &ClusterImagePolicy{\n\t\tSpec: ClusterImagePolicySpec{},\n\t}\n\tfor _, name := range names {\n\t\tcip.Spec.Authorities = append(cip.Spec.Authorities, Authority{Name: name, Keyless: &KeylessRef{URL: &apis.URL{Host: \"tests.example.com\"}}})\n\t}\n\treturn cip\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_lifecycle.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"knative.dev/pkg/apis\"\n)\n\nconst (\n\tinlineKeysFailedReason     = \"InliningKeysFailed\"\n\tinlinePoliciesFailedReason = \"InliningPoliciesFailed\"\n\tupdateCMFailedReason       = \"UpdatingConfigMap\"\n)\n\nvar cipCondSet = apis.NewLivingConditionSet(\n\tClusterImagePolicyConditionKeysInlined,\n\tClusterImagePolicyConditionPoliciesInlined,\n\tClusterImagePolicyConditionCMUpdated,\n)\n\n// GetConditionSet retrieves the condition set for this resource.\n// Implements the KRShaped interface.\nfunc (*ClusterImagePolicy) GetConditionSet() apis.ConditionSet {\n\treturn cipCondSet\n}\n\n// IsReady returns if the ClusterImagePolicy was compiled successfully to\n// ConfigMap.\nfunc (c *ClusterImagePolicy) IsReady() bool {\n\tcs := c.Status\n\treturn cs.ObservedGeneration == c.Generation &&\n\t\tcs.GetCondition(ClusterImagePolicyConditionReady).IsTrue()\n}\n\n// IsFailed returns true if the resource has observed\n// the latest generation and ready is false.\nfunc (c *ClusterImagePolicy) IsFailed() bool {\n\tcs := c.Status\n\treturn cs.ObservedGeneration == c.Generation &&\n\t\tcs.GetCondition(ClusterImagePolicyConditionReady).IsFalse()\n}\n\n// InitializeConditions sets the initial values to the conditions.\nfunc (cs *ClusterImagePolicyStatus) InitializeConditions() 
{\n\tcipCondSet.Manage(cs).InitializeConditions()\n}\n\n// MarkInlineKeysFailed surfaces a failure that we were unable to inline\n// the keys (from secrets or from KMS).\nfunc (cs *ClusterImagePolicyStatus) MarkInlineKeysFailed(msg string) {\n\tcipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionKeysInlined, inlineKeysFailedReason, msg)\n}\n\n// MarkInlineKeysOk marks the status saying that the inlining of the keys\n// had no errors.\nfunc (cs *ClusterImagePolicyStatus) MarkInlineKeysOk() {\n\tcipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionKeysInlined)\n}\n\n// MarkInlinePoliciesFailed surfaces a failure that we were unable to inline\n// the policies, either from ConfigMap or from URL.\nfunc (cs *ClusterImagePolicyStatus) MarkInlinePoliciesFailed(msg string) {\n\tcipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionPoliciesInlined, inlinePoliciesFailedReason, msg)\n}\n\n// MarkInlinePoliciesOk marks the status saying that the inlining of the\n// policies had no errors.\nfunc (cs *ClusterImagePolicyStatus) MarkInlinePoliciesOk() {\n\tcipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionPoliciesInlined)\n}\n\n// MarkCMUpdateFailed surfaces a failure that we were unable to reflect the\n// CIP into the compiled ConfigMap.\nfunc (cs *ClusterImagePolicyStatus) MarkCMUpdateFailed(msg string) {\n\tcipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionCMUpdated, updateCMFailedReason, msg)\n}\n\n// MarkCMUpdatedOK marks the status saying that the ConfigMap has been updated.\nfunc (cs *ClusterImagePolicyStatus) MarkCMUpdatedOK() {\n\tcipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionCMUpdated)\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_types.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\tv1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n\t\"knative.dev/pkg/apis\"\n\tduckv1 \"knative.dev/pkg/apis/duck/v1\"\n\t\"knative.dev/pkg/kmeta\"\n)\n\n// ClusterImagePolicy defines the images that go through verification\n// and the authorities used for verification\n//\n// +genclient\n// +genclient:nonNamespaced\n// +genreconciler:krshapedlogic=true\n// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\ntype ClusterImagePolicy struct {\n\tmetav1.TypeMeta   `json:\",inline\"`\n\tmetav1.ObjectMeta `json:\"metadata\"`\n\n\t// Spec holds the desired state of the ClusterImagePolicy (from the client).\n\tSpec ClusterImagePolicySpec `json:\"spec\"`\n\n\t// Status represents the current state of the ClusterImagePolicy.\n\t// This data may be out of date.\n\t// +optional\n\tStatus ClusterImagePolicyStatus `json:\"status,omitempty\"`\n}\n\nvar (\n\t_ apis.Validatable   = (*ClusterImagePolicy)(nil)\n\t_ apis.Defaultable   = (*ClusterImagePolicy)(nil)\n\t_ kmeta.OwnerRefable = (*ClusterImagePolicy)(nil)\n\t// Check that the type conforms to the duck Knative Resource shape.\n\t_ duckv1.KRShaped = (*ClusterImagePolicy)(nil)\n)\n\nconst (\n\t// ClusterImagePolicyReady is set when the ClusterImagePolicy has been\n\t// compiled into 
the underlying ConfigMap properly.\n\tClusterImagePolicyConditionReady = apis.ConditionReady\n\t// ClusterImagePolicyConditionKeysInlined is set to True when all the Keys\n\t// have been (Secrets, KMS, etc.) resolved, fetched, validated, and inlined\n\t// into the compiled representation.\n\t// In failure cases, the Condition will describe the errors in detail.\n\tClusterImagePolicyConditionKeysInlined apis.ConditionType = \"KeysInlined\"\n\t// ClusterImagePolicyConditionPoliciesInlined is set to True when all the\n\t// policies have been resolved, fetched, validated, and inlined into the\n\t// compiled representation.\n\t// In failure cases, the Condition will describe the errors in detail.\n\tClusterImagePolicyConditionPoliciesInlined apis.ConditionType = \"PoliciesInlined\"\n\t// ClusterImagePolicyConditionCMUpdated\tis set to True when the CIP has been\n\t// successfully added into the ConfigMap holding all the compiled CIPs.\n\t// In failure cases, the Condition will describe the errors in detail.\n\tClusterImagePolicyConditionCMUpdated apis.ConditionType = \"ConfigMapUpdated\"\n)\n\n// GetGroupVersionKind implements kmeta.OwnerRefable\nfunc (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind {\n\treturn SchemeGroupVersion.WithKind(\"ClusterImagePolicy\")\n}\n\n// ClusterImagePolicySpec defines a list of images that should be verified\ntype ClusterImagePolicySpec struct {\n\t// Images defines the patterns of image names that should be subject to this policy.\n\tImages []ImagePattern `json:\"images\"`\n\t// Authorities defines the rules for discovering and validating signatures.\n\t// +optional\n\tAuthorities []Authority `json:\"authorities,omitempty\"`\n\t// Policy is an optional policy that can be applied against all the\n\t// successfully validated Authorities. 
If no authorities pass, this does\n\t// not even get evaluated, as the Policy is considered failed.\n\t// +optional\n\tPolicy *Policy `json:\"policy,omitempty\"`\n\t// Mode controls whether a failing policy will be rejected (not admitted),\n\t// or if errors are converted to Warnings.\n\t// enforce - Reject (default)\n\t// warn - allow but warn\n\t// +optional\n\tMode string `json:\"mode,omitempty\"`\n\t// Match allows selecting resources based on their properties.\n\t// +optional\n\tMatch []MatchResource `json:\"match,omitempty\"`\n}\n\n// ImagePattern defines a pattern and its associated authorties\n// If multiple patterns match a particular image, then ALL of\n// those authorities must be satisfied for the image to be admitted.\ntype ImagePattern struct {\n\t// Glob defines a globbing pattern.\n\tGlob string `json:\"glob\"`\n}\n\n// The authorities block defines the rules for discovering and\n// validating signatures.  Signatures are\n// cryptographically verified using one of the \"key\" or \"keyless\"\n// fields.\n// When multiple authorities are specified, any of them may be used\n// to source the valid signature we are looking for to admit an\n// image.\ntype Authority struct {\n\t// Name is the name for this authority. 
Used by the CIP Policy\n\t// validator to be able to reference matching signature or attestation\n\t// verifications.\n\t// If not specified, the name will be authority-<index in array>\n\tName string `json:\"name\"`\n\t// Key defines the type of key to validate the image.\n\t// +optional\n\tKey *KeyRef `json:\"key,omitempty\"`\n\t// Keyless sets the configuration to verify the authority against a Fulcio instance.\n\t// +optional\n\tKeyless *KeylessRef `json:\"keyless,omitempty\"`\n\t// Static specifies that signatures / attestations are not validated but\n\t// instead a static policy is applied against matching images.\n\t// +optional\n\tStatic *StaticRef `json:\"static,omitempty\"`\n\t// Sources sets the configuration to specify the sources from where to consume the signatures.\n\t// +optional\n\tSources []Source `json:\"source,omitempty\"`\n\t// CTLog sets the configuration to verify the authority against a Rekor instance.\n\t// +optional\n\tCTLog *TLog `json:\"ctlog,omitempty\"`\n\t// Attestations is a list of individual attestations for this authority,\n\t// once the signature for this authority has been verified.\n\t// +optional\n\tAttestations []Attestation `json:\"attestations,omitempty\"`\n\t// RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.\n\t// +optional\n\tRFC3161Timestamp *RFC3161Timestamp `json:\"rfc3161timestamp,omitempty\"`\n\t// SignatureFormat specifies the format the authority expects. Supported\n\t// formats are \"legacy\" and \"bundle\". 
If not specified, the default\n\t// is \"legacy\" (cosign's default).\n\tSignatureFormat string `json:\"signatureFormat,omitempty\"`\n}\n\n// This references a public verification key stored in\n// a secret in the cosign-system namespace.\n// A KeyRef must specify only one of SecretRef, Data or KMS\ntype KeyRef struct {\n\t// SecretRef sets a reference to a secret with the key.\n\t// +optional\n\tSecretRef *v1.SecretReference `json:\"secretRef,omitempty\"`\n\t// Data contains the inline public key.\n\t// +optional\n\tData string `json:\"data,omitempty\"`\n\t// KMS contains the KMS url of the public key\n\t// Supported formats differ based on the KMS system used.\n\t// +optional\n\tKMS string `json:\"kms,omitempty\"`\n\t// HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set\n\t// +optional\n\tHashAlgorithm string `json:\"hashAlgorithm,omitempty\"`\n}\n\n// StaticRef specifies that signatures / attestations are not validated but\n// instead a static policy is applied against matching images.\ntype StaticRef struct {\n\t// Action defines how to handle a matching policy.\n\tAction string `json:\"action\"`\n\t// For fail actions, emit an optional custom message\n\tMessage string `json:\"message,omitempty\"`\n}\n\n// Source specifies the location of the signature / attestations.\ntype Source struct {\n\t// OCI defines the registry from where to pull the signature / attestations.\n\t// +optional\n\tOCI string `json:\"oci,omitempty\"`\n\t// SignaturePullSecrets is an optional list of references to secrets in the\n\t// same namespace as the deploying resource for pulling any of the signatures\n\t// used by this Source.\n\t// +optional\n\tSignaturePullSecrets []v1.LocalObjectReference `json:\"signaturePullSecrets,omitempty\"`\n\t// TagPrefix is an optional prefix that signature and attestations have.\n\t// This is the 'tag based discovery' and in the future once references are\n\t// fully supported that should likely be the preferred way to 
handle these.\n\t// +optional\n\tTagPrefix *string `json:\"tagPrefix,omitempty\"`\n}\n\n// TLog specifies the URL to a transparency log that holds\n// the signature and public key information\ntype TLog struct {\n\t// URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)\n\t// +optional\n\tURL *apis.URL `json:\"url,omitempty\"`\n\t// Use the Public Key from the referred TrustRoot.TLog\n\t// +optional\n\tTrustRootRef string `json:\"trustRootRef,omitempty\"`\n}\n\n// KeylessRef contains location of the validating certificate and the identities\n// against which to verify. KeylessRef will contain either the URL to the verifying\n// certificate, or it will contain the certificate data inline or in a secret.\ntype KeylessRef struct {\n\t// URL defines a url to the keyless instance.\n\t// +optional\n\tURL *apis.URL `json:\"url,omitempty\"`\n\t// Identities sets a list of identities.\n\tIdentities []Identity `json:\"identities\"`\n\t// CACert sets a reference to CA certificate\n\t// +optional\n\tCACert *KeyRef `json:\"ca-cert,omitempty\"`\n\t// Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog\n\t// +optional\n\tTrustRootRef string `json:\"trustRootRef,omitempty\"`\n\t// InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT\n\t// +optional\n\tInsecureIgnoreSCT *bool `json:\"insecureIgnoreSCT,omitempty\"`\n}\n\n// Attestation defines the type of attestation to validate and optionally\n// apply a policy decision to it. Authority block is used to verify the\n// specified attestation types, and if Policy is specified, then it's applied\n// only after the validation of the Attestation signature has been verified.\ntype Attestation struct {\n\t// Name of the attestation. These can then be referenced at the CIP level\n\t// policy.\n\tName string `json:\"name\"`\n\t// PredicateType defines which predicate type to verify. 
Matches cosign verify-attestation options.\n\tPredicateType string `json:\"predicateType\"`\n\t// Policy defines all of the matching signatures, and all of\n\t// the matching attestations (whose attestations are verified).\n\t// +optional\n\tPolicy *Policy `json:\"policy,omitempty\"`\n}\n\n// RemotePolicy defines all the properties to fetch a remote policy\ntype RemotePolicy struct {\n\t// URL to the policy data.\n\tURL apis.URL `json:\"url,omitempty\"`\n\t// Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.\n\tSha256sum string `json:\"sha256sum,omitempty\"`\n}\n\n// Policy specifies a policy to use for Attestation or the CIP validation (iff\n// at least one authority matches).\n// Exactly one of Data, URL, or ConfigMapReference must be specified.\ntype Policy struct {\n\t// Which kind of policy this is, currently only rego or cue are supported.\n\t// Furthermore, only cue is tested :)\n\tType string `json:\"type\"`\n\t// Data contains the policy definition.\n\t// +optional\n\tData string `json:\"data,omitempty\"`\n\t// Remote defines the url to a policy.\n\t// +optional\n\tRemote *RemotePolicy `json:\"remote,omitempty\"`\n\t// ConfigMapRef defines the reference to a configMap with the policy definition.\n\t// +optional\n\tConfigMapRef *ConfigMapReference `json:\"configMapRef,omitempty\"`\n\t// FetchConfigFile controls whether ConfigFile will be fetched and made\n\t// available for CIP level policy evaluation. Note that this only gets\n\t// evaluated (and hence fetched) iff at least one authority matches.\n\t// The ConfigFile will then be available in this format:\n\t// https://github.com/opencontainers/image-spec/blob/main/config.md\n\t// +optional\n\tFetchConfigFile *bool `json:\"fetchConfigFile,omitempty\"`\n\t// IncludeSpec controls whether resource `Spec` will be included and\n\t// made available for CIP level policy evaluation. 
Note that this only gets\n\t// evaluated iff at least one authority matches.\n\t// Also note that because Spec may be of a different shape depending\n\t// on the resource being evaluatied (see MatchResource for filtering)\n\t// you might want to configure these to match the policy file to ensure\n\t// the shape of the Spec is what you expect when evaling the policy.\n\t// +optional\n\tIncludeSpec *bool `json:\"includeSpec,omitempty\"`\n\t// IncludeObjectMeta controls whether the ObjectMeta will be included and\n\t// made available for CIP level policy evalutation. Note that this only gets\n\t// evaluated iff at least one authority matches.\n\t// +optional\n\tIncludeObjectMeta *bool `json:\"includeObjectMeta,omitempty\"`\n\t// IncludeTypeMeta controls whether the TypeMeta will be included and\n\t// made available for CIP level policy evalutation. Note that this only gets\n\t// evaluated iff at least one authority matches.\n\t// +optional\n\tIncludeTypeMeta *bool `json:\"includeTypeMeta,omitempty\"`\n}\n\n// MatchResource allows selecting resources based on its version, group and resource.\n// It is also possible to select resources based on a list of matching labels.\ntype MatchResource struct {\n\t// +optional\n\tmetav1.GroupVersionResource `json:\",inline\"`\n\t// +optional\n\tResourceSelector *metav1.LabelSelector `json:\"selector,omitempty\"`\n}\n\n// ConfigMapReference is cut&paste from SecretReference, but for the life of me\n// couldn't find one in the public types. 
If there's one, use it.\ntype ConfigMapReference struct {\n\t// Name is unique within a namespace to reference a configmap resource.\n\t// +optional\n\tName string `json:\"name,omitempty\"`\n\t// Namespace defines the space within which the configmap name must be unique.\n\t// +optional\n\tNamespace string `json:\"namespace,omitempty\"`\n\t// Key defines the key to pull from the configmap.\n\t// +optional\n\tKey string `json:\"key,omitempty\"`\n}\n\n// Identity may contain the issuer and/or the subject found in the transparency\n// log.\n// Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\n// apply a regexp for matching.\ntype Identity struct {\n\t// Issuer defines the issuer for this identity.\n\t// +optional\n\tIssuer string `json:\"issuer,omitempty\"`\n\t// Subject defines the subject for this identity.\n\t// +optional\n\tSubject string `json:\"subject,omitempty\"`\n\t// IssuerRegExp specifies a regular expression to match the issuer for this identity.\n\t// +optional\n\tIssuerRegExp string `json:\"issuerRegExp,omitempty\"`\n\t// SubjectRegExp specifies a regular expression to match the subject for this identity.\n\t// +optional\n\tSubjectRegExp string `json:\"subjectRegExp,omitempty\"`\n}\n\n// RFC3161Timestamp specifies the URL to a RFC3161 time-stamping server that holds\n// the time-stamped verification for the signature\ntype RFC3161Timestamp struct {\n\t// Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities\n\t// +optional\n\tTrustRootRef string `json:\"trustRootRef,omitempty\"`\n}\n\n// ClusterImagePolicyStatus represents the current state of a\n// ClusterImagePolicy.\ntype ClusterImagePolicyStatus struct {\n\t// inherits duck/v1 Status, which currently provides:\n\t// * ObservedGeneration - the 'Generation' of the Broker that was last processed by the controller.\n\t// * Conditions - the latest available observations of a resource's current state.\n\tduckv1.Status `json:\",inline\"`\n}\n\n// GetStatus 
retrieves the status of the ClusterImagePolicy.\n// Implements the KRShaped interface.\nfunc (c *ClusterImagePolicy) GetStatus() *duckv1.Status {\n\treturn &c.Status.Status\n}\n\n// ClusterImagePolicyList is a list of ClusterImagePolicy resources\n//\n// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\ntype ClusterImagePolicyList struct {\n\tmetav1.TypeMeta `json:\",inline\"`\n\tmetav1.ListMeta `json:\"metadata\"`\n\n\tItems []ClusterImagePolicy `json:\"items\"`\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"path/filepath\"\n\t\"regexp\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/glob\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/common\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/signaturealgo\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/system\"\n\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n)\n\n// Validate implements apis.Validatable\nfunc (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError {\n\t// If we're doing status updates, do not validate the spec.\n\tif apis.IsInStatusUpdate(ctx) {\n\t\treturn nil\n\t}\n\treturn c.Spec.Validate(ctx).ViaField(\"spec\")\n}\n\nfunc (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError) {\n\t// Check what the configuration is and act accordingly.\n\tpcConfig := policycontrollerconfig.FromContextOrDefaults(ctx)\n\n\tif len(spec.Images) == 0 {\n\t\terrors = errors.Also(apis.ErrMissingField(\"images\"))\n\t}\n\tfor i, image := range spec.Images {\n\t\terrors = errors.Also(image.Validate(ctx).ViaFieldIndex(\"images\", i))\n\t}\n\t// Check if PolicyControllerConfig is configured to fail when having empty authorities\n\tif len(spec.Authorities) == 0 && 
pcConfig.FailOnEmptyAuthorities {\n\t\terrors = errors.Also(apis.ErrMissingField(\"authorities\"))\n\t}\n\tfor i, authority := range spec.Authorities {\n\t\terrors = errors.Also(authority.Validate(ctx).ViaFieldIndex(\"authorities\", i))\n\t}\n\tif spec.Mode != \"\" && !common.ValidModes.Has(spec.Mode) {\n\t\terrors = errors.Also(apis.ErrInvalidValue(spec.Mode, \"mode\", \"unsupported mode\"))\n\t}\n\tfor i, m := range spec.Match {\n\t\terrors = errors.Also(m.Validate(ctx).ViaFieldIndex(\"match\", i))\n\t}\n\t// Note that we're within Spec here so that we can validate that the policy\n\t// FetchConfigFile is only set within Spec.Policy.\n\terrors = errors.Also(spec.Policy.Validate(apis.WithinSpec(ctx)))\n\treturn\n}\n\nfunc (image *ImagePattern) Validate(_ context.Context) *apis.FieldError {\n\tif image.Glob == \"\" {\n\t\treturn apis.ErrMissingField(\"glob\")\n\t}\n\treturn ValidateGlob(image.Glob).ViaField(\"glob\")\n}\n\nfunc (matchResource *MatchResource) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif matchResource.Resource != \"\" && common.ValidResourceNames.Len() > 0 &&\n\t\t!common.ValidResourceNames.Has(matchResource.Resource) {\n\t\terrs = errs.Also(apis.ErrInvalidValue(matchResource.Resource, \"resource\", \"unsupported resource name\"))\n\t}\n\n\tif matchResource.ResourceSelector != nil && (matchResource.Resource == \"\" && matchResource.Version == \"\" && matchResource.Group == \"\") {\n\t\terrs = errs.Also(apis.ErrInvalidValue(matchResource.Resource, \"selector\", \"selector requires a resource type to match the labels\"))\n\t}\n\treturn errs\n}\n\nfunc (authority *Authority) Validate(ctx context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif authority.Key == nil && authority.Keyless == nil && authority.Static == nil {\n\t\terrs = errs.Also(apis.ErrMissingOneOf(\"key\", \"keyless\", \"static\"))\n\t\t// Instead of returning all the missing subfields, just return here\n\t\t// to give a more concise and 
arguably a more meaningful error message.\n\t\treturn errs\n\t}\n\tif (authority.Key != nil && authority.Keyless != nil) ||\n\t\t(authority.Key != nil && authority.Static != nil) ||\n\t\t(authority.Keyless != nil && authority.Static != nil) {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"key\", \"keyless\", \"static\"))\n\t\t// Instead of returning all the missing subfields, just return here\n\t\t// to give a more concise and arguably a more meaningful error message.\n\t\treturn errs\n\t}\n\n\tif authority.Key != nil {\n\t\terrs = errs.Also(authority.Key.Validate(ctx).ViaField(\"key\"))\n\t}\n\tif authority.Keyless != nil {\n\t\terrs = errs.Also(authority.Keyless.Validate(ctx).ViaField(\"keyless\"))\n\t}\n\tif authority.Static != nil {\n\t\terrs = errs.Also(authority.Static.Validate(ctx).ViaField(\"static\"))\n\t\t// Attestations, Sources, RFC3161Timestamp, or CTLog do not make sense with static policy.\n\t\tif len(authority.Attestations) > 0 {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"static\", \"attestations\"))\n\t\t}\n\t\tif len(authority.Sources) > 0 {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"static\", \"source\"))\n\t\t}\n\t\tif authority.CTLog != nil {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"static\", \"ctlog\"))\n\t\t}\n\t\tif authority.RFC3161Timestamp != nil {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"static\", \"rfc3161timestamp\"))\n\t\t}\n\t}\n\n\tif len(authority.Sources) > 1 {\n\t\terrs = errs.Also(apis.ErrInvalidValue(\"source\", \"source\", \"only single source is supported\"))\n\t} else {\n\t\t// If there are multiple sources, don't complain about each of them.\n\t\tfor i, source := range authority.Sources {\n\t\t\terrs = errs.Also(source.Validate(ctx).ViaFieldIndex(\"source\", i))\n\t\t}\n\t}\n\n\tfor _, att := range authority.Attestations {\n\t\terrs = errs.Also(att.Validate(ctx).ViaField(\"attestations\"))\n\t}\n\n\treturn errs\n}\n\nfunc (s *StaticRef) Validate(_ context.Context) *apis.FieldError {\n\tvar errs 
*apis.FieldError\n\n\tif s.Action == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"action\"))\n\t} else if !common.ValidStaticRefTypes.Has(s.Action) {\n\t\terrs = errs.Also(apis.ErrInvalidValue(s.Action, \"action\", \"unsupported action\"))\n\t}\n\treturn errs\n}\n\nfunc (key *KeyRef) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\n\tif key.Data == \"\" && key.KMS == \"\" && key.SecretRef == nil {\n\t\terrs = errs.Also(apis.ErrMissingOneOf(\"data\", \"kms\", \"secretref\"))\n\t}\n\n\tif key.HashAlgorithm != \"\" {\n\t\t_, err := signaturealgo.HashAlgorithm(key.HashAlgorithm)\n\t\tif err != nil {\n\t\t\terrs = errs.Also(apis.ErrInvalidValue(key.HashAlgorithm, \"hashAlgorithm\"))\n\t\t}\n\t}\n\n\tif key.Data != \"\" {\n\t\tif key.KMS != \"\" || key.SecretRef != nil {\n\t\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"data\", \"kms\", \"secretref\"))\n\t\t}\n\t\tpublicKey, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(key.Data))\n\t\tif err != nil || publicKey == nil {\n\t\t\terrs = errs.Also(apis.ErrInvalidValue(key.Data, \"data\"))\n\t\t}\n\t} else if key.KMS != \"\" && key.SecretRef != nil {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"data\", \"kms\", \"secretref\"))\n\t}\n\tif key.KMS != \"\" {\n\t\terrs = errs.Also(common.ValidateKMS(key.KMS).ViaField(\"kms\"))\n\t}\n\tif key.SecretRef != nil && key.SecretRef.Namespace != \"\" && key.SecretRef.Namespace != system.Namespace() {\n\t\terrs = errs.Also(apis.ErrInvalidValue(key.SecretRef.Namespace, \"secretref.namespace\", \"secretref.namespace is invalid. 
If set, it should use the same namespace where the policy-controller was deployed\"))\n\t}\n\treturn errs\n}\n\nfunc (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif keyless.URL == nil && keyless.CACert == nil {\n\t\terrs = errs.Also(apis.ErrMissingOneOf(\"url\", \"ca-cert\"))\n\t}\n\n\t// TODO: Are these really mutually exclusive?\n\tif keyless.URL != nil && keyless.CACert != nil {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"url\", \"ca-cert\"))\n\t}\n\n\tif keyless.CACert != nil {\n\t\terrs = errs.Also(keyless.DeepCopy().CACert.Validate(ctx).ViaField(\"ca-cert\"))\n\t}\n\t// Check that identities is specified.\n\tif len(keyless.Identities) == 0 {\n\t\terrs = errs.Also(apis.ErrMissingField(\"identities\"))\n\t}\n\tfor i, identity := range keyless.Identities {\n\t\terrs = errs.Also(identity.Validate(ctx).ViaFieldIndex(\"identities\", i))\n\t}\n\treturn errs\n}\n\nfunc (source *Source) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif source.OCI != \"\" {\n\t\tif err := common.ValidateOCI(source.OCI); err != nil {\n\t\t\terrs = errs.Also(apis.ErrInvalidValue(source.OCI, \"oci\", err.Error()))\n\t\t}\n\t}\n\n\tif len(source.SignaturePullSecrets) > 0 {\n\t\tfor i, secret := range source.SignaturePullSecrets {\n\t\t\tif secret.Name == \"\" {\n\t\t\t\terrs = errs.Also(apis.ErrMissingField(\"name\")).ViaFieldIndex(\"signaturePullSecrets\", i)\n\t\t\t}\n\t\t}\n\t}\n\treturn errs\n}\n\nfunc (a *Attestation) Validate(ctx context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif a.Name == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"name\"))\n\t}\n\tswitch {\n\tcase a.PredicateType == \"\":\n\t\t// This is just straight up missing, so error out.\n\t\terrs = errs.Also(apis.ErrMissingField(\"predicateType\"))\n\tcase common.ValidPredicateTypes.Has(a.PredicateType):\n\t\t// Ok, it's a valid, deprecated short form. 
It's fine for now, but\n\t\t// should remove it soon because it is very error prone, so warn.\n\t\terrs = errs.Also(apis.ErrInvalidValue(a.PredicateType, \"predicateType\", \"deprecated value, please use RFC 3986 conformant values\").At(apis.WarningLevel))\n\tdefault:\n\t\t// This could be a fully specified URL, so check for that here.\n\t\tif _, err := url.ParseRequestURI(a.PredicateType); err != nil {\n\t\t\t// This is fine for now, but should remove it soon because it is\n\t\t\t// very error prone.\n\t\t\terrs = errs.Also(apis.ErrInvalidValue(a.PredicateType, \"predicateType\", \"deprecated value, please use RFC 3986 conformant values\").At(apis.WarningLevel))\n\t\t}\n\t}\n\terrs = errs.Also(a.Policy.Validate(ctx).ViaField(\"policy\"))\n\treturn errs\n}\n\nfunc (cmr *ConfigMapReference) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif cmr.Name == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"name\"))\n\t}\n\tif cmr.Key == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"key\"))\n\t}\n\treturn errs\n}\n\nfunc (r *RemotePolicy) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\turlObj := r.URL\n\tu, err := url.Parse(urlObj.String())\n\tif err != nil || (err == nil && (u.Host == \"\" || u.Scheme == \"\" || u.Scheme != \"https\")) {\n\t\terrs = errs.Also(apis.ErrInvalidValue(r.URL.String(), \"url\", \"url valid is invalid. 
host and https scheme are expected\"))\n\t}\n\tif r.Sha256sum == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"sha256sum\"))\n\t}\n\treturn errs\n}\n\nfunc (p *Policy) Validate(ctx context.Context) *apis.FieldError {\n\tif p == nil {\n\t\treturn nil\n\t}\n\tvar errs *apis.FieldError\n\tif p.Type != \"cue\" && p.Type != \"rego\" {\n\t\terrs = errs.Also(apis.ErrInvalidValue(p.Type, \"type\", \"only [cue,rego] are supported at the moment\"))\n\t}\n\tif p.Data == \"\" && p.ConfigMapRef == nil && p.Remote == nil {\n\t\terrs = errs.Also(apis.ErrMissingField(\"data\", \"configMapRef\", \"remote\"))\n\t}\n\tif p.Data != \"\" && p.ConfigMapRef != nil && p.Remote != nil {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"data\", \"configMapRef\", \"remote\"))\n\t}\n\tif (p.Data != \"\" && p.ConfigMapRef != nil) ||\n\t\t(p.Data != \"\" && p.Remote != nil) ||\n\t\t(p.ConfigMapRef != nil && p.Remote != nil) {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"data\", \"configMapRef\", \"remote\"))\n\t}\n\tif p.Remote != nil {\n\t\terrs = errs.Also(p.Remote.Validate(ctx).ViaField(\"remote\"))\n\t}\n\tif p.ConfigMapRef != nil {\n\t\terrs = errs.Also(p.ConfigMapRef.Validate(ctx).ViaField(\"configMapRef\"))\n\t}\n\tif !apis.IsInSpec(ctx) && p.FetchConfigFile != nil {\n\t\terrs = errs.Also(apis.ErrDisallowedFields(\"fetchConfigFile\"))\n\t}\n\tif !apis.IsInSpec(ctx) && p.IncludeSpec != nil {\n\t\terrs = errs.Also(apis.ErrDisallowedFields(\"includeSpec\"))\n\t}\n\tif !apis.IsInSpec(ctx) && p.IncludeObjectMeta != nil {\n\t\terrs = errs.Also(apis.ErrDisallowedFields(\"includeObjectMeta\"))\n\t}\n\tif !apis.IsInSpec(ctx) && p.IncludeTypeMeta != nil {\n\t\terrs = errs.Also(apis.ErrDisallowedFields(\"includeTypeMeta\"))\n\t}\n\t// TODO(vaikas): How to validate the cue / rego bytes here (data).\n\treturn errs\n}\n\nfunc (identity *Identity) Validate(_ context.Context) *apis.FieldError {\n\tvar errs *apis.FieldError\n\tif identity.Issuer != \"\" && identity.IssuerRegExp != \"\" {\n\t\terrs = 
errs.Also(apis.ErrMultipleOneOf(\"issuer\", \"issuerRegExp\"))\n\t}\n\tif identity.Subject != \"\" && identity.SubjectRegExp != \"\" {\n\t\terrs = errs.Also(apis.ErrMultipleOneOf(\"subject\", \"subjectRegExp\"))\n\t}\n\tif identity.IssuerRegExp != \"\" {\n\t\terrs = errs.Also(ValidateRegex(identity.IssuerRegExp).ViaField(\"issuerRegExp\"))\n\t}\n\tif identity.SubjectRegExp != \"\" {\n\t\terrs = errs.Also(ValidateRegex(identity.SubjectRegExp).ViaField(\"subjectRegExp\"))\n\t}\n\tif identity.SubjectRegExp == \"\" && identity.Subject == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"subject\", \"subjectRegExp\"))\n\t}\n\tif identity.IssuerRegExp == \"\" && identity.Issuer == \"\" {\n\t\terrs = errs.Also(apis.ErrMissingField(\"issuer\", \"issuerRegExp\"))\n\t}\n\treturn errs\n}\n\n// ValidateGlob checks that g is a usable glob: it must be accepted by\n// filepath.Match (tested against the empty string) and compile with glob.Compile.\nfunc ValidateGlob(g string) *apis.FieldError {\n\tif _, err := filepath.Match(g, \"\"); err != nil {\n\t\treturn apis.ErrInvalidValue(g, apis.CurrentField, fmt.Sprintf(\"glob is invalid: %v\", err))\n\t}\n\tif _, err := glob.Compile(g); err != nil {\n\t\treturn apis.ErrInvalidValue(g, apis.CurrentField, fmt.Sprintf(\"glob is invalid: %v\", err))\n\t}\n\treturn nil\n}\n\nfunc ValidateRegex(regex string) *apis.FieldError {\n\t_, err := regexp.Compile(regex)\n\tif err != nil {\n\t\treturn apis.ErrInvalidValue(regex, apis.CurrentField, fmt.Sprintf(\"regex is invalid: %v\", err))\n\t}\n\n\treturn nil\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/common\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/signaturealgo\"\n\t\"github.com/stretchr/testify/require\"\n\tv1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"knative.dev/pkg/apis\"\n\t\"knative.dev/pkg/ptr\"\n\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n)\n\nconst validPublicKey = \"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaEOVJCFtduYr3xqTxeRWSW32CY/s\\nTBNZj4oIUPl8JvhVPJ1TKDPlNcuT4YphSt6t3yOmMvkdQbCj8broX6vijw==\\n-----END PUBLIC KEY-----\"\n\nconst (\n\tsignatureSHA512HashAlgorithm     = \"sha512\"\n\tsignatureSHAInvalidHashAlgorithm = \"shaInvalid\"\n)\n\nfunc TestImagePatternValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when glob is not present\",\n\t\terrorString: \"missing field(s): spec.authorities, spec.images[0].glob\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Glob should fail with invalid glob\",\n\t\terrorString: \"invalid value: 
[: spec.images[0].glob\\nglob is invalid: syntax error in pattern\\nmissing field(s): spec.authorities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"[\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Glob should fail with invalid regexp\",\n\t\terrorString: \"invalid value: $FOO*: spec.images[0].glob\\nglob is invalid: invalid glob \\\"$FOO*\\\"\\nmissing field(s): spec.authorities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"$FOO*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"missing image and authorities in the spec\",\n\t\terrorString: \"missing field(s): spec.authorities, spec.images\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\ttestContext := policycontrollerconfig.ToContext(context.TODO(), &policycontrollerconfig.PolicyControllerConfig{NoMatchPolicy: policycontrollerconfig.AllowAll, FailOnEmptyAuthorities: true})\n\n\t\t\terr := test.policy.Validate(testContext)\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestKeyValidation(t *testing.T) {\n\tos.Setenv(\"SYSTEM_NAMESPACE\", \"cosign-system\")\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when key has multiple properties\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key.data, spec.authorities[0].key.kms, spec.authorities[0].key.secretref\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"myglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: 
&KeyRef{\n\t\t\t\t\t\t\tData: \"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaEOVJCFtduYr3xqTxeRWSW32CY/s\\nTBNZj4oIUPl8JvhVPJ1TKDPlNcuT4YphSt6t3yOmMvkdQbCj8broX6vijw==\\n-----END PUBLIC KEY-----\",\n\t\t\t\t\t\t\tKMS:  \"hashivault://key/path\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key has malformed pubkey data\",\n\t\terrorString: \"invalid value: ---some key data----: spec.authorities[0].key.data\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"myglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tData: \"---some key data----\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key secretref has an invalid value for the namespace\",\n\t\terrorString: \"invalid value: invalid: spec.authorities[0].key.secretref.namespace\\nsecretref.namespace is invalid. 
If set, it should use the same namespace where the policy-controller was deployed\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"myglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tSecretRef: &v1.SecretReference{\n\t\t\t\t\t\t\t\tName:      \"test\",\n\t\t\t\t\t\t\t\tNamespace: \"invalid\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key is empty\",\n\t\terrorString: \"expected exactly one, got neither: spec.authorities[0].key.data, spec.authorities[0].key.kms, spec.authorities[0].key.secretref\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"myglob*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid AWS KMS for Keyful\",\n\t\terrorString: \"invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].key.kms\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"awskms://localhost:8888/arn:butnotvalid\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid OCI value\",\n\t\terrorString: \"invalid value: registry.example.com/repo/*: spec.authorities[0].source[0].oci\\nrepository can only contain the characters `abcdefghijklmnopqrstuvwxyz0123456789_-./`: repo/*\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: 
ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com/repo/*\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid OCI value usign wrong characters\",\n\t\terrorString: \"invalid value: re@gistry/reponame: spec.authorities[0].source[0].oci\\nregistries must be valid RFC 3986 URI authorities: re@gistry/reponame\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"re@gistry/reponame\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with valid OCI repository name\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"gcr.io/google.com/project/hello-world\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with valid OCI repository name\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com/repository\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when key has only one property: %v\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: 
\"yepanotherglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tKMS: \"hashivault://key/path\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Glob should pass with exact digest image\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"ghcr.io/foo@sha256:5504f2a95018e3d8a52d80d9e1a128c6ea337581808ff9fe96f5628ce2336350\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{\n\t\t\t\t\t\t\tKMS: \"hashivault://key/path\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestKeylessValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when keyless is empty\",\n\t\terrorString: \"expected exactly one, got neither: spec.authorities[0].keyless.ca-cert, spec.authorities[0].keyless.url\\nmissing field(s): spec.authorities[0].keyless.identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when keyless has multiple properties\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].keyless.ca-cert, spec.authorities[0].keyless.url\\nmissing field(s): spec.authorities[0].keyless.identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: 
[]ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tCACert: &KeyRef{\n\t\t\t\t\t\t\t\tData: validPublicKey,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should warn when valid keyless ref is specified, but no identities given\",\n\t\terrorString: \"missing field(s): spec.authorities[0].keyless.identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when valid keyless ref is specified\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tSubject: \"somesubject\",\n\t\t\t\t\t\t\t\t\tIssuer:  \"someissuer\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestStaticValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy    
  ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when static is empty\",\n\t\terrorString: \"missing field(s): spec.authorities[0].static.action\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when action is invalid\",\n\t\terrorString: \"invalid value: garbage: spec.authorities[0].static.action\\nunsupported action\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"garbage\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass, and Spec.Policy.FetchConfigFile\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPolicy: &Policy{\n\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\tData:            `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\tFetchConfigFile: ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass, and 
Spec.Policy.IncludeSpec\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPolicy: &Policy{\n\t\t\t\t\tType:        \"cue\",\n\t\t\t\t\tData:        `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\tIncludeSpec: ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass, and Spec.Policy.IncludeObjectMeta\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPolicy: &Policy{\n\t\t\t\t\tType:              \"cue\",\n\t\t\t\t\tData:              `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\tIncludeObjectMeta: ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with pass, and Spec.Policy.IncludeTypeMeta\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPolicy: &Policy{\n\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\tData:            `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\tIncludeTypeMeta: ptr.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Works with fail\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: 
\"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"fail\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestModeValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tmode        string\n\t}{{\n\t\tname: \"Should work when mode is empty\",\n\t\tmode: \"\",\n\t}, {\n\t\tname: \"Should work with mode enforce\",\n\t\tmode: \"enforce\",\n\t}, {\n\t\tname: \"Should work with mode warn\",\n\t\tmode: \"warn\",\n\t}, {\n\t\tname:        \"Should not work with mode garbage\",\n\t\tmode:        \"garbage\",\n\t\terrorString: \"invalid value: garbage: spec.mode\\nunsupported mode\",\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tpolicy := ClusterImagePolicy{\n\t\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\t\tImages:      []ImagePattern{{Glob: \"globbityglob\"}},\n\t\t\t\t\tAuthorities: []Authority{{Static: &StaticRef{Action: \"pass\"}}},\n\t\t\t\t\tMode:        test.mode,\n\t\t\t\t},\n\t\t\t}\n\t\t\terr := policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestAuthoritiesValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\twarnString  string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname:        \"Should fail when authority is empty\",\n\t\terrorString: \"expected exactly one, got neither: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: 
[]Authority{\n\t\t\t\t\t{},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key/keyless specified\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{Data: validPublicKey},\n\t\t\t\t\t\tKeyless: &KeylessRef{URL: apis.HTTPS(\"fulcio.sigstore.dev\")},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key/static specified\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:    &KeyRef{Data: validPublicKey},\n\t\t\t\t\t\tStatic: &StaticRef{Action: \"pass\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when keyless/static specified\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic:  &StaticRef{Action: \"fail\"},\n\t\t\t\t\t\tKeyless: &KeylessRef{URL: apis.HTTPS(\"fulcio.sigstore.dev\")},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when key/keyless/static specified\",\n\t\terrorString: \"expected exactly one, got both: 
spec.authorities[0].key, spec.authorities[0].keyless, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{Data: validPublicKey},\n\t\t\t\t\t\tKeyless: &KeylessRef{URL: apis.HTTPS(\"fulcio.sigstore.dev\")},\n\t\t\t\t\t\tStatic:  &StaticRef{Action: \"fail\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when static and sources,attestations, and ctlog is specified, warn about legacy short predicate type\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].attestations, spec.authorities[0].ctlog, spec.authorities[0].source, spec.authorities[0].static\",\n\t\twarnString:  \"invalid value: vuln: spec.authorities[0].attestations.predicateType\\ndeprecated value, please use RFC 3986 conformant values\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic:       &StaticRef{Action: \"fail\"},\n\t\t\t\t\t\tAttestations: []Attestation{{Name: \"first\", PredicateType: \"vuln\"}},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"placeholder\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tCTLog: &TLog{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid kms prefix\",\n\t\terrorString: \"invalid value: fookms://localhost:8888/xpa:butnotvalid: spec.authorities[0].key.kms\\nmalformed KMS format, should be prefixed by any of the supported providers: [awskms:// azurekms:// hashivault:// 
gcpkms://]\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"fookms://localhost:8888/xpa:butnotvalid\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when static and sources,attestations, and rfc3161timestamp is specified\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].attestations, spec.authorities[0].rfc3161timestamp, spec.authorities[0].source, spec.authorities[0].static\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tStatic:       &StaticRef{Action: \"fail\"},\n\t\t\t\t\t\tAttestations: []Attestation{{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"}},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"placeholder\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tRFC3161Timestamp: &RFC3161Timestamp{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when authorities is empty\",\n\t\terrorString: \"missing field(s): spec.authorities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when source oci is present\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: 
[]Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with multiple source oci is present\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{OCI: \"registry1\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should fail with multiple source oci is present\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{OCI: \"registry1\"},\n\t\t\t\t\t\t\t{OCI: \"registry2\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"invalid value: source: spec.authorities[0].source\\nonly single source is supported\",\n\t}, {\n\t\tname:        \"Should fail with invalid AWS KMS for Keyful\",\n\t\terrorString: \"invalid value: awskms://localhost:8888/arn:butnotvalid: spec.authorities[0].key.kms\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"awskms://localhost:8888/arn:butnotvalid\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"registry.example.com\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid AWS KMS for Keyless\",\n\t\terrorString: \"invalid value: awskms://localhost:8888/arn:butnotvalid: 
spec.authorities[0].keyless.ca-cert.kms\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\\nmissing field(s): spec.authorities[0].keyless.identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{CACert: &KeyRef{KMS: \"awskms://localhost:8888/arn:butnotvalid\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with attestations present\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should fail with attestations policy specifying fetchConfigFile\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\t\t\t\tData:            `predicateType: 
\"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t\tFetchConfigFile: ptr.Bool(true),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"must not set the field(s): spec.authorities[0].attestations.policy.fetchConfigFile\",\n\t}, {\n\t\tname: \"Should fail with attestations policy specifying includeSpec\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType:        \"cue\",\n\t\t\t\t\t\t\t\tData:        `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t\tIncludeSpec: ptr.Bool(true),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"must not set the field(s): spec.authorities[0].attestations.policy.includeSpec\",\n\t}, {\n\t\tname: \"Should fail with attestations policy specifying includeObjectMeta\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType:              \"cue\",\n\t\t\t\t\t\t\t\tData:              `predicateType: 
\"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t\tIncludeObjectMeta: ptr.Bool(true),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"must not set the field(s): spec.authorities[0].attestations.policy.includeObjectMeta\",\n\t}, {\n\t\tname: \"Should fail with attestations policy specifying includeTypeMeta\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"gcr.io/*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tAttestations: []Attestation{\n\t\t\t\t\t\t\t{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\t\t\t\t\t\t{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\", Policy: &Policy{\n\t\t\t\t\t\t\t\tType:            \"cue\",\n\t\t\t\t\t\t\t\tData:            `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\t\t\t\t\tIncludeTypeMeta: ptr.Bool(true),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"must not set the field(s): spec.authorities[0].attestations.policy.includeTypeMeta\",\n\t}, {\n\t\tname:        \"Should fail with signaturePullSecret name empty\",\n\t\terrorString: \"missing field(s): spec.authorities[0].source[0].signaturePullSecrets[0].name\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with 
signaturePullSecret name filled\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"testPullSecrets\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with invalid signature hash algorithm\",\n\t\terrorString: \"invalid value: \" + signatureSHAInvalidHashAlgorithm + \": spec.authorities[0].key.hashAlgorithm\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\", HashAlgorithm: signatureSHAInvalidHashAlgorithm},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with sha256 signature hash algorithm\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: \"hashivault://key/path\", HashAlgorithm: signaturealgo.DefaultSignatureAlgorithm},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"testPullSecrets\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with sha512 signature hash algorithm\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: &KeyRef{KMS: 
\"hashivault://key/path\", HashAlgorithm: signatureSHA512HashAlgorithm},\n\t\t\t\t\t\tSources: []Source{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tOCI: \"registry1\",\n\t\t\t\t\t\t\t\tSignaturePullSecrets: []v1.LocalObjectReference{\n\t\t\t\t\t\t\t\t\t{Name: \"testPullSecrets\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when source oci is empty\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey:     &KeyRef{KMS: \"hashivault://key/path\"},\n\t\t\t\t\t\tSources: []Source{{OCI: \"\"}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\ttestContext := policycontrollerconfig.ToContext(context.TODO(), &policycontrollerconfig.PolicyControllerConfig{NoMatchPolicy: policycontrollerconfig.AllowAll, FailOnEmptyAuthorities: true})\n\n\t\t\terr := test.policy.Validate(testContext)\n\t\t\tvalidateError(t, test.errorString, test.warnString, err)\n\t\t})\n\t}\n}\n\nfunc TestEmptyAuthoritiesValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname: \"Should pass when Authorities is empty\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages:      []ImagePattern{{Glob: \"*\"}},\n\t\t\t\tAuthorities: []Authority{},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\ttestContext := policycontrollerconfig.ToContext(context.TODO(), &policycontrollerconfig.PolicyControllerConfig{NoMatchPolicy: policycontrollerconfig.AllowAll, FailOnEmptyAuthorities: false})\n\n\t\t\terr := test.policy.Validate(testContext)\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc 
TestAttestationsValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\twarnString  string\n\t\tattestation Attestation\n\t}{{\n\t\tname:        \"https://cosign.sigstore.dev/attestation/vuln/v1\",\n\t\tattestation: Attestation{Name: \"first\", PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t}, {\n\t\tname:        \"fully specified URL\",\n\t\tattestation: Attestation{Name: \"fullyspecified\", PredicateType: \"https://cyclonedx.org/schema\"},\n\t}, {\n\t\tname:        \"missing name\",\n\t\tattestation: Attestation{PredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"},\n\t\terrorString: \"missing field(s): name\",\n\t}, {\n\t\tname:        \"missing predicatetype\",\n\t\tattestation: Attestation{Name: \"first\"},\n\t\terrorString: \"missing field(s): predicateType\",\n\t}, {\n\t\tname:        \"invalid predicatetype\",\n\t\tattestation: Attestation{Name: \"first\", PredicateType: \"notsupported\"},\n\t\twarnString:  \"invalid value: notsupported: predicateType\\ndeprecated value, please use RFC 3986 conformant values\",\n\t}, {\n\t\tname: \"custom with invalid policy type\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"not-cue\",\n\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t},\n\t\t},\n\t\terrorString: \"invalid value: not-cue: policy.type\\nonly [cue,rego] are supported at the moment\",\n\t}, {\n\t\tname: \"custom with missing policy data, url and configMapRef\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t},\n\t\t},\n\t\terrorString: \"missing field(s): policy.configMapRef, policy.data, policy.remote\",\n\t}, {\n\t\tname: \"custom with both policy data and configMapRef\",\n\t\tattestation: Attestation{Name: 
\"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\tConfigMapRef: &ConfigMapReference{\n\t\t\t\t\tName: \"cmname\",\n\t\t\t\t\tKey:  \"keyname\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"expected exactly one, got both: policy.configMapRef, policy.data, policy.remote\",\n\t}, {\n\t\tname: \"custom with both policy data, url and configMapRef\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t\tConfigMapRef: &ConfigMapReference{\n\t\t\t\t\tName: \"cmname\",\n\t\t\t\t\tKey:  \"keyname\",\n\t\t\t\t},\n\t\t\t\tRemote: &RemotePolicy{\n\t\t\t\t\tURL:       *apis.HTTPS(\"example.com\"),\n\t\t\t\t\tSha256sum: \"123123123\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"expected exactly one, got both: policy.configMapRef, policy.data, policy.remote\",\n\t}, {\n\t\tname: \"custom with both policy url\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tRemote: &RemotePolicy{\n\t\t\t\t\tURL:       *apis.HTTPS(\"example.com\"),\n\t\t\t\t\tSha256sum: \"123123123\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"custom with invalid policy url scheme\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tRemote: &RemotePolicy{\n\t\t\t\t\tURL:       *apis.HTTP(\"example.com\"),\n\t\t\t\t\tSha256sum: \"123123123\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"invalid value: http://example.com: policy.remote.url\\nurl valid is invalid. 
host and https scheme are expected\",\n\t}, {\n\t\tname: \"custom with invalid configMapRef, missing key\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tConfigMapRef: &ConfigMapReference{\n\t\t\t\t\tName: \"cmname\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\terrorString: \"missing field(s): policy.configMapRef.key\",\n\t}, {\n\t\tname: \"custom with policy\",\n\t\tattestation: Attestation{Name: \"second\", PredicateType: \"https://cosign.sigstore.dev/attestation/v1\",\n\t\t\tPolicy: &Policy{\n\t\t\t\tType: \"cue\",\n\t\t\t\tData: `predicateType: \"cosign.sigstore.dev/attestation/vuln/v1\"`,\n\t\t\t},\n\t\t},\n\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.attestation.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, test.warnString, err)\n\t\t})\n\t}\n}\nfunc TestIdentitiesValidation(t *testing.T) {\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname: \"Should pass with identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: []Identity{{SubjectRegExp: \".*subject.*\", IssuerRegExp: \".*issuer.*\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should warn when identities fields are empty\",\n\t\terrorString: \"missing field(s): spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp, spec.authorities[0].keyless.identities[0].subject, 
spec.authorities[0].keyless.identities[0].subjectRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: []Identity{{Issuer: \"\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with both issuer and issuerRegExp\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Issuer: \"issuer\", IssuerRegExp: \"issuerregexp\", Subject: \"subject\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail with both subject and subjectRegExp\",\n\t\terrorString: \"expected exactly one, got both: spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Subject: \"subject\", SubjectRegExp: \"subjectregexp\", Issuer: 
\"issuer\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when issuer has invalid regex\",\n\t\terrorString: \"invalid value: ****: spec.authorities[0].keyless.identities[0].issuerRegExp\\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{IssuerRegExp: \"****\", Subject: \"subject\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should warn when issuer or issuerRegExp is missing\",\n\t\terrorString: \"missing field(s): spec.authorities[0].keyless.identities[0].issuer, spec.authorities[0].keyless.identities[0].issuerRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Subject: \"subject\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should warn when subject or subjectRegExp is missing\",\n\t\terrorString: \"missing field(s): spec.authorities[0].keyless.identities[0].subject, spec.authorities[0].keyless.identities[0].subjectRegExp\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: 
[]Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Issuer: \"issuer\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname:        \"Should fail when subject has invalid regex\",\n\t\terrorString: \"invalid value: ****: spec.authorities[0].keyless.identities[0].subjectRegExp\\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{Issuer: \"issuer\", SubjectRegExp: \"****\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when subject and issuer have valid regex\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{{SubjectRegExp: \".*subject.*\", IssuerRegExp: \".*issuer.*\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass when identities is valid\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: 
\"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tIssuer:  \"some issuer\",\n\t\t\t\t\t\t\t\t\tSubject: \"some subject\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestAWSKMSValidation(t *testing.T) {\n\t// Note the error messages between the kms / cacert validations are\n\t// identical, with the only difference being `kms` or `ca-cert.kms`. Reason\n\t// for the ca-cert.kms is because it's embedded within the ca-cert that\n\t// we pass in. So we put a KMSORCACERT into the err string that we then\n\t// replace based on the tests so we don't have to write identical tests\n\t// for both of them.\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tkms         string\n\t}{{\n\t\tname:        \"malformed, only 2 slashes \",\n\t\terrorString: \"invalid value: awskms://1234abcd-12ab-34cd-56ef-1234567890ab: KMSORCACERT\\nmalformed AWS KMS format 'awskms://$ENDPOINT/$KEYID', should be conformant with KMS standard documented here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id\",\n\t\tkms:         \"awskms://1234abcd-12ab-34cd-56ef-1234567890ab\",\n\t}, {\n\t\tname:        \"fails with invalid host\",\n\t\terrorString: \"invalid value: awskms://localhost:::4566/alias/exampleAlias: KMSORCACERT\\nmalformed endpoint: address localhost:::4566: too many colons in address\",\n\t\tkms:         \"awskms://localhost:::4566/alias/exampleAlias\",\n\t}, {\n\t\tname:        \"fails with non-arn alias\",\n\t\terrorString: \"invalid value: awskms://localhost:4566/alias/exampleAlias: KMSORCACERT\\nfailed to parse either key or alias arn: arn: invalid prefix\",\n\t\tkms:         
\"awskms://localhost:4566/alias/exampleAlias\",\n\t}, {\n\t\tname:        \"Should fail when arn is invalid\",\n\t\terrorString: \"invalid value: awskms://localhost:4566/arn:sonotvalid: KMSORCACERT\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\",\n\t\tkms:         \"awskms://localhost:4566/arn:sonotvalid\",\n\t}, {\n\t\tname:        \"Should fail with key is invalid\",\n\t\terrorString: \"invalid value: awskms://arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab: KMSORCACERT\\nkms key should be in the format awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional)\",\n\t\tkms:         \"awskms://arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\",\n\t}, {\n\t\tname: \"works with valid arn key and endpoint\",\n\t\tkms:  \"awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\",\n\t}, {\n\t\tname: \"works with valid arn key and no endpoint\",\n\t\tkms:  \"awskms:///arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\",\n\t}, {\n\t\tname: \"works with valid arn alias and endpoint\",\n\t\tkms:  \"awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias\",\n\t}, {\n\t\tname: \"works with valid arn alias and no endpoint\",\n\t\tkms:  \"awskms:///arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias\",\n\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\t// First test with KeyRef\n\t\t\tkeyRef := KeyRef{KMS: test.kms}\n\t\t\terr := keyRef.Validate(context.TODO())\n\t\t\tkmsErrString := strings.Replace(test.errorString, \"KMSORCACERT\", \"kms\", 1)\n\t\t\tvalidateError(t, kmsErrString, \"\", err)\n\t\t\t// Then with Keyless with CACert as KeyRef\n\t\t\tkeylessRef := KeylessRef{CACert: &keyRef, Identities: []Identity{{Subject: \"testsubject\", Issuer: \"testIssuer\"}}}\n\t\t\terr = keylessRef.Validate(context.TODO())\n\t\t\tcaCertErrString := 
strings.Replace(test.errorString, \"KMSORCACERT\", \"ca-cert.kms\", 1)\n\t\t\tvalidateError(t, caCertErrString, \"\", err)\n\t\t})\n\t}\n}\n\n// validateError checks the given error against wanted error/warning strings.\n// If either is \"\" then it's assumed that an error/warning is not wanted, and if\n// one is given, will error.\n// nolint since currently we do not have warnings we expect, but having this\n// around makes it easier to add warning validations in the future.\n//\n//nolint:all\nfunc validateError(t *testing.T, wantErrStr, wantWarnStr string, fe *apis.FieldError) {\n\tt.Helper()\n\t// Grab warning and check it first\n\twarnFE := fe.Filter(apis.WarningLevel)\n\tif wantWarnStr != \"\" {\n\t\trequire.NotNil(t, warnFE)\n\t\trequire.EqualError(t, warnFE, wantWarnStr)\n\t} else {\n\t\trequire.Nil(t, warnFE)\n\t}\n\n\t// Then grab error and check it\n\terrFE := fe.Filter(apis.ErrorLevel)\n\tif wantErrStr != \"\" {\n\t\trequire.NotNil(t, errFE)\n\t\trequire.EqualError(t, errFE, wantErrStr)\n\t} else {\n\t\trequire.Nil(t, errFE)\n\t}\n}\n\nfunc TestMatchValidation(t *testing.T) {\n\t// Add a \"supported\" resource name that we'll use to test things.\n\tcommon.ValidResourceNames.Insert(\"supported\")\n\n\ttests := []struct {\n\t\tname        string\n\t\terrorString string\n\t\tpolicy      ClusterImagePolicy\n\t}{{\n\t\tname: \"Should pass with identities\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: []Identity{{SubjectRegExp: \".*subject.*\", IssuerRegExp: \".*issuer.*\"}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with match label selector\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: 
ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tMatch: []MatchResource{\n\t\t\t\t\t{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"apps\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: \"supported\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tResourceSelector: &metav1.LabelSelector{\n\t\t\t\t\t\t\tMatchLabels: map[string]string{\"a\": \"b\", \"c\": \"d\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tIssuer:  \"some issuer\",\n\t\t\t\t\t\t\t\t\tSubject: \"some subject\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"Should pass with match resource types\",\n\t\tpolicy: ClusterImagePolicy{\n\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tMatch: []MatchResource{\n\t\t\t\t\t{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"apps\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: \"supported\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tInsecureIgnoreSCT: ptr.Bool(true),\n\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tIssuer:  \"some issuer\",\n\t\t\t\t\t\t\t\t\tSubject: \"some subject\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t\t{\n\t\t\tname:        \"Should fail with invalid match resource 
type\",\n\t\t\terrorString: \"invalid value: myobject: spec.match[0].resource\\nunsupported resource name\",\n\t\t\tpolicy: ClusterImagePolicy{\n\t\t\t\tSpec: ClusterImagePolicySpec{\n\t\t\t\t\tImages: []ImagePattern{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tGlob: \"globbityglob\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tMatch: []MatchResource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\t\tGroup:    \"\",\n\t\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\t\tResource: \"myobject\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tAuthorities: []Authority{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tKeyless: &KeylessRef{\n\t\t\t\t\t\t\t\tURL: &apis.URL{\n\t\t\t\t\t\t\t\t\tHost: \"myhost\",\n\t\t\t\t\t\t\t\t},\n\n\t\t\t\t\t\t\t\tIdentities: []Identity{\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tIssuer:  \"some issuer\",\n\t\t\t\t\t\t\t\t\t\tSubject: \"some subject\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := test.policy.Validate(context.TODO())\n\t\t\tvalidateError(t, test.errorString, \"\", err)\n\t\t})\n\t}\n}\n\nfunc TestIgnoreStatusUpdates(t *testing.T) {\n\tcip := &ClusterImagePolicy{Spec: ClusterImagePolicySpec{Images: []ImagePattern{{Glob: \"\"}}}}\n\n\tif err := cip.Validate(apis.WithinSubResourceUpdate(context.Background(), &cip, \"status\")); err != nil {\n\t\tt.Errorf(\"Failed to update status on invalid resource: %v\", err)\n\t}\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// +k8s:deepcopy-gen=package\n// +groupName=policy.sigstore.dev\npackage v1beta1\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/register.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage v1beta1\n\nimport (\n\tpolicy \"github.com/sigstore/policy-controller/pkg/apis/policy\"\n\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n)\n\n// SchemeGroupVersion is group version used to register these objects\nvar SchemeGroupVersion = schema.GroupVersion{Group: policy.GroupName, Version: \"v1beta1\"}\n\n// Kind takes an unqualified kind and returns back a Group qualified GroupKind\nfunc Kind(kind string) schema.GroupKind {\n\treturn SchemeGroupVersion.WithKind(kind).GroupKind()\n}\n\n// Resource takes an unqualified resource and returns a Group qualified GroupResource\nfunc Resource(resource string) schema.GroupResource {\n\treturn SchemeGroupVersion.WithResource(resource).GroupResource()\n}\n\nvar (\n\t// SchemeBuilder builds a scheme with the types known to the package.\n\tSchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)\n\t// AddToScheme adds the types known to this package to an existing schema.\n\tAddToScheme = SchemeBuilder.AddToScheme\n)\n\n// Adds the list of known types to Scheme.\nfunc addKnownTypes(scheme *runtime.Scheme) error {\n\tscheme.AddKnownTypes(SchemeGroupVersion,\n\t\t&ClusterImagePolicy{},\n\t\t&ClusterImagePolicyList{},\n\t)\n\tmetav1.AddToGroupVersion(scheme, SchemeGroupVersion)\n\treturn nil\n}\n"
  },
  {
    "path": "pkg/apis/policy/v1beta1/zz_generated.deepcopy.go",
    "content": "//go:build !ignore_autogenerated\n// +build !ignore_autogenerated\n\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by deepcopy-gen. DO NOT EDIT.\n\npackage v1beta1\n\nimport (\n\tv1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\tapis \"knative.dev/pkg/apis\"\n)\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *Attestation) DeepCopyInto(out *Attestation) {\n\t*out = *in\n\tif in.Policy != nil {\n\t\tin, out := &in.Policy, &out.Policy\n\t\t*out = new(Policy)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.\nfunc (in *Attestation) DeepCopy() *Attestation {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Attestation)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *Authority) DeepCopyInto(out *Authority) {\n\t*out = *in\n\tif in.Key != nil {\n\t\tin, out := &in.Key, &out.Key\n\t\t*out = new(KeyRef)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Keyless != nil {\n\t\tin, out := &in.Keyless, &out.Keyless\n\t\t*out = new(KeylessRef)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Static != nil {\n\t\tin, out := &in.Static, &out.Static\n\t\t*out = new(StaticRef)\n\t\t**out = **in\n\t}\n\tif in.Sources != nil {\n\t\tin, out := &in.Sources, &out.Sources\n\t\t*out = make([]Source, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.CTLog != nil {\n\t\tin, out := &in.CTLog, &out.CTLog\n\t\t*out = new(TLog)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Attestations != nil {\n\t\tin, out := &in.Attestations, &out.Attestations\n\t\t*out = make([]Attestation, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.RFC3161Timestamp != nil {\n\t\tin, out := &in.RFC3161Timestamp, &out.RFC3161Timestamp\n\t\t*out = new(RFC3161Timestamp)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authority.\nfunc (in *Authority) DeepCopy() *Authority {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Authority)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {\n\t*out = *in\n\tout.TypeMeta = in.TypeMeta\n\tin.ObjectMeta.DeepCopyInto(&out.ObjectMeta)\n\tin.Spec.DeepCopyInto(&out.Spec)\n\tin.Status.DeepCopyInto(&out.Status)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy.\nfunc (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ClusterImagePolicy)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.\nfunc (in *ClusterImagePolicy) DeepCopyObject() runtime.Object {\n\tif c := in.DeepCopy(); c != nil {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList) {\n\t*out = *in\n\tout.TypeMeta = in.TypeMeta\n\tin.ListMeta.DeepCopyInto(&out.ListMeta)\n\tif in.Items != nil {\n\t\tin, out := &in.Items, &out.Items\n\t\t*out = make([]ClusterImagePolicy, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList.\nfunc (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ClusterImagePolicyList)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.\nfunc (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object {\n\tif c := in.DeepCopy(); c != nil {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec) {\n\t*out = *in\n\tif in.Images != nil {\n\t\tin, out := &in.Images, &out.Images\n\t\t*out = make([]ImagePattern, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\tif in.Authorities != nil {\n\t\tin, out := &in.Authorities, &out.Authorities\n\t\t*out = make([]Authority, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\tif in.Policy != nil {\n\t\tin, out := &in.Policy, &out.Policy\n\t\t*out = new(Policy)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Match != nil {\n\t\tin, out := &in.Match, &out.Match\n\t\t*out = make([]MatchResource, len(*in))\n\t\tfor i := range *in {\n\t\t\t(*in)[i].DeepCopyInto(&(*out)[i])\n\t\t}\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec.\nfunc (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ClusterImagePolicySpec)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus) {\n\t*out = *in\n\tin.Status.DeepCopyInto(&out.Status)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus.\nfunc (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ClusterImagePolicyStatus)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.\nfunc (in *ConfigMapReference) DeepCopy() *ConfigMapReference {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ConfigMapReference)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *Identity) DeepCopyInto(out *Identity) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity.\nfunc (in *Identity) DeepCopy() *Identity {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Identity)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *ImagePattern) DeepCopyInto(out *ImagePattern) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePattern.\nfunc (in *ImagePattern) DeepCopy() *ImagePattern {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(ImagePattern)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *KeyRef) DeepCopyInto(out *KeyRef) {\n\t*out = *in\n\tif in.SecretRef != nil {\n\t\tin, out := &in.SecretRef, &out.SecretRef\n\t\t*out = new(v1.SecretReference)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyRef.\nfunc (in *KeyRef) DeepCopy() *KeyRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(KeyRef)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *KeylessRef) DeepCopyInto(out *KeylessRef) {\n\t*out = *in\n\tif in.URL != nil {\n\t\tin, out := &in.URL, &out.URL\n\t\t*out = new(apis.URL)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.Identities != nil {\n\t\tin, out := &in.Identities, &out.Identities\n\t\t*out = make([]Identity, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\tif in.CACert != nil {\n\t\tin, out := &in.CACert, &out.CACert\n\t\t*out = new(KeyRef)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.InsecureIgnoreSCT != nil {\n\t\tin, out := &in.InsecureIgnoreSCT, &out.InsecureIgnoreSCT\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessRef.\nfunc (in *KeylessRef) DeepCopy() *KeylessRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(KeylessRef)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *MatchResource) DeepCopyInto(out *MatchResource) {\n\t*out = *in\n\tout.GroupVersionResource = in.GroupVersionResource\n\tif in.ResourceSelector != nil {\n\t\tin, out := &in.ResourceSelector, &out.ResourceSelector\n\t\t*out = new(metav1.LabelSelector)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResource.\nfunc (in *MatchResource) DeepCopy() *MatchResource {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(MatchResource)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *Policy) DeepCopyInto(out *Policy) {\n\t*out = *in\n\tif in.Remote != nil {\n\t\tin, out := &in.Remote, &out.Remote\n\t\t*out = new(RemotePolicy)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\tif in.ConfigMapRef != nil {\n\t\tin, out := &in.ConfigMapRef, &out.ConfigMapRef\n\t\t*out = new(ConfigMapReference)\n\t\t**out = **in\n\t}\n\tif in.FetchConfigFile != nil {\n\t\tin, out := &in.FetchConfigFile, &out.FetchConfigFile\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\tif in.IncludeSpec != nil {\n\t\tin, out := &in.IncludeSpec, &out.IncludeSpec\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\tif in.IncludeObjectMeta != nil {\n\t\tin, out := &in.IncludeObjectMeta, &out.IncludeObjectMeta\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\tif in.IncludeTypeMeta != nil {\n\t\tin, out := &in.IncludeTypeMeta, &out.IncludeTypeMeta\n\t\t*out = new(bool)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.\nfunc (in *Policy) DeepCopy() *Policy {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Policy)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *RFC3161Timestamp) DeepCopyInto(out *RFC3161Timestamp) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RFC3161Timestamp.\nfunc (in *RFC3161Timestamp) DeepCopy() *RFC3161Timestamp {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(RFC3161Timestamp)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *RemotePolicy) DeepCopyInto(out *RemotePolicy) {\n\t*out = *in\n\tin.URL.DeepCopyInto(&out.URL)\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemotePolicy.\nfunc (in *RemotePolicy) DeepCopy() *RemotePolicy {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(RemotePolicy)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *Source) DeepCopyInto(out *Source) {\n\t*out = *in\n\tif in.SignaturePullSecrets != nil {\n\t\tin, out := &in.SignaturePullSecrets, &out.SignaturePullSecrets\n\t\t*out = make([]v1.LocalObjectReference, len(*in))\n\t\tcopy(*out, *in)\n\t}\n\tif in.TagPrefix != nil {\n\t\tin, out := &in.TagPrefix, &out.TagPrefix\n\t\t*out = new(string)\n\t\t**out = **in\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.\nfunc (in *Source) DeepCopy() *Source {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(Source)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.\nfunc (in *StaticRef) DeepCopyInto(out *StaticRef) {\n\t*out = *in\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticRef.\nfunc (in *StaticRef) DeepCopy() *StaticRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(StaticRef)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n\n// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.\nfunc (in *TLog) DeepCopyInto(out *TLog) {\n\t*out = *in\n\tif in.URL != nil {\n\t\tin, out := &in.URL, &out.URL\n\t\t*out = new(apis.URL)\n\t\t(*in).DeepCopyInto(*out)\n\t}\n\treturn\n}\n\n// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLog.\nfunc (in *TLog) DeepCopy() *TLog {\n\tif in == nil {\n\t\treturn nil\n\t}\n\tout := new(TLog)\n\tin.DeepCopyInto(out)\n\treturn out\n}\n"
  },
  {
    "path": "pkg/apis/signaturealgo/signature_digest.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage signaturealgo\n\nimport (\n\t\"crypto\"\n\t\"fmt\"\n\t\"strings\"\n)\n\nvar DefaultSignatureAlgorithm = \"sha256\"\n\n// supportedSignatureAlgorithms maps the names of the supported signature digest\n// algorithms to their crypto.Hash values; the list is similar to the one supported by cosign.\nvar supportedSignatureAlgorithms = map[string]crypto.Hash{\n\t\"sha224\": crypto.SHA224,\n\t\"sha256\": crypto.SHA256,\n\t\"sha384\": crypto.SHA384,\n\t\"sha512\": crypto.SHA512,\n}\n\n// HashAlgorithm returns the crypto.Hash for the given algorithm name. The name is\n// trimmed and lower-cased before lookup, and an empty name selects crypto.SHA256.\n// An unknown name returns crypto.SHA256 together with a non-nil error, so callers\n// must check the error rather than use the returned hash.\nfunc HashAlgorithm(algorithmName string) (crypto.Hash, error) {\n\tif algorithmName == \"\" {\n\t\treturn crypto.SHA256, nil\n\t}\n\tnormalizedAlgo := strings.ToLower(strings.TrimSpace(algorithmName))\n\n\talgo, exists := supportedSignatureAlgorithms[normalizedAlgo]\n\tif !exists {\n\t\treturn crypto.SHA256, fmt.Errorf(\"unknown digest algorithm: %s\", algorithmName)\n\t}\n\n\treturn algo, nil\n}\n"
  },
  {
    "path": "pkg/apis/signaturealgo/signature_digest_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//\thttp://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage signaturealgo\n\nimport (\n\t\"crypto\"\n\t\"testing\"\n)\n\nfunc TestHashAlgorithm(t *testing.T) {\n\tfor _, c := range []struct {\n\t\talgorithm string\n\t\twantHash  crypto.Hash\n\t\twantErr   bool\n\t}{\n\t\t{algorithm: \"sha256\", wantErr: false, wantHash: crypto.SHA256},\n\t\t{algorithm: \"sha512\", wantErr: false, wantHash: crypto.SHA512},\n\t\t{algorithm: \"sha224\", wantErr: false, wantHash: crypto.SHA224},\n\t\t{algorithm: \"sha384\", wantErr: false, wantHash: crypto.SHA384},\n\t\t{algorithm: \"sha3845\", wantErr: true, wantHash: crypto.SHA256},\n\t\t{algorithm: \"\", wantErr: false, wantHash: crypto.SHA256},\n\t} {\n\t\tt.Run(c.algorithm, func(t *testing.T) {\n\t\t\thashCode, err := HashAlgorithm(c.algorithm)\n\t\t\tif hashCode != c.wantHash {\n\t\t\t\tt.Errorf(\"hash code: got %v, want %v\", hashCode, c.wantHash)\n\t\t\t}\n\t\t\tif gotErr := err != nil; gotErr != c.wantErr {\n\t\t\t\tt.Errorf(\"err: got %v, want %t\", err, c.wantErr)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/clientset.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage versioned\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\n\tpolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/typed/policy/v1alpha1\"\n\tpolicyv1beta1 \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/typed/policy/v1beta1\"\n\tdiscovery \"k8s.io/client-go/discovery\"\n\trest \"k8s.io/client-go/rest\"\n\tflowcontrol \"k8s.io/client-go/util/flowcontrol\"\n)\n\ntype Interface interface {\n\tDiscovery() discovery.DiscoveryInterface\n\tPolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface\n\tPolicyV1beta1() policyv1beta1.PolicyV1beta1Interface\n}\n\n// Clientset contains the clients for groups.\ntype Clientset struct {\n\t*discovery.DiscoveryClient\n\tpolicyV1alpha1 *policyv1alpha1.PolicyV1alpha1Client\n\tpolicyV1beta1  *policyv1beta1.PolicyV1beta1Client\n}\n\n// PolicyV1alpha1 retrieves the PolicyV1alpha1Client\nfunc (c *Clientset) PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface {\n\treturn c.policyV1alpha1\n}\n\n// PolicyV1beta1 retrieves the PolicyV1beta1Client\nfunc (c *Clientset) PolicyV1beta1() policyv1beta1.PolicyV1beta1Interface {\n\treturn c.policyV1beta1\n}\n\n// Discovery retrieves the DiscoveryClient\nfunc (c *Clientset) Discovery() discovery.DiscoveryInterface {\n\tif c == nil {\n\t\treturn nil\n\t}\n\treturn 
c.DiscoveryClient\n}\n\n// NewForConfig creates a new Clientset for the given config.\n// If config's RateLimiter is not set and QPS and Burst are acceptable,\n// NewForConfig will generate a rate-limiter in configShallowCopy.\n// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),\n// where httpClient was generated with rest.HTTPClientFor(c).\nfunc NewForConfig(c *rest.Config) (*Clientset, error) {\n\tconfigShallowCopy := *c\n\n\tif configShallowCopy.UserAgent == \"\" {\n\t\tconfigShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent()\n\t}\n\n\t// share the transport between all clients\n\thttpClient, err := rest.HTTPClientFor(&configShallowCopy)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn NewForConfigAndClient(&configShallowCopy, httpClient)\n}\n\n// NewForConfigAndClient creates a new Clientset for the given config and http client.\n// Note the http client provided takes precedence over the configured transport values.\n// If config's RateLimiter is not set and QPS and Burst are acceptable,\n// NewForConfigAndClient will generate a rate-limiter in configShallowCopy.\nfunc NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) {\n\tconfigShallowCopy := *c\n\tif configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {\n\t\tif configShallowCopy.Burst <= 0 {\n\t\t\treturn nil, fmt.Errorf(\"burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0\")\n\t\t}\n\t\tconfigShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)\n\t}\n\n\tvar cs Clientset\n\tvar err error\n\tcs.policyV1alpha1, err = policyv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcs.policyV1beta1, err = policyv1beta1.NewForConfigAndClient(&configShallowCopy, httpClient)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tcs.DiscoveryClient, err = 
discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &cs, nil\n}\n\n// NewForConfigOrDie creates a new Clientset for the given config and\n// panics if there is an error in the config.\nfunc NewForConfigOrDie(c *rest.Config) *Clientset {\n\tcs, err := NewForConfig(c)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn cs\n}\n\n// New creates a new Clientset for the given RESTClient.\nfunc New(c rest.Interface) *Clientset {\n\tvar cs Clientset\n\tcs.policyV1alpha1 = policyv1alpha1.New(c)\n\tcs.policyV1beta1 = policyv1beta1.New(c)\n\n\tcs.DiscoveryClient = discovery.NewDiscoveryClient(c)\n\treturn &cs\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// This package has the automatically generated clientset.\npackage versioned\n"
  },
  {
    "path": "pkg/client/clientset/versioned/fake/clientset_generated.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tclientset \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tpolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/typed/policy/v1alpha1\"\n\tfakepolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/typed/policy/v1alpha1/fake\"\n\tpolicyv1beta1 \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/typed/policy/v1beta1\"\n\tfakepolicyv1beta1 \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/typed/policy/v1beta1/fake\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\t\"k8s.io/apimachinery/pkg/watch\"\n\t\"k8s.io/client-go/discovery\"\n\tfakediscovery \"k8s.io/client-go/discovery/fake\"\n\t\"k8s.io/client-go/testing\"\n)\n\n// NewSimpleClientset returns a clientset that will respond with the provided objects.\n// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,\n// without applying any validations and/or defaults. 
It shouldn't be considered a replacement\n// for a real clientset and is mostly useful in simple unit tests.\nfunc NewSimpleClientset(objects ...runtime.Object) *Clientset {\n\to := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())\n\tfor _, obj := range objects {\n\t\tif err := o.Add(obj); err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n\n\tcs := &Clientset{tracker: o}\n\tcs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}\n\tcs.AddReactor(\"*\", \"*\", testing.ObjectReaction(o))\n\tcs.AddWatchReactor(\"*\", func(action testing.Action) (handled bool, ret watch.Interface, err error) {\n\t\tgvr := action.GetResource()\n\t\tns := action.GetNamespace()\n\t\twatch, err := o.Watch(gvr, ns)\n\t\tif err != nil {\n\t\t\treturn false, nil, err\n\t\t}\n\t\treturn true, watch, nil\n\t})\n\n\treturn cs\n}\n\n// Clientset implements clientset.Interface. Meant to be embedded into a\n// struct to get a default implementation. This makes faking out just the method\n// you want to test easier.\ntype Clientset struct {\n\ttesting.Fake\n\tdiscovery *fakediscovery.FakeDiscovery\n\ttracker   testing.ObjectTracker\n}\n\nfunc (c *Clientset) Discovery() discovery.DiscoveryInterface {\n\treturn c.discovery\n}\n\nfunc (c *Clientset) Tracker() testing.ObjectTracker {\n\treturn c.tracker\n}\n\nvar (\n\t_ clientset.Interface = &Clientset{}\n\t_ testing.FakeClient  = &Clientset{}\n)\n\n// PolicyV1alpha1 retrieves the PolicyV1alpha1Client\nfunc (c *Clientset) PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface {\n\treturn &fakepolicyv1alpha1.FakePolicyV1alpha1{Fake: &c.Fake}\n}\n\n// PolicyV1beta1 retrieves the PolicyV1beta1Client\nfunc (c *Clientset) PolicyV1beta1() policyv1beta1.PolicyV1beta1Interface {\n\treturn &fakepolicyv1beta1.FakePolicyV1beta1{Fake: &c.Fake}\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/fake/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// This package has the automatically generated fake clientset.\npackage fake\n"
  },
  {
    "path": "pkg/client/clientset/versioned/fake/register.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tpolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tpolicyv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\tschema \"k8s.io/apimachinery/pkg/runtime/schema\"\n\tserializer \"k8s.io/apimachinery/pkg/runtime/serializer\"\n\tutilruntime \"k8s.io/apimachinery/pkg/util/runtime\"\n)\n\nvar scheme = runtime.NewScheme()\nvar codecs = serializer.NewCodecFactory(scheme)\n\nvar localSchemeBuilder = runtime.SchemeBuilder{\n\tpolicyv1alpha1.AddToScheme,\n\tpolicyv1beta1.AddToScheme,\n}\n\n// AddToScheme adds all types of this clientset into the given scheme. 
This allows composition\n// of clientsets, like in:\n//\n//\timport (\n//\t  \"k8s.io/client-go/kubernetes\"\n//\t  clientsetscheme \"k8s.io/client-go/kubernetes/scheme\"\n//\t  aggregatorclientsetscheme \"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme\"\n//\t)\n//\n//\tkclientset, _ := kubernetes.NewForConfig(c)\n//\t_ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)\n//\n// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types\n// correctly.\nvar AddToScheme = localSchemeBuilder.AddToScheme\n\nfunc init() {\n\tv1.AddToGroupVersion(scheme, schema.GroupVersion{Version: \"v1\"})\n\tutilruntime.Must(AddToScheme(scheme))\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/scheme/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// This package contains the scheme of the automatically generated clientset.\npackage scheme\n"
  },
  {
    "path": "pkg/client/clientset/versioned/scheme/register.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage scheme\n\nimport (\n\tpolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tpolicyv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\tschema \"k8s.io/apimachinery/pkg/runtime/schema\"\n\tserializer \"k8s.io/apimachinery/pkg/runtime/serializer\"\n\tutilruntime \"k8s.io/apimachinery/pkg/util/runtime\"\n)\n\nvar Scheme = runtime.NewScheme()\nvar Codecs = serializer.NewCodecFactory(Scheme)\nvar ParameterCodec = runtime.NewParameterCodec(Scheme)\nvar localSchemeBuilder = runtime.SchemeBuilder{\n\tpolicyv1alpha1.AddToScheme,\n\tpolicyv1beta1.AddToScheme,\n}\n\n// AddToScheme adds all types of this clientset into the given scheme. 
This allows composition\n// of clientsets, like in:\n//\n//\timport (\n//\t  \"k8s.io/client-go/kubernetes\"\n//\t  clientsetscheme \"k8s.io/client-go/kubernetes/scheme\"\n//\t  aggregatorclientsetscheme \"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme\"\n//\t)\n//\n//\tkclientset, _ := kubernetes.NewForConfig(c)\n//\t_ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)\n//\n// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types\n// correctly.\nvar AddToScheme = localSchemeBuilder.AddToScheme\n\nfunc init() {\n\tv1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: \"v1\"})\n\tutilruntime.Must(AddToScheme(Scheme))\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// This package has the automatically generated typed clients.\npackage v1beta1\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/duck_client.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1beta1\n\nimport (\n\t\"net/http\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1\"\n\t\"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\trest \"k8s.io/client-go/rest\"\n)\n\ntype DuckV1beta1Interface interface {\n\tRESTClient() rest.Interface\n}\n\n// DuckV1beta1Client is used to interact with features provided by the duck.sigstore.policy.dev group.\ntype DuckV1beta1Client struct {\n\trestClient rest.Interface\n}\n\n// NewForConfig creates a new DuckV1beta1Client for the given config.\n// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),\n// where httpClient was generated with rest.HTTPClientFor(c).\nfunc NewForConfig(c *rest.Config) (*DuckV1beta1Client, error) {\n\tconfig := *c\n\tif err := setConfigDefaults(&config); err != nil {\n\t\treturn nil, err\n\t}\n\thttpClient, err := rest.HTTPClientFor(&config)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn NewForConfigAndClient(&config, httpClient)\n}\n\n// NewForConfigAndClient creates a new DuckV1beta1Client for the given config and http client.\n// Note the http client provided takes precedence over the configured transport values.\nfunc NewForConfigAndClient(c *rest.Config, h *http.Client) (*DuckV1beta1Client, error) {\n\tconfig := *c\n\tif err := 
setConfigDefaults(&config); err != nil {\n\t\treturn nil, err\n\t}\n\tclient, err := rest.RESTClientForConfigAndClient(&config, h)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &DuckV1beta1Client{client}, nil\n}\n\n// NewForConfigOrDie creates a new DuckV1beta1Client for the given config and\n// panics if there is an error in the config.\nfunc NewForConfigOrDie(c *rest.Config) *DuckV1beta1Client {\n\tclient, err := NewForConfig(c)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn client\n}\n\n// New creates a new DuckV1beta1Client for the given RESTClient.\nfunc New(c rest.Interface) *DuckV1beta1Client {\n\treturn &DuckV1beta1Client{c}\n}\n\nfunc setConfigDefaults(config *rest.Config) error {\n\tgv := v1beta1.SchemeGroupVersion\n\tconfig.GroupVersion = &gv\n\tconfig.APIPath = \"/apis\"\n\tconfig.NegotiatedSerializer = scheme.Codecs.WithoutConversion()\n\n\tif config.UserAgent == \"\" {\n\t\tconfig.UserAgent = rest.DefaultKubernetesUserAgent()\n\t}\n\n\treturn nil\n}\n\n// RESTClient returns a RESTClient that is used to communicate\n// with API server by this client implementation.\nfunc (c *DuckV1beta1Client) RESTClient() rest.Interface {\n\tif c == nil {\n\t\treturn nil\n\t}\n\treturn c.restClient\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/fake/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// Package fake has the automatically generated clients.\npackage fake\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/fake/fake_duck_client.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\trest \"k8s.io/client-go/rest\"\n\ttesting \"k8s.io/client-go/testing\"\n)\n\ntype FakeDuckV1beta1 struct {\n\t*testing.Fake\n}\n\n// RESTClient returns a RESTClient that is used to communicate\n// with API server by this client implementation.\nfunc (c *FakeDuckV1beta1) RESTClient() rest.Interface {\n\tvar ret *rest.RESTClient\n\treturn ret\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/generated_expansion.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1beta1\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tscheme \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\trest \"k8s.io/client-go/rest\"\n)\n\n// ClusterImagePoliciesGetter has a method to return a ClusterImagePolicyInterface.\n// A group's client should implement this interface.\ntype ClusterImagePoliciesGetter interface {\n\tClusterImagePolicies() ClusterImagePolicyInterface\n}\n\n// ClusterImagePolicyInterface has methods to work with ClusterImagePolicy resources.\ntype ClusterImagePolicyInterface interface {\n\tCreate(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.CreateOptions) (*v1alpha1.ClusterImagePolicy, error)\n\tUpdate(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ClusterImagePolicy, error)\n\tUpdateStatus(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ClusterImagePolicy, error)\n\tDelete(ctx context.Context, name string, opts v1.DeleteOptions) error\n\tDeleteCollection(ctx context.Context, 
opts v1.DeleteOptions, listOpts v1.ListOptions) error\n\tGet(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ClusterImagePolicy, error)\n\tList(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ClusterImagePolicyList, error)\n\tWatch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)\n\tPatch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterImagePolicy, err error)\n\tClusterImagePolicyExpansion\n}\n\n// clusterImagePolicies implements ClusterImagePolicyInterface\ntype clusterImagePolicies struct {\n\tclient rest.Interface\n}\n\n// newClusterImagePolicies returns a ClusterImagePolicies\nfunc newClusterImagePolicies(c *PolicyV1alpha1Client) *clusterImagePolicies {\n\treturn &clusterImagePolicies{\n\t\tclient: c.RESTClient(),\n\t}\n}\n\n// Get takes name of the clusterImagePolicy, and returns the corresponding clusterImagePolicy object, and an error if there is any.\nfunc (c *clusterImagePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tresult = &v1alpha1.ClusterImagePolicy{}\n\terr = c.client.Get().\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(name).\n\t\tVersionedParams(&options, scheme.ParameterCodec).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// List takes label and field selectors, and returns the list of ClusterImagePolicies that match those selectors.\nfunc (c *clusterImagePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ClusterImagePolicyList, err error) {\n\tvar timeout time.Duration\n\tif opts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*opts.TimeoutSeconds) * time.Second\n\t}\n\tresult = &v1alpha1.ClusterImagePolicyList{}\n\terr = c.client.Get().\n\t\tResource(\"clusterimagepolicies\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// 
Watch returns a watch.Interface that watches the requested clusterImagePolicies.\nfunc (c *clusterImagePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {\n\tvar timeout time.Duration\n\tif opts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*opts.TimeoutSeconds) * time.Second\n\t}\n\topts.Watch = true\n\treturn c.client.Get().\n\t\tResource(\"clusterimagepolicies\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tWatch(ctx)\n}\n\n// Create takes the representation of a clusterImagePolicy and creates it.  Returns the server's representation of the clusterImagePolicy, and an error, if there is any.\nfunc (c *clusterImagePolicies) Create(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.CreateOptions) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tresult = &v1alpha1.ClusterImagePolicy{}\n\terr = c.client.Post().\n\t\tResource(\"clusterimagepolicies\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(clusterImagePolicy).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// Update takes the representation of a clusterImagePolicy and updates it. 
Returns the server's representation of the clusterImagePolicy, and an error, if there is any.\nfunc (c *clusterImagePolicies) Update(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tresult = &v1alpha1.ClusterImagePolicy{}\n\terr = c.client.Put().\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(clusterImagePolicy.Name).\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(clusterImagePolicy).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// UpdateStatus was generated because the type contains a Status member.\n// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().\nfunc (c *clusterImagePolicies) UpdateStatus(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tresult = &v1alpha1.ClusterImagePolicy{}\n\terr = c.client.Put().\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(clusterImagePolicy.Name).\n\t\tSubResource(\"status\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(clusterImagePolicy).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// Delete takes name of the clusterImagePolicy and deletes it. 
Returns an error if one occurs.\nfunc (c *clusterImagePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {\n\treturn c.client.Delete().\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(name).\n\t\tBody(&opts).\n\t\tDo(ctx).\n\t\tError()\n}\n\n// DeleteCollection deletes a collection of objects.\nfunc (c *clusterImagePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {\n\tvar timeout time.Duration\n\tif listOpts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second\n\t}\n\treturn c.client.Delete().\n\t\tResource(\"clusterimagepolicies\").\n\t\tVersionedParams(&listOpts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tBody(&opts).\n\t\tDo(ctx).\n\t\tError()\n}\n\n// Patch applies the patch and returns the patched clusterImagePolicy.\nfunc (c *clusterImagePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tresult = &v1alpha1.ClusterImagePolicy{}\n\terr = c.client.Patch(pt).\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(name).\n\t\tSubResource(subresources...).\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(data).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// This package has the automatically generated typed clients.\npackage v1alpha1\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// Package fake has the automatically generated clients.\npackage fake\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\t\"context\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\ttesting \"k8s.io/client-go/testing\"\n)\n\n// FakeClusterImagePolicies implements ClusterImagePolicyInterface\ntype FakeClusterImagePolicies struct {\n\tFake *FakePolicyV1alpha1\n}\n\nvar clusterimagepoliciesResource = v1alpha1.SchemeGroupVersion.WithResource(\"clusterimagepolicies\")\n\nvar clusterimagepoliciesKind = v1alpha1.SchemeGroupVersion.WithKind(\"ClusterImagePolicy\")\n\n// Get takes name of the clusterImagePolicy, and returns the corresponding clusterImagePolicy object, and an error if there is any.\nfunc (c *FakeClusterImagePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootGetAction(clusterimagepoliciesResource, name), &v1alpha1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.ClusterImagePolicy), err\n}\n\n// List takes label and field selectors, and returns the list of ClusterImagePolicies that match those selectors.\nfunc 
(c *FakeClusterImagePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ClusterImagePolicyList, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootListAction(clusterimagepoliciesResource, clusterimagepoliciesKind, opts), &v1alpha1.ClusterImagePolicyList{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\n\tlabel, _, _ := testing.ExtractFromListOptions(opts)\n\tif label == nil {\n\t\tlabel = labels.Everything()\n\t}\n\tlist := &v1alpha1.ClusterImagePolicyList{ListMeta: obj.(*v1alpha1.ClusterImagePolicyList).ListMeta}\n\tfor _, item := range obj.(*v1alpha1.ClusterImagePolicyList).Items {\n\t\tif label.Matches(labels.Set(item.Labels)) {\n\t\t\tlist.Items = append(list.Items, item)\n\t\t}\n\t}\n\treturn list, err\n}\n\n// Watch returns a watch.Interface that watches the requested clusterImagePolicies.\nfunc (c *FakeClusterImagePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {\n\treturn c.Fake.\n\t\tInvokesWatch(testing.NewRootWatchAction(clusterimagepoliciesResource, opts))\n}\n\n// Create takes the representation of a clusterImagePolicy and creates it.  Returns the server's representation of the clusterImagePolicy, and an error, if there is any.\nfunc (c *FakeClusterImagePolicies) Create(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.CreateOptions) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootCreateAction(clusterimagepoliciesResource, clusterImagePolicy), &v1alpha1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.ClusterImagePolicy), err\n}\n\n// Update takes the representation of a clusterImagePolicy and updates it. 
Returns the server's representation of the clusterImagePolicy, and an error, if there is any.\nfunc (c *FakeClusterImagePolicies) Update(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootUpdateAction(clusterimagepoliciesResource, clusterImagePolicy), &v1alpha1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.ClusterImagePolicy), err\n}\n\n// UpdateStatus was generated because the type contains a Status member.\n// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().\nfunc (c *FakeClusterImagePolicies) UpdateStatus(ctx context.Context, clusterImagePolicy *v1alpha1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1alpha1.ClusterImagePolicy, error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootUpdateSubresourceAction(clusterimagepoliciesResource, \"status\", clusterImagePolicy), &v1alpha1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.ClusterImagePolicy), err\n}\n\n// Delete takes name of the clusterImagePolicy and deletes it. 
Returns an error if one occurs.\nfunc (c *FakeClusterImagePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {\n\t_, err := c.Fake.\n\t\tInvokes(testing.NewRootDeleteActionWithOptions(clusterimagepoliciesResource, name, opts), &v1alpha1.ClusterImagePolicy{})\n\treturn err\n}\n\n// DeleteCollection deletes a collection of objects.\nfunc (c *FakeClusterImagePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {\n\taction := testing.NewRootDeleteCollectionAction(clusterimagepoliciesResource, listOpts)\n\n\t_, err := c.Fake.Invokes(action, &v1alpha1.ClusterImagePolicyList{})\n\treturn err\n}\n\n// Patch applies the patch and returns the patched clusterImagePolicy.\nfunc (c *FakeClusterImagePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterImagePolicy, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootPatchSubresourceAction(clusterimagepoliciesResource, name, pt, data, subresources...), &v1alpha1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.ClusterImagePolicy), err\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_policy_client.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/typed/policy/v1alpha1\"\n\trest \"k8s.io/client-go/rest\"\n\ttesting \"k8s.io/client-go/testing\"\n)\n\ntype FakePolicyV1alpha1 struct {\n\t*testing.Fake\n}\n\nfunc (c *FakePolicyV1alpha1) ClusterImagePolicies() v1alpha1.ClusterImagePolicyInterface {\n\treturn &FakeClusterImagePolicies{c}\n}\n\nfunc (c *FakePolicyV1alpha1) TrustRoots() v1alpha1.TrustRootInterface {\n\treturn &FakeTrustRoots{c}\n}\n\n// RESTClient returns a RESTClient that is used to communicate\n// with API server by this client implementation.\nfunc (c *FakePolicyV1alpha1) RESTClient() rest.Interface {\n\tvar ret *rest.RESTClient\n\treturn ret\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_trustroot.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\t\"context\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\ttesting \"k8s.io/client-go/testing\"\n)\n\n// FakeTrustRoots implements TrustRootInterface\ntype FakeTrustRoots struct {\n\tFake *FakePolicyV1alpha1\n}\n\nvar trustrootsResource = v1alpha1.SchemeGroupVersion.WithResource(\"trustroots\")\n\nvar trustrootsKind = v1alpha1.SchemeGroupVersion.WithKind(\"TrustRoot\")\n\n// Get takes name of the trustRoot, and returns the corresponding trustRoot object, and an error if there is any.\nfunc (c *FakeTrustRoots) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.TrustRoot, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootGetAction(trustrootsResource, name), &v1alpha1.TrustRoot{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.TrustRoot), err\n}\n\n// List takes label and field selectors, and returns the list of TrustRoots that match those selectors.\nfunc (c *FakeTrustRoots) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.TrustRootList, err error) {\n\tobj, err := 
c.Fake.\n\t\tInvokes(testing.NewRootListAction(trustrootsResource, trustrootsKind, opts), &v1alpha1.TrustRootList{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\n\tlabel, _, _ := testing.ExtractFromListOptions(opts)\n\tif label == nil {\n\t\tlabel = labels.Everything()\n\t}\n\tlist := &v1alpha1.TrustRootList{ListMeta: obj.(*v1alpha1.TrustRootList).ListMeta}\n\tfor _, item := range obj.(*v1alpha1.TrustRootList).Items {\n\t\tif label.Matches(labels.Set(item.Labels)) {\n\t\t\tlist.Items = append(list.Items, item)\n\t\t}\n\t}\n\treturn list, err\n}\n\n// Watch returns a watch.Interface that watches the requested trustRoots.\nfunc (c *FakeTrustRoots) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {\n\treturn c.Fake.\n\t\tInvokesWatch(testing.NewRootWatchAction(trustrootsResource, opts))\n}\n\n// Create takes the representation of a trustRoot and creates it.  Returns the server's representation of the trustRoot, and an error, if there is any.\nfunc (c *FakeTrustRoots) Create(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.CreateOptions) (result *v1alpha1.TrustRoot, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootCreateAction(trustrootsResource, trustRoot), &v1alpha1.TrustRoot{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.TrustRoot), err\n}\n\n// Update takes the representation of a trustRoot and updates it. 
Returns the server's representation of the trustRoot, and an error, if there is any.\nfunc (c *FakeTrustRoots) Update(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.UpdateOptions) (result *v1alpha1.TrustRoot, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootUpdateAction(trustrootsResource, trustRoot), &v1alpha1.TrustRoot{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.TrustRoot), err\n}\n\n// UpdateStatus was generated because the type contains a Status member.\n// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().\nfunc (c *FakeTrustRoots) UpdateStatus(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.UpdateOptions) (*v1alpha1.TrustRoot, error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootUpdateSubresourceAction(trustrootsResource, \"status\", trustRoot), &v1alpha1.TrustRoot{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.TrustRoot), err\n}\n\n// Delete takes name of the trustRoot and deletes it. 
Returns an error if one occurs.\nfunc (c *FakeTrustRoots) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {\n\t_, err := c.Fake.\n\t\tInvokes(testing.NewRootDeleteActionWithOptions(trustrootsResource, name, opts), &v1alpha1.TrustRoot{})\n\treturn err\n}\n\n// DeleteCollection deletes a collection of objects.\nfunc (c *FakeTrustRoots) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {\n\taction := testing.NewRootDeleteCollectionAction(trustrootsResource, listOpts)\n\n\t_, err := c.Fake.Invokes(action, &v1alpha1.TrustRootList{})\n\treturn err\n}\n\n// Patch applies the patch and returns the patched trustRoot.\nfunc (c *FakeTrustRoots) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.TrustRoot, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootPatchSubresourceAction(trustrootsResource, name, pt, data, subresources...), &v1alpha1.TrustRoot{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1alpha1.TrustRoot), err\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/generated_expansion.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1alpha1\n\ntype ClusterImagePolicyExpansion interface{}\n\ntype TrustRootExpansion interface{}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/policy_client.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\t\"net/http\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\trest \"k8s.io/client-go/rest\"\n)\n\ntype PolicyV1alpha1Interface interface {\n\tRESTClient() rest.Interface\n\tClusterImagePoliciesGetter\n\tTrustRootsGetter\n}\n\n// PolicyV1alpha1Client is used to interact with features provided by the policy.sigstore.dev group.\ntype PolicyV1alpha1Client struct {\n\trestClient rest.Interface\n}\n\nfunc (c *PolicyV1alpha1Client) ClusterImagePolicies() ClusterImagePolicyInterface {\n\treturn newClusterImagePolicies(c)\n}\n\nfunc (c *PolicyV1alpha1Client) TrustRoots() TrustRootInterface {\n\treturn newTrustRoots(c)\n}\n\n// NewForConfig creates a new PolicyV1alpha1Client for the given config.\n// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),\n// where httpClient was generated with rest.HTTPClientFor(c).\nfunc NewForConfig(c *rest.Config) (*PolicyV1alpha1Client, error) {\n\tconfig := *c\n\tif err := setConfigDefaults(&config); err != nil {\n\t\treturn nil, err\n\t}\n\thttpClient, err := rest.HTTPClientFor(&config)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn NewForConfigAndClient(&config, httpClient)\n}\n\n// 
NewForConfigAndClient creates a new PolicyV1alpha1Client for the given config and http client.\n// Note the http client provided takes precedence over the configured transport values.\nfunc NewForConfigAndClient(c *rest.Config, h *http.Client) (*PolicyV1alpha1Client, error) {\n\tconfig := *c\n\tif err := setConfigDefaults(&config); err != nil {\n\t\treturn nil, err\n\t}\n\tclient, err := rest.RESTClientForConfigAndClient(&config, h)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &PolicyV1alpha1Client{client}, nil\n}\n\n// NewForConfigOrDie creates a new PolicyV1alpha1Client for the given config and\n// panics if there is an error in the config.\nfunc NewForConfigOrDie(c *rest.Config) *PolicyV1alpha1Client {\n\tclient, err := NewForConfig(c)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn client\n}\n\n// New creates a new PolicyV1alpha1Client for the given RESTClient.\nfunc New(c rest.Interface) *PolicyV1alpha1Client {\n\treturn &PolicyV1alpha1Client{c}\n}\n\nfunc setConfigDefaults(config *rest.Config) error {\n\tgv := v1alpha1.SchemeGroupVersion\n\tconfig.GroupVersion = &gv\n\tconfig.APIPath = \"/apis\"\n\tconfig.NegotiatedSerializer = scheme.Codecs.WithoutConversion()\n\n\tif config.UserAgent == \"\" {\n\t\tconfig.UserAgent = rest.DefaultKubernetesUserAgent()\n\t}\n\n\treturn nil\n}\n\n// RESTClient returns a RESTClient that is used to communicate\n// with API server by this client implementation.\nfunc (c *PolicyV1alpha1Client) RESTClient() rest.Interface {\n\tif c == nil {\n\t\treturn nil\n\t}\n\treturn c.restClient\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/trustroot.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tscheme \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\trest \"k8s.io/client-go/rest\"\n)\n\n// TrustRootsGetter has a method to return a TrustRootInterface.\n// A group's client should implement this interface.\ntype TrustRootsGetter interface {\n\tTrustRoots() TrustRootInterface\n}\n\n// TrustRootInterface has methods to work with TrustRoot resources.\ntype TrustRootInterface interface {\n\tCreate(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.CreateOptions) (*v1alpha1.TrustRoot, error)\n\tUpdate(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.UpdateOptions) (*v1alpha1.TrustRoot, error)\n\tUpdateStatus(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.UpdateOptions) (*v1alpha1.TrustRoot, error)\n\tDelete(ctx context.Context, name string, opts v1.DeleteOptions) error\n\tDeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error\n\tGet(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.TrustRoot, error)\n\tList(ctx 
context.Context, opts v1.ListOptions) (*v1alpha1.TrustRootList, error)\n\tWatch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)\n\tPatch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.TrustRoot, err error)\n\tTrustRootExpansion\n}\n\n// trustRoots implements TrustRootInterface\ntype trustRoots struct {\n\tclient rest.Interface\n}\n\n// newTrustRoots returns a TrustRoots\nfunc newTrustRoots(c *PolicyV1alpha1Client) *trustRoots {\n\treturn &trustRoots{\n\t\tclient: c.RESTClient(),\n\t}\n}\n\n// Get takes name of the trustRoot, and returns the corresponding trustRoot object, and an error if there is any.\nfunc (c *trustRoots) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.TrustRoot, err error) {\n\tresult = &v1alpha1.TrustRoot{}\n\terr = c.client.Get().\n\t\tResource(\"trustroots\").\n\t\tName(name).\n\t\tVersionedParams(&options, scheme.ParameterCodec).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// List takes label and field selectors, and returns the list of TrustRoots that match those selectors.\nfunc (c *trustRoots) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.TrustRootList, err error) {\n\tvar timeout time.Duration\n\tif opts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*opts.TimeoutSeconds) * time.Second\n\t}\n\tresult = &v1alpha1.TrustRootList{}\n\terr = c.client.Get().\n\t\tResource(\"trustroots\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// Watch returns a watch.Interface that watches the requested trustRoots.\nfunc (c *trustRoots) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {\n\tvar timeout time.Duration\n\tif opts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*opts.TimeoutSeconds) * time.Second\n\t}\n\topts.Watch = true\n\treturn 
c.client.Get().\n\t\tResource(\"trustroots\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tWatch(ctx)\n}\n\n// Create takes the representation of a trustRoot and creates it.  Returns the server's representation of the trustRoot, and an error, if there is any.\nfunc (c *trustRoots) Create(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.CreateOptions) (result *v1alpha1.TrustRoot, err error) {\n\tresult = &v1alpha1.TrustRoot{}\n\terr = c.client.Post().\n\t\tResource(\"trustroots\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(trustRoot).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// Update takes the representation of a trustRoot and updates it. Returns the server's representation of the trustRoot, and an error, if there is any.\nfunc (c *trustRoots) Update(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.UpdateOptions) (result *v1alpha1.TrustRoot, err error) {\n\tresult = &v1alpha1.TrustRoot{}\n\terr = c.client.Put().\n\t\tResource(\"trustroots\").\n\t\tName(trustRoot.Name).\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(trustRoot).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// UpdateStatus was generated because the type contains a Status member.\n// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().\nfunc (c *trustRoots) UpdateStatus(ctx context.Context, trustRoot *v1alpha1.TrustRoot, opts v1.UpdateOptions) (result *v1alpha1.TrustRoot, err error) {\n\tresult = &v1alpha1.TrustRoot{}\n\terr = c.client.Put().\n\t\tResource(\"trustroots\").\n\t\tName(trustRoot.Name).\n\t\tSubResource(\"status\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(trustRoot).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// Delete takes name of the trustRoot and deletes it. 
Returns an error if one occurs.\nfunc (c *trustRoots) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {\n\treturn c.client.Delete().\n\t\tResource(\"trustroots\").\n\t\tName(name).\n\t\tBody(&opts).\n\t\tDo(ctx).\n\t\tError()\n}\n\n// DeleteCollection deletes a collection of objects.\nfunc (c *trustRoots) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {\n\tvar timeout time.Duration\n\tif listOpts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second\n\t}\n\treturn c.client.Delete().\n\t\tResource(\"trustroots\").\n\t\tVersionedParams(&listOpts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tBody(&opts).\n\t\tDo(ctx).\n\t\tError()\n}\n\n// Patch applies the patch and returns the patched trustRoot.\nfunc (c *trustRoots) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.TrustRoot, err error) {\n\tresult = &v1alpha1.TrustRoot{}\n\terr = c.client.Patch(pt).\n\t\tResource(\"trustroots\").\n\t\tName(name).\n\t\tSubResource(subresources...).\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(data).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tscheme \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\trest \"k8s.io/client-go/rest\"\n)\n\n// ClusterImagePoliciesGetter has a method to return a ClusterImagePolicyInterface.\n// A group's client should implement this interface.\ntype ClusterImagePoliciesGetter interface {\n\tClusterImagePolicies() ClusterImagePolicyInterface\n}\n\n// ClusterImagePolicyInterface has methods to work with ClusterImagePolicy resources.\ntype ClusterImagePolicyInterface interface {\n\tCreate(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.CreateOptions) (*v1beta1.ClusterImagePolicy, error)\n\tUpdate(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1beta1.ClusterImagePolicy, error)\n\tUpdateStatus(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1beta1.ClusterImagePolicy, error)\n\tDelete(ctx context.Context, name string, opts v1.DeleteOptions) error\n\tDeleteCollection(ctx context.Context, opts 
v1.DeleteOptions, listOpts v1.ListOptions) error\n\tGet(ctx context.Context, name string, opts v1.GetOptions) (*v1beta1.ClusterImagePolicy, error)\n\tList(ctx context.Context, opts v1.ListOptions) (*v1beta1.ClusterImagePolicyList, error)\n\tWatch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)\n\tPatch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ClusterImagePolicy, err error)\n\tClusterImagePolicyExpansion\n}\n\n// clusterImagePolicies implements ClusterImagePolicyInterface\ntype clusterImagePolicies struct {\n\tclient rest.Interface\n}\n\n// newClusterImagePolicies returns a ClusterImagePolicies\nfunc newClusterImagePolicies(c *PolicyV1beta1Client) *clusterImagePolicies {\n\treturn &clusterImagePolicies{\n\t\tclient: c.RESTClient(),\n\t}\n}\n\n// Get takes name of the clusterImagePolicy, and returns the corresponding clusterImagePolicy object, and an error if there is any.\nfunc (c *clusterImagePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.ClusterImagePolicy, err error) {\n\tresult = &v1beta1.ClusterImagePolicy{}\n\terr = c.client.Get().\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(name).\n\t\tVersionedParams(&options, scheme.ParameterCodec).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// List takes label and field selectors, and returns the list of ClusterImagePolicies that match those selectors.\nfunc (c *clusterImagePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.ClusterImagePolicyList, err error) {\n\tvar timeout time.Duration\n\tif opts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*opts.TimeoutSeconds) * time.Second\n\t}\n\tresult = &v1beta1.ClusterImagePolicyList{}\n\terr = c.client.Get().\n\t\tResource(\"clusterimagepolicies\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// Watch returns a 
watch.Interface that watches the requested clusterImagePolicies.\nfunc (c *clusterImagePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {\n\tvar timeout time.Duration\n\tif opts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*opts.TimeoutSeconds) * time.Second\n\t}\n\topts.Watch = true\n\treturn c.client.Get().\n\t\tResource(\"clusterimagepolicies\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tWatch(ctx)\n}\n\n// Create takes the representation of a clusterImagePolicy and creates it.  Returns the server's representation of the clusterImagePolicy, and an error, if there is any.\nfunc (c *clusterImagePolicies) Create(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.CreateOptions) (result *v1beta1.ClusterImagePolicy, err error) {\n\tresult = &v1beta1.ClusterImagePolicy{}\n\terr = c.client.Post().\n\t\tResource(\"clusterimagepolicies\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(clusterImagePolicy).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// Update takes the representation of a clusterImagePolicy and updates it. 
Returns the server's representation of the clusterImagePolicy, and an error, if there is any.\nfunc (c *clusterImagePolicies) Update(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1beta1.ClusterImagePolicy, err error) {\n\tresult = &v1beta1.ClusterImagePolicy{}\n\terr = c.client.Put().\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(clusterImagePolicy.Name).\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(clusterImagePolicy).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// UpdateStatus was generated because the type contains a Status member.\n// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().\nfunc (c *clusterImagePolicies) UpdateStatus(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1beta1.ClusterImagePolicy, err error) {\n\tresult = &v1beta1.ClusterImagePolicy{}\n\terr = c.client.Put().\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(clusterImagePolicy.Name).\n\t\tSubResource(\"status\").\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(clusterImagePolicy).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n\n// Delete takes name of the clusterImagePolicy and deletes it. 
Returns an error if one occurs.\nfunc (c *clusterImagePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {\n\treturn c.client.Delete().\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(name).\n\t\tBody(&opts).\n\t\tDo(ctx).\n\t\tError()\n}\n\n// DeleteCollection deletes a collection of objects.\nfunc (c *clusterImagePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {\n\tvar timeout time.Duration\n\tif listOpts.TimeoutSeconds != nil {\n\t\ttimeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second\n\t}\n\treturn c.client.Delete().\n\t\tResource(\"clusterimagepolicies\").\n\t\tVersionedParams(&listOpts, scheme.ParameterCodec).\n\t\tTimeout(timeout).\n\t\tBody(&opts).\n\t\tDo(ctx).\n\t\tError()\n}\n\n// Patch applies the patch and returns the patched clusterImagePolicy.\nfunc (c *clusterImagePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ClusterImagePolicy, err error) {\n\tresult = &v1beta1.ClusterImagePolicy{}\n\terr = c.client.Patch(pt).\n\t\tResource(\"clusterimagepolicies\").\n\t\tName(name).\n\t\tSubResource(subresources...).\n\t\tVersionedParams(&opts, scheme.ParameterCodec).\n\t\tBody(data).\n\t\tDo(ctx).\n\t\tInto(result)\n\treturn\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// This package has the automatically generated typed clients.\npackage v1beta1\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/fake/doc.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\n// Package fake has the automatically generated clients.\npackage fake\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/fake/fake_clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\t\"context\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\ttesting \"k8s.io/client-go/testing\"\n)\n\n// FakeClusterImagePolicies implements ClusterImagePolicyInterface\ntype FakeClusterImagePolicies struct {\n\tFake *FakePolicyV1beta1\n}\n\nvar clusterimagepoliciesResource = v1beta1.SchemeGroupVersion.WithResource(\"clusterimagepolicies\")\n\nvar clusterimagepoliciesKind = v1beta1.SchemeGroupVersion.WithKind(\"ClusterImagePolicy\")\n\n// Get takes name of the clusterImagePolicy, and returns the corresponding clusterImagePolicy object, and an error if there is any.\nfunc (c *FakeClusterImagePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.ClusterImagePolicy, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootGetAction(clusterimagepoliciesResource, name), &v1beta1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1beta1.ClusterImagePolicy), err\n}\n\n// List takes label and field selectors, and returns the list of ClusterImagePolicies that match those selectors.\nfunc (c 
*FakeClusterImagePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.ClusterImagePolicyList, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootListAction(clusterimagepoliciesResource, clusterimagepoliciesKind, opts), &v1beta1.ClusterImagePolicyList{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\n\tlabel, _, _ := testing.ExtractFromListOptions(opts)\n\tif label == nil {\n\t\tlabel = labels.Everything()\n\t}\n\tlist := &v1beta1.ClusterImagePolicyList{ListMeta: obj.(*v1beta1.ClusterImagePolicyList).ListMeta}\n\tfor _, item := range obj.(*v1beta1.ClusterImagePolicyList).Items {\n\t\tif label.Matches(labels.Set(item.Labels)) {\n\t\t\tlist.Items = append(list.Items, item)\n\t\t}\n\t}\n\treturn list, err\n}\n\n// Watch returns a watch.Interface that watches the requested clusterImagePolicies.\nfunc (c *FakeClusterImagePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {\n\treturn c.Fake.\n\t\tInvokesWatch(testing.NewRootWatchAction(clusterimagepoliciesResource, opts))\n}\n\n// Create takes the representation of a clusterImagePolicy and creates it.  Returns the server's representation of the clusterImagePolicy, and an error, if there is any.\nfunc (c *FakeClusterImagePolicies) Create(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.CreateOptions) (result *v1beta1.ClusterImagePolicy, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootCreateAction(clusterimagepoliciesResource, clusterImagePolicy), &v1beta1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1beta1.ClusterImagePolicy), err\n}\n\n// Update takes the representation of a clusterImagePolicy and updates it. 
Returns the server's representation of the clusterImagePolicy, and an error, if there is any.\nfunc (c *FakeClusterImagePolicies) Update(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.UpdateOptions) (result *v1beta1.ClusterImagePolicy, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootUpdateAction(clusterimagepoliciesResource, clusterImagePolicy), &v1beta1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1beta1.ClusterImagePolicy), err\n}\n\n// UpdateStatus was generated because the type contains a Status member.\n// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().\nfunc (c *FakeClusterImagePolicies) UpdateStatus(ctx context.Context, clusterImagePolicy *v1beta1.ClusterImagePolicy, opts v1.UpdateOptions) (*v1beta1.ClusterImagePolicy, error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootUpdateSubresourceAction(clusterimagepoliciesResource, \"status\", clusterImagePolicy), &v1beta1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1beta1.ClusterImagePolicy), err\n}\n\n// Delete takes name of the clusterImagePolicy and deletes it. 
Returns an error if one occurs.\nfunc (c *FakeClusterImagePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {\n\t_, err := c.Fake.\n\t\tInvokes(testing.NewRootDeleteActionWithOptions(clusterimagepoliciesResource, name, opts), &v1beta1.ClusterImagePolicy{})\n\treturn err\n}\n\n// DeleteCollection deletes a collection of objects.\nfunc (c *FakeClusterImagePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {\n\taction := testing.NewRootDeleteCollectionAction(clusterimagepoliciesResource, listOpts)\n\n\t_, err := c.Fake.Invokes(action, &v1beta1.ClusterImagePolicyList{})\n\treturn err\n}\n\n// Patch applies the patch and returns the patched clusterImagePolicy.\nfunc (c *FakeClusterImagePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.ClusterImagePolicy, err error) {\n\tobj, err := c.Fake.\n\t\tInvokes(testing.NewRootPatchSubresourceAction(clusterimagepoliciesResource, name, pt, data, subresources...), &v1beta1.ClusterImagePolicy{})\n\tif obj == nil {\n\t\treturn nil, err\n\t}\n\treturn obj.(*v1beta1.ClusterImagePolicy), err\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/fake/fake_policy_client.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/typed/policy/v1beta1\"\n\trest \"k8s.io/client-go/rest\"\n\ttesting \"k8s.io/client-go/testing\"\n)\n\ntype FakePolicyV1beta1 struct {\n\t*testing.Fake\n}\n\nfunc (c *FakePolicyV1beta1) ClusterImagePolicies() v1beta1.ClusterImagePolicyInterface {\n\treturn &FakeClusterImagePolicies{c}\n}\n\n// RESTClient returns a RESTClient that is used to communicate\n// with API server by this client implementation.\nfunc (c *FakePolicyV1beta1) RESTClient() rest.Interface {\n\tvar ret *rest.RESTClient\n\treturn ret\n}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/generated_expansion.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1beta1\n\ntype ClusterImagePolicyExpansion interface{}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/policy_client.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by client-gen. DO NOT EDIT.\n\npackage v1beta1\n\nimport (\n\t\"net/http\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\t\"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\trest \"k8s.io/client-go/rest\"\n)\n\ntype PolicyV1beta1Interface interface {\n\tRESTClient() rest.Interface\n\tClusterImagePoliciesGetter\n}\n\n// PolicyV1beta1Client is used to interact with features provided by the policy.sigstore.dev group.\ntype PolicyV1beta1Client struct {\n\trestClient rest.Interface\n}\n\nfunc (c *PolicyV1beta1Client) ClusterImagePolicies() ClusterImagePolicyInterface {\n\treturn newClusterImagePolicies(c)\n}\n\n// NewForConfig creates a new PolicyV1beta1Client for the given config.\n// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),\n// where httpClient was generated with rest.HTTPClientFor(c).\nfunc NewForConfig(c *rest.Config) (*PolicyV1beta1Client, error) {\n\tconfig := *c\n\tif err := setConfigDefaults(&config); err != nil {\n\t\treturn nil, err\n\t}\n\thttpClient, err := rest.HTTPClientFor(&config)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn NewForConfigAndClient(&config, httpClient)\n}\n\n// NewForConfigAndClient creates a new PolicyV1beta1Client for the given config and http client.\n// Note the http client provided takes 
precedence over the configured transport values.\nfunc NewForConfigAndClient(c *rest.Config, h *http.Client) (*PolicyV1beta1Client, error) {\n\tconfig := *c\n\tif err := setConfigDefaults(&config); err != nil {\n\t\treturn nil, err\n\t}\n\tclient, err := rest.RESTClientForConfigAndClient(&config, h)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &PolicyV1beta1Client{client}, nil\n}\n\n// NewForConfigOrDie creates a new PolicyV1beta1Client for the given config and\n// panics if there is an error in the config.\nfunc NewForConfigOrDie(c *rest.Config) *PolicyV1beta1Client {\n\tclient, err := NewForConfig(c)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn client\n}\n\n// New creates a new PolicyV1beta1Client for the given RESTClient.\nfunc New(c rest.Interface) *PolicyV1beta1Client {\n\treturn &PolicyV1beta1Client{c}\n}\n\nfunc setConfigDefaults(config *rest.Config) error {\n\tgv := v1beta1.SchemeGroupVersion\n\tconfig.GroupVersion = &gv\n\tconfig.APIPath = \"/apis\"\n\tconfig.NegotiatedSerializer = scheme.Codecs.WithoutConversion()\n\n\tif config.UserAgent == \"\" {\n\t\tconfig.UserAgent = rest.DefaultKubernetesUserAgent()\n\t}\n\n\treturn nil\n}\n\n// RESTClient returns a RESTClient that is used to communicate\n// with API server by this client implementation.\nfunc (c *PolicyV1beta1Client) RESTClient() rest.Interface {\n\tif c == nil {\n\t\treturn nil\n\t}\n\treturn c.restClient\n}\n"
  },
  {
    "path": "pkg/client/informers/externalversions/factory.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage externalversions\n\nimport (\n\treflect \"reflect\"\n\tsync \"sync\"\n\ttime \"time\"\n\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tinternalinterfaces \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/internalinterfaces\"\n\tpolicy \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\tschema \"k8s.io/apimachinery/pkg/runtime/schema\"\n\tcache \"k8s.io/client-go/tools/cache\"\n)\n\n// SharedInformerOption defines the functional option type for SharedInformerFactory.\ntype SharedInformerOption func(*sharedInformerFactory) *sharedInformerFactory\n\ntype sharedInformerFactory struct {\n\tclient           versioned.Interface\n\tnamespace        string\n\ttweakListOptions internalinterfaces.TweakListOptionsFunc\n\tlock             sync.Mutex\n\tdefaultResync    time.Duration\n\tcustomResync     map[reflect.Type]time.Duration\n\n\tinformers map[reflect.Type]cache.SharedIndexInformer\n\t// startedInformers is used for tracking which informers have been started.\n\t// This allows Start() to be called multiple times safely.\n\tstartedInformers map[reflect.Type]bool\n\t// wg tracks how many 
goroutines were started.\n\twg sync.WaitGroup\n\t// shuttingDown is true when Shutdown has been called. It may still be running\n\t// because it needs to wait for goroutines.\n\tshuttingDown bool\n}\n\n// WithCustomResyncConfig sets a custom resync period for the specified informer types.\nfunc WithCustomResyncConfig(resyncConfig map[v1.Object]time.Duration) SharedInformerOption {\n\treturn func(factory *sharedInformerFactory) *sharedInformerFactory {\n\t\tfor k, v := range resyncConfig {\n\t\t\tfactory.customResync[reflect.TypeOf(k)] = v\n\t\t}\n\t\treturn factory\n\t}\n}\n\n// WithTweakListOptions sets a custom filter on all listers of the configured SharedInformerFactory.\nfunc WithTweakListOptions(tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerOption {\n\treturn func(factory *sharedInformerFactory) *sharedInformerFactory {\n\t\tfactory.tweakListOptions = tweakListOptions\n\t\treturn factory\n\t}\n}\n\n// WithNamespace limits the SharedInformerFactory to the specified namespace.\nfunc WithNamespace(namespace string) SharedInformerOption {\n\treturn func(factory *sharedInformerFactory) *sharedInformerFactory {\n\t\tfactory.namespace = namespace\n\t\treturn factory\n\t}\n}\n\n// NewSharedInformerFactory constructs a new instance of sharedInformerFactory for all namespaces.\nfunc NewSharedInformerFactory(client versioned.Interface, defaultResync time.Duration) SharedInformerFactory {\n\treturn NewSharedInformerFactoryWithOptions(client, defaultResync)\n}\n\n// NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.\n// Listers obtained via this SharedInformerFactory will be subject to the same filters\n// as specified here.\n// Deprecated: Please use NewSharedInformerFactoryWithOptions instead\nfunc NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {\n\treturn 
NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))\n}\n\n// NewSharedInformerFactoryWithOptions constructs a new instance of a SharedInformerFactory with additional options.\nfunc NewSharedInformerFactoryWithOptions(client versioned.Interface, defaultResync time.Duration, options ...SharedInformerOption) SharedInformerFactory {\n\tfactory := &sharedInformerFactory{\n\t\tclient:           client,\n\t\tnamespace:        v1.NamespaceAll,\n\t\tdefaultResync:    defaultResync,\n\t\tinformers:        make(map[reflect.Type]cache.SharedIndexInformer),\n\t\tstartedInformers: make(map[reflect.Type]bool),\n\t\tcustomResync:     make(map[reflect.Type]time.Duration),\n\t}\n\n\t// Apply all options\n\tfor _, opt := range options {\n\t\tfactory = opt(factory)\n\t}\n\n\treturn factory\n}\n\nfunc (f *sharedInformerFactory) Start(stopCh <-chan struct{}) {\n\tf.lock.Lock()\n\tdefer f.lock.Unlock()\n\n\tif f.shuttingDown {\n\t\treturn\n\t}\n\n\tfor informerType, informer := range f.informers {\n\t\tif !f.startedInformers[informerType] {\n\t\t\tf.wg.Add(1)\n\t\t\t// We need a new variable in each loop iteration,\n\t\t\t// otherwise the goroutine would use the loop variable\n\t\t\t// and that keeps changing.\n\t\t\tinformer := informer\n\t\t\tgo func() {\n\t\t\t\tdefer f.wg.Done()\n\t\t\t\tinformer.Run(stopCh)\n\t\t\t}()\n\t\t\tf.startedInformers[informerType] = true\n\t\t}\n\t}\n}\n\nfunc (f *sharedInformerFactory) Shutdown() {\n\tf.lock.Lock()\n\tf.shuttingDown = true\n\tf.lock.Unlock()\n\n\t// Will return immediately if there is nothing to wait for.\n\tf.wg.Wait()\n}\n\nfunc (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool {\n\tinformers := func() map[reflect.Type]cache.SharedIndexInformer {\n\t\tf.lock.Lock()\n\t\tdefer f.lock.Unlock()\n\n\t\tinformers := map[reflect.Type]cache.SharedIndexInformer{}\n\t\tfor informerType, informer := range f.informers {\n\t\t\tif 
f.startedInformers[informerType] {\n\t\t\t\tinformers[informerType] = informer\n\t\t\t}\n\t\t}\n\t\treturn informers\n\t}()\n\n\tres := map[reflect.Type]bool{}\n\tfor informType, informer := range informers {\n\t\tres[informType] = cache.WaitForCacheSync(stopCh, informer.HasSynced)\n\t}\n\treturn res\n}\n\n// InternalInformerFor returns the SharedIndexInformer for obj using an internal\n// client.\nfunc (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer {\n\tf.lock.Lock()\n\tdefer f.lock.Unlock()\n\n\tinformerType := reflect.TypeOf(obj)\n\tinformer, exists := f.informers[informerType]\n\tif exists {\n\t\treturn informer\n\t}\n\n\tresyncPeriod, exists := f.customResync[informerType]\n\tif !exists {\n\t\tresyncPeriod = f.defaultResync\n\t}\n\n\tinformer = newFunc(f.client, resyncPeriod)\n\tf.informers[informerType] = informer\n\n\treturn informer\n}\n\n// SharedInformerFactory provides shared informers for resources in all known\n// API group versions.\n//\n// It is typically used like this:\n//\n//\tctx, cancel := context.Background()\n//\tdefer cancel()\n//\tfactory := NewSharedInformerFactory(client, resyncPeriod)\n//\tdefer factory.WaitForStop()    // Returns immediately if nothing was started.\n//\tgenericInformer := factory.ForResource(resource)\n//\ttypedInformer := factory.SomeAPIGroup().V1().SomeType()\n//\tfactory.Start(ctx.Done())          // Start processing these informers.\n//\tsynced := factory.WaitForCacheSync(ctx.Done())\n//\tfor v, ok := range synced {\n//\t    if !ok {\n//\t        fmt.Fprintf(os.Stderr, \"caches failed to sync: %v\", v)\n//\t        return\n//\t    }\n//\t}\n//\n//\t// Creating informers can also be created after Start, but then\n//\t// Start must be called again:\n//\tanotherGenericInformer := factory.ForResource(resource)\n//\tfactory.Start(ctx.Done())\ntype SharedInformerFactory interface {\n\tinternalinterfaces.SharedInformerFactory\n\n\t// Start 
initializes all requested informers. They are handled in goroutines\n\t// which run until the stop channel gets closed.\n\tStart(stopCh <-chan struct{})\n\n\t// Shutdown marks a factory as shutting down. At that point no new\n\t// informers can be started anymore and Start will return without\n\t// doing anything.\n\t//\n\t// In addition, Shutdown blocks until all goroutines have terminated. For that\n\t// to happen, the close channel(s) that they were started with must be closed,\n\t// either before Shutdown gets called or while it is waiting.\n\t//\n\t// Shutdown may be called multiple times, even concurrently. All such calls will\n\t// block until all goroutines have terminated.\n\tShutdown()\n\n\t// WaitForCacheSync blocks until all started informers' caches were synced\n\t// or the stop channel gets closed.\n\tWaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool\n\n\t// ForResource gives generic access to a shared informer of the matching type.\n\tForResource(resource schema.GroupVersionResource) (GenericInformer, error)\n\n\t// InternalInformerFor returns the SharedIndexInformer for obj using an internal\n\t// client.\n\tInformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer\n\n\tPolicy() policy.Interface\n}\n\nfunc (f *sharedInformerFactory) Policy() policy.Interface {\n\treturn policy.New(f, f.namespace, f.tweakListOptions)\n}\n"
  },
  {
    "path": "pkg/client/informers/externalversions/generic.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage externalversions\n\nimport (\n\t\"fmt\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tschema \"k8s.io/apimachinery/pkg/runtime/schema\"\n\tcache \"k8s.io/client-go/tools/cache\"\n)\n\n// GenericInformer is type of SharedIndexInformer which will locate and delegate to other\n// sharedInformers based on type\ntype GenericInformer interface {\n\tInformer() cache.SharedIndexInformer\n\tLister() cache.GenericLister\n}\n\ntype genericInformer struct {\n\tinformer cache.SharedIndexInformer\n\tresource schema.GroupResource\n}\n\n// Informer returns the SharedIndexInformer.\nfunc (f *genericInformer) Informer() cache.SharedIndexInformer {\n\treturn f.informer\n}\n\n// Lister returns the GenericLister.\nfunc (f *genericInformer) Lister() cache.GenericLister {\n\treturn cache.NewGenericLister(f.Informer().GetIndexer(), f.resource)\n}\n\n// ForResource gives generic access to a shared informer of the matching type\n// TODO extend this to unknown resources with a client pool\nfunc (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {\n\tswitch resource {\n\t// Group=policy.sigstore.dev, Version=v1alpha1\n\tcase 
v1alpha1.SchemeGroupVersion.WithResource(\"clusterimagepolicies\"):\n\t\treturn &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().ClusterImagePolicies().Informer()}, nil\n\tcase v1alpha1.SchemeGroupVersion.WithResource(\"trustroots\"):\n\t\treturn &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().TrustRoots().Informer()}, nil\n\n\t\t// Group=policy.sigstore.dev, Version=v1beta1\n\tcase v1beta1.SchemeGroupVersion.WithResource(\"clusterimagepolicies\"):\n\t\treturn &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1beta1().ClusterImagePolicies().Informer()}, nil\n\n\t}\n\n\treturn nil, fmt.Errorf(\"no informer found for %v\", resource)\n}\n"
  },
  {
    "path": "pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage internalinterfaces\n\nimport (\n\ttime \"time\"\n\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\tcache \"k8s.io/client-go/tools/cache\"\n)\n\n// NewInformerFunc takes versioned.Interface and time.Duration to return a SharedIndexInformer.\ntype NewInformerFunc func(versioned.Interface, time.Duration) cache.SharedIndexInformer\n\n// SharedInformerFactory is a small interface that allows adding an informer without an import cycle.\ntype SharedInformerFactory interface {\n\tStart(stopCh <-chan struct{})\n\tInformerFor(obj runtime.Object, newFunc NewInformerFunc) cache.SharedIndexInformer\n}\n\n// TweakListOptionsFunc is a function that transforms a v1.ListOptions.\ntype TweakListOptionsFunc func(*v1.ListOptions)\n"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/interface.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage policy\n\nimport (\n\tinternalinterfaces \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/internalinterfaces\"\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1\"\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1beta1\"\n)\n\n// Interface provides access to each of this group's versions.\ntype Interface interface {\n\t// V1alpha1 provides access to shared informers for resources in V1alpha1.\n\tV1alpha1() v1alpha1.Interface\n\t// V1beta1 provides access to shared informers for resources in V1beta1.\n\tV1beta1() v1beta1.Interface\n}\n\ntype group struct {\n\tfactory          internalinterfaces.SharedInformerFactory\n\tnamespace        string\n\ttweakListOptions internalinterfaces.TweakListOptionsFunc\n}\n\n// New returns a new Interface.\nfunc New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {\n\treturn &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}\n}\n\n// V1alpha1 returns a new v1alpha1.Interface.\nfunc (g *group) V1alpha1() v1alpha1.Interface {\n\treturn v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)\n}\n\n// V1beta1 returns a 
new v1beta1.Interface.\nfunc (g *group) V1beta1() v1beta1.Interface {\n\treturn v1beta1.New(g.factory, g.namespace, g.tweakListOptions)\n}\n"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1alpha1/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\ttime \"time\"\n\n\tpolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tinternalinterfaces \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/internalinterfaces\"\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/listers/policy/v1alpha1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\tcache \"k8s.io/client-go/tools/cache\"\n)\n\n// ClusterImagePolicyInformer provides access to a shared informer and lister for\n// ClusterImagePolicies.\ntype ClusterImagePolicyInformer interface {\n\tInformer() cache.SharedIndexInformer\n\tLister() v1alpha1.ClusterImagePolicyLister\n}\n\ntype clusterImagePolicyInformer struct {\n\tfactory          internalinterfaces.SharedInformerFactory\n\ttweakListOptions internalinterfaces.TweakListOptionsFunc\n}\n\n// NewClusterImagePolicyInformer constructs a new informer for ClusterImagePolicy type.\n// Always prefer using an informer factory to get a shared informer instead of getting an independent\n// one. 
This reduces memory footprint and number of connections to the server.\nfunc NewClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {\n\treturn NewFilteredClusterImagePolicyInformer(client, resyncPeriod, indexers, nil)\n}\n\n// NewFilteredClusterImagePolicyInformer constructs a new informer for ClusterImagePolicy type.\n// Always prefer using an informer factory to get a shared informer instead of getting an independent\n// one. This reduces memory footprint and number of connections to the server.\nfunc NewFilteredClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {\n\treturn cache.NewSharedIndexInformer(\n\t\t&cache.ListWatch{\n\t\t\tListFunc: func(options v1.ListOptions) (runtime.Object, error) {\n\t\t\t\tif tweakListOptions != nil {\n\t\t\t\t\ttweakListOptions(&options)\n\t\t\t\t}\n\t\t\t\treturn client.PolicyV1alpha1().ClusterImagePolicies().List(context.TODO(), options)\n\t\t\t},\n\t\t\tWatchFunc: func(options v1.ListOptions) (watch.Interface, error) {\n\t\t\t\tif tweakListOptions != nil {\n\t\t\t\t\ttweakListOptions(&options)\n\t\t\t\t}\n\t\t\t\treturn client.PolicyV1alpha1().ClusterImagePolicies().Watch(context.TODO(), options)\n\t\t\t},\n\t\t},\n\t\t&policyv1alpha1.ClusterImagePolicy{},\n\t\tresyncPeriod,\n\t\tindexers,\n\t)\n}\n\nfunc (f *clusterImagePolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {\n\treturn NewFilteredClusterImagePolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)\n}\n\nfunc (f *clusterImagePolicyInformer) Informer() cache.SharedIndexInformer {\n\treturn f.factory.InformerFor(&policyv1alpha1.ClusterImagePolicy{}, f.defaultInformer)\n}\n\nfunc (f *clusterImagePolicyInformer) 
Lister() v1alpha1.ClusterImagePolicyLister {\n\treturn v1alpha1.NewClusterImagePolicyLister(f.Informer().GetIndexer())\n}\n"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1alpha1/interface.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\tinternalinterfaces \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/internalinterfaces\"\n)\n\n// Interface provides access to all the informers in this group version.\ntype Interface interface {\n\t// ClusterImagePolicies returns a ClusterImagePolicyInformer.\n\tClusterImagePolicies() ClusterImagePolicyInformer\n\t// TrustRoots returns a TrustRootInformer.\n\tTrustRoots() TrustRootInformer\n}\n\ntype version struct {\n\tfactory          internalinterfaces.SharedInformerFactory\n\tnamespace        string\n\ttweakListOptions internalinterfaces.TweakListOptionsFunc\n}\n\n// New returns a new Interface.\nfunc New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {\n\treturn &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}\n}\n\n// ClusterImagePolicies returns a ClusterImagePolicyInformer.\nfunc (v *version) ClusterImagePolicies() ClusterImagePolicyInformer {\n\treturn &clusterImagePolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}\n}\n\n// TrustRoots returns a TrustRootInformer.\nfunc (v *version) TrustRoots() TrustRootInformer {\n\treturn &trustRootInformer{factory: v.factory, tweakListOptions: 
v.tweakListOptions}\n}\n"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1alpha1/trustroot.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\ttime \"time\"\n\n\tpolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tinternalinterfaces \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/internalinterfaces\"\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/listers/policy/v1alpha1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\tcache \"k8s.io/client-go/tools/cache\"\n)\n\n// TrustRootInformer provides access to a shared informer and lister for\n// TrustRoots.\ntype TrustRootInformer interface {\n\tInformer() cache.SharedIndexInformer\n\tLister() v1alpha1.TrustRootLister\n}\n\ntype trustRootInformer struct {\n\tfactory          internalinterfaces.SharedInformerFactory\n\ttweakListOptions internalinterfaces.TweakListOptionsFunc\n}\n\n// NewTrustRootInformer constructs a new informer for TrustRoot type.\n// Always prefer using an informer factory to get a shared informer instead of getting an independent\n// one. 
This reduces memory footprint and number of connections to the server.\nfunc NewTrustRootInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {\n\treturn NewFilteredTrustRootInformer(client, resyncPeriod, indexers, nil)\n}\n\n// NewFilteredTrustRootInformer constructs a new informer for TrustRoot type.\n// Always prefer using an informer factory to get a shared informer instead of getting an independent\n// one. This reduces memory footprint and number of connections to the server.\nfunc NewFilteredTrustRootInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {\n\treturn cache.NewSharedIndexInformer(\n\t\t&cache.ListWatch{\n\t\t\tListFunc: func(options v1.ListOptions) (runtime.Object, error) {\n\t\t\t\tif tweakListOptions != nil {\n\t\t\t\t\ttweakListOptions(&options)\n\t\t\t\t}\n\t\t\t\treturn client.PolicyV1alpha1().TrustRoots().List(context.TODO(), options)\n\t\t\t},\n\t\t\tWatchFunc: func(options v1.ListOptions) (watch.Interface, error) {\n\t\t\t\tif tweakListOptions != nil {\n\t\t\t\t\ttweakListOptions(&options)\n\t\t\t\t}\n\t\t\t\treturn client.PolicyV1alpha1().TrustRoots().Watch(context.TODO(), options)\n\t\t\t},\n\t\t},\n\t\t&policyv1alpha1.TrustRoot{},\n\t\tresyncPeriod,\n\t\tindexers,\n\t)\n}\n\nfunc (f *trustRootInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {\n\treturn NewFilteredTrustRootInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)\n}\n\nfunc (f *trustRootInformer) Informer() cache.SharedIndexInformer {\n\treturn f.factory.InformerFor(&policyv1alpha1.TrustRoot{}, f.defaultInformer)\n}\n\nfunc (f *trustRootInformer) Lister() v1alpha1.TrustRootLister {\n\treturn v1alpha1.NewTrustRootLister(f.Informer().GetIndexer())\n}\n"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1beta1/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage v1beta1\n\nimport (\n\t\"context\"\n\ttime \"time\"\n\n\tpolicyv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tinternalinterfaces \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/internalinterfaces\"\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/client/listers/policy/v1beta1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\tcache \"k8s.io/client-go/tools/cache\"\n)\n\n// ClusterImagePolicyInformer provides access to a shared informer and lister for\n// ClusterImagePolicies.\ntype ClusterImagePolicyInformer interface {\n\tInformer() cache.SharedIndexInformer\n\tLister() v1beta1.ClusterImagePolicyLister\n}\n\ntype clusterImagePolicyInformer struct {\n\tfactory          internalinterfaces.SharedInformerFactory\n\ttweakListOptions internalinterfaces.TweakListOptionsFunc\n}\n\n// NewClusterImagePolicyInformer constructs a new informer for ClusterImagePolicy type.\n// Always prefer using an informer factory to get a shared informer instead of getting an independent\n// one. 
This reduces memory footprint and number of connections to the server.\nfunc NewClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {\n\treturn NewFilteredClusterImagePolicyInformer(client, resyncPeriod, indexers, nil)\n}\n\n// NewFilteredClusterImagePolicyInformer constructs a new informer for ClusterImagePolicy type.\n// Always prefer using an informer factory to get a shared informer instead of getting an independent\n// one. This reduces memory footprint and number of connections to the server.\nfunc NewFilteredClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {\n\treturn cache.NewSharedIndexInformer(\n\t\t&cache.ListWatch{\n\t\t\tListFunc: func(options v1.ListOptions) (runtime.Object, error) {\n\t\t\t\tif tweakListOptions != nil {\n\t\t\t\t\ttweakListOptions(&options)\n\t\t\t\t}\n\t\t\t\treturn client.PolicyV1beta1().ClusterImagePolicies().List(context.TODO(), options)\n\t\t\t},\n\t\t\tWatchFunc: func(options v1.ListOptions) (watch.Interface, error) {\n\t\t\t\tif tweakListOptions != nil {\n\t\t\t\t\ttweakListOptions(&options)\n\t\t\t\t}\n\t\t\t\treturn client.PolicyV1beta1().ClusterImagePolicies().Watch(context.TODO(), options)\n\t\t\t},\n\t\t},\n\t\t&policyv1beta1.ClusterImagePolicy{},\n\t\tresyncPeriod,\n\t\tindexers,\n\t)\n}\n\nfunc (f *clusterImagePolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {\n\treturn NewFilteredClusterImagePolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)\n}\n\nfunc (f *clusterImagePolicyInformer) Informer() cache.SharedIndexInformer {\n\treturn f.factory.InformerFor(&policyv1beta1.ClusterImagePolicy{}, f.defaultInformer)\n}\n\nfunc (f *clusterImagePolicyInformer) Lister() 
v1beta1.ClusterImagePolicyLister {\n\treturn v1beta1.NewClusterImagePolicyLister(f.Informer().GetIndexer())\n}\n"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1beta1/interface.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by informer-gen. DO NOT EDIT.\n\npackage v1beta1\n\nimport (\n\tinternalinterfaces \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/internalinterfaces\"\n)\n\n// Interface provides access to all the informers in this group version.\ntype Interface interface {\n\t// ClusterImagePolicies returns a ClusterImagePolicyInformer.\n\tClusterImagePolicies() ClusterImagePolicyInformer\n}\n\ntype version struct {\n\tfactory          internalinterfaces.SharedInformerFactory\n\tnamespace        string\n\ttweakListOptions internalinterfaces.TweakListOptionsFunc\n}\n\n// New returns a new Interface.\nfunc New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {\n\treturn &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}\n}\n\n// ClusterImagePolicies returns a ClusterImagePolicyInformer.\nfunc (v *version) ClusterImagePolicies() ClusterImagePolicyInformer {\n\treturn &clusterImagePolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}\n}\n"
  },
  {
    "path": "pkg/client/injection/client/client.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage client\n\nimport (\n\tcontext \"context\"\n\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\trest \"k8s.io/client-go/rest\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterClient(withClientFromConfig)\n\tinjection.Default.RegisterClientFetcher(func(ctx context.Context) interface{} {\n\t\treturn Get(ctx)\n\t})\n}\n\n// Key is used as the key for associating information with a context.Context.\ntype Key struct{}\n\nfunc withClientFromConfig(ctx context.Context, cfg *rest.Config) context.Context {\n\treturn context.WithValue(ctx, Key{}, versioned.NewForConfigOrDie(cfg))\n}\n\n// Get extracts the versioned.Interface client from the context.\nfunc Get(ctx context.Context) versioned.Interface {\n\tuntyped := ctx.Value(Key{})\n\tif untyped == nil {\n\t\tif injection.GetConfig(ctx) == nil {\n\t\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/clientset/versioned.Interface from context. 
This context is not the application context (which is typically given to constructors via sharedmain).\")\n\t\t} else {\n\t\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/clientset/versioned.Interface from context.\")\n\t\t}\n\t}\n\treturn untyped.(versioned.Interface)\n}\n"
  },
  {
    "path": "pkg/client/injection/client/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tcontext \"context\"\n\n\tfake \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/fake\"\n\tclient \"github.com/sigstore/policy-controller/pkg/client/injection/client\"\n\truntime \"k8s.io/apimachinery/pkg/runtime\"\n\trest \"k8s.io/client-go/rest\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Fake.RegisterClient(withClient)\n\tinjection.Fake.RegisterClientFetcher(func(ctx context.Context) interface{} {\n\t\treturn Get(ctx)\n\t})\n}\n\nfunc withClient(ctx context.Context, cfg *rest.Config) context.Context {\n\tctx, _ = With(ctx)\n\treturn ctx\n}\n\nfunc With(ctx context.Context, objects ...runtime.Object) (context.Context, *fake.Clientset) {\n\tcs := fake.NewSimpleClientset(objects...)\n\treturn context.WithValue(ctx, client.Key{}, cs), cs\n}\n\n// Get extracts the Kubernetes client from the context.\nfunc Get(ctx context.Context) *fake.Clientset {\n\tuntyped := ctx.Value(client.Key{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/clientset/versioned/fake.Clientset from context.\")\n\t}\n\treturn untyped.(*fake.Clientset)\n}\n"
  },
  {
    "path": "pkg/client/injection/ducks/duck/v1beta1/podscalable/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tpodscalable \"github.com/sigstore/policy-controller/pkg/client/injection/ducks/duck/v1beta1/podscalable\"\n\tinjection \"knative.dev/pkg/injection\"\n)\n\nvar Get = podscalable.Get\n\nfunc init() {\n\tinjection.Fake.RegisterDuck(podscalable.WithDuck)\n}\n"
  },
  {
    "path": "pkg/client/injection/ducks/duck/v1beta1/podscalable/podscalable.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage podscalable\n\nimport (\n\tcontext \"context\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1\"\n\tduck \"knative.dev/pkg/apis/duck\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tdynamicclient \"knative.dev/pkg/injection/clients/dynamicclient\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterDuck(WithDuck)\n}\n\n// Key is used for associating the Informer inside the context.Context.\ntype Key struct{}\n\nfunc WithDuck(ctx context.Context) context.Context {\n\tdc := dynamicclient.Get(ctx)\n\tdif := &duck.CachedInformerFactory{\n\t\tDelegate: &duck.TypedInformerFactory{\n\t\t\tClient:       dc,\n\t\t\tType:         (&v1beta1.PodScalable{}).GetFullType(),\n\t\t\tResyncPeriod: controller.GetResyncPeriod(ctx),\n\t\t\tStopChannel:  ctx.Done(),\n\t\t},\n\t}\n\treturn context.WithValue(ctx, Key{}, dif)\n}\n\n// Get extracts the typed informer from the context.\nfunc Get(ctx context.Context) duck.InformerFactory {\n\tuntyped := ctx.Value(Key{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch knative.dev/pkg/apis/duck.InformerFactory from context.\")\n\t}\n\treturn untyped.(duck.InformerFactory)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/factory/factory.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage factory\n\nimport (\n\tcontext \"context\"\n\n\texternalversions \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions\"\n\tclient \"github.com/sigstore/policy-controller/pkg/client/injection/client\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterInformerFactory(withInformerFactory)\n}\n\n// Key is used as the key for associating information with a context.Context.\ntype Key struct{}\n\nfunc withInformerFactory(ctx context.Context) context.Context {\n\tc := client.Get(ctx)\n\topts := make([]externalversions.SharedInformerOption, 0, 1)\n\tif injection.HasNamespaceScope(ctx) {\n\t\topts = append(opts, externalversions.WithNamespace(injection.GetNamespaceScope(ctx)))\n\t}\n\treturn context.WithValue(ctx, Key{},\n\t\texternalversions.NewSharedInformerFactoryWithOptions(c, controller.GetResyncPeriod(ctx), opts...))\n}\n\n// Get extracts the InformerFactory from the context.\nfunc Get(ctx context.Context) externalversions.SharedInformerFactory {\n\tuntyped := ctx.Value(Key{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch 
github.com/sigstore/policy-controller/pkg/client/informers/externalversions.SharedInformerFactory from context.\")\n\t}\n\treturn untyped.(externalversions.SharedInformerFactory)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/factory/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tcontext \"context\"\n\n\texternalversions \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions\"\n\tfake \"github.com/sigstore/policy-controller/pkg/client/injection/client/fake\"\n\tfactory \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n)\n\nvar Get = factory.Get\n\nfunc init() {\n\tinjection.Fake.RegisterInformerFactory(withInformerFactory)\n}\n\nfunc withInformerFactory(ctx context.Context) context.Context {\n\tc := fake.Get(ctx)\n\topts := make([]externalversions.SharedInformerOption, 0, 1)\n\tif injection.HasNamespaceScope(ctx) {\n\t\topts = append(opts, externalversions.WithNamespace(injection.GetNamespaceScope(ctx)))\n\t}\n\treturn context.WithValue(ctx, factory.Key{},\n\t\texternalversions.NewSharedInformerFactoryWithOptions(c, controller.GetResyncPeriod(ctx), opts...))\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/factory/filtered/fake/fake_filtered_factory.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fakeFilteredFactory\n\nimport (\n\tcontext \"context\"\n\n\texternalversions \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions\"\n\tfake \"github.com/sigstore/policy-controller/pkg/client/injection/client/fake\"\n\tfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/filtered\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nvar Get = filtered.Get\n\nfunc init() {\n\tinjection.Fake.RegisterInformerFactory(withInformerFactory)\n}\n\nfunc withInformerFactory(ctx context.Context) context.Context {\n\tc := fake.Get(ctx)\n\tuntyped := ctx.Value(filtered.LabelKey{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch labelkey from context.\")\n\t}\n\tlabelSelectors := untyped.([]string)\n\tfor _, selector := range labelSelectors {\n\t\topts := []externalversions.SharedInformerOption{}\n\t\tif injection.HasNamespaceScope(ctx) {\n\t\t\topts = append(opts, externalversions.WithNamespace(injection.GetNamespaceScope(ctx)))\n\t\t}\n\t\topts = append(opts, externalversions.WithTweakListOptions(func(l *v1.ListOptions) {\n\t\t\tl.LabelSelector = selector\n\t\t}))\n\t\tctx = 
context.WithValue(ctx, filtered.Key{Selector: selector},\n\t\t\texternalversions.NewSharedInformerFactoryWithOptions(c, controller.GetResyncPeriod(ctx), opts...))\n\t}\n\treturn ctx\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/factory/filtered/filtered_factory.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage filteredFactory\n\nimport (\n\tcontext \"context\"\n\n\texternalversions \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions\"\n\tclient \"github.com/sigstore/policy-controller/pkg/client/injection/client\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterInformerFactory(withInformerFactory)\n}\n\n// Key is used as the key for associating information with a context.Context.\ntype Key struct {\n\tSelector string\n}\n\ntype LabelKey struct{}\n\nfunc WithSelectors(ctx context.Context, selector ...string) context.Context {\n\treturn context.WithValue(ctx, LabelKey{}, selector)\n}\n\nfunc withInformerFactory(ctx context.Context) context.Context {\n\tc := client.Get(ctx)\n\tuntyped := ctx.Value(LabelKey{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch labelkey from context.\")\n\t}\n\tlabelSelectors := untyped.([]string)\n\tfor _, selector := range labelSelectors {\n\t\topts := []externalversions.SharedInformerOption{}\n\t\tif injection.HasNamespaceScope(ctx) {\n\t\t\topts = append(opts, 
externalversions.WithNamespace(injection.GetNamespaceScope(ctx)))\n\t\t}\n\t\topts = append(opts, externalversions.WithTweakListOptions(func(l *v1.ListOptions) {\n\t\t\tl.LabelSelector = selector\n\t\t}))\n\t\tctx = context.WithValue(ctx, Key{Selector: selector},\n\t\t\texternalversions.NewSharedInformerFactoryWithOptions(c, controller.GetResyncPeriod(ctx), opts...))\n\t}\n\treturn ctx\n}\n\n// Get extracts the InformerFactory from the context.\nfunc Get(ctx context.Context, selector string) externalversions.SharedInformerFactory {\n\tuntyped := ctx.Value(Key{Selector: selector})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panicf(\n\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/informers/externalversions.SharedInformerFactory with selector %s from context.\", selector)\n\t}\n\treturn untyped.(externalversions.SharedInformerFactory)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage clusterimagepolicy\n\nimport (\n\tcontext \"context\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1\"\n\tfactory \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterInformer(withInformer)\n}\n\n// Key is used for associating the Informer inside the context.Context.\ntype Key struct{}\n\nfunc withInformer(ctx context.Context) (context.Context, controller.Informer) {\n\tf := factory.Get(ctx)\n\tinf := f.Policy().V1alpha1().ClusterImagePolicies()\n\treturn context.WithValue(ctx, Key{}, inf), inf.Informer()\n}\n\n// Get extracts the typed informer from the context.\nfunc Get(ctx context.Context) v1alpha1.ClusterImagePolicyInformer {\n\tuntyped := ctx.Value(Key{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1.ClusterImagePolicyInformer from context.\")\n\t}\n\treturn untyped.(v1alpha1.ClusterImagePolicyInformer)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tcontext \"context\"\n\n\tfake \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/fake\"\n\tclusterimagepolicy \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n)\n\nvar Get = clusterimagepolicy.Get\n\nfunc init() {\n\tinjection.Fake.RegisterInformer(withInformer)\n}\n\nfunc withInformer(ctx context.Context) (context.Context, controller.Informer) {\n\tf := fake.Get(ctx)\n\tinf := f.Policy().V1alpha1().ClusterImagePolicies()\n\treturn context.WithValue(ctx, clusterimagepolicy.Key{}, inf), inf.Informer()\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/filtered/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage filtered\n\nimport (\n\tcontext \"context\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1\"\n\tfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/filtered\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterFilteredInformers(withInformer)\n}\n\n// Key is used for associating the Informer inside the context.Context.\ntype Key struct {\n\tSelector string\n}\n\nfunc withInformer(ctx context.Context) (context.Context, []controller.Informer) {\n\tuntyped := ctx.Value(filtered.LabelKey{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch labelkey from context.\")\n\t}\n\tlabelSelectors := untyped.([]string)\n\tinfs := []controller.Informer{}\n\tfor _, selector := range labelSelectors {\n\t\tf := filtered.Get(ctx, selector)\n\t\tinf := f.Policy().V1alpha1().ClusterImagePolicies()\n\t\tctx = context.WithValue(ctx, Key{Selector: selector}, inf)\n\t\tinfs = append(infs, inf.Informer())\n\t}\n\treturn ctx, infs\n}\n\n// Get extracts the typed informer from the context.\nfunc Get(ctx context.Context, selector string) 
v1alpha1.ClusterImagePolicyInformer {\n\tuntyped := ctx.Value(Key{Selector: selector})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panicf(\n\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1.ClusterImagePolicyInformer with selector %s from context.\", selector)\n\t}\n\treturn untyped.(v1alpha1.ClusterImagePolicyInformer)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/filtered/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tcontext \"context\"\n\n\tfactoryfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/filtered\"\n\tfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/filtered\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nvar Get = filtered.Get\n\nfunc init() {\n\tinjection.Fake.RegisterFilteredInformers(withInformer)\n}\n\nfunc withInformer(ctx context.Context) (context.Context, []controller.Informer) {\n\tuntyped := ctx.Value(factoryfiltered.LabelKey{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch labelkey from context.\")\n\t}\n\tlabelSelectors := untyped.([]string)\n\tinfs := []controller.Informer{}\n\tfor _, selector := range labelSelectors {\n\t\tf := factoryfiltered.Get(ctx, selector)\n\t\tinf := f.Policy().V1alpha1().ClusterImagePolicies()\n\t\tctx = context.WithValue(ctx, filtered.Key{Selector: selector}, inf)\n\t\tinfs = append(infs, inf.Informer())\n\t}\n\treturn ctx, infs\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/trustroot/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tcontext \"context\"\n\n\tfake \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/fake\"\n\ttrustroot \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/trustroot\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n)\n\nvar Get = trustroot.Get\n\nfunc init() {\n\tinjection.Fake.RegisterInformer(withInformer)\n}\n\nfunc withInformer(ctx context.Context) (context.Context, controller.Informer) {\n\tf := fake.Get(ctx)\n\tinf := f.Policy().V1alpha1().TrustRoots()\n\treturn context.WithValue(ctx, trustroot.Key{}, inf), inf.Informer()\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/trustroot/filtered/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tcontext \"context\"\n\n\tfactoryfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/filtered\"\n\tfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/trustroot/filtered\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nvar Get = filtered.Get\n\nfunc init() {\n\tinjection.Fake.RegisterFilteredInformers(withInformer)\n}\n\nfunc withInformer(ctx context.Context) (context.Context, []controller.Informer) {\n\tuntyped := ctx.Value(factoryfiltered.LabelKey{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch labelkey from context.\")\n\t}\n\tlabelSelectors := untyped.([]string)\n\tinfs := []controller.Informer{}\n\tfor _, selector := range labelSelectors {\n\t\tf := factoryfiltered.Get(ctx, selector)\n\t\tinf := f.Policy().V1alpha1().TrustRoots()\n\t\tctx = context.WithValue(ctx, filtered.Key{Selector: selector}, inf)\n\t\tinfs = append(infs, inf.Informer())\n\t}\n\treturn ctx, infs\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/trustroot/filtered/trustroot.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage filtered\n\nimport (\n\tcontext \"context\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1\"\n\tfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/filtered\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterFilteredInformers(withInformer)\n}\n\n// Key is used for associating the Informer inside the context.Context.\ntype Key struct {\n\tSelector string\n}\n\nfunc withInformer(ctx context.Context) (context.Context, []controller.Informer) {\n\tuntyped := ctx.Value(filtered.LabelKey{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch labelkey from context.\")\n\t}\n\tlabelSelectors := untyped.([]string)\n\tinfs := []controller.Informer{}\n\tfor _, selector := range labelSelectors {\n\t\tf := filtered.Get(ctx, selector)\n\t\tinf := f.Policy().V1alpha1().TrustRoots()\n\t\tctx = context.WithValue(ctx, Key{Selector: selector}, inf)\n\t\tinfs = append(infs, inf.Informer())\n\t}\n\treturn ctx, infs\n}\n\n// Get extracts the typed informer from the context.\nfunc Get(ctx context.Context, selector string) v1alpha1.TrustRootInformer 
{\n\tuntyped := ctx.Value(Key{Selector: selector})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panicf(\n\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1.TrustRootInformer with selector %s from context.\", selector)\n\t}\n\treturn untyped.(v1alpha1.TrustRootInformer)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/trustroot/trustroot.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage trustroot\n\nimport (\n\tcontext \"context\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1\"\n\tfactory \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterInformer(withInformer)\n}\n\n// Key is used for associating the Informer inside the context.Context.\ntype Key struct{}\n\nfunc withInformer(ctx context.Context) (context.Context, controller.Informer) {\n\tf := factory.Get(ctx)\n\tinf := f.Policy().V1alpha1().TrustRoots()\n\treturn context.WithValue(ctx, Key{}, inf), inf.Informer()\n}\n\n// Get extracts the typed informer from the context.\nfunc Get(ctx context.Context) v1alpha1.TrustRootInformer {\n\tuntyped := ctx.Value(Key{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1alpha1.TrustRootInformer from context.\")\n\t}\n\treturn untyped.(v1alpha1.TrustRootInformer)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage clusterimagepolicy\n\nimport (\n\tcontext \"context\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1beta1\"\n\tfactory \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterInformer(withInformer)\n}\n\n// Key is used for associating the Informer inside the context.Context.\ntype Key struct{}\n\nfunc withInformer(ctx context.Context) (context.Context, controller.Informer) {\n\tf := factory.Get(ctx)\n\tinf := f.Policy().V1beta1().ClusterImagePolicies()\n\treturn context.WithValue(ctx, Key{}, inf), inf.Informer()\n}\n\n// Get extracts the typed informer from the context.\nfunc Get(ctx context.Context) v1beta1.ClusterImagePolicyInformer {\n\tuntyped := ctx.Value(Key{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1beta1.ClusterImagePolicyInformer from context.\")\n\t}\n\treturn untyped.(v1beta1.ClusterImagePolicyInformer)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tcontext \"context\"\n\n\tfake \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/fake\"\n\tclusterimagepolicy \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n)\n\nvar Get = clusterimagepolicy.Get\n\nfunc init() {\n\tinjection.Fake.RegisterInformer(withInformer)\n}\n\nfunc withInformer(ctx context.Context) (context.Context, controller.Informer) {\n\tf := fake.Get(ctx)\n\tinf := f.Policy().V1beta1().ClusterImagePolicies()\n\treturn context.WithValue(ctx, clusterimagepolicy.Key{}, inf), inf.Informer()\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/filtered/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage filtered\n\nimport (\n\tcontext \"context\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1beta1\"\n\tfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/filtered\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nfunc init() {\n\tinjection.Default.RegisterFilteredInformers(withInformer)\n}\n\n// Key is used for associating the Informer inside the context.Context.\ntype Key struct {\n\tSelector string\n}\n\nfunc withInformer(ctx context.Context) (context.Context, []controller.Informer) {\n\tuntyped := ctx.Value(filtered.LabelKey{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch labelkey from context.\")\n\t}\n\tlabelSelectors := untyped.([]string)\n\tinfs := []controller.Informer{}\n\tfor _, selector := range labelSelectors {\n\t\tf := filtered.Get(ctx, selector)\n\t\tinf := f.Policy().V1beta1().ClusterImagePolicies()\n\t\tctx = context.WithValue(ctx, Key{Selector: selector}, inf)\n\t\tinfs = append(infs, inf.Informer())\n\t}\n\treturn ctx, infs\n}\n\n// Get extracts the typed informer from the context.\nfunc Get(ctx context.Context, selector string) 
v1beta1.ClusterImagePolicyInformer {\n\tuntyped := ctx.Value(Key{Selector: selector})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panicf(\n\t\t\t\"Unable to fetch github.com/sigstore/policy-controller/pkg/client/informers/externalversions/policy/v1beta1.ClusterImagePolicyInformer with selector %s from context.\", selector)\n\t}\n\treturn untyped.(v1beta1.ClusterImagePolicyInformer)\n}\n"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/filtered/fake/fake.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tcontext \"context\"\n\n\tfactoryfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/factory/filtered\"\n\tfiltered \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/filtered\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tinjection \"knative.dev/pkg/injection\"\n\tlogging \"knative.dev/pkg/logging\"\n)\n\nvar Get = filtered.Get\n\nfunc init() {\n\tinjection.Fake.RegisterFilteredInformers(withInformer)\n}\n\nfunc withInformer(ctx context.Context) (context.Context, []controller.Informer) {\n\tuntyped := ctx.Value(factoryfiltered.LabelKey{})\n\tif untyped == nil {\n\t\tlogging.FromContext(ctx).Panic(\n\t\t\t\"Unable to fetch labelkey from context.\")\n\t}\n\tlabelSelectors := untyped.([]string)\n\tinfs := []controller.Informer{}\n\tfor _, selector := range labelSelectors {\n\t\tf := factoryfiltered.Get(ctx, selector)\n\t\tinf := f.Policy().V1beta1().ClusterImagePolicies()\n\t\tctx = context.WithValue(ctx, filtered.Key{Selector: selector}, inf)\n\t\tinfs = append(infs, inf.Informer())\n\t}\n\treturn ctx, infs\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy/controller.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage clusterimagepolicy\n\nimport (\n\tcontext \"context\"\n\tfmt \"fmt\"\n\treflect \"reflect\"\n\tstrings \"strings\"\n\n\tversionedscheme \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\tclient \"github.com/sigstore/policy-controller/pkg/client/injection/client\"\n\tclusterimagepolicy \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy\"\n\tzap \"go.uber.org/zap\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\tscheme \"k8s.io/client-go/kubernetes/scheme\"\n\tv1 \"k8s.io/client-go/kubernetes/typed/core/v1\"\n\trecord \"k8s.io/client-go/tools/record\"\n\tkubeclient \"knative.dev/pkg/client/injection/kube/client\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tlogging \"knative.dev/pkg/logging\"\n\tlogkey \"knative.dev/pkg/logging/logkey\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\nconst (\n\tdefaultControllerAgentName = \"clusterimagepolicy-controller\"\n\tdefaultFinalizerName       = \"clusterimagepolicies.policy.sigstore.dev\"\n)\n\n// NewImpl returns a controller.Impl that handles queuing and feeding work from\n// the queue through an implementation of 
controller.Reconciler, delegating to\n// the provided Interface and optional Finalizer methods. OptionsFn is used to return\n// controller.ControllerOptions to be used by the internal reconciler.\nfunc NewImpl(ctx context.Context, r Interface, optionsFns ...controller.OptionsFn) *controller.Impl {\n\tlogger := logging.FromContext(ctx)\n\n\t// Check the options function input. It should be 0 or 1.\n\tif len(optionsFns) > 1 {\n\t\tlogger.Fatal(\"Up to one options function is supported, found: \", len(optionsFns))\n\t}\n\n\tclusterimagepolicyInformer := clusterimagepolicy.Get(ctx)\n\n\tlister := clusterimagepolicyInformer.Lister()\n\n\tvar promoteFilterFunc func(obj interface{}) bool\n\tvar promoteFunc = func(bkt reconciler.Bucket) {}\n\n\trec := &reconcilerImpl{\n\t\tLeaderAwareFuncs: reconciler.LeaderAwareFuncs{\n\t\t\tPromoteFunc: func(bkt reconciler.Bucket, enq func(reconciler.Bucket, types.NamespacedName)) error {\n\n\t\t\t\t// Signal promotion event\n\t\t\t\tpromoteFunc(bkt)\n\n\t\t\t\tall, err := lister.List(labels.Everything())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfor _, elt := range all {\n\t\t\t\t\tif promoteFilterFunc != nil {\n\t\t\t\t\t\tif ok := promoteFilterFunc(elt); !ok {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tenq(bkt, types.NamespacedName{\n\t\t\t\t\t\tNamespace: elt.GetNamespace(),\n\t\t\t\t\t\tName:      elt.GetName(),\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\tClient:        client.Get(ctx),\n\t\tLister:        lister,\n\t\treconciler:    r,\n\t\tfinalizerName: defaultFinalizerName,\n\t}\n\n\tctrType := reflect.TypeOf(r).Elem()\n\tctrTypeName := fmt.Sprintf(\"%s.%s\", ctrType.PkgPath(), ctrType.Name())\n\tctrTypeName = strings.ReplaceAll(ctrTypeName, \"/\", \".\")\n\n\tlogger = logger.With(\n\t\tzap.String(logkey.ControllerType, ctrTypeName),\n\t\tzap.String(logkey.Kind, \"policy.sigstore.dev.ClusterImagePolicy\"),\n\t)\n\n\timpl := controller.NewContext(ctx, rec, 
controller.ControllerOptions{WorkQueueName: ctrTypeName, Logger: logger})\n\tagentName := defaultControllerAgentName\n\n\t// Pass impl to the options. Save any optional results.\n\tfor _, fn := range optionsFns {\n\t\topts := fn(impl)\n\t\tif opts.ConfigStore != nil {\n\t\t\trec.configStore = opts.ConfigStore\n\t\t}\n\t\tif opts.FinalizerName != \"\" {\n\t\t\trec.finalizerName = opts.FinalizerName\n\t\t}\n\t\tif opts.AgentName != \"\" {\n\t\t\tagentName = opts.AgentName\n\t\t}\n\t\tif opts.SkipStatusUpdates {\n\t\t\trec.skipStatusUpdates = true\n\t\t}\n\t\tif opts.DemoteFunc != nil {\n\t\t\trec.DemoteFunc = opts.DemoteFunc\n\t\t}\n\t\tif opts.PromoteFilterFunc != nil {\n\t\t\tpromoteFilterFunc = opts.PromoteFilterFunc\n\t\t}\n\t\tif opts.PromoteFunc != nil {\n\t\t\tpromoteFunc = opts.PromoteFunc\n\t\t}\n\t}\n\n\trec.Recorder = createRecorder(ctx, agentName)\n\n\treturn impl\n}\n\nfunc createRecorder(ctx context.Context, agentName string) record.EventRecorder {\n\tlogger := logging.FromContext(ctx)\n\n\trecorder := controller.GetEventRecorder(ctx)\n\tif recorder == nil {\n\t\t// Create event broadcaster\n\t\tlogger.Debug(\"Creating event broadcaster\")\n\t\teventBroadcaster := record.NewBroadcaster()\n\t\twatches := []watch.Interface{\n\t\t\teventBroadcaster.StartLogging(logger.Named(\"event-broadcaster\").Infof),\n\t\t\teventBroadcaster.StartRecordingToSink(\n\t\t\t\t&v1.EventSinkImpl{Interface: kubeclient.Get(ctx).CoreV1().Events(\"\")}),\n\t\t}\n\t\trecorder = eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: agentName})\n\t\tgo func() {\n\t\t\t<-ctx.Done()\n\t\t\tfor _, w := range watches {\n\t\t\t\tw.Stop()\n\t\t\t}\n\t\t}()\n\t}\n\n\treturn recorder\n}\n\nfunc init() {\n\tversionedscheme.AddToScheme(scheme.Scheme)\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy/reconciler.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage clusterimagepolicy\n\nimport (\n\tcontext \"context\"\n\tjson \"encoding/json\"\n\tfmt \"fmt\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tpolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/listers/policy/v1alpha1\"\n\tzap \"go.uber.org/zap\"\n\t\"go.uber.org/zap/zapcore\"\n\tv1 \"k8s.io/api/core/v1\"\n\tequality \"k8s.io/apimachinery/pkg/api/equality\"\n\terrors \"k8s.io/apimachinery/pkg/api/errors\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\tsets \"k8s.io/apimachinery/pkg/util/sets\"\n\trecord \"k8s.io/client-go/tools/record\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tkmp \"knative.dev/pkg/kmp\"\n\tlogging \"knative.dev/pkg/logging\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\n// Interface defines the strongly typed interfaces to be implemented by a\n// controller reconciling v1alpha1.ClusterImagePolicy.\ntype Interface interface {\n\t// ReconcileKind implements custom logic to reconcile v1alpha1.ClusterImagePolicy. Any changes\n\t// to the objects .Status or .Finalizers will be propagated to the stored\n\t// object. 
It is recommended that implementors do not call any update calls\n\t// for the Kind inside of ReconcileKind, it is the responsibility of the calling\n\t// controller to propagate those properties. The resource passed to ReconcileKind\n\t// will always have an empty deletion timestamp.\n\tReconcileKind(ctx context.Context, o *v1alpha1.ClusterImagePolicy) reconciler.Event\n}\n\n// Finalizer defines the strongly typed interfaces to be implemented by a\n// controller finalizing v1alpha1.ClusterImagePolicy.\ntype Finalizer interface {\n\t// FinalizeKind implements custom logic to finalize v1alpha1.ClusterImagePolicy. Any changes\n\t// to the objects .Status or .Finalizers will be ignored. Returning a nil or\n\t// Normal type reconciler.Event will allow the finalizer to be deleted on\n\t// the resource. The resource passed to FinalizeKind will always have a set\n\t// deletion timestamp.\n\tFinalizeKind(ctx context.Context, o *v1alpha1.ClusterImagePolicy) reconciler.Event\n}\n\n// ReadOnlyInterface defines the strongly typed interfaces to be implemented by a\n// controller reconciling v1alpha1.ClusterImagePolicy if they want to process resources for which\n// they are not the leader.\ntype ReadOnlyInterface interface {\n\t// ObserveKind implements logic to observe v1alpha1.ClusterImagePolicy.\n\t// This method should not write to the API.\n\tObserveKind(ctx context.Context, o *v1alpha1.ClusterImagePolicy) reconciler.Event\n}\n\ntype doReconcile func(ctx context.Context, o *v1alpha1.ClusterImagePolicy) reconciler.Event\n\n// reconcilerImpl implements controller.Reconciler for v1alpha1.ClusterImagePolicy resources.\ntype reconcilerImpl struct {\n\t// LeaderAwareFuncs is inlined to help us implement reconciler.LeaderAware.\n\treconciler.LeaderAwareFuncs\n\n\t// Client is used to write back status updates.\n\tClient versioned.Interface\n\n\t// Listers index properties about resources.\n\tLister policyv1alpha1.ClusterImagePolicyLister\n\n\t// Recorder is an event recorder for 
recording Event resources to the\n\t// Kubernetes API.\n\tRecorder record.EventRecorder\n\n\t// configStore allows for decorating a context with config maps.\n\t// +optional\n\tconfigStore reconciler.ConfigStore\n\n\t// reconciler is the implementation of the business logic of the resource.\n\treconciler Interface\n\n\t// finalizerName is the name of the finalizer to reconcile.\n\tfinalizerName string\n\n\t// skipStatusUpdates configures whether or not this reconciler automatically updates\n\t// the status of the reconciled resource.\n\tskipStatusUpdates bool\n}\n\n// Check that our Reconciler implements controller.Reconciler.\nvar _ controller.Reconciler = (*reconcilerImpl)(nil)\n\n// Check that our generated Reconciler is always LeaderAware.\nvar _ reconciler.LeaderAware = (*reconcilerImpl)(nil)\n\nfunc NewReconciler(ctx context.Context, logger *zap.SugaredLogger, client versioned.Interface, lister policyv1alpha1.ClusterImagePolicyLister, recorder record.EventRecorder, r Interface, options ...controller.Options) controller.Reconciler {\n\t// Check the options function input. It should be 0 or 1.\n\tif len(options) > 1 {\n\t\tlogger.Fatal(\"Up to one options struct is supported, found: \", len(options))\n\t}\n\n\t// Fail fast when users inadvertently implement the other LeaderAware interface.\n\t// For the typed reconcilers, Promote shouldn't take any arguments.\n\tif _, ok := r.(reconciler.LeaderAware); ok {\n\t\tlogger.Fatalf(\"%T implements the incorrect LeaderAware interface. 
Promote() should not take an argument as genreconciler handles the enqueuing automatically.\", r)\n\t}\n\n\trec := &reconcilerImpl{\n\t\tLeaderAwareFuncs: reconciler.LeaderAwareFuncs{\n\t\t\tPromoteFunc: func(bkt reconciler.Bucket, enq func(reconciler.Bucket, types.NamespacedName)) error {\n\t\t\t\tall, err := lister.List(labels.Everything())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfor _, elt := range all {\n\t\t\t\t\t// TODO: Consider letting users specify a filter in options.\n\t\t\t\t\tenq(bkt, types.NamespacedName{\n\t\t\t\t\t\tNamespace: elt.GetNamespace(),\n\t\t\t\t\t\tName:      elt.GetName(),\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\tClient:        client,\n\t\tLister:        lister,\n\t\tRecorder:      recorder,\n\t\treconciler:    r,\n\t\tfinalizerName: defaultFinalizerName,\n\t}\n\n\tfor _, opts := range options {\n\t\tif opts.ConfigStore != nil {\n\t\t\trec.configStore = opts.ConfigStore\n\t\t}\n\t\tif opts.FinalizerName != \"\" {\n\t\t\trec.finalizerName = opts.FinalizerName\n\t\t}\n\t\tif opts.SkipStatusUpdates {\n\t\t\trec.skipStatusUpdates = true\n\t\t}\n\t\tif opts.DemoteFunc != nil {\n\t\t\trec.DemoteFunc = opts.DemoteFunc\n\t\t}\n\t}\n\n\treturn rec\n}\n\n// Reconcile implements controller.Reconciler\nfunc (r *reconcilerImpl) Reconcile(ctx context.Context, key string) error {\n\tlogger := logging.FromContext(ctx)\n\n\t// Initialize the reconciler state. This will convert the namespace/name\n\t// string into a distinct namespace and name, determine if this instance of\n\t// the reconciler is the leader, and any additional interfaces implemented\n\t// by the reconciler. 
Returns an error if the resource key is invalid.\n\ts, err := newState(key, r)\n\tif err != nil {\n\t\tlogger.Error(\"Invalid resource key: \", key)\n\t\treturn nil\n\t}\n\n\t// If we are not the leader, and we don't implement either ReadOnly\n\t// observer interfaces, then take a fast-path out.\n\tif s.isNotLeaderNorObserver() {\n\t\treturn controller.NewSkipKey(key)\n\t}\n\n\t// If configStore is set, attach the frozen configuration to the context.\n\tif r.configStore != nil {\n\t\tctx = r.configStore.ToContext(ctx)\n\t}\n\n\t// Add the recorder to context.\n\tctx = controller.WithEventRecorder(ctx, r.Recorder)\n\n\t// Get the resource with this namespace/name.\n\n\tgetter := r.Lister\n\n\toriginal, err := getter.Get(s.name)\n\n\tif errors.IsNotFound(err) {\n\t\t// The resource may no longer exist, in which case we stop processing and call\n\t\t// the ObserveDeletion handler if appropriate.\n\t\tlogger.Debugf(\"Resource %q no longer exists\", key)\n\t\tif del, ok := r.reconciler.(reconciler.OnDeletionInterface); ok {\n\t\t\treturn del.ObserveDeletion(ctx, types.NamespacedName{\n\t\t\t\tNamespace: s.namespace,\n\t\t\t\tName:      s.name,\n\t\t\t})\n\t\t}\n\t\treturn nil\n\t} else if err != nil {\n\t\treturn err\n\t}\n\n\t// Don't modify the informers copy.\n\tresource := original.DeepCopy()\n\n\tvar reconcileEvent reconciler.Event\n\n\tname, do := s.reconcileMethodFor(resource)\n\t// Append the target method to the logger.\n\tlogger = logger.With(zap.String(\"targetMethod\", name))\n\tswitch name {\n\tcase reconciler.DoReconcileKind:\n\t\t// Set and update the finalizer on resource if r.reconciler\n\t\t// implements Finalizer.\n\t\tif resource, err = r.setFinalizerIfFinalizer(ctx, resource); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to set finalizers: %w\", err)\n\t\t}\n\n\t\tif !r.skipStatusUpdates {\n\t\t\treconciler.PreProcessReconcile(ctx, resource)\n\t\t}\n\n\t\t// Reconcile this copy of the resource and then write back any status\n\t\t// updates 
regardless of whether the reconciliation errored out.\n\t\treconcileEvent = do(ctx, resource)\n\n\t\tif !r.skipStatusUpdates {\n\t\t\treconciler.PostProcessReconcile(ctx, resource, original)\n\t\t}\n\n\tcase reconciler.DoFinalizeKind:\n\t\t// For finalizing reconcilers, if this resource being marked for deletion\n\t\t// and reconciled cleanly (nil or normal event), remove the finalizer.\n\t\treconcileEvent = do(ctx, resource)\n\n\t\tif resource, err = r.clearFinalizer(ctx, resource, reconcileEvent); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to clear finalizers: %w\", err)\n\t\t}\n\n\tcase reconciler.DoObserveKind:\n\t\t// Observe any changes to this resource, since we are not the leader.\n\t\treconcileEvent = do(ctx, resource)\n\n\t}\n\n\t// Synchronize the status.\n\tswitch {\n\tcase r.skipStatusUpdates:\n\t\t// This reconciler implementation is configured to skip resource updates.\n\t\t// This may mean this reconciler does not observe spec, but reconciles external changes.\n\tcase equality.Semantic.DeepEqual(original.Status, resource.Status):\n\t\t// If we didn't change anything then don't call updateStatus.\n\t\t// This is important because the copy we loaded from the injectionInformer's\n\t\t// cache may be stale and we don't want to overwrite a prior update\n\t\t// to status with this stale state.\n\tcase !s.isLeader:\n\t\t// High-availability reconcilers may have many replicas watching the resource, but only\n\t\t// the elected leader is expected to write modifications.\n\t\tlogger.Warn(\"Saw status changes when we aren't the leader!\")\n\tdefault:\n\t\tif err = r.updateStatus(ctx, logger, original, resource); err != nil {\n\t\t\tlogger.Warnw(\"Failed to update resource status\", zap.Error(err))\n\t\t\tr.Recorder.Eventf(resource, v1.EventTypeWarning, \"UpdateFailed\",\n\t\t\t\t\"Failed to update status for %q: %v\", resource.Name, err)\n\t\t\treturn err\n\t\t}\n\t}\n\n\t// Report the reconciler event, if any.\n\tif reconcileEvent != nil {\n\t\tvar event 
*reconciler.ReconcilerEvent\n\t\tif reconciler.EventAs(reconcileEvent, &event) {\n\t\t\tlogger.Infow(\"Returned an event\", zap.Any(\"event\", reconcileEvent))\n\t\t\tr.Recorder.Event(resource, event.EventType, event.Reason, event.Error())\n\n\t\t\t// the event was wrapped inside an error, consider the reconciliation as failed\n\t\t\tif _, isEvent := reconcileEvent.(*reconciler.ReconcilerEvent); !isEvent {\n\t\t\t\treturn reconcileEvent\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\n\t\tif controller.IsSkipKey(reconcileEvent) {\n\t\t\t// This is a wrapped error, don't emit an event.\n\t\t} else if ok, _ := controller.IsRequeueKey(reconcileEvent); ok {\n\t\t\t// This is a wrapped error, don't emit an event.\n\t\t} else {\n\t\t\tlogger.Errorw(\"Returned an error\", zap.Error(reconcileEvent))\n\t\t\tr.Recorder.Event(resource, v1.EventTypeWarning, \"InternalError\", reconcileEvent.Error())\n\t\t}\n\t\treturn reconcileEvent\n\t}\n\n\treturn nil\n}\n\nfunc (r *reconcilerImpl) updateStatus(ctx context.Context, logger *zap.SugaredLogger, existing *v1alpha1.ClusterImagePolicy, desired *v1alpha1.ClusterImagePolicy) error {\n\texisting = existing.DeepCopy()\n\treturn reconciler.RetryUpdateConflicts(func(attempts int) (err error) {\n\t\t// The first iteration tries to use the injectionInformer's state, subsequent attempts fetch the latest state via API.\n\t\tif attempts > 0 {\n\n\t\t\tgetter := r.Client.PolicyV1alpha1().ClusterImagePolicies()\n\n\t\t\texisting, err = getter.Get(ctx, desired.Name, metav1.GetOptions{})\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\t// If there's nothing to update, just return.\n\t\tif equality.Semantic.DeepEqual(existing.Status, desired.Status) {\n\t\t\treturn nil\n\t\t}\n\n\t\tif logger.Desugar().Core().Enabled(zapcore.DebugLevel) {\n\t\t\tif diff, err := kmp.SafeDiff(existing.Status, desired.Status); err == nil && diff != \"\" {\n\t\t\t\tlogger.Debug(\"Updating status with: \", diff)\n\t\t\t}\n\t\t}\n\n\t\texisting.Status = 
desired.Status\n\n\t\tupdater := r.Client.PolicyV1alpha1().ClusterImagePolicies()\n\n\t\t_, err = updater.UpdateStatus(ctx, existing, metav1.UpdateOptions{})\n\t\treturn err\n\t})\n}\n\n// updateFinalizersFiltered will update the Finalizers of the resource.\n// TODO: this method could be generic and sync all finalizers. For now it only\n// updates defaultFinalizerName or its override.\nfunc (r *reconcilerImpl) updateFinalizersFiltered(ctx context.Context, resource *v1alpha1.ClusterImagePolicy, desiredFinalizers sets.String) (*v1alpha1.ClusterImagePolicy, error) {\n\t// Don't modify the informers copy.\n\texisting := resource.DeepCopy()\n\n\tvar finalizers []string\n\n\t// If there's nothing to update, just return.\n\texistingFinalizers := sets.NewString(existing.Finalizers...)\n\n\tif desiredFinalizers.Has(r.finalizerName) {\n\t\tif existingFinalizers.Has(r.finalizerName) {\n\t\t\t// Nothing to do.\n\t\t\treturn resource, nil\n\t\t}\n\t\t// Add the finalizer.\n\t\tfinalizers = append(existing.Finalizers, r.finalizerName)\n\t} else {\n\t\tif !existingFinalizers.Has(r.finalizerName) {\n\t\t\t// Nothing to do.\n\t\t\treturn resource, nil\n\t\t}\n\t\t// Remove the finalizer.\n\t\texistingFinalizers.Delete(r.finalizerName)\n\t\tfinalizers = existingFinalizers.List()\n\t}\n\n\tmergePatch := map[string]interface{}{\n\t\t\"metadata\": map[string]interface{}{\n\t\t\t\"finalizers\":      finalizers,\n\t\t\t\"resourceVersion\": existing.ResourceVersion,\n\t\t},\n\t}\n\n\tpatch, err := json.Marshal(mergePatch)\n\tif err != nil {\n\t\treturn resource, err\n\t}\n\n\tpatcher := r.Client.PolicyV1alpha1().ClusterImagePolicies()\n\n\tresourceName := resource.Name\n\tupdated, err := patcher.Patch(ctx, resourceName, types.MergePatchType, patch, metav1.PatchOptions{})\n\tif err != nil {\n\t\tr.Recorder.Eventf(existing, v1.EventTypeWarning, \"FinalizerUpdateFailed\",\n\t\t\t\"Failed to update finalizers for %q: %v\", resourceName, err)\n\t} else {\n\t\tr.Recorder.Eventf(updated, 
v1.EventTypeNormal, \"FinalizerUpdate\",\n\t\t\t\"Updated %q finalizers\", resource.GetName())\n\t}\n\treturn updated, err\n}\n\nfunc (r *reconcilerImpl) setFinalizerIfFinalizer(ctx context.Context, resource *v1alpha1.ClusterImagePolicy) (*v1alpha1.ClusterImagePolicy, error) {\n\tif _, ok := r.reconciler.(Finalizer); !ok {\n\t\treturn resource, nil\n\t}\n\n\tfinalizers := sets.NewString(resource.Finalizers...)\n\n\t// If this resource is not being deleted, mark the finalizer.\n\tif resource.GetDeletionTimestamp().IsZero() {\n\t\tfinalizers.Insert(r.finalizerName)\n\t}\n\n\t// Synchronize the finalizers filtered by r.finalizerName.\n\treturn r.updateFinalizersFiltered(ctx, resource, finalizers)\n}\n\nfunc (r *reconcilerImpl) clearFinalizer(ctx context.Context, resource *v1alpha1.ClusterImagePolicy, reconcileEvent reconciler.Event) (*v1alpha1.ClusterImagePolicy, error) {\n\tif _, ok := r.reconciler.(Finalizer); !ok {\n\t\treturn resource, nil\n\t}\n\tif resource.GetDeletionTimestamp().IsZero() {\n\t\treturn resource, nil\n\t}\n\n\tfinalizers := sets.NewString(resource.Finalizers...)\n\n\tif reconcileEvent != nil {\n\t\tvar event *reconciler.ReconcilerEvent\n\t\tif reconciler.EventAs(reconcileEvent, &event) {\n\t\t\tif event.EventType == v1.EventTypeNormal {\n\t\t\t\tfinalizers.Delete(r.finalizerName)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfinalizers.Delete(r.finalizerName)\n\t}\n\n\t// Synchronize the finalizers filtered by r.finalizerName.\n\treturn r.updateFinalizersFiltered(ctx, resource, finalizers)\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy/state.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage clusterimagepolicy\n\nimport (\n\tfmt \"fmt\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\tcache \"k8s.io/client-go/tools/cache\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\n// state is used to track the state of a reconciler in a single run.\ntype state struct {\n\t// key is the original reconciliation key from the queue.\n\tkey string\n\t// namespace is the namespace split from the reconciliation key.\n\tnamespace string\n\t// name is the name split from the reconciliation key.\n\tname string\n\t// reconciler is the reconciler.\n\treconciler Interface\n\t// roi is the read only interface cast of the reconciler.\n\troi ReadOnlyInterface\n\t// isROI (Read Only Interface) the reconciler only observes reconciliation.\n\tisROI bool\n\t// isLeader the instance of the reconciler is the elected leader.\n\tisLeader bool\n}\n\nfunc newState(key string, r *reconcilerImpl) (*state, error) {\n\t// Convert the namespace/name string into a distinct namespace and name.\n\tnamespace, name, err := cache.SplitMetaNamespaceKey(key)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid resource key: %s\", key)\n\t}\n\n\troi, isROI := r.reconciler.(ReadOnlyInterface)\n\n\tisLeader := 
r.IsLeaderFor(types.NamespacedName{\n\t\tNamespace: namespace,\n\t\tName:      name,\n\t})\n\n\treturn &state{\n\t\tkey:        key,\n\t\tnamespace:  namespace,\n\t\tname:       name,\n\t\treconciler: r.reconciler,\n\t\troi:        roi,\n\t\tisROI:      isROI,\n\t\tisLeader:   isLeader,\n\t}, nil\n}\n\n// isNotLeaderNorObserver checks to see if this reconciler with the current\n// state is enabled to do any work or not.\n// isNotLeaderNorObserver returns true when there is no work possible for the\n// reconciler.\nfunc (s *state) isNotLeaderNorObserver() bool {\n\tif !s.isLeader && !s.isROI {\n\t\t// If we are not the leader, and we don't implement the ReadOnly\n\t\t// interface, then take a fast-path out.\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc (s *state) reconcileMethodFor(o *v1alpha1.ClusterImagePolicy) (string, doReconcile) {\n\tif o.GetDeletionTimestamp().IsZero() {\n\t\tif s.isLeader {\n\t\t\treturn reconciler.DoReconcileKind, s.reconciler.ReconcileKind\n\t\t} else if s.isROI {\n\t\t\treturn reconciler.DoObserveKind, s.roi.ObserveKind\n\t\t}\n\t} else if fin, ok := s.reconciler.(Finalizer); s.isLeader && ok {\n\t\treturn reconciler.DoFinalizeKind, fin.FinalizeKind\n\t}\n\treturn \"unknown\", nil\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1alpha1/trustroot/controller.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage trustroot\n\nimport (\n\tcontext \"context\"\n\tfmt \"fmt\"\n\treflect \"reflect\"\n\tstrings \"strings\"\n\n\tversionedscheme \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\tclient \"github.com/sigstore/policy-controller/pkg/client/injection/client\"\n\ttrustroot \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/trustroot\"\n\tzap \"go.uber.org/zap\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\tscheme \"k8s.io/client-go/kubernetes/scheme\"\n\tv1 \"k8s.io/client-go/kubernetes/typed/core/v1\"\n\trecord \"k8s.io/client-go/tools/record\"\n\tkubeclient \"knative.dev/pkg/client/injection/kube/client\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tlogging \"knative.dev/pkg/logging\"\n\tlogkey \"knative.dev/pkg/logging/logkey\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\nconst (\n\tdefaultControllerAgentName = \"trustroot-controller\"\n\tdefaultFinalizerName       = \"trustroots.policy.sigstore.dev\"\n)\n\n// NewImpl returns a controller.Impl that handles queuing and feeding work from\n// the queue through an implementation of controller.Reconciler, delegating to\n// the provided Interface and 
optional Finalizer methods. OptionsFn is used to return\n// controller.ControllerOptions to be used by the internal reconciler.\nfunc NewImpl(ctx context.Context, r Interface, optionsFns ...controller.OptionsFn) *controller.Impl {\n\tlogger := logging.FromContext(ctx)\n\n\t// Check the options function input. It should be 0 or 1.\n\tif len(optionsFns) > 1 {\n\t\tlogger.Fatal(\"Up to one options function is supported, found: \", len(optionsFns))\n\t}\n\n\ttrustrootInformer := trustroot.Get(ctx)\n\n\tlister := trustrootInformer.Lister()\n\n\tvar promoteFilterFunc func(obj interface{}) bool\n\tvar promoteFunc = func(bkt reconciler.Bucket) {}\n\n\trec := &reconcilerImpl{\n\t\tLeaderAwareFuncs: reconciler.LeaderAwareFuncs{\n\t\t\tPromoteFunc: func(bkt reconciler.Bucket, enq func(reconciler.Bucket, types.NamespacedName)) error {\n\n\t\t\t\t// Signal promotion event\n\t\t\t\tpromoteFunc(bkt)\n\n\t\t\t\tall, err := lister.List(labels.Everything())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfor _, elt := range all {\n\t\t\t\t\tif promoteFilterFunc != nil {\n\t\t\t\t\t\tif ok := promoteFilterFunc(elt); !ok {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tenq(bkt, types.NamespacedName{\n\t\t\t\t\t\tNamespace: elt.GetNamespace(),\n\t\t\t\t\t\tName:      elt.GetName(),\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\tClient:        client.Get(ctx),\n\t\tLister:        lister,\n\t\treconciler:    r,\n\t\tfinalizerName: defaultFinalizerName,\n\t}\n\n\tctrType := reflect.TypeOf(r).Elem()\n\tctrTypeName := fmt.Sprintf(\"%s.%s\", ctrType.PkgPath(), ctrType.Name())\n\tctrTypeName = strings.ReplaceAll(ctrTypeName, \"/\", \".\")\n\n\tlogger = logger.With(\n\t\tzap.String(logkey.ControllerType, ctrTypeName),\n\t\tzap.String(logkey.Kind, \"policy.sigstore.dev.TrustRoot\"),\n\t)\n\n\timpl := controller.NewContext(ctx, rec, controller.ControllerOptions{WorkQueueName: ctrTypeName, Logger: logger})\n\tagentName := 
defaultControllerAgentName\n\n\t// Pass impl to the options. Save any optional results.\n\tfor _, fn := range optionsFns {\n\t\topts := fn(impl)\n\t\tif opts.ConfigStore != nil {\n\t\t\trec.configStore = opts.ConfigStore\n\t\t}\n\t\tif opts.FinalizerName != \"\" {\n\t\t\trec.finalizerName = opts.FinalizerName\n\t\t}\n\t\tif opts.AgentName != \"\" {\n\t\t\tagentName = opts.AgentName\n\t\t}\n\t\tif opts.SkipStatusUpdates {\n\t\t\trec.skipStatusUpdates = true\n\t\t}\n\t\tif opts.DemoteFunc != nil {\n\t\t\trec.DemoteFunc = opts.DemoteFunc\n\t\t}\n\t\tif opts.PromoteFilterFunc != nil {\n\t\t\tpromoteFilterFunc = opts.PromoteFilterFunc\n\t\t}\n\t\tif opts.PromoteFunc != nil {\n\t\t\tpromoteFunc = opts.PromoteFunc\n\t\t}\n\t}\n\n\trec.Recorder = createRecorder(ctx, agentName)\n\n\treturn impl\n}\n\nfunc createRecorder(ctx context.Context, agentName string) record.EventRecorder {\n\tlogger := logging.FromContext(ctx)\n\n\trecorder := controller.GetEventRecorder(ctx)\n\tif recorder == nil {\n\t\t// Create event broadcaster\n\t\tlogger.Debug(\"Creating event broadcaster\")\n\t\teventBroadcaster := record.NewBroadcaster()\n\t\twatches := []watch.Interface{\n\t\t\teventBroadcaster.StartLogging(logger.Named(\"event-broadcaster\").Infof),\n\t\t\teventBroadcaster.StartRecordingToSink(\n\t\t\t\t&v1.EventSinkImpl{Interface: kubeclient.Get(ctx).CoreV1().Events(\"\")}),\n\t\t}\n\t\trecorder = eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: agentName})\n\t\tgo func() {\n\t\t\t<-ctx.Done()\n\t\t\tfor _, w := range watches {\n\t\t\t\tw.Stop()\n\t\t\t}\n\t\t}()\n\t}\n\n\treturn recorder\n}\n\nfunc init() {\n\tversionedscheme.AddToScheme(scheme.Scheme)\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1alpha1/trustroot/reconciler.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage trustroot\n\nimport (\n\tcontext \"context\"\n\tjson \"encoding/json\"\n\tfmt \"fmt\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tpolicyv1alpha1 \"github.com/sigstore/policy-controller/pkg/client/listers/policy/v1alpha1\"\n\tzap \"go.uber.org/zap\"\n\t\"go.uber.org/zap/zapcore\"\n\tv1 \"k8s.io/api/core/v1\"\n\tequality \"k8s.io/apimachinery/pkg/api/equality\"\n\terrors \"k8s.io/apimachinery/pkg/api/errors\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\tsets \"k8s.io/apimachinery/pkg/util/sets\"\n\trecord \"k8s.io/client-go/tools/record\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tkmp \"knative.dev/pkg/kmp\"\n\tlogging \"knative.dev/pkg/logging\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\n// Interface defines the strongly typed interfaces to be implemented by a\n// controller reconciling v1alpha1.TrustRoot.\ntype Interface interface {\n\t// ReconcileKind implements custom logic to reconcile v1alpha1.TrustRoot. Any changes\n\t// to the objects .Status or .Finalizers will be propagated to the stored\n\t// object. 
It is recommended that implementors do not call any update calls\n\t// for the Kind inside of ReconcileKind, it is the responsibility of the calling\n\t// controller to propagate those properties. The resource passed to ReconcileKind\n\t// will always have an empty deletion timestamp.\n\tReconcileKind(ctx context.Context, o *v1alpha1.TrustRoot) reconciler.Event\n}\n\n// Finalizer defines the strongly typed interfaces to be implemented by a\n// controller finalizing v1alpha1.TrustRoot.\ntype Finalizer interface {\n\t// FinalizeKind implements custom logic to finalize v1alpha1.TrustRoot. Any changes\n\t// to the objects .Status or .Finalizers will be ignored. Returning a nil or\n\t// Normal type reconciler.Event will allow the finalizer to be deleted on\n\t// the resource. The resource passed to FinalizeKind will always have a set\n\t// deletion timestamp.\n\tFinalizeKind(ctx context.Context, o *v1alpha1.TrustRoot) reconciler.Event\n}\n\n// ReadOnlyInterface defines the strongly typed interfaces to be implemented by a\n// controller reconciling v1alpha1.TrustRoot if they want to process resources for which\n// they are not the leader.\ntype ReadOnlyInterface interface {\n\t// ObserveKind implements logic to observe v1alpha1.TrustRoot.\n\t// This method should not write to the API.\n\tObserveKind(ctx context.Context, o *v1alpha1.TrustRoot) reconciler.Event\n}\n\ntype doReconcile func(ctx context.Context, o *v1alpha1.TrustRoot) reconciler.Event\n\n// reconcilerImpl implements controller.Reconciler for v1alpha1.TrustRoot resources.\ntype reconcilerImpl struct {\n\t// LeaderAwareFuncs is inlined to help us implement reconciler.LeaderAware.\n\treconciler.LeaderAwareFuncs\n\n\t// Client is used to write back status updates.\n\tClient versioned.Interface\n\n\t// Listers index properties about resources.\n\tLister policyv1alpha1.TrustRootLister\n\n\t// Recorder is an event recorder for recording Event resources to the\n\t// Kubernetes API.\n\tRecorder 
record.EventRecorder\n\n\t// configStore allows for decorating a context with config maps.\n\t// +optional\n\tconfigStore reconciler.ConfigStore\n\n\t// reconciler is the implementation of the business logic of the resource.\n\treconciler Interface\n\n\t// finalizerName is the name of the finalizer to reconcile.\n\tfinalizerName string\n\n\t// skipStatusUpdates configures whether or not this reconciler automatically updates\n\t// the status of the reconciled resource.\n\tskipStatusUpdates bool\n}\n\n// Check that our Reconciler implements controller.Reconciler.\nvar _ controller.Reconciler = (*reconcilerImpl)(nil)\n\n// Check that our generated Reconciler is always LeaderAware.\nvar _ reconciler.LeaderAware = (*reconcilerImpl)(nil)\n\nfunc NewReconciler(ctx context.Context, logger *zap.SugaredLogger, client versioned.Interface, lister policyv1alpha1.TrustRootLister, recorder record.EventRecorder, r Interface, options ...controller.Options) controller.Reconciler {\n\t// Check the options function input. It should be 0 or 1.\n\tif len(options) > 1 {\n\t\tlogger.Fatal(\"Up to one options struct is supported, found: \", len(options))\n\t}\n\n\t// Fail fast when users inadvertently implement the other LeaderAware interface.\n\t// For the typed reconcilers, Promote shouldn't take any arguments.\n\tif _, ok := r.(reconciler.LeaderAware); ok {\n\t\tlogger.Fatalf(\"%T implements the incorrect LeaderAware interface. 
Promote() should not take an argument as genreconciler handles the enqueuing automatically.\", r)\n\t}\n\n\trec := &reconcilerImpl{\n\t\tLeaderAwareFuncs: reconciler.LeaderAwareFuncs{\n\t\t\tPromoteFunc: func(bkt reconciler.Bucket, enq func(reconciler.Bucket, types.NamespacedName)) error {\n\t\t\t\tall, err := lister.List(labels.Everything())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfor _, elt := range all {\n\t\t\t\t\t// TODO: Consider letting users specify a filter in options.\n\t\t\t\t\tenq(bkt, types.NamespacedName{\n\t\t\t\t\t\tNamespace: elt.GetNamespace(),\n\t\t\t\t\t\tName:      elt.GetName(),\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\tClient:        client,\n\t\tLister:        lister,\n\t\tRecorder:      recorder,\n\t\treconciler:    r,\n\t\tfinalizerName: defaultFinalizerName,\n\t}\n\n\tfor _, opts := range options {\n\t\tif opts.ConfigStore != nil {\n\t\t\trec.configStore = opts.ConfigStore\n\t\t}\n\t\tif opts.FinalizerName != \"\" {\n\t\t\trec.finalizerName = opts.FinalizerName\n\t\t}\n\t\tif opts.SkipStatusUpdates {\n\t\t\trec.skipStatusUpdates = true\n\t\t}\n\t\tif opts.DemoteFunc != nil {\n\t\t\trec.DemoteFunc = opts.DemoteFunc\n\t\t}\n\t}\n\n\treturn rec\n}\n\n// Reconcile implements controller.Reconciler\nfunc (r *reconcilerImpl) Reconcile(ctx context.Context, key string) error {\n\tlogger := logging.FromContext(ctx)\n\n\t// Initialize the reconciler state. This will convert the namespace/name\n\t// string into a distinct namespace and name, determine if this instance of\n\t// the reconciler is the leader, and any additional interfaces implemented\n\t// by the reconciler. 
Returns an error if the resource key is invalid.\n\ts, err := newState(key, r)\n\tif err != nil {\n\t\tlogger.Error(\"Invalid resource key: \", key)\n\t\treturn nil\n\t}\n\n\t// If we are not the leader, and we don't implement either ReadOnly\n\t// observer interfaces, then take a fast-path out.\n\tif s.isNotLeaderNorObserver() {\n\t\treturn controller.NewSkipKey(key)\n\t}\n\n\t// If configStore is set, attach the frozen configuration to the context.\n\tif r.configStore != nil {\n\t\tctx = r.configStore.ToContext(ctx)\n\t}\n\n\t// Add the recorder to context.\n\tctx = controller.WithEventRecorder(ctx, r.Recorder)\n\n\t// Get the resource with this namespace/name.\n\n\tgetter := r.Lister\n\n\toriginal, err := getter.Get(s.name)\n\n\tif errors.IsNotFound(err) {\n\t\t// The resource may no longer exist, in which case we stop processing and call\n\t\t// the ObserveDeletion handler if appropriate.\n\t\tlogger.Debugf(\"Resource %q no longer exists\", key)\n\t\tif del, ok := r.reconciler.(reconciler.OnDeletionInterface); ok {\n\t\t\treturn del.ObserveDeletion(ctx, types.NamespacedName{\n\t\t\t\tNamespace: s.namespace,\n\t\t\t\tName:      s.name,\n\t\t\t})\n\t\t}\n\t\treturn nil\n\t} else if err != nil {\n\t\treturn err\n\t}\n\n\t// Don't modify the informers copy.\n\tresource := original.DeepCopy()\n\n\tvar reconcileEvent reconciler.Event\n\n\tname, do := s.reconcileMethodFor(resource)\n\t// Append the target method to the logger.\n\tlogger = logger.With(zap.String(\"targetMethod\", name))\n\tswitch name {\n\tcase reconciler.DoReconcileKind:\n\t\t// Set and update the finalizer on resource if r.reconciler\n\t\t// implements Finalizer.\n\t\tif resource, err = r.setFinalizerIfFinalizer(ctx, resource); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to set finalizers: %w\", err)\n\t\t}\n\n\t\tif !r.skipStatusUpdates {\n\t\t\treconciler.PreProcessReconcile(ctx, resource)\n\t\t}\n\n\t\t// Reconcile this copy of the resource and then write back any status\n\t\t// updates 
regardless of whether the reconciliation errored out.\n\t\treconcileEvent = do(ctx, resource)\n\n\t\tif !r.skipStatusUpdates {\n\t\t\treconciler.PostProcessReconcile(ctx, resource, original)\n\t\t}\n\n\tcase reconciler.DoFinalizeKind:\n\t\t// For finalizing reconcilers, if this resource is being marked for deletion\n\t\t// and reconciled cleanly (nil or normal event), remove the finalizer.\n\t\treconcileEvent = do(ctx, resource)\n\n\t\tif resource, err = r.clearFinalizer(ctx, resource, reconcileEvent); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to clear finalizers: %w\", err)\n\t\t}\n\n\tcase reconciler.DoObserveKind:\n\t\t// Observe any changes to this resource, since we are not the leader.\n\t\treconcileEvent = do(ctx, resource)\n\n\t}\n\n\t// Synchronize the status.\n\tswitch {\n\tcase r.skipStatusUpdates:\n\t\t// This reconciler implementation is configured to skip resource updates.\n\t\t// This may mean this reconciler does not observe spec, but reconciles external changes.\n\tcase equality.Semantic.DeepEqual(original.Status, resource.Status):\n\t\t// If we didn't change anything then don't call updateStatus.\n\t\t// This is important because the copy we loaded from the injectionInformer's\n\t\t// cache may be stale and we don't want to overwrite a prior update\n\t\t// to status with this stale state.\n\tcase !s.isLeader:\n\t\t// High-availability reconcilers may have many replicas watching the resource, but only\n\t\t// the elected leader is expected to write modifications.\n\t\tlogger.Warn(\"Saw status changes when we aren't the leader!\")\n\tdefault:\n\t\tif err = r.updateStatus(ctx, logger, original, resource); err != nil {\n\t\t\tlogger.Warnw(\"Failed to update resource status\", zap.Error(err))\n\t\t\tr.Recorder.Eventf(resource, v1.EventTypeWarning, \"UpdateFailed\",\n\t\t\t\t\"Failed to update status for %q: %v\", resource.Name, err)\n\t\t\treturn err\n\t\t}\n\t}\n\n\t// Report the reconciler event, if any.\n\tif reconcileEvent != nil {\n\t\tvar event 
*reconciler.ReconcilerEvent\n\t\tif reconciler.EventAs(reconcileEvent, &event) {\n\t\t\tlogger.Infow(\"Returned an event\", zap.Any(\"event\", reconcileEvent))\n\t\t\tr.Recorder.Event(resource, event.EventType, event.Reason, event.Error())\n\n\t\t\t// the event was wrapped inside an error, consider the reconciliation as failed\n\t\t\tif _, isEvent := reconcileEvent.(*reconciler.ReconcilerEvent); !isEvent {\n\t\t\t\treturn reconcileEvent\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\n\t\tif controller.IsSkipKey(reconcileEvent) {\n\t\t\t// This is a wrapped error, don't emit an event.\n\t\t} else if ok, _ := controller.IsRequeueKey(reconcileEvent); ok {\n\t\t\t// This is a wrapped error, don't emit an event.\n\t\t} else {\n\t\t\tlogger.Errorw(\"Returned an error\", zap.Error(reconcileEvent))\n\t\t\tr.Recorder.Event(resource, v1.EventTypeWarning, \"InternalError\", reconcileEvent.Error())\n\t\t}\n\t\treturn reconcileEvent\n\t}\n\n\treturn nil\n}\n\nfunc (r *reconcilerImpl) updateStatus(ctx context.Context, logger *zap.SugaredLogger, existing *v1alpha1.TrustRoot, desired *v1alpha1.TrustRoot) error {\n\texisting = existing.DeepCopy()\n\treturn reconciler.RetryUpdateConflicts(func(attempts int) (err error) {\n\t\t// The first iteration tries to use the injectionInformer's state, subsequent attempts fetch the latest state via API.\n\t\tif attempts > 0 {\n\n\t\t\tgetter := r.Client.PolicyV1alpha1().TrustRoots()\n\n\t\t\texisting, err = getter.Get(ctx, desired.Name, metav1.GetOptions{})\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\t// If there's nothing to update, just return.\n\t\tif equality.Semantic.DeepEqual(existing.Status, desired.Status) {\n\t\t\treturn nil\n\t\t}\n\n\t\tif logger.Desugar().Core().Enabled(zapcore.DebugLevel) {\n\t\t\tif diff, err := kmp.SafeDiff(existing.Status, desired.Status); err == nil && diff != \"\" {\n\t\t\t\tlogger.Debug(\"Updating status with: \", diff)\n\t\t\t}\n\t\t}\n\n\t\texisting.Status = desired.Status\n\n\t\tupdater := 
r.Client.PolicyV1alpha1().TrustRoots()\n\n\t\t_, err = updater.UpdateStatus(ctx, existing, metav1.UpdateOptions{})\n\t\treturn err\n\t})\n}\n\n// updateFinalizersFiltered will update the Finalizers of the resource.\n// TODO: this method could be generic and sync all finalizers. For now it only\n// updates defaultFinalizerName or its override.\nfunc (r *reconcilerImpl) updateFinalizersFiltered(ctx context.Context, resource *v1alpha1.TrustRoot, desiredFinalizers sets.String) (*v1alpha1.TrustRoot, error) {\n\t// Don't modify the informers copy.\n\texisting := resource.DeepCopy()\n\n\tvar finalizers []string\n\n\t// If there's nothing to update, just return.\n\texistingFinalizers := sets.NewString(existing.Finalizers...)\n\n\tif desiredFinalizers.Has(r.finalizerName) {\n\t\tif existingFinalizers.Has(r.finalizerName) {\n\t\t\t// Nothing to do.\n\t\t\treturn resource, nil\n\t\t}\n\t\t// Add the finalizer.\n\t\tfinalizers = append(existing.Finalizers, r.finalizerName)\n\t} else {\n\t\tif !existingFinalizers.Has(r.finalizerName) {\n\t\t\t// Nothing to do.\n\t\t\treturn resource, nil\n\t\t}\n\t\t// Remove the finalizer.\n\t\texistingFinalizers.Delete(r.finalizerName)\n\t\tfinalizers = existingFinalizers.List()\n\t}\n\n\tmergePatch := map[string]interface{}{\n\t\t\"metadata\": map[string]interface{}{\n\t\t\t\"finalizers\":      finalizers,\n\t\t\t\"resourceVersion\": existing.ResourceVersion,\n\t\t},\n\t}\n\n\tpatch, err := json.Marshal(mergePatch)\n\tif err != nil {\n\t\treturn resource, err\n\t}\n\n\tpatcher := r.Client.PolicyV1alpha1().TrustRoots()\n\n\tresourceName := resource.Name\n\tupdated, err := patcher.Patch(ctx, resourceName, types.MergePatchType, patch, metav1.PatchOptions{})\n\tif err != nil {\n\t\tr.Recorder.Eventf(existing, v1.EventTypeWarning, \"FinalizerUpdateFailed\",\n\t\t\t\"Failed to update finalizers for %q: %v\", resourceName, err)\n\t} else {\n\t\tr.Recorder.Eventf(updated, v1.EventTypeNormal, \"FinalizerUpdate\",\n\t\t\t\"Updated %q finalizers\", 
resource.GetName())\n\t}\n\treturn updated, err\n}\n\nfunc (r *reconcilerImpl) setFinalizerIfFinalizer(ctx context.Context, resource *v1alpha1.TrustRoot) (*v1alpha1.TrustRoot, error) {\n\tif _, ok := r.reconciler.(Finalizer); !ok {\n\t\treturn resource, nil\n\t}\n\n\tfinalizers := sets.NewString(resource.Finalizers...)\n\n\t// If this resource is not being deleted, mark the finalizer.\n\tif resource.GetDeletionTimestamp().IsZero() {\n\t\tfinalizers.Insert(r.finalizerName)\n\t}\n\n\t// Synchronize the finalizers filtered by r.finalizerName.\n\treturn r.updateFinalizersFiltered(ctx, resource, finalizers)\n}\n\nfunc (r *reconcilerImpl) clearFinalizer(ctx context.Context, resource *v1alpha1.TrustRoot, reconcileEvent reconciler.Event) (*v1alpha1.TrustRoot, error) {\n\tif _, ok := r.reconciler.(Finalizer); !ok {\n\t\treturn resource, nil\n\t}\n\tif resource.GetDeletionTimestamp().IsZero() {\n\t\treturn resource, nil\n\t}\n\n\tfinalizers := sets.NewString(resource.Finalizers...)\n\n\tif reconcileEvent != nil {\n\t\tvar event *reconciler.ReconcilerEvent\n\t\tif reconciler.EventAs(reconcileEvent, &event) {\n\t\t\tif event.EventType == v1.EventTypeNormal {\n\t\t\t\tfinalizers.Delete(r.finalizerName)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfinalizers.Delete(r.finalizerName)\n\t}\n\n\t// Synchronize the finalizers filtered by r.finalizerName.\n\treturn r.updateFinalizersFiltered(ctx, resource, finalizers)\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1alpha1/trustroot/state.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage trustroot\n\nimport (\n\tfmt \"fmt\"\n\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\tcache \"k8s.io/client-go/tools/cache\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\n// state is used to track the state of a reconciler in a single run.\ntype state struct {\n\t// key is the original reconciliation key from the queue.\n\tkey string\n\t// namespace is the namespace split from the reconciliation key.\n\tnamespace string\n\t// name is the name split from the reconciliation key.\n\tname string\n\t// reconciler is the reconciler.\n\treconciler Interface\n\t// roi is the read only interface cast of the reconciler.\n\troi ReadOnlyInterface\n\t// isROI (Read Only Interface) the reconciler only observes reconciliation.\n\tisROI bool\n\t// isLeader the instance of the reconciler is the elected leader.\n\tisLeader bool\n}\n\nfunc newState(key string, r *reconcilerImpl) (*state, error) {\n\t// Convert the namespace/name string into a distinct namespace and name.\n\tnamespace, name, err := cache.SplitMetaNamespaceKey(key)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid resource key: %s\", key)\n\t}\n\n\troi, isROI := r.reconciler.(ReadOnlyInterface)\n\n\tisLeader := 
r.IsLeaderFor(types.NamespacedName{\n\t\tNamespace: namespace,\n\t\tName:      name,\n\t})\n\n\treturn &state{\n\t\tkey:        key,\n\t\tnamespace:  namespace,\n\t\tname:       name,\n\t\treconciler: r.reconciler,\n\t\troi:        roi,\n\t\tisROI:      isROI,\n\t\tisLeader:   isLeader,\n\t}, nil\n}\n\n// isNotLeaderNorObserver checks to see if this reconciler with the current\n// state is enabled to do any work or not.\n// isNotLeaderNorObserver returns true when there is no work possible for the\n// reconciler.\nfunc (s *state) isNotLeaderNorObserver() bool {\n\tif !s.isLeader && !s.isROI {\n\t\t// If we are not the leader, and we don't implement the ReadOnly\n\t\t// interface, then take a fast-path out.\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc (s *state) reconcileMethodFor(o *v1alpha1.TrustRoot) (string, doReconcile) {\n\tif o.GetDeletionTimestamp().IsZero() {\n\t\tif s.isLeader {\n\t\t\treturn reconciler.DoReconcileKind, s.reconciler.ReconcileKind\n\t\t} else if s.isROI {\n\t\t\treturn reconciler.DoObserveKind, s.roi.ObserveKind\n\t\t}\n\t} else if fin, ok := s.reconciler.(Finalizer); s.isLeader && ok {\n\t\treturn reconciler.DoFinalizeKind, fin.FinalizeKind\n\t}\n\treturn \"unknown\", nil\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1beta1/clusterimagepolicy/controller.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage clusterimagepolicy\n\nimport (\n\tcontext \"context\"\n\tfmt \"fmt\"\n\treflect \"reflect\"\n\tstrings \"strings\"\n\n\tversionedscheme \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/scheme\"\n\tclient \"github.com/sigstore/policy-controller/pkg/client/injection/client\"\n\tclusterimagepolicy \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy\"\n\tzap \"go.uber.org/zap\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\twatch \"k8s.io/apimachinery/pkg/watch\"\n\tscheme \"k8s.io/client-go/kubernetes/scheme\"\n\tv1 \"k8s.io/client-go/kubernetes/typed/core/v1\"\n\trecord \"k8s.io/client-go/tools/record\"\n\tkubeclient \"knative.dev/pkg/client/injection/kube/client\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tlogging \"knative.dev/pkg/logging\"\n\tlogkey \"knative.dev/pkg/logging/logkey\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\nconst (\n\tdefaultControllerAgentName = \"clusterimagepolicy-controller\"\n\tdefaultFinalizerName       = \"clusterimagepolicies.policy.sigstore.dev\"\n)\n\n// NewImpl returns a controller.Impl that handles queuing and feeding work from\n// the queue through an implementation of controller.Reconciler, 
delegating to\n// the provided Interface and optional Finalizer methods. OptionsFn is used to return\n// controller.ControllerOptions to be used by the internal reconciler.\nfunc NewImpl(ctx context.Context, r Interface, optionsFns ...controller.OptionsFn) *controller.Impl {\n\tlogger := logging.FromContext(ctx)\n\n\t// Check the options function input. It should be 0 or 1.\n\tif len(optionsFns) > 1 {\n\t\tlogger.Fatal(\"Up to one options function is supported, found: \", len(optionsFns))\n\t}\n\n\tclusterimagepolicyInformer := clusterimagepolicy.Get(ctx)\n\n\tlister := clusterimagepolicyInformer.Lister()\n\n\tvar promoteFilterFunc func(obj interface{}) bool\n\tvar promoteFunc = func(bkt reconciler.Bucket) {}\n\n\trec := &reconcilerImpl{\n\t\tLeaderAwareFuncs: reconciler.LeaderAwareFuncs{\n\t\t\tPromoteFunc: func(bkt reconciler.Bucket, enq func(reconciler.Bucket, types.NamespacedName)) error {\n\n\t\t\t\t// Signal promotion event\n\t\t\t\tpromoteFunc(bkt)\n\n\t\t\t\tall, err := lister.List(labels.Everything())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfor _, elt := range all {\n\t\t\t\t\tif promoteFilterFunc != nil {\n\t\t\t\t\t\tif ok := promoteFilterFunc(elt); !ok {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tenq(bkt, types.NamespacedName{\n\t\t\t\t\t\tNamespace: elt.GetNamespace(),\n\t\t\t\t\t\tName:      elt.GetName(),\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\tClient:        client.Get(ctx),\n\t\tLister:        lister,\n\t\treconciler:    r,\n\t\tfinalizerName: defaultFinalizerName,\n\t}\n\n\tctrType := reflect.TypeOf(r).Elem()\n\tctrTypeName := fmt.Sprintf(\"%s.%s\", ctrType.PkgPath(), ctrType.Name())\n\tctrTypeName = strings.ReplaceAll(ctrTypeName, \"/\", \".\")\n\n\tlogger = logger.With(\n\t\tzap.String(logkey.ControllerType, ctrTypeName),\n\t\tzap.String(logkey.Kind, \"policy.sigstore.dev.ClusterImagePolicy\"),\n\t)\n\n\timpl := controller.NewContext(ctx, rec, 
controller.ControllerOptions{WorkQueueName: ctrTypeName, Logger: logger})\n\tagentName := defaultControllerAgentName\n\n\t// Pass impl to the options. Save any optional results.\n\tfor _, fn := range optionsFns {\n\t\topts := fn(impl)\n\t\tif opts.ConfigStore != nil {\n\t\t\trec.configStore = opts.ConfigStore\n\t\t}\n\t\tif opts.FinalizerName != \"\" {\n\t\t\trec.finalizerName = opts.FinalizerName\n\t\t}\n\t\tif opts.AgentName != \"\" {\n\t\t\tagentName = opts.AgentName\n\t\t}\n\t\tif opts.SkipStatusUpdates {\n\t\t\trec.skipStatusUpdates = true\n\t\t}\n\t\tif opts.DemoteFunc != nil {\n\t\t\trec.DemoteFunc = opts.DemoteFunc\n\t\t}\n\t\tif opts.PromoteFilterFunc != nil {\n\t\t\tpromoteFilterFunc = opts.PromoteFilterFunc\n\t\t}\n\t\tif opts.PromoteFunc != nil {\n\t\t\tpromoteFunc = opts.PromoteFunc\n\t\t}\n\t}\n\n\trec.Recorder = createRecorder(ctx, agentName)\n\n\treturn impl\n}\n\nfunc createRecorder(ctx context.Context, agentName string) record.EventRecorder {\n\tlogger := logging.FromContext(ctx)\n\n\trecorder := controller.GetEventRecorder(ctx)\n\tif recorder == nil {\n\t\t// Create event broadcaster\n\t\tlogger.Debug(\"Creating event broadcaster\")\n\t\teventBroadcaster := record.NewBroadcaster()\n\t\twatches := []watch.Interface{\n\t\t\teventBroadcaster.StartLogging(logger.Named(\"event-broadcaster\").Infof),\n\t\t\teventBroadcaster.StartRecordingToSink(\n\t\t\t\t&v1.EventSinkImpl{Interface: kubeclient.Get(ctx).CoreV1().Events(\"\")}),\n\t\t}\n\t\trecorder = eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: agentName})\n\t\tgo func() {\n\t\t\t<-ctx.Done()\n\t\t\tfor _, w := range watches {\n\t\t\t\tw.Stop()\n\t\t\t}\n\t\t}()\n\t}\n\n\treturn recorder\n}\n\nfunc init() {\n\tversionedscheme.AddToScheme(scheme.Scheme)\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1beta1/clusterimagepolicy/reconciler.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage clusterimagepolicy\n\nimport (\n\tcontext \"context\"\n\tjson \"encoding/json\"\n\tfmt \"fmt\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tversioned \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned\"\n\tpolicyv1beta1 \"github.com/sigstore/policy-controller/pkg/client/listers/policy/v1beta1\"\n\tzap \"go.uber.org/zap\"\n\t\"go.uber.org/zap/zapcore\"\n\tv1 \"k8s.io/api/core/v1\"\n\tequality \"k8s.io/apimachinery/pkg/api/equality\"\n\terrors \"k8s.io/apimachinery/pkg/api/errors\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\tlabels \"k8s.io/apimachinery/pkg/labels\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\tsets \"k8s.io/apimachinery/pkg/util/sets\"\n\trecord \"k8s.io/client-go/tools/record\"\n\tcontroller \"knative.dev/pkg/controller\"\n\tkmp \"knative.dev/pkg/kmp\"\n\tlogging \"knative.dev/pkg/logging\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\n// Interface defines the strongly typed interfaces to be implemented by a\n// controller reconciling v1beta1.ClusterImagePolicy.\ntype Interface interface {\n\t// ReconcileKind implements custom logic to reconcile v1beta1.ClusterImagePolicy. Any changes\n\t// to the objects .Status or .Finalizers will be propagated to the stored\n\t// object. 
It is recommended that implementors do not call any update calls\n\t// for the Kind inside of ReconcileKind, it is the responsibility of the calling\n\t// controller to propagate those properties. The resource passed to ReconcileKind\n\t// will always have an empty deletion timestamp.\n\tReconcileKind(ctx context.Context, o *v1beta1.ClusterImagePolicy) reconciler.Event\n}\n\n// Finalizer defines the strongly typed interfaces to be implemented by a\n// controller finalizing v1beta1.ClusterImagePolicy.\ntype Finalizer interface {\n\t// FinalizeKind implements custom logic to finalize v1beta1.ClusterImagePolicy. Any changes\n\t// to the objects .Status or .Finalizers will be ignored. Returning a nil or\n\t// Normal type reconciler.Event will allow the finalizer to be deleted on\n\t// the resource. The resource passed to FinalizeKind will always have a set\n\t// deletion timestamp.\n\tFinalizeKind(ctx context.Context, o *v1beta1.ClusterImagePolicy) reconciler.Event\n}\n\n// ReadOnlyInterface defines the strongly typed interfaces to be implemented by a\n// controller reconciling v1beta1.ClusterImagePolicy if they want to process resources for which\n// they are not the leader.\ntype ReadOnlyInterface interface {\n\t// ObserveKind implements logic to observe v1beta1.ClusterImagePolicy.\n\t// This method should not write to the API.\n\tObserveKind(ctx context.Context, o *v1beta1.ClusterImagePolicy) reconciler.Event\n}\n\ntype doReconcile func(ctx context.Context, o *v1beta1.ClusterImagePolicy) reconciler.Event\n\n// reconcilerImpl implements controller.Reconciler for v1beta1.ClusterImagePolicy resources.\ntype reconcilerImpl struct {\n\t// LeaderAwareFuncs is inlined to help us implement reconciler.LeaderAware.\n\treconciler.LeaderAwareFuncs\n\n\t// Client is used to write back status updates.\n\tClient versioned.Interface\n\n\t// Listers index properties about resources.\n\tLister policyv1beta1.ClusterImagePolicyLister\n\n\t// Recorder is an event recorder for recording 
Event resources to the\n\t// Kubernetes API.\n\tRecorder record.EventRecorder\n\n\t// configStore allows for decorating a context with config maps.\n\t// +optional\n\tconfigStore reconciler.ConfigStore\n\n\t// reconciler is the implementation of the business logic of the resource.\n\treconciler Interface\n\n\t// finalizerName is the name of the finalizer to reconcile.\n\tfinalizerName string\n\n\t// skipStatusUpdates configures whether or not this reconciler automatically updates\n\t// the status of the reconciled resource.\n\tskipStatusUpdates bool\n}\n\n// Check that our Reconciler implements controller.Reconciler.\nvar _ controller.Reconciler = (*reconcilerImpl)(nil)\n\n// Check that our generated Reconciler is always LeaderAware.\nvar _ reconciler.LeaderAware = (*reconcilerImpl)(nil)\n\nfunc NewReconciler(ctx context.Context, logger *zap.SugaredLogger, client versioned.Interface, lister policyv1beta1.ClusterImagePolicyLister, recorder record.EventRecorder, r Interface, options ...controller.Options) controller.Reconciler {\n\t// Check the options function input. It should be 0 or 1.\n\tif len(options) > 1 {\n\t\tlogger.Fatal(\"Up to one options struct is supported, found: \", len(options))\n\t}\n\n\t// Fail fast when users inadvertently implement the other LeaderAware interface.\n\t// For the typed reconcilers, Promote shouldn't take any arguments.\n\tif _, ok := r.(reconciler.LeaderAware); ok {\n\t\tlogger.Fatalf(\"%T implements the incorrect LeaderAware interface. 
Promote() should not take an argument as genreconciler handles the enqueuing automatically.\", r)\n\t}\n\n\trec := &reconcilerImpl{\n\t\tLeaderAwareFuncs: reconciler.LeaderAwareFuncs{\n\t\t\tPromoteFunc: func(bkt reconciler.Bucket, enq func(reconciler.Bucket, types.NamespacedName)) error {\n\t\t\t\tall, err := lister.List(labels.Everything())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfor _, elt := range all {\n\t\t\t\t\t// TODO: Consider letting users specify a filter in options.\n\t\t\t\t\tenq(bkt, types.NamespacedName{\n\t\t\t\t\t\tNamespace: elt.GetNamespace(),\n\t\t\t\t\t\tName:      elt.GetName(),\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\tClient:        client,\n\t\tLister:        lister,\n\t\tRecorder:      recorder,\n\t\treconciler:    r,\n\t\tfinalizerName: defaultFinalizerName,\n\t}\n\n\tfor _, opts := range options {\n\t\tif opts.ConfigStore != nil {\n\t\t\trec.configStore = opts.ConfigStore\n\t\t}\n\t\tif opts.FinalizerName != \"\" {\n\t\t\trec.finalizerName = opts.FinalizerName\n\t\t}\n\t\tif opts.SkipStatusUpdates {\n\t\t\trec.skipStatusUpdates = true\n\t\t}\n\t\tif opts.DemoteFunc != nil {\n\t\t\trec.DemoteFunc = opts.DemoteFunc\n\t\t}\n\t}\n\n\treturn rec\n}\n\n// Reconcile implements controller.Reconciler\nfunc (r *reconcilerImpl) Reconcile(ctx context.Context, key string) error {\n\tlogger := logging.FromContext(ctx)\n\n\t// Initialize the reconciler state. This will convert the namespace/name\n\t// string into a distinct namespace and name, determine if this instance of\n\t// the reconciler is the leader, and any additional interfaces implemented\n\t// by the reconciler. 
Returns an error is the resource key is invalid.\n\ts, err := newState(key, r)\n\tif err != nil {\n\t\tlogger.Error(\"Invalid resource key: \", key)\n\t\treturn nil\n\t}\n\n\t// If we are not the leader, and we don't implement either ReadOnly\n\t// observer interfaces, then take a fast-path out.\n\tif s.isNotLeaderNorObserver() {\n\t\treturn controller.NewSkipKey(key)\n\t}\n\n\t// If configStore is set, attach the frozen configuration to the context.\n\tif r.configStore != nil {\n\t\tctx = r.configStore.ToContext(ctx)\n\t}\n\n\t// Add the recorder to context.\n\tctx = controller.WithEventRecorder(ctx, r.Recorder)\n\n\t// Get the resource with this namespace/name.\n\n\tgetter := r.Lister\n\n\toriginal, err := getter.Get(s.name)\n\n\tif errors.IsNotFound(err) {\n\t\t// The resource may no longer exist, in which case we stop processing and call\n\t\t// the ObserveDeletion handler if appropriate.\n\t\tlogger.Debugf(\"Resource %q no longer exists\", key)\n\t\tif del, ok := r.reconciler.(reconciler.OnDeletionInterface); ok {\n\t\t\treturn del.ObserveDeletion(ctx, types.NamespacedName{\n\t\t\t\tNamespace: s.namespace,\n\t\t\t\tName:      s.name,\n\t\t\t})\n\t\t}\n\t\treturn nil\n\t} else if err != nil {\n\t\treturn err\n\t}\n\n\t// Don't modify the informers copy.\n\tresource := original.DeepCopy()\n\n\tvar reconcileEvent reconciler.Event\n\n\tname, do := s.reconcileMethodFor(resource)\n\t// Append the target method to the logger.\n\tlogger = logger.With(zap.String(\"targetMethod\", name))\n\tswitch name {\n\tcase reconciler.DoReconcileKind:\n\t\t// Set and update the finalizer on resource if r.reconciler\n\t\t// implements Finalizer.\n\t\tif resource, err = r.setFinalizerIfFinalizer(ctx, resource); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to set finalizers: %w\", err)\n\t\t}\n\n\t\tif !r.skipStatusUpdates {\n\t\t\treconciler.PreProcessReconcile(ctx, resource)\n\t\t}\n\n\t\t// Reconcile this copy of the resource and then write back any status\n\t\t// updates 
regardless of whether the reconciliation errored out.\n\t\treconcileEvent = do(ctx, resource)\n\n\t\tif !r.skipStatusUpdates {\n\t\t\treconciler.PostProcessReconcile(ctx, resource, original)\n\t\t}\n\n\tcase reconciler.DoFinalizeKind:\n\t\t// For finalizing reconcilers, if this resource being marked for deletion\n\t\t// and reconciled cleanly (nil or normal event), remove the finalizer.\n\t\treconcileEvent = do(ctx, resource)\n\n\t\tif resource, err = r.clearFinalizer(ctx, resource, reconcileEvent); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to clear finalizers: %w\", err)\n\t\t}\n\n\tcase reconciler.DoObserveKind:\n\t\t// Observe any changes to this resource, since we are not the leader.\n\t\treconcileEvent = do(ctx, resource)\n\n\t}\n\n\t// Synchronize the status.\n\tswitch {\n\tcase r.skipStatusUpdates:\n\t\t// This reconciler implementation is configured to skip resource updates.\n\t\t// This may mean this reconciler does not observe spec, but reconciles external changes.\n\tcase equality.Semantic.DeepEqual(original.Status, resource.Status):\n\t\t// If we didn't change anything then don't call updateStatus.\n\t\t// This is important because the copy we loaded from the injectionInformer's\n\t\t// cache may be stale and we don't want to overwrite a prior update\n\t\t// to status with this stale state.\n\tcase !s.isLeader:\n\t\t// High-availability reconcilers may have many replicas watching the resource, but only\n\t\t// the elected leader is expected to write modifications.\n\t\tlogger.Warn(\"Saw status changes when we aren't the leader!\")\n\tdefault:\n\t\tif err = r.updateStatus(ctx, logger, original, resource); err != nil {\n\t\t\tlogger.Warnw(\"Failed to update resource status\", zap.Error(err))\n\t\t\tr.Recorder.Eventf(resource, v1.EventTypeWarning, \"UpdateFailed\",\n\t\t\t\t\"Failed to update status for %q: %v\", resource.Name, err)\n\t\t\treturn err\n\t\t}\n\t}\n\n\t// Report the reconciler event, if any.\n\tif reconcileEvent != nil {\n\t\tvar event 
*reconciler.ReconcilerEvent\n\t\tif reconciler.EventAs(reconcileEvent, &event) {\n\t\t\tlogger.Infow(\"Returned an event\", zap.Any(\"event\", reconcileEvent))\n\t\t\tr.Recorder.Event(resource, event.EventType, event.Reason, event.Error())\n\n\t\t\t// the event was wrapped inside an error, consider the reconciliation as failed\n\t\t\tif _, isEvent := reconcileEvent.(*reconciler.ReconcilerEvent); !isEvent {\n\t\t\t\treturn reconcileEvent\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\n\t\tif controller.IsSkipKey(reconcileEvent) {\n\t\t\t// This is a wrapped error, don't emit an event.\n\t\t} else if ok, _ := controller.IsRequeueKey(reconcileEvent); ok {\n\t\t\t// This is a wrapped error, don't emit an event.\n\t\t} else {\n\t\t\tlogger.Errorw(\"Returned an error\", zap.Error(reconcileEvent))\n\t\t\tr.Recorder.Event(resource, v1.EventTypeWarning, \"InternalError\", reconcileEvent.Error())\n\t\t}\n\t\treturn reconcileEvent\n\t}\n\n\treturn nil\n}\n\nfunc (r *reconcilerImpl) updateStatus(ctx context.Context, logger *zap.SugaredLogger, existing *v1beta1.ClusterImagePolicy, desired *v1beta1.ClusterImagePolicy) error {\n\texisting = existing.DeepCopy()\n\treturn reconciler.RetryUpdateConflicts(func(attempts int) (err error) {\n\t\t// The first iteration tries to use the injectionInformer's state, subsequent attempts fetch the latest state via API.\n\t\tif attempts > 0 {\n\n\t\t\tgetter := r.Client.PolicyV1beta1().ClusterImagePolicies()\n\n\t\t\texisting, err = getter.Get(ctx, desired.Name, metav1.GetOptions{})\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\t// If there's nothing to update, just return.\n\t\tif equality.Semantic.DeepEqual(existing.Status, desired.Status) {\n\t\t\treturn nil\n\t\t}\n\n\t\tif logger.Desugar().Core().Enabled(zapcore.DebugLevel) {\n\t\t\tif diff, err := kmp.SafeDiff(existing.Status, desired.Status); err == nil && diff != \"\" {\n\t\t\t\tlogger.Debug(\"Updating status with: \", diff)\n\t\t\t}\n\t\t}\n\n\t\texisting.Status = 
desired.Status\n\n\t\tupdater := r.Client.PolicyV1beta1().ClusterImagePolicies()\n\n\t\t_, err = updater.UpdateStatus(ctx, existing, metav1.UpdateOptions{})\n\t\treturn err\n\t})\n}\n\n// updateFinalizersFiltered will update the Finalizers of the resource.\n// TODO: this method could be generic and sync all finalizers. For now it only\n// updates defaultFinalizerName or its override.\nfunc (r *reconcilerImpl) updateFinalizersFiltered(ctx context.Context, resource *v1beta1.ClusterImagePolicy, desiredFinalizers sets.String) (*v1beta1.ClusterImagePolicy, error) {\n\t// Don't modify the informers copy.\n\texisting := resource.DeepCopy()\n\n\tvar finalizers []string\n\n\t// If there's nothing to update, just return.\n\texistingFinalizers := sets.NewString(existing.Finalizers...)\n\n\tif desiredFinalizers.Has(r.finalizerName) {\n\t\tif existingFinalizers.Has(r.finalizerName) {\n\t\t\t// Nothing to do.\n\t\t\treturn resource, nil\n\t\t}\n\t\t// Add the finalizer.\n\t\tfinalizers = append(existing.Finalizers, r.finalizerName)\n\t} else {\n\t\tif !existingFinalizers.Has(r.finalizerName) {\n\t\t\t// Nothing to do.\n\t\t\treturn resource, nil\n\t\t}\n\t\t// Remove the finalizer.\n\t\texistingFinalizers.Delete(r.finalizerName)\n\t\tfinalizers = existingFinalizers.List()\n\t}\n\n\tmergePatch := map[string]interface{}{\n\t\t\"metadata\": map[string]interface{}{\n\t\t\t\"finalizers\":      finalizers,\n\t\t\t\"resourceVersion\": existing.ResourceVersion,\n\t\t},\n\t}\n\n\tpatch, err := json.Marshal(mergePatch)\n\tif err != nil {\n\t\treturn resource, err\n\t}\n\n\tpatcher := r.Client.PolicyV1beta1().ClusterImagePolicies()\n\n\tresourceName := resource.Name\n\tupdated, err := patcher.Patch(ctx, resourceName, types.MergePatchType, patch, metav1.PatchOptions{})\n\tif err != nil {\n\t\tr.Recorder.Eventf(existing, v1.EventTypeWarning, \"FinalizerUpdateFailed\",\n\t\t\t\"Failed to update finalizers for %q: %v\", resourceName, err)\n\t} else {\n\t\tr.Recorder.Eventf(updated, 
v1.EventTypeNormal, \"FinalizerUpdate\",\n\t\t\t\"Updated %q finalizers\", resource.GetName())\n\t}\n\treturn updated, err\n}\n\nfunc (r *reconcilerImpl) setFinalizerIfFinalizer(ctx context.Context, resource *v1beta1.ClusterImagePolicy) (*v1beta1.ClusterImagePolicy, error) {\n\tif _, ok := r.reconciler.(Finalizer); !ok {\n\t\treturn resource, nil\n\t}\n\n\tfinalizers := sets.NewString(resource.Finalizers...)\n\n\t// If this resource is not being deleted, mark the finalizer.\n\tif resource.GetDeletionTimestamp().IsZero() {\n\t\tfinalizers.Insert(r.finalizerName)\n\t}\n\n\t// Synchronize the finalizers filtered by r.finalizerName.\n\treturn r.updateFinalizersFiltered(ctx, resource, finalizers)\n}\n\nfunc (r *reconcilerImpl) clearFinalizer(ctx context.Context, resource *v1beta1.ClusterImagePolicy, reconcileEvent reconciler.Event) (*v1beta1.ClusterImagePolicy, error) {\n\tif _, ok := r.reconciler.(Finalizer); !ok {\n\t\treturn resource, nil\n\t}\n\tif resource.GetDeletionTimestamp().IsZero() {\n\t\treturn resource, nil\n\t}\n\n\tfinalizers := sets.NewString(resource.Finalizers...)\n\n\tif reconcileEvent != nil {\n\t\tvar event *reconciler.ReconcilerEvent\n\t\tif reconciler.EventAs(reconcileEvent, &event) {\n\t\t\tif event.EventType == v1.EventTypeNormal {\n\t\t\t\tfinalizers.Delete(r.finalizerName)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfinalizers.Delete(r.finalizerName)\n\t}\n\n\t// Synchronize the finalizers filtered by r.finalizerName.\n\treturn r.updateFinalizersFiltered(ctx, resource, finalizers)\n}\n"
  },
  {
    "path": "pkg/client/injection/reconciler/policy/v1beta1/clusterimagepolicy/state.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by injection-gen. DO NOT EDIT.\n\npackage clusterimagepolicy\n\nimport (\n\tfmt \"fmt\"\n\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\ttypes \"k8s.io/apimachinery/pkg/types\"\n\tcache \"k8s.io/client-go/tools/cache\"\n\treconciler \"knative.dev/pkg/reconciler\"\n)\n\n// state is used to track the state of a reconciler in a single run.\ntype state struct {\n\t// key is the original reconciliation key from the queue.\n\tkey string\n\t// namespace is the namespace split from the reconciliation key.\n\tnamespace string\n\t// name is the name split from the reconciliation key.\n\tname string\n\t// reconciler is the reconciler.\n\treconciler Interface\n\t// roi is the read only interface cast of the reconciler.\n\troi ReadOnlyInterface\n\t// isROI (Read Only Interface) the reconciler only observes reconciliation.\n\tisROI bool\n\t// isLeader the instance of the reconciler is the elected leader.\n\tisLeader bool\n}\n\nfunc newState(key string, r *reconcilerImpl) (*state, error) {\n\t// Convert the namespace/name string into a distinct namespace and name.\n\tnamespace, name, err := cache.SplitMetaNamespaceKey(key)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid resource key: %s\", key)\n\t}\n\n\troi, isROI := r.reconciler.(ReadOnlyInterface)\n\n\tisLeader := 
r.IsLeaderFor(types.NamespacedName{\n\t\tNamespace: namespace,\n\t\tName:      name,\n\t})\n\n\treturn &state{\n\t\tkey:        key,\n\t\tnamespace:  namespace,\n\t\tname:       name,\n\t\treconciler: r.reconciler,\n\t\troi:        roi,\n\t\tisROI:      isROI,\n\t\tisLeader:   isLeader,\n\t}, nil\n}\n\n// isNotLeaderNorObserver checks to see if this reconciler with the current\n// state is enabled to do any work or not.\n// isNotLeaderNorObserver returns true when there is no work possible for the\n// reconciler.\nfunc (s *state) isNotLeaderNorObserver() bool {\n\tif !s.isLeader && !s.isROI {\n\t\t// If we are not the leader, and we don't implement the ReadOnly\n\t\t// interface, then take a fast-path out.\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc (s *state) reconcileMethodFor(o *v1beta1.ClusterImagePolicy) (string, doReconcile) {\n\tif o.GetDeletionTimestamp().IsZero() {\n\t\tif s.isLeader {\n\t\t\treturn reconciler.DoReconcileKind, s.reconciler.ReconcileKind\n\t\t} else if s.isROI {\n\t\t\treturn reconciler.DoObserveKind, s.roi.ObserveKind\n\t\t}\n\t} else if fin, ok := s.reconciler.(Finalizer); s.isLeader && ok {\n\t\treturn reconciler.DoFinalizeKind, fin.FinalizeKind\n\t}\n\treturn \"unknown\", nil\n}\n"
  },
  {
    "path": "pkg/client/listers/policy/v1alpha1/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by lister-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"k8s.io/apimachinery/pkg/api/errors\"\n\t\"k8s.io/apimachinery/pkg/labels\"\n\t\"k8s.io/client-go/tools/cache\"\n)\n\n// ClusterImagePolicyLister helps list ClusterImagePolicies.\n// All objects returned here must be treated as read-only.\ntype ClusterImagePolicyLister interface {\n\t// List lists all ClusterImagePolicies in the indexer.\n\t// Objects returned here must be treated as read-only.\n\tList(selector labels.Selector) (ret []*v1alpha1.ClusterImagePolicy, err error)\n\t// Get retrieves the ClusterImagePolicy from the index for a given name.\n\t// Objects returned here must be treated as read-only.\n\tGet(name string) (*v1alpha1.ClusterImagePolicy, error)\n\tClusterImagePolicyListerExpansion\n}\n\n// clusterImagePolicyLister implements the ClusterImagePolicyLister interface.\ntype clusterImagePolicyLister struct {\n\tindexer cache.Indexer\n}\n\n// NewClusterImagePolicyLister returns a new ClusterImagePolicyLister.\nfunc NewClusterImagePolicyLister(indexer cache.Indexer) ClusterImagePolicyLister {\n\treturn &clusterImagePolicyLister{indexer: indexer}\n}\n\n// List lists all ClusterImagePolicies in the indexer.\nfunc (s *clusterImagePolicyLister) List(selector labels.Selector) 
(ret []*v1alpha1.ClusterImagePolicy, err error) {\n\terr = cache.ListAll(s.indexer, selector, func(m interface{}) {\n\t\tret = append(ret, m.(*v1alpha1.ClusterImagePolicy))\n\t})\n\treturn ret, err\n}\n\n// Get retrieves the ClusterImagePolicy from the index for a given name.\nfunc (s *clusterImagePolicyLister) Get(name string) (*v1alpha1.ClusterImagePolicy, error) {\n\tobj, exists, err := s.indexer.GetByKey(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif !exists {\n\t\treturn nil, errors.NewNotFound(v1alpha1.Resource(\"clusterimagepolicy\"), name)\n\t}\n\treturn obj.(*v1alpha1.ClusterImagePolicy), nil\n}\n"
  },
  {
    "path": "pkg/client/listers/policy/v1alpha1/expansion_generated.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by lister-gen. DO NOT EDIT.\n\npackage v1alpha1\n\n// ClusterImagePolicyListerExpansion allows custom methods to be added to\n// ClusterImagePolicyLister.\ntype ClusterImagePolicyListerExpansion interface{}\n\n// TrustRootListerExpansion allows custom methods to be added to\n// TrustRootLister.\ntype TrustRootListerExpansion interface{}\n"
  },
  {
    "path": "pkg/client/listers/policy/v1alpha1/trustroot.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by lister-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\tv1alpha1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"k8s.io/apimachinery/pkg/api/errors\"\n\t\"k8s.io/apimachinery/pkg/labels\"\n\t\"k8s.io/client-go/tools/cache\"\n)\n\n// TrustRootLister helps list TrustRoots.\n// All objects returned here must be treated as read-only.\ntype TrustRootLister interface {\n\t// List lists all TrustRoots in the indexer.\n\t// Objects returned here must be treated as read-only.\n\tList(selector labels.Selector) (ret []*v1alpha1.TrustRoot, err error)\n\t// Get retrieves the TrustRoot from the index for a given name.\n\t// Objects returned here must be treated as read-only.\n\tGet(name string) (*v1alpha1.TrustRoot, error)\n\tTrustRootListerExpansion\n}\n\n// trustRootLister implements the TrustRootLister interface.\ntype trustRootLister struct {\n\tindexer cache.Indexer\n}\n\n// NewTrustRootLister returns a new TrustRootLister.\nfunc NewTrustRootLister(indexer cache.Indexer) TrustRootLister {\n\treturn &trustRootLister{indexer: indexer}\n}\n\n// List lists all TrustRoots in the indexer.\nfunc (s *trustRootLister) List(selector labels.Selector) (ret []*v1alpha1.TrustRoot, err error) {\n\terr = cache.ListAll(s.indexer, selector, func(m interface{}) {\n\t\tret = append(ret, 
m.(*v1alpha1.TrustRoot))\n\t})\n\treturn ret, err\n}\n\n// Get retrieves the TrustRoot from the index for a given name.\nfunc (s *trustRootLister) Get(name string) (*v1alpha1.TrustRoot, error) {\n\tobj, exists, err := s.indexer.GetByKey(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif !exists {\n\t\treturn nil, errors.NewNotFound(v1alpha1.Resource(\"trustroot\"), name)\n\t}\n\treturn obj.(*v1alpha1.TrustRoot), nil\n}\n"
  },
  {
    "path": "pkg/client/listers/policy/v1beta1/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by lister-gen. DO NOT EDIT.\n\npackage v1beta1\n\nimport (\n\tv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\t\"k8s.io/apimachinery/pkg/api/errors\"\n\t\"k8s.io/apimachinery/pkg/labels\"\n\t\"k8s.io/client-go/tools/cache\"\n)\n\n// ClusterImagePolicyLister helps list ClusterImagePolicies.\n// All objects returned here must be treated as read-only.\ntype ClusterImagePolicyLister interface {\n\t// List lists all ClusterImagePolicies in the indexer.\n\t// Objects returned here must be treated as read-only.\n\tList(selector labels.Selector) (ret []*v1beta1.ClusterImagePolicy, err error)\n\t// Get retrieves the ClusterImagePolicy from the index for a given name.\n\t// Objects returned here must be treated as read-only.\n\tGet(name string) (*v1beta1.ClusterImagePolicy, error)\n\tClusterImagePolicyListerExpansion\n}\n\n// clusterImagePolicyLister implements the ClusterImagePolicyLister interface.\ntype clusterImagePolicyLister struct {\n\tindexer cache.Indexer\n}\n\n// NewClusterImagePolicyLister returns a new ClusterImagePolicyLister.\nfunc NewClusterImagePolicyLister(indexer cache.Indexer) ClusterImagePolicyLister {\n\treturn &clusterImagePolicyLister{indexer: indexer}\n}\n\n// List lists all ClusterImagePolicies in the indexer.\nfunc (s *clusterImagePolicyLister) List(selector labels.Selector) (ret 
[]*v1beta1.ClusterImagePolicy, err error) {\n\terr = cache.ListAll(s.indexer, selector, func(m interface{}) {\n\t\tret = append(ret, m.(*v1beta1.ClusterImagePolicy))\n\t})\n\treturn ret, err\n}\n\n// Get retrieves the ClusterImagePolicy from the index for a given name.\nfunc (s *clusterImagePolicyLister) Get(name string) (*v1beta1.ClusterImagePolicy, error) {\n\tobj, exists, err := s.indexer.GetByKey(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif !exists {\n\t\treturn nil, errors.NewNotFound(v1beta1.Resource(\"clusterimagepolicy\"), name)\n\t}\n\treturn obj.(*v1beta1.ClusterImagePolicy), nil\n}\n"
  },
  {
    "path": "pkg/client/listers/policy/v1beta1/expansion_generated.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Code generated by lister-gen. DO NOT EDIT.\n\npackage v1beta1\n\n// ClusterImagePolicyListerExpansion allows custom methods to be added to\n// ClusterImagePolicyLister.\ntype ClusterImagePolicyListerExpansion interface{}\n"
  },
  {
    "path": "pkg/config/store.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage config\n\nimport (\n\t\"context\"\n\t\"strconv\"\n\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"knative.dev/pkg/configmap\"\n)\n\ntype cfgKey struct{}\n\nconst (\n\t// PolicyControllerConfigName is the name of the configmap used to configure\n\t// policy-controller.\n\tPolicyControllerConfigName = \"config-policy-controller\" //nolint: gosec\n\n\t// Specifies that if an image is not found to match any policy, it should\n\t// be rejected.\n\tDenyAll = \"deny\"\n\n\t// Specifies that if an image is not found to match any policy, it should\n\t// be allowed.\n\tAllowAll = \"allow\"\n\n\tWarnAll = \"warn\"\n\n\tNoMatchPolicyKey = \"no-match-policy\"\n\n\tFailOnEmptyAuthorities = \"fail-on-empty-authorities\"\n\n\tEnableOCI11 = \"enable-oci11\"\n)\n\n// PolicyControllerConfig controls the behaviour of policy-controller that needs\n// to be more flexible than requiring a controller restart. 
Some examples are\n// controlling behaviour for what to do if no matching policies are found.\n// The point is that these settings apply to the whole controller instead of specific CIP\n// policies that apply only to matching images.\ntype PolicyControllerConfig struct {\n\t// NoMatchPolicy says what to do in the case where an image does not match\n\t// any policy. Missing or unrecognized values are treated as deny.\n\tNoMatchPolicy string `json:\"no-match-policy\"`\n\t// FailOnEmptyAuthorities configures whether the validating webhook fails\n\t// (true, the default) or allows (false) creating a CIP without a list of\n\t// authorities.\n\tFailOnEmptyAuthorities bool `json:\"fail-on-empty-authorities\"`\n\t// EnableOCI11 enables the experimental OCI 1.1 referrers API for attestation discovery\n\tEnableOCI11 bool `json:\"enable-oci11\"`\n}\n\nfunc NewPolicyControllerConfigFromMap(data map[string]string) (*PolicyControllerConfig, error) {\n\tret := &PolicyControllerConfig{NoMatchPolicy: \"deny\", FailOnEmptyAuthorities: true}\n\tswitch data[NoMatchPolicyKey] {\n\tcase DenyAll:\n\t\tret.NoMatchPolicy = DenyAll\n\tcase AllowAll:\n\t\tret.NoMatchPolicy = AllowAll\n\tcase WarnAll:\n\t\tret.NoMatchPolicy = WarnAll\n\tdefault:\n\t\tret.NoMatchPolicy = DenyAll\n\t}\n\tif val, ok := data[FailOnEmptyAuthorities]; ok {\n\t\tvar err error\n\t\tret.FailOnEmptyAuthorities, err = strconv.ParseBool(val)\n\t\tif err != nil {\n\t\t\treturn ret, err\n\t\t}\n\t}\n\tif val, ok := data[EnableOCI11]; ok {\n\t\tvar err error\n\t\tret.EnableOCI11, err = strconv.ParseBool(val)\n\t\tif err != nil {\n\t\t\treturn ret, err\n\t\t}\n\t}\n\treturn ret, nil\n}\n\nfunc NewPolicyControllerConfigFromConfigMap(config *corev1.ConfigMap) (*PolicyControllerConfig, error) {\n\treturn NewPolicyControllerConfigFromMap(config.Data)\n}\n\n// FromContext extracts a PolicyControllerConfig from the provided context.\nfunc FromContext(ctx context.Context) *PolicyControllerConfig {\n\tx, ok := ctx.Value(cfgKey{}).(*PolicyControllerConfig)\n\tif ok {\n\t\treturn x\n\t}\n\treturn nil\n}\n\n// FromContextOrDefaults is like FromContext, but when 
no\n// PolicyControllerConfig is attached, it returns a PolicyControllerConfig\n// populated with the defaults for each of the fields.\nfunc FromContextOrDefaults(ctx context.Context) *PolicyControllerConfig {\n\tif cfg := FromContext(ctx); cfg != nil {\n\t\treturn cfg\n\t}\n\treturn &PolicyControllerConfig{\n\t\tNoMatchPolicy:          DenyAll,\n\t\tFailOnEmptyAuthorities: true,\n\t\tEnableOCI11:            false,\n\t}\n}\n\n// ToContext attaches the provided PolicyControllerConfig to the provided\n// context, returning the new context with the Config attached.\nfunc ToContext(ctx context.Context, c *PolicyControllerConfig) context.Context {\n\treturn context.WithValue(ctx, cfgKey{}, c)\n}\n\n// Store is a typed wrapper around configmap.Untyped store to handle our configmaps.\n// +k8s:deepcopy-gen=false\ntype Store struct {\n\t*configmap.UntypedStore\n}\n\n// NewStore creates a new store of Configs and optionally calls functions when ConfigMaps are updated.\nfunc NewStore(logger configmap.Logger, onAfterStore ...func(name string, value interface{})) *Store {\n\tstore := &Store{\n\t\tUntypedStore: configmap.NewUntypedStore(\n\t\t\tPolicyControllerConfigName,\n\t\t\tlogger,\n\t\t\tconfigmap.Constructors{\n\t\t\t\tPolicyControllerConfigName: NewPolicyControllerConfigFromConfigMap,\n\t\t\t},\n\t\t\tonAfterStore...,\n\t\t),\n\t}\n\n\treturn store\n}\n\n// ToContext attaches the current PolicyControllerConfig state to the provided\n// context.\nfunc (s *Store) ToContext(ctx context.Context) context.Context {\n\treturn ToContext(ctx, s.Load())\n}\n\n// Load creates a PolicyControllerConfig from the current config state of the\n// Store.\nfunc (s *Store) Load() *PolicyControllerConfig {\n\treturn s.UntypedLoad(PolicyControllerConfigName).(*PolicyControllerConfig)\n}\n"
  },
  {
    "path": "pkg/config/store_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage config\n\nimport (\n\t\"context\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\tlogtesting \"knative.dev/pkg/logging/testing\"\n\n\t. \"knative.dev/pkg/configmap/testing\"\n)\n\ntype testData struct {\n\tnoMatchPolicy          string\n\tfailOnEmptyAuthorities bool\n\tenableOCI11            bool\n}\n\nvar testfiles = map[string]testData{\n\t\"allow-all\":               {noMatchPolicy: AllowAll, failOnEmptyAuthorities: true, enableOCI11: false},\n\t\"deny-all-explicit\":       {noMatchPolicy: DenyAll, failOnEmptyAuthorities: true, enableOCI11: false},\n\t\"warn-all\":                {noMatchPolicy: WarnAll, failOnEmptyAuthorities: true, enableOCI11: false},\n\t\"deny-all-default\":        {noMatchPolicy: DenyAll, failOnEmptyAuthorities: true, enableOCI11: false},\n\t\"allow-empty-authorities\": {noMatchPolicy: DenyAll, failOnEmptyAuthorities: false, enableOCI11: false},\n}\n\nfunc TestStoreLoadWithContext(t *testing.T) {\n\tstore := NewStore(logtesting.TestLogger(t))\n\n\tfor file, want := range testfiles {\n\t\t_, policyControllerConfig := ConfigMapsFromTestFile(t, file)\n\n\t\tstore.OnConfigChanged(policyControllerConfig)\n\n\t\tconfig := FromContextOrDefaults(store.ToContext(context.Background()))\n\n\t\tt.Run(\"policy-controller-config-test-\"+file, func(t *testing.T) {\n\t\t\texpected, _ := 
NewPolicyControllerConfigFromConfigMap(policyControllerConfig)\n\t\t\tif diff := cmp.Diff(want.noMatchPolicy, expected.NoMatchPolicy); diff != \"\" {\n\t\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t\t}\n\t\t\tif diff := cmp.Diff(want.failOnEmptyAuthorities, expected.FailOnEmptyAuthorities); diff != \"\" {\n\t\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t\t}\n\t\t\tif diff := cmp.Diff(want.enableOCI11, expected.EnableOCI11); diff != \"\" {\n\t\t\t\tt.Error(\"Unexpected EnableOCI11 config (-want, +got):\", diff)\n\t\t\t}\n\t\t\tif diff := cmp.Diff(expected, config); diff != \"\" {\n\t\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestStoreLoadWithContextOrDefaults(t *testing.T) {\n\tfor file := range testfiles {\n\t\tpolicyControllerConfig := ConfigMapFromTestFile(t, file)\n\t\tconfig := FromContextOrDefaults(context.Background())\n\n\t\tt.Run(\"policy-controller-config-tests-\"+file, func(t *testing.T) {\n\t\t\texpected, _ := NewPolicyControllerConfigFromConfigMap(policyControllerConfig)\n\t\t\t// These all should have the default, because we don't parse the\n\t\t\t// _example in these tests.\n\t\t\tif diff := cmp.Diff(DenyAll, expected.NoMatchPolicy); diff != \"\" {\n\t\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t\t}\n\t\t\tif diff := cmp.Diff(expected, config); diff != \"\" {\n\t\t\t\tt.Error(\"Unexpected defaults config (-want, +got):\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestEnableOCI11Config(t *testing.T) {\n\ttests := []struct {\n\t\tname      string\n\t\tdata      map[string]string\n\t\twantOCI11 bool\n\t\twantErr   bool\n\t}{\n\t\t{\n\t\t\tname:      \"enable-oci11 true\",\n\t\t\tdata:      map[string]string{\"enable-oci11\": \"true\"},\n\t\t\twantOCI11: true,\n\t\t\twantErr:   false,\n\t\t},\n\t\t{\n\t\t\tname:      \"enable-oci11 false\",\n\t\t\tdata:      map[string]string{\"enable-oci11\": \"false\"},\n\t\t\twantOCI11: 
false,\n\t\t\twantErr:   false,\n\t\t},\n\t\t{\n\t\t\tname:      \"enable-oci11 not set (default false)\",\n\t\t\tdata:      map[string]string{},\n\t\t\twantOCI11: false,\n\t\t\twantErr:   false,\n\t\t},\n\t\t{\n\t\t\tname:    \"enable-oci11 invalid value\",\n\t\t\tdata:    map[string]string{\"enable-oci11\": \"not-a-boolean\"},\n\t\t\twantErr: true,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tcfg, err := NewPolicyControllerConfigFromMap(tt.data)\n\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"NewPolicyControllerConfigFromMap() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif !tt.wantErr {\n\t\t\t\tif cfg.EnableOCI11 != tt.wantOCI11 {\n\t\t\t\t\tt.Errorf(\"EnableOCI11 = %v, want %v\", cfg.EnableOCI11, tt.wantOCI11)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestFromContextOrDefaultsWithOCI11(t *testing.T) {\n\t// Test default returns EnableOCI11 = false\n\tcfg := FromContextOrDefaults(context.Background())\n\tif cfg.EnableOCI11 != false {\n\t\tt.Errorf(\"Default EnableOCI11 = %v, want false\", cfg.EnableOCI11)\n\t}\n\n\t// Test with EnableOCI11 = true in context\n\tcustomCfg := &PolicyControllerConfig{\n\t\tNoMatchPolicy:          DenyAll,\n\t\tFailOnEmptyAuthorities: true,\n\t\tEnableOCI11:            true,\n\t}\n\tctx := ToContext(context.Background(), customCfg)\n\n\tcfg = FromContextOrDefaults(ctx)\n\tif cfg.EnableOCI11 != true {\n\t\tt.Errorf(\"Context EnableOCI11 = %v, want true\", cfg.EnableOCI11)\n\t}\n}\n"
  },
  {
    "path": "pkg/config/testdata/allow-all.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-policy-controller\n  namespace: cosign-system\n  labels:\n    policy.sigstore.dev/release: devel\n\ndata:\n  _example: |\n    no-match-policy: allow\n"
  },
  {
    "path": "pkg/config/testdata/allow-empty-authorities.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-policy-controller\n  namespace: cosign-system\n  labels:\n    policy.sigstore.dev/release: devel\n\ndata:\n  _example: |\n    no-match-policy: deny\n    fail-on-empty-authorities: false\n"
  },
  {
    "path": "pkg/config/testdata/deny-all-default.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-policy-controller\n  namespace: cosign-system\n  labels:\n    policy.sigstore.dev/release: devel\n\ndata:\n  _example: |\n    some-other-key: somethingelse\n"
  },
  {
    "path": "pkg/config/testdata/deny-all-explicit.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-policy-controller\n  namespace: cosign-system\n  labels:\n    policy.sigstore.dev/release: devel\n\ndata:\n  _example: |\n    no-match-policy: deny\n"
  },
  {
    "path": "pkg/config/testdata/enable-oci11-invalid.yaml",
    "content": "# Copyright 2025 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-policy-controller\n  namespace: cosign-system\ndata:\n  enable-oci11: \"not-a-boolean\"\n\n"
  },
  {
    "path": "pkg/config/testdata/enable-oci11.yaml",
    "content": "# Copyright 2025 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-policy-controller\n  namespace: cosign-system\ndata:\n  enable-oci11: \"true\"\n\n"
  },
  {
    "path": "pkg/config/testdata/warn-all.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: config-policy-controller\n  namespace: cosign-system\n  labels:\n    policy.sigstore.dev/release: devel\n\ndata:\n  _example: |\n    no-match-policy: warn\n"
  },
  {
    "path": "pkg/policy/README.md",
    "content": "# Integrating Policy Verification\n\nThe goal of this package is to make it easy for downstream tools to incorporate\nthe verification capabilities of `ClusterImagePolicy` in other contexts where\nOCI artifacts are consumed.\n\nThe most straightforward example of this is to enable OCI build tooling to\nincorporate policies over the base images on top of which an application image\nis built (e.g. `ko`, `kaniko`).  However, this can also be used by other tooling\nthat stores artifacts in OCI registries to verify those artifacts. Examples of\nthis could include the way Buildpacks v3 and Crossplane store elements in OCI\nregistries.\n\n## Configuration\n\nVerification is configured via `policy.Verification`:\n\n```golang\ntype Verification struct {\n\t// NoMatchPolicy specifies the behavior when a base image doesn't match any\n\t// of the listed policies.  It allows the values: allow, deny, and warn.\n\tNoMatchPolicy string `yaml:\"no-match-policy,omitempty\"`\n\n\t// Policies specifies a collection of policies to use to cover the base\n\t// images used as part of evaluation.  See \"policy\" below for usage.\n\t// Policies can be nil so that we can distinguish between an explicitly\n\t// specified empty list and when policies is unspecified.\n\tPolicies *[]Source `yaml:\"policies,omitempty\"`\n}\n```\n\n`NoMatchPolicy` controls the behavior when an image reference is passed that\ndoes not match any of the configured policies.\n\n`Policies` can be specified via three possible sources:\n\n```golang\n// Source contains a set of options for specifying policies.  
Exactly\n// one of the fields may be specified for each Source entry.\ntype Source struct {\n\t// Data is a collection of one or more ClusterImagePolicy resources.\n\tData string `yaml:\"data,omitempty\"`\n\n\t// Path is a path to a file containing one or more ClusterImagePolicy\n\t// resources.\n\t// TODO(mattmoor): Make this support taking a directory similar to kubectl.\n\t// TODO(mattmoor): How do we want to handle something like -R?  Perhaps we\n\t// don't and encourage folks to list each directory individually?\n\tPath string `yaml:\"path,omitempty\"`\n\n\t// URL links to a file containing one or more ClusterImagePolicy resources.\n\tURL string `yaml:\"url,omitempty\"`\n}\n```\n\nA `path` source is read from the local filesystem and a `url` source is fetched\nwith an HTTP GET; the retrieved content is parsed as policy as-is, so both\nshould point at locations whose contents you trust.\n\n### With `spf13/viper`\n\nMany tools leverage `spf13/viper` for configuration, and `policy.Verification`\nmay be used in conjunction with viper via:\n\n```golang\n\tvfy := policy.Verification{}\n\tif err := v.UnmarshalKey(\"verification\", &vfy); err != nil { ... }\n```\n\nThis allows a section of the viper config:\n\n```yaml\nverification:\n  noMatchPolicy: deny\n  policies:\n  - data: ... # Inline policies\n  - url: ... # URL to policies\n  ...\n```\n\n## Compilation\n\nThe `policy.Verification` can be compiled into a `policy.Verifier` using\n`policy.Compile`, which also takes a `context.Context` and a function that\ncontrols how warnings are surfaced:\n\n```golang\n\tverifier, err := policy.Compile(ctx, verification,\n\t\tfunc(s string, i ...interface{}) {\n\t\t\t// Handle warnings your own way!\n\t\t})\n\tif err != nil { ... 
}\n```\n\nThe compilation process surfaces compilation warnings via the supplied\nfunction and immediately returns any errors encountered while resolving or\ncompiling the policies.\n\n## Verification\n\nWith a compiled `policy.Verifier`, many image references can be verified against\nthe compiled policies by invoking `Verify`:\n\n```golang\n// Verifier is the interface for checking that a given image digest satisfies\n// the policies backing this interface.\ntype Verifier interface {\n\t// Verify checks that the provided reference satisfies the backing policies.\n\tVerify(context.Context, name.Reference, authn.Keychain) error\n}\n```\n"
  },
  {
    "path": "pkg/policy/parse.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\t\"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n\t\"knative.dev/pkg/apis\"\n\t\"sigs.k8s.io/yaml\"\n)\n\n// Parse decodes a provided YAML document containing zero or more objects into\n// a collection of unstructured.Unstructured objects.\nfunc Parse(_ context.Context, document string) ([]*unstructured.Unstructured, error) {\n\tdocs := strings.Split(document, \"\\n---\\n\")\n\n\tobjs := make([]*unstructured.Unstructured, 0, len(docs))\n\tfor i, doc := range docs {\n\t\tdoc = strings.TrimSpace(doc)\n\t\tif doc == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tvar obj unstructured.Unstructured\n\t\tif err := yaml.Unmarshal([]byte(doc), &obj); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"decoding object[%d]: %w\", i, err)\n\t\t}\n\t\tif obj.GetAPIVersion() == \"\" {\n\t\t\treturn nil, apis.ErrMissingField(\"apiVersion\").ViaIndex(i)\n\t\t}\n\t\tif obj.GetName() == \"\" {\n\t\t\treturn nil, apis.ErrMissingField(\"metadata.name\").ViaIndex(i)\n\t\t}\n\t\tobjs = append(objs, &obj)\n\t}\n\treturn objs, nil\n}\n\n// ParseClusterImagePolicies returns ClusterImagePolicy objects found 
in the\n// policy document.\nfunc ParseClusterImagePolicies(ctx context.Context, document string) (cips []*v1alpha1.ClusterImagePolicy, warns error, err error) {\n\tif warns, err = Validate(ctx, document); err != nil {\n\t\treturn nil, warns, err\n\t}\n\n\tol, err := Parse(ctx, document)\n\tif err != nil {\n\t\t// \"Validate\" above calls \"Parse\", so this is unreachable.\n\t\treturn nil, warns, err\n\t}\n\n\tcips = make([]*v1alpha1.ClusterImagePolicy, 0, len(ol))\n\tfor _, obj := range ol {\n\t\tgv, err := schema.ParseGroupVersion(obj.GetAPIVersion())\n\t\tif err != nil {\n\t\t\t// Practically speaking unstructured.Unstructured won't let this happen.\n\t\t\treturn nil, warns, fmt.Errorf(\"error parsing apiVersion of: %w\", err)\n\t\t}\n\n\t\tcip := &v1alpha1.ClusterImagePolicy{}\n\n\t\tswitch gv.WithKind(obj.GetKind()) {\n\t\tcase v1beta1.SchemeGroupVersion.WithKind(\"ClusterImagePolicy\"):\n\t\t\tv1b1 := &v1beta1.ClusterImagePolicy{}\n\t\t\tif err := convert(obj, v1b1); err != nil {\n\t\t\t\treturn nil, warns, err\n\t\t\t}\n\t\t\tif err := cip.ConvertFrom(ctx, v1b1); err != nil {\n\t\t\t\treturn nil, warns, err\n\t\t\t}\n\n\t\tcase v1alpha1.SchemeGroupVersion.WithKind(\"ClusterImagePolicy\"):\n\t\t\t// This is allowed, but we should convert things.\n\t\t\tif err := convert(obj, cip); err != nil {\n\t\t\t\treturn nil, warns, err\n\t\t\t}\n\n\t\tdefault:\n\t\t\tcontinue\n\t\t}\n\n\t\tcips = append(cips, cip)\n\t}\n\treturn cips, warns, nil\n}\n\nfunc convert(from interface{}, to interface{}) error {\n\tbs, err := json.Marshal(from)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"Marshal() = %w\", err)\n\t}\n\tif err := json.Unmarshal(bs, to); err != nil {\n\t\treturn fmt.Errorf(\"Unmarshal() = %w\", err)\n\t}\n\treturn nil\n}\n"
  },
  {
    "path": "pkg/policy/parse_test.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tv1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured\"\n\t\"knative.dev/pkg/apis\"\n)\n\nfunc TestParse(t *testing.T) {\n\ttests := []struct {\n\t\tname    string\n\t\tdoc     string\n\t\twant    []*unstructured.Unstructured\n\t\twantErr error\n\t}{{\n\t\tname: \"good single object\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec: {}\n`,\n\t\twant: []*unstructured.Unstructured{{\n\t\t\tObject: map[string]interface{}{\n\t\t\t\t\"apiVersion\": \"policy.sigstore.dev/v1beta1\",\n\t\t\t\t\"kind\":       \"ClusterImagePolicy\",\n\t\t\t\t\"metadata\": map[string]interface{}{\n\t\t\t\t\t\"name\": \"blah\",\n\t\t\t\t},\n\t\t\t\t\"spec\": map[string]interface{}{},\n\t\t\t},\n\t\t}},\n\t}, {\n\t\tname: \"good multi-object\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec: {}\n---\n---\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: foo\nspec: {}\n---\n---\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: bar\nspec: {}\n`,\n\t\twant: 
[]*unstructured.Unstructured{{\n\t\t\tObject: map[string]interface{}{\n\t\t\t\t\"apiVersion\": \"policy.sigstore.dev/v1beta1\",\n\t\t\t\t\"kind\":       \"ClusterImagePolicy\",\n\t\t\t\t\"metadata\": map[string]interface{}{\n\t\t\t\t\t\"name\": \"blah\",\n\t\t\t\t},\n\t\t\t\t\"spec\": map[string]interface{}{},\n\t\t\t},\n\t\t}, {\n\t\t\tObject: map[string]interface{}{\n\t\t\t\t\"apiVersion\": \"policy.sigstore.dev/v1beta1\",\n\t\t\t\t\"kind\":       \"ClusterImagePolicy\",\n\t\t\t\t\"metadata\": map[string]interface{}{\n\t\t\t\t\t\"name\": \"foo\",\n\t\t\t\t},\n\t\t\t\t\"spec\": map[string]interface{}{},\n\t\t\t},\n\t\t}, {\n\t\t\tObject: map[string]interface{}{\n\t\t\t\t\"apiVersion\": \"policy.sigstore.dev/v1beta1\",\n\t\t\t\t\"kind\":       \"ClusterImagePolicy\",\n\t\t\t\t\"metadata\": map[string]interface{}{\n\t\t\t\t\t\"name\": \"bar\",\n\t\t\t\t},\n\t\t\t\t\"spec\": map[string]interface{}{},\n\t\t\t},\n\t\t}},\n\t}, {\n\t\tname: \"bad missing apiVersion\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec: {}\n---\n# Missing: apiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: foo\nspec: {}\n---\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: bar\nspec: {}\n`,\n\t\twantErr: apis.ErrMissingField(\"[1].apiVersion\"),\n\t}, {\n\t\tname: \"bad missing kind\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec: {}\n---\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: foo\nspec: {}\n---\napiVersion: policy.sigstore.dev/v1beta1\n# Missing: kind: ClusterImagePolicy\nmetadata:\n  name: bar\nspec: {}\n`,\n\t\twantErr: errors.New(`decoding object[2]: error unmarshaling JSON: while decoding JSON: Object 'Kind' is missing in '{\"apiVersion\":\"policy.sigstore.dev/v1beta1\",\"metadata\":{\"name\":\"bar\"},\"spec\":{}}'`),\n\t}, {\n\t\tname: \"bad 
missing apiVersion\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  # Missing: name: blah\nsp dec: {}\n---\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: foo\nspec: {}\n---\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: bar\nspec: {}\n`,\n\t\twantErr: apis.ErrMissingField(\"[0].metadata.name\"),\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tgot, gotErr := Parse(context.Background(), test.doc)\n\n\t\t\tswitch {\n\t\t\tcase (gotErr != nil) != (test.wantErr != nil):\n\t\t\t\tt.Fatalf(\"Parse() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\tcase gotErr != nil && gotErr.Error() != test.wantErr.Error():\n\t\t\t\tt.Fatalf(\"Parse() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\tcase gotErr != nil:\n\t\t\t\treturn // This was an error test.\n\t\t\t}\n\n\t\t\tif diff := cmp.Diff(got, test.want); diff != \"\" {\n\t\t\t\tt.Errorf(\"Parse (-got, +want) = %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestParseCIP(t *testing.T) {\n\ttests := []struct {\n\t\tname    string\n\t\tdoc     string\n\t\twant    []*v1alpha1.ClusterImagePolicy\n\t\twantErr error\n\t}{{\n\t\tname: \"good alpha object\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  images:\n  - glob: '**'\n  authorities:\n  - static:\n      action: pass\n`,\n\t\twant: []*v1alpha1.ClusterImagePolicy{{\n\t\t\tTypeMeta: v1.TypeMeta{\n\t\t\t\tAPIVersion: \"policy.sigstore.dev/v1alpha1\",\n\t\t\t\tKind:       \"ClusterImagePolicy\",\n\t\t\t},\n\t\t\tObjectMeta: v1.ObjectMeta{\n\t\t\t\tName: \"blah\",\n\t\t\t},\n\t\t\tSpec: v1alpha1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\tGlob: \"**\",\n\t\t\t\t}},\n\t\t\t\tAuthorities: []v1alpha1.Authority{{\n\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\tAction: 
\"pass\",\n\t\t\t\t\t},\n\t\t\t\t}},\n\t\t\t},\n\t\t}},\n\t}, {\n\t\tname: \"good beta object\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  images:\n  - glob: '**'\n  authorities:\n  - static:\n      action: pass\n`,\n\t\twant: []*v1alpha1.ClusterImagePolicy{{\n\t\t\t// TODO(mattmoor): We should be setting TypeMeta when converting.\n\t\t\t// TypeMeta: v1.TypeMeta{\n\t\t\t// \tAPIVersion: \"policy.sigstore.dev/v1alpha1\",\n\t\t\t// \tKind:       \"ClusterImagePolicy\",\n\t\t\t// },\n\t\t\tObjectMeta: v1.ObjectMeta{\n\t\t\t\tName: \"blah\",\n\t\t\t},\n\t\t\tSpec: v1alpha1.ClusterImagePolicySpec{\n\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\tGlob: \"**\",\n\t\t\t\t}},\n\t\t\t\tAuthorities: []v1alpha1.Authority{{\n\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t},\n\t\t\t\t}},\n\t\t\t},\n\t\t}},\n\t}, {\n\t\tname: \"early validation failure\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  bad: field\n`,\n\t\twantErr: errors.New(`unable to unmarshal: json: unknown field \"bad\"`),\n\t}, {\n\t\tname: \"non CIP resource\",\n\t\tdoc: `\napiVersion: v1\nkind: Secret\nmetadata:\n  name: blah\n  namespace: cosign-system\nstringData:\n  key: value\n`,\n\t\twant: []*v1alpha1.ClusterImagePolicy{},\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tgot, _, gotErr := ParseClusterImagePolicies(context.Background(), test.doc)\n\n\t\t\tswitch {\n\t\t\tcase (gotErr != nil) != (test.wantErr != nil):\n\t\t\t\tt.Fatalf(\"Parse() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\tcase gotErr != nil && gotErr.Error() != test.wantErr.Error():\n\t\t\t\tt.Fatalf(\"Parse() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\tcase gotErr != nil:\n\t\t\t\treturn // This was an error test.\n\t\t\t}\n\n\t\t\tif diff := cmp.Diff(got, test.want); diff != \"\" {\n\t\t\t\tt.Errorf(\"Parse 
(-got, +want) = %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/policy/policy.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\n\t\"k8s.io/apimachinery/pkg/util/sets\"\n\t\"knative.dev/pkg/apis\"\n)\n\ntype Verification struct {\n\t// NoMatchPolicy specifies the behavior when a base image doesn't match any\n\t// of the listed policies.  It allows the values: allow, deny, and warn.\n\tNoMatchPolicy string `yaml:\"no-match-policy,omitempty\"`\n\n\t// Policies specifies a set of Sources for fetching policies to use to cover\n\t// images used as part of evaluation.  For more information about what each\n\t// Source supports, see its usage.\n\t// Policies can be nil so that we can distinguish between an explicitly\n\t// specified empty list and when policies is unspecified.\n\tPolicies *[]Source `yaml:\"policies,omitempty\"`\n}\n\n// Source contains a set of options for specifying policies.  
Exactly\n// one of the fields may be specified for each Source entry.\ntype Source struct {\n\t// Data is a collection of one or more ClusterImagePolicy resources.\n\tData string `yaml:\"data,omitempty\"`\n\n\t// Path is a path to a file containing one or more ClusterImagePolicy\n\t// resources.\n\tPath string `yaml:\"path,omitempty\"`\n\n\t// URL links to a file containing one or more ClusterImagePolicy resources.\n\tURL string `yaml:\"url,omitempty\"`\n}\n\nfunc (v *Verification) Validate(ctx context.Context) (errs *apis.FieldError) {\n\tswitch v.NoMatchPolicy {\n\tcase \"allow\", \"deny\", \"warn\":\n\t\t// Good!\n\tcase \"\":\n\t\terrs = errs.Also(apis.ErrMissingField(\"noMatchPolicy\"))\n\tdefault:\n\t\terrs = errs.Also(apis.ErrInvalidValue(v.NoMatchPolicy, \"noMatchPolicy\"))\n\t}\n\n\tif v.Policies == nil {\n\t\terrs = errs.Also(apis.ErrMissingField(\"policies\"))\n\t} else {\n\t\tfor i, p := range *v.Policies {\n\t\t\terrs = errs.Also(p.Validate(ctx).ViaFieldIndex(\"policies\", i))\n\t\t}\n\t}\n\n\treturn errs\n}\n\nfunc (pd *Source) Validate(ctx context.Context) *apis.FieldError {\n\t// Check that exactly one of the fields is set.\n\tset := sets.NewString()\n\tif pd.Data != \"\" {\n\t\tset.Insert(\"data\")\n\t}\n\tif pd.Path != \"\" {\n\t\tset.Insert(\"path\")\n\t}\n\tif pd.URL != \"\" {\n\t\tset.Insert(\"url\")\n\t}\n\t// This returns eagerly to avoid confusing `oneof` validation with errors\n\t// along multiple paths of the oneof.\n\tswitch set.Len() {\n\tcase 0:\n\t\treturn apis.ErrMissingOneOf(\"data\", \"path\", \"url\")\n\tcase 1:\n\t\t// What we want.\n\tdefault:\n\t\t// This will be unreachable until we add more than one thing\n\t\t// to our oneof.\n\t\treturn apis.ErrMultipleOneOf(set.List()...)\n\t}\n\t// We know (from the switch above) there is exactly one field name.\n\tfield, _ := set.PopAny()\n\n\tcontent, err := pd.fetch(ctx)\n\tif err != nil {\n\t\treturn &apis.FieldError{\n\t\t\tMessage: err.Error(),\n\t\t\tPaths:   
[]string{field},\n\t\t}\n\t}\n\tif _, _, err := ParseClusterImagePolicies(ctx, content); err != nil {\n\t\treturn apis.ErrInvalidValue(err.Error(), field)\n\t}\n\treturn nil\n}\n\nfunc (pd *Source) fetch(ctx context.Context) (string, error) {\n\tswitch {\n\tcase pd.Data != \"\":\n\t\treturn pd.Data, nil\n\n\tcase pd.Path != \"\":\n\t\traw, err := os.ReadFile(pd.Path)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\treturn string(raw), nil\n\n\tcase pd.URL != \"\":\n\t\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, pd.URL, nil)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\tresp, err := http.DefaultClient.Do(req)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\tdefer resp.Body.Close()\n\t\traw, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\treturn string(raw), nil\n\n\tdefault:\n\t\t// This should never happen for a validated policy.\n\t\treturn \"\", fmt.Errorf(\"unsupported policy shape: %v\", pd)\n\t}\n}\n"
  },
  {
    "path": "pkg/policy/policy_test.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"testing\"\n)\n\nconst (\n\t// This is an example of what the default ko policy should be\n\t// as of 2023/01/03.\n\tgoodPolicy = `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: ko-default-base-image-policy\nspec:\n  images:\n  - glob: cgr.dev/chainguard/static*\n  authorities:\n  - keyless:\n      url: https://fulcio.sigstore.dev\n      identities:\n      - issuer: https://token.actions.githubusercontent.com\n        subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main\n    ctlog:\n      url: https://rekor.sigstore.dev\n`\n\n\tbadPolicy = `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: ko-default-base-image-policy\nspec:\n  bad: field\n`\n)\n\nfunc TestVerificationValidate(t *testing.T) {\n\ttests := []struct {\n\t\tname    string\n\t\tv       Verification\n\t\twantErr error\n\t}{{\n\t\tname: \"legacy compatibility settings\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"allow\",\n\t\t\tPolicies:      &[]Source{},\n\t\t},\n\t}, {\n\t\tname: \"sample ko default settings\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"warn\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t}, {\n\t\tname: \"sample strict settings\",\n\t\tv: 
Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t}, {\n\t\tname: \"sample URL settings\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tURL: \"https://raw.githubusercontent.com/sigstore/policy-controller/d6ef1f37c9c634fdb2693c11f8aa91c19e76e7d8/examples/policies/allow-only-pods.yaml\",\n\t\t\t}},\n\t\t},\n\t}, {\n\t\tname: \"sample path settings\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tPath: \"../../examples/policies/allow-only-pods.yaml\",\n\t\t\t}},\n\t\t},\n\t}, {\n\t\tname: \"missing no match policy\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t\twantErr: errors.New(`missing field(s): noMatchPolicy`),\n\t}, {\n\t\tname: \"bad no match policy\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"bad\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t\twantErr: errors.New(`invalid value: bad: noMatchPolicy`),\n\t}, {\n\t\tname: \"missing policies\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"warn\",\n\t\t},\n\t\twantErr: errors.New(`missing field(s): policies`),\n\t}, {\n\t\tname: \"missing policy data\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"warn\",\n\t\t\tPolicies:      &[]Source{{\n\t\t\t\t// NO BODY\n\t\t\t}},\n\t\t},\n\t\twantErr: errors.New(`expected exactly one, got neither: policies[0].data, policies[0].path, policies[0].url`),\n\t}, {\n\t\tname: \"bad policy data\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"warn\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: badPolicy,\n\t\t\t}},\n\t\t},\n\t\twantErr: errors.New(`invalid value: unable to unmarshal: json: unknown field \"bad\": policies[0].data`),\n\t}, {\n\t\tname: \"bad URL\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tURL: 
\"bad\",\n\t\t\t}},\n\t\t},\n\t\twantErr: errors.New(`Get \"bad\": unsupported protocol scheme \"\": policies[0].url`),\n\t}, {\n\t\tname: \"bad URL content\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tURL: \"https://raw.githubusercontent.com/sigstore/policy-controller/d6ef1f37c9c634fdb2693c11f8aa91c19e76e7d8/README.md\",\n\t\t\t}},\n\t\t},\n\t\twantErr: errors.New(`invalid value: decoding object[0]: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type map[string]interface {}: policies[0].url`),\n\t}, {\n\t\tname: \"both provided\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t\tURL:  \"https://raw.githubusercontent.com/sigstore/policy-controller/d6ef1f37c9c634fdb2693c11f8aa91c19e76e7d8/examples/policies/allow-only-pods.yaml\",\n\t\t\t}},\n\t\t},\n\t\twantErr: errors.New(`expected exactly one, got both: policies[0].data, policies[0].url`),\n\t}, {\n\t\tname: \"path not found\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tPath: \"not-found.yaml\",\n\t\t\t}},\n\t\t},\n\t\twantErr: errors.New(`open not-found.yaml: no such file or directory: policies[0].path`),\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\ttestContext := context.Background()\n\t\t\tgotErr := test.v.Validate(testContext)\n\t\t\tif (gotErr != nil) != (test.wantErr != nil) {\n\t\t\t\tt.Fatalf(\"Validate() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t\tif gotErr != nil && gotErr.Error() != test.wantErr.Error() {\n\t\t\t\tt.Fatalf(\"Validate() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t})\n\n\t\tt.Run(\"compile: \"+test.name, func(t *testing.T) {\n\t\t\ttestContext := context.Background()\n\t\t\t_, gotErr := Compile(testContext, test.v, t.Logf)\n\t\t\tif (gotErr != nil) != (test.wantErr != nil) {\n\t\t\t\tt.Fatalf(\"Validate() = 
%v, wanted %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t\tif gotErr != nil && gotErr.Error() != test.wantErr.Error() {\n\t\t\t\tt.Fatalf(\"Validate() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/policy/validate.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured\"\n\t\"knative.dev/pkg/apis\"\n)\n\nvar (\n\t// ErrEmptyDocument is the error returned when no document body is\n\t// specified.\n\tErrEmptyDocument = errors.New(\"document is required to create policy\")\n\n\t// ErrUnknownType is the error returned when a type contained in the policy\n\t// is unrecognized.\n\tErrUnknownType = errors.New(\"unknown type\")\n)\n\n// Validate decodes a provided YAML document containing zero or more objects\n// and performs limited validation on them, after applying defaulting (to\n// simulate the mutating webhook running before the validating webhook).\nfunc Validate(ctx context.Context, document string) (warns error, err error) {\n\tif len(document) == 0 {\n\t\treturn nil, ErrEmptyDocument\n\t}\n\n\tuol, err := Parse(ctx, document)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tfor i, uo := range uol {\n\t\tswitch uo.GroupVersionKind() {\n\t\tcase v1beta1.SchemeGroupVersion.WithKind(\"ClusterImagePolicy\"):\n\t\t\tif warns, err = validate(ctx, uo, &v1beta1.ClusterImagePolicy{}); err != 
nil {\n\t\t\t\treturn\n\t\t\t}\n\n\t\tcase v1alpha1.SchemeGroupVersion.WithKind(\"ClusterImagePolicy\"):\n\t\t\tif warns, err = validate(ctx, uo, &v1alpha1.ClusterImagePolicy{}); err != nil {\n\t\t\t\treturn\n\t\t\t}\n\n\t\tcase corev1.SchemeGroupVersion.WithKind(\"Secret\"):\n\t\t\tif uo.GetNamespace() != \"cosign-system\" {\n\t\t\t\treturn warns, apis.ErrInvalidValue(uo.GetNamespace(), \"metadata.namespace\").ViaIndex(i)\n\t\t\t}\n\t\t\t// Any additional validation worth performing?  Should we check the\n\t\t\t// schema of the secret matches the expectations of cosigned?\n\n\t\tdefault:\n\t\t\treturn warns, fmt.Errorf(\"%w: %v\", ErrUnknownType, uo.GroupVersionKind())\n\t\t}\n\t}\n\treturn warns, nil\n}\n\ntype crd interface {\n\tapis.Validatable\n\tapis.Defaultable\n}\n\nfunc validate(ctx context.Context, uo *unstructured.Unstructured, v crd) (warns error, err error) {\n\tb, err := json.Marshal(uo)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to marshal: %w\", err)\n\t}\n\n\tdec := json.NewDecoder(bytes.NewBuffer(b))\n\tdec.DisallowUnknownFields()\n\tif err := dec.Decode(v); err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to unmarshal: %w\", err)\n\t}\n\n\t// Apply defaulting to simulate the defaulting webhook that runs prior\n\t// to validation.\n\tv.SetDefaults(ctx)\n\n\t// We can't just return v.Validate(ctx) because of Go's typed nils.\n\t// nolint:revive\n\tif ve := v.Validate(ctx); ve != nil {\n\t\t// Separate validation warnings from errors so the caller can discern between them.\n\t\tif warnFE := ve.Filter(apis.WarningLevel); warnFE != nil {\n\t\t\twarns = warnFE\n\t\t}\n\t\tif errorFE := ve.Filter(apis.ErrorLevel); errorFE != nil {\n\t\t\terr = errorFE\n\t\t}\n\t}\n\treturn\n}\n"
  },
  {
    "path": "pkg/policy/validate_test.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"testing\"\n\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n\t\"knative.dev/pkg/apis\"\n)\n\nfunc TestValidate(t *testing.T) {\n\ttests := []struct {\n\t\tname                  string\n\t\tdoc                   string\n\t\twantWarns             error\n\t\twantErr               error\n\t\tallowEmptyAuthorities bool\n\t}{{\n\t\tname: \"good single object\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  images:\n  - glob: '*'\n  authorities:\n  - keyless:\n      identities:\n      -  issuer: https://issuer.example.com\n         subject: foo@example.com\n      url: https://fulcio.sigstore.dev\n`,\n\t\twantErr: nil,\n\t}, {\n\t\tname: \"good CIP and Secret\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  images:\n  - glob: '*'\n  authorities:\n  - keyless:\n      identities:\n      -  issuer: https://issuer.example.com\n         subject: foo@example.com\n      url: https://fulcio.sigstore.dev\n---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: foo\n  namespace: cosign-system\nstringData:\n  foo: bar\n`,\n\t\twantErr: nil,\n\t}, {\n\t\tname: \"bad secret namespace\",\n\t\tdoc: `\napiVersion: v1\nkind: Secret\nmetadata:\n  
name: foo\n  namespace: something-system\nstringData:\n  foo: bar\n`,\n\t\twantErr: errors.New(`invalid value: something-system: [0].metadata.namespace`),\n\t}, {\n\t\tname: \"bad image policy\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  images:\n  - glob: '*'\n  authorities:\n  - key: {}\n`,\n\t\twantErr: apis.ErrMissingOneOf(\"data\", \"kms\", \"secretref\").ViaField(\"key\").ViaFieldIndex(\"authorities\", 0).ViaField(\"spec\"),\n\t}, {\n\t\tname:    \"empty document\",\n\t\tdoc:     ``,\n\t\twantErr: ErrEmptyDocument,\n\t}, {\n\t\tname: \"object missing kind\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\n# Missing: kind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec: {}\n`,\n\t\twantErr: errors.New(`decoding object[0]: error unmarshaling JSON: while decoding JSON: Object 'Kind' is missing in '{\"apiVersion\":\"policy.sigstore.dev/v1beta1\",\"metadata\":{\"name\":\"blah\"},\"spec\":{}}'`),\n\t}, {\n\t\tname: \"unknown field\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  asdf: dfsadf\n`,\n\t\twantErr: errors.New(`unable to unmarshal: json: unknown field \"asdf\"`),\n\t}, {\n\t\tname: \"unknown type\",\n\t\tdoc: `\napiVersion: unknown.dev/v1\nkind: OtherPolicy\nmetadata:\n  name: blah\nspec: {}\n`,\n\t\twantErr: errors.New(`unknown type: unknown.dev/v1, Kind=OtherPolicy`),\n\t}, {\n\t\tname: \"error - missing field\",\n\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  images:\n  - glob: '*'\n  authorities:\n  - keyless:\n      url: https://fulcio.sigstore.dev\n`,\n\t\twantErr: errors.New(\"missing field(s): spec.authorities[0].keyless.identities\"),\n\t},\n\t\t{\n\t\t\tname: \"admit - missing authorities\",\n\t\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  images:\n  - glob: 
'*'\n`,\n\t\t\twantErr:               nil,\n\t\t\tallowEmptyAuthorities: true,\n\t\t}, {\n\t\t\tname: \"deny - missing authorities\",\n\t\t\tdoc: `\napiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: blah\nspec:\n  images:\n  - glob: '*'\n`,\n\t\t\twantErr: errors.New(\"missing field(s): spec.authorities\"),\n\t\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\ttestContext := context.Background()\n\t\t\tif test.allowEmptyAuthorities {\n\t\t\t\ttestContext = policycontrollerconfig.ToContext(testContext, &policycontrollerconfig.PolicyControllerConfig{FailOnEmptyAuthorities: false})\n\t\t\t}\n\t\t\tgotWarns, gotErr := Validate(testContext, test.doc)\n\t\t\tif (gotErr != nil) != (test.wantErr != nil) {\n\t\t\t\tt.Fatalf(\"Validate() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t\tif (gotWarns != nil) != (test.wantWarns != nil) {\n\t\t\t\tt.Fatalf(\"Validate() = %v, wanted %v\", gotWarns, test.wantWarns)\n\t\t\t}\n\t\t\tif gotErr != nil && gotErr.Error() != test.wantErr.Error() {\n\t\t\t\tt.Fatalf(\"Validate() = %v, wanted %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t\tif gotWarns != nil && gotWarns.Error() != test.wantWarns.Error() {\n\t\t\t\tt.Fatalf(\"Validate() = %v, wanted %v\", gotWarns, test.wantWarns)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/policy/verifier.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\n\t\"github.com/google/go-containerregistry/pkg/authn\"\n\t\"github.com/google/go-containerregistry/pkg/name\"\n\t\"github.com/google/go-containerregistry/pkg/v1/remote\"\n\tociremote \"github.com/sigstore/cosign/v3/pkg/oci/remote\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\t\"github.com/sigstore/policy-controller/pkg/webhook\"\n\twebhookcip \"github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"knative.dev/pkg/apis\"\n)\n\n// Verifier is the interface for checking that a given image digest satisfies\n// the policies backing this interface.\ntype Verifier interface {\n\t// Verify checks that the provided reference satisfies the backing policies.\n\t//\n\t// For policies specifying `match:` criteria with apiVersion/kind, the\n\t// TypeMeta should be associated with `ctx` here using:\n\t//    webhook.GetIncludeTypeMeta(ctx)\n\t//\n\t// For policies specifying `match:` criteria with label selectors, the\n\t// ObjectMeta should be associated with `ctx` here using:\n\t//    webhook.GetIncludeObjectMeta(ctx)\n\tVerify(context.Context, name.Reference, authn.Keychain, ...ociremote.Option) error\n}\n\n// WarningWriter is used to surface warning messages in a manner that\n// is customizable by 
callers that's suitable for their execution\n// environment.  The signature is intended to match the standard format string\n// signature (e.g. Printf, Infof, Logf, Errorf, Fatalf, ...), so functions like\n// log.Printf or t.Errorf can be passed here directly.\ntype WarningWriter func(string, ...interface{})\n\n// Compile turns a Verification into an executable Verifier.\n// Any compilation errors are returned here.\nfunc Compile(ctx context.Context, v Verification, ww WarningWriter) (Verifier, error) {\n\tif err := v.Validate(ctx); err != nil {\n\t\treturn nil, err\n\t}\n\n\tipc, err := gather(ctx, v, ww)\n\tif err != nil {\n\t\t// This should never hit for validated policies.\n\t\treturn nil, err\n\t}\n\n\treturn &impl{\n\t\tverification: v,\n\t\tipc:          ipc,\n\t\tww:           ww,\n\t}, nil\n}\n\nfunc gather(ctx context.Context, v Verification, ww WarningWriter) (*config.ImagePolicyConfig, error) {\n\tpol := *v.Policies\n\tipc := &config.ImagePolicyConfig{\n\t\tPolicies: make(map[string]webhookcip.ClusterImagePolicy, len(pol)),\n\t}\n\n\tfor i, p := range pol {\n\t\tcontent, err := p.fetch(ctx)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tl, warns, err := ParseClusterImagePolicies(ctx, content)\n\t\tif err != nil {\n\t\t\t// This path should be unreachable, since we already parse\n\t\t\t// things during compilation.\n\t\t\treturn nil, fmt.Errorf(\"parsing policies: %w\", err)\n\t\t}\n\t\tif warns != nil {\n\t\t\tww(\"policy %d: %v\", i, warns)\n\t\t}\n\n\t\t// TODO(mattmoor): Add additional checks for unsupported things,\n\t\t// like Match, IncludeSpec, etc.\n\n\t\tfor _, cip := range l {\n\t\t\tcip.SetDefaults(ctx)\n\t\t\tif _, ok := ipc.Policies[cip.Name]; ok {\n\t\t\t\tww(\"duplicate policy named %q, skipping\", cip.Name)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// We need to roundtrip the policy through JSON here because\n\t\t\t// the compiled policy expects to be decoded from JSON and only\n\t\t\t// sets up certain fields when being unmarshalled 
from JSON, so\n\t\t\t// things like keyful verification only work when we roundtrip\n\t\t\t// through JSON.\n\t\t\tvar compiled webhookcip.ClusterImagePolicy\n\t\t\tif err := convert(webhookcip.ConvertClusterImagePolicyV1alpha1ToWebhook(cip), &compiled); err != nil {\n\t\t\t\tww(\"roundtripping policy %v\", err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tipc.Policies[cip.Name] = compiled\n\t\t}\n\t}\n\n\treturn ipc, nil\n}\n\ntype impl struct {\n\tverification Verification\n\n\tipc *config.ImagePolicyConfig\n\tww  WarningWriter\n}\n\n// Check that impl implements Verifier\nvar _ Verifier = (*impl)(nil)\n\n// Verify implements Verifier\nfunc (i *impl) Verify(ctx context.Context, ref name.Reference, kc authn.Keychain, opts ...ociremote.Option) error {\n\ttm := getTypeMeta(ctx)\n\tom := getObjectMeta(ctx)\n\tmatches, err := i.ipc.GetMatchingPolicies(ref.Name(), tm.Kind, tm.APIVersion, om.Labels)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif len(matches) == 0 {\n\t\tswitch i.verification.NoMatchPolicy {\n\t\tcase \"allow\":\n\t\t\treturn nil\n\t\tcase \"warn\":\n\t\t\ti.ww(\"%s is uncovered by policy\", ref)\n\t\tcase \"deny\":\n\t\t\treturn fmt.Errorf(\"%s is uncovered by policy\", ref)\n\t\tdefault:\n\t\t\t// This is unreachable for a validated Verification.\n\t\t\treturn fmt.Errorf(\"unsupported noMatchPolicy: %q\", i.verification.NoMatchPolicy)\n\t\t}\n\t}\n\n\t// Add the keychain to our (optional) list of options.\n\topts = append(opts, ociremote.WithRemoteOptions(remote.WithAuthFromKeychain(kc)))\n\n\tfor _, p := range matches {\n\t\tres, errs := webhook.ValidatePolicy(ctx, \"\" /* namespace */, ref, p, kc, opts...)\n\t\tif res != nil { //nolint: revive\n\t\t\t// Ignore the errors for other authorities if we got a policy result.\n\t\t} else {\n\t\t\t// If we didn't get a policy result, then surface any errors.\n\t\t\tfor _, err := range errs {\n\t\t\t\tvar fe *apis.FieldError\n\t\t\t\tif errors.As(err, &fe) {\n\t\t\t\t\tif warnFE := fe.Filter(apis.WarningLevel); warnFE 
!= nil {\n\t\t\t\t\t\ti.ww(\"%v\", warnFE)\n\t\t\t\t\t}\n\t\t\t\t\tif errorFE := fe.Filter(apis.ErrorLevel); errorFE != nil {\n\t\t\t\t\t\treturn errorFE\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc getTypeMeta(ctx context.Context) (tm metav1.TypeMeta) {\n\traw := webhook.GetIncludeTypeMeta(ctx)\n\tif raw == nil {\n\t\treturn\n\t}\n\t_ = convert(raw, &tm)\n\treturn\n}\n\nfunc getObjectMeta(ctx context.Context) (om metav1.ObjectMeta) {\n\traw := webhook.GetIncludeObjectMeta(ctx)\n\tif raw == nil {\n\t\treturn\n\t}\n\t_ = convert(raw, &om)\n\treturn\n}\n"
  },
  {
    "path": "pkg/policy/verifier_test.go",
    "content": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage policy\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/google/go-containerregistry/pkg/authn\"\n\t\"github.com/google/go-containerregistry/pkg/name\"\n)\n\nconst (\n\t// This is the digest of cgr.dev/chainguard/static as of 2023/01/03.\n\t// It is verifiable with goodPolicy.\n\tstaticDigest = \"sha256:39ae0654d64cb72003216f6148e581e6d7cf239ac32325867af46666e31739d2\"\n\n\t// This is the digest of cgr.dev/chainguard/static as of 2023/01/03.\n\t// It is not verifiable with goodPolicy.\n\tancientDigest = \"sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b\"\n)\n\nfunc TestVerifierDeny(t *testing.T) {\n\ttests := []struct {\n\t\tname    string\n\t\tv       Verification\n\t\td       name.Digest\n\t\twantErr error\n\t}{{\n\t\tname: \"successful policy evaluation\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t\td: name.MustParseReference(\"cgr.dev/chainguard/static@\" + staticDigest).(name.Digest),\n\t}, {\n\t\tname: \"no match policy failure\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t\td:       name.MustParseReference(\"cgr.dev/chainguard/busybox@\" + staticDigest).(name.Digest),\n\t\twantErr: 
errors.New(\"cgr.dev/chainguard/busybox@sha256:39ae0654d64cb72003216f6148e581e6d7cf239ac32325867af46666e31739d2 is uncovered by policy\"),\n\t}, {\n\t\tname: \"policy evaluation failure\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t\td:       name.MustParseReference(\"cgr.dev/chainguard/static@\" + ancientDigest).(name.Digest),\n\t\twantErr: errors.New(\"signature keyless validation failed for authority authority-0 for cgr.dev/chainguard/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://github.com/distroless/static/.github/workflows/release.yaml@refs/heads/main] with issuer https://token.actions.githubusercontent.com: \"),\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tvfy, err := Compile(context.Background(), test.v,\n\t\t\t\tt.Errorf /* we expect no warnings! 
*/)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"Compile() = %v\", err)\n\t\t\t}\n\n\t\t\tgotErr := vfy.Verify(context.Background(), test.d, authn.DefaultKeychain)\n\t\t\tif (gotErr != nil) != (test.wantErr != nil) {\n\t\t\t\tt.Fatalf(\"Verify() = %v, wanted: %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t\tif gotErr != nil && gotErr.Error() != test.wantErr.Error() {\n\t\t\t\tt.Fatalf(\"Verify() = %v, wanted: %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestVerifierWarn(t *testing.T) {\n\ttests := []struct {\n\t\tname    string\n\t\tv       Verification\n\t\td       name.Digest\n\t\twantErr error\n\t}{{\n\t\tname: \"successful policy evaluation (warn mode)\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"warn\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t\td: name.MustParseReference(\"cgr.dev/chainguard/static@\" + staticDigest).(name.Digest),\n\t}, {\n\t\tname: \"no match policy failure\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"warn\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t\td:       name.MustParseReference(\"cgr.dev/chainguard/busybox@\" + staticDigest).(name.Digest),\n\t\twantErr: errors.New(\"cgr.dev/chainguard/busybox@sha256:39ae0654d64cb72003216f6148e581e6d7cf239ac32325867af46666e31739d2 is uncovered by policy\"),\n\t}, {\n\t\tname: \"policy evaluation failure (warn mode)\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\",\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy + \"  mode: warn\",\n\t\t\t}},\n\t\t},\n\t\td:       name.MustParseReference(\"cgr.dev/chainguard/static@\" + ancientDigest).(name.Digest),\n\t\twantErr: errors.New(\"signature keyless validation failed for authority authority-0 for cgr.dev/chainguard/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b: no matching signatures: none of the expected identities matched what was in the certificate, got subjects 
[https://github.com/distroless/static/.github/workflows/release.yaml@refs/heads/main] with issuer https://token.actions.githubusercontent.com: \"),\n\t}, {\n\t\tname: \"duplicate policies\",\n\t\tv: Verification{\n\t\t\tNoMatchPolicy: \"deny\", // This is always surfaced as a warning.\n\t\t\tPolicies: &[]Source{{\n\t\t\t\tData: goodPolicy,\n\t\t\t}, {\n\t\t\t\tData: goodPolicy,\n\t\t\t}},\n\t\t},\n\t\td:       name.MustParseReference(\"cgr.dev/chainguard/static@\" + staticDigest).(name.Digest),\n\t\twantErr: errors.New(`duplicate policy named \"ko-default-base-image-policy\", skipping`),\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(\"warn: \"+test.name, func(t *testing.T) {\n\t\t\tvar gotErr error\n\t\t\tvfy, err := Compile(context.Background(), test.v,\n\t\t\t\tfunc(s string, i ...interface{}) {\n\t\t\t\t\tgotErr = fmt.Errorf(s, i...)\n\t\t\t\t})\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"Compile() = %v\", err)\n\t\t\t}\n\n\t\t\terr = vfy.Verify(context.Background(), test.d, authn.DefaultKeychain)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"Verify() = %v\", err)\n\t\t\t}\n\n\t\t\tif (gotErr != nil) != (test.wantErr != nil) {\n\t\t\t\tt.Fatalf(\"Verify() = %v, wanted: %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t\tif gotErr != nil && gotErr.Error() != test.wantErr.Error() {\n\t\t\t\tt.Fatalf(\"Verify() = %v, wanted: %v\", gotErr, test.wantErr)\n\t\t\t}\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage clusterimagepolicy\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"crypto/sha256\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"strings\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/signaturealgo\"\n\tclusterimagepolicyreconciler \"github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy\"\n\t\"github.com/sigstore/policy-controller/pkg/reconciler/clusterimagepolicy/resources\"\n\twebhookcip \"github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\n\tcorev1 \"k8s.io/api/core/v1\"\n\tapierrs \"k8s.io/apimachinery/pkg/api/errors\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/types\"\n\t\"k8s.io/client-go/kubernetes\"\n\tcorev1listers \"k8s.io/client-go/listers/core/v1\"\n\n\t\"knative.dev/pkg/logging\"\n\t\"knative.dev/pkg/reconciler\"\n\t\"knative.dev/pkg/system\"\n\t\"knative.dev/pkg/tracker\"\n\n\tsigs \"github.com/sigstore/cosign/v3/pkg/signature\"\n\t\"github.com/sigstore/sigstore/pkg/signature/kms\"\n\tsignatureoptions \"github.com/sigstore/sigstore/pkg/signature/options\"\n)\n\n// Reconciler implements clusterimagepolicyreconciler.Interface for\n// 
ClusterImagePolicy resources.\ntype Reconciler struct {\n\t// Tracker builds an index of what resources are watching other resources\n\t// so that we can immediately react to changes to tracked resources.\n\ttracker tracker.Interface\n\t// We need to be able to read Secrets, which are really holding public\n\t// keys.\n\tsecretlister    corev1listers.SecretLister\n\tconfigmaplister corev1listers.ConfigMapLister\n\tkubeclient      kubernetes.Interface\n}\n\n// Check that our Reconciler implements Interface as well as Finalizer\nvar _ clusterimagepolicyreconciler.Interface = (*Reconciler)(nil)\nvar _ clusterimagepolicyreconciler.Finalizer = (*Reconciler)(nil)\n\n// ReconcileKind implements Interface.ReconcileKind.\nfunc (r *Reconciler) ReconcileKind(ctx context.Context, cip *v1alpha1.ClusterImagePolicy) reconciler.Event {\n\tcip.Status.InitializeConditions()\n\tcipCopy, cipErr := r.inlinePublicKeys(ctx, cip)\n\tif cipErr != nil {\n\t\tr.handleCIPError(ctx, cip.Name)\n\t\t// Update the status to reflect that we were unable to inline keys.\n\t\tcip.Status.MarkInlineKeysFailed(cipErr.Error())\n\t\t// Note that we return the error about the Invalid cip here to make\n\t\t// sure that it's surfaced.\n\t\treturn cipErr\n\t}\n\tcip.Status.MarkInlineKeysOk()\n\n\tcipErr = r.inlinePolicies(ctx, cipCopy)\n\tif cipErr != nil {\n\t\tr.handleCIPError(ctx, cip.Name)\n\t\t// Update the status to reflect that we were unable to inline policies.\n\t\tcip.Status.MarkInlinePoliciesFailed(cipErr.Error())\n\t\t// Note that we return the error about the Invalid cip here to make\n\t\t// sure that it's surfaced.\n\t\treturn cipErr\n\t}\n\tcip.Status.MarkInlinePoliciesOk()\n\n\twebhookCIP := webhookcip.ConvertClusterImagePolicyV1alpha1ToWebhook(cipCopy)\n\n\t// See if the CM holding configs exists\n\texisting, err := r.configmaplister.ConfigMaps(system.Namespace()).Get(config.ImagePoliciesConfigName)\n\tif err != nil {\n\t\tif !apierrs.IsNotFound(err) 
{\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to get configmap: %v\", err)\n\t\t\tcip.Status.MarkCMUpdateFailed(err.Error())\n\t\t\treturn err\n\t\t}\n\t\t// Does not exist, create it.\n\t\tcm, err := resources.NewConfigMap(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, webhookCIP)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to construct configmap: %v\", err)\n\t\t\tcip.Status.MarkCMUpdateFailed(err.Error())\n\t\t\treturn err\n\t\t}\n\t\t_, err = r.kubeclient.CoreV1().ConfigMaps(system.Namespace()).Create(ctx, cm, metav1.CreateOptions{})\n\t\tif err != nil {\n\t\t\tcip.Status.MarkCMUpdateFailed(err.Error())\n\t\t\treturn err\n\t\t}\n\t\tcip.Status.MarkCMUpdatedOK()\n\t\treturn err\n\t}\n\n\t// Check if we need to update the configmap or not.\n\tpatchBytes, err := resources.CreatePatch(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, existing.DeepCopy(), webhookCIP)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"Failed to create patch: %v\", err)\n\t\tcip.Status.MarkCMUpdateFailed(err.Error())\n\t\treturn err\n\t}\n\tif len(patchBytes) > 0 {\n\t\t_, err = r.kubeclient.CoreV1().ConfigMaps(system.Namespace()).Patch(ctx, config.ImagePoliciesConfigName, types.JSONPatchType, patchBytes, metav1.PatchOptions{})\n\t\tif err != nil {\n\t\t\tcip.Status.MarkCMUpdateFailed(err.Error())\n\t\t\treturn err\n\t\t}\n\t}\n\tcip.Status.MarkCMUpdatedOK()\n\treturn nil\n}\n\n// FinalizeKind implements Finalizer.FinalizeKind.\nfunc (r *Reconciler) FinalizeKind(ctx context.Context, cip *v1alpha1.ClusterImagePolicy) reconciler.Event {\n\t// See if the CM holding configs even exists\n\texisting, err := r.configmaplister.ConfigMaps(system.Namespace()).Get(config.ImagePoliciesConfigName)\n\tif err != nil {\n\t\tif !apierrs.IsNotFound(err) {\n\t\t\t// There's very little we can do here. This could happen if it's\n\t\t\t// an intermittent error, which is fine when we retry. 
But if something\n\t\t\t// goofy happens like we lost access to it, then it's a bit of a\n\t\t\t// pickle since the entry will exist there and we can't remove it.\n\t\t\t// So keep trying. Other option would be just to bail.\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to get configmap: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\t// Since the CM doesn't exist, there's nothing for us to clean up.\n\t\treturn nil\n\t}\n\t// CM exists, so remove our entry from it.\n\treturn r.removeCIPEntry(ctx, existing, cip.Name)\n}\n\nfunc (r *Reconciler) handleCIPError(ctx context.Context, cipName string) {\n\t// The CIP is invalid, try to remove CIP from the configmap\n\texisting, err := r.configmaplister.ConfigMaps(system.Namespace()).Get(config.ImagePoliciesConfigName)\n\tif err != nil {\n\t\tif !apierrs.IsNotFound(err) {\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to get configmap: %v\", err)\n\t\t}\n\t} else if err := r.removeCIPEntry(ctx, existing, cipName); err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"Failed to remove CIP entry from configmap: %v\", err)\n\t}\n}\n\n// inlinePublicKeys will go through the CIP and try to read the referenced\n// secrets, KMS keys and convert them into inlined data. 
Makes a copy of the CIP\n// before modifying it and returns the copy.\nfunc (r *Reconciler) inlinePublicKeys(ctx context.Context, cip *v1alpha1.ClusterImagePolicy) (*v1alpha1.ClusterImagePolicy, error) {\n\tret := cip.DeepCopy()\n\tfor _, authority := range ret.Spec.Authorities {\n\t\tif authority.Key != nil && authority.Key.SecretRef != nil {\n\t\t\tif err := r.inlineAndTrackSecret(ctx, ret, authority.Key); err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to read secret %q: %v\", authority.Key.SecretRef.Name, err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t\tif authority.Keyless != nil && authority.Keyless.CACert != nil &&\n\t\t\tauthority.Keyless.CACert.SecretRef != nil {\n\t\t\tif err := r.inlineAndTrackSecret(ctx, ret, authority.Keyless.CACert); err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to read secret %q: %v\", authority.Keyless.CACert.SecretRef.Name, err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t\tif authority.Key != nil && strings.Contains(authority.Key.KMS, \"://\") {\n\t\t\tpubKeyString, err := getKMSPublicKey(ctx, authority.Key.KMS, authority.Key.HashAlgorithm)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\tauthority.Key.Data = pubKeyString\n\t\t\tauthority.Key.KMS = \"\"\n\t\t}\n\t}\n\treturn ret, nil\n}\n\n// getKMSPublicKey returns the public key as a string from the configured KMS service using the key ID\nfunc getKMSPublicKey(ctx context.Context, keyID string, hashAlgorithm string) (string, error) {\n\talgorithm := crypto.SHA256\n\tif hashAlgorithm != \"\" {\n\t\tvar err error\n\t\talgorithm, err = signaturealgo.HashAlgorithm(hashAlgorithm)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to extract the signature hash algorithm: %w\", err)\n\t\t\treturn \"\", fmt.Errorf(\"failed to extract the signature hash algorithm: %w\", err)\n\t\t}\n\t}\n\tkmsSigner, err := kms.Get(ctx, keyID, algorithm)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"Failed to read KMS key ID 
%q: %v\", keyID, err)\n\t\treturn \"\", err\n\t}\n\tpemBytes, err := sigs.PublicKeyPem(kmsSigner, signatureoptions.WithContext(ctx))\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn string(pemBytes), nil\n}\n\n// inlineAndTrackSecret will take in a KeyRef and tries to read the Secret, finding the\n// first key from it and will inline it in place of Data and then clear out\n// the SecretRef and return it.\n// Additionally, we set up a tracker so we will be notified if the secret\n// is modified.\n// There's still some discussion about how to handle multiple keys in a secret;\n// for now, just grab one from it. For reference, the discussion is here:\n// TODO(vaikas): https://github.com/sigstore/cosign/issues/1573\nfunc (r *Reconciler) inlineAndTrackSecret(ctx context.Context, cip *v1alpha1.ClusterImagePolicy, keyref *v1alpha1.KeyRef) error {\n\tif err := r.tracker.TrackReference(tracker.Reference{\n\t\tAPIVersion: \"v1\",\n\t\tKind:       \"Secret\",\n\t\tNamespace:  system.Namespace(),\n\t\tName:       keyref.SecretRef.Name,\n\t}, cip); err != nil {\n\t\treturn fmt.Errorf(\"failed to track changes to secret %q : %w\", keyref.SecretRef.Name, err)\n\t}\n\tsecret, err := r.secretlister.Secrets(system.Namespace()).Get(keyref.SecretRef.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(secret.Data) == 0 {\n\t\treturn fmt.Errorf(\"secret %q contains no data\", keyref.SecretRef.Name)\n\t}\n\tif len(secret.Data) > 1 {\n\t\treturn fmt.Errorf(\"secret %q contains multiple data entries, only one is supported\", keyref.SecretRef.Name)\n\t}\n\tfor k, v := range secret.Data {\n\t\tlogging.FromContext(ctx).Infof(\"inlining secret %q key %q\", keyref.SecretRef.Name, k)\n\t\tpublicKey, err := cryptoutils.UnmarshalPEMToPublicKey(v)\n\t\tif err != nil || publicKey == nil {\n\t\t\treturn fmt.Errorf(\"secret %q contains an invalid public key: %w\", keyref.SecretRef.Name, err)\n\t\t}\n\t\tkeyref.Data = string(v)\n\t\tkeyref.SecretRef = nil\n\t}\n\treturn nil\n}\n\n// inlinePolicies 
will go through the CIP and try to read the referenced\n// ConfigMapRefs and convert them into inlined data. Modifies the cip in-place\nfunc (r *Reconciler) inlinePolicies(ctx context.Context, cip *v1alpha1.ClusterImagePolicy) error {\n\tfor _, authority := range cip.Spec.Authorities {\n\t\tfor _, att := range authority.Attestations {\n\t\t\tif att.Policy != nil && att.Policy.ConfigMapRef != nil {\n\t\t\t\terr := r.inlineAndTrackConfigMap(ctx, cip, att.Policy)\n\t\t\t\tif err != nil {\n\t\t\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to read configmap %q: %v\", att.Policy.ConfigMapRef.Name, err)\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t\tif att.Policy != nil && att.Policy.Remote != nil {\n\t\t\t\terr := r.inlinePolicyURL(ctx, att.Policy)\n\t\t\t\tif err != nil {\n\t\t\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to read policy url %s: %v\", cip.Spec.Policy.Remote.URL.String(), err)\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tif cip.Spec.Policy != nil && cip.Spec.Policy.ConfigMapRef != nil {\n\t\terr := r.inlineAndTrackConfigMap(ctx, cip, cip.Spec.Policy)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to read configmap %q: %v\", cip.Spec.Policy.ConfigMapRef.Name, err)\n\t\t\treturn err\n\t\t}\n\t}\n\tif cip.Spec.Policy != nil && cip.Spec.Policy.Remote != nil {\n\t\terr := r.inlinePolicyURL(ctx, cip.Spec.Policy)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to read policy url %s: %v\", cip.Spec.Policy.Remote.URL.String(), err)\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (r *Reconciler) inlinePolicyURL(ctx context.Context, policyRef *v1alpha1.Policy) error {\n\tlogging.FromContext(ctx).Infof(\"inlining policy url %q\", policyRef.Remote.URL.String())\n\tresp, err := http.Get(policyRef.Remote.URL.String())\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to fetch content from policy url: %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode < 200 || resp.StatusCode > 299 
{\n\t\treturn fmt.Errorf(\"failed to fetch content from policy url with code %q\", resp.StatusCode)\n\t}\n\tdata, err := io.ReadAll(resp.Body)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to read policy url response: %w\", err)\n\t}\n\t// Checking the sha256sum value in comparison with the one set in the policy\n\tsha256Sum := fmt.Sprintf(\"%x\", sha256.Sum256(data))\n\tif sha256Sum != policyRef.Remote.Sha256sum {\n\t\treturn fmt.Errorf(\"failed to check sha256sum from policy remote: %s got %s\", policyRef.Remote.Sha256sum, sha256Sum)\n\t}\n\tpolicyRef.Data = string(data)\n\tpolicyRef.Remote = nil\n\treturn nil\n}\n\n// inlineAndTrackConfigMap will take in a ConfigMapRef and tries to read the ConfigMap,\n// finding the first key from it and will inline it in place of Data and then\n// clear out the ConfigMapRef and return it.\n// Additionally, we set up a tracker so we will be notified if the ConfigMap\n// is modified.\nfunc (r *Reconciler) inlineAndTrackConfigMap(ctx context.Context, cip *v1alpha1.ClusterImagePolicy, policyRef *v1alpha1.Policy) error {\n\tcmName := policyRef.ConfigMapRef.Name\n\tkeyName := policyRef.ConfigMapRef.Key\n\tif err := r.tracker.TrackReference(tracker.Reference{\n\t\tAPIVersion: \"v1\",\n\t\tKind:       \"ConfigMap\",\n\t\tNamespace:  system.Namespace(),\n\t\tName:       cmName,\n\t}, cip); err != nil {\n\t\treturn fmt.Errorf(\"failed to track changes to configmap %q : %w\", cmName, err)\n\t}\n\tcm, err := r.configmaplister.ConfigMaps(system.Namespace()).Get(cmName)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(cm.Data) == 0 {\n\t\treturn fmt.Errorf(\"configmap %q contains no data\", cmName)\n\t}\n\tif cm.Data[keyName] == \"\" {\n\t\treturn fmt.Errorf(\"configmap %q does not contain key %s\", cmName, keyName)\n\t}\n\tlogging.FromContext(ctx).Infof(\"inlining configmap %q key %q\", cmName, keyName)\n\tpolicyRef.Data = cm.Data[keyName]\n\tpolicyRef.ConfigMapRef = nil\n\treturn nil\n}\n\n// removeCIPEntry removes an entry from a 
CM. If no entry exists, it's a nop.\nfunc (r *Reconciler) removeCIPEntry(ctx context.Context, cm *corev1.ConfigMap, cipName string) error {\n\tpatchBytes, err := resources.CreateRemovePatch(system.Namespace(), config.ImagePoliciesConfigName, cm.DeepCopy(), cipName)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"Failed to create remove patch: %v\", err)\n\t\treturn err\n\t}\n\tif len(patchBytes) > 0 {\n\t\t_, err = r.kubeclient.CoreV1().ConfigMaps(system.Namespace()).Patch(ctx, config.ImagePoliciesConfigName, types.JSONPatchType, patchBytes, metav1.PatchOptions{})\n\t\treturn err\n\t}\n\treturn nil\n}\n"
  },
  {
    "path": "pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage clusterimagepolicy\n\nimport (\n\t\"context\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"strings\"\n\t\"testing\"\n\n\tlogtesting \"knative.dev/pkg/logging/testing\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/signaturealgo\"\n\tfakecosignclient \"github.com/sigstore/policy-controller/pkg/client/injection/client/fake\"\n\t\"github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\tclientgotesting \"k8s.io/client-go/testing\"\n\t\"knative.dev/pkg/apis\"\n\tfakekubeclient \"knative.dev/pkg/client/injection/kube/client/fake\"\n\t\"knative.dev/pkg/configmap\"\n\t\"knative.dev/pkg/controller\"\n\t\"knative.dev/pkg/system\"\n\t\"knative.dev/pkg/tracker\"\n\n\t. \"github.com/sigstore/policy-controller/pkg/reconciler/testing/v1alpha1\"\n\t. 
\"knative.dev/pkg/reconciler/testing\"\n\t_ \"knative.dev/pkg/system/testing\"\n\n\t\"github.com/sigstore/sigstore/pkg/signature/kms/fake\"\n)\n\nconst (\n\tcipName           = \"test-cip\"\n\tcipKMSName        = \"test-kms-cip\"\n\ttestKey           = \"test-cip\"\n\tcipName2          = \"test-cip-2\"\n\ttestKey2          = \"test-cip-2\"\n\tkeySecretName     = \"publickey-key\"\n\tkeylessSecretName = \"publickey-keyless\"\n\tglob              = \"ghcr.io/example/*\"\n\tfakeKMSKey        = \"fakekms://keycip\"\n\tpolicyCMName      = \"policy-configmap\"\n\tpolicyCMKey       = \"policy-configmap-key\"\n\n\ttestPolicy = `predicateType: \"cosign.sigstore.dev/attestation/v1\"\npredicate: Data: \"foobar key e2e test\"`\n\n\t// This is above ran through shasum -a 256. Note that there's no trailing\n\t// newline.\n\ttestPolicySHA256 = \"c694cc08146070e84751ce7416d4befd70ea779071f457df8127586a29ac6580\"\n\n\t// Same as above with one change just to make it fail\n\ttestPolicySHA256Bad = \"c694cc08146070e84751ce7416d4befd70ea779071f457df8107586a29ac6580\"\n\n\t// Just some public key that was laying around, only format matters.\n\tvalidPublicKeyData = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n-----END PUBLIC KEY-----`\n\n\t// This is the patch for replacing a single entry in the ConfigMap\n\treplaceCIPPatch = `[{\"op\":\"replace\",\"path\":\"/data/test-cip\",\"value\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"key\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\",\\\"hashAlgorithm\\\":\\\"sha256\\\"}}],\\\"mode\\\":\\\"enforce\\\"}\"}]`\n\n\t// This is 
the patch for adding an entry for non-existing KMS for cipName2\n\taddCIP2Patch = `[{\"op\":\"add\",\"path\":\"/data/test-cip-2\",\"value\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"key\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\",\\\"hashAlgorithm\\\":\\\"sha256\\\"}}],\\\"mode\\\":\\\"enforce\\\"}\"}]`\n\n\t// This is the patch for removing the last entry, leaving just the\n\t// configmap objectmeta, no data.\n\tremoveDataPatch = `[{\"op\":\"remove\",\"path\":\"/data\"}]`\n\n\t// This is the patch for removing only a single entry from a map that has\n\t// two entries but only one is being removed. For key entry\n\tremoveSingleEntryKeyPatch = `[{\"op\":\"remove\",\"path\":\"/data/test-cip\"}]`\n\n\t// This is the patch for removing only a single entry from a map that has\n\t// two entries but only one is being removed. 
For keyless entry.\n\tremoveSingleEntryKeylessPatch = `[{\"op\":\"remove\",\"path\":\"/data/test-cip-2\"}]`\n\n\t// This is the patch for inlined cip policy configmap ref.\n\tinlinedPolicyPatch = `[{\"op\":\"replace\",\"path\":\"/data/test-cip\",\"value\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"static\\\":{\\\"action\\\":\\\"pass\\\"}}],\\\"policy\\\":{\\\"name\\\":\\\"\\\",\\\"predicateType\\\":\\\"\\\",\\\"type\\\":\\\"cue\\\",\\\"data\\\":\\\"predicateType: \\\\\\\"cosign.sigstore.dev/attestation/v1\\\\\\\"\\\\npredicate: Data: \\\\\\\"foobar key e2e test\\\\\\\"\\\"},\\\"mode\\\":\\\"enforce\\\"}\"}]`\n\n\t// This is the patch for inlined secret for keyless cakey ref data\n\tinlinedSecretKeylessPatch = `[{\"op\":\"replace\",\"path\":\"/data/test-cip-2\",\"value\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"keyless\\\":{\\\"identities\\\":[{\\\"issuerRegExp\\\":\\\"iss.*\\\",\\\"subjectRegExp\\\":\\\"sub.*\\\"}],\\\"ca-cert\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\",\\\"hashAlgorithm\\\":\\\"sha256\\\"}}}],\\\"mode\\\":\\\"enforce\\\"}\"}]`\n\n\t// This is the patch for inlined secret with matching resource, version and group\n\tinlinedSecretKeylessMatchResourcePatch = 
`[{\"op\":\"replace\",\"path\":\"/data/test-cip-2\",\"value\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"keyless\\\":{\\\"identities\\\":[{\\\"issuerRegExp\\\":\\\"iss.*\\\",\\\"subjectRegExp\\\":\\\"sub.*\\\"}],\\\"ca-cert\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\",\\\"hashAlgorithm\\\":\\\"sha256\\\"}}}],\\\"mode\\\":\\\"enforce\\\",\\\"match\\\":[{\\\"group\\\":\\\"apps\\\",\\\"version\\\":\\\"v1\\\",\\\"resource\\\":\\\"deployments\\\"}]}\"}]`\n\n\t// This is the patch for inlined secret with matching labels\n\tinlinedSecretKeylessMatchLabelsPatch = `[{\"op\":\"replace\",\"path\":\"/data/test-cip-2\",\"value\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"keyless\\\":{\\\"identities\\\":[{\\\"issuerRegExp\\\":\\\"iss.*\\\",\\\"subjectRegExp\\\":\\\"sub.*\\\"}],\\\"ca-cert\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\",\\\"hashAlgorithm\\\":\\\"sha256\\\"}}}],\\\"mode\\\":\\\"enforce\\\",\\\"match\\\":[{\\\"group\\\":\\\"apps\\\",\\\"version\\\":\\\"v1\\\",\\\"resource\\\":\\\"replicasets\\\",\\\"selector\\\":{\\\"matchLabels\\\":{\\\"match\\\":\\\"match\\\"}}}]}\"}]`\n\n\treplaceCIPKeySourcePatch = 
`[{\"op\":\"replace\",\"path\":\"/data/test-cip\",\"value\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"key\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\",\\\"hashAlgorithm\\\":\\\"sha256\\\"},\\\"source\\\":[{\\\"oci\\\":\\\"example.com/alternative/signature\\\",\\\"signaturePullSecrets\\\":[{\\\"name\\\":\\\"signaturePullSecretName\\\"}]}]}],\\\"mode\\\":\\\"enforce\\\"}\"}]`\n\n\treplaceCIPKeySourceWithoutOCIPatch = `[{\"op\":\"replace\",\"path\":\"/data/test-cip\",\"value\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"key\\\":{\\\"data\\\":\\\"-----BEGIN PUBLIC KEY-----\\\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\\\n-----END PUBLIC KEY-----\\\",\\\"hashAlgorithm\\\":\\\"sha256\\\"},\\\"source\\\":[{\\\"signaturePullSecrets\\\":[{\\\"name\\\":\\\"signaturePullSecretName\\\"}]}]}],\\\"mode\\\":\\\"enforce\\\"}\"}]`\n\n\tresourceVersion = \"0123456789\"\n\tuid             = \"test-uid\"\n\n\tstatusUpdateFailureFmt = `Failed to update status for \"test-cip\": invalid value: %s: spec.remote.url\nurl valid is invalid. 
host and https scheme are expected`\n\n\tinvalidSHAMsg = \"failed to check sha256sum from policy remote: c694cc08146070e84751ce7416d4befd70ea779071f457df8107586a29ac6580 got c694cc08146070e84751ce7416d4befd70ea779071f457df8127586a29ac6580\"\n)\n\nvar (\n\t// Just define these here so that we can use them in various identity\n\t// places where we just need a placeholder.\n\tplaceholderIdentities = []v1alpha1.Identity{{SubjectRegExp: \"sub.*\", IssuerRegExp: \"iss.*\"}}\n)\n\nfunc TestReconcile(t *testing.T) {\n\tprivKMSKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\tt.Fatalf(\"error generating ecdsa private key: %v\", err)\n\t}\n\tmainContext := context.WithValue(context.Background(), fake.KmsCtxKey{}, privKMSKey)\n\n\t// Note that this is just an HTTP server, so it will cause a problem\n\t// after the Status update because of the upstream does not appear to set\n\t// the apis.IsInStatusUpdate correctly in the tests. So it validates the\n\t// status update even though it shouldn't. 
This is tested elsewhere, so\n\t// we just work around it here by expecting that benign error.\n\tpolicyServerGood := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {\n\t\trw.Write([]byte(testPolicy))\n\t}))\n\tt.Cleanup(policyServerGood.Close)\n\tpolicyURLGood, err := apis.ParseURL(policyServerGood.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse the URL: %v\", err)\n\t}\n\tstatusUpdateFailureMsg := fmt.Sprintf(statusUpdateFailureFmt, policyURLGood.String())\n\n\ttable := TableTest{{\n\t\tName: \"bad workqueue key\",\n\t\t// Make sure Reconcile handles bad keys.\n\t\tKey: \"too/many/parts\",\n\t}, {\n\t\tName: \"key not found\",\n\t\t// Make sure Reconcile handles good keys that don't exist.\n\t\tKey: \"foo/not-found\",\n\t}, {\n\t\tName: \"ClusterImagePolicy not found\",\n\t\tKey:  testKey,\n\t}, {\n\t\tName: \"ClusterImagePolicy is being deleted, doesn't exist, no changes\",\n\t\tKey:  testKey,\n\t\tObjects: []runtime.Object{\n\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\tWithClusterImagePolicyDeletionTimestamp),\n\t\t},\n\t}, {\n\t\tName: \"ClusterImagePolicy with glob and inline key data, added to cm and finalizer\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithMode(\"warn\"),\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}}))},\n\t\tWantCreates: []runtime.Object{\n\t\t\tmakeConfigMapWithWarn(),\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tpatchFinalizers(system.Namespace(), cipName),\n\t\t},\n\t\tWantEvents: []string{\n\t\t\tEventf(corev1.EventTypeNormal, \"FinalizerUpdate\", `Updated \"test-cip\" finalizers`),\n\t\t},\n\t\tWantStatusUpdates: 
[]clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithMode(\"warn\"),\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}}),\n\t\t\t\tMarkReady),\n\t\t}},\n\t}, {\n\t\tName: \"ClusterImagePolicy with glob and inline key data, already exists, no patch, no status update\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithMode(\"enforce\"),\n\t\t\t\tWithFinalizer,\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}}),\n\t\t\t\tMarkReady),\n\t\t\tmakeConfigMap(),\n\t\t},\n\t}, {\n\t\tName: \"ClusterImagePolicy with glob and inline key data, needs a patch\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithFinalizer,\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}})),\n\t\t\tmakeDifferentConfigMap(),\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tmakePatch(replaceCIPPatch),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: 
NewClusterImagePolicy(cipName,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithFinalizer,\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}}),\n\t\t\t\tMarkReady),\n\t\t}},\n\t}, {\n\t\tName: \"ClusterImagePolicy with glob and inline key data, needs a patch but fails\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithFinalizer,\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}})),\n\t\t\tmakeDifferentConfigMap(),\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tmakePatch(replaceCIPPatch),\n\t\t},\n\t\tWithReactors: []clientgotesting.ReactionFunc{\n\t\t\tInduceFailure(\"patch\", \"configmaps\"),\n\t\t},\n\t\tWantErr: true,\n\t\tWantEvents: []string{\n\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", \"inducing failure for patch configmaps\"),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithFinalizer,\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}}),\n\t\t\t\tWithInitConditions,\n\t\t\t\tWithObservedGeneration(1),\n\t\t\t\tWithMarkInlineKeysOk,\n\t\t\t\tWithMarkInlinePoliciesOk,\n\t\t\t\tWithMarkCMUpdateFailed(\"inducing failure for patch configmaps\"),\n\t\t\t),\n\t\t}},\n\t}, {\n\t\tName: 
\"ClusterImagePolicy with glob and KMS key data, added as a patch\",\n\t\tKey:  testKey2,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewClusterImagePolicy(cipName2,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithFinalizer,\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}})),\n\t\t\tmakeConfigMap(), // Make the existing configmap\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tmakePatch(addCIP2Patch),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewClusterImagePolicy(cipName2,\n\t\t\t\tWithUID(uid),\n\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\tWithFinalizer,\n\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\tGlob: glob,\n\t\t\t\t}),\n\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t}}),\n\t\t\t\tMarkReady),\n\t\t}},\n\t},\n\t\t{\n\t\t\tName: \"ClusterImagePolicy with glob and inline key data, already exists, deleted\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithClusterImagePolicyDeletionTimestamp),\n\t\t\t\tmakeConfigMap(),\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tpatchRemoveFinalizers(system.Namespace(), cipName),\n\t\t\t\tmakePatch(removeDataPatch),\n\t\t\t},\n\t\t\tWantEvents: 
[]string{\n\t\t\t\tEventf(corev1.EventTypeNormal, \"FinalizerUpdate\", `Updated \"test-cip\" finalizers`),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Two entries, remove only one\",\n\t\t\tKey:  testKey2,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName2,\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithClusterImagePolicyDeletionTimestamp),\n\t\t\t\tmakeConfigMapWithTwoEntries(),\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tpatchRemoveFinalizers(system.Namespace(), cipName2),\n\t\t\t\tmakePatch(removeSingleEntryKeylessPatch),\n\t\t\t},\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeNormal, \"FinalizerUpdate\", `Updated \"test-cip-2\" finalizers`),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Key with secret, secret does not exist, no entry in configmap\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\tmakeEmptyConfigMap(),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `secret \"publickey-key\" not found`),\n\t\t\t},\n\t\t\tWantStatusUpdates: 
[]clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysFailed(`secret \"publickey-key\" not found`)),\n\t\t\t}},\n\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keySecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Key with secret, secret does not exist, entry removed from configmap\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMapWithTwoEntries(),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `secret \"publickey-key\" not found`),\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(removeSingleEntryKeyPatch),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: 
NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysFailed(`secret \"publickey-key\" not found`)),\n\t\t\t}},\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keySecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Key with secret, secret does not exist, cm does not exist\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `secret \"publickey-key\" not found`),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: 
keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysFailed(`secret \"publickey-key\" not found`)),\n\t\t\t}},\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keySecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Keyless with secret, secret does not exist.\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKeyless: &v1alpha1.KeylessRef{\n\t\t\t\t\t\t\tCACert: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\t\tName: keylessSecretName,\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: placeholderIdentities,\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMapWithTwoEntries(),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `secret \"publickey-keyless\" not found`),\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(removeSingleEntryKeyPatch),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKeyless: &v1alpha1.KeylessRef{\n\t\t\t\t\t\t\tCACert: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\t\tName: 
keylessSecretName,\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tIdentities: placeholderIdentities,\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysFailed(`secret \"publickey-keyless\" not found`)),\n\t\t\t}},\n\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keylessSecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Key with secret, no data.\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\t&corev1.Secret{\n\t\t\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\t\t\tNamespace: system.Namespace(),\n\t\t\t\t\t\tName:      keySecretName,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tmakeEmptyConfigMap(),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `secret \"publickey-key\" contains no data`),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: 
keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysFailed(`secret \"publickey-key\" contains no data`)),\n\t\t\t}},\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keySecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Key with secret, multiple data entries.\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\t&corev1.Secret{\n\t\t\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\t\t\tNamespace: system.Namespace(),\n\t\t\t\t\t\tName:      keySecretName,\n\t\t\t\t\t},\n\t\t\t\t\tData: map[string][]byte{\n\t\t\t\t\t\t\"first\":  []byte(\"first data\"),\n\t\t\t\t\t\t\"second\": []byte(\"second data\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tmakeEmptyConfigMap(),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `secret \"publickey-key\" contains multiple data entries, only one is supported`),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: 
&corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysFailed(`secret \"publickey-key\" contains multiple data entries, only one is supported`)),\n\t\t\t}},\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keySecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Key with secret, secret exists, invalid public key\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\tmakeEmptyConfigMap(),\n\t\t\t\tmakeSecret(keySecretName, \"garbage secret value, not a public key\"),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `secret \"publickey-key\" contains an invalid public key: PEM decoding failed`),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: 
keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysFailed(`secret \"publickey-key\" contains an invalid public key: PEM decoding failed`)),\n\t\t\t}},\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keySecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Key with secret, secret exists, inlined\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\tmakeSecret(keySecretName, validPublicKeyData),\n\t\t\t},\n\t\t\tWantCreates: []runtime.Object{\n\t\t\t\tmakeConfigMap(),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\tName: keySecretName,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}),\n\t\t\t\t\tMarkReady),\n\t\t\t}},\n\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keySecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Keyless with secret, secret exists, inlined\",\n\t\t\tKey:  testKey2,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: 
[]runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName2,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKeyless: &v1alpha1.KeylessRef{\n\t\t\t\t\t\t\tCACert: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\t\tName: keylessSecretName,\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tIdentities: placeholderIdentities,\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMapWithTwoEntries(),\n\t\t\t\tmakeSecret(keylessSecretName, validPublicKeyData),\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(inlinedSecretKeylessPatch),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName2,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKeyless: &v1alpha1.KeylessRef{\n\t\t\t\t\t\t\tCACert: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\t\tName: keylessSecretName,\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tIdentities: placeholderIdentities,\n\t\t\t\t\t\t}}),\n\t\t\t\t\tMarkReady),\n\t\t\t}},\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keylessSecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"ClusterImagePolicy with glob and KMS key, added the data after querying the fake signer\",\n\t\t\tKey:  cipKMSName,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: 
[]runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipKMSName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tKMS:           fakeKMSKey,\n\t\t\t\t\t\t\tHashAlgorithm: signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t}})),\n\t\t\t\tmakeEmptyConfigMap(), // Make the existing configmap\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tpatchKMS(mainContext, t, fakeKMSKey, signaturealgo.DefaultSignatureAlgorithm),\n\t\t\t},\n\t\t\t// TODO(vaikas): We have to do some upstream work here. Doing\n\t\t\t// status updates does not behave correctly by setting the\n\t\t\t// IsInStatusUpdate in Table Driven tests.\n\t\t\t// This means that even though we're sending a valid request to\n\t\t\t// only patch the status subResource, the validate logic is still\n\t\t\t// run and results in an error that's not an error in the real\n\t\t\t// reconciler.\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"UpdateFailed\", `Failed to update status for \"test-kms-cip\": invalid value: fakekms://keycip: spec.authorities[0].key.kms\nmalformed KMS format, should be prefixed by any of the supported providers: [awskms:// azurekms:// hashivault:// gcpkms://]`),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipKMSName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tKMS:           fakeKMSKey,\n\t\t\t\t\t\t\tHashAlgorithm: 
signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t}}),\n\t\t\t\t\tMarkReady),\n\t\t\t}},\n\t\t}, {\n\t\t\tName: \"Key with data, source, and signature pull secrets\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tSources: []v1alpha1.Source{{\n\t\t\t\t\t\t\tOCI: \"example.com/alternative/signature\",\n\t\t\t\t\t\t\tSignaturePullSecrets: []corev1.LocalObjectReference{\n\t\t\t\t\t\t\t\t{Name: \"signaturePullSecretName\"},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}},\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMap(),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tSources: []v1alpha1.Source{{\n\t\t\t\t\t\t\tOCI: \"example.com/alternative/signature\",\n\t\t\t\t\t\t\tSignaturePullSecrets: []corev1.LocalObjectReference{\n\t\t\t\t\t\t\t\t{Name: \"signaturePullSecretName\"},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}}}),\n\t\t\t\t\tMarkReady),\n\t\t\t}},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(replaceCIPKeySourcePatch),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Key with data, source, no oci but signature pull secrets\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster 
scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tSources: []v1alpha1.Source{{\n\t\t\t\t\t\t\tSignaturePullSecrets: []corev1.LocalObjectReference{\n\t\t\t\t\t\t\t\t{Name: \"signaturePullSecretName\"},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}},\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMap(),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tData: validPublicKeyData,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tSources: []v1alpha1.Source{{\n\t\t\t\t\t\t\tSignaturePullSecrets: []corev1.LocalObjectReference{\n\t\t\t\t\t\t\t\t{Name: \"signaturePullSecretName\"},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t}},\n\t\t\t\t\t}),\n\t\t\t\t\tMarkReady),\n\t\t\t}},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(replaceCIPKeySourceWithoutOCIPatch),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"ClusterImagePolicy with glob and KMS key, for invalid KMS key\",\n\t\t\tKey:  cipKMSName,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipKMSName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tKMS: 
\"gcpkms://blah\",\n\t\t\t\t\t\t}},\n\t\t\t\t\t)),\n\t\t\t\tmakeEmptyConfigMap(), // Make the existing configmap\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tpatchFinalizers(system.Namespace(), cipKMSName),\n\t\t\t},\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeNormal, \"FinalizerUpdate\", `Updated \"test-kms-cip\" finalizers`),\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `kms specification should be in the format gcpkms://projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]`),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipKMSName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKey: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\tKMS: \"gcpkms://blah\",\n\t\t\t\t\t\t}},\n\t\t\t\t\t),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysFailed(`kms specification should be in the format gcpkms://projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]`)),\n\t\t\t}},\n\t\t}, {\n\t\t\tName: \"Keyless with match label selector\",\n\t\t\tKey:  testKey2,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName2,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithMatch(v1alpha1.MatchResource{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"apps\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: 
\"replicasets\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tResourceSelector: &metav1.LabelSelector{\n\t\t\t\t\t\t\tMatchLabels: map[string]string{\"match\": \"match\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKeyless: &v1alpha1.KeylessRef{\n\t\t\t\t\t\t\tCACert: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\t\tName: keylessSecretName,\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tIdentities: placeholderIdentities,\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMapWithTwoEntries(),\n\t\t\t\tmakeSecret(keylessSecretName, validPublicKeyData),\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(inlinedSecretKeylessMatchLabelsPatch),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName2,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithMatch(v1alpha1.MatchResource{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"apps\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: \"replicasets\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tResourceSelector: &metav1.LabelSelector{\n\t\t\t\t\t\t\tMatchLabels: map[string]string{\"match\": \"match\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKeyless: &v1alpha1.KeylessRef{\n\t\t\t\t\t\t\tCACert: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\t\tName: keylessSecretName,\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tIdentities: placeholderIdentities,\n\t\t\t\t\t\t}}),\n\t\t\t\t\tMarkReady),\n\t\t\t}},\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keylessSecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Keyless with resource group and version 
selector\",\n\t\t\tKey:  testKey2,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName2,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithMatch(v1alpha1.MatchResource{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"apps\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: \"deployments\",\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKeyless: &v1alpha1.KeylessRef{\n\t\t\t\t\t\t\tCACert: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\t\tName: keylessSecretName,\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tIdentities: placeholderIdentities,\n\t\t\t\t\t\t}}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMapWithTwoEntries(),\n\t\t\t\tmakeSecret(keylessSecretName, validPublicKeyData),\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(inlinedSecretKeylessMatchResourcePatch),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName2,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithMatch(v1alpha1.MatchResource{\n\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\tGroup:    \"apps\",\n\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\tResource: \"deployments\",\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tKeyless: &v1alpha1.KeylessRef{\n\t\t\t\t\t\t\tCACert: &v1alpha1.KeyRef{\n\t\t\t\t\t\t\t\tSecretRef: &corev1.SecretReference{\n\t\t\t\t\t\t\t\t\tName: keylessSecretName,\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tIdentities: 
placeholderIdentities,\n\t\t\t\t\t\t}}),\n\t\t\t\t\tMarkReady),\n\t\t\t}},\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingSecret(system.Namespace(), keylessSecretName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Static with CIP level policy, configmapref exists, inlined\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithPolicy(&v1alpha1.Policy{\n\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\tConfigMapRef: &v1alpha1.ConfigMapReference{\n\t\t\t\t\t\t\tName: policyCMName,\n\t\t\t\t\t\t\tKey:  policyCMKey,\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMap(),\n\t\t\t\tmakePolicyConfigMap(policyCMName, map[string]string{policyCMKey: testPolicy}),\n\t\t\t},\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(inlinedPolicyPatch),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithPolicy(&v1alpha1.Policy{\n\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\tConfigMapRef: &v1alpha1.ConfigMapReference{\n\t\t\t\t\t\t\tName: policyCMName,\n\t\t\t\t\t\t\tKey:  policyCMKey,\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t\tMarkReady),\n\t\t\t}},\n\n\t\t\tPostConditions: []func(*testing.T, 
*TableRow){\n\t\t\t\tAssertTrackingConfigMap(system.Namespace(), policyCMName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Static with CIP level policy, configmapref does not exist\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithPolicy(&v1alpha1.Policy{\n\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\tConfigMapRef: &v1alpha1.ConfigMapReference{\n\t\t\t\t\t\t\tName: policyCMName,\n\t\t\t\t\t\t\tKey:  policyCMKey,\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMap(),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(removeDataPatch),\n\t\t\t},\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", `configmap \"policy-configmap\" not found`),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithPolicy(&v1alpha1.Policy{\n\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\tConfigMapRef: &v1alpha1.ConfigMapReference{\n\t\t\t\t\t\t\tName: policyCMName,\n\t\t\t\t\t\t\tKey:  
policyCMKey,\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysOk,\n\t\t\t\t\tWithMarkInlinePoliciesFailed(`configmap \"policy-configmap\" not found`),\n\t\t\t\t),\n\t\t\t}},\n\n\t\t\tPostConditions: []func(*testing.T, *TableRow){\n\t\t\t\tAssertTrackingConfigMap(system.Namespace(), policyCMName),\n\t\t\t},\n\t\t}, {\n\t\t\tName: \"Static with CIP level URL policy, works\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithPolicy(&v1alpha1.Policy{\n\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\tRemote: &v1alpha1.RemotePolicy{\n\t\t\t\t\t\t\tURL:       *policyURLGood,\n\t\t\t\t\t\t\tSha256sum: testPolicySHA256,\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMap(),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(inlinedPolicyPatch),\n\t\t\t},\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"UpdateFailed\", statusUpdateFailureMsg),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithPolicy(&v1alpha1.Policy{\n\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\tRemote: 
&v1alpha1.RemotePolicy{\n\t\t\t\t\t\t\tURL:       *policyURLGood,\n\t\t\t\t\t\t\tSha256sum: testPolicySHA256,\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t\tMarkReady,\n\t\t\t\t),\n\t\t\t}},\n\t\t}, {\n\t\t\tName: \"Static with CIP level URL policy, SHA does not match\",\n\t\t\tKey:  testKey,\n\n\t\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\t\tObjects: []runtime.Object{\n\t\t\t\tNewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithPolicy(&v1alpha1.Policy{\n\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\tRemote: &v1alpha1.RemotePolicy{\n\t\t\t\t\t\t\tURL:       *policyURLGood,\n\t\t\t\t\t\t\tSha256sum: testPolicySHA256Bad,\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t\tmakeConfigMap(),\n\t\t\t},\n\t\t\tWantErr: true,\n\t\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\t\tmakePatch(removeDataPatch),\n\t\t\t},\n\t\t\tWantEvents: []string{\n\t\t\t\tEventf(corev1.EventTypeWarning, \"UpdateFailed\", statusUpdateFailureMsg),\n\t\t\t},\n\t\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\t\tObject: NewClusterImagePolicy(cipName,\n\t\t\t\t\tWithUID(uid),\n\t\t\t\t\tWithResourceVersion(resourceVersion),\n\t\t\t\t\tWithFinalizer,\n\t\t\t\t\tWithImagePattern(v1alpha1.ImagePattern{\n\t\t\t\t\t\tGlob: glob,\n\t\t\t\t\t}),\n\t\t\t\t\tWithAuthority(v1alpha1.Authority{\n\t\t\t\t\t\tStatic: &v1alpha1.StaticRef{\n\t\t\t\t\t\t\tAction: \"pass\",\n\t\t\t\t\t\t}}),\n\t\t\t\t\tWithPolicy(&v1alpha1.Policy{\n\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\tRemote: &v1alpha1.RemotePolicy{\n\t\t\t\t\t\t\tURL:       *policyURLGood,\n\t\t\t\t\t\t\tSha256sum: 
testPolicySHA256Bad,\n\t\t\t\t\t\t},\n\t\t\t\t\t}),\n\t\t\t\t\tWithInitConditions,\n\t\t\t\t\tWithObservedGeneration(1),\n\t\t\t\t\tWithMarkInlineKeysOk,\n\t\t\t\t\tWithMarkInlinePoliciesFailed(invalidSHAMsg),\n\t\t\t\t),\n\t\t\t}},\n\t\t}}\n\n\tlogger := logtesting.TestLogger(t)\n\ttable.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, _ configmap.Watcher) controller.Reconciler {\n\t\tr := &Reconciler{\n\t\t\tsecretlister:    listers.GetSecretLister(),\n\t\t\tconfigmaplister: listers.GetConfigMapLister(),\n\t\t\tkubeclient:      fakekubeclient.Get(ctx),\n\t\t\ttracker:         ctx.Value(TrackerKey).(tracker.Interface),\n\t\t}\n\t\treturn clusterimagepolicy.NewReconciler(ctx, logger,\n\t\t\tfakecosignclient.Get(ctx), listers.GetClusterImagePolicyLister(),\n\t\t\tcontroller.GetEventRecorder(ctx),\n\t\t\tr)\n\t},\n\t\tfalse,\n\t\tlogger,\n\t\tprivKMSKey,\n\t))\n}\n\nfunc makeSecret(name, secret string) *corev1.Secret {\n\treturn &corev1.Secret{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      name,\n\t\t},\n\t\tData: map[string][]byte{\n\t\t\t\"publicKey\": []byte(secret),\n\t\t},\n\t}\n}\n\nfunc makePolicyConfigMap(name string, data map[string]string) *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      name,\n\t\t},\n\t\tData: data,\n\t}\n}\n\nfunc makeEmptyConfigMap() *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.ImagePoliciesConfigName,\n\t\t},\n\t}\n}\n\nfunc makeConfigMap() *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.ImagePoliciesConfigName,\n\t\t},\n\t\tData: map[string]string{\n\t\t\tcipName: 
`{\"uid\":\"test-uid\",\"resourceVersion\":\"0123456789\",\"images\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"name\":\"authority-0\",\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\",\"hashAlgorithm\":\"sha256\"}}],\"mode\":\"enforce\"}`,\n\t\t},\n\t}\n}\n\nfunc makeConfigMapWithWarn() *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.ImagePoliciesConfigName,\n\t\t},\n\t\tData: map[string]string{\n\t\t\tcipName: `{\"uid\":\"test-uid\",\"resourceVersion\":\"0123456789\",\"images\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"name\":\"authority-0\",\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\",\"hashAlgorithm\":\"sha256\"}}],\"mode\":\"warn\"}`,\n\t\t},\n\t}\n}\n\nfunc patchKMS(ctx context.Context, t *testing.T, kmsKey, hashAlgorithm string) clientgotesting.PatchActionImpl {\n\tpubKey, err := getKMSPublicKey(ctx, kmsKey, hashAlgorithm)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to read KMS key ID %q: %v\", kmsKey, err)\n\t}\n\n\tpatch := `[{\"op\":\"add\",\"path\":\"/data\",\"value\":{\"test-kms-cip\":\"{\\\"uid\\\":\\\"test-uid\\\",\\\"resourceVersion\\\":\\\"0123456789\\\",\\\"images\\\":[{\\\"glob\\\":\\\"ghcr.io/example/*\\\"}],\\\"authorities\\\":[{\\\"name\\\":\\\"authority-0\\\",\\\"key\\\":{\\\"data\\\":\\\"` + strings.ReplaceAll(pubKey, \"\\n\", \"\\\\\\\\n\") + `\\\",\\\"hashAlgorithm\\\":\\\"` + hashAlgorithm + `\\\"}}],\\\"mode\\\":\\\"enforce\\\"}\"}}]`\n\n\treturn clientgotesting.PatchActionImpl{\n\t\tActionImpl: clientgotesting.ActionImpl{\n\t\t\tNamespace: system.Namespace(),\n\t\t},\n\t\tName:  
config.ImagePoliciesConfigName,\n\t\tPatch: []byte(patch),\n\t}\n}\n\n// Same as above, just forcing an update by changing PUBLIC => NOTPUBLIC\nfunc makeDifferentConfigMap() *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.ImagePoliciesConfigName,\n\t\t},\n\t\tData: map[string]string{\n\t\t\tcipName: `{\"uid\":\"test-uid\",\"resourceVersion\":\"0123456789\",\nimages\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"name\":\"authority-0\",\"key\":{\"data\":\"-----BEGIN NOTPUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END NOTPUBLIC KEY-----\"}}]}`,\n\t\t},\n\t}\n}\n\n// Same as MakeConfigMap but a placeholder for second entry so we can remove it.\nfunc makeConfigMapWithTwoEntries() *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.ImagePoliciesConfigName,\n\t\t},\n\t\tData: map[string]string{\n\t\t\tcipName:  `{\"images\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"name\":\"authority-0\",\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}],\"mode\":\"enforce\"}`,\n\t\t\tcipName2: \"remove me please\",\n\t\t},\n\t}\n}\n\nfunc makePatch(patch string) clientgotesting.PatchActionImpl {\n\treturn clientgotesting.PatchActionImpl{\n\t\tActionImpl: clientgotesting.ActionImpl{\n\t\t\tNamespace: system.Namespace(),\n\t\t},\n\t\tName:  config.ImagePoliciesConfigName,\n\t\tPatch: []byte(patch),\n\t}\n}\n\nfunc patchFinalizers(namespace, name string) clientgotesting.PatchActionImpl {\n\taction := clientgotesting.PatchActionImpl{}\n\taction.Name = name\n\taction.Namespace = namespace\n\tpatch := 
`{\"metadata\":{\"finalizers\":[\"` + finalizerName + `\"],\"resourceVersion\":\"` + resourceVersion + `\"}}`\n\taction.Patch = []byte(patch)\n\treturn action\n}\n\nfunc patchRemoveFinalizers(namespace, name string) clientgotesting.PatchActionImpl {\n\taction := clientgotesting.PatchActionImpl{}\n\taction.Name = name\n\taction.Namespace = namespace\n\tpatch := `{\"metadata\":{\"finalizers\":[],\"resourceVersion\":\"` + resourceVersion + `\"}}`\n\taction.Patch = []byte(patch)\n\treturn action\n}\n"
  },
  {
    "path": "pkg/reconciler/clusterimagepolicy/controller.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage clusterimagepolicy\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"k8s.io/client-go/tools/cache\"\n\tkubeclient \"knative.dev/pkg/client/injection/kube/client\"\n\t\"knative.dev/pkg/configmap\"\n\t\"knative.dev/pkg/controller\"\n\t\"knative.dev/pkg/logging\"\n\n\t// Use the informer factory that restricts only to our namespace. 
This way\n\t// we won't have to grant too broad RBAC rights, nor have trouble starting\n\t// up if we don't have them.\n\n\tpkgreconciler \"knative.dev/pkg/reconciler\"\n\t\"knative.dev/pkg/system\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\tclusterimagepolicyinformer \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy\"\n\tclusterimagepolicyreconciler \"github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy\"\n\tcminformer \"knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/configmap\"\n\tsecretinformer \"knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret\"\n)\n\n// This is what the default finalizer name is, but make it explicit so we can\n// use it in tests as well.\nconst finalizerName = \"clusterimagepolicies.policy.sigstore.dev\"\n\ntype policyResyncPeriodKey struct{}\n\n// NewController creates a Reconciler and returns the result of NewImpl.\nfunc NewController(\n\tctx context.Context,\n\t_ configmap.Watcher,\n) *controller.Impl {\n\tclusterimagepolicyInformer := clusterimagepolicyinformer.Get(ctx)\n\tsecretInformer := secretinformer.Get(ctx)\n\tconfigMapInformer := cminformer.Get(ctx)\n\n\tr := &Reconciler{\n\t\tsecretlister:    secretInformer.Lister(),\n\t\tconfigmaplister: configMapInformer.Lister(),\n\t\tkubeclient:      kubeclient.Get(ctx),\n\t}\n\timpl := clusterimagepolicyreconciler.NewImpl(ctx, r, func(_ *controller.Impl) controller.Options {\n\t\treturn controller.Options{FinalizerName: finalizerName}\n\t})\n\tr.tracker = impl.Tracker\n\n\tif _, err := clusterimagepolicyInformer.Informer().AddEventHandler(controller.HandleAll(impl.Enqueue)); err != nil {\n\t\tlogging.FromContext(ctx).Warnf(\"Failed clusterimagepolicyInformer AddEventHandler() %v\", err)\n\t}\n\n\tif _, err := secretInformer.Informer().AddEventHandler(controller.HandleAll(\n\t\t// Call the tracker's OnChanged method, 
but we've seen the objects\n\t\t// coming through this path missing TypeMeta, so ensure it is properly\n\t\t// populated.\n\t\tcontroller.EnsureTypeMeta(\n\t\t\tr.tracker.OnChanged,\n\t\t\tcorev1.SchemeGroupVersion.WithKind(\"Secret\"),\n\t\t),\n\t)); err != nil {\n\t\tlogging.FromContext(ctx).Warnf(\"Failed secretInformer AddEventHandler() %v\", err)\n\t}\n\n\tif _, err := configMapInformer.Informer().AddEventHandler(controller.HandleAll(\n\t\t// Call the tracker's OnChanged method, but we've seen the objects\n\t\t// coming through this path missing TypeMeta, so ensure it is properly\n\t\t// populated.\n\t\tcontroller.EnsureTypeMeta(\n\t\t\tr.tracker.OnChanged,\n\t\t\tcorev1.SchemeGroupVersion.WithKind(\"ConfigMap\"),\n\t\t),\n\t)); err != nil {\n\t\tlogging.FromContext(ctx).Warnf(\"Failed configMapInformer AddEventHandler() %v\", err)\n\t}\n\n\t// When the underlying ConfigMap changes, perform a global resync on\n\t// ClusterImagePolicies to make sure their state is correctly reflected\n\t// in the ConfigMap. 
This is admittedly a bit heavy handed, but I don't\n\t// really see a way around it, since if something is wrong with the\n\t// ConfigMap but there are no changes to the ClusterImagePolicy, it needs\n\t// to be synced.\n\tgrCb := func(_ interface{}) {\n\t\tlogging.FromContext(ctx).Info(\"Doing a global resync on ClusterImagePolicies due to ConfigMap changing or resync period.\")\n\t\timpl.GlobalResync(clusterimagepolicyInformer.Informer())\n\t}\n\t// Resync on only ConfigMap changes that pertain to the one I care about\n\t// or after a resync period.\n\t// We could also fetch/construct the store and use CM watcher for it, but\n\t// since we need a lister for it anyways in the reconciler, just set up\n\t// the watch here.\n\tif _, err := configMapInformer.Informer().AddEventHandlerWithResyncPeriod(cache.FilteringResourceEventHandler{\n\t\tFilterFunc: pkgreconciler.ChainFilterFuncs(\n\t\t\tpkgreconciler.NamespaceFilterFunc(system.Namespace()),\n\t\t\tpkgreconciler.NameFilterFunc(config.ImagePoliciesConfigName)),\n\t\tHandler: controller.HandleAll(grCb),\n\t}, FromContextOrDefaults(ctx)); err != nil {\n\t\tlogging.FromContext(ctx).Warnf(\"Failed configMapInformer AddEventHandlerWithResyncPeriod() %v\", err)\n\t}\n\n\treturn impl\n}\n\nfunc ToContext(ctx context.Context, duration time.Duration) context.Context {\n\treturn context.WithValue(ctx, policyResyncPeriodKey{}, duration)\n}\n\n// FromContextOrDefaults returns a stored policyResyncPeriod if attached.\n// If not found, it returns a default duration\nfunc FromContextOrDefaults(ctx context.Context) time.Duration {\n\tx, ok := ctx.Value(policyResyncPeriodKey{}).(time.Duration)\n\tif ok {\n\t\treturn x\n\t}\n\treturn controller.DefaultResyncPeriod\n}\n"
  },
  {
    "path": "pkg/reconciler/clusterimagepolicy/controller_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage clusterimagepolicy\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"knative.dev/pkg/configmap\"\n\t\"knative.dev/pkg/controller\"\n\trtesting \"knative.dev/pkg/reconciler/testing\"\n\n\t// Fake injection informers\n\t_ \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/fake\"\n\t_ \"knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/fake\"\n\t_ \"knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/configmap/fake\"\n\t_ \"knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake\"\n\t_ \"knative.dev/pkg/injection/clients/namespacedkube/informers/factory/fake\"\n)\n\nfunc TestNew(t *testing.T) {\n\tctx, _ := rtesting.SetupFakeContext(t)\n\n\tc := NewController(ctx, &configmap.ManualWatcher{})\n\n\tif c == nil {\n\t\tt.Fatal(\"Expected NewController to return a non-nil value\")\n\t}\n}\n\nfunc TestContextDuration(t *testing.T) {\n\tctx, _ := rtesting.SetupFakeContext(t)\n\n\texpected := controller.DefaultResyncPeriod\n\tactual := FromContextOrDefaults(ctx)\n\tif expected != actual {\n\t\tt.Fatal(\"Expected the context to store the value and be retrievable\")\n\t}\n\n\texpected = time.Hour\n\tctx = ToContext(ctx, expected)\n\tactual = FromContextOrDefaults(ctx)\n\n\tif expected != actual {\n\t\tt.Fatal(\"Expected the context to store the 
value and be retrievable\")\n\t}\n}\n"
  },
  {
    "path": "pkg/reconciler/clusterimagepolicy/resources/configmap.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage resources\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\twebhookcip \"github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"knative.dev/pkg/apis/duck\"\n)\n\n// NewConfigMap returns a new ConfigMap with an entry for the given\n// ClusterImagePolicy\nfunc NewConfigMap(ns, name, cipName string, cip *webhookcip.ClusterImagePolicy) (*corev1.ConfigMap, error) {\n\tentry, err := marshal(cip)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcm := &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: ns,\n\t\t\tName:      name,\n\t\t\t// TODO(vaikas): Set the ownerrefs. 
Don't want to keep adding one\n\t\t\t// for each CIP.\n\t\t},\n\t\tData: map[string]string{\n\t\t\tcipName: entry,\n\t\t},\n\t}\n\treturn cm, nil\n}\n\n// CreatePatch updates a particular entry to see if they are differing and\n// returning the patch bytes for it that's suitable for calling\n// ConfigMap.Patch with.\nfunc CreatePatch(ns, name, cipName string, cm *corev1.ConfigMap, cip *webhookcip.ClusterImagePolicy) ([]byte, error) { //nolint: revive\n\tentry, err := marshal(cip)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tafter := cm.DeepCopy()\n\tif after.Data == nil {\n\t\tafter.Data = make(map[string]string)\n\t}\n\tafter.Data[cipName] = entry\n\tjsonPatch, err := duck.CreatePatch(cm, after)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"creating JSON patch: %w\", err)\n\t}\n\tif len(jsonPatch) == 0 {\n\t\treturn nil, nil\n\t}\n\treturn jsonPatch.MarshalJSON()\n}\n\n// CreateRemovePatch removes an entry from the ConfigMap and returns the patch\n// bytes for it that's suitable for calling ConfigMap.Patch with.\nfunc CreateRemovePatch(ns, name string, cm *corev1.ConfigMap, cipName string) ([]byte, error) { //nolint: revive\n\tafter := cm.DeepCopy()\n\t// Just remove it without checking if it exists. If it doesn't, then no\n\t// patch bytes are created.\n\tdelete(after.Data, cipName)\n\tjsonPatch, err := duck.CreatePatch(cm, after)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"creating JSON patch: %w\", err)\n\t}\n\tif len(jsonPatch) == 0 {\n\t\treturn nil, nil\n\t}\n\treturn jsonPatch.MarshalJSON()\n}\n\nfunc marshal(spec *webhookcip.ClusterImagePolicy) (string, error) {\n\tbytes, err := json.Marshal(spec)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn string(bytes), nil\n}\n"
  },
  {
    "path": "pkg/reconciler/testing/v1alpha1/clusterimagepolicy.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage testing\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/types\"\n)\n\nconst finalizerName = \"clusterimagepolicies.policy.sigstore.dev\"\n\n// ClusterImagePolicyOption enables further configuration of a ClusterImagePolicy.\ntype ClusterImagePolicyOption func(*v1alpha1.ClusterImagePolicy)\n\n// NewClusterImagePolicy creates a ClusterImagePolicy with ClusterImagePolicyOptions.\nfunc NewClusterImagePolicy(name string, o ...ClusterImagePolicyOption) *v1alpha1.ClusterImagePolicy {\n\tcip := &v1alpha1.ClusterImagePolicy{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tName:       name,\n\t\t\tGeneration: 1,\n\t\t},\n\t}\n\tfor _, opt := range o {\n\t\topt(cip)\n\t}\n\tcip.SetDefaults(context.Background())\n\treturn cip\n}\n\nfunc WithUID(uid string) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.UID = types.UID(uid)\n\t}\n}\n\nfunc WithResourceVersion(resourceVersion string) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.ResourceVersion = resourceVersion\n\t}\n}\n\nfunc WithClusterImagePolicyDeletionTimestamp(cip *v1alpha1.ClusterImagePolicy) {\n\tt := metav1.NewTime(time.Unix(1e9, 0))\n\tcip.SetDeletionTimestamp(&t)\n}\n\nfunc 
WithImagePattern(ip v1alpha1.ImagePattern) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.Spec.Images = append(cip.Spec.Images, ip)\n\t}\n}\n\nfunc WithAuthority(a v1alpha1.Authority) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.Spec.Authorities = append(cip.Spec.Authorities, a)\n\t}\n}\n\nfunc WithPolicy(p *v1alpha1.Policy) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.Spec.Policy = p\n\t}\n}\n\nfunc WithMatch(a v1alpha1.MatchResource) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.Spec.Match = append(cip.Spec.Match, a)\n\t}\n}\n\nfunc WithMode(m string) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.Spec.Mode = m\n\t}\n}\n\nfunc WithFinalizer(cip *v1alpha1.ClusterImagePolicy) {\n\tcip.Finalizers = []string{finalizerName}\n}\n\nfunc WithInitConditions(cip *v1alpha1.ClusterImagePolicy) {\n\tcip.Status.InitializeConditions()\n}\nfunc WithObservedGeneration(gen int64) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.Status.ObservedGeneration = gen\n\t}\n}\n\nfunc MarkReady(cip *v1alpha1.ClusterImagePolicy) {\n\tWithInitConditions(cip)\n\tcip.Status.MarkInlineKeysOk()\n\tcip.Status.MarkInlinePoliciesOk()\n\tcip.Status.MarkCMUpdatedOK()\n\tcip.Status.ObservedGeneration = cip.Generation\n}\n\nfunc WithMarkInlineKeysOk(cip *v1alpha1.ClusterImagePolicy) {\n\tcip.Status.MarkInlineKeysOk()\n}\n\nfunc WithMarkInlineKeysFailed(msg string) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.Status.MarkInlineKeysFailed(msg)\n\t}\n}\n\nfunc WithMarkInlinePoliciesOk(cip *v1alpha1.ClusterImagePolicy) {\n\tcip.Status.MarkInlinePoliciesOk()\n}\nfunc WithMarkInlinePoliciesFailed(msg string) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) 
{\n\t\tcip.Status.MarkInlinePoliciesFailed(msg)\n\t}\n}\n\nfunc WithMarkCMUpdateFailed(msg string) ClusterImagePolicyOption {\n\treturn func(cip *v1alpha1.ClusterImagePolicy) {\n\t\tcip.Status.MarkCMUpdateFailed(msg)\n\t}\n}\n"
  },
  {
    "path": "pkg/reconciler/testing/v1alpha1/factory.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage testing\n\nimport (\n\t\"context\"\n\t\"crypto/ecdsa\"\n\t\"encoding/json\"\n\t\"testing\"\n\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"knative.dev/pkg/configmap\"\n\t\"knative.dev/pkg/logging\"\n\n\t\"k8s.io/apimachinery/pkg/api/meta\"\n\t\"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n\t\"k8s.io/apimachinery/pkg/types\"\n\n\t\"k8s.io/client-go/tools/record\"\n\n\t\"go.uber.org/zap\"\n\tktesting \"k8s.io/client-go/testing\"\n\t\"knative.dev/pkg/controller\"\n\n\tfakecosignclient \"github.com/sigstore/policy-controller/pkg/client/injection/client/fake\"\n\tfakekubeclient \"knative.dev/pkg/client/injection/kube/client/fake\"\n\tfakedynamicclient \"knative.dev/pkg/injection/clients/dynamicclient/fake\"\n\n\t\"knative.dev/pkg/reconciler\"\n\treconcilertesting \"knative.dev/pkg/reconciler/testing\"\n\n\tfakekms \"github.com/sigstore/sigstore/pkg/signature/kms/fake\"\n)\n\nconst (\n\t// maxEventBufferSize is the estimated max number of event notifications that\n\t// can be buffered during reconciliation.\n\tmaxEventBufferSize = 10\n)\n\n// Ctor functions create a k8s controller with given params.\ntype Ctor func(context.Context, *Listers, configmap.Watcher) controller.Reconciler\n\n// MakeFactory creates a reconciler factory with fake clients and 
controller created by `ctor`.\nfunc MakeFactory(ctor Ctor, unstructured bool, logger *zap.SugaredLogger, privKMSKey *ecdsa.PrivateKey) reconcilertesting.Factory { //nolint: revive\n\treturn func(t *testing.T, r *reconcilertesting.TableRow) (controller.Reconciler, reconcilertesting.ActionRecorderList, reconcilertesting.EventList) {\n\t\tls := NewListers(r.Objects)\n\n\t\tvar ctx context.Context\n\t\tif r.Ctx != nil {\n\t\t\tctx = r.Ctx\n\t\t} else {\n\t\t\tctx = context.Background()\n\t\t}\n\t\tctx = logging.WithLogger(ctx, logger)\n\n\t\t// Add private key for KMS testing\n\t\tctx = context.WithValue(ctx, fakekms.KmsCtxKey{}, privKMSKey)\n\n\t\tctx, kubeClient := fakekubeclient.With(ctx, ls.GetKubeObjects()...)\n\t\tctx, client := fakecosignclient.With(ctx, ls.GetCosignObjects()...)\n\t\tctx, dynamicClient := fakedynamicclient.With(ctx,\n\t\t\tNewScheme(), ToUnstructured(t, r.Objects)...)\n\t\tctx = context.WithValue(ctx, TrackerKey, &reconcilertesting.FakeTracker{})\n\n\t\t// The dynamic client's support for patching is BS.  
Implement it\n\t\t// here via PrependReactor (this can be overridden below by the\n\t\t// provided reactors).\n\t\tdynamicClient.PrependReactor(\"patch\", \"*\",\n\t\t\tfunc(_ ktesting.Action) (bool, runtime.Object, error) {\n\t\t\t\treturn true, nil, nil\n\t\t\t})\n\n\t\teventRecorder := record.NewFakeRecorder(maxEventBufferSize)\n\t\tctx = controller.WithEventRecorder(ctx, eventRecorder)\n\n\t\t// Check the config maps in objects and add them to the fake cm watcher\n\t\tvar cms []*corev1.ConfigMap\n\t\tfor _, obj := range r.Objects {\n\t\t\tif cm, ok := obj.(*corev1.ConfigMap); ok {\n\t\t\t\tcms = append(cms, cm)\n\t\t\t}\n\t\t}\n\t\tconfigMapWatcher := configmap.NewStaticWatcher(cms...)\n\n\t\t// Set up our Controller from the fakes.\n\t\tc := ctor(ctx, &ls, configMapWatcher)\n\t\tr.Ctx = ctx\n\t\t// If the reconcilers is leader aware, then promote it.\n\t\tif la, ok := c.(reconciler.LeaderAware); ok {\n\t\t\tif la.Promote(reconciler.UniversalBucket(), func(reconciler.Bucket, types.NamespacedName) {}) != nil {\n\t\t\t\tpanic(\"failed to leader promote\")\n\t\t\t}\n\t\t}\n\n\t\tfor _, reactor := range r.WithReactors {\n\t\t\tkubeClient.PrependReactor(\"*\", \"*\", reactor)\n\t\t\tclient.PrependReactor(\"*\", \"*\", reactor)\n\t\t\tdynamicClient.PrependReactor(\"*\", \"*\", reactor)\n\t\t}\n\n\t\t// Validate all Create and Update operations\n\t\tclient.PrependReactor(\"create\", \"*\", func(action ktesting.Action) (handled bool, ret runtime.Object, err error) {\n\t\t\treturn reconcilertesting.ValidateCreates(ctx, action)\n\t\t})\n\t\tclient.PrependReactor(\"update\", \"*\", func(action ktesting.Action) (handled bool, ret runtime.Object, err error) {\n\t\t\treturn reconcilertesting.ValidateUpdates(ctx, action)\n\t\t})\n\n\t\tactionRecorderList := reconcilertesting.ActionRecorderList{dynamicClient, client, kubeClient}\n\t\teventList := reconcilertesting.EventList{Recorder: eventRecorder}\n\n\t\treturn c, actionRecorderList, eventList\n\t}\n}\n\n// ToUnstructured 
takes a list of k8s resources and converts them to\n// Unstructured objects.\n// We must pass objects as Unstructured to the dynamic client fake, or it\n// won't handle them properly.\nfunc ToUnstructured(t *testing.T, objs []runtime.Object) (us []runtime.Object) {\n\tsch := NewScheme()\n\tfor _, obj := range objs {\n\t\tobj = obj.DeepCopyObject() // Don't mess with the primary copy\n\t\t// Determine and set the TypeMeta for this object based on our test scheme.\n\t\tgvks, _, err := sch.ObjectKinds(obj)\n\t\tif err != nil {\n\t\t\tt.Fatal(\"Unable to determine kind for type:\", err)\n\t\t}\n\t\tapiv, k := gvks[0].ToAPIVersionAndKind()\n\t\tta, err := meta.TypeAccessor(obj)\n\t\tif err != nil {\n\t\t\tt.Fatal(\"Unable to create type accessor:\", err)\n\t\t}\n\t\tta.SetAPIVersion(apiv)\n\t\tta.SetKind(k)\n\n\t\tb, err := json.Marshal(obj)\n\t\tif err != nil {\n\t\t\tt.Fatal(\"Unable to marshal:\", err)\n\t\t}\n\t\tu := &unstructured.Unstructured{}\n\t\tif err := json.Unmarshal(b, u); err != nil {\n\t\t\tt.Fatal(\"Unable to unmarshal:\", err)\n\t\t}\n\t\tus = append(us, u)\n\t}\n\treturn\n}\n\ntype key struct{}\n\n// TrackerKey is used to look up a FakeTracker in a context.Context\nvar TrackerKey key = struct{}{}\n\n// AssertTrackingSecret will ensure the provided Secret is being tracked\nfunc AssertTrackingSecret(namespace, name string) func(*testing.T, *reconcilertesting.TableRow) {\n\tgvk := corev1.SchemeGroupVersion.WithKind(\"Secret\")\n\treturn AssertTrackingObject(gvk, namespace, name)\n}\n\n// AssertTrackingConfigMap will ensure the provided ConfigMap is being tracked\nfunc AssertTrackingConfigMap(namespace, name string) func(*testing.T, *reconcilertesting.TableRow) {\n\tgvk := corev1.SchemeGroupVersion.WithKind(\"ConfigMap\")\n\treturn AssertTrackingObject(gvk, namespace, name)\n}\n\n// AssertTrackingObject will ensure the following objects are being tracked\nfunc AssertTrackingObject(gvk schema.GroupVersionKind, namespace, name string) func(*testing.T, 
*reconcilertesting.TableRow) {\n\tapiVersion, kind := gvk.ToAPIVersionAndKind()\n\n\treturn func(t *testing.T, r *reconcilertesting.TableRow) {\n\t\ttracker := r.Ctx.Value(TrackerKey).(*reconcilertesting.FakeTracker)\n\t\trefs := tracker.References()\n\n\t\tfor _, ref := range refs {\n\t\t\tif ref.APIVersion == apiVersion &&\n\t\t\t\tref.Name == name &&\n\t\t\t\tref.Namespace == namespace &&\n\t\t\t\tref.Kind == kind {\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\n\t\tt.Errorf(\"Object was not tracked - %s, Name=%s, Namespace=%s\", gvk.String(), name, namespace)\n\t}\n}\n"
  },
  {
    "path": "pkg/reconciler/testing/v1alpha1/listers.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage testing\n\nimport (\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tfakecosignclientset \"github.com/sigstore/policy-controller/pkg/client/clientset/versioned/fake\"\n\tpolicylisters \"github.com/sigstore/policy-controller/pkg/client/listers/policy/v1alpha1\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\tfakekubeclientset \"k8s.io/client-go/kubernetes/fake\"\n\tcorev1listers \"k8s.io/client-go/listers/core/v1\"\n\t\"k8s.io/client-go/tools/cache\"\n\t\"knative.dev/pkg/reconciler/testing\"\n)\n\nvar clientSetSchemes = []func(*runtime.Scheme) error{\n\tfakekubeclientset.AddToScheme,\n\tfakecosignclientset.AddToScheme,\n}\n\ntype Listers struct {\n\tsorter testing.ObjectSorter\n}\n\nfunc NewScheme() *runtime.Scheme {\n\tscheme := runtime.NewScheme()\n\n\tfor _, addTo := range clientSetSchemes {\n\t\tif addTo(scheme) != nil {\n\t\t\tpanic(\"Failed to add to scheme\")\n\t\t}\n\t}\n\treturn scheme\n}\n\nfunc NewListers(objs []runtime.Object) Listers {\n\tscheme := runtime.NewScheme()\n\n\tfor _, addTo := range clientSetSchemes {\n\t\tif addTo(scheme) != nil {\n\t\t\tpanic(\"Failed to add to scheme\")\n\t\t}\n\t}\n\n\tls := Listers{\n\t\tsorter: testing.NewObjectSorter(scheme),\n\t}\n\n\tls.sorter.AddObjects(objs...)\n\n\treturn ls\n}\n\nfunc (l *Listers) indexerFor(obj 
runtime.Object) cache.Indexer {\n\treturn l.sorter.IndexerForObjectType(obj)\n}\n\nfunc (l *Listers) GetKubeObjects() []runtime.Object {\n\treturn l.sorter.ObjectsForSchemeFunc(fakekubeclientset.AddToScheme)\n}\n\nfunc (l *Listers) GetCosignObjects() []runtime.Object {\n\treturn l.sorter.ObjectsForSchemeFunc(fakecosignclientset.AddToScheme)\n}\n\nfunc (l *Listers) GetAllObjects() []runtime.Object {\n\tall := l.GetCosignObjects()\n\tall = append(all, l.GetKubeObjects()...)\n\treturn all\n}\n\nfunc (l *Listers) GetClusterImagePolicyLister() policylisters.ClusterImagePolicyLister {\n\treturn policylisters.NewClusterImagePolicyLister(l.indexerFor(&v1alpha1.ClusterImagePolicy{}))\n}\n\nfunc (l *Listers) GetTrustRootLister() policylisters.TrustRootLister {\n\treturn policylisters.NewTrustRootLister(l.indexerFor(&v1alpha1.TrustRoot{}))\n}\n\nfunc (l *Listers) GetSecretLister() corev1listers.SecretLister {\n\treturn corev1listers.NewSecretLister(l.indexerFor(&corev1.Secret{}))\n}\n\nfunc (l *Listers) GetConfigMapLister() corev1listers.ConfigMapLister {\n\treturn corev1listers.NewConfigMapLister(l.indexerFor(&corev1.ConfigMap{}))\n}\n"
  },
  {
    "path": "pkg/reconciler/testing/v1alpha1/trustroot.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage testing\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/types\"\n\t\"knative.dev/pkg/apis\"\n)\n\nconst finalizerNameTrustRoot = \"trustroots.policy.sigstore.dev\"\n\n// TrustRootOption enables further configuration of a TrustRoot.\ntype TrustRootOption func(*v1alpha1.TrustRoot)\n\n// NewTrustRoot creates a TrustRoot with TrustRootOptions.\nfunc NewTrustRoot(name string, o ...TrustRootOption) *v1alpha1.TrustRoot {\n\ttr := &v1alpha1.TrustRoot{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tName:       name,\n\t\t\tGeneration: 1,\n\t\t},\n\t}\n\tfor _, opt := range o {\n\t\topt(tr)\n\t}\n\ttr.SetDefaults(context.Background())\n\treturn tr\n}\n\nfunc WithTrustRootUID(uid string) TrustRootOption {\n\treturn func(tr *v1alpha1.TrustRoot) {\n\t\ttr.UID = types.UID(uid)\n\t}\n}\n\nfunc WithTrustRootResourceVersion(resourceVersion string) TrustRootOption {\n\treturn func(tr *v1alpha1.TrustRoot) {\n\t\ttr.ResourceVersion = resourceVersion\n\t}\n}\n\nfunc WithTrustRootDeletionTimestamp(tr *v1alpha1.TrustRoot) {\n\tt := metav1.NewTime(time.Unix(1e9, 0))\n\ttr.SetDeletionTimestamp(&t)\n}\n\nfunc WithTrustRootFinalizer(tr *v1alpha1.TrustRoot) {\n\ttr.Finalizers = []string{finalizerNameTrustRoot}\n}\n\n// 
WithSigstoreKeys constructs a TrustRootOption which is suitable\n// for reconciler table driven testing. It hardcodes things like\n// organizations/common names, and URI/BaseURLs with predictable\n// values.\nfunc WithSigstoreKeys(sk map[string]string) TrustRootOption {\n\treturn func(tr *v1alpha1.TrustRoot) {\n\t\ttr.Spec.SigstoreKeys = &v1alpha1.SigstoreKeys{\n\t\t\tCertificateAuthorities: []v1alpha1.CertificateAuthority{{\n\t\t\t\tSubject: v1alpha1.DistinguishedName{\n\t\t\t\t\tOrganization: \"fulcio-organization\",\n\t\t\t\t\tCommonName:   \"fulcio-common-name\",\n\t\t\t\t},\n\t\t\t\tURI:       *apis.HTTPS(\"fulcio.example.com\"),\n\t\t\t\tCertChain: []byte(sk[\"fulcio\"]),\n\t\t\t}},\n\t\t\tTLogs: []v1alpha1.TransparencyLogInstance{{\n\t\t\t\tBaseURL:       *apis.HTTPS(\"rekor.example.com\"),\n\t\t\t\tHashAlgorithm: \"sha-256\",\n\t\t\t\tPublicKey:     []byte(sk[\"rekor\"]),\n\t\t\t}},\n\t\t\tCTLogs: []v1alpha1.TransparencyLogInstance{{\n\t\t\t\tBaseURL:       *apis.HTTPS(\"ctfe.example.com\"),\n\t\t\t\tHashAlgorithm: \"sha-256\",\n\t\t\t\tPublicKey:     []byte(sk[\"ctfe\"]),\n\t\t\t}},\n\t\t\tTimeStampAuthorities: []v1alpha1.CertificateAuthority{{\n\t\t\t\tSubject: v1alpha1.DistinguishedName{\n\t\t\t\t\tOrganization: \"tsa-organization\",\n\t\t\t\t\tCommonName:   \"tsa-common-name\",\n\t\t\t\t},\n\t\t\t\tURI:       *apis.HTTPS(\"tsa.example.com\"),\n\t\t\t\tCertChain: []byte(sk[\"tsa\"]),\n\t\t\t}},\n\t\t}\n\t}\n}\n\n// WithRepository constructs a TrustRootOption which is suitable\n// for reconciler table driven testing.\nfunc WithRepository(targets string, root, repository []byte, trustedRootTarget string) TrustRootOption {\n\treturn func(tr *v1alpha1.TrustRoot) {\n\t\ttr.Spec.Repository = &v1alpha1.Repository{\n\t\t\tRoot:              root,\n\t\t\tMirrorFS:          repository,\n\t\t\tTargets:           targets,\n\t\t\tTrustedRootTarget: trustedRootTarget,\n\t\t}\n\t}\n}\n\nfunc WithInitConditionsTrustRoot(tr *v1alpha1.TrustRoot) 
{\n\ttr.Status.InitializeConditions()\n}\nfunc WithObservedGenerationTrustRoot(gen int64) TrustRootOption {\n\treturn func(tr *v1alpha1.TrustRoot) {\n\t\ttr.Status.ObservedGeneration = gen\n\t}\n}\n\nfunc MarkReadyTrustRoot(tr *v1alpha1.TrustRoot) {\n\tWithInitConditionsTrustRoot(tr)\n\ttr.Status.MarkInlineKeysOk()\n\ttr.Status.MarkCMUpdatedOK()\n\ttr.Status.ObservedGeneration = tr.Generation\n}\n\nfunc WithMarkInlineKeysOkTrustRoot(tr *v1alpha1.TrustRoot) {\n\ttr.Status.MarkInlineKeysOk()\n}\n\nfunc WithMarkInlineKeysFailedTrustRoot(msg string) TrustRootOption {\n\treturn func(tr *v1alpha1.TrustRoot) {\n\t\ttr.Status.MarkInlineKeysFailed(msg)\n\t}\n}\n\nfunc WithMarkCMUpdateFailedTrustRoot(msg string) TrustRootOption {\n\treturn func(tr *v1alpha1.TrustRoot) {\n\t\ttr.Status.MarkCMUpdateFailed(msg)\n\t}\n}\n"
  },
  {
    "path": "pkg/reconciler/trustroot/controller.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage trustroot\n\nimport (\n\t\"context\"\n\n\t\"k8s.io/client-go/tools/cache\"\n\tkubeclient \"knative.dev/pkg/client/injection/kube/client\"\n\t\"knative.dev/pkg/configmap\"\n\t\"knative.dev/pkg/controller\"\n\t\"knative.dev/pkg/logging\"\n\n\tpkgreconciler \"knative.dev/pkg/reconciler\"\n\t\"knative.dev/pkg/system\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\ttrustrootinformer \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/trustroot\"\n\ttrustrootreconciler \"github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/trustroot\"\n\t\"github.com/sigstore/policy-controller/pkg/tuf\"\n\tcminformer \"knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/configmap\"\n)\n\n// This is what the default finalizer name is, but make it explicit so we can\n// use it in tests as well.\nconst FinalizerName = \"trustroots.policy.sigstore.dev\"\n\n// NewController creates a Reconciler and returns the result of NewImpl.\nfunc NewController(\n\tctx context.Context,\n\t_ configmap.Watcher,\n) *controller.Impl {\n\ttrustrootInformer := trustrootinformer.Get(ctx)\n\tconfigMapInformer := cminformer.Get(ctx)\n\n\tr := &Reconciler{\n\t\tconfigmaplister: configMapInformer.Lister(),\n\t\tkubeclient:      kubeclient.Get(ctx),\n\t}\n\timpl := 
trustrootreconciler.NewImpl(ctx, r, func(_ *controller.Impl) controller.Options {\n\t\treturn controller.Options{FinalizerName: FinalizerName}\n\t})\n\n\tif _, err := trustrootInformer.Informer().AddEventHandler(controller.HandleAll(impl.Enqueue)); err != nil {\n\t\tlogging.FromContext(ctx).Warnf(\"Failed trustrootInformer AddEventHandler() %v\", err)\n\t}\n\n\t// When the underlying ConfigMap changes, perform a global resync on\n\t// TrustRoot to make sure their state is correctly reflected\n\t// in the ConfigMap. This is admittedly a bit heavy handed, but I don't\n\t// really see a way around it, since if something is wrong with the\n\t// ConfigMap but there are no changes to the TrustRoot, it needs\n\t// to be synced.\n\tgrCb := func(_ interface{}) {\n\t\tlogging.FromContext(ctx).Info(\"Doing a global resync on TrustRoot due to ConfigMap changing or resync period.\")\n\t\timpl.GlobalResync(trustrootInformer.Informer())\n\t}\n\t// Resync on only ConfigMap changes that pertain to the one I care about.\n\t// We could also fetch/construct the store and use CM watcher for it, but\n\t// since we need a lister for it anyways in the reconciler, just set up\n\t// the watch here.\n\t// NOTE(review): a registration failure below is only logged as a warning\n\t// and NewController still returns impl, presumably without this watch, so\n\t// changes to the ConfigMap would then not trigger a resync.\n\tif _, err := configMapInformer.Informer().AddEventHandlerWithResyncPeriod(cache.FilteringResourceEventHandler{\n\t\tFilterFunc: pkgreconciler.ChainFilterFuncs(\n\t\t\tpkgreconciler.NamespaceFilterFunc(system.Namespace()),\n\t\t\tpkgreconciler.NameFilterFunc(config.SigstoreKeysConfigName)),\n\t\tHandler: controller.HandleAll(grCb),\n\t}, tuf.FromContextOrDefaults(ctx)); err != nil {\n\t\tlogging.FromContext(ctx).Warnf(\"Failed configMapInformer AddEventHandlerWithResyncPeriod() %v\", err)\n\t}\n\treturn impl\n}\n"
  },
  {
    "path": "pkg/reconciler/trustroot/controller_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage trustroot\n\nimport (\n\t\"testing\"\n\n\t\"knative.dev/pkg/configmap\"\n\trtesting \"knative.dev/pkg/reconciler/testing\"\n\n\t// Fake injection informers\n\t_ \"github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/trustroot/fake\"\n\t_ \"knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/fake\"\n\t_ \"knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/configmap/fake\"\n\t_ \"knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake\"\n\t_ \"knative.dev/pkg/injection/clients/namespacedkube/informers/factory/fake\"\n)\n\nfunc TestNew(t *testing.T) {\n\tctx, _ := rtesting.SetupFakeContext(t)\n\n\tc := NewController(ctx, &configmap.ManualWatcher{})\n\n\tif c == nil {\n\t\tt.Fatal(\"Expected NewController to return a non-nil value\")\n\t}\n}\n"
  },
  {
    "path": "pkg/reconciler/trustroot/resources/configmap.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage resources\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"knative.dev/pkg/apis/duck\"\n)\n\n// NewConfigMap returns a new ConfigMap with an entry for the given TrustRoot.\nfunc NewConfigMap(ns, name, trName string, sk *config.SigstoreKeys) (*corev1.ConfigMap, error) {\n\tentry, err := Marshal(sk)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcm := &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: ns,\n\t\t\tName:      name,\n\t\t},\n\t\tData: map[string]string{\n\t\t\ttrName: entry,\n\t\t},\n\t}\n\treturn cm, nil\n}\n\n// CreatePatch updates a particular entry on a copy of the ConfigMap to see\n// whether it differs from the original, and returns the patch bytes for it\n// that are suitable for calling ConfigMap.Patch with.\nfunc CreatePatch(ns, name, tkName string, cm *corev1.ConfigMap, sk *config.SigstoreKeys) ([]byte, error) { //nolint: revive\n\tentry, err := Marshal(sk)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tafter := cm.DeepCopy()\n\tif after.Data == nil {\n\t\tafter.Data = make(map[string]string)\n\t}\n\tafter.Data[tkName] = entry\n\tjsonPatch, err := duck.CreatePatch(cm, after)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"creating JSON patch: %w\", 
err)\n\t}\n\tif len(jsonPatch) == 0 {\n\t\treturn nil, nil\n\t}\n\treturn jsonPatch.MarshalJSON()\n}\n\n// CreateRemovePatch removes an entry from the ConfigMap and returns the patch\n// bytes for it that's suitable for calling ConfigMap.Patch with.\nfunc CreateRemovePatch(ns, name string, cm *corev1.ConfigMap, tkName string) ([]byte, error) { //nolint: revive\n\tafter := cm.DeepCopy()\n\t// Just remove it without checking if it exists. If it doesn't, then no\n\t// patch bytes are created.\n\tdelete(after.Data, tkName)\n\tjsonPatch, err := duck.CreatePatch(cm, after)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"creating JSON patch: %w\", err)\n\t}\n\tif len(jsonPatch) == 0 {\n\t\treturn nil, nil\n\t}\n\treturn jsonPatch.MarshalJSON()\n}\n\nfunc Marshal(spec *config.SigstoreKeys) (string, error) {\n\tbytes, err := protojson.Marshal(spec)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn string(bytes), nil\n}\n"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/ctfeLogID.txt",
    "content": "d740b8dd64c961855e8953f4276369f184d833716a6a990844c923a9083d9296"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/ctfePublicKey.pem",
    "content": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8CYN5Ck/g5tRZxuHcuTl8f8cp4Vn\n31lziP9oJ2PbJd8bjWVaD4PDTLk6PVcPtiHtEeEN/JN1TtqQkUgsMlCfaw==\n-----END PUBLIC KEY-----\n"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/fulcioCert.pem",
    "content": "-----BEGIN CERTIFICATE-----\nMIIFwzCCA6ugAwIBAgIIfUmh4cIZr8QwDQYJKoZIhvcNAQELBQAwfjEMMAoGA1UE\nBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp\nc2NvMRYwFAYDVQQJEw01NDggTWFya2V0IFN0MQ4wDAYDVQQREwU1NzI3NDEZMBcG\nA1UEChMQTGludXggRm91bmRhdGlvbjAeFw0yMzEyMTQxODUxMzlaFw0yNDEyMTQx\nODUxMzlaMH4xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG\nA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UECRMNNTQ4IE1hcmtldCBTdDEOMAwG\nA1UEERMFNTcyNzQxGTAXBgNVBAoTEExpbnV4IEZvdW5kYXRpb24wggIiMA0GCSqG\nSIb3DQEBAQUAA4ICDwAwggIKAoICAQDHVwB8bv84fUgVOqjjWtMAK4i5Zl93I9ai\nzh9S/qIuJNnKx1tA87xZcAuO5riq/kXA2fZGnnP4Vsp9VaVjK9o7+1QP2rFJ4p5r\nrQlZFovvrD1e6jEaoMc06v+YY4yl37b17W9sfd+5x5wZ0ArRjPAihpdVjYJwlqDR\nB0AlSo6Vq/aM9QejMG4CS1jXrEEUV8MwRNjyT2xdR4vkc6wj47A1/rknjCtMsieS\neSmH/ZDamUGuUh5ej4/dmCiLw93Rou/yLlDcvAcFVzrrLMF/lRwUDUgoH1XDlpeC\nC1r5HB6jp1Huap9gcLNS3UCIZVpNDO0A3pjYaLBQ3bfHe6QxKuQcEd+VKqyP9SoP\ndNn31cygF28VR+k+0jU5uXxW7ilXrv7DVYMOcMNZCDA0BQdH/A3fO0ri+8t2Luo+\nEilRWROBsJTuC28sesYc5NUUoszxVUoQFAhkxE6k5rGIzxO8XplgLjx0IPxU0wjj\nVhcBa7AKkAMT7gDrPXijhJbv7Q3QVkChOdj6VTPagCS+JtWBkzGvCNJmaIrbLdWF\nTtDMXfSSZoRyn/aXjQr/OFzBf6dDxJqEMvdD5T5Gg1sldZ00KLKqEx25i8HVZ8Xo\nV4jrZOH1b9nZa3DGZOPmditlqUppvJ7c6OIGqkpE1o8mcNKko/p0dCwcHQtXgIN5\n76foyNG+twIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n/wIBATAdBgNVHQ4EFgQU6A9czPqMog/PFdvjxH3V/56BBhcwDQYJKoZIhvcNAQEL\nBQADggIBAAGqm7dJS+pNgCEUDE79S2r6c+BcH6DwTFvAujE0yvdTRdAVIo73CsqP\nW4cDFuCw2ekOhD17JUT+9PEGJv++u16X4tLHVI5QHPleU/qzZHSEIYt0AE+y9JEL\nR2RT0g11YToGzhIAto5OpOvBb1z+Q8uP5g4eK7Y8J2lVRkDk/62EtsaHTWgv9hJJ\nqsdwoUMVWxn/s0oanPjyGBMSwpoFDXX/k14NDsCGp7d2e5/DxjgYAenDTtnID3VK\nkvP46spBZ4yEbNIywjaubSXnNLsx2cY8Ypih23e8c1uQJ3O44FDYXVcqYZX9UOrK\nHS0aE5VpU5J/j2fr4hGE3SfRXXDizcZJcVWPL+k1DHKWlCREMYw12ha3Oe0uIlwK\nW7syTNnn8NgxxRgM4f83n0C/00CSqiTm8MYya3ue0m2gmCg6TguALbcIqZ3tEK3K\nvvNIbgxM0ZSePI8YktvtLTQsRK8bbianOht+CwYD2NnFKo68G0l57ByKXze0wG18\ni943+NTOvU/Le+8SEwJ4asRld3v3L8pCpNAM7JX12zoqisAnCCj3hu6waA5XvMeh\nSTj8yYtIxP1l1I1qfRJzMB9nGv9KzwmozHiw3oGJr
/G3j1u1krrQfj4S6z16Bq29\nnfILFnmk/MoeqYS6DBRY80b60289+R7CSCB5OQbQYvmjy/sxvcNO\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/fulcioCertChain.pem",
    "content": "-----BEGIN CERTIFICATE-----\nMIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2\nMDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDzENMAsGA1UEAxMEbGVhZjBZMBMG\nByqGSM49AgEGCCqGSM49AwEHA0IABCnMX5oDLqAe/zsE5lxppdszsKB9svC/LhXU\nBLOk8T65kND9SyXG8MA1+SqW2Ic6YRnm5r2j+v/CRi6lGXs0GD6jMzAxMA4GA1Ud\nDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBR3tK56OWKX6omj1P/kEWkvkiREpTAKBggq\nhkjOPQQDAgNJADBGAiEA9LiET+4DScPcPLP6IZqok40C7v3Pyo0FdUkYVC4RrdYC\nIQCRfJwlFjbw3HMQLNviY0CAhg8GAsMmsqFU/AJOlI8bgw==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2\nMDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDTELMAkGA1UEAxMCY2EwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARU9i+UOuHKRJslqkeIPM8Hvr/Onxo+rWaxEov1\nxBE+vjXl/feFCmi38gAII5/UgqEVZlF5VBBdelEZB1i4ysbwo0IwQDAOBgNVHQ8B\nAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUd7Suejlil+qJo9T/\n5BFpL5IkRKUwCgYIKoZIzj0EAwIDRwAwRAIgaFt5RQfkYGl2tQyOX/9TfBci580r\ngnM/ECKeerqByKICIBvBOG3zfWB7qFUCosjgslm5aTxWLYblddNaKGbrjz99\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/marshalledEntry.json",
    "content": "{\n  \"mediaType\":  \"application/vnd.dev.sigstore.trustedroot+json;version=0.1\",\n  \"tlogs\":  [\n    {\n      \"baseUrl\":  \"https://rekor.example.com\",\n      \"hashAlgorithm\":  \"SHA2_256\",\n      \"publicKey\":  {\n        \"rawBytes\":  \"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdHzrblmwf4hME3+Ot7L2B8FkTd1RRfssnlhi2SyUyQY8OnpN6PjF6t7XdayNxJ7XYVWeLZA/G4Kg51QC7ybJ1g==\",\n        \"keyDetails\":  \"PKIX_ECDSA_P256_SHA_256\",\n        \"validFor\":  {\n          \"start\":  \"1970-01-01T00:00:00Z\"\n        }\n      },\n      \"logId\":  {\n        \"keyId\":  \"M2E3ZWZjYTk3MGUzMGY2N2U2MTI0MzQ3MzZlMzVkNTRjMDYxZDM4OThlZmY1YjA2Mjc5ZmQ3MjIwNDM4OTY4NQ==\"\n      }\n    }\n  ],\n  \"certificateAuthorities\":  [\n    {\n      \"subject\":  {\n        \"organization\":  \"fulcio-organization\",\n        \"commonName\":  \"fulcio-common-name\"\n      },\n      \"uri\":  \"https://fulcio.example.com\",\n      \"certChain\":  {\n        \"certificates\":  [\n          {\n            \"rawBytes\":  \"MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2MDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCnMX5oDLqAe/zsE5lxppdszsKB9svC/LhXUBLOk8T65kND9SyXG8MA1+SqW2Ic6YRnm5r2j+v/CRi6lGXs0GD6jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBR3tK56OWKX6omj1P/kEWkvkiREpTAKBggqhkjOPQQDAgNJADBGAiEA9LiET+4DScPcPLP6IZqok40C7v3Pyo0FdUkYVC4RrdYCIQCRfJwlFjbw3HMQLNviY0CAhg8GAsMmsqFU/AJOlI8bgw==\"\n          },\n          {\n            \"rawBytes\":  \"MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2MDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARU9i+UOuHKRJslqkeIPM8Hvr/Onxo+rWaxEov1xBE+vjXl/feFCmi38gAII5/UgqEVZlF5VBBdelEZB1i4ysbwo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUd7Suejlil+qJo9T/5BFpL5IkRKUwCgYIKoZIzj0EAwIDRwAwRAIgaFt5RQfkYGl2tQyOX/9TfBci580rgnM/ECKeerqByKICIBvBOG3zfWB7qFUCosjgslm5aTxWLYblddNaKGbrjz99\"\n          }\n        ]\n      
},\n      \"validFor\":  {\n        \"start\":  \"1970-01-01T00:00:00Z\"\n      }\n    }\n  ],\n  \"ctlogs\":  [\n    {\n      \"baseUrl\":  \"https://ctfe.example.com\",\n      \"hashAlgorithm\":  \"SHA2_256\",\n      \"publicKey\":  {\n        \"rawBytes\":  \"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8CYN5Ck/g5tRZxuHcuTl8f8cp4Vn31lziP9oJ2PbJd8bjWVaD4PDTLk6PVcPtiHtEeEN/JN1TtqQkUgsMlCfaw==\",\n        \"keyDetails\":  \"PKIX_ECDSA_P256_SHA_256\",\n        \"validFor\":  {\n          \"start\":  \"1970-01-01T00:00:00Z\"\n        }\n      },\n      \"logId\":  {\n        \"keyId\":  \"ZDc0MGI4ZGQ2NGM5NjE4NTVlODk1M2Y0Mjc2MzY5ZjE4NGQ4MzM3MTZhNmE5OTA4NDRjOTIzYTkwODNkOTI5Ng==\"\n      }\n    }\n  ],\n  \"timestampAuthorities\":  [\n    {\n      \"subject\":  {\n        \"organization\":  \"tsa-organization\",\n        \"commonName\":  \"tsa-common-name\"\n      },\n      \"uri\":  \"https://tsa.example.com\",\n      \"certChain\":  {\n        \"certificates\":  [\n          {\n            \"rawBytes\":  \"MIIBOzCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2MDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHwOEW5q24H4uVDrH17YcWhI/LpzrOZzHCOkbQMU7IoLzpjgPydzaQWQp83vQdFai/OHe5vI7r+zKS1oyu675V+jMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBTFKWL5YXMWOmTHuhZWTiocLIkMcTAKBggqhkjOPQQDAgNGADBDAiBTsXT0nv40DIsqkLmMFxWxsBm+0mkc+ySwXEEG3LbCEAIfGS/GLJZmABwvlAfjkvVZLuzyWA4uCX3hBK6ocqm8Dw==\"\n          },\n          {\n            \"rawBytes\":  \"MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2MDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARUAPrDDnECjXNrkWdfUsIt7ceI3XHMmBakiX0Z8wabBO9U2SdiS4qWE1QGIIcOxFVtnoOb2WQJSYW14C/I+ipyo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxSli+WFzFjpkx7oWVk4qHCyJDHEwCgYIKoZIzj0EAwIDRwAwRAIgdqkiRNmnW2fA9Fg6dG7ee0gQKP7MY/XSQo8vte++W/wCIFO9GS7HG4CIwb9nFfNw9zI8yW6Kqi4rClx2fRNNiMKy\"\n          }\n        ]\n      },\n      \"validFor\": 
 {\n        \"start\":  \"1970-01-01T00:00:00Z\"\n      }\n    }\n  ]\n}"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json",
    "content": "{\n  \"tlogs\":  [\n    {\n      \"hashAlgorithm\":  \"SHA2_256\",\n      \"publicKey\":  {\n        \"rawBytes\":  \"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdHzrblmwf4hME3+Ot7L2B8FkTd1RRfssnlhi2SyUyQY8OnpN6PjF6t7XdayNxJ7XYVWeLZA/G4Kg51QC7ybJ1g==\",\n        \"keyDetails\":  \"PKIX_ECDSA_P256_SHA_256\",\n        \"validFor\":  {\n          \"start\":  \"1970-01-01T00:00:00Z\"\n        }\n      },\n      \"logId\":  {\n        \"keyId\":  \"M2E3ZWZjYTk3MGUzMGY2N2U2MTI0MzQ3MzZlMzVkNTRjMDYxZDM4OThlZmY1YjA2Mjc5ZmQ3MjIwNDM4OTY4NQ==\"\n      }\n    }\n  ],\n  \"certificateAuthorities\":  [\n    {\n      \"certChain\":  {\n        \"certificates\":  [\n          {\n            \"rawBytes\":  \"MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2MDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCnMX5oDLqAe/zsE5lxppdszsKB9svC/LhXUBLOk8T65kND9SyXG8MA1+SqW2Ic6YRnm5r2j+v/CRi6lGXs0GD6jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBR3tK56OWKX6omj1P/kEWkvkiREpTAKBggqhkjOPQQDAgNJADBGAiEA9LiET+4DScPcPLP6IZqok40C7v3Pyo0FdUkYVC4RrdYCIQCRfJwlFjbw3HMQLNviY0CAhg8GAsMmsqFU/AJOlI8bgw==\"\n          },\n          {\n            \"rawBytes\":  \"MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2MDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARU9i+UOuHKRJslqkeIPM8Hvr/Onxo+rWaxEov1xBE+vjXl/feFCmi38gAII5/UgqEVZlF5VBBdelEZB1i4ysbwo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUd7Suejlil+qJo9T/5BFpL5IkRKUwCgYIKoZIzj0EAwIDRwAwRAIgaFt5RQfkYGl2tQyOX/9TfBci580rgnM/ECKeerqByKICIBvBOG3zfWB7qFUCosjgslm5aTxWLYblddNaKGbrjz99\"\n          }\n        ]\n      },\n      \"validFor\":  {\n        \"start\":  \"1970-01-01T00:00:00Z\"\n      }\n    }\n  ],\n  \"ctlogs\":  [\n    {\n      \"hashAlgorithm\":  \"SHA2_256\",\n      \"publicKey\":  {\n        \"rawBytes\":  
\"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8CYN5Ck/g5tRZxuHcuTl8f8cp4Vn31lziP9oJ2PbJd8bjWVaD4PDTLk6PVcPtiHtEeEN/JN1TtqQkUgsMlCfaw==\",\n        \"keyDetails\":  \"PKIX_ECDSA_P256_SHA_256\",\n        \"validFor\":  {\n          \"start\":  \"1970-01-01T00:00:00Z\"\n        }\n      },\n      \"logId\":  {\n        \"keyId\":  \"ZDc0MGI4ZGQ2NGM5NjE4NTVlODk1M2Y0Mjc2MzY5ZjE4NGQ4MzM3MTZhNmE5OTA4NDRjOTIzYTkwODNkOTI5Ng==\"\n      }\n    }\n  ]\n}"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/rekorLogID.txt",
    "content": "3a7efca970e30f67e612434736e35d54c061d3898eff5b06279fd72204389685"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/rekorPublicKey.pem",
    "content": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdHzrblmwf4hME3+Ot7L2B8FkTd1R\nRfssnlhi2SyUyQY8OnpN6PjF6t7XdayNxJ7XYVWeLZA/G4Kg51QC7ybJ1g==\n-----END PUBLIC KEY-----\n"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/root.json",
    "content": "{\n \"signed\": {\n  \"_type\": \"root\",\n  \"spec_version\": \"1.0\",\n  \"version\": 1,\n  \"expires\": \"2026-07-18T08:24:13Z\",\n  \"keys\": {\n   \"0f052ad399560d75c43f80dd44fcf6a10c4971fba73517a063aab27140676628\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"01fbf6ed31f4a60f4ddc20684c9b6a62210f7cc81bf37c8abb2f18e2518a1c59\"\n    }\n   },\n   \"47f22c6ae82929f657e562ef5a5f7a44dab9f2a423ea60c963bef3f5a679a5b8\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"8ca04f921b74224e3c7b8fda0d8e1c0a40d29e9ddaa4068268c6e1e945fe7b33\"\n    }\n   },\n   \"98362a3b4a994284c5b72507d738ecdde8273e2cfe46639cbefec12d77ab3c81\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"b42259ceb0a929e7f0e34de7c6f1014562878c531f1cca89008862723f0604e3\"\n    }\n   },\n   \"b52e38b87fcd86befd146b05c90c021a8f8ac4c12f737e95488f5c4732e176be\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"666a150b3824c76d0b1fd12b4f078d56a413ebc7e52af27ea4143dc5fefe9ebd\"\n    }\n   }\n  },\n  \"roles\": {\n   \"root\": {\n    \"keyids\": [\n     \"98362a3b4a994284c5b72507d738ecdde8273e2cfe46639cbefec12d77ab3c81\"\n    ],\n    \"threshold\": 1\n   },\n   \"snapshot\": {\n    \"keyids\": [\n     \"b52e38b87fcd86befd146b05c90c021a8f8ac4c12f737e95488f5c4732e176be\"\n    ],\n    \"threshold\": 1\n   },\n   \"targets\": {\n    \"keyids\": [\n     \"47f22c6ae82929f657e562ef5a5f7a44dab9f2a423ea60c963bef3f5a679a5b8\"\n    ],\n    \"threshold\": 1\n   },\n   \"timestamp\": {\n    
\"keyids\": [\n     \"0f052ad399560d75c43f80dd44fcf6a10c4971fba73517a063aab27140676628\"\n    ],\n    \"threshold\": 1\n   }\n  },\n  \"consistent_snapshot\": true\n },\n \"signatures\": [\n  {\n   \"keyid\": \"98362a3b4a994284c5b72507d738ecdde8273e2cfe46639cbefec12d77ab3c81\",\n   \"sig\": \"3222c66bcedf8bc6a9d0dc32d2fe5c8c8599dbfb8948a744a30a7e6bd628299b86674864446236a59e6742d2236e38c2b56f786b3d257db2e6ed2c2383c73405\"\n  }\n ]\n}"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/rootWithCustomTrustedRootJSON.json",
    "content": "{\n \"signed\": {\n  \"_type\": \"root\",\n  \"spec_version\": \"1.0\",\n  \"version\": 1,\n  \"expires\": \"2026-07-18T08:24:13Z\",\n  \"keys\": {\n   \"09d76913304c807681f051c1f6a405e69dce88567987a9a05ef832619c37a515\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"c708835bb3f9da4e15246f1fe2bd6307c2bbdc790fa4dd706ab326737ecf18ac\"\n    }\n   },\n   \"98e2eb5de033b49093df9c572db565df0c419c6ee8f966ef283ede2b9605e3f6\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"2d412e542604beb9d3f8d3c6297db756ae7867ad464b04113223f6e296ae619c\"\n    }\n   },\n   \"99c6f2ed68ee12a1f79774e065c2aaf64926474903fc635df181c69354b42a45\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"a8074014766cd5e954d8fb0052c1d96a3ea24a8f57713f8b565bf59738fbd930\"\n    }\n   },\n   \"ef4513aee940067b6e65576b145c78bf4e4b0578937ac90a5988fad0015aa7d2\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"f5843909df3a7ee84bceda784a600f533d5068f0a4d8386dd0e4af385e761aeb\"\n    }\n   }\n  },\n  \"roles\": {\n   \"root\": {\n    \"keyids\": [\n     \"98e2eb5de033b49093df9c572db565df0c419c6ee8f966ef283ede2b9605e3f6\"\n    ],\n    \"threshold\": 1\n   },\n   \"snapshot\": {\n    \"keyids\": [\n     \"99c6f2ed68ee12a1f79774e065c2aaf64926474903fc635df181c69354b42a45\"\n    ],\n    \"threshold\": 1\n   },\n   \"targets\": {\n    \"keyids\": [\n     \"ef4513aee940067b6e65576b145c78bf4e4b0578937ac90a5988fad0015aa7d2\"\n    ],\n    \"threshold\": 1\n   },\n   \"timestamp\": {\n    
\"keyids\": [\n     \"09d76913304c807681f051c1f6a405e69dce88567987a9a05ef832619c37a515\"\n    ],\n    \"threshold\": 1\n   }\n  },\n  \"consistent_snapshot\": true\n },\n \"signatures\": [\n  {\n   \"keyid\": \"98e2eb5de033b49093df9c572db565df0c419c6ee8f966ef283ede2b9605e3f6\",\n   \"sig\": \"03f03fab4f85f76889ab26fb1c7c9e062c9bc1deb0682f892930d1ab5b8754027d1fc68ea4525288d75215b52908ac409e4d31f4978a239adef46e5143a8030a\"\n  }\n ]\n}"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json",
    "content": "{\n \"signed\": {\n  \"_type\": \"root\",\n  \"spec_version\": \"1.0\",\n  \"version\": 1,\n  \"expires\": \"2026-07-18T08:24:13Z\",\n  \"keys\": {\n   \"3148238dd2571a8ab01d2f7ca1dcbd2ef39a2d8a8ac4e119239619ecd7f64073\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"0b28494b749a5ae017b322c8523e24495bc7f50033447f510932aef2858d4932\"\n    }\n   },\n   \"37c1f6aac7da789076c751c18a47136aff269196076faa48fb990923a0489882\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"7c0b12362a6238bf8894aa2bf7b1f4c12c8c2060eeeaff9be9ad46c599210b65\"\n    }\n   },\n   \"a967817408b2856cbaca2df5504d1632a7a50898daf5f1c8a9aa5e061ffd3556\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"aa1f6ee30b54597b7b18fe40d29abde301cf3cf7bbfab15e5b326be465f20293\"\n    }\n   },\n   \"b75ab36dcd12107f9f22fe6438e0653ca9053bb98d94db85f1be0468d5a46974\": {\n    \"keytype\": \"ed25519\",\n    \"scheme\": \"ed25519\",\n    \"keyid_hash_algorithms\": [\n     \"sha256\",\n     \"sha512\"\n    ],\n    \"keyval\": {\n     \"public\": \"aefcc8af52bdb4c46cf00521d74e4fce5579ac74be43f3bf0079b5e1f6d7fbc8\"\n    }\n   }\n  },\n  \"roles\": {\n   \"root\": {\n    \"keyids\": [\n     \"3148238dd2571a8ab01d2f7ca1dcbd2ef39a2d8a8ac4e119239619ecd7f64073\"\n    ],\n    \"threshold\": 1\n   },\n   \"snapshot\": {\n    \"keyids\": [\n     \"a967817408b2856cbaca2df5504d1632a7a50898daf5f1c8a9aa5e061ffd3556\"\n    ],\n    \"threshold\": 1\n   },\n   \"targets\": {\n    \"keyids\": [\n     \"b75ab36dcd12107f9f22fe6438e0653ca9053bb98d94db85f1be0468d5a46974\"\n    ],\n    \"threshold\": 1\n   },\n   \"timestamp\": {\n    
\"keyids\": [\n     \"37c1f6aac7da789076c751c18a47136aff269196076faa48fb990923a0489882\"\n    ],\n    \"threshold\": 1\n   }\n  },\n  \"consistent_snapshot\": true\n },\n \"signatures\": [\n  {\n   \"keyid\": \"3148238dd2571a8ab01d2f7ca1dcbd2ef39a2d8a8ac4e119239619ecd7f64073\",\n   \"sig\": \"7fc9e6ee840c2b617a6feb54d9896769f50c51a6b01fece37f4417a1fab379fb523f1f48632076693af6b04f7e736a5e9ee8a9673c4294f2735749ddd456ab0c\"\n  }\n ]\n}"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/testdata.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n//\n// Package testdata contains test data for the trustroot reconciler. To\n// regenerate, run `make generate-testdata` from the root of the repository.\n\npackage testdata\n\nimport (\n\t\"embed\"\n)\n\n//go:embed *\nvar FS embed.FS\n\nfunc Get(filename string) []byte {\n\tfile, err := FS.ReadFile(filename)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn file\n}\n"
  },
  {
    "path": "pkg/reconciler/trustroot/testdata/tsaCertChain.pem",
    "content": "-----BEGIN CERTIFICATE-----\nMIIBOzCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2\nMDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDzENMAsGA1UEAxMEbGVhZjBZMBMG\nByqGSM49AgEGCCqGSM49AwEHA0IABHwOEW5q24H4uVDrH17YcWhI/LpzrOZzHCOk\nbQMU7IoLzpjgPydzaQWQp83vQdFai/OHe5vI7r+zKS1oyu675V+jMzAxMA4GA1Ud\nDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBTFKWL5YXMWOmTHuhZWTiocLIkMcTAKBggq\nhkjOPQQDAgNGADBDAiBTsXT0nv40DIsqkLmMFxWxsBm+0mkc+ySwXEEG3LbCEAIf\nGS/GLJZmABwvlAfjkvVZLuzyWA4uCX3hBK6ocqm8Dw==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI2\nMDExODA4MjQxMloXDTM2MDExODA4MjQxMlowDTELMAkGA1UEAxMCY2EwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARUAPrDDnECjXNrkWdfUsIt7ceI3XHMmBakiX0Z\n8wabBO9U2SdiS4qWE1QGIIcOxFVtnoOb2WQJSYW14C/I+ipyo0IwQDAOBgNVHQ8B\nAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxSli+WFzFjpkx7oW\nVk4qHCyJDHEwCgYIKoZIzj0EAwIDRwAwRAIgdqkiRNmnW2fA9Fg6dG7ee0gQKP7M\nY/XSQo8vte++W/wCIFO9GS7HG4CIwb9nFfNw9zI8yW6Kqi4rClx2fRNNiMKy\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "pkg/reconciler/trustroot/trustroot.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage trustroot\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/sigstore/cosign/v3/pkg/cosign\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\ttrustrootreconciler \"github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/trustroot\"\n\t\"github.com/sigstore/policy-controller/pkg/reconciler/trustroot/resources\"\n\t\"github.com/sigstore/policy-controller/pkg/tuf\"\n\tpbcommon \"github.com/sigstore/protobuf-specs/gen/pb-go/common/v1\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\tsigstoretuf \"github.com/sigstore/sigstore/pkg/tuf\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tapierrs \"k8s.io/apimachinery/pkg/api/errors\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/types\"\n\t\"k8s.io/client-go/kubernetes\"\n\tcorev1listers \"k8s.io/client-go/listers/core/v1\"\n\n\t\"knative.dev/pkg/logging\"\n\t\"knative.dev/pkg/reconciler\"\n\t\"knative.dev/pkg/system\"\n)\n\n// Reconciler implements ConfigMap reconciler.\n// TrustRoot resources.\ntype Reconciler struct {\n\tconfigmaplister corev1listers.ConfigMapLister\n\tkubeclient      
kubernetes.Interface\n}\n\n// Check that our Reconciler implements Interface as well as finalizer\nvar _ trustrootreconciler.Interface = (*Reconciler)(nil)\nvar _ trustrootreconciler.Finalizer = (*Reconciler)(nil)\n\n// ReconcileKind implements Interface.ReconcileKind.\nfunc (r *Reconciler) ReconcileKind(ctx context.Context, trustroot *v1alpha1.TrustRoot) reconciler.Event {\n\ttrustroot.Status.InitializeConditions()\n\tvar sigstoreKeys *config.SigstoreKeys\n\tvar err error\n\tswitch {\n\tcase trustroot.Spec.Repository != nil:\n\t\tsigstoreKeys, err = r.getSigstoreKeysFromMirrorFS(ctx, trustroot.Spec.Repository)\n\tcase trustroot.Spec.Remote != nil:\n\t\tsigstoreKeys, err = r.getSigstoreKeysFromRemote(ctx, trustroot.Spec.Remote)\n\tcase trustroot.Spec.SigstoreKeys != nil:\n\t\tsigstoreKeys, err = config.ConvertSigstoreKeys(ctx, trustroot.Spec.SigstoreKeys)\n\tdefault:\n\t\t// This should not happen since the CRD has been validated.\n\t\terr = fmt.Errorf(\"invalid TrustRoot entry: %s missing repository,remote, and sigstoreKeys\", trustroot.Name)\n\t\tlogging.FromContext(ctx).Errorf(\"Invalid trustroot entry: %s missing repository,remote, and sigstoreKeys\", trustroot.Name)\n\t}\n\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"Failed to get Sigstore Keys: %v\", err)\n\t\ttrustroot.Status.MarkInlineKeysFailed(err.Error())\n\t\treturn err\n\t}\n\ttrustroot.Status.MarkInlineKeysOk()\n\t// LogIDs for Rekor get created from the PublicKey, so we need to construct\n\t// them before serializing.\n\t// Note this is identical to what we do with CTLog PublicKeys, but they\n\t// are not restricted to being only ecdsa.PublicKey.\n\tfor i, tlog := range sigstoreKeys.Tlogs {\n\t\tpk, logID, err := pemToKeyAndID(config.SerializePublicKey(tlog.PublicKey))\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"invalid rekor public key %d: %w\", i, err)\n\t\t}\n\t\t// This needs to be ecdsa instead of crypto.PublicKey\n\t\t// https://github.com/sigstore/cosign/issues/2540\n\t\t_, ok 
:= pk.(*ecdsa.PublicKey)\n\t\tif !ok {\n\t\t\treturn fmt.Errorf(\"public key %d is not ecdsa.PublicKey\", i)\n\t\t}\n\t\tsigstoreKeys.Tlogs[i].LogId = &config.LogID{KeyId: []byte(logID)}\n\t}\n\tfor i, ctlog := range sigstoreKeys.Ctlogs {\n\t\t_, logID, err := pemToKeyAndID(config.SerializePublicKey(ctlog.PublicKey))\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"invalid ctlog public key %d: %w\", i, err)\n\t\t}\n\t\tsigstoreKeys.Ctlogs[i].LogId = &config.LogID{KeyId: []byte(logID)}\n\t}\n\n\t// See if the CM holding configs exists\n\texisting, err := r.configmaplister.ConfigMaps(system.Namespace()).Get(config.SigstoreKeysConfigName)\n\tif err != nil {\n\t\tif !apierrs.IsNotFound(err) {\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to get configmap: %v\", err)\n\t\t\ttrustroot.Status.MarkCMUpdateFailed(err.Error())\n\t\t\treturn err\n\t\t}\n\t\t// Does not exist, create it.\n\t\tcm, err := resources.NewConfigMap(system.Namespace(), config.SigstoreKeysConfigName, trustroot.Name, sigstoreKeys)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to construct configmap: %v\", err)\n\t\t\ttrustroot.Status.MarkCMUpdateFailed(err.Error())\n\t\t\treturn err\n\t\t}\n\t\t_, err = r.kubeclient.CoreV1().ConfigMaps(system.Namespace()).Create(ctx, cm, metav1.CreateOptions{})\n\t\tif err != nil {\n\t\t\ttrustroot.Status.MarkCMUpdateFailed(err.Error())\n\t\t\treturn err\n\t\t}\n\t\ttrustroot.Status.MarkCMUpdatedOK()\n\t\treturn nil\n\t}\n\n\t// Check if we need to update the configmap or not.\n\tpatchBytes, err := resources.CreatePatch(system.Namespace(), config.SigstoreKeysConfigName, trustroot.Name, existing.DeepCopy(), sigstoreKeys)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"Failed to construct patch: %v\", err)\n\t\ttrustroot.Status.MarkCMUpdateFailed(err.Error())\n\t\treturn err\n\t}\n\tif len(patchBytes) > 0 {\n\t\t_, err = r.kubeclient.CoreV1().ConfigMaps(system.Namespace()).Patch(ctx, config.SigstoreKeysConfigName, types.JSONPatchType, 
patchBytes, metav1.PatchOptions{})\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to patch: %v\", err)\n\t\t\ttrustroot.Status.MarkCMUpdateFailed(err.Error())\n\t\t\treturn err\n\t\t}\n\t}\n\ttrustroot.Status.MarkCMUpdatedOK()\n\treturn nil\n}\n\n// FinalizeKind implements Finalizer.FinalizeKind.\nfunc (r *Reconciler) FinalizeKind(ctx context.Context, trustroot *v1alpha1.TrustRoot) reconciler.Event {\n\t// See if the CM holding configs even exists\n\texisting, err := r.configmaplister.ConfigMaps(system.Namespace()).Get(config.SigstoreKeysConfigName)\n\tif err != nil {\n\t\tif !apierrs.IsNotFound(err) {\n\t\t\t// There's very little we can do here. This could happen if it's an\n\t\t\t// intermittent error, which is fine when we retry. But if something\n\t\t\t// goofy happens like we lost access to it, then it's a bit of a\n\t\t\t// pickle since the entry will exist there and we can't remove it.\n\t\t\t// So keep trying. Other option would be just to bail.\n\t\t\tlogging.FromContext(ctx).Errorf(\"Failed to get configmap: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\t// Since the CM doesn't exist, there's nothing for us to clean up.\n\t\treturn nil\n\t}\n\t// TrustRoot exists, so remove our entry from it.\n\treturn r.removeTrustRootEntry(ctx, existing, trustroot.Name)\n}\n\n// getSigstoreKeysFromMirrorFS will take a TUF Repository specification, and fetch the\n// necessary Keys / Certificates from there for Fulcio, Rekor, and CTLog.\nfunc (r *Reconciler) getSigstoreKeysFromMirrorFS(ctx context.Context, repository *v1alpha1.Repository) (*config.SigstoreKeys, error) {\n\ttufClient, err := tuf.ClientFromSerializedMirror(ctx, repository.MirrorFS, repository.Root, repository.Targets, v1alpha1.DefaultTUFRepoPrefix)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to construct TUF client from mirror: %w\", err)\n\t}\n\n\ttrustedRootTarget := \"trusted_root.json\"\n\tif repository.TrustedRootTarget != \"\" {\n\t\ttrustedRootTarget = 
repository.TrustedRootTarget\n\t}\n\n\treturn GetSigstoreKeysFromTuf(ctx, tufClient, trustedRootTarget)\n}\n\nfunc (r *Reconciler) getSigstoreKeysFromRemote(ctx context.Context, remote *v1alpha1.Remote) (*config.SigstoreKeys, error) {\n\ttufClient, err := tuf.ClientFromRemote(ctx, remote.Mirror.String(), remote.Root, remote.Targets)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to construct TUF client from remote: %w\", err)\n\t}\n\n\ttrustedRootTarget := \"trusted_root.json\"\n\tif remote.TrustedRootTarget != \"\" {\n\t\ttrustedRootTarget = remote.TrustedRootTarget\n\t}\n\n\treturn GetSigstoreKeysFromTuf(ctx, tufClient, trustedRootTarget)\n}\n\n// removeTrustRootEntry removes a TrustRoot entry from a CM. If no entry exists, it's a nop.\nfunc (r *Reconciler) removeTrustRootEntry(ctx context.Context, cm *corev1.ConfigMap, trustrootName string) error {\n\tpatchBytes, err := resources.CreateRemovePatch(system.Namespace(), config.SigstoreKeysConfigName, cm.DeepCopy(), trustrootName)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"Failed to create remove patch: %v\", err)\n\t\treturn err\n\t}\n\tif len(patchBytes) > 0 {\n\t\t_, err = r.kubeclient.CoreV1().ConfigMaps(system.Namespace()).Patch(ctx, config.SigstoreKeysConfigName, types.JSONPatchType, patchBytes, metav1.PatchOptions{})\n\t\treturn err\n\t}\n\treturn nil\n}\n\n// pemToKeyAndID takes a public key in PEM format, and turns it into\n// crypto.PublicKey and the CTLog LogId.\nfunc pemToKeyAndID(pem []byte) (crypto.PublicKey, string, error) {\n\tpk, err := cryptoutils.UnmarshalPEMToPublicKey(pem)\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"unmarshaling PEM public key: %w\", err)\n\t}\n\tlogID, err := cosign.GetTransparencyLogID(pk)\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"failed to construct LogID for rekor: %w\", err)\n\t}\n\treturn pk, logID, nil\n}\n\n// These are private to sigstore/sigstore even though I don't think they should\n// be.\ntype customMetadata struct 
{\n\tUsage  sigstoretuf.UsageKind  `json:\"usage\"`\n\tStatus sigstoretuf.StatusKind `json:\"status\"`\n\tURI    string                 `json:\"uri\"`\n}\n\ntype sigstoreCustomMetadata struct {\n\tSigstore customMetadata `json:\"sigstore\"`\n}\n\n// GetSigstoreKeysFromTuf returns the sigstore keys from the TUF updater. Note\n// that this should really be exposed from the sigstore/sigstore TUF pkg, but\n// is currently not.\nfunc GetSigstoreKeysFromTuf(ctx context.Context, tufClient *tuf.TUFClient, trustedRootTarget string) (*config.SigstoreKeys, error) {\n\tret := &config.SigstoreKeys{}\n\n\t// Try to get the trusted root target using GetTarget, which correctly\n\t// traverses TUF delegations (unlike GetTopLevelTargets).\n\tdata, err := tufClient.GetTarget(trustedRootTarget)\n\tif err == nil {\n\t\tif err := protojson.Unmarshal(data, ret); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"parsing %s: %w\", trustedRootTarget, err)\n\t\t}\n\t\treturn ret, nil\n\t}\n\t// Only fall back to legacy path if the target was not found.\n\t// Other errors (network, hash mismatch, etc.) should be propagated.\n\t// NOTE(review): \"not found\" is detected by substring match on the error\n\t// text, so this depends on the TUF client's error wording; any other error\n\t// whose text contains \"not found\" would also take the legacy path.\n\tif !strings.Contains(err.Error(), \"not found\") {\n\t\treturn nil, fmt.Errorf(\"fetching %s: %w\", trustedRootTarget, err)\n\t}\n\n\t// Fall back to using custom metadata on top-level targets (e.g. 
for\n\t// older private TUF repositories that don't have trusted_root.json).\n\ttargets, err := tufClient.GetTopLevelTargets()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"getting top-level targets: %w\", err)\n\t}\n\tfor name, targetMeta := range targets {\n\t\t// Skip any targets that do not include custom metadata.\n\t\tif targetMeta.Custom == nil {\n\t\t\tcontinue\n\t\t}\n\t\tvar scm sigstoreCustomMetadata\n\t\terr := json.Unmarshal(*targetMeta.Custom, &scm)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Warnf(\"Custom metadata not configured properly for target %s, skipping target: %v\", name, err)\n\t\t\tcontinue\n\t\t}\n\t\tdata, err := tufClient.GetTarget(name)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"downloading target %s: %w\", name, err)\n\t\t}\n\n\t\tswitch scm.Sigstore.Usage {\n\t\tcase sigstoretuf.Fulcio:\n\t\t\tcertChain, err := config.DeserializeCertChain(data)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"deserializing certificate chain: %w\", err)\n\t\t\t}\n\t\t\tret.CertificateAuthorities = append(ret.CertificateAuthorities,\n\t\t\t\t&config.CertificateAuthority{\n\t\t\t\t\tUri:       scm.Sigstore.URI,\n\t\t\t\t\tCertChain: certChain,\n\t\t\t\t\tValidFor: &config.TimeRange{\n\t\t\t\t\t\tStart: &config.Timestamp{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t)\n\t\tcase sigstoretuf.CTFE:\n\t\t\ttlog, err := genTransparencyLogInstance(scm.Sigstore.URI, data)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"creating transparency log instance: %w\", err)\n\t\t\t}\n\t\t\tret.Ctlogs = append(ret.Ctlogs, tlog)\n\t\tcase sigstoretuf.Rekor:\n\t\t\ttlog, err := genTransparencyLogInstance(scm.Sigstore.URI, data)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"creating transparency log instance: %w\", err)\n\t\t\t}\n\t\t\tret.Tlogs = append(ret.Tlogs, tlog)\n\t\t}\n\t}\n\t// Make sure there's at least a single CertificateAuthority (Fulcio there).\n\t// Some others could be optional.\n\tif len(ret.CertificateAuthorities) 
== 0 {\n\t\treturn nil, errors.New(\"no certificate authorities found\")\n\t}\n\treturn ret, nil\n}\n\nfunc genTransparencyLogInstance(baseURL string, pkBytes []byte) (*config.TransparencyLogInstance, error) {\n\tpbpk, pk, err := config.DeserializePublicKey(pkBytes)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unmarshaling PEM public key: %w\", err)\n\t}\n\tlogID, err := cosign.GetTransparencyLogID(pk)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to construct LogID: %w\", err)\n\t}\n\treturn &config.TransparencyLogInstance{\n\t\tBaseUrl:       baseURL,\n\t\tHashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,\n\t\tPublicKey:     pbpk,\n\t\tLogId:         &pbcommon.LogId{KeyId: []byte(logID)},\n\t}, nil\n}\n"
  },
  {
    "path": "pkg/reconciler/trustroot/trustroot_test.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage trustroot\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t_ \"embed\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"math/big\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"google.golang.org/protobuf/encoding/protojson\"\n\t\"knative.dev/pkg/apis\"\n\tlogtesting \"knative.dev/pkg/logging/testing\"\n\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tfakecosignclient \"github.com/sigstore/policy-controller/pkg/client/injection/client/fake\"\n\t\"github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/trustroot\"\n\tpbcommon \"github.com/sigstore/protobuf-specs/gen/pb-go/common/v1\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\tclientgotesting \"k8s.io/client-go/testing\"\n\tfakekubeclient \"knative.dev/pkg/client/injection/kube/client/fake\"\n\t\"knative.dev/pkg/configmap\"\n\t\"knative.dev/pkg/controller\"\n\t\"knative.dev/pkg/system\"\n\n\t. 
\"github.com/sigstore/policy-controller/pkg/reconciler/testing/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/reconciler/trustroot/resources\"\n\t\"github.com/sigstore/policy-controller/pkg/reconciler/trustroot/testdata\"\n\t. \"knative.dev/pkg/reconciler/testing\"\n\t_ \"knative.dev/pkg/system/testing\"\n)\n\nconst (\n\ttrName   = \"test-trustroot\"\n\ttestKey  = \"test-trustroot\"\n\ttkName2  = \"test-trustroot-2\"\n\ttestKey2 = \"test-trustroot-2\"\n\n\tresourceVersion = \"0123456789\"\n\tuid             = \"test-uid\"\n\tuid2            = \"test-uid-2\"\n\n\t// These are the public keys from an airgapped TUF repository.\n\t/* TODO(vaikas): Uncomment and test these make the roundtrip\n\t\ttufCTFE = `-----BEGIN PUBLIC KEY-----\n\t\tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJvCJi707fv5tMJ1U2TVMZ+uO4dKG\n\t\taEcvjlCkgBCKXbrkumZV0m0dSlK1V1gxEiyQ8y6hk1MxJNe2AZrZUt7a4w==\n\t\t-----END PUBLIC KEY-----\n\t`\n\t\ttufFulcio = `-----BEGIN CERTIFICATE-----\n\t\tMIIFwzCCA6ugAwIBAgIIK7xb+rqY4gEwDQYJKoZIhvcNAQELBQAwfjEMMAoGA1UE\n\t\tBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp\n\t\tc2NvMRYwFAYDVQQJEw01NDggTWFya2V0IFN0MQ4wDAYDVQQREwU1NzI3NDEZMBcG\n\t\tA1UEChMQTGludXggRm91bmRhdGlvbjAeFw0yMjEyMDgwMjE3NTFaFw0yMzEyMDgw\n\t\tMjE3NTFaMH4xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG\n\t\tA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UECRMNNTQ4IE1hcmtldCBTdDEOMAwG\n\t\tA1UEERMFNTcyNzQxGTAXBgNVBAoTEExpbnV4IEZvdW5kYXRpb24wggIiMA0GCSqG\n\t\tSIb3DQEBAQUAA4ICDwAwggIKAoICAQC142Ejlg2QxIwpNjbaeW/ft9sH1TXU6CWg\n\t\tbsvVp77vRgckSnpM3RTC/gwEwJHtX+GOTrP9ro6nFJN3G3hcFnaMHLKdGrof9iHu\n\t\t/w/lZLwQzXzVT+0ZyZxytHAWGFBvmYM4J33jH6Dj9PvqONwtSBSmZBPc/H/8EvYs\n\t\tUzxPWukhOtotSH3VXDqZ4jl96MLe0+5g2Wi7MxRX44X1RiPS14ba1ES538bThhcQ\n\t\t4SMj3uhbdsCIkcm7eF4EY3pEXQpXEEGnZGfwYgQr+6cT07Zd/WDM0NX3KxH6qRk9\n\t\tgDjPnfcMuFbOTbfD/nuvx6FNX6OUrzrZSglkLvcPIBVOW7Ln41LAb7aXmbWLFEJn\n\t\tuLooPpYYr+6NhnFDNGpsBKGKr/kvbQyDKKst3CKj9otPS1363ni41qnoA7YWSqxw\n\t\tz4185dKKc+Y7yvJQsRlr6qG1sNLO+c77fSS5VZImzNozBcRk
uLJFlX+WB0uzgQU5\n\t\ts45IZW+fK92nfu8MmKjzHR+idyr4OyjS0YSN3GMgc0UP7K6hVphLedApFpykBSFG\n\t\tUgiPZwrT+mGSVgmOXq5n1dQTCD14lEh2qt3/rff8zNc0CMANWybaMGBGQ4bhVVXe\n\t\tRKYx9u2PZjPv53p7Yb/DCdqnGEDw/HCBDiCs4oYe4daE36xUojxDSm3DaeNG68z9\n\t\tRL7gfUjAxQIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n\t\t/wIBATAdBgNVHQ4EFgQUf+lbNX0Wh4h+Q0SRthRK+KfLjqEwDQYJKoZIhvcNAQEL\n\t\tBQADggIBAEhJja0ZSKwXcaOXCYRXTE06+JbpezI5LevBhmbRQK789Rq10JeAXa7m\n\t\tEToRGlGFLH2uDT11msFKyM3v67KlE1SYVcqKmClYfIVEYH3La0uI+9rHZnWgb4Bl\n\t\ty1B8wblKJzhYQD9Z4H/gs+BAsoRX5VoFyIgkNBk1p3ftaVCbkQvS0OYtYs5iw4eK\n\t\tcI71/IsTIT3Zppj9R8IGsqwLKgzfnyNcFJdz+ohc6V22PjZMEBHCsHPO4av2LlWK\n\t\t5Y1flL+2bqTqbmO/bjfX0w4Z1DuojRcOZF7SH4O3Qu2Y7/69gH7Cp0niVCm5z+S5\n\t\t011V6PvMjrmiE+xVkxLHbYEgocbFhd5DciMCXpvsuDZojaI3FREmBqiIhKoki3rb\n\t\twuElya78bMwkZ1krp76nWso47/0+51io/WriAdr0cjmzonho7RqIE3DC77CEMkag\n\t\tZvKSmL3sff+WNSrnPlznK19NA2z4ImW9MszqPrCTQGP//BBu7SamzofVM9f4PAIr\n\t\tFTpnW6sGdpCzP8E0WUu9B+viKrtfM/9sxnI9WhfJPdrEP0iZW3vhwvgQbKb5D2OS\n\t\tU4nrVov6BWr/BnhQK8IXo1tq3j8FCRIoleXNhks4gnkOaDsW2KtVqwtK3iO3BvPb\n\t\tL5w0gdLjwMLkek72y61Xqz5WxZwNhl5YcmBKuSvmVSHvA68BVSbB\n\t\t-----END CERTIFICATE-----\n\t`\n\t\ttufRekor = `-----BEGIN PUBLIC KEY-----\n\t\tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEenlW+tMJ9ymhl858kKiD14CC06x9\n\t\tr36rTqTSiLYrdl2ZVE3mOD/KcbyBZM1/RHVKx/g1r3d0YSoVCKbF4DAvcQ==\n\t\t-----END PUBLIC KEY-----\n\t`\n\t*/\n\n\t// Just some formatting strings that make it easier to construct patches\n\t// to config map.\n\treplacePatchFmtString = `[{\"op\":\"replace\",\"path\":\"/data/%s\",\"value\":\"%s\"}]`\n\tremovePatchFmtString  = `[{\"op\":\"remove\",\"path\":\"/data/%s\"}]`\n)\n\n// testmap with prepopulated entries for creating TrustRoot resource.\n// ctfe   => CTLog Public Key\n// fulcio => CertificateAuthority certificate\n// rekor  => TLog PublicKey\n// tsa    => TimeStampAuthorities certificate chain (root, intermediate, leaf)\nvar sigstoreKeys = map[string]string{\n\t\"ctfe\":   
string(testdata.Get(\"ctfePublicKey.pem\")),\n\t\"fulcio\": string(testdata.Get(\"fulcioCertChain.pem\")),\n\t\"rekor\":  string(testdata.Get(\"rekorPublicKey.pem\")),\n\t\"tsa\":    string(testdata.Get(\"tsaCertChain.pem\")),\n}\n\n// canonicalizeSigstoreKeys round-trips the SigstoreKeys through protojson so\n// the output is deterministic for the current test run. This is necessary\n// because protojson has \"randomly deterministic\" output, meaning it will add\n// whitespace randomly depending on the digest of the executable.\n// See https://go-review.googlesource.com/c/protobuf/+/151340 and\n// https://github.com/golang/protobuf/issues/1121\nfunc canonicalizeSigstoreKeys(in []byte) []byte {\n\tkeys := &config.SigstoreKeys{}\n\terr := protojson.Unmarshal(in, keys)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tout, err := protojson.Marshal(keys)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn out\n}\n\n// This is the marshalled entry from above keys/certs with fixed values\n// (for ease of testing) for other parts.\nvar marshalledEntry = string(canonicalizeSigstoreKeys(testdata.Get(\"marshalledEntry.json\")))\n\n// this is the marshalled entry for when we construct from the repository.\nvar marshalledEntryFromMirrorFS = string(canonicalizeSigstoreKeys(testdata.Get(\"marshalledEntryFromMirrorFS.json\")))\n\nvar rekorLogID = string(testdata.Get(\"rekorLogID.txt\"))\nvar ctfeLogID = string(testdata.Get(\"ctfeLogID.txt\"))\n\n// validRepository is a valid tarred repository representing an air-gap\n// TUF repository.\nvar validRepository = testdata.Get(\"tufRepo.tar\")\n\n// IMPORTANT: The next expiration is on 2025-03-02\n// rootJSON is a valid root.json for above TUF repository.\nvar rootJSON = testdata.Get(\"root.json\")\n\n// validRepositoryWithTrustedRootJSON is a valid tarred repository representing\n// an air-gap TUF repository containing trusted_root.json.\nvar validRepositoryWithTrustedRootJSON = testdata.Get(\"tufRepoWithTrustedRootJSON.tar\")\n\n// 
IMPORTANT: The next expiration is on 2025-03-02\n// rootJSON is a valid root.json for above TUF repository.\nvar rootWithTrustedRootJSON = testdata.Get(\"rootWithTrustedRootJSON.json\")\n\n// validRepositoryWithCustomTrustedRootJSON is a valid tarred repository representing\n// an air-gap TUF repository containing custom_trusted_root.json.\nvar validRepositoryWithCustomTrustedRootJSON = testdata.Get(\"tufRepoWithCustomTrustedRootJSON.tar\")\n\n// rootWithCustomTrustedRootJSON is a valid root.json for above TUF repository.\nvar rootWithCustomTrustedRootJSON = testdata.Get(\"rootWithCustomTrustedRootJSON.json\")\n\nfunc TestReconcile(t *testing.T) {\n\ttable := TableTest{{\n\t\tName: \"bad workqueue key\",\n\t\t// Make sure Reconcile handles bad keys.\n\t\tKey: \"too/many/parts\",\n\t}, {\n\t\tName: \"key not found\",\n\t\t// Make sure Reconcile handles good keys that don't exist.\n\t\tKey: \"foo/not-found\",\n\t}, {\n\t\tName: \"TrustRoot not found\",\n\t\tKey:  testKey,\n\t}, {\n\t\tName: \"TrustRoot is being deleted, doesn't exist, no changes\",\n\t\tKey:  testKey,\n\t\tObjects: []runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootDeletionTimestamp),\n\t\t},\n\t}, {\n\t\tName: \"TrustRoot with SigstoreKeys, cm created and finalizer\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t)},\n\t\tWantCreates: []runtime.Object{\n\t\t\tmakeConfigMapWithSigstoreKeys(),\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tpatchFinalizers(system.Namespace(), trName),\n\t\t},\n\t\tWantEvents: []string{\n\t\t\tEventf(corev1.EventTypeNormal, \"FinalizerUpdate\", `Updated \"test-trustroot\" finalizers`),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: 
NewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t\tMarkReadyTrustRoot,\n\t\t\t)}},\n\t}, {\n\t\tName: \"TrustRoot with SigstoreKeys, cm exists with entry, no changes\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t),\n\t\t\tmakeConfigMapWithSigstoreKeys(),\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tpatchFinalizers(system.Namespace(), trName),\n\t\t},\n\t\tWantEvents: []string{\n\t\t\tEventf(corev1.EventTypeNormal, \"FinalizerUpdate\", `Updated \"test-trustroot\" finalizers`),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t\tMarkReadyTrustRoot,\n\t\t\t)}},\n\t}, {\n\t\tName: \"TrustRoot with SigstoreKeys, cm exists with different, replace patched\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t),\n\t\t\tmakeDifferentConfigMap(),\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tmakePatch(replacePatchFmtString, trName, marshalledEntry),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t\tMarkReadyTrustRoot,\n\t\t\t)}},\n\t}, 
{\n\t\tName: \"TrustRoot with SigstoreKeys, cm exists with different, replace patched but fails\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t),\n\t\t\tmakeDifferentConfigMap(),\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tmakePatch(replacePatchFmtString, trName, marshalledEntry),\n\t\t},\n\t\tWithReactors: []clientgotesting.ReactionFunc{\n\t\t\tInduceFailure(\"patch\", \"configmaps\"),\n\t\t},\n\t\tWantErr: true,\n\t\tWantEvents: []string{\n\t\t\tEventf(corev1.EventTypeWarning, \"InternalError\", \"inducing failure for patch configmaps\"),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t\tWithInitConditionsTrustRoot,\n\t\t\t\tWithObservedGenerationTrustRoot(1),\n\t\t\t\tWithMarkInlineKeysOkTrustRoot,\n\t\t\t\tWithMarkCMUpdateFailedTrustRoot(\"inducing failure for patch configmaps\"),\n\t\t\t)}},\n\t}, {\n\t\tName: \"Two SigstoreKeys, one deleted, verify it is removed\",\n\t\tKey:  testKey2,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: 
[]runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t),\n\t\t\tNewTrustRoot(tkName2,\n\t\t\t\tWithTrustRootUID(uid2),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithSigstoreKeys(sigstoreKeys),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t\tWithTrustRootDeletionTimestamp,\n\t\t\t),\n\t\t\tmakeConfigMapWithTwoEntries(),\n\t\t},\n\t\tWantPatches: []clientgotesting.PatchActionImpl{\n\t\t\tpatchRemoveFinalizers(system.Namespace(), testKey2),\n\t\t\tmakeRemovePatch(tkName2),\n\t\t},\n\t\tWantEvents: []string{\n\t\t\tEventf(corev1.EventTypeNormal, \"FinalizerUpdate\", `Updated \"test-trustroot-2\" finalizers`),\n\t\t},\n\t}, {\n\t\tName: \"With repository\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithRepository(\"targets\", rootJSON, validRepository, \"\"),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t),\n\t\t},\n\t\tWantCreates: []runtime.Object{\n\t\t\tmakeConfigMapWithMirrorFS(marshalledEntryFromMirrorFS),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithRepository(\"targets\", rootJSON, validRepository, \"\"),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t\tMarkReadyTrustRoot,\n\t\t\t)}},\n\t}, {\n\t\tName: \"With repository containing trusted_root.json\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithRepository(\"targets\", rootWithTrustedRootJSON, 
validRepositoryWithTrustedRootJSON, \"\"),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t),\n\t\t},\n\t\tWantCreates: []runtime.Object{\n\t\t\tmakeConfigMapWithMirrorFS(marshalledEntry),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithRepository(\"targets\", rootWithTrustedRootJSON, validRepositoryWithTrustedRootJSON, \"\"),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t\tMarkReadyTrustRoot,\n\t\t\t)}},\n\t}, {\n\t\tName: \"With repository containing custom_trusted_root.json\",\n\t\tKey:  testKey,\n\n\t\tSkipNamespaceValidation: true, // Cluster scoped\n\t\tObjects: []runtime.Object{\n\t\t\tNewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithRepository(\"targets\", rootWithCustomTrustedRootJSON, validRepositoryWithCustomTrustedRootJSON, \"custom_trusted_root.json\"),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t),\n\t\t},\n\t\tWantCreates: []runtime.Object{\n\t\t\tmakeConfigMapWithMirrorFS(marshalledEntry),\n\t\t},\n\t\tWantStatusUpdates: []clientgotesting.UpdateActionImpl{{\n\t\t\tObject: NewTrustRoot(trName,\n\t\t\t\tWithTrustRootUID(uid),\n\t\t\t\tWithTrustRootResourceVersion(resourceVersion),\n\t\t\t\tWithRepository(\"targets\", rootWithCustomTrustedRootJSON, validRepositoryWithCustomTrustedRootJSON, \"custom_trusted_root.json\"),\n\t\t\t\tWithTrustRootFinalizer,\n\t\t\t\tMarkReadyTrustRoot,\n\t\t\t)}},\n\t}}\n\n\tlogger := logtesting.TestLogger(t)\n\ttable.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, _ configmap.Watcher) controller.Reconciler {\n\t\tr := &Reconciler{\n\t\t\tconfigmaplister: listers.GetConfigMapLister(),\n\t\t\tkubeclient:      fakekubeclient.Get(ctx),\n\t\t}\n\t\treturn trustroot.NewReconciler(ctx, logger,\n\t\t\tfakecosignclient.Get(ctx), 
listers.GetTrustRootLister(),\n\t\t\tcontroller.GetEventRecorder(ctx),\n\t\t\tr)\n\t},\n\t\tfalse,\n\t\tlogger,\n\t\tnil, // Only meaningful for CIP reconciler, but reuse the same factory.\n\t))\n}\n\nfunc makeConfigMapWithSigstoreKeys() *corev1.ConfigMap {\n\tret := &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.SigstoreKeysConfigName,\n\t\t},\n\t\tData: make(map[string]string),\n\t}\n\tsource := NewTrustRoot(trName, WithSigstoreKeys(sigstoreKeys))\n\tc, err := config.ConvertSigstoreKeys(context.Background(), source.Spec.SigstoreKeys)\n\tif err != nil {\n\t\tpanic(\"failed to convert test SigstoreKeys\")\n\t}\n\tfor i := range c.Tlogs {\n\t\tc.Tlogs[i].LogId = &config.LogID{KeyId: []byte(rekorLogID)}\n\t}\n\tfor i := range c.Ctlogs {\n\t\tc.Ctlogs[i].LogId = &config.LogID{KeyId: []byte(ctfeLogID)}\n\t}\n\tmarshalled, err := resources.Marshal(c)\n\tif err != nil {\n\t\tpanic(\"failed to marshal test SigstoreKeys\")\n\t}\n\tret.Data[trName] = marshalled\n\treturn ret\n}\n\nfunc makeConfigMapWithMirrorFS(entry string) *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.SigstoreKeysConfigName,\n\t\t},\n\t\tData: map[string]string{\"test-trustroot\": entry},\n\t}\n}\n\n// Same as above, just forcing an update because the entry in the configMap\n// is not what we expect, it doesn't really matter what it is.\nfunc makeDifferentConfigMap() *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.SigstoreKeysConfigName,\n\t\t},\n\t\tData: map[string]string{\n\t\t\ttrName: `{\"uid\":\"test-uid\",\"resourceVersion\":\"0123456789\",\nimages\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"name\":\"authority-0\",\"key\":{\"data\":\"-----BEGIN NOTPUBLIC 
KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END NOTPUBLIC KEY-----\"}}]}`,\n\t\t},\n\t}\n}\n\n// Same as MakeConfigMap but a placeholder for second entry so we can remove it.\nfunc makeConfigMapWithTwoEntries() *corev1.ConfigMap {\n\treturn &corev1.ConfigMap{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tNamespace: system.Namespace(),\n\t\t\tName:      config.SigstoreKeysConfigName,\n\t\t},\n\t\tData: map[string]string{\n\t\t\ttrName:  marshalledEntry,\n\t\t\ttkName2: \"remove me please\",\n\t\t},\n\t}\n}\n\n// makePatch makes a patch that one would be able to patch ConfigMap with.\n// fmtstr defines the ops/targets, key is the actual key the operation is\n// in the configmap. patch is the unescape quoted (for ease of readability in\n// constants) that will then be escaped before creating the patch.\nfunc makePatch(fmtstr, key, patch string) clientgotesting.PatchActionImpl {\n\tescapedPatch := strings.ReplaceAll(patch, \"\\\"\", \"\\\\\\\"\")\n\tout := fmt.Sprintf(fmtstr, key, escapedPatch)\n\treturn clientgotesting.PatchActionImpl{\n\t\tActionImpl: clientgotesting.ActionImpl{\n\t\t\tNamespace: system.Namespace(),\n\t\t},\n\t\tName:  config.SigstoreKeysConfigName,\n\t\tPatch: []byte(out),\n\t}\n}\n\n// makeRemovePatch makes a patch suitable for removing from a configmap.\nfunc makeRemovePatch(key string) clientgotesting.PatchActionImpl {\n\treturn clientgotesting.PatchActionImpl{\n\t\tActionImpl: clientgotesting.ActionImpl{\n\t\t\tNamespace: system.Namespace(),\n\t\t},\n\t\tName:  config.SigstoreKeysConfigName,\n\t\tPatch: []byte(fmt.Sprintf(removePatchFmtString, key)),\n\t}\n}\n\nfunc patchFinalizers(namespace, name string) clientgotesting.PatchActionImpl {\n\taction := clientgotesting.PatchActionImpl{}\n\taction.Name = name\n\taction.Namespace = namespace\n\tpatch := `{\"metadata\":{\"finalizers\":[\"` + FinalizerName + `\"],\"resourceVersion\":\"` + resourceVersion 
+ `\"}}`\n\taction.Patch = []byte(patch)\n\treturn action\n}\n\nfunc patchRemoveFinalizers(namespace, name string) clientgotesting.PatchActionImpl {\n\taction := clientgotesting.PatchActionImpl{}\n\taction.Name = name\n\taction.Namespace = namespace\n\tpatch := `{\"metadata\":{\"finalizers\":[],\"resourceVersion\":\"` + resourceVersion + `\"}}`\n\taction.Patch = []byte(patch)\n\treturn action\n}\n\n// TestConvertSigstoreKeys tests marshalling / unmarshalling to the configmap and back.\n// This is here instead of in the pkg/apis/config because of import cycles and\n// having both types v1alpha1.SigstoreTypes and config.SigstoreTypes being\n// available makes testing way easier, and due to import cycles we can't put\n// that in config and yet import v1alpha1.\nfunc TestConvertSigstoreKeys(t *testing.T) {\n\titemsPerEntry := 2\n\n\ttype key struct {\n\t\tpem []byte\n\t\tder []byte\n\t}\n\ttype testTlog struct {\n\t\turl           string\n\t\thashAlgorithm string\n\t\tpublicKey     key\n\t}\n\ttype testCA struct {\n\t\turl        string\n\t\torg        string\n\t\tcommonName string\n\t\tcertChain  []key\n\t}\n\ttype testData struct {\n\t\ttlogs  []testTlog\n\t\tctlogs []testTlog\n\t\tcas    []testCA\n\t\ttsas   []testCA\n\t}\n\n\thashAlgorithms := []string{\"sha-256\", \"sha-512\"}\n\thashAlgorithmMap := map[string]pbcommon.HashAlgorithm{\"sha-256\": pbcommon.HashAlgorithm_SHA2_256, \"sha-512\": pbcommon.HashAlgorithm_SHA2_512}\n\n\ttest := testData{}\n\n\t// construct test data\n\tfor i := 0; i < itemsPerEntry; i++ {\n\t\tfor _, service := range []string{\"tlog\", \"ctlog\"} {\n\t\t\tpriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to generate ecdsa key: %v\", err)\n\t\t\t}\n\t\t\tder, err := x509.MarshalPKIXPublicKey(priv.Public().(*ecdsa.PublicKey))\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to marshal ecdsa key: %v\", err)\n\t\t\t}\n\t\t\tpem := pem.EncodeToMemory(&pem.Block{Type: \"PUBLIC KEY\", 
Bytes: der})\n\t\t\ttlog := testTlog{\n\t\t\t\turl:           fmt.Sprintf(\"https://%s-%d.example.com\", service, i),\n\t\t\t\thashAlgorithm: hashAlgorithms[i%2],\n\t\t\t\tpublicKey:     key{pem, der},\n\t\t\t}\n\n\t\t\tswitch service {\n\t\t\tcase \"tlog\":\n\t\t\t\ttest.tlogs = append(test.tlogs, tlog)\n\t\t\tcase \"ctlog\":\n\t\t\t\ttest.ctlogs = append(test.ctlogs, tlog)\n\t\t\t}\n\t\t}\n\t\tfor _, service := range []string{\"fulcio\", \"tsa\"} {\n\t\t\tpriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to generate ecdsa key: %v\", err)\n\t\t\t}\n\t\t\ttemplate := x509.Certificate{\n\t\t\t\tSerialNumber: big.NewInt(1),\n\t\t\t\tSubject: pkix.Name{\n\t\t\t\t\tCommonName: \"Test Certificate\",\n\t\t\t\t},\n\t\t\t\tNotBefore:             time.Now(),\n\t\t\t\tNotAfter:              time.Now().AddDate(1, 0, 0),\n\t\t\t\tKeyUsage:              x509.KeyUsageDigitalSignature,\n\t\t\t\tBasicConstraintsValid: true,\n\t\t\t}\n\t\t\tder, err := x509.CreateCertificate(rand.Reader, &template, &template, priv.Public(), priv)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to create x509 certificate: %v\", err)\n\t\t\t}\n\t\t\tpem := pem.EncodeToMemory(&pem.Block{Type: \"CERTIFICATE\", Bytes: der})\n\t\t\tca := testCA{\n\t\t\t\turl:        fmt.Sprintf(\"https://%s-%d.example.com\", service, i),\n\t\t\t\torg:        fmt.Sprintf(\"Test Org %d for %s\", i, service),\n\t\t\t\tcommonName: fmt.Sprintf(\"Test CA %d for %s\", i, service),\n\t\t\t\tcertChain:  []key{{pem, der}},\n\t\t\t}\n\n\t\t\tswitch service {\n\t\t\tcase \"fulcio\":\n\t\t\t\ttest.cas = append(test.cas, ca)\n\t\t\tcase \"tsa\":\n\t\t\t\ttest.tsas = append(test.tsas, ca)\n\t\t\t}\n\t\t}\n\t}\n\n\t// create and populate source\n\tsource := v1alpha1.SigstoreKeys{}\n\n\tfor _, tlog := range test.tlogs {\n\t\turl, err := apis.ParseURL(tlog.url)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to parse url: %v\", err)\n\t\t}\n\t\tsource.TLogs = 
append(source.TLogs, v1alpha1.TransparencyLogInstance{\n\t\t\tBaseURL:       *url,\n\t\t\tHashAlgorithm: tlog.hashAlgorithm,\n\t\t\tPublicKey:     tlog.publicKey.pem,\n\t\t})\n\t}\n\tfor _, ctlog := range test.ctlogs {\n\t\turl, err := apis.ParseURL(ctlog.url)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to parse url: %v\", err)\n\t\t}\n\t\tsource.CTLogs = append(source.CTLogs, v1alpha1.TransparencyLogInstance{\n\t\t\tBaseURL:       *url,\n\t\t\tHashAlgorithm: ctlog.hashAlgorithm,\n\t\t\tPublicKey:     ctlog.publicKey.pem,\n\t\t})\n\t}\n\tfor _, ca := range test.cas {\n\t\turl, err := apis.ParseURL(ca.url)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to parse url: %v\", err)\n\t\t}\n\t\tsource.CertificateAuthorities = append(source.CertificateAuthorities, v1alpha1.CertificateAuthority{\n\t\t\tSubject: v1alpha1.DistinguishedName{\n\t\t\t\tOrganization: ca.org,\n\t\t\t\tCommonName:   ca.commonName,\n\t\t\t},\n\t\t\tURI:       *url,\n\t\t\tCertChain: ca.certChain[0].pem,\n\t\t})\n\t}\n\tfor _, tsa := range test.tsas {\n\t\turl, err := apis.ParseURL(tsa.url)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to parse url: %v\", err)\n\t\t}\n\t\tsource.TimeStampAuthorities = append(source.TimeStampAuthorities, v1alpha1.CertificateAuthority{\n\t\t\tSubject: v1alpha1.DistinguishedName{\n\t\t\t\tOrganization: tsa.org,\n\t\t\t\tCommonName:   tsa.commonName,\n\t\t\t},\n\t\t\tURI:       *url,\n\t\t\tCertChain: tsa.certChain[0].pem,\n\t\t})\n\t}\n\n\t// convert from v1alpha1 to config and let's marshal to configmap and back\n\t// to make sure we exercise the path from:\n\t// v1alpha1 => config => configMap => back (this is what reconciler will\n\t// use to call cosign verification functions with).\n\tconverted, err := config.ConvertSigstoreKeys(context.Background(), &source)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to convert entry: %v\", err)\n\t}\n\tmarshalled, err := resources.Marshal(converted)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to marshal entry: %v\", 
err)\n\t}\n\ttkMap := map[string]string{\"test-entry\": marshalled}\n\tskMap, err := config.NewSigstoreKeysFromMap(tkMap)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to construct from map entry: %v\", err)\n\t}\n\tsk := skMap.SigstoreKeys[\"test-entry\"]\n\tif len(sk.Tlogs) != 2 {\n\t\tt.Errorf(\"Not enough TLog entries, want 2 got %d\", len(sk.Tlogs))\n\t}\n\tif len(sk.Ctlogs) != 2 {\n\t\tt.Errorf(\"Not enough CTLog entries, want 2 got %d\", len(sk.Ctlogs))\n\t}\n\tif len(sk.CertificateAuthorities) != 2 {\n\t\tt.Errorf(\"Not enough CertificateAuthority entries, want 2 got %d\", len(sk.CertificateAuthorities))\n\t}\n\tif len(sk.TimestampAuthorities) != 2 {\n\t\tt.Errorf(\"Not enough TimestampAuthorities entries, want 2 got %d\", len(sk.TimestampAuthorities))\n\t}\n\t// Verify TLog, CTLog\n\tfor i := 0; i < itemsPerEntry; i++ {\n\t\tfor _, service := range []string{\"tlog\", \"ctlog\"} {\n\t\t\tvar entry *config.TransparencyLogInstance\n\t\t\tvar tlog testTlog\n\t\t\tswitch service {\n\t\t\tcase \"tlog\":\n\t\t\t\tentry = sk.Tlogs[i]\n\t\t\t\ttlog = test.tlogs[i]\n\t\t\tcase \"ctlog\":\n\t\t\t\tentry = sk.Ctlogs[i]\n\t\t\t\ttlog = test.ctlogs[i]\n\t\t\tdefault:\n\t\t\t\tpanic(\"invalid type\")\n\t\t\t}\n\t\t\tif entry.BaseUrl != tlog.url {\n\t\t\t\tt.Errorf(\"Unexpected BaseUrl for %s %d wanted %s got %s\", service, i, tlog.url, entry.BaseUrl)\n\t\t\t}\n\t\t\tif entry.HashAlgorithm != hashAlgorithmMap[tlog.hashAlgorithm] {\n\t\t\t\tt.Errorf(\"Unexpected HashAlgorithm for %s %d wanted %s got %s\", service, i, tlog.hashAlgorithm, entry.HashAlgorithm)\n\t\t\t}\n\t\t\tif !bytes.Equal(entry.PublicKey.RawBytes, tlog.publicKey.der) {\n\t\t\t\tt.Errorf(\"Unexpected PublicKey for %s %d wanted %s got %s\", service, i, tlog.publicKey.der, entry.PublicKey.RawBytes)\n\t\t\t}\n\t\t}\n\t}\n\t// Verify CertificateAuthority, TimestampAuthorities\n\tfor i := 0; i < itemsPerEntry; i++ {\n\t\tfor _, prefix := range []string{\"fulcio\", \"tsa\"} {\n\t\t\tvar entry 
*config.CertificateAuthority\n\t\t\tvar ca testCA\n\t\t\tswitch prefix {\n\t\t\tcase \"fulcio\":\n\t\t\t\tentry = sk.CertificateAuthorities[i]\n\t\t\t\tca = test.cas[i]\n\t\t\tcase \"tsa\":\n\t\t\t\tentry = sk.TimestampAuthorities[i]\n\t\t\t\tca = test.tsas[i]\n\t\t\tdefault:\n\t\t\t\tpanic(\"invalid type\")\n\t\t\t}\n\t\t\tif entry.Uri != ca.url {\n\t\t\t\tt.Errorf(\"Unexpected Uri for %s %d wanted %s got %s\", prefix, i, ca.url, entry.Uri)\n\t\t\t}\n\t\t\tif entry.Subject.Organization != ca.org {\n\t\t\t\tt.Errorf(\"Unexpected Organization for %s %d wanted %s got %s\", prefix, i, ca.org, entry.Subject.Organization)\n\t\t\t}\n\t\t\tif entry.Subject.CommonName != ca.commonName {\n\t\t\t\tt.Errorf(\"Unexpected CommonName for %s %d wanted %s got %s\", prefix, i, ca.commonName, entry.Subject.CommonName)\n\t\t\t}\n\t\t\tif !bytes.Equal(entry.CertChain.Certificates[0].RawBytes, ca.certChain[0].der) {\n\t\t\t\tt.Errorf(\"Unexpected CertChain for %s %d wanted %s got %s\", prefix, i, ca.certChain[0].der, entry.CertChain.Certificates[0].RawBytes)\n\t\t\t}\n\t\t}\n\t}\n}\n"
  },
  {
    "path": "pkg/tuf/context.go",
    "content": "//\n// Copyright 2024 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage tuf\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\t\"knative.dev/pkg/controller\"\n)\n\ntype trustrootResyncPeriodKey struct{}\n\n// ToContext returns a context that includes a key trustrootResyncPeriod\n// set to the included duration\nfunc ToContext(ctx context.Context, duration time.Duration) context.Context {\n\treturn context.WithValue(ctx, trustrootResyncPeriodKey{}, duration)\n}\n\n// FromContextOrDefaults returns a stored trustrootResyncPeriod if attached.\n// If not found, it returns a default duration\nfunc FromContextOrDefaults(ctx context.Context) time.Duration {\n\tx, ok := ctx.Value(trustrootResyncPeriodKey{}).(time.Duration)\n\tif ok {\n\t\treturn x\n\t}\n\treturn controller.DefaultResyncPeriod\n}\n"
  },
  {
    "path": "pkg/tuf/context_test.go",
    "content": "//\n// Copyright 2024 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage tuf\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"knative.dev/pkg/controller\"\n\trtesting \"knative.dev/pkg/reconciler/testing\"\n)\n\nfunc TestContextDuration(t *testing.T) {\n\tctx, _ := rtesting.SetupFakeContext(t)\n\n\texpected := controller.DefaultResyncPeriod\n\tactual := FromContextOrDefaults(ctx)\n\tif expected != actual {\n\t\tt.Fatal(\"Expected the context to store the value and be retrievable\")\n\t}\n\n\texpected = time.Hour\n\tctx = ToContext(ctx, expected)\n\tactual = FromContextOrDefaults(ctx)\n\n\tif expected != actual {\n\t\tt.Fatal(\"Expected the context to store the value and be retrievable\")\n\t}\n}\n"
  },
  {
    "path": "pkg/tuf/repo.go",
    "content": "// Copyright 2022 The Sigstore Authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//      http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage tuf\n\nimport (\n\t\"archive/tar\"\n\t\"bytes\"\n\t\"compress/gzip\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing/fstest\"\n\t\"time\"\n\n\t\"github.com/sigstore/sigstore-go/pkg/root\"\n\tsigstoretuf \"github.com/sigstore/sigstore-go/pkg/tuf\"\n\t\"github.com/sigstore/sigstore/pkg/tuf\"\n\t\"github.com/theupdateframework/go-tuf/v2/metadata\"\n\ttufconfig \"github.com/theupdateframework/go-tuf/v2/metadata/config\"\n\t\"github.com/theupdateframework/go-tuf/v2/metadata/fetcher\"\n\t\"github.com/theupdateframework/go-tuf/v2/metadata/updater\"\n\t\"sigs.k8s.io/release-utils/version\"\n)\n\nvar (\n\t// uaString is meant to resemble the User-Agent sent by browsers with requests.\n\t// See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent\n\tuaString = fmt.Sprintf(\"cosign/%s (%s; %s)\", version.GetVersionInfo().GitVersion, runtime.GOOS, runtime.GOARCH)\n)\n\nfunc CompressFS(fsys fs.FS, buf io.Writer, skipDirs map[string]bool) error {\n\t// tar > gzip > buf\n\tzr := gzip.NewWriter(buf)\n\ttw := tar.NewWriter(zr)\n\n\twalkErr := fs.WalkDir(fsys, \"repository\", func(file string, d fs.DirEntry, walkErr error) error {\n\t\tif walkErr != nil {\n\t\t\t// If we encounter an error walking, just return it and give 
up.\n\t\t\treturn walkErr\n\t\t}\n\t\t// Skip the 'keys' and 'staged' directory\n\t\tif d.IsDir() && skipDirs[d.Name()] {\n\t\t\treturn filepath.SkipDir\n\t\t}\n\n\t\t// Stat the file to get the details of it.\n\t\tfi, err := fs.Stat(fsys, file)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"fs.Stat %s: %w\", file, err)\n\t\t}\n\t\theader, err := tar.FileInfoHeader(fi, file)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"FileInfoHeader %s: %w\", file, err)\n\t\t}\n\t\theader.Name = filepath.ToSlash(file)\n\t\tif err := tw.WriteHeader(header); err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// For files, write the contents.\n\t\tif !d.IsDir() {\n\t\t\tdata, err := fsys.Open(file)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"opening %s: %w\", file, err)\n\t\t\t}\n\t\t\tif _, err := io.Copy(tw, data); err != nil {\n\t\t\t\treturn fmt.Errorf(\"copying %s: %w\", file, err)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\n\tif walkErr != nil {\n\t\ttw.Close()\n\t\tzr.Close()\n\t\treturn fmt.Errorf(\"WalkDir: %w\", walkErr)\n\t}\n\n\tif err := tw.Close(); err != nil {\n\t\tzr.Close()\n\t\treturn fmt.Errorf(\"tar.NewWriter Close(): %w\", err)\n\t}\n\treturn zr.Close()\n}\n\nfunc Uncompress(src io.Reader, dst string) error {\n\tzr, err := gzip.NewReader(src)\n\tif err != nil {\n\t\treturn err\n\t}\n\ttr := tar.NewReader(zr)\n\n\t// uncompress each element\n\tfor {\n\t\theader, err := tr.Next()\n\t\tif errors.Is(err, io.EOF) {\n\t\t\tbreak // End of archive\n\t\t}\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\ttarget, err := sanitizeArchivePath(dst, header.Name)\n\t\t// validate name against path traversal\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\t// check the type\n\t\tswitch header.Typeflag {\n\t\t// Create directories\n\t\tcase tar.TypeDir:\n\t\t\tif _, err := os.Stat(target); err != nil {\n\t\t\t\tif err := os.MkdirAll(target, os.ModePerm); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t// Write out files\n\t\tcase tar.TypeReg:\n\t\t\tif 
header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115\n\t\t\t\treturn errors.New(\"invalid mode value in tar header\")\n\t\t\t}\n\t\t\tfileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode)) //nolint:gosec // disable G115\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\t// Copy the contents in 1024-byte chunks; this is the form gosec accepts\n\t\t\t// for G110 (potential DoS vulnerability via decompression bomb).\n\t\t\t// NOTE(review): the loop runs until EOF, so it does not cap the total\n\t\t\t// bytes written; a size limit would have to be enforced separately.\n\t\t\tfor {\n\t\t\t\t_, err := io.CopyN(fileToWrite, tr, 1024)\n\t\t\t\tif err != nil {\n\t\t\t\t\tif errors.Is(err, io.EOF) {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif err := fileToWrite.Close(); err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to close file %s: %w\", target, err)\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\n// sanitizeArchivePath joins t onto d and rejects the result unless it starts\n// with the cleaned d. From https://github.com/securego/gosec/issues/324\n// NOTE(review): the check is a plain string prefix with no path-separator\n// boundary, so it is weaker than comparing against filepath.Clean(d) plus a\n// trailing separator; confirm that is acceptable for every caller.\nfunc sanitizeArchivePath(d, t string) (v string, err error) {\n\tv = filepath.Join(d, t)\n\tif strings.HasPrefix(v, filepath.Clean(d)) {\n\t\treturn v, nil\n\t}\n\n\treturn \"\", fmt.Errorf(\"%s: %s\", \"content filepath is tainted\", t)\n}\n\n// UncompressMemFS takes a TUF repository that's been compressed with CompressFS\n// and returns FS backed by memory.\nfunc UncompressMemFS(src io.Reader, stripPrefix string) (fs.FS, error) {\n\ttestFS := fstest.MapFS{}\n\n\tzr, err := gzip.NewReader(src)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer zr.Close()\n\ttr := tar.NewReader(zr)\n\n\t// uncompress each element\n\tfor {\n\t\theader, err := tr.Next()\n\t\t// EOF is unwrapped\n\t\t//nolint:errorlint\n\t\tif err == io.EOF {\n\t\t\tbreak // End of archive\n\t\t}\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\ttarget, err := sanitizeArchivePath(\"/\", header.Name)\n\t\t// validate name against path traversal\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\t// Remove the prefix if given. 
Note that paths are relative to root, so\n\t\t// no '/' is allowed, so we always remove that.\n\t\ttarget = strings.TrimPrefix(target, stripPrefix)\n\t\ttarget = strings.TrimPrefix(target, \"/\")\n\t\t// check the type\n\t\tswitch header.Typeflag {\n\t\t// Create directories\n\t\tcase tar.TypeDir:\n\t\t\ttestFS[target] = &fstest.MapFile{\n\t\t\t\tMode:    os.ModeDir,\n\t\t\t\tModTime: header.ModTime,\n\t\t\t}\n\t\t// Write out files\n\t\tcase tar.TypeReg:\n\t\t\tdata := make([]byte, header.Size)\n\t\t\t_, err := tr.Read(data)\n\t\t\t// EOF is unwrapped\n\t\t\t//nolint:errorlint\n\t\t\tif err != nil && err != io.EOF {\n\t\t\t\treturn nil, fmt.Errorf(\"reading file %s : %w\", header.Name, err)\n\t\t\t}\n\t\t\tif header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115\n\t\t\t\treturn nil, errors.New(\"invalid mode value in tar header\")\n\t\t\t}\n\t\t\ttestFS[target] = &fstest.MapFile{\n\t\t\t\tData:    data,\n\t\t\t\tMode:    os.FileMode(header.Mode), //nolint:gosec // disable G115\n\t\t\t\tModTime: header.ModTime,\n\t\t\t}\n\t\t}\n\t}\n\treturn testFS, nil\n}\n\n// fsFetcher implements the go-tuf v2 fetcher.Fetcher interface using an fs.FS.\ntype fsFetcher struct {\n\tfsys    fs.FS\n\tbaseURL string\n}\n\nfunc (f *fsFetcher) DownloadFile(urlPath string, maxLength int64, timeout time.Duration) ([]byte, error) {\n\tpath := strings.TrimPrefix(urlPath, f.baseURL)\n\tpath = strings.TrimPrefix(path, \"/\")\n\tdata, err := fs.ReadFile(f.fsys, path)\n\tif err != nil {\n\t\tif errors.Is(err, fs.ErrNotExist) {\n\t\t\t// Return ErrDownloadHTTP with 404 so the TUF updater recognizes missing\n\t\t\t// files (e.g. 
during root rotation when 2.root.json doesn't exist).\n\t\t\treturn nil, &metadata.ErrDownloadHTTP{StatusCode: http.StatusNotFound, URL: urlPath}\n\t\t}\n\t\treturn nil, &metadata.ErrDownload{Msg: fmt.Sprintf(\"reading %s: %v\", path, err)}\n\t}\n\tif maxLength > 0 && int64(len(data)) > maxLength {\n\t\treturn nil, &metadata.ErrDownloadLengthMismatch{Msg: fmt.Sprintf(\"file %s is %d bytes, max %d\", path, len(data), maxLength)}\n\t}\n\treturn data, nil\n}\n\n// TUFClient wraps a sigstore-go TUF client for delegation-aware target\n// retrieval and provides lazy access to a raw go-tuf v2 updater for\n// legacy target enumeration via GetTopLevelTargets.\ntype TUFClient struct {\n\tclient *sigstoretuf.Client\n\n\t// Fields for lazy-initialized raw updater (legacy enumeration only).\n\tonce        sync.Once\n\tupdater     *updater.Updater\n\tupdaterErr  error\n\tmetadataURL string\n\trootJSON    []byte\n\ttargetsURL  string\n\tfetcher     fetcher.Fetcher\n}\n\n// GetTarget downloads a target by name, correctly traversing TUF delegations.\nfunc (c *TUFClient) GetTarget(target string) ([]byte, error) {\n\treturn c.client.GetTarget(target)\n}\n\n// GetTopLevelTargets returns the top-level target files metadata. 
This does\n// not traverse delegations and should only be used for legacy fallback paths.\n// The raw updater is lazily initialized on first call to avoid a double TUF\n// refresh when only GetTarget is needed.\nfunc (c *TUFClient) GetTopLevelTargets() (map[string]*metadata.TargetFiles, error) {\n\tc.once.Do(func() {\n\t\tc.updater, c.updaterErr = newRawUpdater(c.metadataURL, c.rootJSON, c.targetsURL, c.fetcher)\n\t})\n\tif c.updaterErr != nil {\n\t\treturn nil, c.updaterErr\n\t}\n\treturn c.updater.GetTopLevelTargets(), nil\n}\n\n// ClientFromSerializedMirror will construct a TUF client by\n// unzip/untar the repository and constructing an in-memory TUF\n// client for it.\nfunc ClientFromSerializedMirror(_ context.Context, repo, rootJSON []byte, targets, stripPrefix string) (*TUFClient, error) {\n\ttufFS, err := UncompressMemFS(bytes.NewReader(repo), stripPrefix)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to uncompress: %w\", err)\n\t}\n\n\tconst baseURL = \"mem://repo/\"\n\tf := &fsFetcher{fsys: tufFS, baseURL: baseURL}\n\n\topts := sigstoretuf.DefaultOptions().\n\t\tWithRoot(rootJSON).\n\t\tWithRepositoryBaseURL(baseURL).\n\t\tWithDisableLocalCache().\n\t\tWithFetcher(f)\n\n\tclient, err := sigstoretuf.New(opts)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create TUF client: %w\", err)\n\t}\n\n\treturn &TUFClient{\n\t\tclient:      client,\n\t\tmetadataURL: baseURL,\n\t\trootJSON:    rootJSON,\n\t\ttargetsURL:  baseURL + targets + \"/\",\n\t\tfetcher:     f,\n\t}, nil\n}\n\n// ClientFromRemote will construct a TUF client from a root and mirror.\nfunc ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets string) (*TUFClient, error) {\n\tf := fetcher.NewDefaultFetcher()\n\tf.SetHTTPUserAgent(uaString)\n\tf.SetHTTPClient(&http.Client{Timeout: 30 * time.Second})\n\n\topts := 
sigstoretuf.DefaultOptions().\n\t\tWithRoot(rootJSON).\n\t\tWithRepositoryBaseURL(mirror).\n\t\tWithDisableLocalCache().\n\t\tWithFetcher(f)\n\n\tclient, err := sigstoretuf.New(opts)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create TUF client: %w\", err)\n\t}\n\n\treturn &TUFClient{\n\t\tclient:      client,\n\t\tmetadataURL: mirror,\n\t\trootJSON:    rootJSON,\n\t\ttargetsURL:  mirror + \"/\" + targets + \"/\",\n\t\tfetcher:     f,\n\t}, nil\n}\n\n// newRawUpdater creates a go-tuf v2 updater for legacy target enumeration.\nfunc newRawUpdater(metadataURL string, rootJSON []byte, targetsURL string, f fetcher.Fetcher) (*updater.Updater, error) {\n\tcfg, err := tufconfig.New(metadataURL, rootJSON)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcfg.Fetcher = f\n\tcfg.RemoteTargetsURL = targetsURL\n\tcfg.DisableLocalCache = true\n\tcfg.PrefixTargetsWithHash = true\n\n\tu, err := updater.New(cfg)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif err := u.Refresh(); err != nil {\n\t\treturn nil, err\n\t}\n\treturn u, nil\n}\n\nvar (\n\tmu          sync.RWMutex\n\ttimestamp   time.Time\n\ttrustedRoot *root.TrustedRoot\n)\n\n// GetTrustedRoot returns the trusted root for the TUF repository, fetching\n// trusted_root.json again once the resync period from ctx has elapsed and\n// otherwise returning the cached value.\n// NOTE(review): timestamp is read below before mu is taken, so concurrent\n// callers can race on it; confirm whether the check should move under the lock.\nfunc GetTrustedRoot(ctx context.Context) (*root.TrustedRoot, error) {\n\tresyncPeriodDuration := FromContextOrDefaults(ctx)\n\tnow := time.Now().UTC()\n\t// check if timestamp has never been set or if the current time\n\t// is after the current timestamp value plus the included resync duration\n\tif timestamp.IsZero() || now.After(timestamp.Add(resyncPeriodDuration)) {\n\t\tmu.Lock()\n\t\tdefer mu.Unlock()\n\n\t\ttufClient, err := tuf.NewFromEnv(context.Background())\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"initializing tuf: %w\", err)\n\t\t}\n\t\t// TODO: add support for custom trusted root path\n\t\ttargetBytes, err := tufClient.GetTarget(\"trusted_root.json\")\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"error getting targets: %w\", 
err)\n\t\t}\n\t\ttrustedRoot, err = root.NewTrustedRootFromJSON(targetBytes)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"error creating trusted root: %w\", err)\n\t\t}\n\n\t\ttimestamp = now\n\n\t\treturn trustedRoot, nil\n\t}\n\n\tmu.RLock()\n\tdefer mu.RUnlock()\n\n\treturn trustedRoot, nil\n}\n"
  },
  {
    "path": "pkg/tuf/repo_test.go",
    "content": "// Copyright 2022 The Sigstore Authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//      http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage tuf\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\t\"testing/fstest\"\n\t\"time\"\n\n\t\"github.com/theupdateframework/go-tuf\"\n\t\"github.com/theupdateframework/go-tuf/v2/metadata\"\n\t\"knative.dev/pkg/logging\"\n)\n\nconst (\n\tfulcioRootCert = `-----BEGIN CERTIFICATE-----\nMIICNzCCAd2gAwIBAgITPLBoBQhl1hqFND9S+SGWbfzaRTAKBggqhkjOPQQDAjBo\nMQswCQYDVQQGEwJVSzESMBAGA1UECBMJV2lsdHNoaXJlMRMwEQYDVQQHEwpDaGlw\ncGVuaGFtMQ8wDQYDVQQKEwZSZWRIYXQxDDAKBgNVBAsTA0NUTzERMA8GA1UEAxMI\ndGVzdGNlcnQwHhcNMjEwMzEyMjMyNDQ5WhcNMzEwMjI4MjMyNDQ5WjBoMQswCQYD\nVQQGEwJVSzESMBAGA1UECBMJV2lsdHNoaXJlMRMwEQYDVQQHEwpDaGlwcGVuaGFt\nMQ8wDQYDVQQKEwZSZWRIYXQxDDAKBgNVBAsTA0NUTzERMA8GA1UEAxMIdGVzdGNl\ncnQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRn+Alyof6xP3GQClSwgV0NFuY\nYEwmKP/WLWr/LwB6LUYzt5v49RlqG83KuaJSpeOj7G7MVABdpIZYWwqAiZV3o2Yw\nZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU\nT8Jwm6JuVb0dsiuHUROiHOOVHVkwHwYDVR0jBBgwFoAUT8Jwm6JuVb0dsiuHUROi\nHOOVHVkwCgYIKoZIzj0EAwIDSAAwRQIhAJkNZmP6sKA+8EebRXFkBa9DPjacBpTc\nOljJotvKidRhAiAuNrIazKEw2G4dw8x1z6EYk9G+7fJP5m93bjm/JfMBtA==\n-----END CERTIFICATE-----`\n\n\tctlogPublicKey = `-----BEGIN RSA PUBLIC 
KEY-----\nMIICCgKCAgEAu1Ah4n2P8JGt92Qg86FdR8f1pou43yndggMuRCX0JB+bLn1rUFRA\nKQVd+xnnd4PXJLLdml8ZohCr0lhBuMxZ7zBzt0T98kblUCxBgABPNpWIkTgacyC8\nMlIYY/yBSuDWAJOA5IKi4Hh9nI+Mmb/FXgbOz5a5mZx8w7pMiTMu0+Rd9cPzRkUZ\nDQfZsLONr6PwmyCAIL1oK80fevxKZPME0UV8bFPWnRxeVaFr5ddd/DOenV8H6SPy\nr4ODbSOItpl53y6Az0m3FTIUf8cSsyR7dfE4zpA3M4djjtoKDNFRsTjU2RWVQW9X\nMaxzznGVGhLEwkC+sYjR5NQvH5iiRvV18q+CGQqNX2+WWM3SPuty3nc86RBNR0FO\ngSQA0TL2OAs6bJNmfzcwZxAKYbj7/88tj6qrjLaQtFTbBm2a7+TAQfs3UTiQi00z\nEDYqeSj2WQvacNm1dWEAyx0QNLHiKGTn4TShGj8LUoGyjJ26Y6VPsotvCoj8jM0e\naN8Pc9/AYywVI+QktjaPZa7KGH3XJHJkTIQQRcUxOtDstKpcriAefDs8jjL5ju9t\n5J3qEvgzmclNJKRnla4p3maM0vk+8cC7EXMV4P1zuCwr3akaHFJo5Y0aFhKsnHqT\nc70LfiFo//8/QsvyjLIUtEWHTkGeuf4PpbYXr5qpJ6tWhG2MARxdeg8CAwEAAQ==\n-----END RSA PUBLIC KEY-----`\n\n\trekorPublicKey = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEF6j2sTItLcs0wKoOpMzI+9lJmCzf\nN6mY2prOeaBRV2dnsJzC94hOxkM5pSp9nbAK1TBOI45fOOPsH2rSR++HrA==\n-----END PUBLIC KEY-----`\n\n\t// validRepository is a valid tar/gzipped repository representing an air-gap\n\t// TUF repository.\n\tvalidRepository = 
`H4sIAAAAAAAA/+xcW1MbOdPOtX+Fi9t8G0stqSWlai9m7AEMGLBjjl+9ldLRGBsMHoOBt/a/vzXmTA5kF3Cyu/NUJfYcGLW6NU8/oiXG4WSU9yej8eW7NwMhhEghZp+EkKefs+9UUMYo5VDcRxlQ/q4q3s6ke5zlEzN+R8h4NJp8777nrj/t3N8E9/Gv0Q9FHz8c5qPj122j8Ady/q34cyD0SfwFI+JddS5O/JfH/7+V6kLe7x0Hv/Cx+t9KtbrweXJ5EhY+VheKHi/8X3EqPwnu83kY5/3RcXGFfiDXF+7P0dlxuDjpj0Ne3AME8Dcif6OqS9RH4B8p27/+oUG4zG8aqy6QSAQYz7QWSLwUjrOoiPecRxfRUOK4ljRaI5mg0hBkxliQlBOUiKBuHzR77K3lwYMQVM+aK8x3B+HoaxcG4bLvPx+Y/OCzGfZG4/7k4Kgw7f9nl6sL+YEBgTd3zw4FhYXZ0X/uH3FuhndWVBdOzuyw74rGCI02YvCMRm6QRO69A4KKO23RIAAlUTqnqI1MOmWshUhVAEGVoU7o64b+KP7/Y9baApcRwKEJCjToiEIGgRCiMCJKw7k3VkcwHFgwSJxGZkNkURiU2gj7KztLOUN41ECt5AA8MCetit4QrwJ1xHDiQQftvTGcoAJUDgMNmosYpGXsS2dpxRAMs9xozUFxJ6wEQaSXTAXnfVAgWQAXA0dk2tkQg6PgpTSWOUV/YWdZDiC0C5YYDTrISALjPkiHkRLKBYKSyglGI3XOKE2IUggSWCRIePiKs6yAwJRVMjqv0IboKUdLhNPEEaBGRWUcdxSiZDJowZWKwnHJIFCJNvzCzkJEQwWxTAF3Ej2xNHoKlkcilRdoOGXBOhkEmAgyGE45807EEIMO1j90VuXGYQvj0TDck9iMKR96oO8f2v/ikfioq5ODccgPRsOCsOmDEObH5iQ/+K4hL47yDxkyMeNemOTfsePFPPZjdvSPQj4xRyffseTF6ecZS+4GjBsd5/18Eo4nnx8EajI+C5XZHbMkbCZn19mzMO96aM0sLobxiwfRzSjp94qnMSgCgNYFH5V1aLQn3jHwEINwyimhtbfRKs2VkZwbRowMaD2CAq2tQpRcIeccgaEROqDk4AEYBqYcWIFRKrTMg5DeQsDgwQFTzEnGiSj89kel+p/KHz9bAP3L8Uj/347MV54DPKP/KRXwRP8jRVbq/3ngO/r/jqfeYA5wFCbmLn3eJIzZqLvn6mE47k0OiscyFDcEW2iE+7x7rwU+VheEVNyitdZqHxUz3FCjhVUuOiBUCqeUITE4E33gGqWODIC6aJ223oroopHKKMEkiIJNhZHSGwNSUBQsSK2cx2i8Uga9lFJFobHQXYFJq4m8kQk3hj5wyl0e+EGif3GSfkT03DOggQZOVBCojTFUAmHoCJNMeQfOQaA+ghSCaAUCBaWOBURKjDEcLVrjDUXGVNBEMeWokoEIghSLxB11JFojR+2EJQIQlEBng9MCI4GS6H9tPOL/hy/iK7bxDP+DAPGU/wmBkv/nge/w/62OfwP6fzJFWHCTGD6chKOvsb9Uz5M/RqEQBBVKqEidt045RzxDSYjTkjgSKPcO0CDVnmhLNAvSBggYHYlcKqSReu+9NpYq4ilqErjVIUYqNVgTiylKUFY75yUNRChiiLQSNIVAHpO/O8sno6OHhvZ7+WQ0vp8lV6sLZ7npzdxc7y5mt3Pb6kI+MZOzmfcSN+mfh/srZ+N+cfq6qev56KMpfDwbuv7oG17U+ge8SKNHzmIgIZAoOXPKiiK5gKXMoXFIlDdWyOgJiiCYRSG9Z2BBRaRWmUi5pagCISQSCZF5ydApzxQzaLykIiqmFCGRcuKkURhl5KCt8IwIeIkXF2e9fw0/jsNgNH7JYIxWEhGsVp4QkF56rRU3qC2KwJUCxzUKNCJEjtyZaBSSgExZ8C5KEQ1DDgDMqIiKokNBDRUcpSNMWSGJlMRGBhSASBOohagVpww
0KFTcvcSNnaLzL/Pin5A6L/49wCOp45QPwiPTIphCqEQRhEUlbTBCREqN9BqoBialgWIaa2JELiJTkRLqQGqC1kltJVhNkGMstBGjRAmromHKcycJJUFp4FJYSXURSCG0YToS9beUOg/y/xtVf/5S/YdyLPP/PFDWf8r6z6/grLL+U9Z/yvpPWf8p6z9l/afE/PBA/79R9ecv1X8I8FL/zwNl/aes/5T1n38vHvD/zWv4+m2QP73+myOKcv33PPBl/Gub5mI5GB/G+QdSe42awDfifhd/EI/HAgEhGL6rXszDAbfxn0dbvyAoquqJmRz8/pWB8LPrQR/uS1qVn+2nfyrmEfbn9L/k+Jj/GaFMlvp/HvitQJotNder9azTbS4260k3m52ttJrNdPOwnorVpJH0snrxr5WMlur106VPLa7TpFVvJeSifpWspL317TRpdZOj9YNWyncb3SZUWo3sYqOR8NZh+6I1HO02ui14cm7auMrWW0m+lNCtLLloZXZp+2D/MN1vpa2lSnp53VLSy+5aTabZckKaSVo/bu2KUWPtNAm1qzwTw4uTE59f5aupzs/rtbWD3a1KurYxUF0Ug/WG/nS5u6RaCX3/6XQHmg73OsdHYgyH789r9U4fh0u7OVlq4GHrKrloJbywyFca0yytTdtZMm0uTRtJLPq5/KmVLTWSnV7aYZNVgRs7q7s4Ojqkm7VBtjM4H/Q72Uk3WU17vdPKweBwY7PdbiS99ZWkkS4l/SzRa/2s+543PrlNt7m2ic3909GAk7o8Z5uXI7LotwZ723XeGfu9eqXZrnfiynS4eGinbLnVXls/7++RenLQU0tJ3jrKTxe3asnKxrCpbG/6+++VWfCy9caXAX0u2J+69VSZu2Cnrx/sbrbWSga3wa7vQTbd6SbdtOduPdVMC7ddf2+l6XS9niSdLd1/v7VxtrzaWcmHp4PQ3Gyp5fNxbeP4YvR+vGMustE5rVyk2fvzw91hLYbF+lGfqV7SbIraVu80294fLortNPVhmO2ntM8vczsdkea03Ug2ZjFtq7SSRJUV/Ux67WljutfY7pBu0l6upcnWNCkGwlXir2/m2WKvveXlp7NwOOwP35+ujHS3VhHp4smaaA46q1vTem+vuTrab14dkmL0NDrTZNpJmj2zOBGddhzsLQ1h0r7c2K3pbkxdXygyrvSOW7WsvhrC+DS9XG3Wm+l5urHEruJOKk8Xt+qj/LCXD4+E6V7srO3ZoffrZnXJjg+vtP5O4L/9/j+n/15jZc2z+o/jU/0HXJb6bx6giN/Ufz97VdWH22Vhpfp7M8wj7M/oPwIIX+g/Tkr9Nw88kASbW+las15dzfZuFMHiYJpN95Zvklg9ad8ltEbSdo12L8lUfW9d1Ae1nph09i/Olt1Zd6iicid8+7jC6PCqv6lHK7BpV7yyhzvbpsE3G921AW5uu81Jf3mShWy9trJOu5PT9mCrl7eG9WgeqZinZv1sj/2z8Fz+f43FjM/nf/k0/zPJy/w/D1CU38z/P3sh64e7pbjlS/9WmEfY/3T+Bylpuf9jLnhh/vfLV2M7PJpGftDK2PuNiVyDVC0Oup52Kp2Y58fDgz58uty6bO+pjeOTddw8XMSJ3PXmcv1iRe7ube+Etf2ktsRXe4K26/LSrtBemf/nhS/f/9dfAv7M+/+V/V8Cebn/dy4o93+V+7/K/V/l/q9y/9e/fv/X3XrpOe//plSwL/7+h6Rl/p8Hvpf/79bPv/UC0Ecrj79Cu0h/RANAoCQSTRmitSFCIJIwQMkjMdKiIJ4rpFwwKr0UTNFoXVDceOlJ8ER5KpkGSwn10jJ0hmtPDZXRW2+shwhFd0Bawp3QIhrFuC74GhljUr3aAtAX70l4xIpKcgyMExaVA8PQWoLKU+RUOWKIi5I5cMEEL50R3AvDKNOUMWBguLPaUO44KzhVWMK1DdHGSJUQgRLhvVQiBssEOCNVcKCNpDwqpqnkQAj/W7JiiRIlSvz
z8b8AAAD//1nncb4AXAAA`\n\n\t// IMPORTANT: The next expiration is on '2026-07-18T08:24:13Z'\n\t// Steps to generate:\n\t// 1. cgit clone github.com/sigstore/scaffolding\n\t// 2. run ./hack/setup-kind.sh\n\t// 3. export KO_DOCKER_REPO=registry.local:5001/sigstore\n\t// 4. run ./hack/setup-scaffolding.sh\n\t// 5. get the secrets from the kind cluster\n\t//    kubectl get secrets -o yaml -n tuf-system tuf-root\n\trootJSON = `ewogInNpZ25lZCI6IHsKICAiX3R5cGUiOiAicm9vdCIsCiAgInNwZWNfdmVyc2lvbiI6ICIxLjAiLAogICJ2ZXJzaW9uIjogMSwKICAiZXhwaXJlcyI6ICIyMDI2LTA3LTE4VDA4OjI0OjEzWiIsCiAgImtleXMiOiB7CiAgICIwZjA1MmFkMzk5NTYwZDc1YzQzZjgwZGQ0NGZjZjZhMTBjNDk3MWZiYTczNTE3YTA2M2FhYjI3MTQwNjc2NjI4IjogewogICAgImtleXR5cGUiOiAiZWQyNTUxOSIsCiAgICAic2NoZW1lIjogImVkMjU1MTkiLAogICAgImtleWlkX2hhc2hfYWxnb3JpdGhtcyI6IFsKICAgICAic2hhMjU2IiwKICAgICAic2hhNTEyIgogICAgXSwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICIwMWZiZjZlZDMxZjRhNjBmNGRkYzIwNjg0YzliNmE2MjIxMGY3Y2M4MWJmMzdjOGFiYjJmMThlMjUxOGExYzU5IgogICAgfQogICB9LAogICAiNDdmMjJjNmFlODI5MjlmNjU3ZTU2MmVmNWE1ZjdhNDRkYWI5ZjJhNDIzZWE2MGM5NjNiZWYzZjVhNjc5YTViOCI6IHsKICAgICJrZXl0eXBlIjogImVkMjU1MTkiLAogICAgInNjaGVtZSI6ICJlZDI1NTE5IiwKICAgICJrZXlpZF9oYXNoX2FsZ29yaXRobXMiOiBbCiAgICAgInNoYTI1NiIsCiAgICAgInNoYTUxMiIKICAgIF0sCiAgICAia2V5dmFsIjogewogICAgICJwdWJsaWMiOiAiOGNhMDRmOTIxYjc0MjI0ZTNjN2I4ZmRhMGQ4ZTFjMGE0MGQyOWU5ZGRhYTQwNjgyNjhjNmUxZTk0NWZlN2IzMyIKICAgIH0KICAgfSwKICAgIjk4MzYyYTNiNGE5OTQyODRjNWI3MjUwN2Q3MzhlY2RkZTgyNzNlMmNmZTQ2NjM5Y2JlZmVjMTJkNzdhYjNjODEiOiB7CiAgICAia2V5dHlwZSI6ICJlZDI1NTE5IiwKICAgICJzY2hlbWUiOiAiZWQyNTUxOSIsCiAgICAia2V5aWRfaGFzaF9hbGdvcml0aG1zIjogWwogICAgICJzaGEyNTYiLAogICAgICJzaGE1MTIiCiAgICBdLAogICAgImtleXZhbCI6IHsKICAgICAicHVibGljIjogImI0MjI1OWNlYjBhOTI5ZTdmMGUzNGRlN2M2ZjEwMTQ1NjI4NzhjNTMxZjFjY2E4OTAwODg2MjcyM2YwNjA0ZTMiCiAgICB9CiAgIH0sCiAgICJiNTJlMzhiODdmY2Q4NmJlZmQxNDZiMDVjOTBjMDIxYThmOGFjNGMxMmY3MzdlOTU0ODhmNWM0NzMyZTE3NmJlIjogewogICAgImtleXR5cGUiOiAiZWQyNTUxOSIsCiAgICAic2NoZW1lIjogImVkMjU1MTkiLAogICAgImtleWlkX2hhc2hfYWxnb3JpdGhtcyI6IFs
KICAgICAic2hhMjU2IiwKICAgICAic2hhNTEyIgogICAgXSwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICI2NjZhMTUwYjM4MjRjNzZkMGIxZmQxMmI0ZjA3OGQ1NmE0MTNlYmM3ZTUyYWYyN2VhNDE0M2RjNWZlZmU5ZWJkIgogICAgfQogICB9CiAgfSwKICAicm9sZXMiOiB7CiAgICJyb290IjogewogICAgImtleWlkcyI6IFsKICAgICAiOTgzNjJhM2I0YTk5NDI4NGM1YjcyNTA3ZDczOGVjZGRlODI3M2UyY2ZlNDY2MzljYmVmZWMxMmQ3N2FiM2M4MSIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9LAogICAic25hcHNob3QiOiB7CiAgICAia2V5aWRzIjogWwogICAgICJiNTJlMzhiODdmY2Q4NmJlZmQxNDZiMDVjOTBjMDIxYThmOGFjNGMxMmY3MzdlOTU0ODhmNWM0NzMyZTE3NmJlIgogICAgXSwKICAgICJ0aHJlc2hvbGQiOiAxCiAgIH0sCiAgICJ0YXJnZXRzIjogewogICAgImtleWlkcyI6IFsKICAgICAiNDdmMjJjNmFlODI5MjlmNjU3ZTU2MmVmNWE1ZjdhNDRkYWI5ZjJhNDIzZWE2MGM5NjNiZWYzZjVhNjc5YTViOCIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9LAogICAidGltZXN0YW1wIjogewogICAgImtleWlkcyI6IFsKICAgICAiMGYwNTJhZDM5OTU2MGQ3NWM0M2Y4MGRkNDRmY2Y2YTEwYzQ5NzFmYmE3MzUxN2EwNjNhYWIyNzE0MDY3NjYyOCIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9CiAgfSwKICAiY29uc2lzdGVudF9zbmFwc2hvdCI6IHRydWUKIH0sCiAic2lnbmF0dXJlcyI6IFsKICB7CiAgICJrZXlpZCI6ICI5ODM2MmEzYjRhOTk0Mjg0YzViNzI1MDdkNzM4ZWNkZGU4MjczZTJjZmU0NjYzOWNiZWZlYzEyZDc3YWIzYzgxIiwKICAgInNpZyI6ICIzMjIyYzY2YmNlZGY4YmM2YTlkMGRjMzJkMmZlNWM4Yzg1OTlkYmZiODk0OGE3NDRhMzBhN2U2YmQ2MjgyOTliODY2NzQ4NjQ0NDYyMzZhNTllNjc0MmQyMjM2ZTM4YzJiNTZmNzg2YjNkMjU3ZGIyZTZlZDJjMjM4M2M3MzQwNSIKICB9CiBdCn0=`\n)\n\nfunc TestCompressUncompressFS(t *testing.T) {\n\tfiles := map[string][]byte{\n\t\t\"fulcio_v1.crt.pem\": []byte(fulcioRootCert),\n\t\t\"ctfe.pub\":          []byte(ctlogPublicKey),\n\t\t\"rekor.pub\":         []byte(rekorPublicKey),\n\t}\n\trepo, dir, err := createRepo(context.Background(), files)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to CreateRepo: %s\", err)\n\t}\n\tdefer os.RemoveAll(dir)\n\n\tvar buf bytes.Buffer\n\tfsys := os.DirFS(dir)\n\tif err = CompressFS(fsys, &buf, map[string]bool{\"keys\": true, \"staged\": true}); err != nil {\n\t\tt.Fatalf(\"Failed to compress: %v\", err)\n\t}\n\tos.WriteFile(\"/tmp/newcompressed\", buf.Bytes(), 
os.ModePerm)\n\tdstDir := t.TempDir()\n\tif err = Uncompress(&buf, dstDir); err != nil {\n\t\tt.Fatalf(\"Failed to uncompress: %v\", err)\n\t}\n\t// Then check that files have been uncompressed there.\n\tmeta, err := repo.GetMeta()\n\tif err != nil {\n\t\tt.Errorf(\"Failed to GetMeta: %s\", err)\n\t}\n\troot := meta[\"root.json\"]\n\n\t// This should have roundtripped to the new directory.\n\trtRoot, err := os.ReadFile(filepath.Join(dstDir, \"repository\", \"root.json\"))\n\tif err != nil {\n\t\tt.Errorf(\"Failed to read the roundtripped root %v\", err)\n\t}\n\tif !bytes.Equal(root, rtRoot) {\n\t\tt.Errorf(\"Roundtripped root differs:\\n%s\\n%s\", string(root), string(rtRoot))\n\t}\n\n\t// As well as, say rekor.pub under targets dir\n\trtRekor, err := os.ReadFile(filepath.Join(dstDir, \"repository\", \"targets\", \"rekor.pub\"))\n\tif err != nil {\n\t\tt.Errorf(\"Failed to read the roundtripped rekor %v\", err)\n\t}\n\tif !bytes.Equal(files[\"rekor.pub\"], rtRekor) {\n\t\tt.Errorf(\"Roundtripped rekor differs:\\n%s\\n%s\", rekorPublicKey, string(rtRekor))\n\t}\n}\n\nfunc createRepo(ctx context.Context, files map[string][]byte) (tuf.LocalStore, string, error) {\n\t// TODO: Make this an in-memory fileystem.\n\t//\ttmpDir := os.TempDir()\n\t//\tdir := tmpDir + \"tuf\"\n\tdir := \"/tmp/tuf\"\n\terr := os.Mkdir(dir, os.ModePerm)\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"failed to create tmp TUF dir: %w\", err)\n\t}\n\tdir += \"/\"\n\tlogging.FromContext(ctx).Infof(\"Creating the FS in %q\", dir)\n\tlocal := tuf.FileSystemStore(dir, nil)\n\n\t// Create and commit a new TUF repo with the targets to the store.\n\tlogging.FromContext(ctx).Infof(\"Creating new repo in %q\", dir)\n\tr, err := tuf.NewRepoIndent(local, \"\", \" \")\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"failed to NewRepoIndent: %w\", err)\n\t}\n\n\t// Added by vaikas\n\tif err := r.Init(false); err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"failed to Init repo: %w\", 
err)\n\t}\n\n\t// Make all metadata files expire in 6 months.\n\texpires := time.Now().AddDate(0, 6, 0)\n\n\tfor _, role := range []string{\"root\", \"targets\", \"snapshot\", \"timestamp\"} {\n\t\t_, err := r.GenKeyWithExpires(role, expires)\n\t\tif err != nil {\n\t\t\treturn nil, \"\", fmt.Errorf(\"failed to GenKeyWithExpires: %w\", err)\n\t\t}\n\t}\n\n\ttargets := make([]string, 0, len(files))\n\tfor k, v := range files {\n\t\tlogging.FromContext(ctx).Infof(\"Adding %s file\", k)\n\t\tif err := writeStagedTarget(dir, k, v); err != nil {\n\t\t\treturn nil, \"\", fmt.Errorf(\"failed to write staged target %s: %w\", k, err)\n\t\t}\n\t\ttargets = append(targets, k)\n\t}\n\terr = r.AddTargetsWithExpires(targets, nil, expires)\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"failed to add AddTargetsWithExpires: %w\", err)\n\t}\n\n\t// Snapshot, Timestamp, and Publish the repository.\n\tif err := r.SnapshotWithExpires(expires); err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"failed to add SnapShotWithExpires: %w\", err)\n\t}\n\tif err := r.TimestampWithExpires(expires); err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"failed to add TimestampWithExpires: %w\", err)\n\t}\n\tif err := r.Commit(); err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"failed to Commit: %w\", err)\n\t}\n\treturn local, dir, nil\n}\n\nfunc writeStagedTarget(dir, path string, data []byte) error {\n\tpath = filepath.Join(dir, \"staged\", \"targets\", path)\n\tif err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {\n\t\treturn err\n\t}\n\n\treturn os.WriteFile(path, data, 0644)\n}\n\nfunc TestFsFetcherNotFound(t *testing.T) {\n\ttestFS := fstest.MapFS{\n\t\t\"existing.json\": &fstest.MapFile{Data: []byte(`{\"hello\":\"world\"}`)},\n\t}\n\tf := &fsFetcher{fsys: testFS, baseURL: \"mem://test/\"}\n\n\t// Existing file should succeed\n\tdata, err := f.DownloadFile(\"mem://test/existing.json\", 0, 0)\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error for existing file: %v\", err)\n\t}\n\tif 
string(data) != `{\"hello\":\"world\"}` {\n\t\tt.Errorf(\"unexpected data: %s\", data)\n\t}\n\n\t// Missing file should return ErrDownloadHTTP with 404\n\t_, err = f.DownloadFile(\"mem://test/missing.json\", 0, 0)\n\tif err == nil {\n\t\tt.Fatal(\"expected error for missing file\")\n\t}\n\tvar httpErr *metadata.ErrDownloadHTTP\n\tif !errors.As(err, &httpErr) || httpErr.StatusCode != 404 {\n\t\tt.Errorf(\"expected ErrDownloadHTTP{404}, got: %v\", err)\n\t}\n}\n\nfunc TestFsFetcherMaxLength(t *testing.T) {\n\ttestFS := fstest.MapFS{\n\t\t\"big.json\": &fstest.MapFile{Data: make([]byte, 100)},\n\t}\n\tf := &fsFetcher{fsys: testFS, baseURL: \"mem://test/\"}\n\n\t// Should succeed when maxLength is 0 (unlimited)\n\t_, err := f.DownloadFile(\"mem://test/big.json\", 0, 0)\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error: %v\", err)\n\t}\n\n\t// Should fail when file exceeds maxLength\n\t_, err = f.DownloadFile(\"mem://test/big.json\", 50, 0)\n\tif err == nil {\n\t\tt.Fatal(\"expected error for oversized file\")\n\t}\n\tvar lenErr *metadata.ErrDownloadLengthMismatch\n\tif !errors.As(err, &lenErr) {\n\t\tt.Errorf(\"expected ErrDownloadLengthMismatch, got: %v\", err)\n\t}\n}\n\nfunc TestDownloadTargetFromSerializedMirror(t *testing.T) {\n\trepo, err := base64.StdEncoding.DecodeString(validRepository)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to decode validrepository: %v\", err)\n\t}\n\troot, err := base64.StdEncoding.DecodeString(rootJSON)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to decode rootJSON: %v\", err)\n\t}\n\ttufClient, err := ClientFromSerializedMirror(context.Background(), repo, root, \"targets\", \"/repository/\")\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to create client: %v\", err)\n\t}\n\n\t// Download each target via GetTarget and verify it has content\n\ttargets, err := tufClient.GetTopLevelTargets()\n\tif err != nil {\n\t\tt.Fatalf(\"GetTopLevelTargets error: %v\", err)\n\t}\n\tfor name := range targets {\n\t\tdata, err := 
tufClient.GetTarget(name)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"GetTarget(%s) error: %v\", name, err)\n\t\t\tcontinue\n\t\t}\n\t\tif len(data) == 0 {\n\t\t\tt.Errorf(\"GetTarget(%s) returned empty data\", name)\n\t\t}\n\t}\n}\n\nfunc TestClientFromSerializedMirror(t *testing.T) {\n\trepo, err := base64.StdEncoding.DecodeString(validRepository)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to decode validrepository: %v\", err)\n\t}\n\troot, err := base64.StdEncoding.DecodeString(rootJSON)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to decode rootJSON: %v\", err)\n\t}\n\ttufClient, err := ClientFromSerializedMirror(context.Background(), repo, root, \"targets\", \"/repository/\")\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unserialize repo: %v\", err)\n\t}\n\ttargets, err := tufClient.GetTopLevelTargets()\n\tif err != nil {\n\t\tt.Fatalf(\"GetTopLevelTargets error: %v\", err)\n\t}\n\tif len(targets) == 0 {\n\t\tt.Errorf(\"Got no targets from the TUF client\")\n\t}\n}\n\nfunc TestClientFromRemoteMirror(t *testing.T) {\n\tfiles := map[string][]byte{\n\t\t\"fulcio_v1.crt.pem\": []byte(fulcioRootCert),\n\t\t\"ctfe.pub\":          []byte(ctlogPublicKey),\n\t\t\"rekor.pub\":         []byte(rekorPublicKey),\n\t}\n\tlocal, dir, err := createRepo(context.Background(), files)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to CreateRepo: %s\", err)\n\t}\n\tdefer os.RemoveAll(dir)\n\tmeta, err := local.GetMeta()\n\tif err != nil {\n\t\tt.Fatalf(\"getting meta: %v\", err)\n\t}\n\trootJSON, ok := meta[\"root.json\"]\n\tif !ok {\n\t\tt.Fatalf(\"Getting root: %v\", err)\n\t}\n\tserveDir := filepath.Join(dir, \"repository\")\n\tt.Logf(\"tuf repository was created in: %s serving tuf root at %s\", dir, serveDir)\n\tfs := http.FileServer(http.Dir(serveDir))\n\thttp.Handle(\"/\", fs)\n\n\tts := httptest.NewServer(fs)\n\tdefer ts.Close()\n\n\ttufClient, err := ClientFromRemote(context.Background(), ts.URL, rootJSON, \"targets\")\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get client from remote: 
%v\", err)\n\t}\n\ttargets, err := tufClient.GetTopLevelTargets()\n\tif err != nil {\n\t\tt.Fatalf(\"GetTopLevelTargets error: %v\", err)\n\t}\n\tif len(targets) == 0 {\n\t\tt.Errorf(\"Got no targets from the TUF client\")\n\t}\n}\n"
  },
  {
    "path": "pkg/webhook/cache.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage webhook\n\nimport (\n\t\"context\"\n)\n\ntype cacheKey struct{}\n\n// CacheResult wraps PolicyResult and errors that are suitable for caching\n// purposes. Wrapping them lets us choose, for example, whether errors are\n// cached and, if so, for how long, independently of the successful\n// validations.\ntype CacheResult struct {\n\tPolicyResult *PolicyResult\n\tErrors       []error\n}\n\n// FromContext extracts a cache from the provided context. If one has not been\n// set, it returns a NoCache, which fulfills the interface but provides no caching.\nfunc FromContext(ctx context.Context) ResultCache {\n\tx, ok := ctx.Value(cacheKey{}).(ResultCache)\n\tif ok {\n\t\treturn x\n\t}\n\treturn &NoCache{}\n}\n\nfunc ToContext(ctx context.Context, cache ResultCache) context.Context {\n\treturn context.WithValue(ctx, cacheKey{}, cache)\n}\n\ntype ResultCache interface {\n\t// Set caches a PolicyResult for a given CIP evaluated for a given image at\n\t// a particular point in time. 
image, uid & resourceVersion will give a\n\t// unique point in time, so we can make sure we're not caching things that\n\t// are out of date.\n\tSet(ctx context.Context, image, name, uid, resourceVersion string, cacheResult *CacheResult)\n\n\t// Get returns a cached result for a given image or nil if there are none.\n\tGet(ctx context.Context, image, uid, resourceVersion string) *CacheResult\n}\n"
  },
  {
    "path": "pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go",
    "content": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage clusterimagepolicy\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/google/go-containerregistry/pkg/authn/k8schain\"\n\t\"github.com/google/go-containerregistry/pkg/authn/kubernetes\"\n\t\"github.com/google/go-containerregistry/pkg/name\"\n\t\"github.com/google/go-containerregistry/pkg/v1/remote\"\n\tociremote \"github.com/sigstore/cosign/v3/pkg/oci/remote\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\tsignaturealgo \"github.com/sigstore/policy-controller/pkg/apis/signaturealgo\"\n\t\"github.com/sigstore/policy-controller/pkg/webhook/registryauth\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\t\"k8s.io/apimachinery/pkg/types\"\n\t\"knative.dev/pkg/apis\"\n\tkubeclient \"knative.dev/pkg/client/injection/kube/client\"\n\t\"knative.dev/pkg/logging\"\n\t\"knative.dev/pkg/ptr\"\n)\n\n// ClusterImagePolicy defines the images that go through verification\n// and the authorities used for verification.\n// This is the internal representation of the external v1alpha1.ClusterImagePolicy.\n// KeyRef does not store secretRefs in internal representation.\n// KeyRef does store parsed publicKeys from Data in internal representation.\ntype ClusterImagePolicy struct {\n\t// UID of the CIP so we can tell if they've been deleted/recreated\n\tUID types.UID 
`json:\"uid,inline\"`\n\t// ResourceVersion can be used to know if the CIP has been modified\n\tResourceVersion string `json:\"resourceVersion\"`\n\n\tImages      []v1alpha1.ImagePattern `json:\"images\"`\n\tAuthorities []Authority             `json:\"authorities\"`\n\t// Policy is an optional policy used to evaluate the results of valid\n\t// Authorities. Will not get evaluated unless at least one Authority\n\t// succeeds.\n\tPolicy *AttestationPolicy `json:\"policy,omitempty\"`\n\t// Mode controls whether a failing policy will be rejected (not admitted),\n\t// or if errors are converted to Warnings.\n\t// enforce - Reject (default)\n\t// warn - allow but warn\n\t// +optional\n\tMode string `json:\"mode,omitempty\"`\n\t// Match allows selecting resources based on their properties.\n\tMatch []v1alpha1.MatchResource `json:\"match,omitempty\"`\n}\n\ntype Authority struct {\n\t// Name is the name for this authority. Used by the CIP Policy\n\t// validator to be able to reference matching signature or attestation\n\t// verifications.\n\tName string `json:\"name\"`\n\t// +optional\n\tKey *KeyRef `json:\"key,omitempty\"`\n\t// +optional\n\tKeyless *KeylessRef `json:\"keyless,omitempty\"`\n\t// +optional\n\tStatic *StaticRef `json:\"static,omitempty\"`\n\t// +optional\n\tSources []v1alpha1.Source `json:\"source,omitempty\"`\n\t// +optional\n\tCTLog *v1alpha1.TLog `json:\"ctlog,omitempty\"`\n\t// RemoteOpts are not marshalled because they are an unsupported type\n\t// RemoteOpts will be populated by the Authority UnmarshalJSON override\n\t// +optional\n\tRemoteOpts []ociremote.Option `json:\"-\"`\n\t// +optional\n\tAttestations []AttestationPolicy `json:\"attestations,omitempty\"`\n\t// +optional\n\tRFC3161Timestamp *RFC3161Timestamp `json:\"rfc3161timestamp,omitempty\"`\n\t// +optional\n\tSignatureFormat string `json:\"signatureFormat,omitempty\"`\n}\n\n// This references a public verification key stored in\n// a secret in the cosign-system namespace.\ntype KeyRef struct 
{\n\t// Data contains the inline public key\n\t// +optional\n\tData string `json:\"data,omitempty\"`\n\t// HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set\n\t// +optional\n\tHashAlgorithm string `json:\"hashAlgorithm,omitempty\"`\n\t// HashAlgorithmCode sets the crypto.Hash code based on the value of HashAlgorithm.\n\t// HashAlgorithmCode is not marshalled, but we use the calculated crypto.Hash in the validations\n\t// +optional\n\tHashAlgorithmCode crypto.Hash `json:\"-\"`\n\t// PublicKeys are not marshalled because JSON unmarshalling\n\t// errors for *big.Int\n\t// +optional\n\tPublicKeys []crypto.PublicKey `json:\"-\"`\n}\n\ntype KeylessRef struct {\n\t// +optional\n\tURL *apis.URL `json:\"url,omitempty\"`\n\t// +optional\n\tIdentities []v1alpha1.Identity `json:\"identities,omitempty\"`\n\t// +optional\n\tCACert *KeyRef `json:\"ca-cert,omitempty\"`\n\t// Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog\n\t// +optional\n\tTrustRootRef string `json:\"trustRootRef,omitempty\"`\n\t// InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT\n\t// +optional\n\tInsecureIgnoreSCT *bool `json:\"insecureIgnoreSCT,omitempty\"`\n}\n\ntype StaticRef struct {\n\tAction  string `json:\"action\"`\n\tMessage string `json:\"message,omitempty\"`\n}\n\ntype AttestationPolicy struct {\n\t// Name of the Attestation\n\tName string `json:\"name\"`\n\t// PredicateType to attest, one of the accepted in verify-attestation\n\tPredicateType string `json:\"predicateType\"`\n\t// Type specifies how to evaluate policy, only rego/cue are understood.\n\tType string `json:\"type,omitempty\"`\n\t// Data is the inlined version of the Policy used to evaluate the\n\t// Attestation.\n\tData string `json:\"data,omitempty\"`\n\t// FetchConfigFile controls whether ConfigFile will be fetched and made\n\t// available for CIP level policy evaluation. 
Note that this only gets\n\t// evaluated (and hence fetched) iff at least one authority matches.\n\t// The ConfigFile will then be available in this format:\n\t// https://github.com/opencontainers/image-spec/blob/main/config.md\n\tFetchConfigFile *bool `json:\"fetchConfigFile,omitempty\"`\n\t// IncludeSpec controls whether resource `Spec` will be included and\n\t// made available for CIP level policy evaluation. Note that this only gets\n\t// evaluated iff at least one authority matches.\n\tIncludeSpec *bool `json:\"includeSpec,omitempty\"`\n\t// IncludeObjectMeta controls whether the ObjectMeta will be included and\n\t// made available for CIP level policy evaluation. Note that this only gets\n\t// evaluated iff at least one authority matches.\n\t// +optional\n\tIncludeObjectMeta *bool `json:\"includeObjectMeta,omitempty\"`\n\t// IncludeTypeMeta controls whether the TypeMeta will be included and\n\t// made available for CIP level policy evaluation. Note that this only gets\n\t// evaluated iff at least one authority matches.\n\t// +optional\n\tIncludeTypeMeta *bool `json:\"includeTypeMeta,omitempty\"`\n}\n\n// RFC3161Timestamp specifies the URL to a RFC3161 time-stamping server that holds\n// the time-stamped verification for the signature\ntype RFC3161Timestamp struct {\n\t// Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities\n\t// +optional\n\tTrustRootRef string `json:\"trustRootRef,omitempty\"`\n}\n\n// UnmarshalJSON populates the PublicKeys using Data because\n// JSON unmarshalling errors for *big.Int\nfunc (k *KeyRef) UnmarshalJSON(data []byte) error {\n\tvar publicKeys []crypto.PublicKey\n\tvar err error\n\n\tret := make(map[string]string)\n\tif err = json.Unmarshal(data, &ret); err != nil {\n\t\treturn err\n\t}\n\n\tk.Data = ret[\"data\"]\n\tk.HashAlgorithmCode = crypto.SHA256\n\tk.HashAlgorithm = signaturealgo.DefaultSignatureAlgorithm\n\tif ret[\"hashAlgorithm\"] != \"\" {\n\t\tk.HashAlgorithm = 
ret[\"hashAlgorithm\"]\n\t\tk.HashAlgorithmCode, err = signaturealgo.HashAlgorithm(ret[\"hashAlgorithm\"])\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tif ret[\"data\"] != \"\" {\n\t\tpublicKey, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(ret[\"data\"]))\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to unmarshal PEM public key %w\", err)\n\t\t}\n\t\tpublicKeys = append(publicKeys, publicKey)\n\t}\n\tk.PublicKeys = publicKeys\n\n\treturn nil\n}\n\n// UnmarshalJSON populates the authority with the remoteOpts\n// from authority sources\nfunc (a *Authority) UnmarshalJSON(data []byte) error {\n\t// Create a new type to avoid recursion\n\ttype RawAuthority Authority\n\n\tvar rawAuthority RawAuthority\n\terr := json.Unmarshal(data, &rawAuthority)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Determine additional RemoteOpts\n\tif len(rawAuthority.Sources) > 0 {\n\t\tfor _, source := range rawAuthority.Sources {\n\t\t\tif source.OCI != \"\" {\n\t\t\t\tif targetRepoOverride, err := name.NewRepository(source.OCI); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"failed to determine source: %w\", err)\n\t\t\t\t} else if (targetRepoOverride != name.Repository{}) {\n\t\t\t\t\trawAuthority.RemoteOpts = append(rawAuthority.RemoteOpts, ociremote.WithTargetRepository(targetRepoOverride))\n\t\t\t\t}\n\t\t\t}\n\t\t\tif source.TagPrefix != nil && *source.TagPrefix != \"\" {\n\t\t\t\trawAuthority.RemoteOpts = append(rawAuthority.RemoteOpts,\n\t\t\t\t\tociremote.WithPrefix(*source.TagPrefix))\n\t\t\t}\n\t\t}\n\t}\n\n\t// Set the new type instance to casted original\n\t*a = Authority(rawAuthority)\n\treturn nil\n}\n\n// SourceSignaturePullSecretsOpts creates the signaturePullSecrets remoteOpts\n// This is not stored in the Authority under RemoteOpts as the namespace can be different\nfunc (a *Authority) SourceSignaturePullSecretsOpts(ctx context.Context, namespace string) ([]ociremote.Option, error) {\n\tvar ret []ociremote.Option\n\tfor _, source := range a.Sources 
{\n\t\tif len(source.SignaturePullSecrets) > 0 {\n\t\t\tsignaturePullSecrets := make([]string, 0, len(source.SignaturePullSecrets))\n\t\t\tfor _, s := range source.SignaturePullSecrets {\n\t\t\t\tsignaturePullSecrets = append(signaturePullSecrets, s.Name)\n\t\t\t}\n\n\t\t\t// Use NoServiceAccount when setting a signaturePullSecrets to avoid unnecessary API calls.\n\t\t\topt := k8schain.Options{\n\t\t\t\tNamespace:          namespace,\n\t\t\t\tServiceAccountName: kubernetes.NoServiceAccount,\n\t\t\t\tImagePullSecrets:   signaturePullSecrets,\n\t\t\t}\n\n\t\t\tkc, err := registryauth.NewK8sKeychain(ctx, kubeclient.Get(ctx), opt)\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"failed creating keychain: %+v\", err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\tret = append(ret, ociremote.WithRemoteOptions(\n\t\t\t\tremote.WithContext(ctx),\n\t\t\t\tremote.WithAuthFromKeychain(kc),\n\t\t\t))\n\t\t}\n\t}\n\n\treturn ret, nil\n}\n\nfunc ConvertClusterImagePolicyV1alpha1ToWebhook(in *v1alpha1.ClusterImagePolicy) *ClusterImagePolicy {\n\tcopyIn := in.DeepCopy()\n\n\toutAuthorities := make([]Authority, 0)\n\tfor _, authority := range copyIn.Spec.Authorities {\n\t\toutAuthority := convertAuthorityV1Alpha1ToWebhook(authority)\n\t\toutAuthorities = append(outAuthorities, *outAuthority)\n\t}\n\n\t// If there's a ClusterImagePolicy level AttestationPolicy, convert it here.\n\tvar cipAttestationPolicy *AttestationPolicy\n\tif in.Spec.Policy != nil {\n\t\tcipAttestationPolicy = &AttestationPolicy{\n\t\t\tType: in.Spec.Policy.Type,\n\t\t\tData: in.Spec.Policy.Data,\n\t\t}\n\t\tif in.Spec.Policy.FetchConfigFile != nil {\n\t\t\tcipAttestationPolicy.FetchConfigFile = ptr.Bool(*in.Spec.Policy.FetchConfigFile)\n\t\t}\n\t\tif in.Spec.Policy.IncludeSpec != nil {\n\t\t\tcipAttestationPolicy.IncludeSpec = ptr.Bool(*in.Spec.Policy.IncludeSpec)\n\t\t}\n\t\tif in.Spec.Policy.IncludeObjectMeta != nil {\n\t\t\tcipAttestationPolicy.IncludeObjectMeta = 
ptr.Bool(*in.Spec.Policy.IncludeObjectMeta)\n\t\t}\n\t\tif in.Spec.Policy.IncludeTypeMeta != nil {\n\t\t\tcipAttestationPolicy.IncludeTypeMeta = ptr.Bool(*in.Spec.Policy.IncludeTypeMeta)\n\t\t}\n\t}\n\treturn &ClusterImagePolicy{\n\t\tUID:             copyIn.UID,\n\t\tResourceVersion: copyIn.ResourceVersion,\n\t\tImages:          copyIn.Spec.Images,\n\t\tAuthorities:     outAuthorities,\n\t\tPolicy:          cipAttestationPolicy,\n\t\tMode:            in.Spec.Mode,\n\t\tMatch:           in.Spec.Match,\n\t}\n}\n\nfunc convertAuthorityV1Alpha1ToWebhook(in v1alpha1.Authority) *Authority {\n\tkeyRef := convertKeyRefV1Alpha1ToWebhook(in.Key)\n\tkeylessRef := convertKeylessRefV1Alpha1ToWebhook(in.Keyless)\n\tstaticRef := convertStaticRefV1Alpha1ToWebhook(in.Static)\n\tattestations := convertAttestationsV1Alpha1ToWebhook(in.Attestations)\n\trfc3161Timestamp := convertRFC3161TimestampV1Alpha1ToWebhook(in.RFC3161Timestamp)\n\n\treturn &Authority{\n\t\tName:             in.Name,\n\t\tKey:              keyRef,\n\t\tKeyless:          keylessRef,\n\t\tStatic:           staticRef,\n\t\tSources:          in.Sources,\n\t\tCTLog:            in.CTLog,\n\t\tRFC3161Timestamp: rfc3161Timestamp,\n\t\tAttestations:     attestations,\n\t\tSignatureFormat:  in.SignatureFormat,\n\t}\n}\n\nfunc convertRFC3161TimestampV1Alpha1ToWebhook(in *v1alpha1.RFC3161Timestamp) *RFC3161Timestamp {\n\tif in == nil {\n\t\treturn nil\n\t}\n\n\treturn &RFC3161Timestamp{\n\t\tTrustRootRef: in.TrustRootRef,\n\t}\n}\n\nfunc convertAttestationsV1Alpha1ToWebhook(in []v1alpha1.Attestation) []AttestationPolicy {\n\tret := []AttestationPolicy{}\n\tfor _, inAtt := range in {\n\t\toutAtt := AttestationPolicy{\n\t\t\tName:          inAtt.Name,\n\t\t\tPredicateType: inAtt.PredicateType,\n\t\t}\n\t\tif inAtt.Policy != nil {\n\t\t\toutAtt.Type = inAtt.Policy.Type\n\t\t\toutAtt.Data = inAtt.Policy.Data\n\t\t\tif inAtt.Policy.FetchConfigFile != nil {\n\t\t\t\toutAtt.FetchConfigFile = 
ptr.Bool(*inAtt.Policy.FetchConfigFile)\n\t\t\t}\n\t\t\tif inAtt.Policy.IncludeSpec != nil {\n\t\t\t\toutAtt.IncludeSpec = ptr.Bool(*inAtt.Policy.IncludeSpec)\n\t\t\t}\n\t\t\tif inAtt.Policy.IncludeObjectMeta != nil {\n\t\t\t\toutAtt.IncludeObjectMeta = ptr.Bool(*inAtt.Policy.IncludeObjectMeta)\n\t\t\t}\n\t\t\tif inAtt.Policy.IncludeTypeMeta != nil {\n\t\t\t\toutAtt.IncludeTypeMeta = ptr.Bool(*inAtt.Policy.IncludeTypeMeta)\n\t\t\t}\n\t\t}\n\t\tret = append(ret, outAtt)\n\t}\n\treturn ret\n}\n\nfunc convertKeyRefV1Alpha1ToWebhook(in *v1alpha1.KeyRef) *KeyRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\t// Convert the hash algorithm name to the code and reuse it everywhere else\n\talgorithmCode := crypto.SHA256\n\talgorithm := signaturealgo.DefaultSignatureAlgorithm\n\tif in.HashAlgorithm != \"\" {\n\t\talgorithm = in.HashAlgorithm\n\t\t// Ignore the error. It was already validated by the validation webhook\n\t\talgorithmCode, _ = signaturealgo.HashAlgorithm(in.HashAlgorithm) // nolint: staticcheck\n\t}\n\n\treturn &KeyRef{\n\t\tData:              in.Data,\n\t\tHashAlgorithm:     algorithm,\n\t\tHashAlgorithmCode: algorithmCode,\n\t}\n}\n\nfunc convertKeylessRefV1Alpha1ToWebhook(in *v1alpha1.KeylessRef) *KeylessRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\n\tCACertRef := convertKeyRefV1Alpha1ToWebhook(in.CACert)\n\n\treturn &KeylessRef{\n\t\tURL:               in.URL,\n\t\tIdentities:        in.Identities,\n\t\tCACert:            CACertRef,\n\t\tTrustRootRef:      in.TrustRootRef,\n\t\tInsecureIgnoreSCT: in.InsecureIgnoreSCT,\n\t}\n}\n\nfunc convertStaticRefV1Alpha1ToWebhook(in *v1alpha1.StaticRef) *StaticRef {\n\tif in == nil {\n\t\treturn nil\n\t}\n\n\treturn &StaticRef{\n\t\tAction:  in.Action,\n\t\tMessage: in.Message,\n\t}\n}\n"
  },
  {
    "path": "pkg/webhook/nocache.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage webhook\n\nimport \"context\"\n\n// NoCache is pretty much what it says: it caches nothing. It is meant to\n// implement the interface so that we can test with it, and it can be\n// injected when no caching is wanted.\ntype NoCache struct {\n}\n\nfunc (nc *NoCache) Get(ctx context.Context, image, uid, resourceVersion string) *CacheResult { //nolint: revive\n\treturn nil\n}\n\nfunc (nc *NoCache) Set(ctx context.Context, image, name, uid, resourceVersion string, cacheResult *CacheResult) { //nolint: revive\n}\n"
  },
  {
    "path": "pkg/webhook/registryauth/azure/acrhelper.go",
    "content": "//\n// Copyright 2024 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage azure\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/Azure/azure-sdk-for-go/profiles/preview/preview/containerregistry/runtime/containerregistry\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/azidentity\"\n\t\"github.com/docker/docker-credential-helpers/credentials\"\n)\n\ntype ACRHelper struct{}\n\nfunc NewACRHelper() credentials.Helper {\n\treturn &ACRHelper{}\n}\n\nfunc (a ACRHelper) Add(_ *credentials.Credentials) error {\n\treturn fmt.Errorf(\"add is unimplemented\")\n}\n\nfunc (a ACRHelper) Delete(_ string) error {\n\treturn fmt.Errorf(\"delete is unimplemented\")\n}\n\nfunc (a ACRHelper) Get(registryURL string) (string, string, error) {\n\tif !isACR(registryURL) {\n\t\treturn \"\", \"\", fmt.Errorf(\"not an ACR registry\")\n\t}\n\n\tazCred, err := azidentity.NewDefaultAzureCredential(nil)\n\tif err != nil {\n\t\treturn \"\", \"\", fmt.Errorf(\"failed to obtain a credential: %w\", err)\n\t}\n\n\t// We need to set the desired token policy to https://management.azure.com\n\t// to get a token that can be used to authenticate to the Azure Container Registry.\n\topts := policy.TokenRequestOptions{\n\t\tScopes: []string{\"https://management.azure.com/.default\"},\n\t}\n\taccessToken, err := azCred.GetToken(context.Background(), 
opts)\n\tif err != nil {\n\t\treturn \"\", \"\", fmt.Errorf(\"failed to get token: %w\", err)\n\t}\n\n\tregistryWithScheme, err := url.Parse(fmt.Sprintf(\"https://%s\", registryURL))\n\tif err != nil {\n\t\treturn \"\", \"\", fmt.Errorf(\"failed to parse registry URL: %w\", err)\n\t}\n\n\ttenantID := os.Getenv(\"AZURE_TENANT_ID\")\n\tif tenantID == \"\" {\n\t\treturn \"\", \"\", fmt.Errorf(\"AZURE_TENANT_ID environment variable not found\")\n\t}\n\n\trepoClient := containerregistry.NewRefreshTokensClient(registryWithScheme.String())\n\trefreshToken, err := repoClient.GetFromExchange(context.Background(), \"access_token\", registryURL, tenantID, \"\", accessToken.Token)\n\tif err != nil {\n\t\treturn \"\", \"\", fmt.Errorf(\"failed to get refresh token: %w\", err)\n\t}\n\n\t// we use a special username when authenticating with ACR using an access token\n\t// associated with a managed identity\n\treturn \"00000000-0000-0000-0000-000000000000\", *refreshToken.RefreshToken, nil\n}\n\nfunc (a ACRHelper) List() (map[string]string, error) {\n\treturn nil, fmt.Errorf(\"list is unimplemented\")\n}\n\nfunc isACR(registryURL string) bool {\n\treturn strings.HasSuffix(registryURL, \".azurecr.io\")\n}\n"
  },
  {
    "path": "pkg/webhook/registryauth/registryauth.go",
    "content": "//\n// Copyright 2024 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage registryauth\n\nimport (\n\t\"context\"\n\t\"io\"\n\n\tecr \"github.com/awslabs/amazon-ecr-credential-helper/ecr-login\"\n\t\"github.com/google/go-containerregistry/pkg/authn\"\n\t\"github.com/google/go-containerregistry/pkg/authn/k8schain\"\n\tkauth \"github.com/google/go-containerregistry/pkg/authn/kubernetes\"\n\t\"github.com/google/go-containerregistry/pkg/v1/google\"\n\t\"github.com/sigstore/policy-controller/pkg/webhook/registryauth/azure\"\n\t\"k8s.io/client-go/kubernetes\"\n)\n\n/*\nThis file is based on the K8s auth key chain constructor defined in the\ngo-containerregistry library in\nhttps://github.com/google/go-containerregistry/blob/ff385a972813c79bbd5fc89357ff2cefe3e5b43c/pkg/authn/k8schain/k8schain.go\n\nThe only difference in this implementation is the Azure key chain. It is created\nusing the current Azure credential handler defined in github.com/Azure/azure-sdk-for-go/sdk/azidentity.\n\nThe K8s auth key chain constructor in go-containerregistry uses an old Azure credential handler.\nWe should eventually try to get the Azure credential handler updated upstream in\ngo-containerregistry and remove this file. 
But for now, this custom constructor\nshould fix authentication errors encountered when using the policy controller\nwith ACR and AKS clusters.\n*/\nvar amazonKeychain authn.Keychain = authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard)))\n\nfunc NewK8sKeychain(ctx context.Context, client kubernetes.Interface, opt k8schain.Options) (authn.Keychain, error) {\n\tk8s, err := kauth.New(ctx, client, opt)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn authn.NewMultiKeychain(\n\t\tk8s,\n\t\tauthn.DefaultKeychain,\n\t\tgoogle.Keychain,\n\t\tamazonKeychain,\n\t\tauthn.NewKeychainFromHelper(azure.NewACRHelper()),\n\t), nil\n}\n"
  },
  {
    "path": "pkg/webhook/testdata/cert.pem",
    "content": "-----BEGIN CERTIFICATE-----\nMIHwMIGXoAMCAQICAQEwCgYIKoZIzj0EAwIwADAiGA8wMDAxMDEwMTAwMDAwMFoY\nDzAwMDEwMTAxMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMP4j\n1NMREAE3IpA1ihHN1xZFThO4oFdeRWbVTIUDhgOcCDVh5K/pmquzDE3uqG1D9TmZ\nwC5pPyURDgJ9dzTvjDAKBggqhkjOPQQDAgNIADBFAiEAtCfQlhemMkHHz+Brj9ls\nf1iHbBF+q2r9Ijud52yFeYoCIESU129jdhqmhm1yWb0bI95dCTEaiKLZaQ8mK+OV\n1yr2\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "pkg/webhook/validation.go",
    "content": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage webhook\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"encoding/json\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"io\"\n\t\"strings\"\n\n\t\"github.com/google/go-containerregistry/pkg/name\"\n\tv1 \"github.com/google/go-containerregistry/pkg/v1\"\n\t\"knative.dev/pkg/logging\"\n\n\t\"github.com/sigstore/cosign/v3/pkg/cosign\"\n\t\"github.com/sigstore/cosign/v3/pkg/oci\"\n\tociremote \"github.com/sigstore/cosign/v3/pkg/oci/remote\"\n\t\"github.com/sigstore/cosign/v3/pkg/oci/static\"\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n\t\"github.com/sigstore/sigstore/pkg/signature\"\n)\n\nfunc valid(ctx context.Context, ref name.Reference, keys []crypto.PublicKey, hashAlgo crypto.Hash, checkOpts *cosign.CheckOpts) ([]oci.Signature, error) {\n\tif len(keys) == 0 {\n\t\treturn validSignatures(ctx, ref, checkOpts)\n\t}\n\t// We return nil if ANY key matches\n\tvar lastErr error\n\tfor _, k := range keys {\n\t\tverifier, err := signature.LoadVerifier(k, hashAlgo)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"error creating verifier: %v\", err)\n\t\t\tlastErr = err\n\t\t\tcontinue\n\t\t}\n\t\tcheckOpts.SigVerifier = verifier\n\t\tsps, err := validSignatures(ctx, ref, checkOpts)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"error validating signatures: %v\", err)\n\t\t\tlastErr = 
err\n\t\t\tcontinue\n\t\t}\n\t\treturn sps, nil\n\t}\n\tlogging.FromContext(ctx).Debug(\"No valid signatures were found.\")\n\treturn nil, lastErr\n}\n\n// For testing\nvar cosignVerifySignatures = cosign.VerifyImageSignatures\nvar cosignVerifyAttestations = cosign.VerifyImageAttestations\nvar ociremoteResolveDigest = ociremote.ResolveDigest\nvar ociremoteReferrers = ociremote.Referrers\nvar ociremoteSignedImage = ociremote.SignedImage\nvar testProcessAttestationArtifact = processAttestationArtifact\n\nfunc validSignatures(ctx context.Context, ref name.Reference, checkOpts *cosign.CheckOpts) ([]oci.Signature, error) {\n\tcheckOpts.ClaimVerifier = cosign.SimpleClaimVerifier\n\tsigs, _, err := cosignVerifySignatures(ctx, ref, checkOpts)\n\treturn sigs, err\n}\n\nfunc validAttestations(ctx context.Context, ref name.Reference, checkOpts *cosign.CheckOpts) ([]oci.Signature, error) {\n\tcfg := policycontrollerconfig.FromContextOrDefaults(ctx)\n\tif cfg.EnableOCI11 {\n\t\tif attestations, err := discoverAttestationsOCI11(ctx, ref, checkOpts); err == nil {\n\t\t\treturn attestations, nil\n\t\t}\n\t}\n\n\tcheckOpts.ClaimVerifier = cosign.IntotoSubjectClaimVerifier\n\tattestations, _, err := cosignVerifyAttestations(ctx, ref, checkOpts)\n\treturn attestations, err\n}\n\nfunc discoverAttestationsOCI11(ctx context.Context, ref name.Reference, checkOpts *cosign.CheckOpts) ([]oci.Signature, error) {\n\tdigest, err := ociremoteResolveDigest(ref, checkOpts.RegistryClientOpts...)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tindexManifest, err := ociremoteReferrers(digest, \"\", checkOpts.RegistryClientOpts...)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar allSigs []oci.Signature\n\tfor _, manifest := range indexManifest.Manifests {\n\t\tif strings.Contains(manifest.ArtifactType, \"in-toto\") {\n\t\t\tsigs, err := testProcessAttestationArtifact(manifest, digest.Repository, checkOpts.RegistryClientOpts)\n\t\t\tif err != nil 
{\n\t\t\t\tlogging.FromContext(ctx).Debugf(\"Failed to process attestation artifact: %v\", err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tallSigs = append(allSigs, sigs...)\n\t\t}\n\t}\n\n\tif len(allSigs) == 0 {\n\t\treturn nil, fmt.Errorf(\"no attestations found\")\n\t}\n\treturn allSigs, nil\n}\n\nfunc processAttestationArtifact(result v1.Descriptor, repository name.Repository, registryOpts []ociremote.Option) ([]oci.Signature, error) {\n\tattRef, err := name.ParseReference(fmt.Sprintf(\"%s@%s\", repository, result.Digest.String()))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tsignedEntity, err := ociremoteSignedImage(attRef, registryOpts...)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tlayers, err := signedEntity.Layers()\n\tif err != nil || len(layers) == 0 {\n\t\treturn nil, fmt.Errorf(\"no layers found\")\n\t}\n\n\trc, err := layers[0].Uncompressed()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rc.Close()\n\n\tdsseEnvelope, err := io.ReadAll(rc)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar envelope struct {\n\t\tPayload    string `json:\"payload\"`\n\t\tSignatures []struct {\n\t\t\tSig string `json:\"sig\"`\n\t\t} `json:\"signatures\"`\n\t}\n\n\tif err := json.Unmarshal(dsseEnvelope, &envelope); err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar signatures []oci.Signature\n\tfor _, sig := range envelope.Signatures {\n\t\tpayloadStruct := map[string]interface{}{\n\t\t\t\"payload\": envelope.Payload,\n\t\t}\n\t\tpayloadBytes, _ := json.Marshal(payloadStruct)\n\t\tif ociSig, err := static.NewSignature(payloadBytes, sig.Sig); err == nil {\n\t\t\tsignatures = append(signatures, ociSig)\n\t\t}\n\t}\n\n\treturn signatures, nil\n}\n\nfunc parsePems(b []byte) []*pem.Block {\n\tp, rest := pem.Decode(b)\n\tif p == nil {\n\t\treturn nil\n\t}\n\tpems := []*pem.Block{p}\n\n\tif rest != nil {\n\t\treturn append(pems, parsePems(rest)...)\n\t}\n\treturn pems\n}\n"
  },
  {
    "path": "pkg/webhook/validator.go",
    "content": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage webhook\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/ecdsa\"\n\t\"crypto/sha256\"\n\t\"crypto/x509\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/google/go-containerregistry/pkg/authn\"\n\t\"github.com/google/go-containerregistry/pkg/authn/k8schain\"\n\t\"github.com/google/go-containerregistry/pkg/name\"\n\tv1 \"github.com/google/go-containerregistry/pkg/v1\"\n\t\"github.com/google/go-containerregistry/pkg/v1/remote\"\n\t\"github.com/google/go-containerregistry/pkg/v1/types\"\n\t\"github.com/sigstore/cosign/v3/pkg/cosign\"\n\t\"github.com/sigstore/cosign/v3/pkg/oci\"\n\tociremote \"github.com/sigstore/cosign/v3/pkg/oci/remote\"\n\t\"github.com/sigstore/cosign/v3/pkg/policy\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\tpolicyduckv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1\"\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n\tpctuf \"github.com/sigstore/policy-controller/pkg/tuf\"\n\twebhookcip \"github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy\"\n\t\"github.com/sigstore/policy-controller/pkg/webhook/registryauth\"\n\trekor 
\"github.com/sigstore/rekor/pkg/client\"\n\t\"github.com/sigstore/rekor/pkg/generated/client\"\n\t\"github.com/sigstore/sigstore-go/pkg/root\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\t\"github.com/sigstore/sigstore/pkg/fulcioroots\"\n\t\"github.com/sigstore/sigstore/pkg/signature\"\n\t\"github.com/sigstore/sigstore/pkg/tuf\"\n\tadmissionv1 \"k8s.io/api/admission/v1\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"knative.dev/pkg/apis\"\n\tduckv1 \"knative.dev/pkg/apis/duck/v1\"\n\n\tkubeclient \"knative.dev/pkg/client/injection/kube/client\"\n\t\"knative.dev/pkg/logging\"\n)\n\ntype Validator struct{}\n\nfunc NewValidator(_ context.Context) *Validator {\n\treturn &Validator{}\n}\n\n// isDeletedOrStatusUpdate returns true if the resource in question is being\n// deleted, is already deleted or Status is being updated. In any of those\n// cases, we do not validate the resource\nfunc isDeletedOrStatusUpdate(ctx context.Context, deletionTimestamp *metav1.Time) bool {\n\treturn apis.IsInDelete(ctx) || deletionTimestamp != nil || apis.IsInStatusUpdate(ctx)\n}\n\n// This is attached to contexts passed to webhook methods so that if the\n// user wants to get the Spec for the PolicyResult we can attach it.\ntype includeSpecKey struct{}\n\n// IncludeSpec adds the spec to context so it's later available for\n// inclusion in PolicyResult. This is safe to call multiple times, first\n// one \"wins\". 
This is on purpose so that since we call down the various\n// levels and we want the highest resource level to be available, otherwise\n// everything boils down to PodSpec and it's lossy then.\nfunc IncludeSpec(ctx context.Context, spec interface{}) context.Context {\n\tif GetIncludeSpec(ctx) == nil {\n\t\treturn context.WithValue(ctx, includeSpecKey{}, spec)\n\t}\n\treturn ctx\n}\n\n// GetIncludeSpec returns the highest level spec for a resource possible.\n// For example, for Deployment it would return Deployment.Spec\nfunc GetIncludeSpec(ctx context.Context) interface{} {\n\treturn ctx.Value(includeSpecKey{})\n}\n\n// This is attached to contexts passed to webhook methods so that if the\n// user wants to get the ObjectMeta for the PolicyResult we can attach it.\ntype includeObjectMetaKey struct{}\n\n// This is attached to contexts passed to webhook methods so that if the\n// user wants to get the TypeMeta for the PolicyResult we can attach it.\ntype includeTypeMetaKey struct{}\n\n// IncludeObjectMeta adds the ObjectMeta to context so it's later available for\n// inclusion in PolicyResult. This is safe to call multiple times, first\n// one \"wins\". This is on purpose so that since we call down the various\n// levels and we want the highest resource level to be available, otherwise\n// everything boils down to PodSpec and it's lossy then.\nfunc IncludeObjectMeta(ctx context.Context, meta interface{}) context.Context {\n\tif GetIncludeObjectMeta(ctx) == nil {\n\t\treturn context.WithValue(ctx, includeObjectMetaKey{}, meta)\n\t}\n\treturn ctx\n}\n\n// GetIncludeObjectMeta returns the highest level ObjectMeta for a resource\n// possible. For example, for Deployment it would return Deployment.Spec\nfunc GetIncludeObjectMeta(ctx context.Context) interface{} {\n\treturn ctx.Value(includeObjectMetaKey{})\n}\n\n// IncludeTypeMeta adds the TypeMeta to context so it's later available for\n// inclusion in PolicyResult. 
This is safe to call multiple times, first\n// one \"wins\". This is on purpose so that since we call down the various\n// levels and we want the highest resource level to be available, otherwise\n// everything boils down to PodSpec and it's lossy then.\nfunc IncludeTypeMeta(ctx context.Context, meta interface{}) context.Context {\n\tif GetIncludeTypeMeta(ctx) == nil {\n\t\treturn context.WithValue(ctx, includeTypeMetaKey{}, meta)\n\t}\n\treturn ctx\n}\n\n// GetIncludeTypeMeta returns the highest level TypeMeta for a resource\n// possible. For example, for Deployment it would return:\n// apiVersion: apps/v1\n// kind: Deployment\nfunc GetIncludeTypeMeta(ctx context.Context) interface{} {\n\treturn ctx.Value(includeTypeMetaKey{})\n}\n\n// ValidatePodScalable implements policyduckv1beta1.PodScalableValidator\n// It is very similar to ValidatePodSpecable, but allows for spec.replicas\n// to be decremented. This allows for scaling down pods with non-compliant\n// images that would otherwise be forbidden.\nfunc (v *Validator) ValidatePodScalable(ctx context.Context, ps *policyduckv1beta1.PodScalable) *apis.FieldError {\n\t// If we are deleting (or already deleted) or updating status, don't block.\n\tif isDeletedOrStatusUpdate(ctx, ps.DeletionTimestamp) {\n\t\treturn nil\n\t}\n\n\t// If we are being scaled down don't block it.\n\tif ps.IsScalingDown(ctx) {\n\t\tlogging.FromContext(ctx).Debugf(\"Skipping validations due to scale down request %s/%s\", &ps.Name, &ps.Namespace)\n\t\treturn nil\n\t}\n\n\t// Attach the spec for down the line to be attached if it's required by\n\t// policy to be included in the PolicyResult.\n\tctx = IncludeSpec(ctx, ps.Spec)\n\tctx = IncludeObjectMeta(ctx, ps.ObjectMeta)\n\tctx = IncludeTypeMeta(ctx, ps.TypeMeta)\n\n\timagePullSecrets := make([]string, 0, len(ps.Spec.Template.Spec.ImagePullSecrets))\n\tfor _, s := range ps.Spec.Template.Spec.ImagePullSecrets {\n\t\timagePullSecrets = append(imagePullSecrets, s.Name)\n\t}\n\tns := 
getNamespace(ctx, ps.Namespace)\n\topt := k8schain.Options{\n\t\tNamespace:          ns,\n\t\tServiceAccountName: ps.Spec.Template.Spec.ServiceAccountName,\n\t\tImagePullSecrets:   imagePullSecrets,\n\t}\n\n\treturn v.validatePodSpec(ctx, ns, ps.Kind, ps.APIVersion, ps.ObjectMeta.Labels, &ps.Spec.Template.Spec, opt).ViaField(\"spec.template.spec\")\n}\n\n// ValidatePodSpecable implements duckv1.PodSpecValidator\nfunc (v *Validator) ValidatePodSpecable(ctx context.Context, wp *duckv1.WithPod) *apis.FieldError {\n\t// If we are deleting (or already deleted) or updating status, don't block.\n\tif isDeletedOrStatusUpdate(ctx, wp.DeletionTimestamp) {\n\t\treturn nil\n\t}\n\n\t// Attach the spec/metadata for down the line to be attached if it's\n\t// required by policy to be included in the PolicyResult.\n\tctx = IncludeSpec(ctx, wp.Spec)\n\tctx = IncludeObjectMeta(ctx, wp.ObjectMeta)\n\tctx = IncludeTypeMeta(ctx, wp.TypeMeta)\n\n\timagePullSecrets := make([]string, 0, len(wp.Spec.Template.Spec.ImagePullSecrets))\n\tfor _, s := range wp.Spec.Template.Spec.ImagePullSecrets {\n\t\timagePullSecrets = append(imagePullSecrets, s.Name)\n\t}\n\tns := getNamespace(ctx, wp.Namespace)\n\topt := k8schain.Options{\n\t\tNamespace:          ns,\n\t\tServiceAccountName: wp.Spec.Template.Spec.ServiceAccountName,\n\t\tImagePullSecrets:   imagePullSecrets,\n\t}\n\treturn v.validatePodSpec(ctx, ns, wp.Kind, wp.APIVersion, wp.ObjectMeta.Labels, &wp.Spec.Template.Spec, opt).ViaField(\"spec.template.spec\")\n}\n\n// ValidatePod implements duckv1.PodValidator\nfunc (v *Validator) ValidatePod(ctx context.Context, p *duckv1.Pod) *apis.FieldError {\n\t// If we are deleting (or already deleted) or updating status, don't block.\n\tif isDeletedOrStatusUpdate(ctx, p.DeletionTimestamp) {\n\t\treturn nil\n\t}\n\n\t// Attach the spec/metadata for down the line to be attached if it's\n\t// required by policy to be included in the PolicyResult.\n\tctx = IncludeSpec(ctx, p.Spec)\n\tctx = 
IncludeObjectMeta(ctx, p.ObjectMeta)\n\n\timagePullSecrets := make([]string, 0, len(p.Spec.ImagePullSecrets))\n\tfor _, s := range p.Spec.ImagePullSecrets {\n\t\timagePullSecrets = append(imagePullSecrets, s.Name)\n\t}\n\tns := getNamespace(ctx, p.Namespace)\n\topt := k8schain.Options{\n\t\tNamespace:          ns,\n\t\tServiceAccountName: p.Spec.ServiceAccountName,\n\t\tImagePullSecrets:   imagePullSecrets,\n\t}\n\treturn v.validatePodSpec(ctx, ns, p.Kind, p.APIVersion, p.ObjectMeta.Labels, &p.Spec, opt).ViaField(\"spec\")\n}\n\n// ValidateCronJob implements duckv1.CronJobValidator\nfunc (v *Validator) ValidateCronJob(ctx context.Context, c *duckv1.CronJob) *apis.FieldError {\n\t// If we are deleting (or already deleted) or updating status, don't block.\n\tif isDeletedOrStatusUpdate(ctx, c.DeletionTimestamp) {\n\t\treturn nil\n\t}\n\n\t// Attach the spec/metadata for down the line to be attached if it's\n\t// required by policy to be included in the PolicyResult.\n\tctx = IncludeSpec(ctx, c.Spec)\n\tctx = IncludeObjectMeta(ctx, c.ObjectMeta)\n\tctx = IncludeTypeMeta(ctx, c.TypeMeta)\n\n\timagePullSecrets := make([]string, 0, len(c.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets))\n\tfor _, s := range c.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets {\n\t\timagePullSecrets = append(imagePullSecrets, s.Name)\n\t}\n\tns := getNamespace(ctx, c.Namespace)\n\topt := k8schain.Options{\n\t\tNamespace:          ns,\n\t\tServiceAccountName: c.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName,\n\t\tImagePullSecrets:   imagePullSecrets,\n\t}\n\n\treturn v.validatePodSpec(ctx, ns, c.Kind, c.APIVersion, c.ObjectMeta.Labels, &c.Spec.JobTemplate.Spec.Template.Spec, opt).ViaField(\"spec.jobTemplate.spec.template.spec\")\n}\n\nfunc (v *Validator) validatePodSpec(ctx context.Context, namespace, kind, apiVersion string, labels map[string]string, ps *corev1.PodSpec, opt k8schain.Options) (errs *apis.FieldError) {\n\tkc, err := registryauth.NewK8sKeychain(ctx, 
kubeclient.Get(ctx), opt)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Warnf(\"Unable to build k8schain: %v\", err)\n\t\treturn apis.ErrGeneric(err.Error(), apis.CurrentField)\n\t}\n\n\ttype containerCheckResult struct {\n\t\tindex                int\n\t\tcontainerCheckResult *apis.FieldError\n\t}\n\tcheckContainers := func(cs []corev1.Container, field string) {\n\t\tresults := make(chan containerCheckResult, len(cs))\n\t\twg := new(sync.WaitGroup)\n\t\tfor i, c := range cs {\n\t\t\ti := i\n\t\t\tc := c\n\t\t\twg.Add(1)\n\t\t\tgo func() {\n\t\t\t\tdefer wg.Done()\n\n\t\t\t\t// Require digests, otherwise the validation is meaningless\n\t\t\t\t// since the tag can move.\n\t\t\t\tfe := refOrFieldError(c.Image, field, i)\n\t\t\t\tif fe != nil {\n\t\t\t\t\tresults <- containerCheckResult{index: i, containerCheckResult: fe}\n\t\t\t\t\treturn\n\t\t\t\t}\n\n\t\t\t\tcontainerErrors := v.validateContainerImage(ctx, c.Image, namespace, field, i, kind, apiVersion, labels, kc, ociremote.WithRemoteOptions(\n\t\t\t\t\tremote.WithContext(ctx),\n\t\t\t\t\tremote.WithAuthFromKeychain(kc),\n\t\t\t\t))\n\t\t\t\tresults <- containerCheckResult{index: i, containerCheckResult: containerErrors}\n\t\t\t}()\n\t\t}\n\t\tfor i := 0; i < len(cs); i++ {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\terrs = errs.Also(apis.ErrGeneric(\"context was canceled before validation completed\"))\n\t\t\tcase result, ok := <-results:\n\t\t\t\tif !ok {\n\t\t\t\t\terrs = errs.Also(apis.ErrGeneric(\"results channel failed to produce a result\"))\n\t\t\t\t} else {\n\t\t\t\t\terrs = errs.Also(result.containerCheckResult)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\twg.Wait()\n\t}\n\n\tcheckEphemeralContainers := func(cs []corev1.EphemeralContainer, field string) {\n\t\tresults := make(chan containerCheckResult, len(cs))\n\t\twg := new(sync.WaitGroup)\n\t\tfor i, c := range cs {\n\t\t\ti := i\n\t\t\tc := c\n\t\t\twg.Add(1)\n\t\t\tgo func() {\n\t\t\t\tdefer wg.Done()\n\n\t\t\t\t// Require digests, otherwise the 
validation is meaningless\n\t\t\t\t// since the tag can move.\n\t\t\t\tfe := refOrFieldError(c.Image, field, i)\n\t\t\t\tif fe != nil {\n\t\t\t\t\tresults <- containerCheckResult{index: i, containerCheckResult: fe}\n\t\t\t\t\treturn\n\t\t\t\t}\n\n\t\t\t\tcontainerErrors := v.validateContainerImage(ctx, c.Image, namespace, field, i, kind, apiVersion, labels, kc, ociremote.WithRemoteOptions(\n\t\t\t\t\tremote.WithContext(ctx),\n\t\t\t\t\tremote.WithAuthFromKeychain(kc),\n\t\t\t\t))\n\t\t\t\tresults <- containerCheckResult{index: i, containerCheckResult: containerErrors}\n\t\t\t}()\n\t\t}\n\t\tfor i := 0; i < len(cs); i++ {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\terrs = errs.Also(apis.ErrGeneric(\"context was canceled before validation completed\"))\n\t\t\tcase result, ok := <-results:\n\t\t\t\tif !ok {\n\t\t\t\t\terrs = errs.Also(apis.ErrGeneric(\"results channel failed to produce a result\"))\n\t\t\t\t} else {\n\t\t\t\t\terrs = errs.Also(result.containerCheckResult)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\twg.Wait()\n\t}\n\n\tcheckContainers(ps.InitContainers, \"initContainers\")\n\tcheckContainers(ps.Containers, \"containers\")\n\tcheckEphemeralContainers(ps.EphemeralContainers, \"ephemeralContainers\")\n\n\treturn errs\n}\n\n// setNoMatchingPoliciesError returns nil if the no matching policies behaviour\n// has been set to allow or has not been set. 
Otherwise returns either a warning\n// or error based on the NoMatchPolicy.\nfunc setNoMatchingPoliciesError(ctx context.Context, image, field string, index int) *apis.FieldError {\n\t// Check what the configuration is and act accordingly.\n\tpcConfig := policycontrollerconfig.FromContextOrDefaults(ctx)\n\n\tnoMatchingPolicyError := apis.ErrGeneric(\"no matching policies\", \"image\").ViaFieldIndex(field, index)\n\tnoMatchingPolicyError.Details = image\n\tif pcConfig == nil {\n\t\t// This should not happen, but handle it as fail close\n\t\treturn noMatchingPolicyError\n\t}\n\tswitch pcConfig.NoMatchPolicy {\n\tcase policycontrollerconfig.AllowAll:\n\t\t// Allow it through, nothing to do.\n\t\treturn nil\n\tcase policycontrollerconfig.DenyAll:\n\t\tlogging.FromContext(ctx).Errorf(\"no matching policies for image %s\", image)\n\t\treturn noMatchingPolicyError\n\tcase policycontrollerconfig.WarnAll:\n\t\tlogging.FromContext(ctx).Warnf(\"no matching policies for image %s\", image)\n\t\treturn noMatchingPolicyError.At(apis.WarningLevel)\n\tdefault:\n\t\t// Fail closed.\n\t\treturn noMatchingPolicyError\n\t}\n}\n\n// validatePolicies will go through all the matching Policies and their\n// Authorities for a given image. Returns the map of policy=>Validated\n// signatures. 
From the map you can see the number of matched policies along\n// with the signatures that were verified.\n// If there's a policy that did not match, it will be returned in the errors map\n// along with all the errors that caused it to fail.\n// Note that if an image does not match any policies, it's perfectly\n// reasonable that the return value is 0, nil since there were no errors, but\n// the image was not validated against any matching policy and hence authority.\nfunc validatePolicies(ctx context.Context, namespace string, ref name.Reference, policies map[string]webhookcip.ClusterImagePolicy, kc authn.Keychain, remoteOpts ...ociremote.Option) (map[string]*PolicyResult, map[string][]error) {\n\ttype retChannelType struct {\n\t\tname         string\n\t\tpolicyResult *PolicyResult\n\t\terrors       []error\n\t}\n\tresults := make(chan retChannelType, len(policies))\n\n\twg := new(sync.WaitGroup)\n\n\t// For each matching policy it must validate at least one Authority within\n\t// it.\n\t// From the Design document, the part about multiple Policies matching:\n\t// \"If multiple policies match a particular image, then ALL of those\n\t// policies must be satisfied for the image to be admitted.\"\n\t// If none of the Authorities for a given policy pass the checks, gather\n\t// the errors here. 
If one passes, do not return the errors.\n\tfor cipName, cip := range policies {\n\t\t// Due to running in gofunc\n\t\tcipName := cipName\n\t\tcip := cip\n\t\tlogging.FromContext(ctx).Debugf(\"Checking Policy: %s\", cipName)\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\t\t\tresult := retChannelType{name: cipName}\n\n\t\t\tresult.policyResult, result.errors = ValidatePolicy(ctx, namespace, ref, cip, kc, remoteOpts...)\n\t\t\t// Cache the result.\n\t\t\tFromContext(ctx).Set(ctx, ref.Name(), cipName, string(cip.UID), cip.ResourceVersion, &CacheResult{\n\t\t\t\tPolicyResult: result.policyResult,\n\t\t\t\tErrors:       result.errors,\n\t\t\t})\n\t\t\tresults <- result\n\t\t}()\n\t}\n\t// Gather all validated policies here.\n\tpolicyResults := make(map[string]*PolicyResult)\n\t// For a policy that does not pass at least one authority, gather errors\n\t// here so that we can give meaningful errors to the user.\n\tret := map[string][]error{}\n\n\tfor i := 0; i < len(policies); i++ {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tret[\"internalerror\"] = append(ret[\"internalerror\"], fmt.Errorf(\"context was canceled before validation completed\"))\n\t\tcase result, ok := <-results:\n\t\t\tif !ok {\n\t\t\t\tret[\"internalerror\"] = append(ret[\"internalerror\"], fmt.Errorf(\"results channel failed to produce a result\"))\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tswitch {\n\t\t\t// Return AuthorityMatches before errors, since even if there\n\t\t\t// are errors, if there are 0 or more authorities that match,\n\t\t\t// it will pass the Policy. 
Of course, a CIP level policy can\n\t\t\t// override this behaviour, but that has been checked above and\n\t\t\t// if it failed, it will nil out the policyResult.\n\t\t\tcase result.policyResult != nil:\n\t\t\t\tpolicyResults[result.name] = result.policyResult\n\t\t\tcase len(result.errors) > 0:\n\t\t\t\tret[result.name] = append(ret[result.name], result.errors...)\n\t\t\tdefault:\n\t\t\t\tret[result.name] = append(ret[result.name], fmt.Errorf(\"failed to process policy: %s\", result.name))\n\t\t\t}\n\t\t}\n\t}\n\twg.Wait()\n\treturn policyResults, ret\n}\n\nfunc asFieldError(warn bool, err error) *apis.FieldError {\n\tr := &apis.FieldError{Message: err.Error()}\n\tif warn {\n\t\treturn r.At(apis.WarningLevel)\n\t}\n\treturn r.At(apis.ErrorLevel)\n}\n\n// ValidatePolicy will go through all the Authorities for a given image/policy\n// and return validated authorities if at least one of the Authorities\n// validated the signatures OR attestations if atttestations were specified.\n// Returns PolicyResult if one or more authorities matched, otherwise nil.\n// In any case returns all errors encountered if none of the authorities\n// passed.\n// kc is the Keychain to use for fetching ConfigFile that's independent of the\n// signatures / attestations.\nfunc ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, cip webhookcip.ClusterImagePolicy, kc authn.Keychain, remoteOpts ...ociremote.Option) (*PolicyResult, []error) {\n\t// Check the cache and return if hit, otherwise, check the policy\n\tcacheResult := FromContext(ctx).Get(ctx, ref.String(), string(cip.UID), cip.ResourceVersion)\n\tif cacheResult != nil {\n\t\treturn cacheResult.PolicyResult, cacheResult.Errors\n\t}\n\n\t// Each gofunc creates and puts one of these into a results channel.\n\t// Once each gofunc finishes, we go through the channel and pull out\n\t// the results.\n\ttype retChannelType struct {\n\t\tname         string\n\t\tstatic       bool\n\t\tattestations 
map[string][]PolicyAttestation\n\t\tsignatures   []PolicySignature\n\t\terr          error\n\t}\n\twg := new(sync.WaitGroup)\n\n\tresults := make(chan retChannelType, len(cip.Authorities))\n\tfor _, authority := range cip.Authorities {\n\t\tauthority := authority // due to gofunc\n\t\tlogging.FromContext(ctx).Debugf(\"Checking Authority: %s\\n\", authority.Name)\n\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\t\t\tresult := retChannelType{name: authority.Name}\n\t\t\t// Assignment for appendAssign lint error\n\t\t\tauthorityRemoteOpts := remoteOpts\n\t\t\tauthorityRemoteOpts = append(authorityRemoteOpts, authority.RemoteOpts...)\n\n\t\t\tsignaturePullSecretsOpts, err := authority.SourceSignaturePullSecretsOpts(ctx, namespace)\n\t\t\tif err != nil {\n\t\t\t\tresult.err = err\n\t\t\t\tresults <- result\n\t\t\t\treturn\n\t\t\t}\n\t\t\tauthorityRemoteOpts = append(authorityRemoteOpts, signaturePullSecretsOpts...)\n\n\t\t\tswitch {\n\t\t\tcase authority.Static != nil:\n\t\t\t\tif authority.Static.Action == \"fail\" {\n\t\t\t\t\tresult.err = fmt.Errorf(\"disallowed by static policy: %s\", authority.Static.Message)\n\t\t\t\t\tresults <- result\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tresult.static = true\n\n\t\t\tcase len(authority.Attestations) > 0:\n\t\t\t\t// We're doing the verify-attestations path, so validate (.att)\n\t\t\t\tresult.attestations, result.err = ValidatePolicyAttestationsForAuthority(ctx, ref, authority, authorityRemoteOpts...)\n\n\t\t\tdefault:\n\t\t\t\tresult.signatures, result.err = ValidatePolicySignaturesForAuthority(ctx, ref, authority, authorityRemoteOpts...)\n\t\t\t}\n\t\t\tresults <- result\n\t\t}()\n\t}\n\n\t// If none of the Authorities for a given policy pass the checks, gather\n\t// the errors here. 
Even if there are errors, return the matched\n\t// authoritypolicies.\n\tauthorityErrors := make([]error, 0, len(cip.Authorities))\n\t// We collect all the successfully satisfied Authorities into this and\n\t// return it.\n\tpolicyResult := &PolicyResult{\n\t\tAuthorityMatches: make(map[string]AuthorityMatch, len(cip.Authorities)),\n\t}\n\tfor range cip.Authorities {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tauthorityErrors = append(authorityErrors, fmt.Errorf(\"%w before validation completed\", ctx.Err()))\n\n\t\tcase result, ok := <-results:\n\t\t\tif !ok {\n\t\t\t\tauthorityErrors = append(authorityErrors, errors.New(\"results channel closed before all results were sent\"))\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tswitch {\n\t\t\tcase result.err != nil:\n\t\t\t\t// We only wrap actual policy failures as FieldErrors with the\n\t\t\t\t// possibly Warn level. Other things imho should be still\n\t\t\t\t// be considered errors.\n\t\t\t\tauthorityErrors = append(authorityErrors, asFieldError(cip.Mode == \"warn\", result.err))\n\n\t\t\tcase len(result.signatures) > 0:\n\t\t\t\tpolicyResult.AuthorityMatches[result.name] = AuthorityMatch{Signatures: result.signatures}\n\n\t\t\tcase len(result.attestations) > 0:\n\t\t\t\tpolicyResult.AuthorityMatches[result.name] = AuthorityMatch{Attestations: result.attestations}\n\n\t\t\tcase result.static:\n\t\t\t\t// This happens when we encounter a policy with:\n\t\t\t\t//   static:\n\t\t\t\t//     action: \"pass\"\n\t\t\t\tpolicyResult.AuthorityMatches[result.name] = AuthorityMatch{\n\t\t\t\t\tStatic: true,\n\t\t\t\t}\n\n\t\t\tdefault:\n\t\t\t\tauthorityErrors = append(authorityErrors, fmt.Errorf(\"failed to process authority: %s\", result.name))\n\t\t\t}\n\t\t}\n\t}\n\twg.Wait()\n\t// Even if there are errors, return the policies, since as per the\n\t// spec, we just need one authority to pass checks. 
If more than\n\t// one are required, that is enforced at the CIP policy level.\n\t// If however there are no authorityMatches, return nil so we don't have\n\t// to keep checking the length on the returned calls.\n\tif len(policyResult.AuthorityMatches) == 0 {\n\t\treturn nil, authorityErrors\n\t}\n\t// Ok, there's at least one valid authority that matched. If there's a CIP\n\t// level policy, validate it here before returning.\n\tif cip.Policy != nil {\n\t\tif cip.Policy.FetchConfigFile != nil && *cip.Policy.FetchConfigFile {\n\t\t\tlogging.FromContext(ctx).Debug(\"Fetching ConfigFiles\")\n\t\t\t// It's unfortunate that we have to keep having the kc here. It\n\t\t\t// would be nice if we could just unwrap/generate the ggcr remote\n\t\t\t// options from the oci remote options, but for now this is how\n\t\t\t// we're rolling.\n\t\t\trOpts := []remote.Option{\n\t\t\t\tremote.WithContext(ctx),\n\t\t\t\tremote.WithAuthFromKeychain(kc),\n\t\t\t}\n\t\t\tconfigFiles, errs := getConfigs(ctx, ref, rOpts...)\n\t\t\tif len(errs) > 0 {\n\t\t\t\tfor _, e := range errs {\n\t\t\t\t\tauthorityErrors = append(authorityErrors, asFieldError(cip.Mode == \"warn\", e))\n\t\t\t\t}\n\t\t\t\treturn nil, authorityErrors\n\t\t\t}\n\t\t\tpolicyResult.Config = configFiles\n\t\t}\n\t\tif cip.Policy.IncludeSpec != nil && *cip.Policy.IncludeSpec {\n\t\t\tpolicyResult.Spec = GetIncludeSpec(ctx)\n\t\t}\n\t\tif cip.Policy.IncludeObjectMeta != nil && *cip.Policy.IncludeObjectMeta {\n\t\t\tpolicyResult.ObjectMeta = GetIncludeObjectMeta(ctx)\n\t\t}\n\t\tif cip.Policy.IncludeTypeMeta != nil && *cip.Policy.IncludeTypeMeta {\n\t\t\tpolicyResult.TypeMeta = GetIncludeTypeMeta(ctx)\n\t\t}\n\n\t\tlogging.FromContext(ctx).Info(\"Validating CIP level policy\")\n\t\tpolicyJSON, err := json.Marshal(policyResult)\n\t\tif err != nil {\n\t\t\treturn nil, append(authorityErrors, err)\n\t\t}\n\t\tlogging.FromContext(ctx).Infof(\"CIP level policy: %s\", string(policyJSON))\n\t\twarn, err := 
policy.EvaluatePolicyAgainstJSON(ctx, \"ClusterImagePolicy\", cip.Policy.Type, cip.Policy.Data, policyJSON)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Warnf(\"Failed to validate CIP level policy; err: %w; against %s\", err, string(policyJSON))\n\t\t\treturn nil, append(authorityErrors, asFieldError(cip.Mode == \"warn\", err))\n\t\t}\n\t\tif warn != nil {\n\t\t\tlogging.FromContext(ctx).Warnf(\"Failed to validate CIP level policy; warn: %w; against %s\", warn, string(policyJSON))\n\t\t\treturn nil, append(authorityErrors, asFieldError(cip.Mode == \"warn\", warn))\n\t\t}\n\t}\n\treturn policyResult, authorityErrors\n}\n\nfunc ociSignatureToPolicySignature(ctx context.Context, sigs []oci.Signature) []PolicySignature {\n\tret := make([]PolicySignature, 0, len(sigs))\n\tfor _, ociSig := range sigs {\n\t\tlogging.FromContext(ctx).Debugf(\"Converting signature %+v\", ociSig)\n\n\t\tsigID, err := signatureID(ociSig)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Debugf(\"Error fetching signature %+v\", err)\n\t\t\tcontinue\n\t\t}\n\n\t\tif cert, err := ociSig.Cert(); err == nil && cert != nil {\n\t\t\tce := cosign.CertExtensions{\n\t\t\t\tCert: cert,\n\t\t\t}\n\t\t\tsub := \"\"\n\t\t\tif sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {\n\t\t\t\tsub = sans[0]\n\t\t\t}\n\t\t\tret = append(ret, PolicySignature{\n\t\t\t\tID:      sigID,\n\t\t\t\tSubject: sub,\n\t\t\t\tIssuer:  ce.GetIssuer(),\n\t\t\t\tGithubExtensions: GithubExtensions{\n\t\t\t\t\tWorkflowTrigger: ce.GetCertExtensionGithubWorkflowTrigger(),\n\t\t\t\t\tWorkflowSHA:     ce.GetExtensionGithubWorkflowSha(),\n\t\t\t\t\tWorkflowName:    ce.GetCertExtensionGithubWorkflowName(),\n\t\t\t\t\tWorkflowRepo:    ce.GetCertExtensionGithubWorkflowRepository(),\n\t\t\t\t\tWorkflowRef:     ce.GetCertExtensionGithubWorkflowRef(),\n\t\t\t\t},\n\t\t\t})\n\t\t} else {\n\t\t\tret = append(ret, PolicySignature{\n\t\t\t\tID: sigID,\n\t\t\t\t// TODO(mattmoor): Is there anything we should encode for 
key-based?\n\t\t\t})\n\t\t}\n\t}\n\treturn ret\n}\n\n// signatureID creates a unique hash for the Signature, using both the signature itself + the cert.\nfunc signatureID(sig oci.Signature) (string, error) {\n\th := sha256.New()\n\ts, err := sig.Signature()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif _, err := h.Write(s); err != nil {\n\t\treturn \"\", err\n\t}\n\n\tcert, err := sig.Cert()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif cert != nil {\n\t\tc, err := cryptoutils.MarshalCertificateToPEM(cert)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\tif _, err := h.Write(c); err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t}\n\n\treturn hex.EncodeToString(h.Sum(nil)), nil\n}\n\n// attestation is used to accumulate the signature along with extracted and\n// validated metadata during validation to construct a list of\n// PolicyAttestations upon completion without needing to refetch any of the\n// parts.\ntype attestation struct {\n\toci.Signature\n\n\tPredicateType string\n\tPayload       []byte\n\tDigest        string\n}\n\nfunc attestationToPolicyAttestations(ctx context.Context, atts []attestation) []PolicyAttestation {\n\tret := make([]PolicyAttestation, 0, len(atts))\n\tfor _, att := range atts {\n\t\tlogging.FromContext(ctx).Debugf(\"Converting attestation with digest %s\\n\", att.Digest)\n\n\t\tsigID, err := signatureID(att.Signature)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Debugf(\"Error fetching attestation signature %+v\", err)\n\t\t\tcontinue\n\t\t}\n\n\t\tif cert, err := att.Cert(); err == nil && cert != nil {\n\t\t\tce := cosign.CertExtensions{\n\t\t\t\tCert: cert,\n\t\t\t}\n\t\t\tsub := \"\"\n\t\t\tif sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {\n\t\t\t\tsub = sans[0]\n\t\t\t}\n\t\t\tret = append(ret, PolicyAttestation{\n\t\t\t\tPolicySignature: PolicySignature{\n\t\t\t\t\tID:      sigID,\n\t\t\t\t\tSubject: sub,\n\t\t\t\t\tIssuer:  ce.GetIssuer(),\n\t\t\t\t\tGithubExtensions: 
GithubExtensions{\n\t\t\t\t\t\tWorkflowTrigger: ce.GetCertExtensionGithubWorkflowTrigger(),\n\t\t\t\t\t\tWorkflowSHA:     ce.GetExtensionGithubWorkflowSha(),\n\t\t\t\t\t\tWorkflowName:    ce.GetCertExtensionGithubWorkflowName(),\n\t\t\t\t\t\tWorkflowRepo:    ce.GetCertExtensionGithubWorkflowRepository(),\n\t\t\t\t\t\tWorkflowRef:     ce.GetCertExtensionGithubWorkflowRef(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tDigest:        att.Digest,\n\t\t\t\tPredicateType: att.PredicateType,\n\t\t\t\tPayload:       att.Payload,\n\t\t\t})\n\t\t} else {\n\t\t\tret = append(ret, PolicyAttestation{\n\t\t\t\tPolicySignature: PolicySignature{\n\t\t\t\t\tID: sigID,\n\t\t\t\t\t// TODO(mattmoor): Is there anything we should encode for key-based?\n\t\t\t\t},\n\t\t\t\tPredicateType: att.PredicateType,\n\t\t\t\tPayload:       att.Payload,\n\t\t\t\tDigest:        att.Digest,\n\t\t\t})\n\t\t}\n\t}\n\treturn ret\n}\n\n// ValidatePolicySignaturesForAuthority takes the Authority and tries to\n// verify a signature against it.\nfunc ValidatePolicySignaturesForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, remoteOpts ...ociremote.Option) ([]PolicySignature, error) {\n\tname := authority.Name\n\n\tcheckOpts, err := checkOptsFromAuthority(ctx, authority, remoteOpts...)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"failed constructing checkOpts for %s: +v\", name, err)\n\t\treturn nil, fmt.Errorf(\"constructing checkOpts for %s: %w\", name, err)\n\t}\n\tswitch {\n\tcase authority.Key != nil:\n\t\tif len(authority.Key.PublicKeys) == 0 {\n\t\t\treturn nil, fmt.Errorf(\"there are no public keys for authority %s\", name)\n\t\t}\n\t\t// TODO(vaikas): What should happen if there are multiple keys\n\t\t// Is it even allowed? 
'valid' returns success if any key\n\t\t// matches.\n\t\t// https://github.com/sigstore/policy-controller/issues/1652\n\t\tsps, err := valid(ctx, ref, authority.Key.PublicKeys, authority.Key.HashAlgorithmCode, checkOpts)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"signature key validation failed for authority %s for %s: %w\", name, ref.Name(), err)\n\t\t}\n\t\tlogging.FromContext(ctx).Debugf(\"validated signature for %s for authority %s got %d signatures\", ref.Name(), authority.Name, len(sps))\n\t\treturn ociSignatureToPolicySignature(ctx, sps), nil\n\n\tcase authority.Keyless != nil:\n\t\tif authority.Keyless.URL != nil {\n\t\t\tsps, err := validSignatures(ctx, ref, checkOpts)\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"failed validSignatures for authority %s with fulcio for %s: %v\", name, ref.Name(), err)\n\t\t\t\treturn nil, fmt.Errorf(\"signature keyless validation failed for authority %s for %s: %w\", name, ref.Name(), err)\n\t\t\t}\n\t\t\tlogging.FromContext(ctx).Debugf(\"validated signature for %s, got %d signatures\", ref.Name(), len(sps))\n\t\t\treturn ociSignatureToPolicySignature(ctx, sps), nil\n\t\t}\n\t\treturn nil, fmt.Errorf(\"no Keyless URL specified\")\n\tcase authority.RFC3161Timestamp != nil:\n\t\tsps, err := validSignatures(ctx, ref, checkOpts)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"failed validSignatures for authority %s with fulcio for %s: %v\", name, ref.Name(), err)\n\t\t\treturn nil, fmt.Errorf(\"signature TSA validation failed for authority %s for %s: %w\", name, ref.Name(), err)\n\t\t}\n\t\tlogging.FromContext(ctx).Debugf(\"validated TSA signature for %s, got %d signatures\", ref.Name(), len(sps))\n\t\treturn ociSignatureToPolicySignature(ctx, sps), nil\n\t}\n\n\t// This should never happen because authority has to have been validated to\n\t// be either having a Key, Keyless, or Static (handled elsewhere)\n\treturn nil, errors.New(\"authority has neither key, keyless, or static 
specified\")\n}\n\n// ValidatePolicyAttestationsForAuthority takes the Authority and tries to\n// verify attestations against it.\nfunc ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, remoteOpts ...ociremote.Option) (map[string][]PolicyAttestation, error) {\n\tname := authority.Name\n\tcheckOpts, err := checkOptsFromAuthority(ctx, authority, remoteOpts...)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"failed creating checkopts client: %v\", err)\n\t\treturn nil, fmt.Errorf(\"creating CheckOpts: %w\", err)\n\t}\n\n\tverifiedAttestations := []oci.Signature{}\n\tswitch {\n\tcase authority.Key != nil && len(authority.Key.PublicKeys) > 0:\n\t\tfor _, k := range authority.Key.PublicKeys {\n\t\t\tverifier, err := signature.LoadVerifier(k, authority.Key.HashAlgorithmCode)\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"error creating verifier: %v\", err)\n\t\t\t\treturn nil, fmt.Errorf(\"creating verifier: %w\", err)\n\t\t\t}\n\t\t\tcheckOpts.SigVerifier = verifier\n\t\t\tva, err := validAttestations(ctx, ref, checkOpts)\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"error validating attestations: %v\", err)\n\t\t\t\treturn nil, fmt.Errorf(\"attestation key validation failed for authority %s for %s: %w\", name, ref.Name(), err)\n\t\t\t}\n\t\t\tverifiedAttestations = append(verifiedAttestations, va...)\n\t\t}\n\n\tcase authority.Keyless != nil:\n\t\tif authority.Keyless != nil && authority.Keyless.URL != nil {\n\t\t\tva, err := validAttestations(ctx, ref, checkOpts)\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"failed validAttestationsWithFulcio for authority %s with fulcio for %s: %v\", name, ref.Name(), err)\n\t\t\t\treturn nil, fmt.Errorf(\"attestation keyless validation failed for authority %s for %s: %w\", name, ref.Name(), err)\n\t\t\t}\n\t\t\tverifiedAttestations = append(verifiedAttestations, va...)\n\t\t}\n\tcase 
authority.RFC3161Timestamp != nil:\n\t\tva, err := validAttestations(ctx, ref, checkOpts)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"failed validAttestations for authority %s with fulcio for %s: %v\", name, ref.Name(), err)\n\t\t\treturn nil, fmt.Errorf(\"signature TSA validAttestations failed for authority %s for %s: %w\", name, ref.Name(), err)\n\t\t}\n\t\tlogging.FromContext(ctx).Debugf(\"validated TSA signature for %s, got %d signatures\", ref.Name(), len(va))\n\t\tverifiedAttestations = append(verifiedAttestations, va...)\n\t}\n\n\t// If we didn't get any verified attestations either from the Key or Keyless\n\t// path, then error out\n\tif len(verifiedAttestations) == 0 {\n\t\tlogging.FromContext(ctx).Errorf(\"no valid attestations found for authority %s for %s\", name, ref.Name())\n\t\treturn nil, fmt.Errorf(\"%s for authority %s for %s\", \"no matching attestations\", name, ref.Name())\n\t}\n\tlogging.FromContext(ctx).Debugf(\"Found %d valid attestations, validating policies for them\", len(verifiedAttestations))\n\n\t// Now spin through the Attestations that the user specified and validate\n\t// them.\n\t// TODO(vaikas): Pretty inefficient here, figure out a better way if\n\t// possible.\n\tret := make(map[string][]PolicyAttestation, len(authority.Attestations))\n\n\t// Keep track of all the predicate types that we checked so that we can\n\t// provide the user with a helpful error message in cases where the\n\t// predicateType specified is not found (typoed, using different than\n\t// expected, etc.).\n\t// We keep these in the map since there can be duplicates, so just use\n\t// map as uniquifier.\n\tcheckedPredicateTypes := map[string]struct{}{}\n\tfor _, wantedAttestation := range authority.Attestations {\n\t\t// Since there can be multiple verified attestations that matched, for\n\t\t// example multiple 'custom' attestations. 
We keep the first error that\n\t\t// we encounter here but do not exit on it, in case another attestation\n\t\t// satisfies the policy.\n\t\tvar reterror error\n\t\t// There's a particular type, so we need to go through all the verified\n\t\t// attestations and make sure that our particular one is satisfied.\n\t\tcheckedAttestations := make([]attestation, 0, len(verifiedAttestations))\n\t\tfor _, va := range verifiedAttestations {\n\t\t\tattDigest, err := va.Digest()\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"failed to get the attestation digest for %s: %v\", wantedAttestation.Name, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tattBytes, gotPredicateType, err := policy.AttestationToPayloadJSON(ctx, wantedAttestation.PredicateType, va)\n\t\t\tif gotPredicateType != \"\" {\n\t\t\t\tcheckedPredicateTypes[gotPredicateType] = struct{}{}\n\t\t\t}\n\t\t\tif err != nil {\n\t\t\t\tif reterror == nil {\n\t\t\t\t\t// Only stash the first error\n\t\t\t\t\treterror = err\n\t\t\t\t}\n\t\t\t\tlogging.FromContext(ctx).Warnf(\"failed to convert attestation payload to json: %v\", err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif attBytes == nil {\n\t\t\t\t// This happens when we ask for a predicate type that this\n\t\t\t\t// attestation is not for. 
It's not an error, so we skip it.\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif wantedAttestation.Type != \"\" {\n\t\t\t\tif warn, err := policy.EvaluatePolicyAgainstJSON(ctx, wantedAttestation.Name, wantedAttestation.Type, wantedAttestation.Data, attBytes); err != nil || warn != nil {\n\t\t\t\t\tif reterror == nil {\n\t\t\t\t\t\t// Only stash the first error\n\t\t\t\t\t\treterror = err\n\t\t\t\t\t\tif err == nil {\n\t\t\t\t\t\t\treterror = warn\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tlogging.FromContext(ctx).Warnf(\"failed policy validation for %s: %v\", wantedAttestation.Name, err)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tlogging.FromContext(ctx).Debugf(\"found verified attestation with digest: %s\\n\", attDigest.String())\n\t\t\t// Ok, so this passed aok, jot it down to our result set as\n\t\t\t// verified attestation with the predicate type match\n\t\t\tcheckedAttestations = append(checkedAttestations, attestation{\n\t\t\t\tSignature:     va,\n\t\t\t\tPredicateType: wantedAttestation.PredicateType,\n\t\t\t\tPayload:       attBytes,\n\t\t\t\tDigest:        attDigest.String(),\n\t\t\t})\n\t\t}\n\t\tif len(checkedAttestations) == 0 {\n\t\t\tif reterror != nil {\n\t\t\t\t// If there was a matching policy, but it failed to be validated\n\t\t\t\t// then return that more specific error instead of the more\n\t\t\t\t// generic 'no matching attestations'.\n\t\t\t\treturn nil, reterror\n\t\t\t}\n\t\t\tcpt := make([]string, 0, len(checkedPredicateTypes))\n\t\t\tfor pt := range checkedPredicateTypes {\n\t\t\t\tcpt = append(cpt, pt)\n\t\t\t}\n\t\t\treturn nil, fmt.Errorf(\"%s with type %s, checked the following predicateTypes: %q\", \"no matching attestations\", wantedAttestation.PredicateType, strings.Join(cpt, \",\"))\n\t\t}\n\t\tret[wantedAttestation.Name] = attestationToPolicyAttestations(ctx, checkedAttestations)\n\t}\n\treturn ret, nil\n}\n\n// ResolvePodScalable implements policyduckv1beta1.PodScalableValidator\nfunc (v *Validator) ResolvePodScalable(ctx 
context.Context, ps *policyduckv1beta1.PodScalable) {\n\t// Don't mess with things that are being deleted or already deleted or\n\t// if status is being updated\n\tif isDeletedOrStatusUpdate(ctx, ps.DeletionTimestamp) {\n\t\treturn\n\t}\n\n\tif ps.IsScalingDown(ctx) {\n\t\tlogging.FromContext(ctx).Debugf(\"Skipping validations due to scale down request %s/%s\", &ps.Name, &ps.Namespace)\n\t\treturn\n\t}\n\n\timagePullSecrets := make([]string, 0, len(ps.Spec.Template.Spec.ImagePullSecrets))\n\tfor _, s := range ps.Spec.Template.Spec.ImagePullSecrets {\n\t\timagePullSecrets = append(imagePullSecrets, s.Name)\n\t}\n\topt := k8schain.Options{\n\t\tNamespace:          getNamespace(ctx, ps.Namespace),\n\t\tServiceAccountName: ps.Spec.Template.Spec.ServiceAccountName,\n\t\tImagePullSecrets:   imagePullSecrets,\n\t}\n\tv.resolvePodSpec(ctx, &ps.Spec.Template.Spec, opt)\n}\n\n// ResolvePodSpecable implements duckv1.PodSpecValidator\nfunc (v *Validator) ResolvePodSpecable(ctx context.Context, wp *duckv1.WithPod) {\n\t// Don't mess with things that are being deleted or already deleted or\n\t// status update.\n\tif isDeletedOrStatusUpdate(ctx, wp.DeletionTimestamp) {\n\t\treturn\n\t}\n\n\timagePullSecrets := make([]string, 0, len(wp.Spec.Template.Spec.ImagePullSecrets))\n\tfor _, s := range wp.Spec.Template.Spec.ImagePullSecrets {\n\t\timagePullSecrets = append(imagePullSecrets, s.Name)\n\t}\n\topt := k8schain.Options{\n\t\tNamespace:          getNamespace(ctx, wp.Namespace),\n\t\tServiceAccountName: wp.Spec.Template.Spec.ServiceAccountName,\n\t\tImagePullSecrets:   imagePullSecrets,\n\t}\n\tv.resolvePodSpec(ctx, &wp.Spec.Template.Spec, opt)\n}\n\n// ResolvePod implements duckv1.PodValidator\nfunc (v *Validator) ResolvePod(ctx context.Context, p *duckv1.Pod) {\n\t// Don't mess with things that are being deleted or already deleted or\n\t// status update.\n\tif isDeletedOrStatusUpdate(ctx, p.DeletionTimestamp) {\n\t\treturn\n\t}\n\timagePullSecrets := make([]string, 0, 
len(p.Spec.ImagePullSecrets))\n\tfor _, s := range p.Spec.ImagePullSecrets {\n\t\timagePullSecrets = append(imagePullSecrets, s.Name)\n\t}\n\topt := k8schain.Options{\n\t\tNamespace:          getNamespace(ctx, p.Namespace),\n\t\tServiceAccountName: p.Spec.ServiceAccountName,\n\t\tImagePullSecrets:   imagePullSecrets,\n\t}\n\tv.resolvePodSpec(ctx, &p.Spec, opt)\n}\n\n// ResolveCronJob implements duckv1.CronJobValidator\nfunc (v *Validator) ResolveCronJob(ctx context.Context, c *duckv1.CronJob) {\n\t// Don't mess with things that are being deleted or already deleted or\n\t// status update.\n\tif isDeletedOrStatusUpdate(ctx, c.DeletionTimestamp) {\n\t\treturn\n\t}\n\n\timagePullSecrets := make([]string, 0, len(c.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets))\n\tfor _, s := range c.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets {\n\t\timagePullSecrets = append(imagePullSecrets, s.Name)\n\t}\n\topt := k8schain.Options{\n\t\tNamespace:          getNamespace(ctx, c.Namespace),\n\t\tServiceAccountName: c.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName,\n\t\tImagePullSecrets:   imagePullSecrets,\n\t}\n\tv.resolvePodSpec(ctx, &c.Spec.JobTemplate.Spec.Template.Spec, opt)\n}\n\n// For testing\nvar remoteResolveDigest = ociremote.ResolveDigest\n\nfunc (v *Validator) resolvePodSpec(ctx context.Context, ps *corev1.PodSpec, opt k8schain.Options) {\n\tkc, err := registryauth.NewK8sKeychain(ctx, kubeclient.Get(ctx), opt)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Warnf(\"Unable to build k8schain: %v\", err)\n\t\treturn\n\t}\n\n\tresolveContainers := func(cs []corev1.Container) {\n\t\tfor i, c := range cs {\n\t\t\tref, err := name.ParseReference(c.Image)\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Debugf(\"Unable to parse reference: %v\", err)\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\t// If we are in the context of a mutating webhook, then resolve the tag to a digest.\n\t\t\tswitch {\n\t\t\tcase apis.IsInCreate(ctx), 
apis.IsInUpdate(ctx):\n\t\t\t\tdigest, err := remoteResolveDigest(ref, ociremote.WithRemoteOptions(\n\t\t\t\t\tremote.WithContext(ctx),\n\t\t\t\t\tremote.WithAuthFromKeychain(kc),\n\t\t\t\t))\n\t\t\t\tif err != nil {\n\t\t\t\t\tlogging.FromContext(ctx).Debugf(\"Unable to resolve digest %q: %v\", ref.String(), err)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\t// Keep the original tag and append the digest\n\t\t\t\tif tagRef, ok := ref.(name.Tag); ok {\n\t\t\t\t\tcs[i].Image = fmt.Sprintf(\"%s@%s\", tagRef.Name(), digest.DigestStr())\n\t\t\t\t} else {\n\t\t\t\t\tcs[i].Image = digest.String()\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tresolveEphemeralContainers := func(cs []corev1.EphemeralContainer) {\n\t\tfor i, c := range cs {\n\t\t\tref, err := name.ParseReference(c.Image)\n\t\t\tif err != nil {\n\t\t\t\tlogging.FromContext(ctx).Debugf(\"Unable to parse reference: %v\", err)\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\t// If we are in the context of a mutating webhook, then resolve the tag to a digest.\n\t\t\tswitch {\n\t\t\tcase apis.IsInCreate(ctx), apis.IsInUpdate(ctx):\n\t\t\t\tdigest, err := remoteResolveDigest(ref, ociremote.WithRemoteOptions(\n\t\t\t\t\tremote.WithContext(ctx),\n\t\t\t\t\tremote.WithAuthFromKeychain(kc),\n\t\t\t\t))\n\t\t\t\tif err != nil {\n\t\t\t\t\tlogging.FromContext(ctx).Debugf(\"Unable to resolve digest %q: %v\", ref.String(), err)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\t// Keep the original tag and append the digest\n\t\t\t\tif tagRef, ok := ref.(name.Tag); ok {\n\t\t\t\t\tcs[i].Image = fmt.Sprintf(\"%s@%s\", tagRef.Name(), digest.DigestStr())\n\t\t\t\t} else {\n\t\t\t\t\tcs[i].Image = digest.String()\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tresolveContainers(ps.InitContainers)\n\tresolveContainers(ps.Containers)\n\tresolveEphemeralContainers(ps.EphemeralContainers)\n}\n\n// getNamespace tries to extract the namespace from the HTTPRequest\n// if the namespace passed as argument is empty. 
This is a workaround\n// for a bug in k8s <= 1.24.\nfunc getNamespace(ctx context.Context, namespace string) string {\n\tif namespace == \"\" {\n\t\tr := apis.GetHTTPRequest(ctx)\n\t\tif r != nil && r.Body != nil {\n\t\t\tvar review admissionv1.AdmissionReview\n\t\t\tif err := json.NewDecoder(r.Body).Decode(&review); err != nil {\n\t\t\t\tlogging.FromContext(ctx).Errorf(\"could not decode body: %v\", err)\n\t\t\t\treturn \"\"\n\t\t\t}\n\t\t\treturn review.Request.Namespace\n\t\t}\n\t}\n\treturn namespace\n}\n\n// validateContainerImage will validate the container image, and any errors will use\n// field & index to craft the meaningful error message.\n// field is necessary because higher level resources come here from different\n// contexts and the container could be nested at different levels in the\n// resource\n// index is the number in the containers array from the said context.\n//\n// Returns any encountered errors, or nil in two cases:\n// All the matched policies were validated, or\n// no matching policies were found, but the PolicyControllerConfig has been\n// configured to allow images not matching any policies.\n// Note that nil is also returned when no config is present in the context,\n// in which case no policies are evaluated for the image.\nfunc (v *Validator) validateContainerImage(ctx context.Context, containerImage string, namespace, field string, index int, kind, apiVersion string, labels map[string]string, kc authn.Keychain, ociRemoteOpts ...ociremote.Option) *apis.FieldError {\n\tref, err := name.ParseReference(containerImage)\n\tif err != nil {\n\t\treturn apis.ErrGeneric(err.Error(), \"image\").ViaFieldIndex(field, index)\n\t}\n\tconfig := config.FromContext(ctx)\n\n\tif config != nil {\n\t\tpolicies, err := config.ImagePolicyConfig.GetMatchingPolicies(ref.Name(), kind, apiVersion, labels)\n\t\tif err != nil {\n\t\t\terrorField := apis.ErrGeneric(err.Error(), \"image\").ViaFieldIndex(field, index)\n\t\t\terrorField.Details = containerImage\n\t\t\treturn errorField\n\t\t}\n\n\t\t// If there is at least one policy that matches, that means it\n\t\t// has to be satisfied.\n\t\tif 
len(policies) > 0 {\n\t\t\tsignatures, fieldErrors := validatePolicies(ctx, namespace, ref, policies, kc, ociRemoteOpts...)\n\t\t\tif len(signatures) != len(policies) {\n\t\t\t\tlogging.FromContext(ctx).Warnf(\"Failed to validate at least one policy for %s wanted %d policies, only validated %d\", ref.Name(), len(policies), len(signatures))\n\t\t\t} else {\n\t\t\t\tlogging.FromContext(ctx).Infof(\"Validated %d policies for image %s\", len(signatures), containerImage)\n\t\t\t}\n\t\t\treturn errorsToFieldErrors(containerImage, field, index, fieldErrors)\n\t\t}\n\t\t// Container matched no policies, so return based on the configured\n\t\t// NoMatchPolicy.\n\t\treturn setNoMatchingPoliciesError(ctx, containerImage, field, index)\n\t}\n\treturn nil\n}\n\nfunc errorsToFieldErrors(image, field string, index int, fieldErrors map[string][]error) (errs *apis.FieldError) {\n\t// Do we really want to add all the error details here?\n\t// Seems like we can just say which policy failed, so\n\t// doing that for now.\n\t// Split the errors and warnings to their own\n\t// error levels.\n\thasWarnings := false\n\thasErrors := false\n\tfor failingPolicy, policyErrs := range fieldErrors {\n\t\terrDetails := image\n\t\twarnDetails := image\n\t\tfor _, policyErr := range policyErrs {\n\t\t\tvar fe *apis.FieldError\n\t\t\tif errors.As(policyErr, &fe) {\n\t\t\t\tif fe.Filter(apis.WarningLevel) != nil {\n\t\t\t\t\twarnDetails = warnDetails + \" \" + fe.Message\n\t\t\t\t\thasWarnings = true\n\t\t\t\t} else {\n\t\t\t\t\terrDetails = errDetails + \" \" + fe.Message\n\t\t\t\t\thasErrors = true\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t// Just a regular error.\n\t\t\t\terrDetails = errDetails + \" \" + policyErr.Error()\n\t\t\t}\n\t\t}\n\t\tif hasWarnings {\n\t\t\twarnField := apis.ErrGeneric(fmt.Sprintf(\"failed policy: %s\", failingPolicy), \"image\").ViaFieldIndex(field, index)\n\t\t\twarnField.Details = warnDetails\n\t\t\terrs = errs.Also(warnField).At(apis.WarningLevel)\n\t\t}\n\t\tif hasErrors 
{\n\t\t\terrorField := apis.ErrGeneric(fmt.Sprintf(\"failed policy: %s\", failingPolicy), \"image\").ViaFieldIndex(field, index)\n\t\t\terrorField.Details = errDetails\n\t\t\terrs = errs.Also(errorField)\n\t\t}\n\t}\n\treturn\n}\n\n// refOrFieldError parses the given image into a name.Reference, or returns\n// a properly constructed FieldError for a given field/index in the resource\n// spec.\nfunc refOrFieldError(image, field string, index int) *apis.FieldError {\n\tref, err := name.ParseReference(image)\n\tif err != nil {\n\t\treturn apis.ErrGeneric(err.Error(), \"image\").ViaFieldIndex(field, index)\n\t}\n\tif _, ok := ref.(name.Digest); !ok {\n\t\treturn apis.ErrInvalidValue(\n\t\t\tfmt.Sprintf(\"%s must be an image digest\", image),\n\t\t\t\"image\",\n\t\t).ViaFieldIndex(field, index)\n\t}\n\treturn nil\n}\n\n// configFileResult is used to communicate results from gofuncs that fetch\n// ConfigFiles for a given image.\n// Because this can be recursive (say, multi-arch image), returns a map where\n// key is the architecture of the container image.\ntype configFileResult struct {\n\tret  map[string]*v1.ConfigFile\n\terrs []error\n}\n\n// getConfigs will fetch ConfigFile(s) for a given image. 
In case the image\n// is an index, we'll fetch the arch images recursively.\nfunc getConfigs(ctx context.Context, ref name.Reference, options ...remote.Option) (map[string]*v1.ConfigFile, []error) {\n\tdescriptor, err := remote.Get(ref, options...)\n\tif err != nil {\n\t\treturn nil, []error{fmt.Errorf(\"failed to get ref %s : %w\", ref.String(), err)}\n\t}\n\tswitch descriptor.MediaType {\n\tcase types.OCIImageIndex, types.DockerManifestList:\n\t\tii, err := descriptor.ImageIndex()\n\t\tif err != nil {\n\t\t\treturn nil, []error{fmt.Errorf(\"getting ImageIndex for %s : %w\", ref.String(), err)}\n\t\t}\n\t\tim, err := ii.IndexManifest()\n\t\tif err != nil {\n\t\t\treturn nil, []error{fmt.Errorf(\"getting IndexManifest for %s : %w\", ref.String(), err)}\n\t\t}\n\t\twg := new(sync.WaitGroup)\n\n\t\tresults := make(chan configFileResult, len(im.Manifests))\n\t\tfor _, manifest := range im.Manifests {\n\t\t\tmanifest := manifest\n\t\t\twg.Add(1)\n\t\t\tgo func() {\n\t\t\t\tdefer wg.Done()\n\t\t\t\tnewRefString := ref.Context().Digest(manifest.Digest.String()).String()\n\t\t\t\tnewRef, err := name.ParseReference(newRefString)\n\t\t\t\tif err != nil {\n\t\t\t\t\tresults <- configFileResult{ret: nil, errs: []error{fmt.Errorf(\"failed to ParseReference for: %s: %w\", newRefString, err)}}\n\t\t\t\t\treturn\n\t\t\t\t}\n\n\t\t\t\tnewRefConfigs, errs := getConfigs(ctx, newRef, options...)\n\t\t\t\tresults <- configFileResult{ret: newRefConfigs, errs: errs}\n\t\t\t}()\n\t\t}\n\t\terrs := []error{}\n\t\tret := make(map[string]*v1.ConfigFile, len(im.Manifests))\n\t\tfor i := 0; i < len(im.Manifests); i++ {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\terrs = append(errs, errors.New(\"context canceled\"))\n\t\t\tcase result, ok := <-results:\n\t\t\t\tif !ok {\n\t\t\t\t\terrs = append(errs, errors.New(\"channel closed before all results were gathered\"))\n\t\t\t\t} else {\n\t\t\t\t\tif len(result.errs) != 0 {\n\t\t\t\t\t\terrs = append(errs, fmt.Errorf(\"failed to get a 
ConfigFile: %v\", result.errs))\n\t\t\t\t\t} else {\n\t\t\t\t\t\tfor k, v := range result.ret {\n\t\t\t\t\t\t\tret[k] = v\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\twg.Wait()\n\t\tif len(errs) > 0 {\n\t\t\treturn nil, errs\n\t\t}\n\t\treturn ret, nil\n\tcase types.OCIManifestSchema1, types.DockerManifestSchema2:\n\t\t// This is an Image, so just return it.\n\t\timage, err := descriptor.Image()\n\t\tif err != nil {\n\t\t\treturn nil, []error{fmt.Errorf(\"getting Image for %s: %w\", ref.String(), err)}\n\t\t}\n\t\tcf, err := image.ConfigFile()\n\t\tif err != nil {\n\t\t\treturn nil, []error{fmt.Errorf(\"getting ConfigFile for %s: %w\", ref.String(), err)}\n\t\t}\n\t\treturn map[string]*v1.ConfigFile{normalizeArchitecture(cf): cf}, nil\n\tdefault:\n\t\treturn nil, []error{fmt.Errorf(\"unknown mime type for %s: %v\", ref.String(), descriptor.MediaType)}\n\t}\n}\n\n// normalizeArchitecture normalizes the os/architecture/variant to:\n// {OS}/{Architecture}[/{Variant}]\n//\n// Some examples are:\n// linux/arm64\n// linux/arm/v7\n// linux/arm/v6\nfunc normalizeArchitecture(cf *v1.ConfigFile) string {\n\treturn v1.Platform{\n\t\tArchitecture: cf.Architecture,\n\t\tOS:           cf.OS,\n\t\tOSVersion:    cf.OSVersion,\n\t\tVariant:      cf.Variant,\n\t}.String()\n}\n\n// checkOptsFromAuthority creates the necessary options for calling Cosign\n// verify functions (signatures and attestations).\nfunc checkOptsFromAuthority(ctx context.Context, authority webhookcip.Authority, remoteOpts ...ociremote.Option) (*cosign.CheckOpts, error) {\n\t// Get the policy controller configuration to check if OCI 1.1 is enabled\n\tcfg := policycontrollerconfig.FromContextOrDefaults(ctx)\n\n\tret := &cosign.CheckOpts{\n\t\tRegistryClientOpts: remoteOpts,\n\t\tNewBundleFormat:    authority.SignatureFormat == \"bundle\",\n\t\tExperimentalOCI11:  cfg.EnableOCI11,\n\t}\n\n\t// Add in the identities for verification purposes\n\tif authority.Keyless != nil {\n\t\tfor _, id := range 
authority.Keyless.Identities {\n\t\t\tret.Identities = append(ret.Identities,\n\t\t\t\tcosign.Identity{\n\t\t\t\t\tIssuer:        id.Issuer,\n\t\t\t\t\tSubject:       id.Subject,\n\t\t\t\t\tIssuerRegExp:  id.IssuerRegExp,\n\t\t\t\t\tSubjectRegExp: id.SubjectRegExp})\n\t\t}\n\t}\n\n\tif ret.NewBundleFormat {\n\t\t// The new bundle format is only supported for keyless authorities\n\t\t// and the trustRootRef must be set.\n\t\tif authority.Keyless == nil {\n\t\t\t// TODO: Support the new bundle format for non-keyless authorities\n\t\t\treturn nil, fmt.Errorf(\"when using the new bundle format, the authority must be keyless\")\n\t\t}\n\t\ttrustRootRef := authority.Keyless.TrustRootRef\n\t\tif trustRootRef != \"\" {\n\t\t\t// Set up TrustedMaterial\n\t\t\tsigstoreKeys, err := sigstoreKeysFromContext(ctx, trustRootRef)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"getting SigstoreKeys: %w\", err)\n\t\t\t}\n\t\t\tsk, ok := sigstoreKeys.SigstoreKeys[trustRootRef]\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"trustRootRef %s not found\", trustRootRef)\n\t\t\t}\n\t\t\tret.TrustedMaterial, err = root.NewTrustedRootFromProtobuf(sk)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"failed to create trusted root from protobuf: %w\", err)\n\t\t\t}\n\t\t} else {\n\t\t\tvar err error\n\t\t\tret.TrustedMaterial, err = pctuf.GetTrustedRoot(ctx)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"failed to fetch trusted root: %w\", err)\n\t\t\t}\n\t\t}\n\t\tif authority.Keyless.InsecureIgnoreSCT != nil && *authority.Keyless.InsecureIgnoreSCT {\n\t\t\tret.IgnoreSCT = *authority.Keyless.InsecureIgnoreSCT\n\t\t}\n\n\t\t// Check for custom TSA\n\t\ttsa := authority.RFC3161Timestamp\n\t\tif tsa != nil {\n\t\t\tif tsa.TrustRootRef != authority.Keyless.TrustRootRef {\n\t\t\t\treturn nil, fmt.Errorf(\"when using the new bundle format, the trustRootRef for the TSA must be the same as the trustRootRef for the Keyless 
authority\")\n\t\t\t}\n\t\t\tret.UseSignedTimestamps = true\n\t\t\tret.IgnoreTlog = true\n\t\t}\n\n\t\t// Check for custom Rekor\n\t\ttlog := authority.CTLog\n\t\tif tlog != nil {\n\t\t\tif tlog.TrustRootRef != authority.Keyless.TrustRootRef {\n\t\t\t\treturn nil, fmt.Errorf(\"when using the new bundle format, the trustRootRef for the TLog must be the same as the trustRootRef for the Keyless authority\")\n\t\t\t}\n\t\t\t// Only require the TLog if we're not using signed timestamps\n\t\t\tif ret.UseSignedTimestamps {\n\t\t\t\tret.IgnoreTlog = true\n\t\t\t}\n\t\t}\n\t\treturn ret, nil\n\t}\n\n\t// If we're not using the new bundle verifier (TrustedMaterial), we need to assemble the other CheckOpts (Fulcio, Rekor, TSA, etc.)\n\n\tif authority.Keyless != nil {\n\t\tfulcioRoots, fulcioIntermediates, ctlogKeys, err := fulcioCertsFromAuthority(ctx, authority.Keyless)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"getting Fulcio certs: %s: %w\", authority.Name, err)\n\t\t}\n\t\tret.RootCerts = fulcioRoots\n\t\tret.IntermediateCerts = fulcioIntermediates\n\t\tret.CTLogPubKeys = ctlogKeys\n\t\tif authority.Keyless.InsecureIgnoreSCT != nil && *authority.Keyless.InsecureIgnoreSCT {\n\t\t\tret.IgnoreSCT = *authority.Keyless.InsecureIgnoreSCT\n\t\t}\n\t}\n\trekorClient, rekorPubKeys, err := rekorClientAndKeysFromAuthority(ctx, authority)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"getting Rekor public keys: %s: %w\", authority.Name, err)\n\t}\n\tret.RekorClient = rekorClient\n\tret.RekorPubKeys = rekorPubKeys\n\n\t// Skip the TLog verification if we have no client or keys to validate\n\t// against.\n\tif ret.RekorClient == nil {\n\t\tif ret.RekorPubKeys != nil {\n\t\t\t// If there's keys however, use offline for verification.\n\t\t\tret.Offline = true\n\t\t} else {\n\t\t\t// If there is not a rekor client definition then skip tlog verification.\n\t\t\tret.IgnoreTlog = true\n\t\t}\n\t}\n\n\tif authority.RFC3161Timestamp != nil && authority.RFC3161Timestamp.TrustRootRef 
!= \"\" {\n\t\tlogging.FromContext(ctx).Debug(\"Using RFC3161Timestamp...\")\n\t\t// TODO: By default, we disable any tlog verification when using the RFC3161Timestamp validation.\n\t\t// There are use cases when the validation is only handled by TSA, and there isn't any TLog involved.\n\t\tret.IgnoreTlog = true\n\t\tret.UseSignedTimestamps = true\n\n\t\tsigstoreKeys, err := sigstoreKeysFromContext(ctx, authority.RFC3161Timestamp.TrustRootRef)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tsk, ok := sigstoreKeys.SigstoreKeys[authority.RFC3161Timestamp.TrustRootRef]\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"trustRootRef %s not found\", authority.RFC3161Timestamp.TrustRootRef)\n\t\t}\n\t\tfor _, timestampAuthority := range sk.TimestampAuthorities {\n\t\t\tleaves, intermediates, roots, err := splitPEMCertificateChain(config.SerializeCertChain(timestampAuthority.CertChain)) // TODO: this is less efficient than it could be\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"error splitting certificates: %w\", err)\n\t\t\t}\n\t\t\tif len(leaves) > 1 {\n\t\t\t\treturn nil, fmt.Errorf(\"certificate chain must contain at most one TSA certificate\")\n\t\t\t}\n\t\t\tif len(leaves) == 1 {\n\t\t\t\tret.TSACertificate = leaves[0]\n\t\t\t}\n\t\t\tret.TSAIntermediateCertificates = intermediates\n\t\t\tret.TSARootCertificates = roots\n\t\t}\n\t}\n\treturn ret, nil\n}\n\nfunc sigstoreKeysFromContext(ctx context.Context, trustRootRef string) (*config.SigstoreKeysMap, error) {\n\tconfig := config.FromContext(ctx)\n\tif config == nil {\n\t\t// No config, can't fetch certificates, bail.\n\t\treturn nil, fmt.Errorf(\"trustRootRef %s not found, config missing\", trustRootRef)\n\t}\n\tif config.SigstoreKeysConfig == nil {\n\t\t// No config, can't fetch keys, bail.\n\t\treturn nil, fmt.Errorf(\"trustRootRef %s not found, SigstoreKeys missing\", trustRootRef)\n\t}\n\treturn config.SigstoreKeysConfig, nil\n}\n\n// fulcioCertsFromAuthority gets the necessary Fulcio 
certificates, this is\n// rootPool and an optional intermediatePool. Additionally fetches the CTLog\n// public keys.\n// Preference is given to TrustRoot if specified, from which the certificates\n// are fetched and returned. If there's no TrustRoot, the certificates are\n// fetched from embedded or cached TUF root.\nfunc fulcioCertsFromAuthority(ctx context.Context, keylessRef *webhookcip.KeylessRef) (*x509.CertPool, *x509.CertPool, *cosign.TrustedTransparencyLogPubKeys, error) {\n\t// No TrustRootRef is set, so use the Fulcio roots, intermediates and CTLog\n\t// public keys from the embedded or cached TUF root.\n\tif keylessRef.TrustRootRef == \"\" {\n\t\troots, err := fulcioroots.Get()\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, fmt.Errorf(\"failed to fetch Fulcio roots: %w\", err)\n\t\t}\n\t\tintermediates, err := fulcioroots.GetIntermediates()\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, fmt.Errorf(\"failed to fetch Fulcio intermediates: %w\", err)\n\t\t}\n\t\tctPubs, err := cosign.GetCTLogPubs(ctx)\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, fmt.Errorf(\"failed to fetch CTLog public keys: %w\", err)\n\t\t}\n\t\treturn roots, intermediates, ctPubs, nil\n\t}\n\n\t// There's TrustRootRef, so fetch it\n\ttrustRootRef := keylessRef.TrustRootRef\n\tsigstoreKeys, err := sigstoreKeysFromContext(ctx, trustRootRef)\n\tif err != nil {\n\t\treturn nil, nil, nil, fmt.Errorf(\"getting SigstoreKeys: %w\", err)\n\t}\n\trootCertsPool := x509.NewCertPool()\n\tintermediateCertsPool := x509.NewCertPool()\n\n\tsk, ok := sigstoreKeys.SigstoreKeys[trustRootRef]\n\tif !ok {\n\t\treturn nil, nil, nil, fmt.Errorf(\"trustRootRef %s not found\", trustRootRef)\n\t}\n\tfor _, ca := range sk.CertificateAuthorities {\n\t\tcerts, err := cryptoutils.UnmarshalCertificatesFromPEM(config.SerializeCertChain(ca.CertChain)) // TODO: this is less efficient than it could be\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, fmt.Errorf(\"error unmarshalling certificates: %w\", err)\n\t\t}\n\t\tfor _, cert := range certs {\n\t\t\t// root certificates are 
self-signed\n\t\t\tif bytes.Equal(cert.RawSubject, cert.RawIssuer) {\n\t\t\t\trootCertsPool.AddCert(cert)\n\t\t\t} else {\n\t\t\t\tintermediateCertsPool.AddCert(cert)\n\t\t\t}\n\t\t}\n\t}\n\n\tctlogKeys := &cosign.TrustedTransparencyLogPubKeys{\n\t\tKeys: make(map[string]cosign.TransparencyLogPubKey, len(sk.Ctlogs)),\n\t}\n\tfor i, ctlog := range sk.Ctlogs {\n\t\tpk, err := cryptoutils.UnmarshalPEMToPublicKey(config.SerializePublicKey(ctlog.PublicKey)) // TODO: this is less efficient than it could be\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, fmt.Errorf(\"unmarshaling public key %d failed: %w\", i, err)\n\t\t}\n\t\tctlogKeys.Keys[string(ctlog.LogId.KeyId)] = cosign.TransparencyLogPubKey{\n\t\t\tPubKey: pk,\n\t\t\tStatus: tuf.Active,\n\t\t}\n\t}\n\tif len(ctlogKeys.Keys) == 0 {\n\t\t// if keys are empty just return a nil map to make easier for the caller\n\t\t// to see if it's empty.\n\t\tctlogKeys = nil\n\t}\n\treturn rootCertsPool, intermediateCertsPool, ctlogKeys, nil\n}\n\n// rekorClientAndKeysFromAuthority creates a Rekor client that should be used\n// and public keys to go with it.\n// Note that if Rekor is not specified, it's not an error and nil will be\n// returned for it.\n// Preference is given to TrustRoot if specified, from which the URL and public\n// keys are fetched and returned. 
If there's no TrustRoot but a URL, then\n// a Rekor client is returned and the keys from the embedded or cached TUF root.\nfunc rekorClientAndKeysFromAuthority(ctx context.Context, authority webhookcip.Authority) (*client.Rekor, *cosign.TrustedTransparencyLogPubKeys, error) {\n\t// In keyless, if no TrustRoot was defined and CTLog is nil, then default to rekor pub keys as done in cosign\n\tif authority.Keyless != nil && authority.Keyless.TrustRootRef == \"\" && authority.CTLog == nil {\n\t\trekorPubKeys, err := cosign.GetRekorPubs(ctx)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"failed getting rekor public keys: %v\", err)\n\t\t\treturn nil, nil, fmt.Errorf(\"getting Rekor public keys: %w\", err)\n\t\t}\n\t\treturn nil, rekorPubKeys, nil\n\t}\n\ttlog := authority.CTLog\n\tif tlog == nil {\n\t\treturn nil, nil, nil\n\t}\n\tif tlog.TrustRootRef != \"\" {\n\t\ttrustRootRef := tlog.TrustRootRef\n\t\trekorPubKeys, rekorURL, err := rekorKeysFromTrustRef(ctx, trustRootRef)\n\t\tif err != nil {\n\t\t\treturn nil, nil, fmt.Errorf(\"fetching keys for trustRootRef: %w\", err)\n\t\t}\n\t\tif rekorURL == \"\" && tlog.URL != nil {\n\t\t\t// Pull this from the tlog entry in this case.\n\t\t\trekorURL = tlog.URL.String()\n\t\t}\n\t\trekorClient, err := rekor.GetRekorClient(rekorURL)\n\t\tif err != nil {\n\t\t\tlogging.FromContext(ctx).Errorf(\"failed creating rekor client: %v\", err)\n\t\t\treturn nil, nil, fmt.Errorf(\"creating Rekor client: %w\", err)\n\t\t}\n\t\treturn rekorClient, rekorPubKeys, nil\n\t}\n\n\t// No TrustRoot, so see if there's one specified in the authority and if\n\t// not just return that no Rekor is to be used.\n\tif tlog.URL == nil {\n\t\treturn nil, nil, nil\n\t}\n\trekorClient, err := rekor.GetRekorClient(tlog.URL.String())\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"failed creating rekor client: %v\", err)\n\t\treturn nil, nil, fmt.Errorf(\"creating Rekor client: %w\", err)\n\t}\n\trekorPubKeys, err := 
cosign.GetRekorPubs(ctx)\n\tif err != nil {\n\t\tlogging.FromContext(ctx).Errorf(\"failed getting rekor public keys: %v\", err)\n\t\treturn nil, nil, fmt.Errorf(\"getting Rekor public keys: %w\", err)\n\t}\n\treturn rekorClient, rekorPubKeys, nil\n}\n\nfunc rekorKeysFromTrustRef(ctx context.Context, trustRootRef string) (*cosign.TrustedTransparencyLogPubKeys, string, error) {\n\tsigstoreKeys, err := sigstoreKeysFromContext(ctx, trustRootRef)\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"getting SigstoreKeys: %w\", err)\n\t}\n\n\tif sk, ok := sigstoreKeys.SigstoreKeys[trustRootRef]; ok {\n\t\tretKeys := &cosign.TrustedTransparencyLogPubKeys{\n\t\t\tKeys: make(map[string]cosign.TransparencyLogPubKey, len(sk.Tlogs)),\n\t\t}\n\t\trekorURL := \"\"\n\t\tfor i, tlog := range sk.Tlogs {\n\t\t\tpk, err := cryptoutils.UnmarshalPEMToPublicKey(config.SerializePublicKey(tlog.PublicKey))\n\t\t\tif err != nil {\n\t\t\t\treturn nil, \"\", fmt.Errorf(\"unmarshaling public key %d failed: %w\", i, err)\n\t\t\t}\n\t\t\t// This needs to be ecdsa instead of crypto.PublicKey\n\t\t\t// https://github.com/sigstore/cosign/issues/2540\n\t\t\tpkecdsa, ok := pk.(*ecdsa.PublicKey)\n\t\t\tif !ok {\n\t\t\t\treturn nil, \"\", fmt.Errorf(\"public key %d is not ecdsa.PublicKey\", i)\n\t\t\t}\n\t\t\tretKeys.Keys[string(tlog.LogId.KeyId)] = cosign.TransparencyLogPubKey{\n\t\t\t\tPubKey: pkecdsa,\n\t\t\t\tStatus: tuf.Active,\n\t\t\t}\n\t\t\trekorURL = tlog.BaseUrl\n\t\t}\n\t\treturn retKeys, rekorURL, nil\n\t}\n\treturn nil, \"\", fmt.Errorf(\"trustRootRef %s not found\", trustRootRef)\n}\n\n// splitPEMCertificateChain returns a list of leaf (non-CA) certificates, a certificate pool for\n// intermediate CA certificates, and a certificate pool for root CA certificates\nfunc splitPEMCertificateChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error) {\n\tcerts, err := cryptoutils.UnmarshalCertificatesFromPEM(pem)\n\tif err != nil {\n\t\treturn nil, nil, nil, 
err\n\t}\n\n\tfor _, cert := range certs {\n\t\tif !cert.IsCA {\n\t\t\tleaves = append(leaves, cert)\n\t\t} else {\n\t\t\t// a CA certificate whose subject equals its issuer is classified as a\n\t\t\t// root; this is a name comparison only, the signature is not checked here\n\t\t\tif bytes.Equal(cert.RawSubject, cert.RawIssuer) {\n\t\t\t\troots = append(roots, cert)\n\t\t\t} else {\n\t\t\t\tintermediates = append(intermediates, cert)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn leaves, intermediates, roots, nil\n}\n"
  },
  {
    "path": "pkg/webhook/validator_result.go",
    "content": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage webhook\n\nimport (\n\tv1 \"github.com/google/go-containerregistry/pkg/v1\"\n)\n\n// PolicyResult is the result of a successful ValidatePolicy call.\n// These are meant to be consumed by a higher level Policy engine that\n// can reason about validated results. The 'first' level pass will verify\n// signatures and attestations, and make the results then available for\n// a policy that can be used to gate a passing of a ClusterImagePolicy.\n// Some examples are, at least 'vulnerability' has to have been done\n// and the scan must have been attested by a particular entity (sujbect/issuer)\n// or a particular key.\n// Other examples are N-of-M must be satisfied and so forth.\n// We do not expose the low level details of signatures / attestations here\n// since they have already been validated as per the Authority configuration\n// and optionally by the Attestations which contain a particular policy that\n// can be used to validate the Attestations (say vulnerability scanner must not\n// have any High sev issues).\ntype PolicyResult struct {\n\t// AuthorityMatches will have an entry for each successful Authority check\n\t// on it. 
Key in the map is the Attestation.Name\n\tAuthorityMatches map[string]AuthorityMatch `json:\"authorityMatches,omitempty\"`\n\n\t// Config contains the Config for each of the normalized os/architectures\n\t// where key to the map is the {OS}/{Architecture}[/{Variant}]\n\t//\n\t// Some examples are:\n\t// linux/arm64\n\t// linux/arm/v7\n\t// linux/arm/v6\n\t//\n\t// This field is only available for evaluation if\n\t// CIP.Spec.Policy.FetchConfigFile is set to true.\n\tConfig map[string]*v1.ConfigFile `json:\"config,omitempty\"`\n\n\t// Spec contains the Spec for the resource that was evaluated. Note\n\t// that because this is resource specific, so you can use MatchResource\n\t// to filter to only specific resource to get only the Specs you want.\n\t//\n\t// This field is only available for evaluation if\n\t// CIP.Spec.Policy.IncludeSpec is set to true.\n\tSpec interface{} `json:\"spec,omitempty\"`\n\n\t// ObjectMeta contains the ObjectMeta for the resource that was evaluated.\n\t//\n\t// This field is only available for evaluation if\n\t// CIP.Spec.Policy.IncludeObjectMeta is set to true.\n\tObjectMeta interface{} `json:\"metadata,omitempty\"`\n\n\t// TypeMeta contains the TypeMeta for the resource that was evaluated.\n\t//\n\t// This field is only available for evaluation if\n\t// CIP.Spec.Policy.IncludeTypeMeta is set to true.\n\tTypeMeta interface{} `json:\"typemeta,omitempty\"`\n}\n\n// AuthorityMatch returns either Signatures (if there are no Attestations\n// specified), or Attestations if there are Attestations specified.\ntype AuthorityMatch struct {\n\t// All of the matching signatures for this authority\n\t// Wonder if for consistency this should also have the matching\n\t// attestations name, aka, make this into a map.\n\tSignatures []PolicySignature `json:\"signatures,omitempty\"`\n\n\t// Mapping from attestation name to all of verified attestations\n\tAttestations map[string][]PolicyAttestation `json:\"attestations,omitempty\"`\n\n\t// Static indicates 
whether this authority matched due to a static action,\n\t// e.g. static: { action: pass }\n\tStatic bool `json:\"static,omitempty\"`\n}\n\n// PolicySignature contains a normalized result of a validated signature, where\n// signature could be a signature on the Image (.sig) or on an Attestation\n// (.att).\ntype PolicySignature struct {\n\t// A unique identifier describing this signature.\n\t// This is typically the hash of this signature's OCI layer for images.\n\tID string `json:\"id,omitempty\"`\n\n\t// Subject that was found to match on the Cert.\n\tSubject string `json:\"subject,omitempty\"`\n\t// Issuer that was found to match on the Cert.\n\tIssuer string `json:\"issuer,omitempty\"`\n\n\t// GithubExtensions holds the Github-related OID extensions.\n\t// See also: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md\n\tGithubExtensions `json:\",inline\"`\n}\n\n// PolicyAttestation contains a normalized result of a validated attestation,\n// which consists of the PolicySignature part, and some additional attestation\n// specific fields.\ntype PolicyAttestation struct {\n\tPolicySignature `json:\",inline\"`\n\n\t// PredicateType is the in-toto predicate type of this attestation.\n\tPredicateType string `json:\"predicateType,omitempty\"`\n\n\t// Payload is the bytes of the in-toto statement's predicate payload.\n\t// This is included for the benefit of the caller of ValidatePolicy, and is\n\t// not intended for consumption in the ClusterImagePolicy's outer policy\n\t// block.\n\tPayload []byte `json:\"-\"`\n\n\t// Digest of the attestation\n\tDigest string `json:\"digest,omitempty\"`\n}\n\n// GithubExtensions holds the Github-related OID extensions.\n// See also: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md\n// NOTE: these fields correlate with the names given in the cosign\n// CertExtensionMap and must be prefixed with \"github\" to avoid ambiguity.\ntype GithubExtensions struct {\n\t// OID: 1.3.6.1.4.1.57264.1.2\n\tWorkflowTrigger string 
`json:\"githubWorkflowTrigger,omitempty\"`\n\t// OID: 1.3.6.1.4.1.57264.1.3\n\tWorkflowSHA string `json:\"githubWorkflowSha,omitempty\"`\n\t// OID: 1.3.6.1.4.1.57264.1.4\n\tWorkflowName string `json:\"githubWorkflowName,omitempty\"`\n\t// OID: 1.3.6.1.4.1.57264.1.5\n\tWorkflowRepo string `json:\"githubWorkflowRepo,omitempty\"`\n\t// OID: 1.3.6.1.4.1.57264.1.6\n\tWorkflowRef string `json:\"githubWorkflowRef,omitempty\"`\n}\n"
  },
  {
    "path": "pkg/webhook/validator_test.go",
    "content": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//     http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage webhook\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/google/go-containerregistry/pkg/authn/k8schain\"\n\t\"github.com/google/go-containerregistry/pkg/name\"\n\tv1 \"github.com/google/go-containerregistry/pkg/v1\"\n\tv1types \"github.com/google/go-containerregistry/pkg/v1/types\"\n\t\"github.com/sigstore/cosign/v3/pkg/cosign\"\n\t\"github.com/sigstore/cosign/v3/pkg/cosign/bundle\"\n\t\"github.com/sigstore/cosign/v3/pkg/oci\"\n\t\"github.com/sigstore/cosign/v3/pkg/oci/remote\"\n\t\"github.com/sigstore/cosign/v3/pkg/oci/static\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/config\"\n\tpolicyduckv1beta1 \"github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1\"\n\t\"github.com/sigstore/policy-controller/pkg/apis/signaturealgo\"\n\tpolicycontrollerconfig \"github.com/sigstore/policy-controller/pkg/config\"\n\twebhookcip \"github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy\"\n\tpbcommon 
\"github.com/sigstore/protobuf-specs/gen/pb-go/common/v1\"\n\t\"github.com/sigstore/sigstore-go/pkg/root\"\n\t\"github.com/sigstore/sigstore/pkg/cryptoutils\"\n\t\"github.com/sigstore/sigstore/pkg/fulcioroots\"\n\t\"github.com/sigstore/sigstore/pkg/tuf\"\n\tadmissionv1 \"k8s.io/api/admission/v1\"\n\tbatchv1 \"k8s.io/api/batch/v1\"\n\tcorev1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\t\"k8s.io/apimachinery/pkg/types\"\n\t\"knative.dev/pkg/apis\"\n\tduckv1 \"knative.dev/pkg/apis/duck/v1\"\n\tkubeclient \"knative.dev/pkg/client/injection/kube/client\"\n\tfakekube \"knative.dev/pkg/client/injection/kube/client/fake\"\n\t\"knative.dev/pkg/ptr\"\n\trtesting \"knative.dev/pkg/reconciler/testing\"\n\t\"knative.dev/pkg/system\"\n)\n\nconst (\n\tfulcioRootCert = \"-----BEGIN CERTIFICATE-----\\nMIICNzCCAd2gAwIBAgITPLBoBQhl1hqFND9S+SGWbfzaRTAKBggqhkjOPQQDAjBo\\nMQswCQYDVQQGEwJVSzESMBAGA1UECBMJV2lsdHNoaXJlMRMwEQYDVQQHEwpDaGlw\\ncGVuaGFtMQ8wDQYDVQQKEwZSZWRIYXQxDDAKBgNVBAsTA0NUTzERMA8GA1UEAxMI\\ndGVzdGNlcnQwHhcNMjEwMzEyMjMyNDQ5WhcNMzEwMjI4MjMyNDQ5WjBoMQswCQYD\\nVQQGEwJVSzESMBAGA1UECBMJV2lsdHNoaXJlMRMwEQYDVQQHEwpDaGlwcGVuaGFt\\nMQ8wDQYDVQQKEwZSZWRIYXQxDDAKBgNVBAsTA0NUTzERMA8GA1UEAxMIdGVzdGNl\\ncnQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRn+Alyof6xP3GQClSwgV0NFuY\\nYEwmKP/WLWr/LwB6LUYzt5v49RlqG83KuaJSpeOj7G7MVABdpIZYWwqAiZV3o2Yw\\nZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU\\nT8Jwm6JuVb0dsiuHUROiHOOVHVkwHwYDVR0jBBgwFoAUT8Jwm6JuVb0dsiuHUROi\\nHOOVHVkwCgYIKoZIzj0EAwIDSAAwRQIhAJkNZmP6sKA+8EebRXFkBa9DPjacBpTc\\nOljJotvKidRhAiAuNrIazKEw2G4dw8x1z6EYk9G+7fJP5m93bjm/JfMBtA==\\n-----END CERTIFICATE-----\"\n\trekorResponse  = \"bad response\"\n\n\t// Random public key (cosign generate-key-pair) 2022-03-18\n\tauthorityKeyCosignPubString = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENAyijLvRu5QpCPp2uOj8C79ZW1VJ\nSID/4H61ZiRzN4nqONzp+ZF22qQTk3MFO3D0/ZKmWHAosIf2pf2GHH7myA==\n-----END 
PUBLIC KEY-----`\n\n\tcertChain = `-----BEGIN CERTIFICATE-----\nMIIBzDCCAXKgAwIBAgIUfyGKDoFa7y6s/W1p1CiTmBRs1eAwCgYIKoZIzj0EAwIw\nMDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0\nZTAeFw0yMjExMDkyMDMxMzRaFw0zMTExMDkyMDM0MzRaMDAxDjAMBgNVBAoTBWxv\nY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmcwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAAR3KcDy9jwARX0rDvyr+MGGkG3n1OA0MU5+ZiDmgusFyk6U\n6bovKWVMfD8J8NTcJZE0RaYJr8/dE9kgcIIXlhMwo2owaDAOBgNVHQ8BAf8EBAMC\nB4AwHQYDVR0OBBYEFHNn5R3b3MtUdSNrFO49Q6XDVSnkMB8GA1UdIwQYMBaAFNLS\n6gno7Om++Qt5zIa+H9o0HiT2MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqG\nSM49BAMCA0gAMEUCIQCF0olohnvdUq6T7/wPk19Z5aQP/yxRTjCWYuhn/TCyHgIg\nazV3air4GRZbN9bdYtcQ7JUAKq89GOhtFfl6kcoVUvU=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIB0jCCAXigAwIBAgIUXpBmYJFFaGW3cC8p6b/DHr1i8IowCgYIKoZIzj0EAwIw\nKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx\nMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAwMQ4wDAYDVQQKEwVsb2NhbDEeMBwG\nA1UEAxMVVGVzdCBUU0EgSW50ZXJtZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0D\nAQcDQgAEKDPDRIwDS1ZCymub6yanCG5ma0qDjLpNonDvooSkRHEgU0TNibeJn6M+\n5W608hCw8nwuucMbXQ41kNeuBeevyqN4MHYwDgYDVR0PAQH/BAQDAgEGMBMGA1Ud\nJQQMMAoGCCsGAQUFBwMIMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNLS6gno\n7Om++Qt5zIa+H9o0HiT2MB8GA1UdIwQYMBaAFB1nvXpNK7AuQlbJ+ya6nPSqWi+T\nMAoGCCqGSM49BAMCA0gAMEUCIGiwqCI29w7C4V8TltCsi728s5DtklCPySDASUSu\na5y5AiEA40Ifdlwf7Uj8q8NSD6Z4g/0js0tGNdLSUJ1do/WoN0s=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIBlDCCATqgAwIBAgIUYZx9sS14En7SuHDOJJP4IPopMjUwCgYIKoZIzj0EAwIw\nKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx\nMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAoMQ4wDAYDVQQKEwVsb2NhbDEWMBQG\nA1UEAxMNVGVzdCBUU0EgUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAbB\nB0SU8G75hVIUphChA4nfOwNWP347TjScIdsEPrKVn+/Y1HmmLHJDjSfn+xhEFoEk\n7jqgrqon48i4xbo7xAujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD\nAQH/MB0GA1UdDgQWBBQdZ716TSuwLkJWyfsmupz0qlovkzAKBggqhkjOPQQDAgNI\nADBFAiBe5P56foqmFcZAVpEeAOFZrAlEiq05CCpMNYh5EjLvmAIhAKNF6xIV5uFd\npSTJsAwzjW78CKQm7qol0uPmPPu6mNaw\n-----END CERTIFICATE-----\n`\n\n\trekorPublicKey = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7D2WvgqSzs9jpdJsOJ5Nl6xg8JXm\nNmo7M3bN7+dQddw9Ibc2R3SV8tzBZw0rST8FKcn4apJepcKM4qUpYUeNfw==\n-----END PUBLIC KEY-----\n`\n\t// This is the Rekor LogID constructed from above public key.\n\trekorLogID = \"0bac0fddd0c15fbc46f8b1bf51c2b57676a9f262294fe13417d85602e73f392a\"\n\n\tctfePublicKey = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJvCJi707fv5tMJ1U2TVMZ+uO4dKG\naEcvjlCkgBCKXbrkumZV0m0dSlK1V1gxEiyQ8y6hk1MxJNe2AZrZUt7a4w==\n-----END PUBLIC KEY-----\n`\n\t// This is the LogID for above PublicKey\n\tctfeLogID = \"39d1c085f7d5f3fe7a0de9e52a3ead14186891e52a9269d90de7990a30b55083\"\n)\n\nfunc TestValidatePodSpec(t *testing.T) {\n\ttag := name.MustParseReference(\"gcr.io/distroless/static:nonroot\")\n\t// Resolved via crane digest on 2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\t// Resolved via crane digest on 2022/09/29\n\tdigestNewer := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e\")\n\n\tctx, _ := rtesting.SetupFakeContext(t)\n\n\t// Non-existent URL for testing complete failure\n\tbadURL := apis.HTTP(\"http://example.com/\")\n\n\tfulcioURL, err := 
apis.ParseURL(\"https://fulcio.sigstore.dev\")\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse fake Fulcio URL\")\n\t}\n\n\trekorServer := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {\n\t\trw.Write([]byte(rekorResponse))\n\t}))\n\tt.Cleanup(rekorServer.Close)\n\trekorURL, err := apis.ParseURL(rekorServer.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse fake Rekor URL\")\n\t}\n\n\tvar authorityKeyCosignPub *ecdsa.PublicKey\n\n\tpems := parsePems([]byte(authorityKeyCosignPubString))\n\tif len(pems) > 0 {\n\t\tkey, _ := x509.ParsePKIXPublicKey(pems[0].Bytes)\n\t\tauthorityKeyCosignPub = key.(*ecdsa.PublicKey)\n\t} else {\n\t\tt.Errorf(\"Error parsing authority key from string\")\n\t}\n\n\tkc := fakekube.Get(ctx)\n\t// Setup service acc and fakeSignaturePullSecrets for \"default\" and \"cosign-system\" namespace\n\tfor _, ns := range []string{\"default\", system.Namespace()} {\n\t\tkc.CoreV1().ServiceAccounts(ns).Create(ctx, &corev1.ServiceAccount{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"default\",\n\t\t\t},\n\t\t}, metav1.CreateOptions{})\n\n\t\tkc.CoreV1().Secrets(ns).Create(ctx, &corev1.Secret{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"fakeSignaturePullSecrets\",\n\t\t\t},\n\t\t\tData: map[string][]byte{\n\t\t\t\t\"dockerconfigjson\": []byte(`{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"username\",\"password\":\"password\",\"auth\":\"dXNlcm5hbWU6cGFzc3dvcmQ=\"}}`),\n\t\t\t},\n\t\t}, metav1.CreateOptions{})\n\t}\n\n\tv := NewValidator(ctx)\n\n\tcvs := cosignVerifySignatures\n\tdefer func() {\n\t\tcosignVerifySignatures = cvs\n\t}()\n\t// Let's just say that everything is verified.\n\tpass := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\tsig, err := static.NewSignature(nil, \"\")\n\t\tif err != nil {\n\t\t\treturn nil, false, err\n\t\t}\n\t\treturn []oci.Signature{sig}, true, 
nil\n\t}\n\t// Let's just say that everything is not verified.\n\tfail := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\treturn nil, false, errors.New(\"bad signature\")\n\t}\n\n\t// Let's say it is verified if it is the expected Public Key\n\tauthorityPublicKeyCVS := func(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\tactualPublicKey, _ := co.SigVerifier.PublicKey()\n\t\tactualECDSAPubkey := actualPublicKey.(*ecdsa.PublicKey)\n\n\t\tactualPubKey, err := actualECDSAPubkey.ECDH()\n\t\tif err != nil {\n\t\t\treturn nil, false, errors.New(\"failed to get edch pub key\")\n\t\t}\n\n\t\tauthorityKeyPubKey, err := authorityKeyCosignPub.ECDH()\n\t\tif err != nil {\n\t\t\treturn nil, false, errors.New(\"failed to get edch pub key\")\n\t\t}\n\n\t\tif bytes.Equal(actualPubKey.Bytes(), authorityKeyPubKey.Bytes()) {\n\t\t\treturn pass(ctx, signedImgRef, co)\n\t\t}\n\n\t\treturn fail(ctx, signedImgRef, co)\n\t}\n\n\ttests := []struct {\n\t\tname          string\n\t\tps            *corev1.PodSpec\n\t\twant          *apis.FieldError\n\t\tcvs           func(context.Context, name.Reference, *cosign.CheckOpts) ([]oci.Signature, bool, error)\n\t\tcustomContext context.Context\n\t}{{\n\t\tname: \"simple, no error\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcvs: pass,\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: 
[]v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:              authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t}, {\n\t\tname: \"bad reference\",\n\t\tps: &corev1.PodSpec{\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: \"in@valid\",\n\t\t\t}},\n\t\t},\n\t\twant: &apis.FieldError{\n\t\t\tMessage: `could not parse reference: in@valid`,\n\t\t\tPaths:   []string{\"containers[0].image\"},\n\t\t},\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"not digest\",\n\t\tps: &corev1.PodSpec{\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t},\n\t\twant: &apis.FieldError{\n\t\t\tMessage: `invalid value: gcr.io/distroless/static:nonroot must be an image digest`,\n\t\t\tPaths:   []string{\"containers[0].image\"},\n\t\t},\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"simple, no error, authority key\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: 
\"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:              authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: authorityPublicKeyCVS,\n\t}, {\n\t\tname: \"simple, error, authority keyless, bad fulcio\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: badURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s %s\", digest.String(), `signature keyless validation failed for authority  for gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4: bad 
signature`)\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe2.Details = fe.Details\n\t\t\terrs = errs.Also(fe2)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"simple, error, authority keyless, good fulcio, no rekor\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe2.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe2)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: fail,\n\t}, {\n\t\tname: 
\"simple, authority keyless checks out, good fulcio, bad cip policy\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless-bad-cip\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tPolicy: &webhookcip.AttestationPolicy{\n\t\t\t\t\t\t\t\tName: \"invalid json policy\",\n\t\t\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\t\t\tData: `{\"wontgo`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless-bad-cip\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s failed evaluating cue policy for ClusterImagePolicy: failed to compile the cue policy with error: string literal not terminated\", digest.String())\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless-bad-cip\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe2.Details = fmt.Sprintf(\"%s failed evaluating cue policy for ClusterImagePolicy: failed to compile the cue policy with error: string literal not terminated\", digest.String())\n\t\t\terrs = errs.Also(fe2)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: pass,\n\t}, 
{\n\t\tname: \"simple, no error, authority keyless, good fulcio\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: pass,\n\t}, {\n\t\tname: \"simple, error, authority keyless, good fulcio, bad rekor\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tCTLog: &v1alpha1.TLog{\n\t\t\t\t\t\t\t\t\t\tURL: 
rekorURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe2.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe2)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"simple with 2 containers, error, authority keyless, good fulcio, bad rekor\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}, {\n\t\t\t\tName:  \"user-container-2\",\n\t\t\t\tImage: digestNewer.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tCTLog: &v1alpha1.TLog{\n\t\t\t\t\t\t\t\t\t\tURL: 
rekorURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe2.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe2)\n\t\t\tfe3 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"containers\", 1)\n\t\t\tfe3.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digestNewer.String(), digestNewer.Name())\n\t\t\terrs = errs.Also(fe3)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"simple, no error, authority source signaturePullSecrets, non existing secret\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(ctx,\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:  
            authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tSources: []v1alpha1.Source{{\n\t\t\t\t\t\t\t\t\t\tOCI: \"example.com/alternative/signature\",\n\t\t\t\t\t\t\t\t\t\tSignaturePullSecrets: []corev1.LocalObjectReference{{\n\t\t\t\t\t\t\t\t\t\t\tName: \"non-existing-secret\",\n\t\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: pass,\n\t}, {\n\t\tname: \"simple, no error, authority source signaturePullSecrets, valid secret\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}, {\n\t\t\t\tName:  \"user-container-2\",\n\t\t\t\tImage: digestNewer.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(ctx,\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:              authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tSources: []v1alpha1.Source{{\n\t\t\t\t\t\t\t\t\t\tOCI: 
\"example.com/alternative/signature\",\n\t\t\t\t\t\t\t\t\t\tSignaturePullSecrets: []corev1.LocalObjectReference{{\n\t\t\t\t\t\t\t\t\t\t\tName: \"fakeSignaturePullSecrets\",\n\t\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: authorityPublicKeyCVS,\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tfor _, mode := range []string{\"\", \"enforce\", \"warn\"} {\n\t\t\t\tcosignVerifySignatures = test.cvs\n\t\t\t\ttestContext := context.Background()\n\t\t\t\t// By default we want errors. However, iff the mode above is\n\t\t\t\t// warn, and we're using a custom context and therefore\n\t\t\t\t// triggering the CIP.mode twiddling below, check for warnings.\n\t\t\t\twantWarn := false\n\t\t\t\tif test.customContext != nil {\n\t\t\t\t\tif mode == \"warn\" {\n\t\t\t\t\t\twantWarn = true\n\t\t\t\t\t}\n\t\t\t\t\t// If we are testing with custom context, loop through\n\t\t\t\t\t// all the modes here. 
It's a bit silly that we spin through\n\t\t\t\t\t// all the tests 3 times, but for now this is better than\n\t\t\t\t\t// duplicating all the CIPs with just different modes.\n\t\t\t\t\ttestContext = test.customContext\n\n\t\t\t\t\t// Twiddle the mode for tests.\n\t\t\t\t\tcfg := config.FromContext(testContext)\n\t\t\t\t\tnewPolicies := make(map[string]webhookcip.ClusterImagePolicy, len(cfg.ImagePolicyConfig.Policies))\n\t\t\t\t\tfor k, v := range cfg.ImagePolicyConfig.Policies {\n\t\t\t\t\t\tv.Mode = mode\n\t\t\t\t\t\tnewPolicies[k] = v\n\t\t\t\t\t}\n\t\t\t\t\tcfg.ImagePolicyConfig.Policies = newPolicies\n\t\t\t\t\tconfig.ToContext(testContext, cfg)\n\t\t\t\t}\n\n\t\t\t\ttestContext = context.WithValue(testContext, kubeclient.Key{}, kc)\n\n\t\t\t\t// Check the core mechanics\n\t\t\t\tgot := v.validatePodSpec(testContext, system.Namespace(), \"Pod\", \"v1\", map[string]string{}, test.ps, k8schain.Options{})\n\t\t\t\tif (got != nil) != (test.want != nil) {\n\t\t\t\t\tt.Errorf(\"validatePodSpec() = %v, wanted %v\", got, test.want)\n\t\t\t\t} else if got != nil && got.Error() != test.want.Error() {\n\t\t\t\t\tt.Errorf(\"validatePodSpec() = %v, wanted %v\", got, test.want)\n\t\t\t\t}\n\n\t\t\t\tif test.want != nil {\n\t\t\t\t\tif wantWarn {\n\t\t\t\t\t\ttest.want.Level = apis.WarningLevel\n\t\t\t\t\t} else {\n\t\t\t\t\t\ttest.want.Level = apis.ErrorLevel\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// Check wrapped in a Pod\n\t\t\t\tpod := &duckv1.Pod{\n\t\t\t\t\tSpec: *test.ps,\n\t\t\t\t}\n\t\t\t\tgot = v.ValidatePod(testContext, pod)\n\t\t\t\twant := test.want.ViaField(\"spec\")\n\t\t\t\tif (got != nil) != (want != nil) {\n\t\t\t\t\tt.Errorf(\"ValidatePod() = %v, wanted %v\", got, want)\n\t\t\t\t} else if got != nil && got.Error() != want.Error() {\n\t\t\t\t\tt.Errorf(\"ValidatePod() = %v, wanted %v\", got, want)\n\t\t\t\t}\n\t\t\t\t// Check the warning/error level.\n\t\t\t\tif got != nil && test.want != nil {\n\t\t\t\t\tif got.Level != want.Level 
{\n\t\t\t\t\t\tt.Errorf(\"ValidatePod() Wrong Level = %v, wanted %v\", got.Level, want.Level)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// Check that we don't block things being deleted.\n\t\t\t\tif got := v.ValidatePod(apis.WithinDelete(testContext), pod); got != nil {\n\t\t\t\t\tt.Errorf(\"ValidatePod() = %v, wanted nil\", got)\n\t\t\t\t}\n\n\t\t\t\t// Check wrapped in a WithPod\n\t\t\t\twithPod := &duckv1.WithPod{\n\t\t\t\t\tSpec: duckv1.WithPodSpec{\n\t\t\t\t\t\tTemplate: duckv1.PodSpecable{\n\t\t\t\t\t\t\tSpec: *test.ps,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\tgot = v.ValidatePodSpecable(testContext, withPod)\n\t\t\t\twant = test.want.ViaField(\"spec.template.spec\")\n\t\t\t\tif (got != nil) != (want != nil) {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted %v\", got, want)\n\t\t\t\t} else if got != nil && got.Error() != want.Error() {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted %v\", got, want)\n\t\t\t\t}\n\t\t\t\t// Check the warning/error level.\n\t\t\t\tif got != nil && test.want != nil {\n\t\t\t\t\tif got.Level != want.Level {\n\t\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() Wrong Level = %v, wanted %v\", got.Level, want.Level)\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Check that we don't block things being deleted.\n\t\t\t\tif got := v.ValidatePodSpecable(apis.WithinDelete(testContext), withPod); got != nil {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted nil\", got)\n\t\t\t\t}\n\n\t\t\t\t// Check wrapped in a podScalable\n\t\t\t\tpodScalable := &policyduckv1beta1.PodScalable{\n\t\t\t\t\tSpec: policyduckv1beta1.PodScalableSpec{\n\t\t\t\t\t\tReplicas: ptr.Int32(3),\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: *test.ps,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\tgot = v.ValidatePodScalable(testContext, podScalable)\n\t\t\t\twant = test.want.ViaField(\"spec.template.spec\")\n\t\t\t\tif (got != nil) != (want != nil) {\n\t\t\t\t\tt.Errorf(\"ValidatePodScalable() = %v, wanted %v\", got, want)\n\t\t\t\t} 
else if got != nil && got.Error() != want.Error() {\n\t\t\t\t\tt.Errorf(\"ValidatePodScalable() = %v, wanted %v\", got, want)\n\t\t\t\t}\n\t\t\t\t// Check the warning/error level.\n\t\t\t\tif got != nil && test.want != nil {\n\t\t\t\t\tif got.Level != want.Level {\n\t\t\t\t\t\tt.Errorf(\"ValidatePodScalable() Wrong Level = %v, wanted %v\", got.Level, want.Level)\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Check that we don't block things being deleted.\n\t\t\t\tif got := v.ValidatePodScalable(apis.WithinDelete(testContext), podScalable); got != nil {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted nil\", got)\n\t\t\t\t}\n\n\t\t\t\t// Check that we don't block things being scaled down.\n\t\t\t\toriginal := podScalable.DeepCopy()\n\t\t\t\toriginal.Spec.Replicas = ptr.Int32(4)\n\t\t\t\tif got := v.ValidatePodScalable(apis.WithinUpdate(testContext, original), podScalable); got != nil {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() scaling down = %v, wanted nil\", got)\n\t\t\t\t}\n\n\t\t\t\t// Check that we fail as expected if being scaled up.\n\t\t\t\toriginal.Spec.Replicas = ptr.Int32(2)\n\t\t\t\tgot = v.ValidatePodScalable(apis.WithinUpdate(testContext, original), podScalable)\n\t\t\t\twant = test.want.ViaField(\"spec.template.spec\")\n\t\t\t\tif (got != nil) != (want != nil) {\n\t\t\t\t\tt.Errorf(\"ValidatePodScalable() scaling up = %v, wanted %v\", got, want)\n\t\t\t\t} else if got != nil && got.Error() != want.Error() {\n\t\t\t\t\tt.Errorf(\"ValidatePodScalable() scaling up = %v, wanted %v\", got, want)\n\t\t\t\t}\n\t\t\t\t// Check the warning/error level.\n\t\t\t\tif got != nil && test.want != nil {\n\t\t\t\t\tif got.Level != want.Level {\n\t\t\t\t\t\tt.Errorf(\"ValidatePodScalable() scaling up Wrong Level = %v, wanted %v\", got.Level, want.Level)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestValidateCronJob(t *testing.T) {\n\ttag := name.MustParseReference(\"gcr.io/distroless/static:nonroot\")\n\t// Resolved via crane digest on 
2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\tctx, _ := rtesting.SetupFakeContext(t)\n\n\tkc := fakekube.Get(ctx)\n\tkc.CoreV1().ServiceAccounts(\"default\").Create(ctx, &corev1.ServiceAccount{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tName: \"default\",\n\t\t},\n\t}, metav1.CreateOptions{})\n\n\tv := NewValidator(ctx)\n\n\tcvs := cosignVerifySignatures\n\tdefer func() {\n\t\tcosignVerifySignatures = cvs\n\t}()\n\t// Let's just say that everything is verified.\n\t/*pass := func(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\tsig, err := static.NewSignature(nil, \"\")\n\t\tif err != nil {\n\t\t\treturn nil, false, err\n\t\t}\n\t\treturn []oci.Signature{sig}, true, nil\n\t}*/\n\t// Let's just say that everything is not verified.\n\tfail := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\treturn nil, false, errors.New(\"bad signature\")\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tc    *duckv1.CronJob\n\t\twant *apis.FieldError\n\t\tcvs  func(context.Context, name.Reference, *cosign.CheckOpts) ([]oci.Signature, bool, error)\n\t}{{\n\t\tname: \"k8schain ignore (bad service account)\",\n\t\tc: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tServiceAccountName: \"not-found\",\n\t\t\t\t\t\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\t\t\t\t\t\tImage: digest.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: 
digest.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"k8schain ignore (bad pull secret)\",\n\t\tc: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tImagePullSecrets: []corev1.LocalObjectReference{{\n\t\t\t\t\t\t\t\t\tName: \"not-found\",\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\t\t\t\t\t\tImage: digest.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: digest.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"bad reference\",\n\t\tc: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: \"in@valid\",\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twant: &apis.FieldError{\n\t\t\tMessage: `could not parse reference: in@valid`,\n\t\t\tPaths:   []string{\"spec.jobTemplate.spec.template.spec.containers[0].image\"},\n\t\t},\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"not digest\",\n\t\tc: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: 
tag.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twant: &apis.FieldError{\n\t\t\tMessage: `invalid value: gcr.io/distroless/static:nonroot must be an image digest`,\n\t\t\tPaths:   []string{\"spec.jobTemplate.spec.template.spec.containers[0].image\"},\n\t\t},\n\t\tcvs: fail,\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tcosignVerifySignatures = test.cvs\n\n\t\t\ttestContext := context.WithValue(context.Background(), kubeclient.Key{}, kc)\n\n\t\t\t// Check the core mechanics\n\t\t\tgot := v.ValidateCronJob(testContext, test.c)\n\t\t\tif (got != nil) != (test.want != nil) {\n\t\t\t\tt.Errorf(\"validateCronJob() = %v, wanted %v\", got, test.want)\n\t\t\t} else if got != nil && got.Error() != test.want.Error() {\n\t\t\t\tt.Errorf(\"validateCronJob() = %v, wanted %v\", got, test.want)\n\t\t\t}\n\t\t\t// Check that we don't block things being deleted.\n\t\t\tcronJob := test.c.DeepCopy()\n\t\t\tif got := v.ValidateCronJob(apis.WithinDelete(testContext), cronJob); got != nil {\n\t\t\t\tt.Errorf(\"ValidateCronJob() = %v, wanted nil\", got)\n\t\t\t}\n\t\t\t// Check that we don't block things already deleted.\n\t\t\tcronJob = test.c.DeepCopy()\n\t\t\tcronJob.DeletionTimestamp = &metav1.Time{Time: time.Now()}\n\t\t\tif got := v.ValidateCronJob(context.Background(), cronJob); got != nil {\n\t\t\t\tt.Errorf(\"ValidateCronJob() = %v, wanted nil\", got)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestResolvePodSpec(t *testing.T) {\n\ttag := name.MustParseReference(\"gcr.io/distroless/static:nonroot\")\n\t// Resolved via crane digest on 2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\tdigestWithoutTag := name.MustParseReference(\"gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\tctx, _ := 
rtesting.SetupFakeContext(t)\n\n\tkc := fakekube.Get(ctx)\n\tkc.CoreV1().ServiceAccounts(\"default\").Create(ctx, &corev1.ServiceAccount{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tName: \"default\",\n\t\t},\n\t}, metav1.CreateOptions{})\n\n\tv := NewValidator(ctx)\n\n\trrd := remoteResolveDigest\n\tdefer func() {\n\t\tremoteResolveDigest = rrd\n\t}()\n\tresolve := func(_ name.Reference, _ ...remote.Option) (name.Digest, error) {\n\t\treturn tag.Context().Digest(digestWithoutTag.Identifier()), nil\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tps   *corev1.PodSpec\n\t\twant *corev1.PodSpec\n\t\twc   func(context.Context) context.Context\n\t\trrd  func(name.Reference, ...remote.Option) (name.Digest, error)\n\t}{{\n\t\tname: \"nothing changed (not the right update)\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t},\n\t\twant: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t},\n\t\trrd: resolve,\n\t}, {\n\t\tname: \"nothing changed (bad reference)\",\n\t\tps: &corev1.PodSpec{\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: \"in@valid\",\n\t\t\t}},\n\t\t},\n\t\twant: &corev1.PodSpec{\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: \"in@valid\",\n\t\t\t}},\n\t\t},\n\t\twc:  apis.WithinCreate,\n\t\trrd: resolve,\n\t}, {\n\t\tname: \"nothing changed (unable to resolve)\",\n\t\tps: &corev1.PodSpec{\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t},\n\t\twant: 
&corev1.PodSpec{\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t},\n\t\twc: apis.WithinCreate,\n\t\trrd: func(_ name.Reference, _ ...remote.Option) (name.Digest, error) {\n\t\t\treturn name.Digest{}, errors.New(\"boom\")\n\t\t},\n\t}, {\n\t\tname: \"digests resolve (in create)\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t},\n\t\twant: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\twc:  apis.WithinCreate,\n\t\trrd: resolve,\n\t}, {\n\t\tname: \"digests without tag resolve (in create)\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digestWithoutTag.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digestWithoutTag.String(),\n\t\t\t}},\n\t\t},\n\t\twant: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digestWithoutTag.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digestWithoutTag.String(),\n\t\t\t}},\n\t\t},\n\t\twc:  apis.WithinCreate,\n\t\trrd: resolve,\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tremoteResolveDigest = test.rrd\n\t\t\tctx := context.Background()\n\t\t\tif test.wc != nil {\n\t\t\t\tctx = test.wc(context.Background())\n\t\t\t}\n\n\t\t\tctx = context.WithValue(ctx, kubeclient.Key{}, kc)\n\n\t\t\t// Check the core mechanics.\n\t\t\tgot 
:= test.ps.DeepCopy()\n\t\t\tv.resolvePodSpec(ctx, got, k8schain.Options{})\n\t\t\tif !cmp.Equal(got, test.want) {\n\t\t\t\tt.Errorf(\"resolvePodSpec = %s\", cmp.Diff(got, test.want))\n\t\t\t}\n\n\t\t\tvar want runtime.Object\n\n\t\t\t// Check wrapped in a Pod\n\t\t\tpod := &duckv1.Pod{Spec: *test.ps.DeepCopy()}\n\t\t\twant = &duckv1.Pod{Spec: *test.want.DeepCopy()}\n\t\t\tv.ResolvePod(ctx, pod)\n\t\t\tif !cmp.Equal(pod, want) {\n\t\t\t\tt.Errorf(\"ResolvePod = %s\", cmp.Diff(pod, want))\n\t\t\t}\n\n\t\t\t// Check that nothing happens when it's being deleted.\n\t\t\tpod = &duckv1.Pod{Spec: *test.ps.DeepCopy()}\n\t\t\twant = pod.DeepCopy()\n\t\t\tv.ResolvePod(apis.WithinDelete(ctx), pod)\n\t\t\tif !cmp.Equal(pod, want) {\n\t\t\t\tt.Errorf(\"ResolvePod = %s\", cmp.Diff(pod, want))\n\t\t\t}\n\n\t\t\t// Check that nothing happens when it's already deleted.\n\t\t\tpod = &duckv1.Pod{Spec: *test.ps.DeepCopy()}\n\t\t\tpod.DeletionTimestamp = &metav1.Time{Time: time.Now()}\n\t\t\twant = pod.DeepCopy()\n\t\t\tv.ResolvePod(ctx, pod)\n\t\t\tif !cmp.Equal(pod, want) {\n\t\t\t\tt.Errorf(\"ResolvePod = %s\", cmp.Diff(pod, want))\n\t\t\t}\n\n\t\t\t// Check wrapped in a WithPod\n\t\t\twithPod := &duckv1.WithPod{\n\t\t\t\tSpec: duckv1.WithPodSpec{\n\t\t\t\t\tTemplate: duckv1.PodSpecable{\n\t\t\t\t\t\tSpec: *test.ps.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\twant = &duckv1.WithPod{\n\t\t\t\tSpec: duckv1.WithPodSpec{\n\t\t\t\t\tTemplate: duckv1.PodSpecable{\n\t\t\t\t\t\tSpec: *test.want.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\tv.ResolvePodSpecable(ctx, withPod)\n\t\t\tif !cmp.Equal(withPod, want) {\n\t\t\t\tt.Errorf(\"ResolvePodSpecable = %s\", cmp.Diff(withPod, want))\n\t\t\t}\n\n\t\t\t// Check that nothing happens when it's being deleted.\n\t\t\twithPod = &duckv1.WithPod{\n\t\t\t\tSpec: duckv1.WithPodSpec{\n\t\t\t\t\tTemplate: duckv1.PodSpecable{\n\t\t\t\t\t\tSpec: *test.ps.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\twant = 
withPod.DeepCopy()\n\t\t\tv.ResolvePodSpecable(apis.WithinDelete(ctx), withPod)\n\t\t\tif !cmp.Equal(withPod, want) {\n\t\t\t\tt.Errorf(\"ResolvePodSpecable = %s\", cmp.Diff(withPod, want))\n\t\t\t}\n\n\t\t\t// Check that nothing happens when it's already deleted.\n\t\t\twithPod = &duckv1.WithPod{\n\t\t\t\tSpec: duckv1.WithPodSpec{\n\t\t\t\t\tTemplate: duckv1.PodSpecable{\n\t\t\t\t\t\tSpec: *test.ps.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\twithPod.DeletionTimestamp = &metav1.Time{Time: time.Now()}\n\t\t\twant = withPod.DeepCopy()\n\t\t\tv.ResolvePodSpecable(ctx, withPod)\n\t\t\tif !cmp.Equal(withPod, want) {\n\t\t\t\tt.Errorf(\"ResolvePodSpecable = %s\", cmp.Diff(withPod, want))\n\t\t\t}\n\n\t\t\t// Check wrapped in a PodScalable\n\t\t\tpodScalable := &policyduckv1beta1.PodScalable{\n\t\t\t\tSpec: policyduckv1beta1.PodScalableSpec{\n\t\t\t\t\tReplicas: ptr.Int32(3),\n\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\tSpec: *test.ps.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\twant = &policyduckv1beta1.PodScalable{\n\t\t\t\tSpec: policyduckv1beta1.PodScalableSpec{\n\t\t\t\t\tReplicas: ptr.Int32(3),\n\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\tSpec: *test.want.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\tv.ResolvePodScalable(ctx, podScalable)\n\t\t\tif !cmp.Equal(podScalable, want) {\n\t\t\t\tt.Errorf(\"ResolvePodSpecable = %s\", cmp.Diff(podScalable, want))\n\t\t\t}\n\n\t\t\t// Check that nothing happens when it's being deleted.\n\t\t\tpodScalable = &policyduckv1beta1.PodScalable{\n\t\t\t\tSpec: policyduckv1beta1.PodScalableSpec{\n\t\t\t\t\tReplicas: ptr.Int32(2),\n\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\tSpec: *test.ps.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\twant = podScalable.DeepCopy()\n\t\t\tv.ResolvePodScalable(apis.WithinDelete(ctx), podScalable)\n\t\t\tif !cmp.Equal(podScalable, want) {\n\t\t\t\tt.Errorf(\"ResolvePodSpecable = %s\", cmp.Diff(podScalable, 
want))\n\t\t\t}\n\n\t\t\t// Check that nothing happens when it's already deleted.\n\t\t\tpodScalable = &policyduckv1beta1.PodScalable{\n\t\t\t\tSpec: policyduckv1beta1.PodScalableSpec{\n\t\t\t\t\tReplicas: ptr.Int32(2),\n\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\tSpec: *test.ps.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\tpodScalable.DeletionTimestamp = &metav1.Time{Time: time.Now()}\n\t\t\twant = podScalable.DeepCopy()\n\t\t\tv.ResolvePodScalable(ctx, podScalable)\n\t\t\tif !cmp.Equal(podScalable, want) {\n\t\t\t\tt.Errorf(\"ResolvePodSpecable = %s\", cmp.Diff(podScalable, want))\n\t\t\t}\n\n\t\t\t// Check that nothing happens when it's being scaled down.\n\t\t\tpodScalable = &policyduckv1beta1.PodScalable{\n\t\t\t\tSpec: policyduckv1beta1.PodScalableSpec{\n\t\t\t\t\tReplicas: ptr.Int32(2),\n\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\tSpec: *test.ps.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\twant = podScalable.DeepCopy()\n\t\t\toriginal := &policyduckv1beta1.PodScalable{\n\t\t\t\tSpec: policyduckv1beta1.PodScalableSpec{\n\t\t\t\t\tReplicas: ptr.Int32(3),\n\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\tSpec: *test.ps.DeepCopy(),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\n\t\t\tv.ResolvePodScalable(apis.WithinUpdate(ctx, original), podScalable)\n\t\t\tif !cmp.Equal(podScalable, want) {\n\t\t\t\tt.Errorf(\"ResolvePodSpecable = %s\", cmp.Diff(podScalable, want))\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestResolveCronJob(t *testing.T) {\n\ttag := name.MustParseReference(\"gcr.io/distroless/static:nonroot\")\n\t// Resolved via crane digest on 2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\tctx, _ := rtesting.SetupFakeContext(t)\n\n\tkc := fakekube.Get(ctx)\n\tkc.CoreV1().ServiceAccounts(\"default\").Create(ctx, &corev1.ServiceAccount{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tName: \"default\",\n\t\t},\n\t}, 
metav1.CreateOptions{})\n\n\tv := NewValidator(ctx)\n\n\trrd := remoteResolveDigest\n\tdefer func() {\n\t\tremoteResolveDigest = rrd\n\t}()\n\tresolve := func(_ name.Reference, _ ...remote.Option) (name.Digest, error) {\n\t\treturn digest.(name.Digest), nil\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tc    *duckv1.CronJob\n\t\twant *duckv1.CronJob\n\t\twc   func(context.Context) context.Context\n\t\trrd  func(name.Reference, ...remote.Option) (name.Digest, error)\n\t}{{\n\t\tname: \"nothing changed (not the right update)\",\n\t\tc: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\t\t\t\t\t\tImage: tag.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: tag.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twant: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\t\t\t\t\t\tImage: tag.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: tag.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\trrd: resolve,\n\t}, {\n\t\tname: \"nothing changed (bad reference)\",\n\t\tc: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: 
batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: \"in@valid\",\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twant: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: \"in@valid\",\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twc:  apis.WithinCreate,\n\t\trrd: resolve,\n\t}, {\n\t\tname: \"nothing changed (unable to resolve)\",\n\t\tc: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: \"in@valid\",\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twant: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: \"in@valid\",\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twc: apis.WithinCreate,\n\t\trrd: func(_ name.Reference, _ ...remote.Option) (name.Digest, error) {\n\t\t\treturn name.Digest{}, errors.New(\"boom\")\n\t\t},\n\t}, 
{\n\t\tname: \"digests resolve (in create)\",\n\t\tc: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\t\t\t\t\t\tImage: tag.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: tag.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twant: &duckv1.CronJob{\n\t\t\tSpec: batchv1.CronJobSpec{\n\t\t\t\tJobTemplate: batchv1.JobTemplateSpec{\n\t\t\t\t\tSpec: batchv1.JobSpec{\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: corev1.PodSpec{\n\t\t\t\t\t\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\t\t\t\t\t\tImage: digest.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\tContainers: []corev1.Container{{\n\t\t\t\t\t\t\t\t\tName:  \"user-container\",\n\t\t\t\t\t\t\t\t\tImage: digest.String(),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\twc:  apis.WithinCreate,\n\t\trrd: resolve,\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tremoteResolveDigest = test.rrd\n\t\t\tctx := context.Background()\n\t\t\tif test.wc != nil {\n\t\t\t\tctx = test.wc(context.Background())\n\t\t\t}\n\n\t\t\tctx = context.WithValue(ctx, kubeclient.Key{}, kc)\n\n\t\t\tvar want runtime.Object\n\n\t\t\tcronJob := test.c.DeepCopy()\n\t\t\twant = test.want.DeepCopy()\n\t\t\tv.ResolveCronJob(ctx, cronJob)\n\t\t\tif !cmp.Equal(cronJob, want) {\n\t\t\t\tt.Errorf(\"ResolveCronJob = %s\", cmp.Diff(cronJob, want))\n\t\t\t}\n\n\t\t\t// Check that nothing happens when it's being deleted.\n\t\t\tcronJob = 
test.c.DeepCopy()\n\t\t\twant = cronJob.DeepCopy()\n\t\t\tv.ResolveCronJob(apis.WithinDelete(ctx), cronJob)\n\t\t\tif !cmp.Equal(cronJob, want) {\n\t\t\t\tt.Errorf(\"ResolveCronJob = %s\", cmp.Diff(cronJob, want))\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestValidatePolicy(t *testing.T) {\n\t// Resolved via crane digest on 2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\t// Non-existent URL for testing complete failure\n\tbadURL := apis.HTTP(\"http://example.com/\")\n\tt.Logf(\"badURL: %s\", badURL.String())\n\n\t// Spin up a fake Fulcio server that responds with a root cert\n\tfulcioServer := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {\n\t\trw.Write([]byte(fulcioRootCert))\n\t}))\n\tt.Cleanup(fulcioServer.Close)\n\n\tfulcioURL, err := apis.ParseURL(\"https://fulcio.sigstore.dev\")\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse fake Fulcio URL\")\n\t}\n\n\trekorServer := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {\n\t\trw.Write([]byte(rekorResponse))\n\t}))\n\tt.Cleanup(rekorServer.Close)\n\trekorURL, err := apis.ParseURL(rekorServer.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse fake Rekor URL\")\n\t}\n\tt.Logf(\"rekorURL: %s\", rekorURL.String())\n\tvar authorityKeyCosignPub *ecdsa.PublicKey\n\n\tpems := parsePems([]byte(authorityKeyCosignPubString))\n\tif len(pems) > 0 {\n\t\tkey, _ := x509.ParsePKIXPublicKey(pems[0].Bytes)\n\t\tauthorityKeyCosignPub = key.(*ecdsa.PublicKey)\n\t} else {\n\t\tt.Errorf(\"Error parsing authority key from string\")\n\t}\n\n\tcvs := cosignVerifySignatures\n\tdefer func() {\n\t\tcosignVerifySignatures = cvs\n\t}()\n\t// Test stub: report every signature as verified without performing any real check.\n\tpass := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\tsig, err := static.NewSignature(nil, 
\"\")\n\t\tif err != nil {\n\t\t\treturn nil, false, err\n\t\t}\n\t\treturn []oci.Signature{sig}, true, nil\n\t}\n\t// Let's just say that everything is verified.\n\tpassKeyless := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts, _ ...name.Option) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\t// This is from 2022/07/29\n\t\t// ghcr.io/distroless/static@sha256:a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8\n\t\tpayload := []byte(`{\"payloadType\":\"application/vnd.in-toto+json\",\"payload\":\"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2Nvc2lnbi5zaWdzdG9yZS5kZXYvYXR0ZXN0YXRpb24vdnVsbi92MSIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL2Rpc3Ryb2xlc3Mvc3RhdGljIiwiZGlnZXN0Ijp7InNoYTI1NiI6ImExZTgyZjZhNWY2ZGZjNzM1MTY1ZDM0NDJlN2NjNWE2MTVmNzJhYmFjM2RiMTk0NTI0ODFmNWYzYzkwZmJmYTgifX1dLCJwcmVkaWNhdGUiOnsiaW52b2NhdGlvbiI6eyJwYXJhbWV0ZXJzIjpudWxsLCJ1cmkiOiJodHRwczovL2dpdGh1Yi5jb20vZGlzdHJvbGVzcy9zdGF0aWMvYWN0aW9ucy9ydW5zLzI3NTc5NTMxMzkiLCJldmVudF9pZCI6IjI3NTc5NTMxMzkiLCJidWlsZGVyLmlkIjoiQ3JlYXRlIFJlbGVhc2UifSwic2Nhbm5lciI6eyJ1cmkiOiJodHRwczovL2dpdGh1Yi5jb20vYXF1YXNlY3VyaXR5L3RyaXZ5IiwidmVyc2lvbiI6IjAuMjkuMiIsImRiIjp7InVyaSI6IiIsInZlcnNpb24iOiIifSwicmVzdWx0Ijp7IiRzY2hlbWEiOiJodHRwczovL2pzb24uc2NoZW1hc3RvcmUub3JnL3NhcmlmLTIuMS4wLXJ0bS41Lmpzb24iLCJydW5zIjpbeyJjb2x1bW5LaW5kIjoidXRmMTZDb2RlVW5pdHMiLCJvcmlnaW5hbFVyaUJhc2VJZHMiOnsiUk9PVFBBVEgiOnsidXJpIjoiZmlsZTovLy8ifX0sInJlc3VsdHMiOltdLCJ0b29sIjp7ImRyaXZlciI6eyJmdWxsTmFtZSI6IlRyaXZ5IFZ1bG5lcmFiaWxpdHkgU2Nhbm5lciIsImluZm9ybWF0aW9uVXJpIjoiaHR0cHM6Ly9naXRodWIuY29tL2FxdWFzZWN1cml0eS90cml2eSIsIm5hbWUiOiJUcml2eSIsInJ1bGVzIjpbXSwidmVyc2lvbiI6IjAuMjkuMiJ9fX1dLCJ2ZXJzaW9uIjoiMi4xLjAifX0sIm1ldGFkYXRhIjp7InNjYW5TdGFydGVkT24iOiIyMDIyLTA3LTI5VDAyOjI4OjQyWiIsInNjYW5GaW5pc2hlZE9uIjoiMjAyMi0wNy0yOVQwMjoyODo0OFoifX19\",\"signatures\":[{\"keyid\":\"\",\"sig\":\"MEYCIQDeQXMMojIpNvxEDLDXUC5aAwCbPPr/0uckP8TCcdTLjgIhAJG6M00kY40bz/C90W0FeUc2YcWY+txD4BPXhzd8E
+tP\"}]}`)\n\t\tset, err := base64.StdEncoding.DecodeString(\"MEQCIDBYWwwDW+nH+1vFoTOqHS4jAtVm4Yezq2nAy7vjcV8zAiBkznmgMrz9em4NuB/hl5X/umubhLgwoXgUAY2NJJwu5A==\")\n\t\tif err != nil {\n\t\t\treturn nil, false, err\n\t\t}\n\t\tsig, err := static.NewSignature(payload, \"\", static.WithCertChain(\n\t\t\t[]byte(\"-----BEGIN CERTIFICATE-----\\nMIIDnDCCAyOgAwIBAgIUVGZ4TQgYi4VCLLFghYMU/taKrD8wCgYIKoZIzj0EAwMw\\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\\ncm1lZGlhdGUwHhcNMjIwNzI5MDIyODQ4WhcNMjIwNzI5MDIzODQ4WjAAMFkwEwYH\\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEhiVvK5Tqk1+HnXSstf/8byA1RDpZu+Jvn9X6\\nZoaCL/IjSJ7fBakvKAQ0BlzFg/JEtDreg/TFNiX2wnlMBlMV16OCAkIwggI+MA4G\\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUiMn3\\nza+9v+99n385GpkXzZxZiBIwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\\nZD8wYQYDVR0RAQH/BFcwVYZTaHR0cHM6Ly9naXRodWIuY29tL2Rpc3Ryb2xlc3Mv\\nc3RhdGljLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueWFtbEByZWZzL2hlYWRz\\nL21haW4wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1\\nYnVzZXJjb250ZW50LmNvbTAWBgorBgEEAYO/MAECBAhzY2hlZHVsZTA2BgorBgEE\\nAYO/MAEDBCg3ZTc1NzJlNTc4ZGU3YzUxYTJmMWExNzkxZjAyNWNmMzE1NTAzYWEy\\nMBwGCisGAQQBg78wAQQEDkNyZWF0ZSBSZWxlYXNlMB8GCisGAQQBg78wAQUEEWRp\\nc3Ryb2xlc3Mvc3RhdGljMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjCB\\nigYKKwYBBAHWeQIEAgR8BHoAeAB2AAhgkvAoUv9oRdHRayeEnEVnGKwWPcM40m3m\\nvCIGNm9yAAABgkfI9c8AAAQDAEcwRQIgPm4AoftGQF2abbFxMLvtzTjXy+sxwxTp\\nCh5ZsoesBDMCIQCNlwmLpuu1KiqjY74l5527AffSd4kOapDMfpHAlMrpCTAKBggq\\nhkjOPQQDAwNnADBkAjAe7jfVc1OJNhbaZF8BJRJ9nQOAcY6kwFYMav1XfQsJPE0x\\naYpNg/oXVA5UrFcSBLkCMFa4124w3qUzrXSTGq99nlALKQ8HFR8ri17wM5/ZiWxi\\nrtABq5eub32TXpAnfqGSmw==\\n-----END CERTIFICATE-----\\n\"),\n\t\t\t[]byte(\"-----BEGIN 
CERTIFICATE-----\\nMIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw\\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\\nMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C\\nAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7\\n7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS\\n0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB\\nBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp\\nKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI\\nzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR\\nnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP\\nmygUY7Ii2zbdCdliiow=\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\\n-----END CERTIFICATE-----\"),\n\t\t), static.WithBundle(&bundle.RekorBundle{\n\t\t\tSignedEntryTimestamp: set,\n\t\t\tPayload: bundle.RekorPayload{\n\t\t\t\tBody:           
\"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIyYjY1Y2JmMGU3OTAxYmEzMWQ1NWIxMmQzMTliY2EzOTQyMGFmNDM4OGQzZTU3MTRkMTZmMjAxOWQ3NGUzYWI3In0sInBheWxvYWRIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiYzFiNWYwZjRiOGVjZDU1ZWRhMjUwY2Q4NDk2NGQwYzFmYjVkN2E4YTM0OGY0YjdmZmI3ZGFhMmUwNmM0ODM3MyJ9fSwicHVibGljS2V5IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUnVSRU5EUVhsUFowRjNTVUpCWjBsVlZrZGFORlJSWjFscE5GWkRURXhHWjJoWlRWVXZkR0ZMY2tRNGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcEpkMDU2U1RWTlJFbDVUMFJSTkZkb1kwNU5ha2wzVG5wSk5VMUVTWHBQUkZFMFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZvYVZaMlN6VlVjV3N4SzBodVdGTnpkR1l2T0dKNVFURlNSSEJhZFN0S2RtNDVXRFlLV205aFEwd3ZTV3BUU2pkbVFtRnJka3RCVVRCQ2JIcEdaeTlLUlhSRWNtVm5MMVJHVG1sWU1uZHViRTFDYkUxV01UWlBRMEZyU1hkblowa3JUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZwVFc0ekNucGhLemwyS3prNWJqTTROVWR3YTFoNlduaGFhVUpKZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFsUldVUldVakJTUVZGSUwwSkdZM2RXV1ZwVVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKU2NHTXpVbmxpTW5oc1l6Tk5kZ3BqTTFKb1pFZHNha3g1Tlc1aFdGSnZaRmRKZG1ReU9YbGhNbHB6WWpOa2Vrd3pTbXhpUjFab1l6SlZkV1ZYUm5SaVJVSjVXbGRhZWt3eWFHeFpWMUo2Q2t3eU1XaGhWelIzVDFGWlMwdDNXVUpDUVVkRWRucEJRa0ZSVVhKaFNGSXdZMGhOTmt4NU9UQmlNblJzWW1rMWFGa3pVbkJpTWpWNlRHMWtjR1JIYURFS1dXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRUZYUW1kdmNrSm5SVVZCV1U4dlRVRkZRMEpCYUhwWk1taHNXa2hXYzFwVVFUSkNaMjl5UW1kRlJRcEJXVTh2VFVGRlJFSkRaek5hVkdNeFRucEtiRTVVWXpSYVIxVXpXWHBWZUZsVVNtMU5WMFY0VG5wcmVGcHFRWGxPVjA1dFRYcEZNVTVVUVhwWlYwVjVDazFDZDBkRGFYTkhRVkZSUW1jM09IZEJVVkZGUkd0T2VWcFhSakJhVTBKVFdsZDRiRmxZVG14TlFqaEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVVlhVbkFLWXpOU2VXSXllR3hqTTAxMll6TlNhR1JIYkdwTlFqQkhRMmx6UjBGUlVVSm5Oem
gzUVZGWlJVUXpTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbXBEUWdwcFoxbExTM2RaUWtKQlNGZGxVVWxGUVdkU09FSkliMEZsUVVJeVFVRm9aMnQyUVc5VmRqbHZVbVJJVW1GNVpVVnVSVlp1UjB0M1YxQmpUVFF3YlROdENuWkRTVWRPYlRsNVFVRkJRbWRyWmtrNVl6aEJRVUZSUkVGRlkzZFNVVWxuVUcwMFFXOW1kRWRSUmpKaFltSkdlRTFNZG5SNlZHcFllU3R6ZUhkNFZIQUtRMmcxV25OdlpYTkNSRTFEU1ZGRFRteDNiVXh3ZFhVeFMybHhhbGszTkd3MU5USTNRV1ptVTJRMGEwOWhjRVJOWm5CSVFXeE5jbkJEVkVGTFFtZG5jUXBvYTJwUFVGRlJSRUYzVG01QlJFSnJRV3BCWlRkcVpsWmpNVTlLVG1oaVlWcEdPRUpLVWtvNWJsRlBRV05aTm10M1JsbE5ZWFl4V0daUmMwcFFSVEI0Q21GWmNFNW5MMjlZVmtFMVZYSkdZMU5DVEd0RFRVWmhOREV5TkhjemNWVjZjbGhUVkVkeE9UbHViRUZNUzFFNFNFWlNPSEpwTVRkM1RUVXZXbWxYZUdrS2NuUkJRbkUxWlhWaU16SlVXSEJCYm1aeFIxTnRkejA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19\",\n\t\t\t\tIntegratedTime: 1659061729,\n\t\t\t\tLogIndex:       3059470,\n\t\t\t\tLogID:          \"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\",\n\t\t\t},\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn nil, false, err\n\t\t}\n\t\treturn []oci.Signature{sig}, true, nil\n\t}\n\t// Let's just say that everything is not verified.\n\tfail := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\treturn nil, false, errors.New(\"bad signature\")\n\t}\n\n\t// Let's say it is verified if it is the expected Public Key\n\tauthorityPublicKeyCVS := func(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\t// Because we use this below and it gets called for both key / keyless\n\t\t// in the keyless case there's no SigVerifier, so fail it.\n\t\tif co.SigVerifier == nil {\n\t\t\treturn nil, false, errors.New(\"Keyless used for key\")\n\t\t}\n\t\tactualPublicKey, _ := co.SigVerifier.PublicKey()\n\t\tactualECDSAPubkey := actualPublicKey.(*ecdsa.PublicKey)\n\n\t\tactualPubKey, err := actualECDSAPubkey.ECDH()\n\t\tif err != nil {\n\t\t\treturn nil, false, errors.New(\"failed to 
get edch pub key\")\n\t\t}\n\n\t\tauthorityKeyPubKey, err := authorityKeyCosignPub.ECDH()\n\t\tif err != nil {\n\t\t\treturn nil, false, errors.New(\"failed to get edch pub key\")\n\t\t}\n\n\t\tif bytes.Equal(actualPubKey.Bytes(), authorityKeyPubKey.Bytes()) {\n\t\t\treturn pass(ctx, signedImgRef, co)\n\t\t}\n\n\t\treturn fail(ctx, signedImgRef, co)\n\t}\n\n\ttests := []struct {\n\t\tname          string\n\t\tpolicy        webhookcip.ClusterImagePolicy\n\t\twant          *PolicyResult\n\t\twantErrs      []string\n\t\tcva           func(context.Context, name.Reference, *cosign.CheckOpts, ...name.Option) ([]oci.Signature, bool, error)\n\t\tcvs           func(context.Context, name.Reference, *cosign.CheckOpts) ([]oci.Signature, bool, error)\n\t\tcustomContext context.Context\n\t}{{\n\t\tname: \"fail with no public key\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tKey:  &webhookcip.KeyRef{},\n\t\t\t}},\n\t\t},\n\t\twantErrs: []string{\"there are no public keys for authority authority-0\"},\n\t}, {\n\t\tname: \"simple, public key, no matches\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t},\n\t\t\t}},\n\t\t},\n\t\twantErrs: []string{\"key validation failed for authority authority-0 for gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4: bad signature\"},\n\t\tcvs:      fail,\n\t}, {\n\t\tname: \"simple, public key, works\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\tPublicKeys:        
[]crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t},\n\t\t\t}},\n\t\t},\n\t\twant: &PolicyResult{\n\t\t\tAuthorityMatches: map[string]AuthorityMatch{\n\t\t\t\t\"authority-0\": {\n\t\t\t\t\tSignatures: []PolicySignature{{\n\t\t\t\t\t\tID: \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\n\t\t\t\t\t\t// TODO(mattmoor): Is there anything we should encode for key-based?\n\t\t\t\t\t}},\n\t\t\t\t}},\n\t\t},\n\t\tcvs: pass,\n\t}, {\n\t\tname: \"simple, public key and keyless, one works, one doesn't\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t},\n\t\t\t}, {\n\t\t\t\tName: \"authority-1\",\n\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\tURL: badURL,\n\t\t\t\t},\n\t\t\t}},\n\t\t},\n\t\twant: &PolicyResult{\n\t\t\tAuthorityMatches: map[string]AuthorityMatch{\n\t\t\t\t\"authority-0\": {\n\t\t\t\t\tSignatures: []PolicySignature{{\n\t\t\t\t\t\tID: \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\n\t\t\t\t\t\t// TODO(mattmoor): Is there anything we should encode for key-based?\n\t\t\t\t\t}},\n\t\t\t\t}},\n\t\t},\n\t\twantErrs: []string{`signature keyless validation failed for authority authority-1 for gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4: Keyless used for key`},\n\t\tcvs:      authorityPublicKeyCVS,\n\t}, {\n\t\tname: \"simple, static set to pass\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tStatic: &webhookcip.StaticRef{\n\t\t\t\t\tAction: 
\"pass\",\n\t\t\t\t},\n\t\t\t}},\n\t\t},\n\t\twant: &PolicyResult{\n\t\t\tAuthorityMatches: map[string]AuthorityMatch{\n\t\t\t\t\"authority-0\": {\n\t\t\t\t\tStatic: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, {\n\t\tname: \"simple, static set to fail\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tStatic: &webhookcip.StaticRef{\n\t\t\t\t\tAction: \"fail\",\n\t\t\t\t},\n\t\t\t}},\n\t\t},\n\t\twantErrs: []string{\"disallowed by static policy\"},\n\t}, {\n\t\tname: \"simple, static set to fail with custom message\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tStatic: &webhookcip.StaticRef{\n\t\t\t\t\tAction:  \"fail\",\n\t\t\t\t\tMessage: \"test custom message here\",\n\t\t\t\t},\n\t\t\t}},\n\t\t},\n\t\twantErrs: []string{\"disallowed by static policy: test custom message here\"},\n\t}, {\n\t\tname: \"simple, public key, no error\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t},\n\t\t\t}},\n\t\t},\n\t\twant: &PolicyResult{\n\t\t\tAuthorityMatches: map[string]AuthorityMatch{\n\t\t\t\t\"authority-0\": {\n\t\t\t\t\tSignatures: []PolicySignature{{\n\t\t\t\t\t\tID: \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\n\t\t\t\t\t\t// TODO(mattmoor): Is there anything we should encode for key-based?\n\t\t\t\t\t}},\n\t\t\t\t}},\n\t\t},\n\t\tcvs: authorityPublicKeyCVS,\n\t}, {\n\t\tname: \"simple, keyless attestation, works\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tKeyless: 
&webhookcip.KeylessRef{\n\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t},\n\t\t\t\tAttestations: []webhookcip.AttestationPolicy{{\n\t\t\t\t\tName:          \"test-att\",\n\t\t\t\t\tPredicateType: \"vuln\",\n\t\t\t\t}},\n\t\t\t},\n\t\t\t},\n\t\t},\n\t\twant: &PolicyResult{\n\t\t\tAuthorityMatches: map[string]AuthorityMatch{\n\t\t\t\t\"authority-0\": {\n\t\t\t\t\tAttestations: map[string][]PolicyAttestation{\n\t\t\t\t\t\t\"test-att\": {{\n\t\t\t\t\t\t\tPolicySignature: PolicySignature{\n\t\t\t\t\t\t\t\tID:      \"00016978d0723c9bc73c599d296ab4052a392e37746509c1f5038494ca4bf34a\",\n\t\t\t\t\t\t\t\tSubject: \"https://github.com/distroless/static/.github/workflows/release.yaml@refs/heads/main\",\n\t\t\t\t\t\t\t\tIssuer:  \"https://token.actions.githubusercontent.com\",\n\t\t\t\t\t\t\t\tGithubExtensions: GithubExtensions{\n\t\t\t\t\t\t\t\t\tWorkflowTrigger: \"schedule\",\n\t\t\t\t\t\t\t\t\tWorkflowSHA:     \"7e7572e578de7c51a2f1a1791f025cf315503aa2\",\n\t\t\t\t\t\t\t\t\tWorkflowName:    \"Create Release\",\n\t\t\t\t\t\t\t\t\tWorkflowRepo:    \"distroless/static\",\n\t\t\t\t\t\t\t\t\tWorkflowRef:     \"refs/heads/main\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tPredicateType: \"vuln\",\n\t\t\t\t\t\t\tDigest:        \"sha256:01bd6aec99ad7c5d045d9aab649fd95b7af2b3b23887d34d7fce8b2e3c38ca0e\",\n\t\t\t\t\t\t\tPayload:       []byte(`{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://cosign.sigstore.dev/attestation/vuln/v1\",\"subject\":[{\"name\":\"ghcr.io/distroless/static\",\"digest\":{\"sha256\":\"a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8\"}}],\"predicate\":{\"invocation\":{\"parameters\":null,\"uri\":\"https://github.com/distroless/static/actions/runs/2757953139\",\"event_id\":\"2757953139\",\"builder.id\":\"Create 
Release\"},\"scanner\":{\"uri\":\"https://github.com/aquasecurity/trivy\",\"version\":\"0.29.2\",\"db\":{\"uri\":\"\",\"version\":\"\"},\"result\":{\"$schema\":\"https://json.schemastore.org/sarif-2.1.0-rtm.5.json\",\"runs\":[{\"columnKind\":\"utf16CodeUnits\",\"originalUriBaseIds\":{\"ROOTPATH\":{\"uri\":\"file:///\"}},\"results\":[],\"tool\":{\"driver\":{\"fullName\":\"Trivy Vulnerability Scanner\",\"informationUri\":\"https://github.com/aquasecurity/trivy\",\"name\":\"Trivy\",\"rules\":[],\"version\":\"0.29.2\"}}}],\"version\":\"2.1.0\"}},\"metadata\":{\"scanStartedOn\":\"2022-07-29T02:28:42Z\",\"scanFinishedOn\":\"2022-07-29T02:28:48Z\"}}}`),\n\t\t\t\t\t\t}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tcva: passKeyless,\n\t}, {\n\t\tname: \"simple, wrong predicate keyless attestation, error\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t},\n\t\t\t\tAttestations: []webhookcip.AttestationPolicy{{\n\t\t\t\t\tName:          \"test-att\",\n\t\t\t\t\tPredicateType: \"custom\", // attestation with predicate type vuln\n\t\t\t\t}},\n\t\t\t},\n\t\t\t},\n\t\t},\n\t\twantErrs: []string{\"no matching attestations with type custom, checked the following predicateTypes: \\\"https://cosign.sigstore.dev/attestation/vuln/v1\\\"\"},\n\t\tcva:      passKeyless,\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tcosignVerifySignatures = test.cvs\n\t\t\tcosignVerifyAttestations = test.cva\n\t\t\ttestContext := context.Background()\n\n\t\t\tif test.customContext != nil {\n\t\t\t\ttestContext = test.customContext\n\t\t\t}\n\t\t\tkc, err := k8schain.NewNoClient(testContext)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"Failed to construct no client k8schain for testing\")\n\t\t\t}\n\t\t\tgot, gotErrs := ValidatePolicy(testContext, system.Namespace(), digest, test.policy, 
kc)\n\t\t\tvalidateErrors(t, test.wantErrs, gotErrs)\n\t\t\tif diff := cmp.Diff(test.want, got); diff != \"\" {\n\t\t\t\tt.Errorf(\"unexpected PolicyResult, %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestValidatePolicyAttestation(t *testing.T) {\n\t// Resolved via crane digest on 2023/08/08\n\tdigestAtt := name.MustParseReference(\"ghcr.io/mattmoor/sbom-attestations/spdx-test@sha256:ba4037061b76ad8f306dd9e442877236015747ec42141caf504dc0df4d10708d\")\n\n\tattPayload := []byte(`{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://spdx.dev/Document\",\"subject\":[{\"name\":\"ghcr.io/chainguard-dev/log4shell-demo/app\",\"digest\":{\"sha256\":\"ba4037061b76ad8f306dd9e442877236015747ec42141caf504dc0df4d10708d\"}}],\"predicate\":{\"Data\":{\"Reviews\":[],\"SPDXID\":\"SPDXRef-SPDXRef-DOCUMENT\",\"annotations\":[],\"creationInfo\":{\"comment\":\"\",\"created\":\"2022-06-08T15:31:05Z\",\"creators\":[\"Tool: spdx-maven-plugin\"],\"licenseListVersion\":\"3.5\"},\"dataLicense\":\"CC0-1.0\",\"documentNamespace\":\"http://spdx.org/spdxpackages/log4shell-1.0-SNAPSHOT\",\"files\":[],\"hasExtractedLicensingInfos\":[],\"name\":\"log4shell\",\"packages\":[{\"Files\":null,\"IsFilesAnalyzedTagPresent\":true,\"IsUnpackaged\":false,\"SPDXID\":\"SPDXRef-4\",\"annotations\":null,\"checksums\":null,\"comment\":\"This package was created for a Maven dependency.  
No SPDX or license information could be found in the Maven POM file.\",\"copyrightText\":\"UNSPECIFIED\",\"downloadLocation\":\"NOASSERTION\",\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"licenseInfoFromFiles\":[\"NOASSERTION\"],\"name\":\"javax.servlet-api\",\"packageVerificationCode\":{\"packageVerificationCodeExcludedFiles\":null,\"packageVerificationCodeValue\":\"\"},\"versionInfo\":\"4.0.1\"},{\"Files\":null,\"IsFilesAnalyzedTagPresent\":true,\"IsUnpackaged\":false,\"SPDXID\":\"SPDXRef-9\",\"annotations\":null,\"checksums\":null,\"comment\":\"This package was created for a Maven dependency.  No SPDX or license information could be found in the Maven POM file.\",\"copyrightText\":\"UNSPECIFIED\",\"downloadLocation\":\"NOASSERTION\",\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"licenseInfoFromFiles\":[\"NOASSERTION\"],\"name\":\"log4j-api\",\"packageVerificationCode\":{\"packageVerificationCodeExcludedFiles\":null,\"packageVerificationCodeValue\":\"\"},\"versionInfo\":\"2.14.1\"},{\"Files\":null,\"IsFilesAnalyzedTagPresent\":true,\"IsUnpackaged\":false,\"SPDXID\":\"SPDXRef-7\",\"annotations\":null,\"checksums\":null,\"comment\":\"This package was created for a Maven dependency.  No SPDX or license information could be found in the Maven POM file.\",\"copyrightText\":\"UNSPECIFIED\",\"downloadLocation\":\"NOASSERTION\",\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"licenseInfoFromFiles\":[\"NOASSERTION\"],\"name\":\"deploy-jar\",\"packageVerificationCode\":{\"packageVerificationCodeExcludedFiles\":null,\"packageVerificationCodeValue\":\"\"},\"versionInfo\":\"1.0\"},{\"Files\":null,\"IsFilesAnalyzedTagPresent\":true,\"IsUnpackaged\":false,\"SPDXID\":\"SPDXRef-6\",\"annotations\":null,\"checksums\":null,\"comment\":\"This package was created for a Maven dependency.  
No SPDX or license information could be found in the Maven POM file.\",\"copyrightText\":\"UNSPECIFIED\",\"downloadLocation\":\"NOASSERTION\",\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"licenseInfoFromFiles\":[\"NOASSERTION\"],\"name\":\"junit-jupiter-engine\",\"packageVerificationCode\":{\"packageVerificationCodeExcludedFiles\":null,\"packageVerificationCodeValue\":\"\"},\"versionInfo\":\"5.7.1\"},{\"Files\":null,\"IsFilesAnalyzedTagPresent\":true,\"IsUnpackaged\":false,\"SPDXID\":\"SPDXRef-8\",\"annotations\":null,\"checksums\":null,\"comment\":\"This package was created for a Maven dependency.  No SPDX or license information could be found in the Maven POM file.\",\"copyrightText\":\"UNSPECIFIED\",\"downloadLocation\":\"NOASSERTION\",\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"licenseInfoFromFiles\":[\"NOASSERTION\"],\"name\":\"log4j-core\",\"packageVerificationCode\":{\"packageVerificationCodeExcludedFiles\":null,\"packageVerificationCodeValue\":\"\"},\"versionInfo\":\"2.14.1\"},{\"Files\":null,\"IsFilesAnalyzedTagPresent\":true,\"IsUnpackaged\":false,\"SPDXID\":\"SPDXRef-5\",\"annotations\":null,\"checksums\":null,\"comment\":\"This package was created for a Maven dependency.  
No SPDX or license information could be found in the Maven POM file.\",\"copyrightText\":\"UNSPECIFIED\",\"downloadLocation\":\"NOASSERTION\",\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"licenseInfoFromFiles\":[\"NOASSERTION\"],\"name\":\"junit-jupiter-api\",\"packageVerificationCode\":{\"packageVerificationCodeExcludedFiles\":null,\"packageVerificationCodeValue\":\"\"},\"versionInfo\":\"5.7.1\"},{\"Files\":[{\"SPDXID\":\"SPDXRef-2\",\"checksums\":[{\"algorithm\":\"SHA1\",\"checksumValue\":\"9e58ba0426bed767f8da4d76afde1ee629d97c41\"}],\"copyrightText\":\"http://spdx.org/rdf/terms#noassertion\",\"fileName\":\"./src/main/java/com/example/log4shell/log4j.java\",\"fileTypes\":[\"source\"],\"licenseConcluded\":\"NOASSERTION\",\"licenseInfoInFiles\":[\"NOASSERTION\"]},{\"SPDXID\":\"SPDXRef-3\",\"checksums\":[{\"algorithm\":\"SHA1\",\"checksumValue\":\"26df176b1904e473fddc8ca654bce5607b3fc64f\"}],\"copyrightText\":\"\",\"fileName\":\"./src/main/java/com/example/log4shell/LoginServlet.java\",\"fileTypes\":[\"source\"],\"licenseConcluded\":\"NOASSERTION\",\"licenseInfoInFiles\":[\"NOASSERTION\"]}],\"IsFilesAnalyzedTagPresent\":true,\"IsUnpackaged\":false,\"SPDXID\":\"SPDXRef-1\",\"annotations\":null,\"checksums\":null,\"copyrightText\":\"http://spdx.org/rdf/terms#noassertion\",\"downloadLocation\":\"NOASSERTION\",\"filesAnalyzed\":true,\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"licenseInfoFromFiles\":[\"NOASSERTION\"],\"name\":\"log4shell\",\"packageFileName\":\"http://spdx.org/rdf/terms#noassertion\",\"packageVerificationCode\":{\"packageVerificationCodeExcludedFiles\":null,\"packageVerificationCodeValue\":\"b5dabb87df1acb05636fe4dbc19afdfe18298a38\"},\"versionInfo\":\"1.0-SNAPSHOT\"}],\"relationships\":[{\"comment\":\"Relationship based on Maven POM file dependency information\",\"relatedSpdxElement\":\"SPDXRef-4\",\"relationshipType\":\"other\",\"spdxElementId\":\"SPDXRef-1\"},{\"comment\":\"Relationship 
based on Maven POM file dependency information\",\"relatedSpdxElement\":\"SPDXRef-9\",\"relationshipType\":\"dynamicLink\",\"spdxElementId\":\"SPDXRef-1\"},{\"comment\":\"Relationship based on Maven POM file dependency information\",\"relatedSpdxElement\":\"SPDXRef-7\",\"relationshipType\":\"other\",\"spdxElementId\":\"SPDXRef-1\"},{\"relatedSpdxElement\":\"SPDXRef-1\",\"relationshipType\":\"generates\",\"spdxElementId\":\"SPDXRef-2\"},{\"comment\":\"Relationship based on Maven POM file dependency information\",\"relatedSpdxElement\":\"SPDXRef-6\",\"relationshipType\":\"testcaseOf\",\"spdxElementId\":\"SPDXRef-1\"},{\"relatedSpdxElement\":\"SPDXRef-1\",\"relationshipType\":\"generates\",\"spdxElementId\":\"SPDXRef-3\"},{\"comment\":\"Relationship based on Maven POM file dependency information\",\"relatedSpdxElement\":\"SPDXRef-8\",\"relationshipType\":\"dynamicLink\",\"spdxElementId\":\"SPDXRef-1\"},{\"comment\":\"Relationship based on Maven POM file dependency information\",\"relatedSpdxElement\":\"SPDXRef-5\",\"relationshipType\":\"testcaseOf\",\"spdxElementId\":\"SPDXRef-1\"},{\"relatedSpdxElement\":\"SPDXRef-1\",\"relationshipType\":\"describes\",\"spdxElementId\":\"SPDXRef-DOCUMENT\"}],\"snippets\":null,\"spdxVersion\":\"SPDX-2.2\"},\"Timestamp\":\"\"}}`)\n\n\tfulcioURL, err := apis.ParseURL(\"https://fulcio.sigstore.dev\")\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse fake Fulcio URL\")\n\t}\n\n\ttests := []struct {\n\t\tname          string\n\t\tpolicy        webhookcip.ClusterImagePolicy\n\t\twant          *PolicyResult\n\t\twantErrs      []string\n\t\tcustomContext context.Context\n\t}{{\n\t\tname: \"simple test\",\n\t\tpolicy: webhookcip.ClusterImagePolicy{\n\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\tGlob: \"**\",\n\t\t\t}},\n\t\t\tAuthorities: []webhookcip.Authority{{\n\t\t\t\tName: \"authority-0\",\n\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\tIdentities: []v1alpha1.Identity{{\n\t\t\t\t\t\tIssuerRegExp:  
\".*\",\n\t\t\t\t\t\tSubjectRegExp: \".*\",\n\t\t\t\t\t}},\n\t\t\t\t},\n\t\t\t\tAttestations: []webhookcip.AttestationPolicy{{\n\t\t\t\t\tName:          \"test-att\",\n\t\t\t\t\tPredicateType: \"https://spdx.dev/Document\",\n\t\t\t\t\tType:          \"cue\",\n\t\t\t\t\tData:          `{\"predicateType\": \"https://spdx.dev/Document\"}`,\n\t\t\t\t}},\n\t\t\t},\n\t\t\t},\n\t\t},\n\t\twant: &PolicyResult{\n\t\t\tAuthorityMatches: map[string]AuthorityMatch{\n\t\t\t\t\"authority-0\": {\n\t\t\t\t\tAttestations: map[string][]PolicyAttestation{\n\t\t\t\t\t\t\"test-att\": {{\n\t\t\t\t\t\t\tPolicySignature: PolicySignature{\n\t\t\t\t\t\t\t\tID:      \"2906bbcbb40870d95b19e1bafe1db915ae73e5cd2ae1bdfee539ab6272ae7774\",\n\t\t\t\t\t\t\t\tSubject: \"josh@dolit.ski\",\n\t\t\t\t\t\t\t\tIssuer:  \"https://github.com/login/oauth\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tPredicateType: \"https://spdx.dev/Document\",\n\t\t\t\t\t\t\tDigest:        \"sha256:f764a4251b2fe3c85dd46896b9d6e65361c9683755099d6dcd13009836d2e0e4\",\n\t\t\t\t\t\t\tPayload:       attPayload,\n\t\t\t\t\t\t}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tcosignVerifySignatures = cosign.VerifyImageSignatures\n\t\t\tcosignVerifyAttestations = cosign.VerifyImageAttestations\n\t\t\ttestContext := context.Background()\n\n\t\t\tif test.customContext != nil {\n\t\t\t\ttestContext = test.customContext\n\t\t\t}\n\t\t\tkc, err := k8schain.NewNoClient(testContext)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"Failed to construct no client k8schain for testing\")\n\t\t\t}\n\t\t\tgot, gotErrs := ValidatePolicy(testContext, system.Namespace(), digestAtt, test.policy, kc)\n\t\t\tvalidateErrors(t, test.wantErrs, gotErrs)\n\t\t\tif diff := cmp.Diff(test.want, got); diff != \"\" {\n\t\t\t\tt.Errorf(\"unexpected PolicyResult, %s with gotErrs %v\", diff, gotErrs)\n\t\t\t}\n\t\t})\n\t}\n}\nfunc validateErrors(t *testing.T, wantErr []string, got []error) 
{\n\tt.Helper()\n\tif len(wantErr) != len(got) {\n\t\tt.Errorf(\"Wanted %d errors got %d\", len(wantErr), len(got))\n\t} else {\n\t\tfor i, want := range wantErr {\n\t\t\tif !strings.Contains(got[i].Error(), want) {\n\t\t\t\tt.Errorf(\"Unwanted error at %d want: %s got: %s\", i, want, got[i])\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc TestValidatePodSpecNonDefaultNamespace(t *testing.T) {\n\ttag := name.MustParseReference(\"gcr.io/distroless/static:nonroot\")\n\t// Resolved via crane digest on 2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\tctx, _ := rtesting.SetupFakeContext(t)\n\n\t// Non-existent URL for testing complete failure\n\tbadURL := apis.HTTP(\"http://example.com/\")\n\n\t// Spin up a Fulcio that responds with a Root Cert\n\tfulcioServer := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {\n\t\trw.Write([]byte(fulcioRootCert))\n\t}))\n\tt.Cleanup(fulcioServer.Close)\n\tfulcioURL, err := apis.ParseURL(\"https://fulcio.sigstore.dev\")\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse fake Fulcio URL\")\n\t}\n\n\trekorServer := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {\n\t\trw.Write([]byte(rekorResponse))\n\t}))\n\tt.Cleanup(rekorServer.Close)\n\trekorURL, err := apis.ParseURL(rekorServer.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse fake Rekor URL\")\n\t}\n\n\tvar authorityKeyCosignPub *ecdsa.PublicKey\n\n\tpems := parsePems([]byte(authorityKeyCosignPubString))\n\tif len(pems) > 0 {\n\t\tkey, _ := x509.ParsePKIXPublicKey(pems[0].Bytes)\n\t\tauthorityKeyCosignPub = key.(*ecdsa.PublicKey)\n\t} else {\n\t\tt.Errorf(\"Error parsing authority key from string\")\n\t}\n\n\tkc := fakekube.Get(ctx)\n\t// Setup service acc and fakeSignaturePullSecrets for \"default\", \"cosign-system\" and \"my-secure-ns\" namespace\n\tfor _, ns := range []string{\"default\", 
system.Namespace(), \"my-secure-ns\"} {\n\t\tkc.CoreV1().ServiceAccounts(ns).Create(ctx, &corev1.ServiceAccount{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"default\",\n\t\t\t},\n\t\t}, metav1.CreateOptions{})\n\n\t\tkc.CoreV1().Secrets(ns).Create(ctx, &corev1.Secret{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"fakeSignaturePullSecrets\",\n\t\t\t},\n\t\t\tData: map[string][]byte{\n\t\t\t\t\"dockerconfigjson\": []byte(`{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"username\",\"password\":\"password\",\"auth\":\"dXNlcm5hbWU6cGFzc3dvcmQ=\"}}`),\n\t\t\t},\n\t\t}, metav1.CreateOptions{})\n\t}\n\n\t// Create fake secret in a non-default namespace and patch the default service acc\n\tkc.CoreV1().Secrets(\"my-secure-ns\").Create(ctx, &corev1.Secret{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tName: \"fakeSignaturePullSecretsNonDefault\",\n\t\t},\n\t\tData: map[string][]byte{\n\t\t\t\"dockerconfigjson\": []byte(`{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"username\",\"password\":\"password\",\"auth\":\"dXNlcm5hbWU6cGFzc3dvcmQ=\"}}`),\n\t\t},\n\t}, metav1.CreateOptions{})\n\n\tmergePatch := map[string]interface{}{\n\t\t\"imagePullSecrets\": map[string]interface{}{\n\t\t\t\"name\": \"fakeSignaturePullSecretsNonDefault\",\n\t\t},\n\t}\n\tpatch, err := json.Marshal(mergePatch)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to marshal merge patch: %v\", err)\n\t}\n\tkc.CoreV1().ServiceAccounts(\"my-secure-ns\").Patch(ctx, \"default\", types.MergePatchType, patch, metav1.PatchOptions{})\n\n\tv := NewValidator(ctx)\n\n\tcvs := cosignVerifySignatures\n\tdefer func() {\n\t\tcosignVerifySignatures = cvs\n\t}()\n\t// Let's just say that everything is verified.\n\tpass := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\tsig, err := static.NewSignature(nil, \"\")\n\t\tif err != nil {\n\t\t\treturn nil, false, err\n\t\t}\n\t\treturn []oci.Signature{sig}, 
true, nil\n\t}\n\t// Let's just say that everything is not verified.\n\tfail := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\treturn nil, false, errors.New(\"bad signature\")\n\t}\n\n\t// Let's say it is verified if it is the expected Public Key\n\tauthorityPublicKeyCVS := func(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {\n\t\tactualPublicKey, _ := co.SigVerifier.PublicKey()\n\t\tactualECDSAPubkey := actualPublicKey.(*ecdsa.PublicKey)\n\n\t\tactualPubKey, err := actualECDSAPubkey.ECDH()\n\t\tif err != nil {\n\t\t\treturn nil, false, errors.New(\"failed to get edch pub key\")\n\t\t}\n\n\t\tauthorityKeyPubKey, err := authorityKeyCosignPub.ECDH()\n\t\tif err != nil {\n\t\t\treturn nil, false, errors.New(\"failed to get edch pub key\")\n\t\t}\n\n\t\tif bytes.Equal(actualPubKey.Bytes(), authorityKeyPubKey.Bytes()) {\n\t\t\treturn pass(ctx, signedImgRef, co)\n\t\t}\n\n\t\treturn fail(ctx, signedImgRef, co)\n\t}\n\n\ttests := []struct {\n\t\tname          string\n\t\tps            *corev1.PodSpec\n\t\twant          *apis.FieldError\n\t\tcvs           func(context.Context, name.Reference, *cosign.CheckOpts) ([]oci.Signature, bool, error)\n\t\tcustomContext context.Context\n\t}{{\n\t\tname: \"simple, no error\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: 
\"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:              authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: pass,\n\t}, {\n\t\tname: \"bad reference\",\n\t\tps: &corev1.PodSpec{\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: \"in@valid\",\n\t\t\t}},\n\t\t},\n\t\twant: &apis.FieldError{\n\t\t\tMessage: `could not parse reference: in@valid`,\n\t\t\tPaths:   []string{\"containers[0].image\"},\n\t\t},\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"not digest\",\n\t\tps: &corev1.PodSpec{\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: tag.String(),\n\t\t\t}},\n\t\t},\n\t\twant: &apis.FieldError{\n\t\t\tMessage: `invalid value: gcr.io/distroless/static:nonroot must be an image digest`,\n\t\t\tPaths:   []string{\"containers[0].image\"},\n\t\t},\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"simple, no error, authority key\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: 
\"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:              authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: authorityPublicKeyCVS,\n\t}, {\n\t\tname: \"simple, error, authority keyless, bad fulcio\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: badURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s %s\", digest.String(), `signature keyless validation failed for authority  for gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4: bad 
signature`)\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe2.Details = fe.Details\n\t\t\terrs = errs.Also(fe2)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"simple, error, authority keyless, good fulcio, no rekor\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe2.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe2)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: fail,\n\t}, {\n\t\tname: 
\"simple, authority keyless checks out, good fulcio, bad cip policy\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless-bad-cip\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tPolicy: &webhookcip.AttestationPolicy{\n\t\t\t\t\t\t\t\tName: \"invalid json policy\",\n\t\t\t\t\t\t\t\tType: \"cue\",\n\t\t\t\t\t\t\t\tData: `{\"wontgo`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless-bad-cip\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s failed evaluating cue policy for ClusterImagePolicy: failed to compile the cue policy with error: string literal not terminated\", digest.String())\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless-bad-cip\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe2.Details = fmt.Sprintf(\"%s failed evaluating cue policy for ClusterImagePolicy: failed to compile the cue policy with error: string literal not terminated\", digest.String())\n\t\t\terrs = errs.Also(fe2)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: pass,\n\t}, 
{\n\t\tname: \"simple, no error, authority keyless, good fulcio\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: pass,\n\t}, {\n\t\tname: \"simple, error, authority keyless, good fulcio, bad rekor\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy-keyless\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\t\tURL: fulcioURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tCTLog: &v1alpha1.TLog{\n\t\t\t\t\t\t\t\t\t\tURL: 
rekorURL,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"initContainers\", 0)\n\t\t\tfe.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe)\n\t\t\tfe2 := apis.ErrGeneric(\"failed policy: cluster-image-policy-keyless\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe2.Details = fmt.Sprintf(\"%s signature keyless validation failed for authority  for %s: bad signature\", digest.String(), digest.Name())\n\t\t\terrs = errs.Also(fe2)\n\t\t\treturn errs\n\t\t}(),\n\t\tcvs: fail,\n\t}, {\n\t\tname: \"simple, error, authority source signaturePullSecrets, non existing secret\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(ctx,\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:              authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tSources: 
[]v1alpha1.Source{{\n\t\t\t\t\t\t\t\t\t\tOCI: \"example.com/alternative/signature\",\n\t\t\t\t\t\t\t\t\t\tSignaturePullSecrets: []corev1.LocalObjectReference{{\n\t\t\t\t\t\t\t\t\t\t\tName: \"non-existing-secret\",\n\t\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: pass,\n\t}, {\n\t\tname: \"simple, no error, authority source signaturePullSecrets, valid secret\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(ctx,\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:              authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tSources: []v1alpha1.Source{{\n\t\t\t\t\t\t\t\t\t\tOCI: \"example.com/alternative/signature\",\n\t\t\t\t\t\t\t\t\t\tSignaturePullSecrets: []corev1.LocalObjectReference{{\n\t\t\t\t\t\t\t\t\t\t\tName: \"fakeSignaturePullSecrets\",\n\t\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: authorityPublicKeyCVS,\n\t}, {\n\t\tname: \"simple, no error, with a resource selector based on 
labels and resource version\",\n\t\tps: &corev1.PodSpec{\n\t\t\tInitContainers: []corev1.Container{{\n\t\t\t\tName:  \"setup-stuff\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t\tContainers: []corev1.Container{{\n\t\t\t\tName:  \"user-container\",\n\t\t\t\tImage: digest.String(),\n\t\t\t}},\n\t\t},\n\t\tcustomContext: config.ToContext(context.Background(),\n\t\t\t&config.Config{\n\t\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\tMatch: []v1alpha1.MatchResource{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tGroupVersionResource: metav1.GroupVersionResource{\n\t\t\t\t\t\t\t\t\t\tGroup:    \"\",\n\t\t\t\t\t\t\t\t\t\tVersion:  \"v1\",\n\t\t\t\t\t\t\t\t\t\tResource: \"pods\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tResourceSelector: &metav1.LabelSelector{\n\t\t\t\t\t\t\t\t\t\tMatchLabels: map[string]string{\"test\": \"test\"},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\t\t\t\t\t\t\tData:              authorityKeyCosignPubString,\n\t\t\t\t\t\t\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\t\t\t\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\t\t\t\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t),\n\t\tcvs: pass,\n\t}}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tfor _, mode := range []string{\"\", \"enforce\", \"warn\"} {\n\t\t\t\tcosignVerifySignatures = test.cvs\n\t\t\t\ttestContext := context.Background()\n\t\t\t\t// By default we want errors. 
However, iff the mode above is\n\t\t\t\t// warn, and we're using a custom context and therefore\n\t\t\t\t// triggering the CIP.mode twiddling below, check for warnings.\n\t\t\t\twantWarn := false\n\t\t\t\tif test.customContext != nil {\n\t\t\t\t\tif mode == \"warn\" {\n\t\t\t\t\t\twantWarn = true\n\t\t\t\t\t}\n\t\t\t\t\t// If we are testing with custom context, loop through\n\t\t\t\t\t// all the modes here. It's a bit silly that we spin through\n\t\t\t\t\t// all the tests 3 times, but for now this is better than\n\t\t\t\t\t// duplicating all the CIPs with just different modes.\n\t\t\t\t\ttestContext = test.customContext\n\n\t\t\t\t\t// Twiddle the mode for tests.\n\t\t\t\t\tcfg := config.FromContext(testContext)\n\t\t\t\t\tnewPolicies := make(map[string]webhookcip.ClusterImagePolicy, len(cfg.ImagePolicyConfig.Policies))\n\t\t\t\t\tfor k, v := range cfg.ImagePolicyConfig.Policies {\n\t\t\t\t\t\tv.Mode = mode\n\t\t\t\t\t\tnewPolicies[k] = v\n\t\t\t\t\t}\n\t\t\t\t\tcfg.ImagePolicyConfig.Policies = newPolicies\n\t\t\t\t\tconfig.ToContext(testContext, cfg)\n\t\t\t\t}\n\n\t\t\t\t// The Request body bytes are consumed in every call, so we need\n\t\t\t\t// to set a new request for every call\n\t\t\t\tattachHTTPRequestToContext := func(context.Context) context.Context {\n\t\t\t\t\t// Build fake HTTP Request\n\t\t\t\t\tadmissionreq := &admissionv1.AdmissionReview{\n\t\t\t\t\t\tRequest: &admissionv1.AdmissionRequest{\n\t\t\t\t\t\t\tOperation: admissionv1.Create,\n\t\t\t\t\t\t\tKind: metav1.GroupVersionKind{\n\t\t\t\t\t\t\t\tGroup:   \"\",\n\t\t\t\t\t\t\t\tVersion: \"v1\",\n\t\t\t\t\t\t\t\tKind:    \"Pod\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tNamespace: \"my-secure-ns\",\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\n\t\t\t\t\treqBuf := new(bytes.Buffer)\n\t\t\t\t\terr = json.NewEncoder(reqBuf).Encode(&admissionreq)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tt.Fatalf(\"Failed to marshal admission review: %v\", err)\n\t\t\t\t\t}\n\t\t\t\t\treq, err := http.NewRequest(\"GET\", \"foo\", 
reqBuf)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tt.Fatalf(\"NewRequest() = %v\", err)\n\t\t\t\t\t}\n\t\t\t\t\treturn apis.WithHTTPRequest(testContext, req)\n\t\t\t\t}\n\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\ttestContext = context.WithValue(testContext, kubeclient.Key{}, kc)\n\n\t\t\t\t// Check the core mechanics\n\t\t\t\tgot := v.validatePodSpec(testContext, \"my-secure-ns\", \"Pod\", \"v1\", map[string]string{\"test\": \"test\"}, test.ps, k8schain.Options{})\n\t\t\t\tif (got != nil) != (test.want != nil) {\n\t\t\t\t\tt.Errorf(\"validatePodSpec() = %v, wanted %v\", got, test.want)\n\t\t\t\t} else if got != nil && got.Error() != test.want.Error() {\n\t\t\t\t\tt.Errorf(\"validatePodSpec() = %v, wanted %v\", got, test.want)\n\t\t\t\t}\n\n\t\t\t\tif test.want != nil {\n\t\t\t\t\tif wantWarn {\n\t\t\t\t\t\ttest.want.Level = apis.WarningLevel\n\t\t\t\t\t} else {\n\t\t\t\t\t\ttest.want.Level = apis.ErrorLevel\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// Check wrapped in a Pod\n\t\t\t\tpod := &duckv1.Pod{\n\t\t\t\t\tSpec: *test.ps,\n\t\t\t\t}\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\t// Set the policy config to pass anything that doesn't match any\n\t\t\t\t// policies.\n\t\t\t\ttestContext = policycontrollerconfig.ToContext(testContext, &policycontrollerconfig.PolicyControllerConfig{NoMatchPolicy: policycontrollerconfig.AllowAll, FailOnEmptyAuthorities: true})\n\n\t\t\t\tgot = v.ValidatePod(testContext, pod)\n\t\t\t\twant := test.want.ViaField(\"spec\")\n\t\t\t\tif (got != nil) != (want != nil) {\n\t\t\t\t\tt.Errorf(\"ValidatePod() = %v, wanted %v\", got, want)\n\t\t\t\t} else if got != nil && got.Error() != want.Error() {\n\t\t\t\t\tt.Errorf(\"ValidatePod() = %v, wanted %v\", got, want)\n\t\t\t\t}\n\t\t\t\t// Check the warning/error level.\n\t\t\t\tif got != nil && test.want != nil {\n\t\t\t\t\tif got.Level != want.Level {\n\t\t\t\t\t\tt.Errorf(\"ValidatePod() Wrong Level = %v, wanted %v\", got.Level, 
want.Level)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// Check that we don't block things being deleted.\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\tif got := v.ValidatePod(apis.WithinDelete(testContext), pod); got != nil {\n\t\t\t\t\tt.Errorf(\"ValidatePod() = %v, wanted nil\", got)\n\t\t\t\t}\n\n\t\t\t\t// Check wrapped in a WithPod\n\t\t\t\twithPod := &duckv1.WithPod{\n\t\t\t\t\tSpec: duckv1.WithPodSpec{\n\t\t\t\t\t\tTemplate: duckv1.PodSpecable{\n\t\t\t\t\t\t\tSpec: *test.ps,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\tgot = v.ValidatePodSpecable(testContext, withPod)\n\t\t\t\twant = test.want.ViaField(\"spec.template.spec\")\n\t\t\t\tif (got != nil) != (want != nil) {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted %v\", got, want)\n\t\t\t\t} else if got != nil && got.Error() != want.Error() {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted %v\", got, want)\n\t\t\t\t}\n\t\t\t\t// Check the warning/error level.\n\t\t\t\tif got != nil && test.want != nil {\n\t\t\t\t\tif got.Level != want.Level {\n\t\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() Wrong Level = %v, wanted %v\", got.Level, want.Level)\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Check that we don't block things being deleted.\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\tif got := v.ValidatePodSpecable(apis.WithinDelete(testContext), withPod); got != nil {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted nil\", got)\n\t\t\t\t}\n\n\t\t\t\t// Check wrapped in a podScalable\n\t\t\t\tpodScalable := &policyduckv1beta1.PodScalable{\n\t\t\t\t\tSpec: policyduckv1beta1.PodScalableSpec{\n\t\t\t\t\t\tReplicas: ptr.Int32(3),\n\t\t\t\t\t\tTemplate: corev1.PodTemplateSpec{\n\t\t\t\t\t\t\tSpec: *test.ps,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\tgot = v.ValidatePodScalable(testContext, podScalable)\n\t\t\t\twant = 
test.want.ViaField(\"spec.template.spec\")\n\t\t\t\tif (got != nil) != (want != nil) {\n\t\t\t\t\tt.Errorf(\"ValidatePodScalable() = %v, wanted %v\", got, want)\n\t\t\t\t} else if got != nil && got.Error() != want.Error() {\n\t\t\t\t\tt.Errorf(\"ValidatePodScalable() = %v, wanted %v\", got, want)\n\t\t\t\t}\n\t\t\t\t// Check the warning/error level.\n\t\t\t\tif got != nil && test.want != nil {\n\t\t\t\t\tif got.Level != want.Level {\n\t\t\t\t\t\tt.Errorf(\"ValidatePodScalable() Wrong Level = %v, wanted %v\", got.Level, want.Level)\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Check that we don't block things being deleted.\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\tif got := v.ValidatePodScalable(apis.WithinDelete(testContext), podScalable); got != nil {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted nil\", got)\n\t\t\t\t}\n\n\t\t\t\t// Check that we don't block things being scaled down.\n\t\t\t\toriginal := podScalable.DeepCopy()\n\t\t\t\toriginal.Spec.Replicas = ptr.Int32(4)\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\tif got := v.ValidatePodScalable(apis.WithinUpdate(testContext, original), podScalable); got != nil {\n\t\t\t\t\tt.Errorf(\"ValidatePodSpecable() scaling down = %v, wanted nil\", got)\n\t\t\t\t}\n\n\t\t\t\t// Check that we fail as expected if being scaled up.\n\t\t\t\toriginal.Spec.Replicas = ptr.Int32(2)\n\t\t\t\ttestContext = attachHTTPRequestToContext(testContext)\n\t\t\t\tgot = v.ValidatePodScalable(apis.WithinUpdate(testContext, original), podScalable)\n\t\t\t\twant = test.want.ViaField(\"spec.template.spec\")\n\t\t\t\tif (got != nil) != (want != nil) {\n\t\t\t\t\tt.Errorf(\"ValidatePodScalable() scaling up = %v, wanted %v\", got, want)\n\t\t\t\t} else if got != nil && got.Error() != want.Error() {\n\t\t\t\t\tt.Errorf(\"ValidatePodScalable() scaling up = %v, wanted %v\", got, want)\n\t\t\t\t}\n\t\t\t\t// Check the warning/error level.\n\t\t\t\tif got != nil && test.want != nil 
{\n\t\t\t\t\tif got.Level != want.Level {\n\t\t\t\t\t\tt.Errorf(\"ValidatePodScalable() scaling up Wrong Level = %v, wanted %v\", got.Level, want.Level)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestValidatePodSpecCancelled(t *testing.T) {\n\t// Resolved via crane digest on 2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\tctx, _ := rtesting.SetupFakeContext(t)\n\tkc := fakekube.Get(ctx)\n\t// Setup service account and fakeSignaturePullSecrets for \"default\"\n\t// namespace\n\tkc.CoreV1().ServiceAccounts(\"default\").Create(ctx, &corev1.ServiceAccount{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tName: \"default\",\n\t\t},\n\t}, metav1.CreateOptions{})\n\n\tkc.CoreV1().Secrets(\"default\").Create(ctx, &corev1.Secret{\n\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\tName: \"fakeSignaturePullSecrets\",\n\t\t},\n\t\tData: map[string][]byte{\n\t\t\t\"dockerconfigjson\": []byte(`{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"username\",\"password\":\"password\",\"auth\":\"dXNlcm5hbWU6cGFzc3dvcmQ=\"}}`),\n\t\t},\n\t}, metav1.CreateOptions{})\n\n\tv := NewValidator(ctx)\n\n\tps := &corev1.PodSpec{\n\t\tInitContainers: []corev1.Container{{\n\t\t\tName:  \"setup-stuff\",\n\t\t\tImage: digest.String(),\n\t\t}},\n\t\tContainers: []corev1.Container{{\n\t\t\tName:  \"user-container\",\n\t\t\tImage: digest.String(),\n\t\t}},\n\t}\n\tctx = config.ToContext(ctx,\n\t\t&config.Config{\n\t\t\tImagePolicyConfig: &config.ImagePolicyConfig{\n\t\t\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{\n\t\t\t\t\t\"cluster-image-policy\": {\n\t\t\t\t\t\tImages: []v1alpha1.ImagePattern{{\n\t\t\t\t\t\t\tGlob: \"gcr.io/*/*\",\n\t\t\t\t\t\t}},\n\t\t\t\t\t\tAuthorities: []webhookcip.Authority{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\t\t\t\t\t\tURL: 
apis.HTTP(\"fulcio.sigstore.dev\"),\n\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\n\tcancelledContext, cancelFunc := context.WithCancel(ctx)\n\twantErr := \"context was canceled before validation completed\"\n\tcancelFunc()\n\tgotErrs := v.validatePodSpec(cancelledContext, \"default\", \"pod\", \"v1\", map[string]string{}, ps, k8schain.Options{})\n\tif gotErrs == nil {\n\t\tt.Errorf(\"Did not get an error on canceled context\")\n\t} else if !strings.Contains(gotErrs.Error(), wantErr) {\n\t\tt.Errorf(\"Did not get canceled error, got: %s\", gotErrs.Error())\n\t}\n}\n\nfunc TestValidatePolicyCancelled(t *testing.T) {\n\tvar authorityKeyCosignPub *ecdsa.PublicKey\n\tpems := parsePems([]byte(authorityKeyCosignPubString))\n\tif len(pems) > 0 {\n\t\tkey, _ := x509.ParsePKIXPublicKey(pems[0].Bytes)\n\t\tauthorityKeyCosignPub = key.(*ecdsa.PublicKey)\n\t} else {\n\t\tt.Errorf(\"Error parsing authority key from string\")\n\t}\n\t// Resolved via crane digest on 2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\ttestContext, cancelFunc := context.WithCancel(context.Background())\n\tcip := webhookcip.ClusterImagePolicy{\n\t\tAuthorities: []webhookcip.Authority{{\n\t\t\tName: \"authority-0\",\n\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t},\n\t\t}},\n\t}\n\tkc, err := k8schain.NewNoClient(testContext)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to construct no client k8schain for testing\")\n\t}\n\n\twantErrs := []string{\"context canceled before validation completed\"}\n\tcancelFunc()\n\t_, gotErrs := ValidatePolicy(testContext, system.Namespace(), digest, cip, kc)\n\tvalidateErrors(t, wantErrs, gotErrs)\n}\n\nfunc TestValidatePoliciesCancelled(t *testing.T) 
{\n\tvar authorityKeyCosignPub *ecdsa.PublicKey\n\tpems := parsePems([]byte(authorityKeyCosignPubString))\n\tif len(pems) > 0 {\n\t\tkey, _ := x509.ParsePKIXPublicKey(pems[0].Bytes)\n\t\tauthorityKeyCosignPub = key.(*ecdsa.PublicKey)\n\t} else {\n\t\tt.Errorf(\"Error parsing authority key from string\")\n\t}\n\t// Resolved via crane digest on 2021/09/25\n\tdigest := name.MustParseReference(\"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\")\n\n\ttestContext, cancelFunc := context.WithCancel(context.Background())\n\tcip := webhookcip.ClusterImagePolicy{\n\t\tAuthorities: []webhookcip.Authority{{\n\t\t\tName: \"authority-0\",\n\t\t\tKey: &webhookcip.KeyRef{\n\t\t\t\tPublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},\n\t\t\t\tHashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,\n\t\t\t\tHashAlgorithmCode: crypto.SHA256,\n\t\t\t},\n\t\t}},\n\t}\n\tkc, err := k8schain.NewNoClient(testContext)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to construct no client k8schain for testing\")\n\t}\n\twantErrs := []string{\"context was canceled before validation completed\"}\n\tcancelFunc()\n\t_, gotErrs := validatePolicies(testContext, system.Namespace(), digest, map[string]webhookcip.ClusterImagePolicy{\"testcip\": cip}, kc)\n\tvalidateErrors(t, wantErrs, gotErrs[\"internalerror\"])\n}\n\nfunc TestPolicyControllerConfigNoMatchPolicy(t *testing.T) {\n\tdigest := \"gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4\"\n\n\ttestPodSpec := &corev1.PodSpec{\n\t\tContainers: []corev1.Container{{\n\t\t\tName:  \"test-container\",\n\t\t\tImage: digest,\n\t\t}},\n\t}\n\n\tctx, _ := rtesting.SetupFakeContext(t)\n\tpolicies := &config.ImagePolicyConfig{\n\t\tPolicies: map[string]webhookcip.ClusterImagePolicy{},\n\t}\n\tctx = config.ToContext(ctx, &config.Config{ImagePolicyConfig: policies})\n\tv := NewValidator(ctx)\n\t// no policies\n\tkc := fakekube.Get(ctx)\n\t// 
Setup service acc and fakeSignaturePullSecrets for \"default\", \"cosign-system\" and \"my-secure-ns\" namespace\n\tfor _, ns := range []string{\"default\", system.Namespace()} {\n\t\tkc.CoreV1().ServiceAccounts(ns).Create(ctx, &corev1.ServiceAccount{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"default\",\n\t\t\t},\n\t\t}, metav1.CreateOptions{})\n\n\t\tkc.CoreV1().Secrets(ns).Create(ctx, &corev1.Secret{\n\t\t\tObjectMeta: metav1.ObjectMeta{\n\t\t\t\tName: \"fakeSignaturePullSecrets\",\n\t\t\t},\n\t\t\tData: map[string][]byte{\n\t\t\t\t\"dockerconfigjson\": []byte(`{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"username\",\"password\":\"password\",\"auth\":\"dXNlcm5hbWU6cGFzc3dvcmQ=\"}}`),\n\t\t\t},\n\t\t}, metav1.CreateOptions{})\n\t}\n\n\ttests := []struct {\n\t\tname          string\n\t\tnoMatchPolicy string\n\t\twant          *apis.FieldError\n\t\t// If above should be at warning level.\n\t\twantWarn bool\n\t}{{\n\t\tname: \"empty value - implicit deny\", // this will fail because default is deny.\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"no matching policies\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe.Details = digest\n\t\t\terrs = errs.Also(fe)\n\t\t\treturn errs\n\t\t}(),\n\t}, {\n\t\tname:          \"explicit deny\",\n\t\tnoMatchPolicy: \"deny\",\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"no matching policies\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe.Details = digest\n\t\t\terrs = errs.Also(fe)\n\t\t\treturn errs\n\t\t}(),\n\t}, {\n\t\tname:          \"warn\",\n\t\tnoMatchPolicy: \"warn\",\n\t\twant: func() *apis.FieldError {\n\t\t\tvar errs *apis.FieldError\n\t\t\tfe := apis.ErrGeneric(\"no matching policies\", \"image\").ViaFieldIndex(\"containers\", 0)\n\t\t\tfe.Details = digest\n\t\t\terrs = errs.Also(fe)\n\t\t\treturn errs\n\t\t}(),\n\t}, {\n\t\tname:          
\"allow\",\n\t\tnoMatchPolicy: \"allow\",\n\t}}\n\tfor _, tc := range tests {\n\t\ttestCtx := policycontrollerconfig.ToContext(ctx, &policycontrollerconfig.PolicyControllerConfig{NoMatchPolicy: tc.noMatchPolicy, FailOnEmptyAuthorities: true})\n\n\t\tgot := v.validatePodSpec(testCtx, system.Namespace(), \"pod\", \"v1\", map[string]string{}, testPodSpec, k8schain.Options{})\n\t\tif (got != nil) != (tc.want != nil) {\n\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted %v\", got, tc.want)\n\t\t} else if got != nil && got.Error() != tc.want.Error() {\n\t\t\tt.Errorf(\"ValidatePodSpecable() = %v, wanted %v\", got, tc.want)\n\t\t}\n\t\tif tc.want != nil && tc.wantWarn {\n\t\t\ttc.want.Level = apis.WarningLevel\n\t\t}\n\t\t// Check the warning/error level.\n\t\tif got != nil && tc.want != nil {\n\t\t\tif got.Level != tc.want.Level {\n\t\t\t\tt.Errorf(\"ValidatePod() Wrong Level = %v, wanted %v\", got.Level, tc.want.Level)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc TestFulcioCertsFromAuthority(t *testing.T) {\n\tcerts, err := cryptoutils.UnmarshalCertificatesFromPEM([]byte(certChain))\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unmarshal certs for testing: %v\", err)\n\t}\n\n\troots := x509.NewCertPool()\n\t// last cert is the root\n\troots.AddCert(certs[2])\n\tintermediates := x509.NewCertPool()\n\tintermediates.AddCert(certs[0])\n\tintermediates.AddCert(certs[1])\n\n\tembeddedRoots, err := fulcioroots.Get()\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get embedded fulcioroots for testing\")\n\t}\n\tembeddedIntermediates, err := fulcioroots.GetIntermediates()\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get embedded fulcioroots for testing\")\n\t}\n\n\tembeddedCTLogKeys, err := cosign.GetCTLogPubs(context.Background())\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get embedded CTLog Public keys for testing\")\n\t}\n\tpbpk, marshalledPK, err := config.DeserializePublicKey([]byte(ctfePublicKey))\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to deserialize CTLog public key: %v\", 
err)\n\t}\n\tcertChain, err := config.DeserializeCertChain([]byte(certChain))\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to deserialize cert chain: %v\", err)\n\t}\n\tsk := config.SigstoreKeys{\n\t\tCertificateAuthorities: []*config.CertificateAuthority{{\n\t\t\tSubject: &config.DistinguishedName{\n\t\t\t\tOrganization: \"testorg\",\n\t\t\t\tCommonName:   \"testcommonname\",\n\t\t\t},\n\t\t\tCertChain: certChain,\n\t\t}},\n\t\tCtlogs: []*config.TransparencyLogInstance{{\n\t\t\tLogId:     &config.LogID{KeyId: []byte(ctfeLogID)},\n\t\t\tPublicKey: pbpk,\n\t\t}},\n\t}\n\tc := &config.Config{\n\t\tSigstoreKeysConfig: &config.SigstoreKeysMap{\n\t\t\tSigstoreKeys: map[string]*config.SigstoreKeys{\n\t\t\t\t\"test-trust-root\": &sk,\n\t\t\t},\n\t\t},\n\t}\n\n\ttestCtx := config.ToContext(context.Background(), c)\n\n\ttests := []struct {\n\t\tname              string\n\t\tkeylessRef        *webhookcip.KeylessRef\n\t\twantErr           string\n\t\twantRoots         *x509.CertPool\n\t\twantIntermediates *x509.CertPool\n\t\twantCTLogKeys     *cosign.TrustedTransparencyLogPubKeys\n\t\tctx               context.Context\n\t}{{\n\t\tname:              \"no trustroots, uses embedded\",\n\t\tkeylessRef:        &webhookcip.KeylessRef{},\n\t\twantRoots:         embeddedRoots,\n\t\twantIntermediates: embeddedIntermediates,\n\t\twantCTLogKeys:     embeddedCTLogKeys,\n\t}, {\n\t\tname:       \"config does not exist\",\n\t\tkeylessRef: &webhookcip.KeylessRef{TrustRootRef: \"not-there\"},\n\t\twantErr:    \"getting SigstoreKeys: trustRootRef not-there not found, config missing\",\n\t\tctx:        config.ToContext(context.Background(), nil),\n\t}, {\n\t\tname:       \"SigstoreKeys does not exist\",\n\t\tkeylessRef: &webhookcip.KeylessRef{TrustRootRef: \"not-there\"},\n\t\twantErr:    \"getting SigstoreKeys: trustRootRef not-there not found, SigstoreKeys missing\",\n\t\tctx:        config.ToContext(context.Background(), &config.Config{}),\n\t}, {\n\t\tname:       \"trustroot does not 
exist\",\n\t\tkeylessRef: &webhookcip.KeylessRef{TrustRootRef: \"not-there\"},\n\t\tctx:        testCtx,\n\t\twantErr:    \"trustRootRef not-there not found\",\n\t}, {\n\t\tname:              \"trustroot found\",\n\t\tkeylessRef:        &webhookcip.KeylessRef{TrustRootRef: \"test-trust-root\"},\n\t\tctx:               testCtx,\n\t\twantRoots:         roots,\n\t\twantIntermediates: intermediates,\n\t\twantCTLogKeys:     &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: marshalledPK, Status: tuf.Active}}},\n\t}}\n\n\tfor _, tc := range tests {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\ttCtx := tc.ctx\n\t\t\tif tCtx == nil {\n\t\t\t\ttCtx = context.Background()\n\t\t\t}\n\t\t\troots, intermediates, ctlogKeys, err := fulcioCertsFromAuthority(tCtx, tc.keylessRef)\n\t\t\tif err != nil {\n\t\t\t\tif tc.wantErr == \"\" {\n\t\t\t\t\tt.Errorf(\"unexpected error: %v wanted none\", err)\n\t\t\t\t} else if err.Error() != tc.wantErr {\n\t\t\t\t\tt.Errorf(\"unexpected error: %v wanted %q\", err, tc.wantErr)\n\t\t\t\t}\n\t\t\t} else if tc.wantErr != \"\" {\n\t\t\t\tt.Errorf(\"wanted error: %q got none\", tc.wantErr)\n\t\t\t}\n\t\t\tif !roots.Equal(tc.wantRoots) {\n\t\t\t\tt.Errorf(\"Roots differ\")\n\t\t\t}\n\t\t\tif !intermediates.Equal(tc.wantIntermediates) {\n\t\t\t\tt.Errorf(\"Intermediates differ\")\n\t\t\t}\n\t\t\tif diff := cmp.Diff(tc.wantCTLogKeys, ctlogKeys); diff != \"\" {\n\t\t\t\tt.Errorf(\"CTLog keys differ: %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestRekorClientAndKeysFromAuthority(t *testing.T) {\n\tpbpk, pk, err := config.DeserializePublicKey([]byte(rekorPublicKey))\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unmarshal public key for testing: %v\", err)\n\t}\n\tecpk, ok := pk.(*ecdsa.PublicKey)\n\tif !ok {\n\t\tt.Fatalf(\"pk is not a ecsda public key\")\n\t}\n\n\tembeddedPKs, err := cosign.GetRekorPubs(context.Background())\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get embedded rekor pubs for 
testing\")\n\t}\n\tif len(embeddedPKs.Keys) != 1 {\n\t\tt.Fatalf(\"Did not get a single Public Key for Rekor\")\n\t}\n\tvar embeddedLogID string\n\tvar embeddedPK crypto.PublicKey\n\tfor k, v := range embeddedPKs.Keys {\n\t\tembeddedLogID = k\n\t\tembeddedPK = v.PubKey\n\t}\n\n\tsk := config.SigstoreKeys{\n\t\tTlogs: []*config.TransparencyLogInstance{{\n\t\t\tPublicKey: pbpk,\n\t\t\tLogId:     &config.LogID{KeyId: []byte(rekorLogID)},\n\t\t\tBaseUrl:   \"rekor.example.com\",\n\t\t}},\n\t}\n\tc := &config.Config{\n\t\tSigstoreKeysConfig: &config.SigstoreKeysMap{\n\t\t\tSigstoreKeys: map[string]*config.SigstoreKeys{\n\t\t\t\t\"test-trust-root\": &sk,\n\t\t\t},\n\t\t},\n\t}\n\ttestCtx := config.ToContext(context.Background(), c)\n\n\ttests := []struct {\n\t\tname       string\n\t\ttlog       *v1alpha1.TLog\n\t\twantErr    string\n\t\twantPK     crypto.PublicKey\n\t\twantLogID  string\n\t\twantClient bool\n\t\tctx        context.Context\n\t}{{\n\t\tname:       \"no trustroots, uses embedded\",\n\t\ttlog:       &v1alpha1.TLog{URL: apis.HTTPS(\"rekor.sigstore.dev\")},\n\t\twantPK:     embeddedPK,\n\t\twantLogID:  embeddedLogID,\n\t\twantClient: true,\n\t}, {\n\n\t\tname:    \"config does not exist\",\n\t\ttlog:    &v1alpha1.TLog{TrustRootRef: \"not-there\"},\n\t\twantErr: \"fetching keys for trustRootRef: getting SigstoreKeys: trustRootRef not-there not found, config missing\",\n\t\tctx:     config.ToContext(context.Background(), nil),\n\t}, {\n\t\tname:    \"SigstoreKeys does not exist\",\n\t\ttlog:    &v1alpha1.TLog{TrustRootRef: \"not-there\"},\n\t\twantErr: \"fetching keys for trustRootRef: getting SigstoreKeys: trustRootRef not-there not found, SigstoreKeys missing\",\n\t\tctx:     config.ToContext(context.Background(), &config.Config{}),\n\t}, {\n\t\tname:    \"trustroot does not exist\",\n\t\ttlog:    &v1alpha1.TLog{TrustRootRef: \"not-there\"},\n\t\tctx:     testCtx,\n\t\twantErr: \"fetching keys for trustRootRef: trustRootRef not-there not found\",\n\t}, 
{\n\t\tname:       \"trustroot found\",\n\t\ttlog:       &v1alpha1.TLog{TrustRootRef: \"test-trust-root\"},\n\t\twantPK:     ecpk,\n\t\twantLogID:  rekorLogID,\n\t\tctx:        testCtx,\n\t\twantClient: true,\n\t}}\n\n\tfor _, tc := range tests {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\ttCtx := tc.ctx\n\t\t\tif tCtx == nil {\n\t\t\t\ttCtx = context.Background()\n\t\t\t}\n\t\t\trekorClient, gotPKs, err := rekorClientAndKeysFromAuthority(tCtx, webhookcip.Authority{CTLog: tc.tlog})\n\t\t\tif err != nil {\n\t\t\t\tif tc.wantErr == \"\" {\n\t\t\t\t\tt.Errorf(\"unexpected error: %v wanted none\", err)\n\t\t\t\t} else if err.Error() != tc.wantErr {\n\t\t\t\t\tt.Errorf(\"unexpected error: %v wanted %q\", err, tc.wantErr)\n\t\t\t\t}\n\t\t\t} else if tc.wantErr != \"\" {\n\t\t\t\tt.Errorf(\"wanted error: %q got none\", tc.wantErr)\n\t\t\t}\n\t\t\tif tc.wantLogID != \"\" {\n\t\t\t\tif gotPKs == nil || gotPKs.Keys == nil {\n\t\t\t\t\tt.Errorf(\"Wanted logid %s got none\", tc.wantLogID)\n\t\t\t\t} else if diff := cmp.Diff(gotPKs.Keys[tc.wantLogID].PubKey, tc.wantPK); diff != \"\" {\n\t\t\t\t\tt.Errorf(\"did not get wanted PK: %s\", diff)\n\t\t\t\t}\n\t\t\t} else if gotPKs != nil {\n\t\t\t\tt.Errorf(\"did not want PK, %+v\", gotPKs)\n\t\t\t}\n\t\t\tif tc.wantClient && rekorClient == nil {\n\t\t\t\tt.Errorf(\"wanted rekor client, but got none\")\n\t\t\t} else if !tc.wantClient && rekorClient != nil {\n\t\t\t\tt.Errorf(\"did not want rekor client, but got one\")\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestCheckOptsFromAuthority(t *testing.T) {\n\tpbpkRekor, pkRekor, err := config.DeserializePublicKey([]byte(rekorPublicKey))\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unmarshal public key for testing: %v\", err)\n\t}\n\tpbpkCTFE, pkCTFE, err := config.DeserializePublicKey([]byte(ctfePublicKey))\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unmarshal public key for testing: %v\", err)\n\t}\n\tecpk, ok := pkRekor.(*ecdsa.PublicKey)\n\tif !ok {\n\t\tt.Fatalf(\"pk is not a ecsda public 
key\")\n\t}\n\n\tembeddedPKs, err := cosign.GetRekorPubs(context.Background())\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get embedded rekor pubs for testing\")\n\t}\n\tif len(embeddedPKs.Keys) != 1 {\n\t\tt.Fatalf(\"Did not get a single Public Key for Rekor\")\n\t}\n\tvar embeddedLogID string\n\tvar embeddedPK crypto.PublicKey\n\tfor k, v := range embeddedPKs.Keys {\n\t\tembeddedLogID = k\n\t\tembeddedPK = v.PubKey\n\t}\n\n\tcerts, err := cryptoutils.UnmarshalCertificatesFromPEM([]byte(certChain))\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unmarshal certs for testing: %v\", err)\n\t}\n\n\troots := x509.NewCertPool()\n\t// last cert is the root\n\troots.AddCert(certs[2])\n\tintermediates := x509.NewCertPool()\n\tintermediates.AddCert(certs[0])\n\tintermediates.AddCert(certs[1])\n\n\tembeddedRoots, err := fulcioroots.Get()\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get embedded fulcioroots for testing\")\n\t}\n\tembeddedIntermediates, err := fulcioroots.GetIntermediates()\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get embedded fulcioroots for testing\")\n\t}\n\n\tembeddedCTLogKeys, err := cosign.GetCTLogPubs(context.Background())\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get embedded CTLog Public keys for testing\")\n\t}\n\n\tskRekor := config.SigstoreKeys{\n\t\tTlogs: []*config.TransparencyLogInstance{{\n\t\t\tPublicKey: pbpkRekor,\n\t\t\tLogId:     &config.LogID{KeyId: []byte(\"rekor-logid\")},\n\t\t\tBaseUrl:   \"rekor.example.com\",\n\t\t}},\n\t}\n\tcertChainPB, err := config.DeserializeCertChain([]byte(certChain))\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unmarshal cert chain for testing: %v\", err)\n\t}\n\tskFulcio := config.SigstoreKeys{\n\t\tCertificateAuthorities: []*config.CertificateAuthority{{\n\t\t\tSubject: &config.DistinguishedName{\n\t\t\t\tOrganization: \"testorg\",\n\t\t\t\tCommonName:   \"testcommonname\",\n\t\t\t},\n\t\t\tCertChain: certChainPB,\n\t\t}},\n\t\tCtlogs: []*config.TransparencyLogInstance{{\n\t\t\tLogId:     
&config.LogID{KeyId: []byte(ctfeLogID)},\n\t\t\tPublicKey: pbpkCTFE,\n\t\t}},\n\t}\n\tskCombined := config.SigstoreKeys{\n\t\tMediaType: \"application/vnd.dev.sigstore.trustedroot+json;version=0.1\",\n\t\tTlogs: []*config.TransparencyLogInstance{{\n\t\t\tPublicKey:     pbpkRekor,\n\t\t\tLogId:         &config.LogID{KeyId: []byte(\"rekor-logid\")},\n\t\t\tBaseUrl:       \"rekor.example.com\",\n\t\t\tHashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,\n\t\t}},\n\t\tCertificateAuthorities: []*config.CertificateAuthority{{\n\t\t\tSubject: &config.DistinguishedName{\n\t\t\t\tOrganization: \"testorg\",\n\t\t\t\tCommonName:   \"testcommonname\",\n\t\t\t},\n\t\t\tCertChain: certChainPB,\n\t\t}},\n\t\tCtlogs: []*config.TransparencyLogInstance{{\n\t\t\tLogId:         &config.LogID{KeyId: []byte(ctfeLogID)},\n\t\t\tPublicKey:     pbpkCTFE,\n\t\t\tHashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,\n\t\t}},\n\t}\n\tc := &config.Config{\n\t\tSigstoreKeysConfig: &config.SigstoreKeysMap{\n\t\t\tSigstoreKeys: map[string]*config.SigstoreKeys{\n\t\t\t\t\"test-trust-rekor\":    &skRekor,\n\t\t\t\t\"test-trust-fulcio\":   &skFulcio,\n\t\t\t\t\"test-trust-combined\": &skCombined,\n\t\t\t},\n\t\t},\n\t}\n\ttestCtx := config.ToContext(context.Background(), c)\n\n\ttests := []struct {\n\t\tname          string\n\t\tauthority     webhookcip.Authority\n\t\twantErr       string\n\t\twantCheckOpts *cosign.CheckOpts\n\t\tctx           context.Context\n\t\twantClient    bool\n\t}{{\n\t\tname: \"no trustroots, uses embedded\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tCTLog:   &v1alpha1.TLog{URL: apis.HTTPS(\"rekor.sigstore.dev\")},\n\t\t\tKeyless: &webhookcip.KeylessRef{URL: apis.HTTPS(\"fulcio.sigstore.dev\")},\n\t\t},\n\t\twantCheckOpts: &cosign.CheckOpts{\n\t\t\tRekorPubKeys:      &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{embeddedLogID: {PubKey: embeddedPK, Status: tuf.Active}}},\n\t\t\tRootCerts:         embeddedRoots,\n\t\t\tIntermediateCerts: 
embeddedIntermediates,\n\t\t\tCTLogPubKeys:      embeddedCTLogKeys,\n\t\t},\n\t\twantClient: true,\n\t}, {\n\t\tname: \"SigstoreKeys does not exist for Rekor\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tName: \"test-authority\",\n\t\t\tCTLog: &v1alpha1.TLog{\n\t\t\t\tURL:          apis.HTTPS(\"rekor.example.com\"),\n\t\t\t\tTrustRootRef: \"not-there\"}},\n\t\twantErr: \"getting Rekor public keys: test-authority: fetching keys for trustRootRef: trustRootRef not-there not found\",\n\t\tctx:     testCtx,\n\t}, {\n\t\tname: \"SigstoreKeys does not exist for Fulcio\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tName: \"test-authority\",\n\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\tURL:          apis.HTTPS(\"fulcio.example.com\"),\n\t\t\t\tTrustRootRef: \"not-there\"}},\n\t\twantErr: \"getting Fulcio certs: test-authority: trustRootRef not-there not found\",\n\t\tctx:     testCtx,\n\t}, {\n\t\tname: \"trustroot found, Rekor\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tCTLog: &v1alpha1.TLog{\n\t\t\t\tURL:          apis.HTTPS(\"rekor.example.com\"),\n\t\t\t\tTrustRootRef: \"test-trust-rekor\"}},\n\t\tctx:        testCtx,\n\t\twantClient: true,\n\t\twantCheckOpts: &cosign.CheckOpts{\n\t\t\tRekorPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{\"rekor-logid\": {PubKey: ecpk, Status: tuf.Active}}},\n\t\t},\n\t}, {\n\t\tname: \"trustroot found, Fulcio\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\tURL:          apis.HTTPS(\"fulcio.example.com\"),\n\t\t\t\tTrustRootRef: \"test-trust-fulcio\"}},\n\t\tctx: testCtx,\n\t\twantCheckOpts: &cosign.CheckOpts{\n\t\t\tRootCerts:         roots,\n\t\t\tIntermediateCerts: intermediates,\n\t\t\tIgnoreTlog:        true,\n\t\t\tCTLogPubKeys:      &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: pkCTFE, Status: tuf.Active}}},\n\t\t},\n\t}, {\n\t\tname: \"trustroot found, combined, with 
Identities\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tCTLog: &v1alpha1.TLog{\n\t\t\t\tURL:          apis.HTTPS(\"rekor.example.com\"),\n\t\t\t\tTrustRootRef: \"test-trust-rekor\"},\n\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\tIdentities: []v1alpha1.Identity{{\n\t\t\t\t\tIssuer:  \"issuer\",\n\t\t\t\t\tSubject: \"subject\",\n\t\t\t\t}},\n\t\t\t\tURL:          apis.HTTPS(\"rekor.example.com\"),\n\t\t\t\tTrustRootRef: \"test-trust-combined\"}},\n\t\tctx:        testCtx,\n\t\twantClient: true,\n\t\twantCheckOpts: &cosign.CheckOpts{\n\t\t\tRootCerts:         roots,\n\t\t\tIntermediateCerts: intermediates,\n\t\t\tRekorPubKeys:      &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{\"rekor-logid\": {PubKey: ecpk, Status: tuf.Active}}},\n\t\t\tIdentities: []cosign.Identity{{\n\t\t\t\tIssuer:  \"issuer\",\n\t\t\t\tSubject: \"subject\",\n\t\t\t}},\n\t\t\tCTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: pkCTFE, Status: tuf.Active}}},\n\t\t},\n\t}, {\n\t\tname: \"bundle format, with Identities and Rekor\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tSignatureFormat: \"bundle\",\n\t\t\tCTLog: &v1alpha1.TLog{\n\t\t\t\tURL:          apis.HTTPS(\"rekor.example.com\"),\n\t\t\t\tTrustRootRef: \"test-trust-combined\",\n\t\t\t},\n\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\tTrustRootRef: \"test-trust-combined\",\n\t\t\t\tIdentities: []v1alpha1.Identity{{\n\t\t\t\t\tIssuer:  \"issuer\",\n\t\t\t\t\tSubject: \"subject\",\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\tctx: testCtx,\n\t\twantCheckOpts: &cosign.CheckOpts{\n\t\t\tNewBundleFormat: true,\n\t\t\tIdentities: []cosign.Identity{{\n\t\t\t\tIssuer:  \"issuer\",\n\t\t\t\tSubject: \"subject\",\n\t\t\t}},\n\t\t\tTrustedMaterial: &root.TrustedRoot{},\n\t\t},\n\t}, {\n\t\tname: \"bundle format, with TSA\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tSignatureFormat: \"bundle\",\n\t\t\t// Test keys do not contain a TSA but that is 
okay as we are just constructing the checkOpts\n\t\t\tRFC3161Timestamp: &webhookcip.RFC3161Timestamp{\n\t\t\t\tTrustRootRef: \"test-trust-combined\",\n\t\t\t},\n\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\tTrustRootRef: \"test-trust-combined\",\n\t\t\t},\n\t\t},\n\t\tctx: testCtx,\n\t\twantCheckOpts: &cosign.CheckOpts{\n\t\t\tNewBundleFormat:     true,\n\t\t\tUseSignedTimestamps: true,\n\t\t\tTrustedMaterial:     &root.TrustedRoot{},\n\t\t\tIgnoreTlog:          true,\n\t\t},\n\t}, {\n\t\tname: \"bundle format, bad TrustRootRef\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tSignatureFormat: \"bundle\",\n\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\tTrustRootRef: \"not-there\",\n\t\t\t},\n\t\t},\n\t\tctx:     testCtx,\n\t\twantErr: \"trustRootRef not-there not found\",\n\t}, {\n\t\tname: \"bundle format, unsupported different trustroots\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tSignatureFormat: \"bundle\",\n\t\t\tCTLog: &v1alpha1.TLog{\n\t\t\t\tTrustRootRef: \"test-trust-rekor\",\n\t\t\t},\n\t\t\tKeyless: &webhookcip.KeylessRef{\n\t\t\t\tTrustRootRef: \"test-trust-combined\",\n\t\t\t},\n\t\t},\n\t\tctx:     testCtx,\n\t\twantErr: \"when using the new bundle format, the trustRootRef for the TLog must be the same as the trustRootRef for the Keyless authority\",\n\t}, {\n\t\tname: \"bundle format, unsupported non-keyless\",\n\t\tauthority: webhookcip.Authority{\n\t\t\tSignatureFormat: \"bundle\",\n\t\t},\n\t\tctx:     testCtx,\n\t\twantErr: \"when using the new bundle format, the authority must be keyless\",\n\t}}\n\n\tfor _, tc := range tests {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\ttCtx := tc.ctx\n\t\t\tif tCtx == nil {\n\t\t\t\ttCtx = context.Background()\n\t\t\t}\n\t\t\tgotCheckOpts, err := checkOptsFromAuthority(tCtx, tc.authority)\n\t\t\tif err != nil {\n\t\t\t\tif tc.wantErr == \"\" {\n\t\t\t\t\tt.Errorf(\"unexpected error: %v wanted none\", err)\n\t\t\t\t} else if err.Error() != tc.wantErr {\n\t\t\t\t\tt.Errorf(\"unexpected error: %v wanted 
%q\", err, tc.wantErr)\n\t\t\t\t}\n\t\t\t} else if tc.wantErr != \"\" {\n\t\t\t\tt.Errorf(\"wanted error: %q got none\", tc.wantErr)\n\t\t\t}\n\t\t\tif tc.wantClient && (gotCheckOpts == nil || gotCheckOpts.RekorClient == nil) {\n\t\t\t\tt.Errorf(\"wanted rekor client, but got none\")\n\t\t\t} else if !tc.wantClient && gotCheckOpts != nil && gotCheckOpts.RekorClient != nil {\n\t\t\t\tt.Errorf(\"did not want rekor client, but got one\")\n\t\t\t}\n\t\t\t// nil out the rekorclient since we can't meaningfully diff it, and\n\t\t\t// we check above that we get one when we expect one, and don't when\n\t\t\t// we don't.\n\t\t\tif gotCheckOpts != nil {\n\t\t\t\tgotCheckOpts.RekorClient = nil\n\t\t\t}\n\t\t\tif diff := cmp.Diff(gotCheckOpts, tc.wantCheckOpts, cmpopts.IgnoreUnexported(root.TrustedRoot{})); diff != \"\" {\n\t\t\t\tt.Errorf(\"CheckOpts differ: %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestSignatureID(t *testing.T) {\n\tcert := mustRead(t, \"testdata/cert.pem\")\n\tfor _, tc := range []struct {\n\t\tname string\n\t\tsig  oci.Signature\n\t\twant string\n\t}{\n\t\t{\n\t\t\tname: \"no cert\",\n\t\t\tsig:  newStaticSig(t, []byte(\"foo\"), nil),\n\t\t\twant: \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\n\t\t},\n\t\t{\n\t\t\tname: \"with cert\",\n\t\t\tsig:  newStaticSig(t, []byte(\"foo\"), cert),\n\t\t\twant: \"0b413181a61e85e0426d9f49ccd58d2205314297ee0c3bb515ad9d0f89480995\",\n\t\t},\n\t} {\n\t\tgot, err := signatureID(tc.sig)\n\t\tif err != nil {\n\t\t\tt.Fatal(err)\n\t\t}\n\t\tif tc.want != got {\n\t\t\tt.Errorf(\"want %s, got %s\", tc.want, got)\n\t\t}\n\t}\n}\n\nfunc mustRead(t *testing.T, path string) []byte {\n\tt.Helper()\n\tb, err := os.ReadFile(path)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\treturn b\n}\n\nfunc newStaticSig(t *testing.T, payload []byte, cert []byte) oci.Signature {\n\tt.Helper()\n\n\tvar opts []static.Option\n\tif cert != nil {\n\t\topts = append(opts, static.WithCertChain(cert, nil))\n\t}\n\tout, err := 
static.NewSignature(payload, \"\", opts...)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\treturn out\n}\n\n// TODO: This test needs a more realistic DSSE envelope mock\nfunc TestValidAttestationsOCI11Enabled_DISABLED(t *testing.T) {\n\tt.Skip(\"Skipping until DSSE envelope mocking is improved\")\n\tctx := context.Background()\n\tref := name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := &cosign.CheckOpts{}\n\n\t// Save originals\n\torigResolve := ociremoteResolveDigest\n\torigReferrers := ociremoteReferrers\n\torigVerifyAtt := cosignVerifyAttestations\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t\tociremoteReferrers = origReferrers\n\t\tcosignVerifyAttestations = origVerifyAtt\n\t}()\n\n\t// Test with EnableOCI11 = true\n\tcfg := &policycontrollerconfig.PolicyControllerConfig{\n\t\tEnableOCI11: true,\n\t}\n\tctx = policycontrollerconfig.ToContext(ctx, cfg)\n\n\t// Mock successful OCI 1.1 discovery\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\treturn name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\").(name.Digest), nil\n\t}\n\n\tmockManifest := &v1.IndexManifest{\n\t\tManifests: []v1.Descriptor{\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.in-toto+json\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"attestationdigest\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tociremoteReferrers = func(d name.Digest, artifactType string, opts ...remote.Option) (*v1.IndexManifest, error) {\n\t\treturn mockManifest, nil\n\t}\n\n\t// Create a mock signed image with DSSE envelope\n\tdsseContent := []byte(`{\"payload\":\"eyJmb28iOiJiYXIifQ==\",\"signatures\":[{\"sig\":\"c2lnbmF0dXJl\"}]}`)\n\n\tociremoteSignedImage = func(ref name.Reference, opts ...remote.Option) (oci.SignedImage, error) {\n\t\treturn 
&mockSignedImage{\n\t\t\tlayers: []v1.Layer{\n\t\t\t\t&mockLayer{content: dsseContent},\n\t\t\t},\n\t\t}, nil\n\t}\n\n\t// Should call OCI 1.1 path, not legacy\n\tlegacyCalled := false\n\tcosignVerifyAttestations = func(ctx context.Context, ref name.Reference, co *cosign.CheckOpts, nameOpts ...name.Option) ([]oci.Signature, bool, error) {\n\t\tlegacyCalled = true\n\t\treturn nil, false, errors.New(\"should not call legacy\")\n\t}\n\n\t_, err := validAttestations(ctx, ref, checkOpts)\n\n\t// OCI 1.1 should succeed and legacy should not be called\n\tif legacyCalled {\n\t\tt.Error(\"Legacy cosignVerifyAttestations should not have been called when OCI 1.1 succeeds\")\n\t}\n\tif err != nil {\n\t\tt.Errorf(\"Expected OCI 1.1 to succeed, got error: %v\", err)\n\t}\n}\n\nfunc TestValidAttestationsOCI11Fallback(t *testing.T) {\n\tctx := context.Background()\n\tref := name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := &cosign.CheckOpts{}\n\n\t// Save originals\n\torigResolve := ociremoteResolveDigest\n\torigVerifyAtt := cosignVerifyAttestations\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t\tcosignVerifyAttestations = origVerifyAtt\n\t}()\n\n\t// Test with EnableOCI11 = true but OCI 1.1 fails\n\tcfg := &policycontrollerconfig.PolicyControllerConfig{\n\t\tEnableOCI11: true,\n\t}\n\tctx = policycontrollerconfig.ToContext(ctx, cfg)\n\n\t// Mock OCI 1.1 to fail\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\treturn name.Digest{}, errors.New(\"OCI 1.1 not supported\")\n\t}\n\n\t// Mock legacy to succeed\n\tlegacyCalled := false\n\tmockSig, _ := static.NewSignature(nil, \"\")\n\tcosignVerifyAttestations = func(ctx context.Context, ref name.Reference, co *cosign.CheckOpts, nameOpts ...name.Option) ([]oci.Signature, bool, error) {\n\t\tlegacyCalled = true\n\t\treturn []oci.Signature{mockSig}, true, nil\n\t}\n\n\tsigs, err := 
validAttestations(ctx, ref, checkOpts)\n\n\tif !legacyCalled {\n\t\tt.Error(\"Legacy cosignVerifyAttestations should have been called as fallback\")\n\t}\n\tif err != nil {\n\t\tt.Errorf(\"Expected fallback to succeed, got error: %v\", err)\n\t}\n\tif len(sigs) != 1 {\n\t\tt.Errorf(\"Expected 1 signature from fallback, got %d\", len(sigs))\n\t}\n}\n\nfunc TestValidAttestationsOCI11Disabled(t *testing.T) {\n\tctx := context.Background()\n\tref := name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := &cosign.CheckOpts{}\n\n\t// Save originals\n\torigResolve := ociremoteResolveDigest\n\torigVerifyAtt := cosignVerifyAttestations\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t\tcosignVerifyAttestations = origVerifyAtt\n\t}()\n\n\t// Test with EnableOCI11 = false (default)\n\tcfg := &policycontrollerconfig.PolicyControllerConfig{\n\t\tEnableOCI11: false,\n\t}\n\tctx = policycontrollerconfig.ToContext(ctx, cfg)\n\n\t// Mock OCI 1.1 - should not be called\n\toci11Called := false\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\toci11Called = true\n\t\treturn name.Digest{}, errors.New(\"should not call\")\n\t}\n\n\t// Mock legacy to succeed\n\tmockSig, _ := static.NewSignature(nil, \"\")\n\tcosignVerifyAttestations = func(ctx context.Context, ref name.Reference, co *cosign.CheckOpts, nameOpts ...name.Option) ([]oci.Signature, bool, error) {\n\t\treturn []oci.Signature{mockSig}, true, nil\n\t}\n\n\tsigs, err := validAttestations(ctx, ref, checkOpts)\n\n\tif oci11Called {\n\t\tt.Error(\"OCI 1.1 path should not have been called when disabled\")\n\t}\n\tif err != nil {\n\t\tt.Errorf(\"Expected legacy to succeed, got error: %v\", err)\n\t}\n\tif len(sigs) != 1 {\n\t\tt.Errorf(\"Expected 1 signature, got %d\", len(sigs))\n\t}\n}\n\nfunc TestDiscoverAttestationsOCI11NoAttestations(t *testing.T) {\n\tctx := context.Background()\n\tref 
:= name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := &cosign.CheckOpts{}\n\n\t// Save originals\n\torigResolve := ociremoteResolveDigest\n\torigReferrers := ociremoteReferrers\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t\tociremoteReferrers = origReferrers\n\t}()\n\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\treturn name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\").(name.Digest), nil\n\t}\n\n\t// Return index with no in-toto artifacts\n\tmockManifest := &v1.IndexManifest{\n\t\tManifests: []v1.Descriptor{\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.oci.image.manifest.v1+json\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"somedigest\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tociremoteReferrers = func(d name.Digest, artifactType string, opts ...remote.Option) (*v1.IndexManifest, error) {\n\t\treturn mockManifest, nil\n\t}\n\n\t_, err := discoverAttestationsOCI11(ctx, ref, checkOpts)\n\n\tif err == nil {\n\t\tt.Error(\"Expected error when no attestations found\")\n\t}\n\tif !strings.Contains(err.Error(), \"no attestations found\") {\n\t\tt.Errorf(\"Expected 'no attestations found' error, got: %v\", err)\n\t}\n}\n\nfunc TestDiscoverAttestationsOCI11ResolveDigestFails(t *testing.T) {\n\tctx := context.Background()\n\tref := name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := &cosign.CheckOpts{}\n\n\t// Save original\n\torigResolve := ociremoteResolveDigest\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t}()\n\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\treturn name.Digest{}, errors.New(\"resolve failed\")\n\t}\n\n\t_, err := 
discoverAttestationsOCI11(ctx, ref, checkOpts)\n\n\tif err == nil {\n\t\tt.Error(\"Expected error when resolve digest fails\")\n\t}\n\tif !strings.Contains(err.Error(), \"resolve failed\") {\n\t\tt.Errorf(\"Expected 'resolve failed' error, got: %v\", err)\n\t}\n}\n\nfunc TestDiscoverAttestationsOCI11ReferrersFails(t *testing.T) {\n\tctx := context.Background()\n\tref := name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := &cosign.CheckOpts{}\n\n\t// Save originals\n\torigResolve := ociremoteResolveDigest\n\torigReferrers := ociremoteReferrers\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t\tociremoteReferrers = origReferrers\n\t}()\n\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\treturn name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\").(name.Digest), nil\n\t}\n\n\tociremoteReferrers = func(d name.Digest, artifactType string, opts ...remote.Option) (*v1.IndexManifest, error) {\n\t\treturn nil, errors.New(\"referrers API not supported\")\n\t}\n\n\t_, err := discoverAttestationsOCI11(ctx, ref, checkOpts)\n\n\tif err == nil {\n\t\tt.Error(\"Expected error when referrers call fails\")\n\t}\n\tif !strings.Contains(err.Error(), \"referrers API not supported\") {\n\t\tt.Errorf(\"Expected 'referrers API not supported' error, got: %v\", err)\n\t}\n}\n\n// Mock types for testing\ntype mockSignedImage struct {\n\tlayers []v1.Layer\n}\n\nfunc (m *mockSignedImage) Digest() (v1.Hash, error) {\n\treturn v1.Hash{}, nil\n}\n\nfunc (m *mockSignedImage) Signatures() (oci.Signatures, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) Attestations() (oci.Signatures, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) Attachment(name string) (oci.File, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) Layers() ([]v1.Layer, error) {\n\treturn 
m.layers, nil\n}\n\nfunc (m *mockSignedImage) ConfigName() (v1.Hash, error) {\n\treturn v1.Hash{}, nil\n}\n\nfunc (m *mockSignedImage) ConfigFile() (*v1.ConfigFile, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) RawConfigFile() ([]byte, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) Manifest() (*v1.Manifest, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) RawManifest() ([]byte, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) LayerByDigest(hash v1.Hash) (v1.Layer, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) LayerByDiffID(hash v1.Hash) (v1.Layer, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockSignedImage) MediaType() (v1types.MediaType, error) {\n\treturn v1types.OCIManifestSchema1, nil\n}\n\nfunc (m *mockSignedImage) Size() (int64, error) {\n\treturn 0, nil\n}\n\ntype mockLayer struct {\n\tcontent []byte\n}\n\nfunc (m *mockLayer) Digest() (v1.Hash, error) {\n\treturn v1.Hash{}, nil\n}\n\nfunc (m *mockLayer) DiffID() (v1.Hash, error) {\n\treturn v1.Hash{}, nil\n}\n\nfunc (m *mockLayer) Compressed() (io.ReadCloser, error) {\n\treturn io.NopCloser(bytes.NewReader(m.content)), nil\n}\n\nfunc (m *mockLayer) Uncompressed() (io.ReadCloser, error) {\n\treturn io.NopCloser(bytes.NewReader(m.content)), nil\n}\n\nfunc (m *mockLayer) Size() (int64, error) {\n\treturn int64(len(m.content)), nil\n}\n\nfunc (m *mockLayer) MediaType() (v1types.MediaType, error) {\n\treturn v1types.OCILayer, nil\n}\n\nfunc TestProcessAttestationArtifact(t *testing.T) {\n\t// Save original\n\torigSignedImage := ociremoteSignedImage\n\tdefer func() {\n\t\tociremoteSignedImage = origSignedImage\n\t}()\n\n\trepo, _ := name.NewRepository(\"example.com/test\")\n\tdescriptor := v1.Descriptor{\n\t\tDigest: v1.Hash{\n\t\t\tAlgorithm: \"sha256\",\n\t\t\tHex:       \"abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\n\t\t},\n\t}\n\n\ttests := []struct {\n\t\tname         string\n\t\tdescriptor   v1.Descriptor\n\t\tmockImage    
func(name.Reference, ...remote.Option) (oci.SignedImage, error)\n\t\twantErr      bool\n\t\twantSigCount int\n\t}{\n\t\t{\n\t\t\tname:       \"valid DSSE envelope\",\n\t\t\tdescriptor: descriptor,\n\t\t\tmockImage: func(ref name.Reference, opts ...remote.Option) (oci.SignedImage, error) {\n\t\t\t\t// Valid DSSE envelope with proper base64 payload\n\t\t\t\tdsseContent := []byte(`{\"payload\":\"eyJ0ZXN0IjoidmFsdWUifQ==\",\"signatures\":[{\"sig\":\"c2lnbmF0dXJl\"}]}`)\n\t\t\t\treturn &mockSignedImage{\n\t\t\t\t\tlayers: []v1.Layer{\n\t\t\t\t\t\t&mockLayer{content: dsseContent},\n\t\t\t\t\t},\n\t\t\t\t}, nil\n\t\t\t},\n\t\t\twantErr:      false,\n\t\t\twantSigCount: 1,\n\t\t},\n\t\t{\n\t\t\tname:       \"multiple signatures in envelope\",\n\t\t\tdescriptor: descriptor,\n\t\t\tmockImage: func(ref name.Reference, opts ...remote.Option) (oci.SignedImage, error) {\n\t\t\t\tdsseContent := []byte(`{\"payload\":\"eyJ0ZXN0IjoidmFsdWUifQ==\",\"signatures\":[{\"sig\":\"c2lnMQ==\"},{\"sig\":\"c2lnMg==\"}]}`)\n\t\t\t\treturn &mockSignedImage{\n\t\t\t\t\tlayers: []v1.Layer{\n\t\t\t\t\t\t&mockLayer{content: dsseContent},\n\t\t\t\t\t},\n\t\t\t\t}, nil\n\t\t\t},\n\t\t\twantErr:      false,\n\t\t\twantSigCount: 2,\n\t\t},\n\t\t{\n\t\t\tname: \"invalid digest format\",\n\t\t\tdescriptor: v1.Descriptor{\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"invalid\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tmockImage: func(ref name.Reference, opts ...remote.Option) (oci.SignedImage, error) {\n\t\t\t\treturn nil, nil\n\t\t\t},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname:       \"failed to get signed image\",\n\t\t\tdescriptor: descriptor,\n\t\t\tmockImage: func(ref name.Reference, opts ...remote.Option) (oci.SignedImage, error) {\n\t\t\t\treturn nil, errors.New(\"failed to fetch image\")\n\t\t\t},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname:       \"no layers in image\",\n\t\t\tdescriptor: descriptor,\n\t\t\tmockImage: func(ref name.Reference, opts 
...remote.Option) (oci.SignedImage, error) {\n\t\t\t\treturn &mockSignedImage{\n\t\t\t\t\tlayers: []v1.Layer{},\n\t\t\t\t}, nil\n\t\t\t},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname:       \"invalid JSON in layer\",\n\t\t\tdescriptor: descriptor,\n\t\t\tmockImage: func(ref name.Reference, opts ...remote.Option) (oci.SignedImage, error) {\n\t\t\t\treturn &mockSignedImage{\n\t\t\t\t\tlayers: []v1.Layer{\n\t\t\t\t\t\t&mockLayer{content: []byte(\"not json\")},\n\t\t\t\t\t},\n\t\t\t\t}, nil\n\t\t\t},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname:       \"empty signatures array\",\n\t\t\tdescriptor: descriptor,\n\t\t\tmockImage: func(ref name.Reference, opts ...remote.Option) (oci.SignedImage, error) {\n\t\t\t\tdsseContent := []byte(`{\"payload\":\"eyJ0ZXN0IjoidmFsdWUifQ==\",\"signatures\":[]}`)\n\t\t\t\treturn &mockSignedImage{\n\t\t\t\t\tlayers: []v1.Layer{\n\t\t\t\t\t\t&mockLayer{content: dsseContent},\n\t\t\t\t\t},\n\t\t\t\t}, nil\n\t\t\t},\n\t\t\twantErr:      false,\n\t\t\twantSigCount: 0,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tociremoteSignedImage = tt.mockImage\n\n\t\t\tsigs, err := processAttestationArtifact(tt.descriptor, repo, nil)\n\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"wantErr=%v, got err=%v\", tt.wantErr, err)\n\t\t\t}\n\t\t\tif !tt.wantErr && len(sigs) != tt.wantSigCount {\n\t\t\t\tt.Errorf(\"wanted %d signatures, got %d\", tt.wantSigCount, len(sigs))\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestDiscoverAttestationsOCI11SuccessfulDiscovery(t *testing.T) {\n\tctx := context.Background()\n\tref := name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := &cosign.CheckOpts{}\n\n\t// Save originals\n\torigResolve := ociremoteResolveDigest\n\torigReferrers := ociremoteReferrers\n\torigProcessAtt := testProcessAttestationArtifact\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t\tociremoteReferrers = 
origReferrers\n\t\ttestProcessAttestationArtifact = origProcessAtt\n\t}()\n\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\treturn name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\").(name.Digest), nil\n\t}\n\n\t// Return manifest with in-toto attestations\n\tmockManifest := &v1.IndexManifest{\n\t\tManifests: []v1.Descriptor{\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.in-toto+json\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"att1111111111111111111111111111111111111111111111111111111111\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.in-toto.provenance\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"att2222222222222222222222222222222222222222222222222222222222\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tociremoteReferrers = func(d name.Digest, artifactType string, opts ...remote.Option) (*v1.IndexManifest, error) {\n\t\treturn mockManifest, nil\n\t}\n\n\t// Mock processAttestationArtifact to return valid signatures\n\ttestProcessAttestationArtifact = func(result v1.Descriptor, repository name.Repository, registryOpts []remote.Option) ([]oci.Signature, error) {\n\t\tmockSig, _ := static.NewSignature(nil, \"\")\n\t\treturn []oci.Signature{mockSig}, nil\n\t}\n\n\tsigs, err := discoverAttestationsOCI11(ctx, ref, checkOpts)\n\n\tif err != nil {\n\t\tt.Errorf(\"Expected success, got error: %v\", err)\n\t}\n\t// Should have 2 signatures (one from each in-toto artifact)\n\tif len(sigs) != 2 {\n\t\tt.Errorf(\"Expected 2 signatures from 2 in-toto artifacts, got %d\", len(sigs))\n\t}\n}\n\nfunc TestDiscoverAttestationsOCI11MixedArtifacts(t *testing.T) {\n\tctx := context.Background()\n\tref := name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := 
&cosign.CheckOpts{}\n\n\t// Save originals\n\torigResolve := ociremoteResolveDigest\n\torigReferrers := ociremoteReferrers\n\torigProcessAtt := testProcessAttestationArtifact\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t\tociremoteReferrers = origReferrers\n\t\ttestProcessAttestationArtifact = origProcessAtt\n\t}()\n\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\treturn name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\").(name.Digest), nil\n\t}\n\n\t// Mix of in-toto and non-in-toto artifacts (should only process in-toto)\n\tmockManifest := &v1.IndexManifest{\n\t\tManifests: []v1.Descriptor{\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.oci.image.manifest.v1+json\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"img1111111111111111111111111111111111111111111111111111111111\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.in-toto+dsse\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"att1111111111111111111111111111111111111111111111111111111111\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.oci.artifact.manifest.v1+json\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"art1111111111111111111111111111111111111111111111111111111111\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tociremoteReferrers = func(d name.Digest, artifactType string, opts ...remote.Option) (*v1.IndexManifest, error) {\n\t\treturn mockManifest, nil\n\t}\n\n\tprocessedCount := 0\n\ttestProcessAttestationArtifact = func(result v1.Descriptor, repository name.Repository, registryOpts []remote.Option) ([]oci.Signature, error) {\n\t\tprocessedCount++\n\t\tmockSig, _ := static.NewSignature(nil, \"\")\n\t\treturn []oci.Signature{mockSig}, nil\n\t}\n\n\tsigs, err := discoverAttestationsOCI11(ctx, ref, 
checkOpts)\n\n\tif err != nil {\n\t\tt.Errorf(\"Expected success, got error: %v\", err)\n\t}\n\t// Should only process the one in-toto artifact\n\tif processedCount != 1 {\n\t\tt.Errorf(\"Expected processAttestationArtifact to be called once, called %d times\", processedCount)\n\t}\n\tif len(sigs) != 1 {\n\t\tt.Errorf(\"Expected 1 signature from 1 in-toto artifact, got %d\", len(sigs))\n\t}\n}\n\nfunc TestDiscoverAttestationsOCI11PartialProcessingFailure(t *testing.T) {\n\tctx := context.Background()\n\tref := name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\")\n\tcheckOpts := &cosign.CheckOpts{}\n\n\t// Save originals\n\torigResolve := ociremoteResolveDigest\n\torigReferrers := ociremoteReferrers\n\torigProcessAtt := testProcessAttestationArtifact\n\tdefer func() {\n\t\tociremoteResolveDigest = origResolve\n\t\tociremoteReferrers = origReferrers\n\t\ttestProcessAttestationArtifact = origProcessAtt\n\t}()\n\n\tociremoteResolveDigest = func(ref name.Reference, opts ...remote.Option) (name.Digest, error) {\n\t\treturn name.MustParseReference(\"example.com/test@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\").(name.Digest), nil\n\t}\n\n\t// Multiple in-toto artifacts\n\tmockManifest := &v1.IndexManifest{\n\t\tManifests: []v1.Descriptor{\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.in-toto+json\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"good111111111111111111111111111111111111111111111111111111111\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.in-toto+json\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       \"bad2222222222222222222222222222222222222222222222222222222222\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tArtifactType: \"application/vnd.in-toto+json\",\n\t\t\t\tDigest: v1.Hash{\n\t\t\t\t\tAlgorithm: \"sha256\",\n\t\t\t\t\tHex:       
\"good333333333333333333333333333333333333333333333333333333333\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tociremoteReferrers = func(d name.Digest, artifactType string, opts ...remote.Option) (*v1.IndexManifest, error) {\n\t\treturn mockManifest, nil\n\t}\n\n\tcallCount := 0\n\ttestProcessAttestationArtifact = func(result v1.Descriptor, repository name.Repository, registryOpts []remote.Option) ([]oci.Signature, error) {\n\t\tcallCount++\n\t\tif callCount == 2 {\n\t\t\t// Second call fails\n\t\t\treturn nil, errors.New(\"processing failed for second artifact\")\n\t\t}\n\t\t// First and third succeed\n\t\tmockSig, _ := static.NewSignature(nil, \"\")\n\t\treturn []oci.Signature{mockSig}, nil\n\t}\n\n\tsigs, err := discoverAttestationsOCI11(ctx, ref, checkOpts)\n\n\t// Should succeed with 2 signatures (second one failed but was skipped with logging)\n\tif err != nil {\n\t\tt.Errorf(\"Expected success with partial failures, got error: %v\", err)\n\t}\n\tif callCount != 3 {\n\t\tt.Errorf(\"Expected processAttestationArtifact called 3 times, got %d\", callCount)\n\t}\n\tif len(sigs) != 2 {\n\t\tt.Errorf(\"Expected 2 signatures (second failed), got %d\", len(sigs))\n\t}\n}\n"
  },
  {
    "path": "release/README.md",
    "content": "# Release\n\nThis directory contains the files and scripts to run a policy-controller release.\n\n# Cutting a Policy Controller Release\n\n1. Release notes: Create a PR to update and review release notes in CHANGELOG.md.\n  - Check merged pull requests since the last release and make sure enhancements, bug fixes, and authors are reflected in the notes.\n\nYou can get a list of pull requests since the last release by substituting in the date of the last release and running:\n\n```\ngit log --pretty=\"* %s\" --after=\"YYYY-MM-DD\"\n```\n\nand a list of authors by running:\n\n```\ngit log --pretty=\"* %an\" --after=\"YYYY-MM-DD\" | sort -u\n```\n\n2. Tag the repository\n\n```shell\n$ export RELEASE_TAG=<release version, e.g. \"v1.4.0\">\n$ git tag -s ${RELEASE_TAG} -m \"${RELEASE_TAG}\"\n$ git push origin ${RELEASE_TAG}\n```\n\n3. The tag push will start the https://github.com/sigstore/policy-controller/blob/main/.github/workflows/release.yaml job, which will build and release all the artifacts and images.\n\n4. Send an announcement email to the `sigstore-dev@googlegroups.com` mailing list\n\n5. Tweet about the new release with a fun new trigonometry pun!\n\n6. Honk!\n\n#### After the release:\n\n* Add a pending new section in CHANGELOG.md to set up for the next release\n"
  },
  {
    "path": "release/ko-sign-release-images.sh",
    "content": "#!/usr/bin/env bash\n\n# Copyright 2022 The Sigstore Authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#      http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n: \"${GIT_HASH:?Environment variable empty or not defined.}\"\n: \"${GIT_VERSION:?Environment variable empty or not defined.}\"\n\nif [[ ! -f policyControllerImagerefs ]]; then\n    echo \"policyControllerImagerefs not found\"\n    exit 1\nfi\n\necho \"Signing images with Keyless...\"\ncosign sign --yes -a GIT_HASH=\"$GIT_HASH\" -a GIT_VERSION=\"$GIT_VERSION\" $(cat policyControllerImagerefs)\n"
  },
  {
    "path": "release/ldflags.sh",
    "content": "#!/usr/bin/env bash\n\n# Copyright 2022 The Sigstore Authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#      http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Output LDFLAGS for a given environment. LDFLAGS are applied to all go binary\n# builds.\n#\n# Args: env\nfunction ldflags() {\n  local GIT_VERSION=$(git describe --tags --always --dirty)\n  local GIT_COMMIT=$(git rev-parse HEAD)\n\n  local GIT_TREESTATE=\"clean\"\n  if [[ $(git diff --stat) != '' ]]; then\n    GIT_TREESTATE=\"dirty\"\n  fi\n\n  local DATE_FMT=\"+%Y-%m-%dT%H:%M:%SZ\"\n  local BUILD_DATE=$(date \"$DATE_FMT\")\n  local SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)\n  if [ $SOURCE_DATE_EPOCH ]\n  then\n      local BUILD_DATE=$(date -u -d \"@$SOURCE_DATE_EPOCH\" \"$DATE_FMT\" 2>/dev/null || date -u -r \"$SOURCE_DATE_EPOCH\" \"$DATE_FMT\" 2>/dev/null || date -u \"$DATE_FMT\")\n  fi\n\n  echo \"-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$GIT_VERSION \\\n        -X sigs.k8s.io/release-utils/version.gitCommit=$GIT_COMMIT \\\n        -X sigs.k8s.io/release-utils/version.gitTreeState=$GIT_TREESTATE \\\n        -X sigs.k8s.io/release-utils/version.buildDate=$BUILD_DATE\"\n}\n"
  },
  {
    "path": "release/release.mk",
    "content": "######################\n# sign section\n######################\n\n.PHONY: build-sign-release-images\nbuild-sign-release-images: ko\n\tGIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \\\n\t./release/ko-sign-release-images.sh\n\n####################\n# copy image to GHCR\n####################\n\n.PHONY: copy-policy-controller-signed-release-to-ghcr\ncopy-policy-controller-signed-release-to-ghcr:\n\tcosign copy $(KO_PREFIX)/policy-controller:$(GIT_VERSION) $(GHCR_PREFIX)/policy-controller:$(GIT_VERSION)\n\n.PHONY: copy-signed-release-to-ghcr\ncopy-signed-release-to-ghcr: copy-policy-controller-signed-release-to-ghcr\n"
  },
  {
    "path": "test/cert_utils.go",
    "content": "// Copyright 2022 The Sigstore Authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//      http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage test\n\nimport (\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"encoding/asn1\"\n\t\"math/big\"\n\t\"net\"\n\t\"net/url\"\n\t\"time\"\n)\n\n/*\nTo use:\n\nrootCert, rootKey, _ := GenerateRootCa()\nsubCert, subKey, _ := GenerateSubordinateCa(rootCert, rootKey)\nleafCert, _, _ := GenerateLeafCert(\"subject\", \"oidc-issuer\", subCert, subKey)\n\nroots := x509.NewCertPool()\nsubs := x509.NewCertPool()\nroots.AddCert(rootCert)\nsubs.AddCert(subCert)\nopts := x509.VerifyOptions{\n\tRoots:         roots,\n\tIntermediates: subs,\n\tKeyUsages: []x509.ExtKeyUsage{\n\t\tx509.ExtKeyUsageCodeSigning,\n\t},\n}\n_, err := leafCert.Verify(opts)\n*/\n\nfunc createCertificate(template *x509.Certificate, parent *x509.Certificate, pub interface{}, priv crypto.Signer) (*x509.Certificate, error) {\n\tcertBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tcert, err := x509.ParseCertificate(certBytes)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn cert, nil\n}\n\nfunc GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) {\n\trootTemplate := &x509.Certificate{\n\t\tSerialNumber: big.NewInt(1),\n\t\tSubject: pkix.Name{\n\t\t\tCommonName:   \"sigstore\",\n\t\t\tOrganization: 
[]string{\"sigstore.dev\"},\n\t\t},\n\t\tNotBefore:             time.Now().Add(-5 * time.Minute),\n\t\tNotAfter:              time.Now().Add(5 * time.Hour),\n\t\tKeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,\n\t\tBasicConstraintsValid: true,\n\t\tIsCA:                  true,\n\t}\n\n\tpriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tcert, err := createCertificate(rootTemplate, rootTemplate, &priv.PublicKey, priv)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\treturn cert, priv, nil\n}\n\nfunc GenerateSubordinateCa(rootTemplate *x509.Certificate, rootPriv crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {\n\tsubTemplate := &x509.Certificate{\n\t\tSerialNumber: big.NewInt(1),\n\t\tSubject: pkix.Name{\n\t\t\tCommonName:   \"sigstore-sub\",\n\t\t\tOrganization: []string{\"sigstore.dev\"},\n\t\t},\n\t\tNotBefore:             time.Now().Add(-2 * time.Minute),\n\t\tNotAfter:              time.Now().Add(2 * time.Hour),\n\t\tKeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,\n\t\tExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},\n\t\tBasicConstraintsValid: true,\n\t\tIsCA:                  true,\n\t}\n\n\tpriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tcert, err := createCertificate(subTemplate, rootTemplate, &priv.PublicKey, rootPriv)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\treturn cert, priv, nil\n}\n\nfunc GenerateLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Certificate, parentPriv crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {\n\tcertTemplate := &x509.Certificate{\n\t\tSerialNumber:   big.NewInt(1),\n\t\tEmailAddresses: []string{subject},\n\t\tNotBefore:      time.Now().Add(-1 * time.Minute),\n\t\tNotAfter:       time.Now().Add(time.Hour),\n\t\tKeyUsage:       
x509.KeyUsageDigitalSignature,\n\t\tExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},\n\t\tIsCA:           false,\n\t\tExtraExtensions: []pkix.Extension{{\n\t\t\t// OID for OIDC Issuer extension\n\t\t\tId:       asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1},\n\t\t\tCritical: false,\n\t\t\tValue:    []byte(oidcIssuer),\n\t\t}},\n\t}\n\n\tpriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tcert, err := createCertificate(certTemplate, parentTemplate, &priv.PublicKey, parentPriv)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\treturn cert, priv, nil\n}\n\nfunc GenerateLeafCertWithSubjectAlternateNames(dnsNames []string, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, oidcIssuer string, parentTemplate *x509.Certificate, parentPriv crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {\n\tcertTemplate := &x509.Certificate{\n\t\tSerialNumber:   big.NewInt(1),\n\t\tEmailAddresses: emailAddresses,\n\t\tDNSNames:       dnsNames,\n\t\tIPAddresses:    ipAddresses,\n\t\tURIs:           uris,\n\t\tNotBefore:      time.Now().Add(-1 * time.Minute),\n\t\tNotAfter:       time.Now().Add(time.Hour),\n\t\tKeyUsage:       x509.KeyUsageDigitalSignature,\n\t\tExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},\n\t\tIsCA:           false,\n\t\tExtraExtensions: []pkix.Extension{{\n\t\t\t// OID for OIDC Issuer extension\n\t\t\tId:       asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1},\n\t\t\tCritical: false,\n\t\t\tValue:    []byte(oidcIssuer),\n\t\t}},\n\t}\n\n\tpriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tcert, err := createCertificate(certTemplate, parentTemplate, &priv.PublicKey, parentPriv)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\treturn cert, priv, nil\n}\n"
  },
  {
    "path": "test/ci.mk",
    "content": "############\n# signing ci\n############\n\n.PHONY: sign-policy-images\nsign-policy-images:\n\tcosign sign -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/policy-controller:$(GIT_HASH)\n\n.PHONY: build-sign-containers\nbuild-sign-containers: ko sign-policy-images\n"
  },
  {
    "path": "test/cmd/getoidctoken/main.go",
    "content": "// Copyright 2022 The Sigstore Authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//      http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage main\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\t\"net/http\"\n\t\"os\"\n\t\"time\"\n\n\t\"github.com/kelseyhightower/envconfig\"\n)\n\ntype envConfig struct {\n\tFileName string `envconfig:\"OIDC_FILE\" default:\"/var/run/sigstore/policy-controller/oidc-token\" required:\"true\"`\n}\n\nfunc tokenWriter(filename string) func(http.ResponseWriter, *http.Request) {\n\treturn func(w http.ResponseWriter, req *http.Request) {\n\t\tgetToken(filename, w, req)\n\t}\n}\nfunc getToken(tokenFile string, w http.ResponseWriter, _ *http.Request) {\n\tcontent, err := os.ReadFile(tokenFile)\n\tif err != nil {\n\t\tlog.Print(\"failed to read token file\", err)\n\t\thttp.Error(w, err.Error(), http.StatusInternalServerError)\n\t\treturn\n\t}\n\t_, err = fmt.Fprint(w, string(content))\n\tif err != nil {\n\t\tlog.Print(\"failed to write token file to response\", err)\n\t\thttp.Error(w, err.Error(), http.StatusInternalServerError)\n\t}\n}\n\nfunc main() {\n\tvar env envConfig\n\tif err := envconfig.Process(\"\", &env); err != nil {\n\t\tlog.Fatalf(\"failed to process env var: %s\", err)\n\t}\n\n\thttp.HandleFunc(\"/\", tokenWriter(env.FileName))\n\tserver := &http.Server{\n\t\tAddr:              \":8080\",\n\t\tReadHeaderTimeout: 5 * time.Second,\n\t}\n\tif err := server.ListenAndServe(); err != nil {\n\t\tpanic(err)\n\t}\n}\n"
  },
  {
    "path": "test/config/gettoken/gettoken.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: serving.knative.dev/v1\nkind: Service\nmetadata:\n  name: gettoken\nspec:\n  template:\n    spec:\n      containers:\n      - name: gettoken\n        image: ko://github.com/sigstore/policy-controller/test/cmd/getoidctoken\n        env:\n        - name: OIDC_FILE\n          value: \"/var/run/sigstore/cosign/oidc-token\"\n        volumeMounts:\n        - name: oidc-info\n          mountPath: /var/run/sigstore/cosign\n      volumes:\n        - name: oidc-info\n          projected:\n            sources:\n              - serviceAccountToken:\n                  path: oidc-token\n                  expirationSeconds: 600\n                  audience: sigstore\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job job-that-fails -n ${NS} 
--ignore-not-found=true\n  if kubectl create -n ${NS} job job-that-fails --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish the first test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\n# Publish the second test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world 2 TIMESTAMP\")\n}\nEOF\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage2=`ko publish -B example.com/demo`\npopd\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy with keyless signing'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless.yaml\necho '::endgroup::'\n\necho '::group:: Sign demo image'\nif ! cosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN} ; then\n  echo \"failed to sign with keyless\"\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Verify demo image'\nif ! 
cosign verify --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage} ; then\n  echo \"failed to verify with keyless\"\nfi\necho '::endgroup::'\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-keyless-signing\nkubectl label namespace demo-keyless-signing policy.sigstore.dev/include=true\nexport NS=demo-keyless-signing\necho '::endgroup::'\n\necho '::group:: test job success'\n# We signed this above, this should work\nif ! kubectl create -n demo-keyless-signing job demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace with matching signature!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\n# Create a CIP with static fail, since they are ANDed together, even though it\n# passed above will now fail.\necho '::group:: Create CIP that always fails'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-static-fail.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: test with static fail'\nexpected_error='disallowed by static policy'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Create CIP that always passes'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-static-pass.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: test with static fail and static pass'\nexpected_error='disallowed by static policy'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Delete CIP that always fails'\nkubectl delete cip image-policy-static-fail\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: test with static pass should work'\n# We signed this above, and there's pass always so should work\nif ! 
kubectl create -n demo-keyless-signing job demo-works --image=${demoimage} ; then\n  echo Failed to create Job in namespace with matching signature and static pass!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image and static pass\nfi\necho '::endgroup::'\n\n\n# We did not sign this, should fail\necho '::group:: test job rejection'\nif kubectl create -n demo-keyless-signing job demo2 --image=${demoimage2} ; then\n  echo Failed to block unsigned Job creation!\n  exit 1\nelse\n  echo Successfully blocked Job creation with unsigned image\nfi\necho '::endgroup::'\n\necho '::group:: Add cip with identities that match issuer/subject'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-identities.yaml\n# make sure the reconciler has enough time to update the configmap\nsleep 5\necho '::endgroup::'\n\n# This has correct issuer/subject, so should work\necho '::group:: test job success with identities'\nif ! kubectl create -n demo-keyless-signing job demo-identities-works --image=${demoimage} ; then\n  echo Failed to create Job in namespace with matching issuer/subject!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image keyless\nfi\necho '::endgroup::'\n\necho '::group:: Add cip with identities that do not match issuer/subject'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-identities-mismatch.yaml\n# make sure the reconciler has enough time to update the configmap\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job block with mismatching issuer/subject'\nexpected_error='none of the expected identities matched what was in the certificate'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Remove mismatching cip, start fresh for key'\nkubectl delete cip --all\necho 'done deleting cips'\nsleep 5\necho '::endgroup::'\n\necho '::group:: Generate New Signing Key For Colocated Signature'\nCOSIGN_PASSWORD=\"\" cosign generate-key-pair\nmv cosign.key 
cosign-colocated-signing.key\nmv cosign.pub cosign-colocated-signing.pub\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy With Key Signing'\nyq '. | .spec.authorities[0].key.data |= load_str(\"cosign-colocated-signing.pub\")' \\\n  ./test/testdata/policy-controller/e2e/cip-key.yaml | \\\n  kubectl apply -f -\necho '::endgroup::'\n\necho '::group:: Create and label new namespace for verification'\nkubectl create namespace demo-key-signing\nkubectl label namespace demo-key-signing policy.sigstore.dev/include=true\n\necho '::group:: Verify blocks unsigned with the key'\nif kubectl create -n demo-key-signing job demo --image=${demoimage}; then\n  echo Failed to block unsigned Job creation!\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Sign demoimage with cosign key'\nif ! COSIGN_PASSWORD=\"\" cosign sign --key cosign-colocated-signing.key --yes --allow-insecure-registry --rekor-url ${REKOR_URL} ${demoimage} ; then\n  echo failed to sign demoimage with key\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Verify demoimage with cosign key'\nif ! cosign verify --key cosign-colocated-signing.pub --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage} ; then\n  echo failed to verify demo image with cosign key\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: test job success'\n# We signed this above, this should work\nif ! kubectl create -n demo-key-signing job demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace after signing with key!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\n# Deploy a CIP that adds a keyless entry, that tests OR.\necho '::group:: Deploy ClusterImagePolicy With Key Signing'\nyq '. 
| .spec.authorities[0].key.data |= load_str(\"cosign-colocated-signing.pub\")' \\\n  ./test/testdata/policy-controller/e2e/cip-key-and-keyless.yaml | \\\n  kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\necho '::group:: test with key and keyless, authorities OR'\nif ! kubectl create -n demo-key-signing job demo-with-or --image=${demoimage} ; then\n  echo Failed to create Job in namespace after adding a keyless authority, OR is not working\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\necho '::group:: test job rejection'\n# We did not sign this, should fail\nif kubectl create -n demo-key-signing job demo2 --image=${demoimage2} ; then\n  echo Failed to block unsigned Job creation!\n  exit 1\nelse\n  echo Successfully blocked Job creation with unsigned image\nfi\necho '::endgroup::'\n\n# Deploy a CIP that adds a keyless entry, that tests OR.\necho '::group:: Deploy ClusterImagePolicy With Key Signing and Ignore SCT'\nyq '. | .spec.authorities[0].key.data |= load_str(\"cosign-colocated-signing.pub\")' \\\n  ./test/testdata/policy-controller/e2e/cip-key-and-keyless-ignore-sct.yaml | \\\n  kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\necho '::group:: test with key and keyless ignoring sct'\nif ! 
kubectl create -n demo-key-signing job demo-ignore-sct --image=${demoimage} ; then\n  echo Failed to create Job in namespace after adding a keyless authority ignoring sct, OR is not working\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\necho '::group:: test job rejection ignoring sct'\n# We did not sign this, should fail\nif kubectl create -n demo-key-signing job demo2-ignore-sct --image=${demoimage2} ; then\n  echo Failed to block unsigned Job creation!\n  exit 1\nelse\n  echo Successfully blocked Job creation with unsigned image\nfi\necho '::endgroup::'\n\necho '::group:: Generate new Signing key and secret used for validating secret'\nCOSIGN_PASSWORD=\"\" cosign generate-key-pair\nmv cosign.key cosign-secret.key\nmv cosign.pub cosign-secret.pub\nkubectl -n cosign-system create secret generic cip-secret --from-file=secret=./cosign-secret.pub\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy with secret as the key'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-key-secret.yaml\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\necho '::group:: test with key and keyless, authorities OR'\nif kubectl create -n demo-key-signing job demo-with-secret --image=${demoimage} ; then\n  echo Failed to block Job in namespace after adding a secretRef\n  exit 1\nelse\n  echo Succcessfully blocked Job with secretRef key but not signed with it.\nfi\necho '::endgroup::'\n\necho '::group:: Sign demoimage with cosign key secret'\nif ! COSIGN_PASSWORD=\"\" cosign sign --key cosign-secret.key --yes --allow-insecure-registry --rekor-url ${REKOR_URL} ${demoimage} ; then\n  echo failed to sign demoimage with key secret\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Verify demoimage with cosign key secret'\nif ! 
cosign verify --key cosign-secret.pub --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage} ; then\n  echo failed to verify demo image with cosign key\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: test with secret signed'\nif ! kubectl create -n demo-key-signing job demo-with-secret --image=${demoimage} ; then\n  echo Failed to create Job in namespace after signing with secretRef\n  exit 1\nelse\n  echo Succcessfully created Job with secretRef signed.\nfi\necho '::endgroup::'\n\n\necho '::group:: Generate New Signing Key For Remote Signature'\nCOSIGN_PASSWORD=\"\" cosign generate-key-pair\nmv cosign.key cosign-remote-signing.key\nmv cosign.pub cosign-remote-signing.pub\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy With Remote Public Key But Missing Source'\nyq '. | .metadata.name = \"image-policy-remote-source\"\n    | .spec.authorities[0].key.data |= load_str(\"cosign-remote-signing.pub\")' \\\n  ./test/testdata/policy-controller/e2e/cip-key.yaml | \\\n  kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\necho '::group:: Sign demoimage with cosign remote key'\nif ! COSIGN_PASSWORD=\"\" COSIGN_REPOSITORY=\"${KO_DOCKER_REPO}/remote-signature\" cosign sign --key cosign-remote-signing.key --yes --allow-insecure-registry --rekor-url ${REKOR_URL} ${demoimage} ; then\n  echo \"failed to sign with remote key\"\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Verify demoimage with cosign remote key'\nif cosign verify --key cosign-remote-signing.pub --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}; then\n  echo \"Signature should not have been verified unless COSIGN_REPOSITORY was defined\"\n  exit 1\nfi\n\nif ! 
COSIGN_REPOSITORY=\"${KO_DOCKER_REPO}/remote-signature\" cosign verify --key cosign-remote-signing.pub --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}; then\n  echo \"Signature should have been verified when COSIGN_REPOSITORY was defined\"\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Create test namespace and label for remote key verification'\nkubectl create namespace demo-key-remote\nkubectl label namespace demo-key-remote policy.sigstore.dev/include=true\necho '::endgroup::'\n\necho '::group:: Verify with three CIP, one without correct Source set'\nif kubectl create -n demo-key-remote job demo --image=${demoimage}; then\n  echo Failed to block unsigned Job creation!\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy With Remote Public Key With Source'\nyq '. | .metadata.name = \"image-policy-remote-source\"\n    | .spec.authorities[0].key.data |= load_str(\"cosign-remote-signing.pub\")\n    | .spec.authorities[0] += {\"source\": [{\"oci\": env(KO_DOCKER_REPO)+\"/remote-signature\"}]}' \\\n  ./test/testdata/policy-controller/e2e/cip-key.yaml | \\\n  kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\necho '::group:: Verify with three CIP, one with correct Source set'\n# We signed this above and applied remote signature source location above\nif ! 
kubectl create -n demo-key-remote job demo --image=${demoimage}; then\n  echo Failed to create Job with Remote Public Key with Source\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns demo-key-signing demo-keyless-signing demo-key-remote\nrm cosign*.key cosign*.pub\necho '::endgroup::'\n\necho '::group:: Generate New Signing Key For Matching Resources with Labels'\nCOSIGN_PASSWORD=\"\" cosign generate-key-pair\nmv cosign.key cosign-match-signing.key\nmv cosign.pub cosign-match-signing.pub\necho '::endgroup::'\n\necho '::group:: Create test namespace and label for matching Pods only in namespace'\nkubectl create namespace demo-match-res-label-only\nkubectl label namespace demo-match-res-label-only policy.sigstore.dev/include=true\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy With Matching Resource Labels for Pods'\nyq '. | .metadata.name = \"image-policy-match-label\"\n    | .spec.authorities[0].key.data |= load_str(\"cosign-match-signing.pub\")' \\\n  ./test/testdata/policy-controller/e2e/cip-match-resource-label.yaml | \\\n  kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\n# For pods that do not match labels, meaning there are no matching policies, we\n# need to flip the default behaviour of deny => allow.\n# But, let's flip it here before the tests to make sure matched pods are\n# denied properly.\necho '::group:: Change no-match policy to warn'\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"no-match-policy\":\"allow\"}}'\n# allow for propagation\nsleep 5\necho '::endgroup::'\n\necho '::group:: Verify with CIP that blocks a pod with valid labels but a different key'\nif kubectl run -n demo-match-res-label-only demo-invalid-key 
--image=${demoimage} -l match=match; then\n  echo Failed to block signed Pod with wrong key creation!\n  exit 1\nfi\necho '::endgroup::'\n\n\necho '::group:: Verify with CIP that pods can get deployed due to unmatching labels'\nif ! kubectl run -n demo-match-res-label-only demo-valid-key --image=${demoimage}  -l test=staging; then\n  echo Failed to create Pod when labels are not matching the CIP\n  exit 1\nelse\n  echo Succcessfully created Pod when labels are not matching the CIP\nfi\necho '::endgroup::'\n\necho '::group:: Sign demoimage with cosign key'\nif ! COSIGN_PASSWORD=\"\" cosign sign --key cosign-match-signing.key --yes --allow-insecure-registry --rekor-url ${REKOR_URL} ${demoimage} ; then\n  echo failed to sign demoimage with key\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Verify demoimage with cosign key'\nif ! cosign verify --key cosign-match-signing.pub --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage} ; then\n  echo failed to verify demo image with cosign key\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Verify with CIP that blocks the pod using a valid key and labels'\nif ! 
kubectl run -n demo-match-res-label-only demo-valid-key-labels --image=${demoimage} -l match=match; then\n  echo Failed to create Pod with a valid key and matching labels\n  exit 1\nelse\n  echo Succcessfully created Pod with a valid key and matching labels\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns demo-match-res-label-only\nrm cosign*.key cosign*.pub\necho '::endgroup::'\n\ndemoimageSignature=\"quay.io/jetstack/cert-manager-acmesolver:v1.9.1\"\n\necho '::group:: Create test namespace and label for signature digest sha512'\nkubectl create namespace demo-key-sha512\nkubectl label namespace demo-key-sha512 policy.sigstore.dev/include=true\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy With signature digest sha512'\nyq '. | .metadata.name = \"image-policy-sha512-key\"' \\\n  ./test/testdata/policy-controller/e2e/cip-key-hash-algorithm.yaml | \\\n  kubectl apply -f -\necho '::endgroup::'\n\necho '::group:: Verify ClusterImagePolicy With signature digest sha512 using a pod'\n# We use a signed image provided by jetstack for cert-manager-acmesolver:v1.9.1\nif ! 
kubectl run -n demo-key-sha512 job demo-sha512-key --image=${demoimageSignature}; then\n  echo Failed to create Pod with signature digest sha512\n  exit 1\nelse\n  echo Succcessfully created Pod with signature digest sha512\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns demo-key-sha512\necho '::endgroup::'\n\n# These tests have been running for awhile now, so grab a new OIDC_TOKEN since\n# we've seen them expire in the middle of the tests.\nexport OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n\n# Publish the first test image\necho '::group:: publish test image demoEphemeralImage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport (\n  \"fmt\"\n  \"time\"\n)\nfunc main() {\n  // Calling Sleep method\n  time.Sleep(8 * time.Minute)\n\n  fmt.Println(\"Sleep Over.....\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoEphemeralImage=`ko publish -B example.com/demo`\necho Created image $demoEphemeralImage\npopd\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy with keyless signing'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless.yaml\necho '::endgroup::'\n\necho '::group:: Sign demo image'\nif ! cosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoEphemeralImage} --identity-token ${OIDC_TOKEN} ; then\n  echo \"failed to sign with keyless\"\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Verify demo image'\nif ! 
cosign verify --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoEphemeralImage} ; then\n  echo \"failed to verify with keyless\"\nfi\necho '::endgroup::'\n\necho '::group:: Create test namespace and label for verification'\nexport NS=demo-ephemeral-verification\nkubectl create namespace ${NS}\nkubectl label namespace ${NS} policy.sigstore.dev/include=true\necho '::endgroup::'\n\necho '::group:: test pod success'\n# We signed this above, this should work\nif ! kubectl run -n ${NS} poddemo --image=${demoEphemeralImage} ; then\n  echo Failed to create Pod in namespace with matching signature!\n  exit 1\nelse\n  echo Succcessfully created Pod with signed image\nfi\necho '::endgroup::'\n\necho '::group:: Set no-match policy to deny'\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"no-match-policy\":\"deny\"}}'\n# allow for propagation\nsleep 10\necho '::endgroup::'\n\nephemeralContainerImage=\"busybox@sha256:9810966b5f712084ea05bf28fc8ba2c8fb110baa2531a10e2da52c1efc504698\"\n\necho '::group:: test rejection of ephemeral container that does not have any signature'\n# We want to validate that ephemeral containers are validated, and rejected for this example\nif kubectl debug poddemo -n ${NS} --image=${ephemeralContainerImage} ; then\n  echo Failed to block EphemeralContainer for Pod in namespace with no matching signature!\n  exit 1\nelse\n  echo Succcessfully created EphemeralContainer for Pod without any valid signed image\nfi\necho '::endgroup::'\n\nkubernetesVersion=$(kubectl version -o json | jq -rj '.serverVersion|.major,\".\",.minor')\n\necho '::group:: Create Ephemeral Container with valid signature for the image'\nif ! 
kubectl debug poddemo -n ${NS} --image=${demoEphemeralImage}; then\n  # Check if the kubernetes version is v1.22 then ignore the error as ephemeral containers are not supported\n  # NOTE(review): the sort -V | head -1 comparison below also holds for any server version newer than 1.22,\n  # so a failure here is ignored on those clusters as well; confirm that is intended.\n  if [ \"$(echo -e \"1.22\\n${kubernetesVersion}\" | sort -V | head -1)\" == \"1.22\" ]; then\n    echo \"Ignore error: Ephemeral containers are not supported in Kubernetes v1.22\"\n  else\n   echo Failed to create Ephemeral Container with a valid signature ${kubernetesVersion}\n   exit 1\n  fi\nelse\n  echo Succcessfully created Ephemeral Container with a valid signature\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_from_configmap_with_fetch_config_file.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\n#set -ex\nset -e\n\n# This is a timestamp server that has multiarch that we just use for testing\n# evaluating CIP level policy validations.\nexport demoimage=\"ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\"\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job job-that-fails -n ${NS} --ignore-not-found=true\n  if kubectl create -n ${NS} job job-that-fails --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! 
grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-config-file-with-configmap\nkubectl label namespace demo-config-file-with-configmap policy.sigstore.dev/include=true\nexport NS=demo-config-file-with-configmap\necho '::endgroup::'\n\n# Create the configmap that contains our cue policy. Note that as is, it will\n# fail.\nkubectl create -n cosign-system configmap policy-config --from-file=policy=./test/testdata/policies/cue-policy-config.cue\n\n# Note that we put this in a for loop to make sure the webhook is actually\n# up and running before proceeding with the tests.\necho '::group:: Deploy ClusterImagePolicy with config file that should fail'\nfor i in {1..10}\ndo\n  if kubectl apply -f ./test/testdata/policy-controller/e2e/cip-config-file-policy-from-configmap.yaml ; then\n    echo successfully applied CIP\n    break\n  fi\n  if [ \"$i\" == 10 ]; then\n    echo failed to apply CIP\n    exit 1\n  fi\n  echo failed to apply CIP. 
Attempt numer \"$i\", retrying\n  sleep 2\ndone\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: validate failure'\nexpected_error='failed evaluating cue policy for ClusterImagePolicy: failed to evaluate the policy with error: config.\"linux/amd64\".config.User: conflicting values'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Note that we update the configmap here, which should propagate through to the\n# serialized CIP, so testing that as well here.\necho '::group:: Update configmap with passing values'\nkubectl -n cosign-system get cm -oyaml policy-config | sed  's/65530/65532/' | kubectl apply -f -\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job success'\n# This one should pass since the User is what we specified in the CIP policy.\nif ! kubectl create -n ${NS} job demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace with valid CIP policy!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_from_url.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\n#set -ex\nset -e\n\n# This is a timestamp server that has multiarch that we just use for testing\n# evaluating CIP level policy validations.\nexport demoimage=\"ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\"\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job job-that-fails -n ${NS} --ignore-not-found=true\n  if kubectl create -n ${NS} job job-that-fails --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! 
grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-policy-with-url\nkubectl label namespace demo-policy-with-url policy.sigstore.dev/include=true\nexport NS=demo-policy-with-url\necho '::endgroup::'\n\n# Note that we put this in a for loop to make sure the webhook is actually\n# up and running before proceeding with the tests.\necho '::group:: Deploy ClusterImagePolicy with config file that should fail due to cue errors'\nfor i in {1..10}\ndo\n  if kubectl apply -f ./test/testdata/policy-controller/e2e/cip-policy-from-url.yaml ; then\n    echo successfully applied CIP\n    break\n  fi\n  if [ \"$i\" == 10 ]; then\n    echo failed to apply CIP\n    exit 1\n  fi\n  echo failed to apply CIP. Attempt numer \"$i\", retrying\n  sleep 2\ndone\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: validate failure'\nexpected_error='failed evaluating cue policy for ClusterImagePolicy: failed to evaluate the policy with error: config.\"linux/amd64\".config.User: conflicting values'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Update policy url and sha256sum with passing cue values'\nkubectl patch cip image-policy-url --type \"json\" \\\n-p '[{\"op\":\"replace\", \"path\":\"/spec/policy/remote/url\", \"value\":\"https://gist.githubusercontent.com/hectorj2f/af0d32d4be4bf2710cff76c397a14751/raw/d4dd87fffdf9624a21e62b8719e3ce8d61334ab9/policy-controller-test-success-cue\"},{\"op\":\"replace\", \"path\":\"/spec/policy/remote/sha256sum\", \"value\":\"45eb2cce1c84418d615f3e56c701451b63d58b95f9559dfa1d5254cb851358d3\"}]'\n# allow for propagation\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job success'\n# This one should pass since the User is what we specified in the CIP policy.\nif ! 
kubectl create -n ${NS} job demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace with valid CIP policy!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_no_tuf.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job demo -n ${NS} --ignore-not-found=true\n  if kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! 
grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Create and label new namespace for verification'\nkubectl create namespace demo-no-tuf\nkubectl label namespace demo-no-tuf policy.sigstore.dev/include=true\nexport NS=demo-no-tuf\necho '::endgroup::'\n\necho '::group:: Generate New Signing Key that we use for key-ful signing'\nCOSIGN_PASSWORD=\"\" cosign generate-key-pair\necho '::endgroup::'\n\n# Create CIP that requires a signature with a key.\necho '::group:: Create CIP that requires a keyful signature'\nyq '. | .spec.authorities[0].key.data |= load_str(\"cosign.pub\")' ./test/testdata/policy-controller/e2e/cip-key-no-rekor.yaml | kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\n# This image has not been signed with our key\n# so should fail\necho '::group:: test job rejection'\nexpected_error='no signatures found'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Sign it with key\necho '::group:: Sign demoimage with key, do not add to rekor'\nCOSIGN_PASSWORD=\"\" cosign sign --tlog-upload=false --key cosign.key  --allow-insecure-registry ${demoimage}\necho '::endgroup::'\n\n# TODO(vaikas): This fails because it doesn't have a Rekor entry. 
Which it obvs\n# does not because of --tlog-upload=false above.\n#echo '::group:: Verify demoimage with cosign key'\n#cosign verify --key cosign.pub --allow-insecure-registry ${demoimage}\n#echo '::endgroup::'\n\n# Then let's test attestations work too with key.\necho '::group:: Create CIP that requires a keyful attestation'\nyq '. | .spec.authorities[0].key.data |= load_str(\"cosign.pub\")' ./test/testdata/policy-controller/e2e/cip-key-with-attestations-no-rekor.yaml | kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\n# This image has been signed with key, but does not have a key attestation\n# so should fail\necho '::group:: test job rejection'\nexpected_error='no matching attestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Fine, so create an attestation for it.\necho '::group:: create keyful attestation, do not add to rekor'\necho -n 'foobar key e2e test' > ./predicate-file-key-custom\nCOSIGN_PASSWORD=\"\" cosign attest --predicate ./predicate-file-key-custom --key ./cosign.key --allow-insecure-registry --tlog-upload=false ${demoimage}\n\n# TODO(vaikas): This again fails though it really shouldn't.\n#cosign verify-attestation --key ./cosign.pub --allow-insecure-registry ${demoimage}\necho '::endgroup::'\n\nexport KUBECTL_SUCCESS_FILE=\"/tmp/kubectl.success.out\"\necho '::group:: test job success with key signature and key attestation'\n# We signed this with key and it has a key attestation, so should pass.\nif ! 
kubectl create -n ${NS} job demo2 --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with both key signature and attestation\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with key signature and an attestation\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\nrm cosign.key cosign.pub\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_attestations.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job demo -n ${NS} 
--ignore-not-found=true\n  if kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Create and label new namespace for verification'\nkubectl create namespace demo-attestations\nkubectl label namespace demo-attestations policy.sigstore.dev/include=true\nexport NS=demo-attestations\necho '::endgroup::'\n\necho '::group:: Create CIP that requires keyless signature'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\n# This image has not been signed at all, so should get auto-reject\necho '::group:: test job rejection'\nexpected_error='no signatures found'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Sign demoimage with keyless'\ncosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN}\necho '::endgroup::'\n\necho '::group:: Create CIP that requires keyless custom attestation with policy'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\n# This image has been signed, but does not have an 
attestation, so should fail.\necho '::group:: test job rejection'\nexpected_error='no matching attestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Ok, cool. So attest and it should pass.\necho '::group:: Create one keyless attestation and verify it'\necho -n 'foobar e2e test' > ./predicate-file-custom\ncosign attest --predicate ./predicate-file-custom --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN}\n\ncosign verify-attestation --type=custom --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job success'\n# We signed this with keyless and it has a keyless attestation, so should\n# pass.\nexport KUBECTL_SUCCESS_FILE=\"/tmp/kubectl.success.out\"\nif ! kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with keyless signature and an attestation\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with keyless signature and an attestation\nfi\nkubectl delete -n ${NS} job demo\necho '::endgroup::'\n\necho '::group:: Generate New Signing Key that we use for key-ful signing'\nCOSIGN_PASSWORD=\"\" cosign generate-key-pair\necho '::endgroup::'\n\n# Ok, so now we have satisfied the keyless requirements, one signature, one\n# custom attestation. Let's now do it for 'keyful' one.\necho '::group:: Create CIP that requires a keyful signature'\nyq '. 
| .spec.authorities[0].key.data |= load_str(\"cosign.pub\")' ./test/testdata/policy-controller/e2e/cip-key.yaml | kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\n# This image has been signed with keyless, but does not have a keyful signature\n# so should fail\necho '::group:: test job rejection'\nexpected_error='no matching signatures'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Sign it with key\necho '::group:: Sign demoimage with key, and add to rekor'\nCOSIGN_PASSWORD=\"\" cosign sign --key cosign.key --yes --allow-insecure-registry --rekor-url ${REKOR_URL} ${demoimage}\necho '::endgroup::'\n\necho '::group:: Verify demoimage with cosign key'\ncosign verify --key cosign.pub --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\n# Ok, so now we have satisfied the keyless requirements, one signature, one\n# custom attestation, and one 'keyful' one. But it will now be missing a\n# keyful attestation, so let's add that requirement.\necho '::group:: Create CIP that requires a keyful attestation'\nyq '. 
| .spec.authorities[0].key.data |= load_str(\"cosign.pub\")' ./test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml | kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\n# This image has been signed with key, but does not have a key attestation\n# so should fail\necho '::group:: test job rejection'\nexpected_error='no matching attestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Fine, so create an attestation for it that's different from the keyless one\necho '::group:: create keyful attestation, add add to rekor'\necho -n 'foobar key e2e test' > ./predicate-file-key-custom\nCOSIGN_PASSWORD=\"\" cosign attest --predicate ./predicate-file-key-custom --rekor-url ${REKOR_URL} --key ./cosign.key --allow-insecure-registry --yes ${demoimage}\n\ncosign verify-attestation --key ./cosign.pub --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job success with key / keyless'\n# We signed this with keyless and key and it has a key/keyless attestation, so\n# should pass.\nif ! kubectl create -n ${NS} job demo2 --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with both key/keyless signatures and attestations\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with keyless/key signature and an attestations\nfi\necho '::endgroup::'\n\n# We have to fix this bug, so bail for now so we get passing tests.\n# Nothing after the exit 0 below runs, including the final Cleanup group that\n# deletes the CIPs and namespace and removes cosign.key and cosign.pub.\n# https://github.com/sigstore/policy-controller/issues/130\necho \"***********Exiting early due to bug 130*********\"\nexit 0\n\n# So at this point, we have two CIP, one that requires keyless/key sig\n# and attestations with both. 
Let's take it up a notch.\n# Let's create a policy that requires both a keyless and keyful\n# signature on the image, as well as two attestations signed by the keyless and\n# one custom attestation that's signed by key.\n# Note we have to bake in the inline data from the keys above\necho '::group:: Add cip for two signatures and two attestations'\nyq '. | .spec.authorities[1].key.data |= load_str(\"cosign.pub\") | .spec.authorities[3].key.data |= load_str(\"cosign.pub\")' ./test/testdata/policy-controller/e2e/cip-requires-two-signatures-and-two-attestations.yaml | kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\n# The CIP policy is the one that should fail now because it doesn't have enough\n# attestations\necho '::group:: test job rejection'\nexpected_error='failed to evaluate the policy with error: authorityMatches.keylessattMinAttestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Create vuln keyless attestation and verify it'\ncosign attest --predicate ./test/testdata/attestations/vuln-predicate.json --type=vuln --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN}\n\ncosign verify-attestation --type=vuln --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job success'\n# We signed this with key and keyless and it has two keyless attestations and\n# it has one key attestation, so it should succeed.\nif ! 
kubectl create -n ${NS} job demo3 --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job that has two signatures and 3 attestations\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\nrm cosign.key cosign.pub\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_attestations_rego.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job demo -n ${NS} 
--ignore-not-found=true\n  if kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Create and label new namespace for verification'\nkubectl create namespace demo-attestations-rego\nkubectl label namespace demo-attestations-rego policy.sigstore.dev/include=true\nexport NS=demo-attestations-rego\necho '::endgroup::'\n\necho '::group:: Create CIP that requires keyless signature'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\n# This image has not been signed at all, so should get auto-reject\necho '::group:: test job rejection'\nexpected_error='no signatures found'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Sign demoimage with keyless'\ncosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN}\necho '::endgroup::'\n\necho '::group:: Create CIP that requires keyless custom attestation with policy that requires data == \"foobar e2e test\"'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-attestations-rego.yaml\n# allow things to propagate\nsleep 5\necho 
'::endgroup::'\n\n# This image has been signed, but does not have an attestation, so should fail.\necho '::group:: test job rejection'\nexpected_error='no matching attestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Ok, cool. So attest and it should still fail because the data does not match.\necho '::group:: Create one keyless attestation with incorrect data and verify it'\necho -n 'barfoo e2e test' > ./predicate-file-custom-fails\ncosign attest --predicate ./predicate-file-custom-fails --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN}\n\ncosign verify-attestation --type=custom --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\n# This image has been signed, and has attestation, but data is not right\necho '::group:: test job rejection because the data does not match wanted policy'\nexpected_error='failed evaluating rego policy for type custom-match-predicate: policy is not compliant for query'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Create another attestation with the data to match what our policy wants.\necho '::group:: Create another keyless attestation with correct data and verify it'\necho -n 'foobar e2e test' > ./predicate-file-custom-works\ncosign attest --predicate ./predicate-file-custom-works --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN}\n\ncosign verify-attestation --type=custom --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job success'\n# We signed this with keyless and it has a keyless attestation, so should\n# pass.\nexport KUBECTL_SUCCESS_FILE=\"/tmp/kubectl.success.out\"\nif ! 
kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with keyless signature and an attestation\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with keyless signature and an attestation\nfi\nkubectl delete -n ${NS} job demo\necho '::endgroup::'\n\necho '::group:: Generate New Signing Key that we use for key-ful signing'\nCOSIGN_PASSWORD=\"\" cosign generate-key-pair\necho '::endgroup::'\n\n# Ok, so now we have satisfied the keyless requirements, one signature, one\n# custom attestation. Let's now do it for 'keyful' one.\necho '::group:: Create CIP that requires a keyful signature'\nyq '. | .spec.authorities[0].key.data |= load_str(\"cosign.pub\")' ./test/testdata/policy-controller/e2e/cip-key.yaml | kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\n# This image has been signed with keyless, but does not have a keyful signature\n# so should fail\necho '::group:: test job rejection'\nexpected_error='no matching signatures'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Sign it with key\necho '::group:: Sign demoimage with key, and add to rekor'\nCOSIGN_PASSWORD=\"\" cosign sign --key cosign.key --yes --allow-insecure-registry --rekor-url ${REKOR_URL} ${demoimage}\necho '::endgroup::'\n\necho '::group:: Verify demoimage with cosign key'\ncosign verify --key cosign.pub --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*' --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\n# Ok, so now we have satisfied the keyless requirements, one signature, one\n# custom attestation, and one 'keyful' one. But it will now be missing a\n# keyful attestation, so let's add that requirement.\necho '::group:: Create CIP that requires a keyful attestation'\nyq '. 
| .spec.authorities[0].key.data |= load_str(\"cosign.pub\")' ./test/testdata/policy-controller/e2e/cip-key-with-attestations-rego.yaml | kubectl apply -f -\n\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\n# This image has been signed with key, but does not have a key attestation\n# so should fail\necho '::group:: test job rejection'\nexpected_error='no matching attestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Fine, so create an attestation for it that's different from the keyless one\necho '::group:: create keyful attestation, add add to rekor'\necho -n 'foobar key e2e test' > ./predicate-file-key-custom\nCOSIGN_PASSWORD=\"\" cosign attest --predicate ./predicate-file-key-custom --rekor-url ${REKOR_URL} --key ./cosign.key --allow-insecure-registry --yes ${demoimage}\n\ncosign verify-attestation --key ./cosign.pub --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job success with key / keyless'\n# We signed this with keyless and key and it has a key/keyless attestation, so\n# should pass.\nif ! kubectl create -n ${NS} job demo2 --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with both key/keyless signatures and attestations\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with keyless/key signature and an attestations\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\nrm cosign.key cosign.pub\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_fetch_config_file.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\n#set -ex\nset -e\n\n# This is a timestamp server that has multiarch that we just use for testing\n# evaluating CIP level policy validations.\nexport demoimage=\"ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\"\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job job-that-fails -n ${NS} --ignore-not-found=true\n  if kubectl create -n ${NS} job job-that-fails --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! 
grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-config-file\nkubectl label namespace demo-config-file policy.sigstore.dev/include=true\nexport NS=demo-config-file\necho '::endgroup::'\n\n# Note that we put this in a for loop to make sure the webhook is actually\n# up and running before proceeding with the tests.\necho '::group:: Deploy ClusterImagePolicy with config file that should fail'\nfor i in {1..10}\ndo\n  if kubectl apply -f ./test/testdata/policy-controller/e2e/cip-config-file-policy-fails.yaml ; then\n    echo successfully applied failing CIP\n    break\n  fi\n  if [ \"$i\" == 10 ]; then\n    echo failed to apply failing CIP\n    exit 1\n  fi\n  echo failed to apply failing CIP. Attempt numer \"$i\", retrying\n  sleep 2\ndone\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: validate failure '\nexpected_error='failed evaluating cue policy for ClusterImagePolicy: failed to evaluate the policy with error: config.\"linux/amd64\".config.User: conflicting values'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Remove failingClusterImagePolicy and create one that passes'\nkubectl delete -f ./test/testdata/policy-controller/e2e/cip-config-file-policy-fails.yaml\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-config-file-policy.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job success'\n# This one should pass since the User is what we specified in the CIP policy.\nif ! 
kubectl create -n ${NS} job demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace with valid CIP policy!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_include_objectmeta.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\n#set -ex\nset -e\n\n# This is a timestamp server that we just use for testing evaluating CIP level\n# policy validations.\nexport demoimage=\"ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\"\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our pod and verify that the failure is expected. Note that this sets a label\n# that we expect to fail\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete pod pod-that-fails -n ${NS} --ignore-not-found=true\n  if kubectl run -n ${NS} -l=\"foo=bar\" pod-that-fails --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Pod failure!\n    exit 1\n  else\n    echo Successfully blocked Pod creation with expected error: \"${match}\"\n    if ! 
grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-include-objectmeta\nkubectl label namespace demo-include-objectmeta policy.sigstore.dev/include=true\nexport NS=demo-include-objectmeta\necho '::endgroup::'\n\n# Note that we put this in a for loop to make sure the webhook is actually\n# up and running before proceeding with the tests.\necho '::group:: Deploy ClusterImagePolicy with label that should fail'\nfor i in {1..10}\ndo\n  if kubectl apply -f ./test/testdata/policy-controller/e2e/cip-include-objectmeta-fails.yaml ; then\n    echo successfully applied failing CIP\n    break\n  fi\n  if [ \"$i\" == 10 ]; then\n    echo failed to apply failing CIP\n    exit 1\n  fi\n  echo failed to apply failing CIP. Attempt numer \"$i\", retrying\n  sleep 2\ndone\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: validate failure '\nexpected_error='failed evaluating cue policy for ClusterImagePolicy: failed to evaluate the policy with error: metadata.labels.foo: conflicting values \"bar\" and \"non-bar\"'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Remove failing ClusterImagePolicy and create one that passes'\nkubectl delete -f ./test/testdata/policy-controller/e2e/cip-include-objectmeta-fails.yaml\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-include-objectmeta.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job success'\n# This one should pass since the label is what we specified in the CIP\n# policy.\nif ! 
kubectl run -n ${NS} -l=\"foo=bar\" demo --image=${demoimage} ; then\n  echo Failed to create Pod in namespace with valid CIP policy!\n  exit 1\nelse\n  echo Succcessfully created Pod with correct labels\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_include_spec.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\n#set -ex\nset -e\n\n# This is a timestamp server that has multiarch that we just use for testing\n# evaluating CIP level policy validations.\nexport demoimage=\"ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\"\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our pod and verify that the failure is expected.\n# Note that we run this as a pod since our spec checks for pod specs only.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete pod pod-that-fails -n ${NS} --ignore-not-found=true\n  if kubectl run -n ${NS} pod-that-fails --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Pod failure!\n    exit 1\n  else\n    echo Successfully blocked Pod creation with expected error: \"${match}\"\n    if ! 
grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-include-spec\nkubectl label namespace demo-include-spec policy.sigstore.dev/include=true\nexport NS=demo-include-spec\necho '::endgroup::'\n\n# Note that we put this in a for loop to make sure the webhook is actually\n# up and running before proceeding with the tests.\necho '::group:: Deploy ClusterImagePolicy with included spec that should fail'\nfor i in {1..10}\ndo\n  if kubectl apply -f ./test/testdata/policy-controller/e2e/cip-include-spec-fails.yaml ; then\n    echo successfully applied failing CIP\n    break\n  fi\n  if [ \"$i\" == 10 ]; then\n    echo failed to apply failing CIP\n    exit 1\n  fi\n  echo failed to apply failing CIP. Attempt numer \"$i\", retrying\n  sleep 2\ndone\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: validate failure '\nexpected_error='failed evaluating cue policy for ClusterImagePolicy: failed to evaluate the policy with error: spec.serviceAccount: conflicting values \"default\" and \"non-default\"'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Remove failingClusterImagePolicy and create one that passes'\nkubectl delete -f ./test/testdata/policy-controller/e2e/cip-include-spec-fails.yaml\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-include-spec.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job success'\n# This one should pass since the serviceAccount is what we specified in the CIP\n# policy. Note that we run this as a pod since that's the spec that our cue\n# is looking for.\nif ! 
kubectl run -n ${NS} demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace with valid CIP policy!\n  exit 1\nelse\n  echo Succcessfully created Pod with correct serviceAccount\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_include_typemeta.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\n#set -ex\nset -e\n\n# This is a timestamp server that we just use for testing evaluating CIP level\n# policy validations.\nexport demoimage=\"ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\"\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our pod and verify that the failure is expected. Note that this sets a label\n# that we expect to fail\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job job-that-fails -n ${NS} --ignore-not-found=true\n  if kubectl create -n ${NS} job job-that-fails --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! 
grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-include-typemeta\nkubectl label namespace demo-include-typemeta policy.sigstore.dev/include=true\nexport NS=demo-include-typemeta\necho '::endgroup::'\n\n# Note that we put this in a for loop to make sure the webhook is actually\n# up and running before proceeding with the tests.\necho '::group:: Deploy ClusterImagePolicy with our CIP that only allows Pods'\nfor i in {1..10}\ndo\n  if kubectl apply -f ./test/testdata/policy-controller/e2e/cip-include-typemeta.yaml ; then\n    echo successfully applied failing CIP\n    break\n  fi\n  if [ \"$i\" == 10 ]; then\n    echo failed to apply Pod only CIP\n    exit 1\n  fi\n  echo failed to apply Pod only CIP. Attempt numer \"$i\", retrying\n  sleep 2\ndone\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: validate failure that can not run Jobs'\nexpected_error='failed evaluating cue policy for ClusterImagePolicy: failed to evaluate the policy with error: typemeta.kind: conflicting values \"Job\" and \"Pod\"'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: test pod success'\n# This one should pass since the kind (Pod) is what we specified in the CIP\n# policy.\nif ! kubectl run -n ${NS} demo --image=${demoimage} ; then\n  echo Failed to create Pod in namespace with valid CIP policy!\n  exit 1\nelse\n  echo Succcessfully created Pod\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete -n ${NS} pods --all\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_oci11_attestations.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2025 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# This test validates that the policy controller can discover and verify\n# attestations stored using the OCI 1.1 referrers API (as opposed to the\n# legacy tag-based discovery). Google Cloud Build stores attestations this way.\n\nset -ex\n\n# Use a public image with OCI 1.1 attestations from Google Cloud Build\n# This image has attestations discoverable via the OCI 1.1 referrers API\nexport TEST_IMAGE=\"us-docker.pkg.dev/cloudrun/container/hello@sha256:ee5d02305108fd8d65a8299a26cf01b6f976986fd04062e31280f97f21a91e3d\"\n\n# Namespace for testing\nexport NS=\"demo-oci11-attest\"\n\necho '::group:: Create test namespace'\nkubectl create namespace ${NS}\necho '::endgroup::'\n\necho '::group:: Enable OCI 1.1 support in policy controller'\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"enable-oci11\":\"true\"}}'\n# Allow for propagation\nsleep 5\necho '::endgroup::'\n\necho '::group:: Create ClusterImagePolicy for OCI 1.1 attestations'\n# This policy uses a static key (Google Cloud Build public key) to verify\n# attestations discoverable via OCI 1.1 referrers API\nkubectl apply -f - <<EOF\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: oci11-attestation-policy\nspec:\n  images:\n  - glob: 
\"us-docker.pkg.dev/cloudrun/container/**\"\n  authorities:\n  - name: google-cloud-build-key\n    key:\n      data: |\n        -----BEGIN PUBLIC KEY-----\n        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg9KII7kzr/30HBluf00y9WwtMFkE\n        qc3oCcFVH3QJ37IBLUv/MUApbnNHFfD75ayJ/a0F45xa+MLv5zoep+GxsA==\n        -----END PUBLIC KEY-----\n    attestations:\n    - name: require-provenance\n      predicateType: https://slsa.dev/provenance/v1\n      policy:\n        type: cue\n        data: |\n          predicateType: \"https://slsa.dev/provenance/v1\"\nEOF\necho '::endgroup::'\n\n# Allow time for the policy to be picked up\nsleep 5\n\necho '::group:: Test: Create pod with OCI 1.1 attestations (should succeed)'\nkubectl run -n ${NS} oci11-test \\\n  --image=${TEST_IMAGE} \\\n  --restart=Never \\\n  --command -- /hello\n\n# Wait for pod to be admitted\nsleep 3\n\n# Check if pod was created successfully.\n# NOTE(review): ${NS} is created above without the policy.sigstore.dev/include=true\n# label that the other e2e scripts apply; confirm the webhook evaluates this\n# namespace, otherwise this check passes without any attestation being verified.\n# This script also has no negative case (an image expected to be rejected).\nif ! kubectl get pod -n ${NS} oci11-test; then\n  echo \"FAIL: Pod with OCI 1.1 attestations was not created\"\n  kubectl describe pod -n ${NS} oci11-test || true\n  exit 1\nelse\n  echo \"SUCCESS: Pod with OCI 1.1 attestations was created successfully\"\nfi\necho '::endgroup::'\n\necho '::group:: Cleanup'\nkubectl delete pod -n ${NS} oci11-test --ignore-not-found=true\nkubectl delete clusterimagepolicy oci11-attestation-policy --ignore-not-found=true\nkubectl delete namespace ${NS} --ignore-not-found=true\n\n# Reset config to default\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"enable-oci11\":\"false\"}}'\necho '::endgroup::'\n\necho \"OCI 1.1 attestation test PASSED\"\n\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_source.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# Publish the first test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\n# To simplify testing failures, use this function 
to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job demo -n demo-keyless-source --ignore-not-found=true\n  if kubectl create -n demo-keyless-source job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy with keyless signing and source'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-source.yaml\necho '::endgroup::'\n\necho '::group:: Sign demo image'\ncosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN}\necho '::endgroup::'\n\necho '::group:: Verify demo image'\ncosign verify --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-keyless-source\nkubectl label namespace demo-keyless-source policy.sigstore.dev/include=true\nexport NS=demo-keyless-source\necho '::endgroup::'\n\necho '::group:: test job success as source.oci points to the right repository'\n# We signed this above, this should work\nif ! 
kubectl create -n demo-keyless-source job demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace with matching signature and good OCI source!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image and good OCI source\nfi\necho '::endgroup::'\n\necho '::group:: Change source.oci in policy to a wrong repository without signatures'\nkubectl patch cip image-policy-keyless-source --type \"json\" \\\n-p '[{\"op\":\"replace\", \"path\":\"/spec/authorities/0/source/0/oci\", \"value\":\"ghcr.io/sigstore/cosign/cosign\"}]'\n# allow for propagation\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job rejection using an OCI source to a wrong repository without signatures'\nexpected_error='no signatures found'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Remove the old CIP and create CIP that uses attestation with prefixes'\nkubectl delete cip --all\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-source-prefix-tag.yaml\n# allow for propagation\nsleep 5\necho '::endgroup::'\n\necho '::group:: Create an attestation without prefix, make sure it fails'\necho -n 'foobar prefix e2e test' > ./predicate-file-prefix-custom\ncosign attest --predicate ./predicate-file-prefix-custom --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --fulcio-url ${FULCIO_URL} --identity-token ${OIDC_TOKEN}\ncosign verify-attestation --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*' --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job rejection using an OCI source to a wrong repository without signatures'\nexpected_error='no matching attestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\necho '::group:: Create an attestation with prefix, make sure it fails'\ncosign attest --predicate ./predicate-file-prefix-custom --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} 
--attachment-tag-prefix=sigprefix --fulcio-url ${FULCIO_URL} --identity-token ${OIDC_TOKEN}\ncosign verify-attestation --allow-insecure-registry --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*' --certificate-oidc-issuer-regexp='.*' ${demoimage} --attachment-tag-prefix=sigprefix\necho '::endgroup::'\n\necho '::group:: test job success since we have attestation with prefix'\n# We signed this above, this should work\nif ! kubectl create -n demo-keyless-source job demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace with matching attestation with prefix!\n  exit 1\nelse\n  echo Succcessfully created Job with attestation with prefix\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_trustroot_bring_own_keys.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job demo -n ${NS} 
--ignore-not-found=true\n  if kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Create and label new namespace for verification'\nkubectl create namespace demo-trustroot-bring-your-keys\nkubectl label namespace demo-trustroot-bring-your-keys policy.sigstore.dev/include=true\nexport NS=demo-trustroot-bring-your-keys\necho '::endgroup::'\n\necho '::group:: Create CIP that requires keyless attestation with trustroot'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-with-attestations.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: Create TrustRoot that specifies Fulcio and Rekor certs/keys'\nexport FULCIO_CERT_CHAIN=`kubectl -n tuf-system get secrets fulcio-pub-key -ojsonpath='{.data.cert}'`\nexport REKOR_PUBLIC_KEY=`kubectl -n tuf-system get secrets rekor-pub-key -ojsonpath='{.data.public}'`\nexport CTFE_PUBLIC_KEY=`kubectl -n tuf-system get secrets ctlog-public-key -ojsonpath='{.data.public}'`\n\nsed -i'' -e \"s@FULCIO_CERT_CHAIN@${FULCIO_CERT_CHAIN}@g\" ./test/testdata/trustroot/e2e/bring-your-own-keys.yaml\nsed -i'' -e \"s@REKOR_PUBLIC_KEY@${REKOR_PUBLIC_KEY}@g\" 
./test/testdata/trustroot/e2e/bring-your-own-keys.yaml\nsed -i'' -e \"s@CTFE_PUBLIC_KEY@${CTFE_PUBLIC_KEY}@g\" ./test/testdata/trustroot/e2e/bring-your-own-keys.yaml\nkubectl apply -f ./test/testdata/trustroot/e2e/bring-your-own-keys.yaml\n\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\n# This image does not have an attestation, so should fail\necho '::group:: test job rejection'\nexpected_error='no matching attestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Create attestation and it should pass.\necho '::group:: Create one keyless attestation and verify it'\necho -n 'foobar e2e test' > ./predicate-file-custom\ncosign attest --predicate ./predicate-file-custom --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN}\n\ncosign verify-attestation --type=custom --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job success'\n# We created keyless attestation, so should pass.\nexport KUBECTL_SUCCESS_FILE=\"/tmp/kubectl.success.out\"\nif ! kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with keyless attestation\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with keyless attestation\nfi\nkubectl delete -n ${NS} job demo\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete trustroot --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_trustroot_remote.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job demo -n ${NS} 
--ignore-not-found=true\n  if kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Create and label new namespace for verification'\nkubectl create namespace demo-trustroot-remote\nkubectl label namespace demo-trustroot-remote policy.sigstore.dev/include=true\nexport NS=demo-trustroot-remote\necho '::endgroup::'\n\necho '::group:: Create CIP that requires keyless attestation with trustroot'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-remote-with-attestations.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: Create TrustRoot that specifies remote with mirror'\nexport ROOT_JSON=`kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}'`\n\nsed -i'' -e \"s@ROOT_JSON@${ROOT_JSON}@g\" ./test/testdata/trustroot/e2e/with-remote.yaml\nsed -i'' -e \"s@TUF_MIRROR@${TUF_MIRROR}@g\" ./test/testdata/trustroot/e2e/with-remote.yaml\nkubectl apply -f ./test/testdata/trustroot/e2e/with-remote.yaml\n\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\n# This image has no attestation, so should fail\necho '::group:: test job rejection'\nexpected_error='no matching attestations'\nassert_error 
${expected_error}\necho '::endgroup::'\n\n# Create attestation and it should pass.\necho '::group:: Create one keyless attestation and verify it'\necho -n 'foobar e2e test' > ./predicate-file-custom\ncosign attest --predicate ./predicate-file-custom --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN}\n\ncosign verify-attestation --type=custom --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job success'\n# This now has a keyless attestation, so it should pass.\nexport KUBECTL_SUCCESS_FILE=\"/tmp/kubectl.success.out\"\nif ! kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with keyless attestation\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with keyless attestation\nfi\nkubectl delete -n ${NS} job demo\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete trustroot --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_trustroot_repository.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job demo -n ${NS} 
--ignore-not-found=true\n  if kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Create and label new namespace for verification'\nkubectl create namespace demo-trustroot-repository\nkubectl label namespace demo-trustroot-repository policy.sigstore.dev/include=true\nexport NS=demo-trustroot-repository\necho '::endgroup::'\n\necho '::group:: Create CIP that requires keyless attestation with trustroot'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-repository-with-attestations.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: Create TrustRoot that specifies marshalled repository'\nexport ROOT_JSON=`kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}'`\nexport REPOSITORY=`kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}'`\n\nsed -i'' -e \"s@ROOT_JSON@${ROOT_JSON}@g\" ./test/testdata/trustroot/e2e/with-repository.yaml\nsed -i'' -e \"s@REPOSITORY@${REPOSITORY}@g\" ./test/testdata/trustroot/e2e/with-repository.yaml\nkubectl apply -f ./test/testdata/trustroot/e2e/with-repository.yaml\n\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\n# This image has no 
attestation, so should fail\necho '::group:: test job rejection'\nexpected_error='no matching attestations'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Create an attestation but do not add it to Rekor and since our attestation\n# specifies Rekor, this should still fail\necho '::group:: Create one keyless attestation and verify it, but no tlog upload'\necho -n 'foobar e2e test' > ./predicate-file-custom\ncosign attest --predicate ./predicate-file-custom --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${demoimage} --tlog-upload=false --identity-token `curl $ISSUER_URL`\ncosign verify-attestation --insecure-ignore-tlog --type=custom --rekor-url= --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' --allow-insecure-registry ${demoimage}\necho '::endgroup::'\n\n# This image has an attestation, but was not added to TLog\necho '::group:: test job rejection'\nexpected_error='signature not found in transparency log'\nassert_error ${expected_error}\necho '::endgroup::'\n\n# Create attestation and upload to tlog and it should now pass.\necho '::group:: Create one keyless attestation and verify it'\ncosign attest --predicate ./predicate-file-custom --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN}\n\ncosign verify-attestation --type=custom --rekor-url ${REKOR_URL} --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' --allow-insecure-registry ${demoimage}\necho '::endgroup::'\n\necho '::group:: test job success'\n# This now has a keyless attestation, so should pass.\nexport KUBECTL_SUCCESS_FILE=\"/tmp/kubectl.success.out\"\nif ! 
kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with keyless signature and an attestation\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with keyless signature and an attestation\nfi\nkubectl delete -n ${NS} job demo\necho '::endgroup::'\n\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete trustroot --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_tsa.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing failures, use this function to execute a kubectl to create\n# our job and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job demo -n ${NS} 
--ignore-not-found=true\n  if kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to block expected Job failure!\n    exit 1\n  else\n    echo Successfully blocked Job creation with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Create and label new namespace for verification'\nkubectl create namespace demo-tsa-remote\nkubectl label namespace demo-tsa-remote policy.sigstore.dev/include=true\nexport NS=demo-tsa-remote\necho '::endgroup::'\n\necho '::group:: Generate New Signing Key that we use for key-ful signing'\nCOSIGN_PASSWORD=\"\" cosign generate-key-pair\necho '::endgroup::'\n\n# Sign it with key\necho '::group:: Sign demoimage with key, and add to rekor and TSA'\nexport TSA_URL=`kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}'`\nexport TSA_URL=\"${TSA_URL}/api/v1/timestamp\"\nCOSIGN_YES=\"true\" COSIGN_PASSWORD=\"\" cosign sign --key cosign.key --allow-insecure-registry --rekor-url ${REKOR_URL} --timestamp-server-url ${TSA_URL} ${demoimage}\necho '::endgroup::'\n\necho '::group:: Verify demoimage with cosign key and TSA'\nexport TSA_CERT_CHAIN=`kubectl -n tsa-system get secrets tsa-cert-chain -ojsonpath='{.data.cert-chain}'`\necho \"$TSA_CERT_CHAIN\" | base64 -d > tsa-cert-chain.pem\ncosign verify --key cosign.pub --timestamp-certificate-chain tsa-cert-chain.pem --insecure-ignore-tlog --rekor-url 
${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: Create TrustRoot that specifies TSA'\ncp ./test/testdata/trustroot/e2e/with-tsa.yaml ./with-tsa.yaml.bkp\nsed -i'' -e \"s@TSA_CERT_CHAIN@${TSA_CERT_CHAIN}@g\" ./test/testdata/trustroot/e2e/with-tsa.yaml\nsed -i'' -e \"s@TSA_URL@${TSA_URL}@g\" ./test/testdata/trustroot/e2e/with-tsa.yaml\nkubectl apply -f ./test/testdata/trustroot/e2e/with-tsa.yaml\n# allow things to propagate\nsleep 5\necho '::endgroup::'\n\necho '::group:: Create CIP that requires a keyful and includes a TSA verification'\nyq '. | .spec.authorities[0].key.data |= load_str(\"cosign.pub\")' ./test/testdata/policy-controller/e2e/cip-key-tsa.yaml | kubectl apply -f -\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job success'\n# This has now a job signed and verified via a TSA, so should pass.\nexport KUBECTL_SUCCESS_FILE=\"/tmp/kubectl.success.out\"\nif ! 
kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then\n  echo Failed to create job with a TSA verification\n  cat ${KUBECTL_SUCCESS_FILE}\n  exit 1\nelse\n  echo Created the job with a TSA verification\nfi\nkubectl delete -n ${NS} job demo\necho '::endgroup::'\n\n# Publish the second test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world 2 TIMESTAMP\")\n}\nEOF\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage2=`ko publish -B example.com/demo`\npopd\necho '::endgroup::'\n\n# Sign it with key\necho '::group:: Sign demoimage2 with key, and add to rekor and TSA'\nexport TSA_URL=`kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}'`\n# Cosign TSA integration now requires passing the API endpoint URL\nexport TSA_URL=\"${TSA_URL}/api/v1/timestamp\"\nCOSIGN_YES=\"true\" COSIGN_PASSWORD=\"\" cosign sign --key cosign.key --allow-insecure-registry --rekor-url ${REKOR_URL} --timestamp-server-url ${TSA_URL} ${demoimage2}\necho '::endgroup::'\n\necho '::group:: Verify demoimage2 with cosign key and TSA'\nexport TSA_CERT_CHAIN=`kubectl -n tsa-system get secrets tsa-cert-chain -ojsonpath='{.data.cert-chain}'`\necho \"$TSA_CERT_CHAIN\" | base64 -d > tsa-cert-chain.pem\ncosign verify --key cosign.pub --timestamp-certificate-chain tsa-cert-chain.pem --insecure-ignore-tlog --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage2}\necho '::endgroup::'\n\necho '::group:: Change Certificate chain of TrustRoot to a wrong one for our TSA'\ncp ./with-tsa.yaml.bkp ./test/testdata/trustroot/e2e/with-tsa.yaml\n# This certificate chain belongs a different TSA server so any verification should fail\nexport 
TSA_CERT_CHAIN=\"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ6RENDQVhLZ0F3SUJBZ0lVWFBCNWVWRWhZcVBPaEk0dE45ak4wM1ZkUW5rd0NnWUlLb1pJemowRUF3SXcKTURFT01Bd0dBMVVFQ2hNRmJHOWpZV3d4SGpBY0JnTlZCQU1URlZSbGMzUWdWRk5CSUVsdWRHVnliV1ZrYVdGMApaVEFlRncweU1qRXhNakV4TVRVNE1UaGFGdzB6TVRFeE1qRXhNakF4TVRoYU1EQXhEakFNQmdOVkJBb1RCV3h2ClkyRnNNUjR3SEFZRFZRUURFeFZVWlhOMElGUlRRU0JVYVcxbGMzUmhiWEJwYm1jd1dUQVRCZ2NxaGtqT1BRSUIKQmdncWhrak9QUU1CQndOQ0FBVEhvRUE3b05URWJDcjVxdnd6STlsN0ZJaHNqQlFnUDhGbFhEeFNDaFdYVDJZNQpMWDhQVlFYTHJFbHhNVzJ0dnk0SjQzdTJCRG9JQ1hHeW5xZ1pWMlBmbzJvd2FEQU9CZ05WSFE4QkFmOEVCQU1DCkI0QXdIUVlEVlIwT0JCWUVGQis4WEx2TTlWU3pyUmdFQiswOUZrdlhmYVM2TUI4R0ExVWRJd1FZTUJhQUZDWUIKSEc1eDVDVE9YLytueVlsanltWVZQT3ZqTUJZR0ExVWRKUUVCL3dRTU1Bb0dDQ3NHQVFVRkJ3TUlNQW9HQ0NxRwpTTTQ5QkFNQ0EwZ0FNRVVDSUFJd1IwMG5xRS96cG5OSEozY3VoWTRRZjEzTkd3anhUOTBSUWhxSjFNZlpBaUVBCm9lclFGQWVGYnZYU3VLTFdXK2lsdEh2dEsyUUF1VXZub1ZnZ0tCYzhpSTg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIwakNDQVhpZ0F3SUJBZ0lVVXgvd3NrMFNhVU5ZcUtKWEtLMlpyMmYzZlJFd0NnWUlLb1pJemowRUF3SXcKS0RFT01Bd0dBMVVFQ2hNRmJHOWpZV3d4RmpBVUJnTlZCQU1URFZSbGMzUWdWRk5CSUZKdmIzUXdIaGNOTWpJeApNVEl4TVRFMU5qRTRXaGNOTXpJeE1USXhNVEl3TVRFNFdqQXdNUTR3REFZRFZRUUtFd1ZzYjJOaGJERWVNQndHCkExVUVBeE1WVkdWemRDQlVVMEVnU1c1MFpYSnRaV1JwWVhSbE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMEQKQVFjRFFnQUVvUysxNFNXTmUxc2hwc280cERFMEhTNjZqdmYyenlJUS9jcHRuM2pyUTAyelJYZWQ5THBWS1A3YwpJbEVXWWNSaWw0anNXUkFsMU9zVjk4eGNFTUpvaktONE1IWXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CTUdBMVVkCkpRUU1NQW9HQ0NzR0FRVUZCd01JTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkNZQkhHNXgKNUNUT1gvK255WWxqeW1ZVlBPdmpNQjhHQTFVZEl3UVlNQmFBRkYxWEFHbW4xQXdtdFk0L0RGVWQ4RzhkTFRIMQpNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJUUNoZTVTWVpsbVNWeXczczJOcDRQNE5FS1l0ODc4RGZ6M3JlRlZKCkVHemxJd0lnUEc4bHlaYXdLOWo2c3BlTHFtUy9Hei9LdjJJQ3FsSy9XOEFzNGN1OEtuRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJQmxUQ0NBVHFnQXdJQkFnSVVQY2NwVS95TUJkNmViMzM1YlZSOTZwTGZNQWN3Q2dZSUtvWkl6ajBFQXdJdwpLREVPTUF3R0ExVUVDaE1GYkc
5allXd3hGakFVQmdOVkJBTVREVlJsYzNRZ1ZGTkJJRkp2YjNRd0hoY05Nakl4Ck1USXhNVEUxTmpFNFdoY05Nekl4TVRJeE1USXdNVEU0V2pBb01RNHdEQVlEVlFRS0V3VnNiMk5oYkRFV01CUUcKQTFVRUF4TU5WR1Z6ZENCVVUwRWdVbTl2ZERCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQklUWgpqZnVhTGJXbjloYjhtNVVabmtrcUs5K3dQam92b0F3VCtPQWRTK0kzZlptTFRnamdoMW8vUHhtb0UvT2RuOUtOCmtxcnVKWkJuaWQwb0VVT3BwWE9qUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQUQKQVFIL01CMEdBMVVkRGdRV0JCUmRWd0JwcDlRTUpyV09Qd3hWSGZCdkhTMHg5VEFLQmdncWhrak9QUVFEQWdOSgpBREJHQWlFQWhFdW9xQ2JaRDA5bmx2WjNtcFJiR0paZFg0Nm1rUFUrVFFpUklFT2l5NGdDSVFEakRBWDdxT0x0Cm5RVEVrRGcwcklBU0hqaVVNTk5tRVFqTlZmaDlDMEx3OXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t\"\nsed -i'' -e \"s@TSA_CERT_CHAIN@${TSA_CERT_CHAIN}@g\" ./test/testdata/trustroot/e2e/with-tsa.yaml\nsed -i'' -e \"s@TSA_URL@${TSA_URL}@g\" ./test/testdata/trustroot/e2e/with-tsa.yaml\nkubectl apply -f ./test/testdata/trustroot/e2e/with-tsa.yaml\n# allow things to propagate\nsleep 10\necho '::endgroup::'\n\n# We did sign this, but should fail due to a different certificate chain for the TSA verification\necho '::group:: test job rejection with TSA using a different cert-chain'\nif kubectl create -n ${NS} job demo2 --image=${demoimage2} ; then\n  echo Failed to block Job creation when TSA verification fails!\n  exit 1\nelse\n  echo Successfully blocked Job creation with TSA using a different certificate chain\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete trustroot --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_image_policy_with_warn.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${ISSUER_URL}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or ISSUER_URL\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing warnings, use this function to execute a kubectl to create\n# our job and verify that the warning is as expected.\nassert_warning() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.warning.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  kubectl delete job job-that-warns -n 
${NS} --ignore-not-found=true\n  if ! kubectl create -n ${NS} job job-that-warns --image=${demoimage2} 2> ${KUBECTL_OUT_FILE} ; then\n    echo Failed to create Job when expected to warn!\n    exit 1\n  else\n    echo Successfully created job, checking warning: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected warning message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish the first test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world TIMESTAMP\")\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\n# Publish the second test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport \"fmt\"\nfunc main() {\n  fmt.Println(\"hello world 2 TIMESTAMP\")\n}\nEOF\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage2=`ko publish -B example.com/demo`\npopd\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy with keyless signing'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-warn.yaml\necho '::endgroup::'\n\necho '::group:: Sign demo image'\ncosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN}\necho '::endgroup::'\n\necho '::group:: Verify demo image'\ncosign verify --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: Create test namespace and label for verification'\nkubectl create namespace demo-keyless-signing\nkubectl label 
namespace demo-keyless-signing policy.sigstore.dev/include=true\nexport NS=demo-keyless-signing\necho '::endgroup::'\n\necho '::group:: test job success'\n# We signed this above, this should work\nif ! kubectl create -n demo-keyless-signing job demo --image=${demoimage} ; then\n  echo Failed to create Job in namespace with matching signature!\n  exit 1\nelse\n  echo Succcessfully created Job with signed image\nfi\necho '::endgroup::'\n\n# We did not sign this, should warn but not fail\necho '::group:: test job admission with warning'\nexpected_warn='Warning: failed policy: image-policy-keyless-warn'\nassert_warning ${expected_warn}\necho '::endgroup::'\n\n# Change to an image that does not match any policies\ndemoimage2=\"quay.io/jetstack/cert-manager-acmesolver:v1.9.1\"\n\n# Then test the unmatched policy behaviour with default, which is deny\necho '::group:: test no-match default policy, which is deny'\nif kubectl create -n demo-keyless-signing job demo-should-not-work --image=${demoimage2} ; then\n  echo Failed to block Job with no matching policy and default deny\n  exit 1\nelse\n  echo Successfully blocked Job in namespace with no matching policies, and deny\nfi\necho '::endgroup::'\n\necho '::group:: Change no-match policy to warn'\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"no-match-policy\":\"warn\"}}'\n# allow for propagation\nsleep 5\necho '::endgroup::'\n\necho '::group:: test job admission with warning'\nexpected_warn='Warning: no matching policies:'\nassert_warning ${expected_warn}\necho '::endgroup::'\n\necho '::group:: Change no-match policy to allow'\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"no-match-policy\":\"allow\"}}'\n# allow for propagation\nsleep 5\necho '::endgroup::'\n\necho '::group:: test no-match policy allow'\nif ! 
kubectl create -n demo-keyless-signing job demo-works --image=${demoimage2} ; then\n  echo Failed to create Job in namespace with no matching policies, but allow\n  exit 1\nelse\n  echo Succcessfully created Job because no matching policy and allow\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_cluster_with_scalable.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -ex\n\nif [[ -z \"${OIDC_TOKEN}\" ]]; then\n  if [[ -z \"${TOKEN_ISSUER}\" ]]; then\n    echo \"Must specify either env variable OIDC_TOKEN or TOKEN_ISSUER\"\n    exit 1\n  else\n    export OIDC_TOKEN=`curl -s ${ISSUER_URL}`\n  fi\nfi\n\nif [[ -z \"${KO_DOCKER_REPO}\" ]]; then\n  echo \"Must specify env variable KO_DOCKER_REPO\"\n  exit 1\nfi\n\nif [[ -z \"${FULCIO_URL}\" ]]; then\n  echo \"Must specify env variable FULCIO_URL\"\n  exit 1\nfi\n\nif [[ -z \"${REKOR_URL}\" ]]; then\n  echo \"Must specify env variable REKOR_URL\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_ROOT_FILE}\" ]]; then\n  echo \"must specify env variable TUF_ROOT_FILE\"\n  exit 1\nfi\n\nif [[ -z \"${TUF_MIRROR}\" ]]; then\n  echo \"must specify env variable TUF_MIRROR\"\n  exit 1\nfi\n\nif [[ \"${NON_REPRODUCIBLE}\"==\"1\" ]]; then\n  echo \"creating non-reproducible build by adding a timestamp\"\n  export TIMESTAMP=`date +%s`\nelse\n  export TIMESTAMP=\"TIMESTAMP\"\nfi\n\n# Initialize cosign with our TUF root\ncosign initialize --mirror ${TUF_MIRROR} --root ${TUF_ROOT_FILE}\n\n# To simplify testing failures, use this function to execute a kubectl to scale\n# deployment up and verify that the failure is expected.\nassert_error() {\n  local KUBECTL_OUT_FILE=\"/tmp/kubectl.failure.out\"\n  match=\"$@\"\n  echo looking for ${match}\n  if kubectl patch -n ${NS} 
deployment test-deployment --type \"json\" -p '[{\"op\":\"replace\", \"path\":\"/spec/replicas\", \"value\":5}]' 2> ${KUBECTL_OUT_FILE} ; then\n  echo Failed to block expected scaling failure!\n    exit 1\n  else\n    echo Successfully blocked scaling with expected error: \"${match}\"\n    if ! grep -q \"${match}\" ${KUBECTL_OUT_FILE} ; then\n      echo Did not get expected failure message, wanted \"${match}\", got\n      cat ${KUBECTL_OUT_FILE}\n      exit 1\n    fi\n  fi\n}\n\n# Publish test image\necho '::group:: publish test image demoimage'\npushd $(mktemp -d)\ngo mod init example.com/demo\ncat <<EOF > main.go\npackage main\nimport (\n\"fmt\"\n\"time\"\n)\nfunc main() {\n  fmt.Println(\"hello world deployment TIMESTAMP\")\n  time.Sleep(10*time.Minute)\n}\nEOF\n\nsed -i'' -e \"s@TIMESTAMP@${TIMESTAMP}@g\" main.go\ncat main.go\nexport demoimage=`ko publish -B example.com/demo`\necho Created image $demoimage\npopd\necho '::endgroup::'\n\necho '::group:: Create test namespace but do not label for verification'\nkubectl create namespace demo-scalable\nexport NS=demo-scalable\necho '::endgroup::'\n\necho '::group:: Deploy deployment with unsigned image'\nsed \"s#TEST_IMAGE#${demoimage}#\" ./test/testdata/policy-controller/e2e/test-deployment.yaml | kubectl apply -f -\necho '::endgroup::'\n\necho '::group:: Label test namespace for verification'\nkubectl label namespace ${NS} policy.sigstore.dev/include=true\necho '::endgroup::'\n\necho '::group:: Deploy ClusterImagePolicy with keyless signing'\nkubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless.yaml\n# Give the policy controller a moment to update the configmap\n# and pick up the change in the admission controller.\nsleep 5\necho '::endgroup::'\n\necho '::group:: Try to scale the Deployment up - should fail'\nexpected_error=\"failed policy: image-policy-keyless: spec.template.spec.containers\"\nassert_error ${expected_error}\necho '::endgroup::'\n\n\necho '::group:: Try to scale the Deployment down - 
should work'\nif ! kubectl patch -n ${NS} deployment test-deployment --type \"json\" -p '[{\"op\":\"replace\", \"path\":\"/spec/replicas\", \"value\":1}]' ; then\n  echo Failed to scale down\n    exit 1\nfi\necho '::endgroup::'\n\necho '::group:: Sign demo image'\ncosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN}\necho '::endgroup::'\n\necho '::group:: Verify demo image'\ncosign verify --rekor-url ${REKOR_URL} --allow-insecure-registry --certificate-identity-regexp='.*'  --certificate-oidc-issuer-regexp='.*' ${demoimage}\necho '::endgroup::'\n\necho '::group:: Try to scale the Deployment up - should work'\nif ! kubectl patch -n ${NS} deployment test-deployment --type \"json\" -p '[{\"op\":\"replace\", \"path\":\"/spec/replicas\", \"value\":5}]' ; then\n  echo Failed to scale up with signed image\n    exit 1\nfi\necho '::endgroup::'\n\necho '::group::' Cleanup\nkubectl delete cip --all\nkubectl delete ns ${NS}\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_policy_controller.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -ex\n\n\necho '::group:: publish test image'\nDIGEST=$(ko publish -B ./cmd/sample)\ncat > pod.yaml <<EOF\napiVersion: v1\nkind: Pod\nmetadata:\n  generateName: pod-test-\nspec:\n  restartPolicy: Never\n  containers:\n  - name: sample\n    image: $KO_DOCKER_REPO/sample\nEOF\ncat > distroless-pod.yaml <<EOF\napiVersion: v1\nkind: Pod\nmetadata:\n  generateName: pod-test-\nspec:\n  restartPolicy: Never\n  containers:\n  - name: sample\n    image: ghcr.io/chainguard-images/alpine-base:latest\n    command: [/bin/sh, -c]\n    args:\n    - |\n      echo Testing Fulcio verification\nEOF\ncat > job.yaml <<EOF\napiVersion: batch/v1\nkind: Job\nmetadata:\n  generateName: job-test-\nspec:\n  template:\n    spec:\n      restartPolicy: Never\n      containers:\n        - name: sample\n          image: $KO_DOCKER_REPO/sample\nEOF\n\ncat > cronjob.yaml <<EOF\napiVersion: batch/v1\nkind: CronJob\nmetadata:\n  generateName: cronjob-test-\nspec:\n  schedule: \"* * * * *\"\n  jobTemplate:\n    spec:\n      template:\n        spec:\n          containers:\n          - name: sample\n            image: $KO_DOCKER_REPO/sample\n          restartPolicy: Never\nEOF\necho '::endgroup::'\n\necho '::group:: enable verification'\nkubectl label namespace default --overwrite policy.sigstore.dev/include=true\necho '::endgroup::'\n\necho '::group:: test pod 
rejection (no policy applied yet, and default deny)'\n# Should fail, because no matching policy and default deny\nif kubectl create -f distroless-pod.yaml ; then\n  echo Failed to block Pod signed by Fulcio without any matching policy.\n  exit 1\nelse\n  echo Successfully blocked Pod signed by Fulcio without any matching policy.\nfi\necho '::endgroup::'\n\necho '::group:: test job success (no policy applied yet, and default deny)'\n# Should fail, because no matching policy and default deny\nif kubectl create -f job.yaml ; then\n  echo Failed to block Job in namespace without any matching policy!\n  exit 1\nelse\n  echo Successfully blocked Job in namespace without any matching policy.\nfi\necho '::endgroup::'\n\necho '::group:: test cronjob success (no policy applied yet, and default deny)'\n# Should fail, because no matching policy and default deny\nif kubectl create -f cronjob.yaml ; then\n  echo Failed to block CronJob in namespace without any matching policy!\n  exit 1\nelse\n  echo Successfully blocked CronJob in namespace without any matching policy.\nfi\necho '::endgroup::'\n\necho '::group:: Change no-match policy to allow'\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"no-match-policy\":\"allow\"}}'\n# allow for propagation\nsleep 5\necho '::endgroup::'\n\necho '::group:: test pod success (no policy applied yet, default allow)'\n# This time it should succeed!\nif ! kubectl create -f distroless-pod.yaml ; then\n  echo Failed to create Pod signed by Fulcio without any matching policy!\n  exit 1\nelse\n  echo Successfully created Pod signed by Fulcio without any matching policy.\nfi\necho '::endgroup::'\n\necho '::group:: test job success (no policy applied yet, default allow)'\n# This time it should succeed!\nif ! 
kubectl create -f job.yaml ; then\n  echo Failed to create Job in namespace without label!\n  exit 1\nelse\n  echo Successfully created Job in namespace without label.\nfi\necho '::endgroup::'\n\necho '::group:: test cronjob success (no policy applied yet, default allow)'\n# This time it should succeed!\nif ! kubectl create -f cronjob.yaml ; then\n  echo Failed to create CronJob in namespace without label!\n  exit 1\nelse\n  echo Successfully created CronJob in namespace without label.\nfi\necho '::endgroup::'\n\necho '::group:: disable verification'\nkubectl label namespace default --overwrite policy.sigstore.dev/include=false\necho '::endgroup::'\n\necho '::group:: test pod success (after disabling verification in namespace)'\n# This time it should succeed!\nif ! kubectl create -f pod.yaml ; then\n  echo Failed to create Pod in namespace without label!\n  exit 1\nelse\n  echo Successfully created Pod in namespace without label.\nfi\necho '::endgroup::'\n\necho '::group:: test job success (after disabling verification in namespace)'\n# This time it should succeed!\nif ! kubectl create -f job.yaml ; then\n  echo Failed to create Job in namespace without label!\n  exit 1\nelse\n  echo Successfully created Job in namespace without label.\nfi\necho '::endgroup::'\n\necho '::group:: test cronjob success (after disabling verification in namespace)'\n# This time it should succeed!\nif ! kubectl create -f cronjob.yaml ; then\n  echo Failed to create CronJob in namespace without label!\n  exit 1\nelse\n  echo Successfully created CronJob in namespace without label.\nfi\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_policy_crd.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# This script will iterate over expected failures for invalid CIPs in\n# ./test/testdata/policy-controller/invalid\n# Each of the CIPs specifies a line that looks like this:\n# ERROR:expected error goes here\n# And for each invalid CIP, the error is validated to be the expected failure.\n# You can have multiple ERROR lines and then each one will be matched.\n# Note that we grep with the exact match so as not to get bamboozled by the\n# grep regexp rules. This allows us to match fields in arrays (like\n# authorities[0].keyless.identities) for example.\n\n# We then iterate over expected successes, but with warnings, for \"warn\" CIPs in\n# ./test/testdata/policy-controller/warn\n# Each of the CIPs specifies a line that looks like this:\n# Warning: missing field(s): spec.authorities[0].keyless.identities\n# And for each \"warn\" CIP, the warning is validated and we make sure the\n# CIP is still admitted and therefore it's only a warning.\n# Note that we grep with the exact match so as not to get bamboozled by the\n# grep regexp rules. 
This allows us to match fields in arrays (like\n# authorities[0].keyless.identities) for example.\n\n# Finally we loop over good CIPs in\n# ./test/testdata/policy-controller/valid\n# Each of the CIP is expected to succeed and we error out if it fails to be\n# created.\n\n# We only want to loop over error / warning lines, not words.\nIFS=$'\\n'\necho '::group:: Invalid policy tests:'\nfor i in `ls ./test/testdata/policy-controller/invalid/`\ndo\n  echo Testing: $i\n  # Grab the expected error from the CIP\n  expected_errors=$(grep ERROR: test/testdata/policy-controller/invalid/${i} | cut -d ':' -f 2-)\n  err_file=\"./kubectl_err\"\n  if kubectl create -f ./test/testdata/policy-controller/invalid/$i 2> ${err_file}; then\n    echo \"${i} policy created when it should not have\"\n    exit 1\n  else\n    for expected_error in ${expected_errors}\n    do\n      echo looking for error: ${expected_error}\n      if ! grep --fixed-strings -q \"${expected_error}\" ${err_file} ; then\n        echo Did not get expected failure message, wanted \"${expected_error}\", got\n        cat ${err_file}\n        exit 1\n      else\n        echo \"${i} rejected as expected\"\n      fi\n    done\n  fi\ndone\necho '::endgroup:: Invalid policy test:'\n\necho '::group:: Warning policy tests:'\nfor i in `ls ./test/testdata/policy-controller/warn/`\ndo\n  echo Testing: $i\n  # Grab the expected error from the CIP\n  expected_warnings=$(grep Warning: test/testdata/policy-controller/warn/${i} | cut -d ' ' -f 2-)\n  warn_file=\"./kubectl_warn\"\n  if ! kubectl create -f ./test/testdata/policy-controller/warn/$i 2> ${warn_file}; then\n    echo \"${i} policy rejected when it should have only warned\"\n    cat ${warn_file}\n    exit 1\n  else\n    for expected_warning in ${expected_warnings}\n    do\n      echo looking for warning: ${expected_warning}\n      if ! 
grep --fixed-strings -q \"${expected_warning}\" ${warn_file} ; then\n        echo Did not get expected warning message, wanted \"${expected_warning}\", got\n        cat ${warn_file}\n        exit 1\n      else\n        echo \"${i} created and warning found as expected\"\n      fi\n    done\n  fi\n  kubectl delete -f ./test/testdata/policy-controller/warn/$i --ignore-not-found=true\ndone\necho '::endgroup:: Warning policy test:'\n\necho '::group:: Valid policy test:'\nfor i in `ls ./test/testdata/policy-controller/valid/`\ndo\n  if kubectl create -f ./test/testdata/policy-controller/valid/$i ; then\n    echo \"${i} created as expected\"\n  else\n    echo \"${i} failed when it should not have\"\n    exit 1\n  fi\n\n  kubectl delete -f ./test/testdata/policy-controller/valid/$i --ignore-not-found=true\ndone\n\necho '::endgroup:: Valid policy test:'\n\necho '::group:: Set fail-on-empty-authorities to false'\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"no-match-policy\":\"deny\", \"fail-on-empty-authorities\":\"false\"}}'\n# allow for propagation\nsleep 10\necho '::endgroup::'\n\necho '::group:: Empty authorities policies:'\nfor i in `ls ./test/testdata/policy-controller/empty-authorities/`\ndo\n  if kubectl create -f ./test/testdata/policy-controller/empty-authorities/$i ; then\n    echo \"${i} created as expected\"\n  else\n    echo \"${i} failed when it should not have\"\n    exit 1\n  fi\n\n  kubectl delete -f ./test/testdata/policy-controller/empty-authorities/$i --ignore-not-found=true\ndone\necho '::endgroup::'\n\necho '::group:: Set fail-on-empty-authorities to true'\nkubectl patch configmap/config-policy-controller \\\n  --namespace cosign-system \\\n  --type merge \\\n  --patch '{\"data\":{\"no-match-policy\":\"deny\", \"fail-on-empty-authorities\":\"true\"}}'\n# allow for propagation\nsleep 10\necho '::endgroup::'\n"
  },
  {
    "path": "test/e2e_test_trustroot_crd.sh",
    "content": "#!/usr/bin/env bash\n#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# This script will validate an e2e for given TrustRoot resources and validate\n# that they get reconciled correctly into the ConfigMap. For now we only\n# validate the keys/certs but we can add more tests. Reasoning being that the\n# certs/keys are the trickiest (I think) so let's start there.\n# The golden files live in the ./test/testdata/trustroot/golden where\n# rekor.pem is the public key for the TLog[0].PublicKey\n# ctfe.pem is the public key for the CTLog[0].PublicKey\n# fulcio.crt.pem is the certchain for the CertificateAuthority[0].CertChain\n# tsa.crt.pem is the certchain for the TimeStampAuthorities[0].CertChain\n# So we diff against those.\necho '::group:: Create a TrustRoot with bring your own keys:'\nkubectl create -f ./test/testdata/trustroot/valid/valid-sigstore-keys.yaml\n# Allow for changes to propagate to ConfigMap\nsleep 5\necho '::endgroup::'\n\necho '::group:: Validating the configmap entries'\necho \"Validating Fulcio entry\"\necho -n > ./got.fulcio.pem\nfor cert in $(kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.certificateAuthorities[0].certChain.certificates[] | .rawBytes' ); do\n  echo $cert | base64 -d | openssl x509 -inform der >> ./got.fulcio.pem\ndone\ndiff ./got.fulcio.pem 
./test/testdata/trustroot/golden/fulcio.crt.pem\n\necho \"Validating TSA entry\"\necho -n > ./got.tsa.pem\nfor cert in $(kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.timestampAuthorities[0].certChain.certificates[] | .rawBytes' ); do\n  echo $cert | base64 -d | openssl x509 -inform der >> ./got.tsa.pem\ndone\ndiff ./got.tsa.pem ./test/testdata/trustroot/golden/tsa.crt.pem\n\necho \"Validating Rekor entry\"\nkubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.tlogs[0].publicKey.rawBytes' | base64 -d | openssl pkey -pubin -inform der > ./got.rekor.pem\ndiff ./got.rekor.pem ./test/testdata/trustroot/golden/rekor.pem\n\necho \"Validating CTLog entry\"\nkubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.ctlogs[0].publicKey.rawBytes' | base64 -d | openssl pkey -pubin -inform der > ./got.ctfe.pem\ndiff ./got.ctfe.pem ./test/testdata/trustroot/golden/ctfe.pem\n\nkubectl delete -f ./test/testdata/trustroot/valid/valid-sigstore-keys.yaml\necho '::endgroup::'\n"
  },
  {
    "path": "test/kustomize/kustomization.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\nresources:\n- policy-controller-e2e.yaml\n\npatches:\n- patch: |-\n    - op: add\n      path: /spec/template/spec/containers/0/args/-\n      value: --tuf-mirror=http://tuf.tuf-system.svc\n    - op: add\n      path: /spec/template/spec/containers/0/args/-\n      value: --tuf-root=/var/run/tuf/root.json\n\n  target:\n    kind: Deployment\n    name: webhook\n"
  },
  {
    "path": "test/kustomize-no-tuf/kustomization.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\nresources:\n- policy-controller-e2e.yaml\n\n# Note we give garbage arguments to tuf-root and tuf-mirror to make it a good\n# test to verify that these paths are not even executed.\npatches:\n- patch: |-\n    - op: add\n      path: /spec/template/spec/containers/0/args/-\n      value: --tuf-mirror=http://sigstore.example.com\n    - op: add\n      path: /spec/template/spec/containers/0/args/-\n      value: --tuf-root=/root-that-is-not-there.json\n    - op: add\n      path: /spec/template/spec/containers/0/args/-\n      value: --disable-tuf=true\n\n  target:\n    kind: Deployment\n    name: webhook\n"
  },
  {
    "path": "test/testdata/attestations/vuln-predicate.json",
    "content": "{\n    \"invocation\": {\n      \"parameters\": null,\n      \"uri\": \"invocation.example.com/cosign-testing\",\n      \"event_id\": \"\",\n      \"builder.id\": \"\"\n    },\n    \"scanner\": {\n      \"uri\": \"fakescanner.example.com/cosign-testing\",\n      \"version\": \"\",\n      \"db\": {\n        \"uri\": \"\",\n        \"version\": \"\"\n      },\n      \"result\": null\n    },\n    \"metadata\": {\n      \"scanStartedOn\": \"2022-04-12T00:00:00Z\",\n      \"scanFinishedOn\": \"2022-04-12T00:10:00Z\"\n    }\n}\n"
  },
  {
    "path": "test/testdata/bom-go-mod.spdx",
    "content": "SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: github.com/sigstore/cosign\nDocumentNamespace: http://spdx.org/spdxpackages/github.com/sigstore/cosign-9a615223-fdf6-40cc-8156-666d7da86672\nCreator: Tool: spdx-sbom-generator-0.0.1\nCreated: 2021-06-27T13:42:53Z\n\n##### Package representing the github.com/sigstore/cosign\n\nPackageName: github.com/sigstore/cosign\nSPDXID: SPDXRef-Package-github.com.sigstore.cosign\nPackageVersion: ddd9132\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 0d8975f6ff7067f2adad485924e0854caec9c5d46306bf5b901d311c2fb05a7a\nPackageHomePage: https://github.com/sigstore/cosign\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-github.com.sigstore.cosign \n\nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-k8s.io.apimachinery-v0.21.2 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.leodido.go-urn-v1.2.1 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.peterbourgon.ff.v3-v3.0.0 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.cyberphone.json-canonicalization-v0.0.0-20210303052042-6bc126869bf4 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON 
SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.spf13.afero-v1.6.0 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.theupdateframework.go-tuf-v0.0.0-20201230183259-aee6270feb55 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.google.gofuzz-v1.2.0 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.prometheus.common-v0.29.0 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-go.uber.org.multierr-v1.7.0 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-golang.org.x.term-v0.0.0-20210615171337-6886f2dfbf5b \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-k8s.io.api-v0.21.2 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-k8s.io.client-go-v0.21.2 \nRelationship 
SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.jedisct1.go-minisign-v0.0.0-20210414164026-819d7e2534ac \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.magiconair.properties-v1.8.5 \nRelationship SPDXRef-Package-github.com.sigstore.cosign DEPENDS_ON SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 \n\n##### Package representing the github.com/google/go-containerregistry\n\nPackageName: github.com/google/go-containerregistry\nSPDXID: SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1\nPackageVersion: v0.5.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 9f611b3f2b625e9f4af823b9833dfd4317f575a270cd6c156ee9f5b89ec49454\nPackageHomePage: https://github.com/google/go-containerregistry\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-cloud.google.com.go-v0.81.0 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON 
SPDXRef-Package-github.com.docker.cli-v0.0.0-20191017083524-a8ff7f821017 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.opencontainers.image-spec-v1.0.1 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-k8s.io.klog.v2-v2.8.0 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.containerd.stargz-snapshotter.estargz-v0.4.1 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.docker.docker-v1.4.2-0.20200319182547-c7ad2b866182 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.docker.docker-credential-helpers-v0.6.3 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.spf13.cobra-v1.1.3 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.gorilla.mux-v1.8.0 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship 
SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.docker.distribution-v2.7.1+incompatible \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 DEPENDS_ON SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \n\n##### Package representing the github.com/peterbourgon/ff/v3\n\nPackageName: github.com/peterbourgon/ff/v3\nSPDXID: SPDXRef-Package-github.com.peterbourgon.ff.v3-v3.0.0\nPackageVersion: v3.0.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 717d2deecd326f89ac03355a0c60e7af8cec09cdf35c739c9db64677b7f767ae\nPackageHomePage: https://github.com/peterbourgon/ff/v3\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.peterbourgon.ff.v3-v3.0.0 DEPENDS_ON SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3 \nRelationship SPDXRef-Package-github.com.peterbourgon.ff.v3-v3.0.0 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \n\n##### Package representing the github.com/pkg/errors\n\nPackageName: github.com/pkg/errors\nSPDXID: SPDXRef-Package-github.com.pkg.errors-v0.9.1\nPackageVersion: v0.9.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e984effb1b0eef5e6cfefb3f37f23bfaee28d5180f11c64fb43a46b7f7421edb\nPackageHomePage: https://github.com/pkg/errors\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/docker/cli\n\nPackageName: github.com/docker/cli\nSPDXID: 
SPDXRef-Package-github.com.docker.cli-v0.0.0-20191017083524-a8ff7f821017\nPackageVersion: v0.0.0-20191017083524-a8ff7f821017\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 0e16595382ffbd6bd8cd20be937e87ad48d5e20d678fb52b4913740565cb5e26\nPackageHomePage: https://github.com/docker/cli\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/docker/docker-credential-helpers\n\nPackageName: github.com/docker/docker-credential-helpers\nSPDXID: SPDXRef-Package-github.com.docker.docker-credential-helpers-v0.6.3\nPackageVersion: v0.6.3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 0a83f71929507b20f2c695a3a5833519fcf606d470948b083847e31c09433bee\nPackageHomePage: https://github.com/docker/docker-credential-helpers\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/docker/docker\n\nPackageName: github.com/docker/docker\nSPDXID: SPDXRef-Package-github.com.docker.docker-v1.4.2-0.20200319182547-c7ad2b866182\nPackageVersion: v1.4.2-0.20200319182547-c7ad2b866182\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: b48d221328853f35e846891d066cbfbbfd0f0e8e15d37745d68215d4bfa663c5\nPackageHomePage: https://github.com/docker/docker\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/opencontainers/go-digest\n\nPackageName: github.com/opencontainers/go-digest\nSPDXID: 
SPDXRef-Package-github.com.opencontainers.go-digest-v1.0.0\nPackageVersion: v1.0.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 06744ce2bb1c85d4117a2ba9e9a817665e52ed5f36e9722e8fada53867a9fae1\nPackageHomePage: https://github.com/opencontainers/go-digest\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/opencontainers/image-spec\n\nPackageName: github.com/opencontainers/image-spec\nSPDXID: SPDXRef-Package-github.com.opencontainers.image-spec-v1.0.1\nPackageVersion: v1.0.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e3790a1082e695077024de83b32cfc198508585d3e37d430aaa325cfbe0c4a0f\nPackageHomePage: https://github.com/opencontainers/image-spec\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/docker/distribution\n\nPackageName: github.com/docker/distribution\nSPDXID: SPDXRef-Package-github.com.docker.distribution-v2.7.1+incompatible\nPackageVersion: v2.7.1+incompatible\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 1e591e4b18738469da7205179340f527fe732e0c3cba080abd084828a3a16d7f\nPackageHomePage: https://github.com/docker/distribution\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the golang.org/x/sync\n\nPackageName: golang.org/x/sync\nSPDXID: SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c\nPackageVersion: 
v0.0.0-20210220032951-036812b2e83c\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: c2c8d8b8e332215da159aa126456187286e44d97353e0566e77e350e5a8522f7\nPackageHomePage: https://golang.org/x/sync\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/cyberphone/json-canonicalization\n\nPackageName: github.com/cyberphone/json-canonicalization\nSPDXID: SPDXRef-Package-github.com.cyberphone.json-canonicalization-v0.0.0-20210303052042-6bc126869bf4\nPackageVersion: v0.0.0-20210303052042-6bc126869bf4\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: c7ebd3e43ca55f29f282acbf5e9194741d64f027cf57cc6d8136c0e6a30451a6\nPackageHomePage: https://github.com/cyberphone/json-canonicalization\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/asaskevich/govalidator\n\nPackageName: github.com/asaskevich/govalidator\nSPDXID: SPDXRef-Package-github.com.asaskevich.govalidator-v0.0.0-20210307081110-f21760c49a8d\nPackageVersion: v0.0.0-20210307081110-f21760c49a8d\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 903cd7f5e7c6ac40eb2de2d6dfe3be0622f9bce5ad6c422fad4966939fcabf94\nPackageHomePage: https://github.com/asaskevich/govalidator\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/go-openapi/errors\n\nPackageName: github.com/go-openapi/errors\nSPDXID: 
SPDXRef-Package-github.com.go-openapi.errors-v0.20.0\nPackageVersion: v0.20.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 51ad642cf65adce9300b5ea390808246e8feeed0bcd81fbbb88e1b070a1238d2\nPackageHomePage: https://github.com/go-openapi/errors\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the github.com/mitchellh/mapstructure\n\nPackageName: github.com/mitchellh/mapstructure\nSPDXID: SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1\nPackageVersion: v1.4.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 3b17e495d6eceeb7e78bedaca087bcfc81f454c9a8dbce3ccec9071a0ecea479\nPackageHomePage: https://github.com/mitchellh/mapstructure\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/oklog/ulid\n\nPackageName: github.com/oklog/ulid\nSPDXID: SPDXRef-Package-github.com.oklog.ulid-v1.3.1\nPackageVersion: v1.3.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: d906eb8403330115effa40cdde3173f4187286eea72acd78a7f0383c437b875d\nPackageHomePage: https://github.com/oklog/ulid\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the go.mongodb.org/mongo-driver\n\nPackageName: go.mongodb.org/mongo-driver\nSPDXID: 
SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3\nPackageVersion: v1.5.3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: a4ccad268cfd8a059f9b68ccd6f1ca5ae83cdab8c974dad74d75e53b9748fcb9\nPackageHomePage: https://go.mongodb.org/mongo-driver\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-github.com.go-stack.stack-v1.8.0 \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-github.com.golang.snappy-v0.0.3 \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1 \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3 \nRelationship SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \n\n##### Package representing the github.com/go-stack/stack\n\nPackageName: github.com/go-stack/stack\nSPDXID: SPDXRef-Package-github.com.go-stack.stack-v1.8.0\nPackageVersion: 
v1.8.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: fd3f25fb63423cea94320198b7efaa88ed8e38cd2862f1be66b644e263c751d9\nPackageHomePage: https://github.com/go-stack/stack\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/go-openapi/strfmt\n\nPackageName: github.com/go-openapi/strfmt\nSPDXID: SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1\nPackageVersion: v0.20.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 60fb8854b5971069860ab2102510a7eb28790a49eb2fb9d1aeb98a3f34833525\nPackageHomePage: https://github.com/go-openapi/strfmt\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 \nRelationship SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.asaskevich.govalidator-v0.0.0-20210307081110-f21760c49a8d \nRelationship SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 \nRelationship SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.oklog.ulid-v1.3.1 \nRelationship SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship 
SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.go-stack.stack-v1.8.0 \nRelationship SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \n\n##### Package representing the github.com/josharian/intern\n\nPackageName: github.com/josharian/intern\nSPDXID: SPDXRef-Package-github.com.josharian.intern-v1.0.0\nPackageVersion: v1.0.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 02952b87b56340b825e2381df45a0b5eff5dd1bf290fdfada7dbe6e993a42076\nPackageHomePage: https://github.com/josharian/intern\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/mailru/easyjson\n\nPackageName: github.com/mailru/easyjson\nSPDXID: SPDXRef-Package-github.com.mailru.easyjson-v0.7.7\nPackageVersion: v0.7.7\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 827a48dc29ec1ff4c2b1ec78221db470416ed364dac6a878893e9d21cefa6918\nPackageHomePage: https://github.com/mailru/easyjson\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 DEPENDS_ON SPDXRef-Package-github.com.josharian.intern-v1.0.0 \n\n##### Package representing the gopkg.in/yaml.v2\n\nPackageName: gopkg.in/yaml.v2\nSPDXID: SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0\nPackageVersion: v2.4.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 3aed1e3fc7b0a044fb38213f8c11cb20d5b45fd673e45de14c537648c446e6be\nPackageHomePage: https://gopkg.in/yaml.v2\nPackageLicenseConcluded: 
NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/go-openapi/swag\n\nPackageName: github.com/go-openapi/swag\nSPDXID: SPDXRef-Package-github.com.go-openapi.swag-v0.19.15\nPackageVersion: v0.19.15\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e725f85ebbbcc1e303a950fe6dfb589e4a6003989316fda6ac5514b818bc0830\nPackageHomePage: https://github.com/go-openapi/swag\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the github.com/google/trillian\n\nPackageName: github.com/google/trillian\nSPDXID: SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f\nPackageVersion: v1.3.14-0.20210413093047-5e12fb368c8f\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 4dab9fd4947a0cb0710d75145cf7eeb32462b10c5a422170dff8aa54f0b64ae3\nPackageHomePage: https://github.com/google/trillian\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.olekukonko.tablewriter-v0.0.5 \nRelationship 
SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-model-v0.2.0 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-go.uber.org.zap-v1.16.0 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.mattn.go-runewidth-v0.0.9 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.spf13.cobra-v1.1.3 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-go.opencensus.io-v0.23.0 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-go.uber.org.multierr-v1.7.0 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship 
SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.gogo.protobuf-v1.3.2 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.spf13.pflag-v1.0.5 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-github.com.imdario.mergo-v0.3.9 \nRelationship SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f DEPENDS_ON SPDXRef-Package-google.golang.org.api-v0.46.0 \n\n##### Package representing the github.com/containerd/stargz-snapshotter/estargz\n\nPackageName: github.com/containerd/stargz-snapshotter/estargz\nSPDXID: SPDXRef-Package-github.com.containerd.stargz-snapshotter.estargz-v0.4.1\nPackageVersion: v0.4.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 
7c5efb46f869997b7bd0902b05024d6b3d8575e9d42a5ea11e37855aa8a8f8ae\nPackageHomePage: https://github.com/containerd/stargz-snapshotter/estargz\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.containerd.stargz-snapshotter.estargz-v0.4.1 DEPENDS_ON SPDXRef-Package-github.com.opencontainers.go-digest-v1.0.0 \nRelationship SPDXRef-Package-github.com.containerd.stargz-snapshotter.estargz-v0.4.1 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-github.com.containerd.stargz-snapshotter.estargz-v0.4.1 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \n\n##### Package representing the github.com/sigstore/sigstore\n\nPackageName: github.com/sigstore/sigstore\nSPDXID: SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64\nPackageVersion: v0.0.0-20210609084117-386ea718fc64\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: ce32f696897cc9eea099740ba18e1f2e345516f1c1a8ddf294c2662a7fca2c68\nPackageHomePage: https://github.com/sigstore/sigstore\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.google.go-containerregistry-v0.5.1 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship 
SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.asaskevich.govalidator-v0.0.0-20210307081110-f21760c49a8d \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.spf13.cobra-v1.1.3 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.pierrec.lz4-v2.6.0+incompatible \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.errwrap-v1.1.0 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 \nRelationship 
SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-gopkg.in.square.go-jose.v2-v2.5.1 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-multierror-v1.1.1 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-cleanhttp-v0.5.2 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.segmentio.ksuid-v1.0.3 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-cloud.google.com.go-v0.81.0 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.coreos.go-oidc.v3-v3.0.0 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 \nRelationship 
SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.go-homedir-v1.1.0 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.skratchdot.open-golang-v0.0.0-20200116055534-eef842397966 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.spf13.viper-v1.7.1 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-retryablehttp-v0.6.8 \nRelationship SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 DEPENDS_ON SPDXRef-Package-github.com.golang.snappy-v0.0.3 \n\n##### Package representing the github.com/go-openapi/runtime\n\nPackageName: github.com/go-openapi/runtime\nSPDXID: SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29\nPackageVersion: v0.19.29\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 06262c89eea66a0d240bb2e2dcf20608e29cee7d946804545266e2e195f0399c\nPackageHomePage: https://github.com/go-openapi/runtime\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON 
SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.opentracing.opentracing-go-v1.2.0 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.PuerkitoBio.purell-v1.1.1 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.asaskevich.govalidator-v0.0.0-20210307081110-f21760c49a8d \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON 
SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 \nRelationship SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \n\n##### Package representing the github.com/go-openapi/analysis\n\nPackageName: github.com/go-openapi/analysis\nSPDXID: SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1\nPackageVersion: v0.20.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 44e10c5f201ef8dd4a7700d7a8729665fe0b8e22a506c381cda0f1b95d2cbf7f\nPackageHomePage: https://github.com/go-openapi/analysis\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON 
SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.asaskevich.govalidator-v0.0.0-20210307081110-f21760c49a8d \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \n\n##### Package representing the github.com/go-openapi/jsonpointer\n\nPackageName: github.com/go-openapi/jsonpointer\nSPDXID: SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5\nPackageVersion: v0.19.5\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 1d3f0415980a62cec07254fc3e99ff4aebaa1f510b37968d6c44f7755520f3f0\nPackageHomePage: https://github.com/go-openapi/jsonpointer\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship 
SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the github.com/PuerkitoBio/urlesc\n\nPackageName: github.com/PuerkitoBio/urlesc\nSPDXID: SPDXRef-Package-github.com.PuerkitoBio.urlesc-v0.0.0-20170810143723-de5bf2ad4578\nPackageVersion: v0.0.0-20170810143723-de5bf2ad4578\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: cf5a45a083cd213c91fb7d67e61188f8eaa1d362903b9ec91d8cf8d2494a050e\nPackageHomePage: https://github.com/PuerkitoBio/urlesc\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the golang.org/x/text\n\nPackageName: golang.org/x/text\nSPDXID: SPDXRef-Package-golang.org.x.text-v0.3.6\nPackageVersion: v0.3.6\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: d880df5dea6c92d960d64f6fe6c27d88f226838eccbf4736497a5c9f1f7072fd\nPackageHomePage: https://golang.org/x/text\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the golang.org/x/net\n\nPackageName: golang.org/x/net\nSPDXID: SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5\nPackageVersion: v0.0.0-20210525063256-abc453219eb5\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 
7796fea5e6483954436c0df99da0a78100ee5157c3b2e8fd99dcdaf157e7e398\nPackageHomePage: https://golang.org/x/net\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 DEPENDS_ON SPDXRef-Package-golang.org.x.term-v0.0.0-20210615171337-6886f2dfbf5b \nRelationship SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \n\n##### Package representing the github.com/PuerkitoBio/purell\n\nPackageName: github.com/PuerkitoBio/purell\nSPDXID: SPDXRef-Package-github.com.PuerkitoBio.purell-v1.1.1\nPackageVersion: v1.1.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 8c01b4b8b4e77bd82080a9a2072c7a9b8539d43b88cd419ee9dc3a04d4b905e0\nPackageHomePage: https://github.com/PuerkitoBio/purell\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/go-openapi/jsonreference\n\nPackageName: github.com/go-openapi/jsonreference\nSPDXID: SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5\nPackageVersion: v0.19.5\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: c9b645f4b15ac8886ae3f1f2ce467af096ecc6b74d0c89cfcb044ec90a05161a\nPackageHomePage: 
https://github.com/go-openapi/jsonreference\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.PuerkitoBio.urlesc-v0.0.0-20170810143723-de5bf2ad4578 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.PuerkitoBio.purell-v1.1.1 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 \n\n##### Package representing the github.com/go-openapi/spec\n\nPackageName: github.com/go-openapi/spec\nSPDXID: SPDXRef-Package-github.com.go-openapi.spec-v0.20.3\nPackageVersion: v0.20.3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: de8a34d1f7e6459c9343a159264930fcc394d1cf38d33505638e5713306cf684\nPackageHomePage: https://github.com/go-openapi/spec\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: 
NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-github.com.PuerkitoBio.purell-v1.1.1 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-github.com.PuerkitoBio.urlesc-v0.0.0-20170810143723-de5bf2ad4578 \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \n\n##### Package representing the github.com/go-openapi/loads\n\nPackageName: github.com/go-openapi/loads\nSPDXID: SPDXRef-Package-github.com.go-openapi.loads-v0.20.2\nPackageVersion: v0.20.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: 
NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 93af64986aaf16f34f4a9fb02445573eda636219ecf4e5c03eece7d4b05a1231\nPackageHomePage: https://github.com/go-openapi/loads\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.jsonreference-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.asaskevich.govalidator-v0.0.0-20210307081110-f21760c49a8d \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship 
SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.PuerkitoBio.purell-v1.1.1 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.PuerkitoBio.urlesc-v0.0.0-20170810143723-de5bf2ad4578 \n\n##### Package representing the github.com/go-openapi/validate\n\nPackageName: github.com/go-openapi/validate\nSPDXID: SPDXRef-Package-github.com.go-openapi.validate-v0.20.2\nPackageVersion: v0.20.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 57a89cb5a4af0a5df24c668749126006f2c0beb29e77d6915cdf54f07f1671b4\nPackageHomePage: https://github.com/go-openapi/validate\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.asaskevich.govalidator-v0.0.0-20210307081110-f21760c49a8d \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 
\nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-go.mongodb.org.mongo-driver-v1.5.3 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.analysis-v0.20.1 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.jsonpointer-v0.19.5 \nRelationship SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 \n\n##### Package representing the github.com/opentracing/opentracing-go\n\nPackageName: github.com/opentracing/opentracing-go\nSPDXID: SPDXRef-Package-github.com.opentracing.opentracing-go-v1.2.0\nPackageVersion: v1.2.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: dceb5ae504b6c9ad9d36469642fa86f586698d17cc5fd156f9019c688a6b246d\nPackageHomePage: https://github.com/opentracing/opentracing-go\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/go-playground/locales\n\nPackageName: github.com/go-playground/locales\nSPDXID: 
SPDXRef-Package-github.com.go-playground.locales-v0.13.0\nPackageVersion: v0.13.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 5d0fbcd46768d469dcb9c098b5332a765f0ba65aeb4d46837f3a58aadf2d5f7c\nPackageHomePage: https://github.com/go-playground/locales\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-playground.locales-v0.13.0 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \n\n##### Package representing the github.com/go-playground/universal-translator\n\nPackageName: github.com/go-playground/universal-translator\nSPDXID: SPDXRef-Package-github.com.go-playground.universal-translator-v0.17.0\nPackageVersion: v0.17.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e4729059a54c41612abd564f297f8b81c23a652da796a100243904de0621e292\nPackageHomePage: https://github.com/go-playground/universal-translator\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.go-playground.universal-translator-v0.17.0 DEPENDS_ON SPDXRef-Package-github.com.go-playground.locales-v0.13.0 \n\n##### Package representing the github.com/leodido/go-urn\n\nPackageName: github.com/leodido/go-urn\nSPDXID: SPDXRef-Package-github.com.leodido.go-urn-v1.2.1\nPackageVersion: v1.2.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 9ddea28cd322b11a0794bdbc9ef7c08e2e0a5756536c1e16dacfa5a2dacc1ed4\nPackageHomePage: https://github.com/leodido/go-urn\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: 
NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/go-playground/validator\n\nPackageName: github.com/go-playground/validator\nSPDXID: SPDXRef-Package-github.com.go-playground.validator-v9.31.0+incompatible\nPackageVersion: v9.31.0+incompatible\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: f408f3474f4e7fc4db8a260b696a4907cd03fecf1e216aca2304230e1514392d\nPackageHomePage: https://github.com/go-playground/validator\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/mitchellh/go-homedir\n\nPackageName: github.com/mitchellh/go-homedir\nSPDXID: SPDXRef-Package-github.com.mitchellh.go-homedir-v1.1.0\nPackageVersion: v1.1.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 756f9483a6678379c27563b85c209466b5b22c2006c88ece4ac5eb122edf05e7\nPackageHomePage: https://github.com/mitchellh/go-homedir\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/spf13/pflag\n\nPackageName: github.com/spf13/pflag\nSPDXID: SPDXRef-Package-github.com.spf13.pflag-v1.0.5\nPackageVersion: v1.0.5\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 1da4c58c01b8de4af39bf5292cf75da8788105be7316cf33bfb9083bd7cc0f68\nPackageHomePage: https://github.com/spf13/pflag\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the 
github.com/spf13/cobra\n\nPackageName: github.com/spf13/cobra\nSPDXID: SPDXRef-Package-github.com.spf13.cobra-v1.1.3\nPackageVersion: v1.1.3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 13dae614a8a2f787f92a9e954ca6e630257bb651bd16bb47db56cd9307682759\nPackageHomePage: https://github.com/spf13/cobra\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.spf13.cobra-v1.1.3 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.go-homedir-v1.1.0 \nRelationship SPDXRef-Package-github.com.spf13.cobra-v1.1.3 DEPENDS_ON SPDXRef-Package-github.com.spf13.pflag-v1.0.5 \nRelationship SPDXRef-Package-github.com.spf13.cobra-v1.1.3 DEPENDS_ON SPDXRef-Package-github.com.spf13.viper-v1.7.1 \nRelationship SPDXRef-Package-github.com.spf13.cobra-v1.1.3 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \n\n##### Package representing the golang.org/x/sys\n\nPackageName: golang.org/x/sys\nSPDXID: SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1\nPackageVersion: v0.0.0-20210615035016-665e8c7367d1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 094383cb925a141474b7d2dcff3d41acda43f0054ad69c3edf280dd185ddb14d\nPackageHomePage: https://golang.org/x/sys\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/fsnotify/fsnotify\n\nPackageName: github.com/fsnotify/fsnotify\nSPDXID: SPDXRef-Package-github.com.fsnotify.fsnotify-v1.4.9\nPackageVersion: v1.4.9\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 
5f5fc2b994c0deb384de9002d35c224d469876760f4380d19fda6831c69ee708\nPackageHomePage: https://github.com/fsnotify/fsnotify\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.fsnotify.fsnotify-v1.4.9 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \n\n##### Package representing the github.com/hashicorp/hcl\n\nPackageName: github.com/hashicorp/hcl\nSPDXID: SPDXRef-Package-github.com.hashicorp.hcl-v1.0.0\nPackageVersion: v1.0.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 895bcea8d965251000f22fadd48cfafbe9540fd5d1bb53a412df05f4eb9ee209\nPackageHomePage: https://github.com/hashicorp/hcl\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.hashicorp.hcl-v1.0.0 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the github.com/magiconair/properties\n\nPackageName: github.com/magiconair/properties\nSPDXID: SPDXRef-Package-github.com.magiconair.properties-v1.8.5\nPackageVersion: v1.8.5\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 8279b773031b12daaff1682a11727d765b41ea7f8ba07d82f41c2151dabf50cf\nPackageHomePage: https://github.com/magiconair/properties\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/pelletier/go-toml\n\nPackageName: github.com/pelletier/go-toml\nSPDXID: SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3\nPackageVersion: v1.9.3\nPackageSupplier: 
NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: f21c71d15e543d7bf5ab0de02b01d438920f9cf8c82f6e0eea6ebf4e2f71dfca\nPackageHomePage: https://github.com/pelletier/go-toml\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \n\n##### Package representing the github.com/spf13/afero\n\nPackageName: github.com/spf13/afero\nSPDXID: SPDXRef-Package-github.com.spf13.afero-v1.6.0\nPackageVersion: v1.6.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 0ad525eccf932adf4198a0f145cf92b2ee2dde1f372115a082060411ebc02567\nPackageHomePage: https://github.com/spf13/afero\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.spf13.afero-v1.6.0 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.spf13.afero-v1.6.0 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \n\n##### Package representing the github.com/spf13/cast\n\nPackageName: github.com/spf13/cast\nSPDXID: SPDXRef-Package-github.com.spf13.cast-v1.3.1\nPackageVersion: v1.3.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 62b31a6b804bd52025bc90c20ebfb9330cc7d6d763fbdc4275daf18351526921\nPackageHomePage: https://github.com/spf13/cast\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: 
NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.spf13.cast-v1.3.1 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the github.com/spf13/jwalterweatherman\n\nPackageName: github.com/spf13/jwalterweatherman\nSPDXID: SPDXRef-Package-github.com.spf13.jwalterweatherman-v1.1.0\nPackageVersion: v1.1.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 3a1bde328c7d9a65571ab45c07aedcc3a5ef9259fba27695e8b9b1e74332fd2b\nPackageHomePage: https://github.com/spf13/jwalterweatherman\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.spf13.jwalterweatherman-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the github.com/subosito/gotenv\n\nPackageName: github.com/subosito/gotenv\nSPDXID: SPDXRef-Package-github.com.subosito.gotenv-v1.2.0\nPackageVersion: v1.2.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 100a4810859d117550e36abab7faacf5469ec9a5063af11c2eaf515e4788250f\nPackageHomePage: https://github.com/subosito/gotenv\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the gopkg.in/ini.v1\n\nPackageName: gopkg.in/ini.v1\nSPDXID: SPDXRef-Package-gopkg.in.ini.v1-v1.62.0\nPackageVersion: v1.62.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: cc6da295ac6329f0763b4d19e87016b801b044bf966e77dbe27bea5b7923d6d7\nPackageHomePage: https://gopkg.in/ini.v1\nPackageLicenseConcluded: 
NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/spf13/viper\n\nPackageName: github.com/spf13/viper\nSPDXID: SPDXRef-Package-github.com.spf13.viper-v1.7.1\nPackageVersion: v1.7.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 46ff1c376bdd16a5b299764c028eceeb618852e1e0b08e50d000e54e12000410\nPackageHomePage: https://github.com/spf13/viper\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.golang.groupcache-v0.0.0-20210331224755-41bb18bfe9da \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.spf13.cast-v1.3.1 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.subosito.gotenv-v1.2.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-go.uber.org.atomic-v1.7.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.spf13.jwalterweatherman-v1.1.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON 
SPDXRef-Package-github.com.fsnotify.fsnotify-v1.4.9 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.gogo.protobuf-v1.3.2 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.spf13.afero-v1.6.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.magiconair.properties-v1.8.5 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-gopkg.in.ini.v1-v1.62.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-go.uber.org.multierr-v1.7.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-go.uber.org.zap-v1.16.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.hcl-v1.0.0 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3 \nRelationship SPDXRef-Package-github.com.spf13.viper-v1.7.1 DEPENDS_ON SPDXRef-Package-github.com.spf13.pflag-v1.0.5 \n\n##### Package representing the github.com/sigstore/rekor\n\nPackageName: github.com/sigstore/rekor\nSPDXID: SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6\nPackageVersion: 
v0.1.2-0.20210519014330-b5480728bde6\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 80f722ace48bbeb352bdf56fc02058f966d5cf924243194631b322f93a0208df\nPackageHomePage: https://github.com/sigstore/rekor\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.blang.semver-v3.5.1+incompatible \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.cavaliercoder.go-rpm-v0.0.0-20200122174316-8cb9fd9c31a8 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.howeyc.gopass-v0.0.0-20190910152052-7cb4b85ec19c \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.spf13.afero-v1.6.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.spf13.cast-v1.3.1 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-chi.chi-v4.1.2+incompatible \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship 
SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.ghodss.yaml-v1.0.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-playground.validator-v9.31.0+incompatible \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-go.uber.org.zap-v1.16.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.magiconair.properties-v1.8.5 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.spf13.jwalterweatherman-v1.1.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship 
SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-gopkg.in.ini.v1-v1.62.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.asaskevich.govalidator-v0.0.0-20210307081110-f21760c49a8d \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.jedisct1.go-minisign-v0.0.0-20210414164026-819d7e2534ac \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.spf13.pflag-v1.0.5 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.zalando.go-keyring-v0.1.1 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-golang.org.x.term-v0.0.0-20210615171337-6886f2dfbf5b \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.cyberphone.json-canonicalization-v0.0.0-20210303052042-6bc126869bf4 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON 
SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.sigstore.sigstore-v0.0.0-20210609084117-386ea718fc64 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.spf13.viper-v1.7.1 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.go-homedir-v1.1.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.sassoftware.relic-v7.2.1+incompatible \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.spf13.cobra-v1.1.3 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON 
SPDXRef-Package-google.golang.org.grpc-v1.38.0 \nRelationship SPDXRef-Package-github.com.sigstore.rekor-v0.1.2-0.20210519014330-b5480728bde6 DEPENDS_ON SPDXRef-Package-github.com.fsnotify.fsnotify-v1.4.9 \n\n##### Package representing the github.com/google/certificate-transparency-go\n\nPackageName: github.com/google/certificate-transparency-go\nSPDXID: SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1\nPackageVersion: v1.1.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 095ae65cdc8f710c01a841546db2d13d47decc49a7270c94e86351ef3a0cad8f\nPackageHomePage: https://github.com/google/certificate-transparency-go\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.golang.groupcache-v0.0.0-20210331224755-41bb18bfe9da \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.google.trillian-v1.3.14-0.20210413093047-5e12fb368c8f \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.spf13.cobra-v1.1.3 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-google.golang.org.api-v0.46.0 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.mattn.go-runewidth-v0.0.9 \nRelationship 
SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-go.uber.org.multierr-v1.7.0 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-go.uber.org.zap-v1.16.0 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.olekukonko.tablewriter-v0.0.5 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-go.uber.org.atomic-v1.7.0 \nRelationship SPDXRef-Package-github.com.google.certificate-transparency-go-v1.1.1 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \n\n##### Package representing the google.golang.org/protobuf\n\nPackageName: google.golang.org/protobuf\nSPDXID: SPDXRef-Package-google.golang.org.protobuf-v1.26.0\nPackageVersion: v1.26.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 121dc87761410a8622800b896b6f77b5b8ce26bd2484bcf85c8d6fd177116df1\nPackageHomePage: https://google.golang.org/protobuf\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: 
NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-google.golang.org.protobuf-v1.26.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-google.golang.org.protobuf-v1.26.0 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-google.golang.org.protobuf-v1.26.0 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \n\n##### Package representing the github.com/golang/protobuf\n\nPackageName: github.com/golang/protobuf\nSPDXID: SPDXRef-Package-github.com.golang.protobuf-v1.5.2\nPackageVersion: v1.5.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 6f2a16bbef47f86415aa7ab887df08d30c1d4e79917c370fe163dbf5b8bde6b8\nPackageHomePage: https://github.com/golang/protobuf\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.golang.protobuf-v1.5.2 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-github.com.golang.protobuf-v1.5.2 DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \n\n##### Package representing the google.golang.org/genproto\n\nPackageName: google.golang.org/genproto\nSPDXID: SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced\nPackageVersion: v0.0.0-20210617175327-b9e0b3197ced\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: fb5b2471725d8be3b0a0d39775d6379681c484e5320f1c28007c425e0dccda4c\nPackageHomePage: https://google.golang.org/genproto\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: 
NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \n\n##### Package representing the google.golang.org/grpc\n\nPackageName: google.golang.org/grpc\nSPDXID: SPDXRef-Package-google.golang.org.grpc-v1.38.0\nPackageVersion: v1.38.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 28897ebd9d678ee15f24ce7808810c9c1ae39317687b00a4bb5555ae1627ee8d\nPackageHomePage: https://google.golang.org/grpc\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON 
SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-cloud.google.com.go-v0.81.0 \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-github.com.gogo.protobuf-v1.3.2 \nRelationship SPDXRef-Package-google.golang.org.grpc-v1.38.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \n\n##### Package representing the github.com/go-chi/chi\n\nPackageName: github.com/go-chi/chi\nSPDXID: SPDXRef-Package-github.com.go-chi.chi-v4.1.2+incompatible\nPackageVersion: v4.1.2+incompatible\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 6c946a8dec9d21da32b4210fa7978a5cb94dfc2b1fb036486163d2da9c089ff9\nPackageHomePage: https://github.com/go-chi/chi\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the go.uber.org/atomic\n\nPackageName: go.uber.org/atomic\nSPDXID: SPDXRef-Package-go.uber.org.atomic-v1.7.0\nPackageVersion: 
v1.7.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 82f23ad2d95732cc976adb89249921f6115a4dd137b10fd3032b1bd71474c7f5\nPackageHomePage: https://go.uber.org/atomic\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-go.uber.org.atomic-v1.7.0 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the go.uber.org/multierr\n\nPackageName: go.uber.org/multierr\nSPDXID: SPDXRef-Package-go.uber.org.multierr-v1.7.0\nPackageVersion: v1.7.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 4bb6aa0b6cfb40ba982ee2226c46e4c582181690d25a68e8656b44e5013caeca\nPackageHomePage: https://go.uber.org/multierr\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-go.uber.org.multierr-v1.7.0 DEPENDS_ON SPDXRef-Package-go.uber.org.atomic-v1.7.0 \n\n##### Package representing the go.uber.org/zap\n\nPackageName: go.uber.org/zap\nSPDXID: SPDXRef-Package-go.uber.org.zap-v1.16.0\nPackageVersion: v1.16.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: cfd512fe5f2bc6c885d192cbe1db866a46527acce9adebaf598e8928418b9c08\nPackageHomePage: https://go.uber.org/zap\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-go.uber.org.zap-v1.16.0 DEPENDS_ON SPDXRef-Package-go.uber.org.multierr-v1.7.0 \nRelationship SPDXRef-Package-go.uber.org.zap-v1.16.0 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 
\nRelationship SPDXRef-Package-go.uber.org.zap-v1.16.0 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-go.uber.org.zap-v1.16.0 DEPENDS_ON SPDXRef-Package-go.uber.org.atomic-v1.7.0 \n\n##### Package representing the github.com/blang/semver\n\nPackageName: github.com/blang/semver\nSPDXID: SPDXRef-Package-github.com.blang.semver-v3.5.1+incompatible\nPackageVersion: v3.5.1+incompatible\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 668ac29febf2c8c7e99d84eb10030d39ca9042980df35475ef75ea1b5145d258\nPackageHomePage: https://github.com/blang/semver\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the golang.org/x/term\n\nPackageName: golang.org/x/term\nSPDXID: SPDXRef-Package-golang.org.x.term-v0.0.0-20210615171337-6886f2dfbf5b\nPackageVersion: v0.0.0-20210615171337-6886f2dfbf5b\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 8ee37192f7d4533352609092a0ce86b686643bae42cb6eb70eeaa09b46a50666\nPackageHomePage: https://golang.org/x/term\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-golang.org.x.term-v0.0.0-20210615171337-6886f2dfbf5b DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \n\n##### Package representing the golang.org/x/crypto\n\nPackageName: golang.org/x/crypto\nSPDXID: SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e\nPackageVersion: v0.0.0-20210616213533-5ff15b29337e\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 
711b1960550951ba9f896f4a6cf9b9277385e2acc66930be13a94323edd1c81f\nPackageHomePage: https://golang.org/x/crypto\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e DEPENDS_ON SPDXRef-Package-golang.org.x.term-v0.0.0-20210615171337-6886f2dfbf5b \nRelationship SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \n\n##### Package representing the github.com/howeyc/gopass\n\nPackageName: github.com/howeyc/gopass\nSPDXID: SPDXRef-Package-github.com.howeyc.gopass-v0.0.0-20190910152052-7cb4b85ec19c\nPackageVersion: v0.0.0-20190910152052-7cb4b85ec19c\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 9d00d401b09f8d272a15d65b242541ed5acbf7b91a9dda6a75e58e5e1248f79f\nPackageHomePage: https://github.com/howeyc/gopass\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/zalando/go-keyring\n\nPackageName: github.com/zalando/go-keyring\nSPDXID: SPDXRef-Package-github.com.zalando.go-keyring-v0.1.1\nPackageVersion: v0.1.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 8a3f321827a4aeb85811bae37d83c6e438242a888f45552e22b596e8285168c3\nPackageHomePage: 
https://github.com/zalando/go-keyring\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/sassoftware/relic\n\nPackageName: github.com/sassoftware/relic\nSPDXID: SPDXRef-Package-github.com.sassoftware.relic-v7.2.1+incompatible\nPackageVersion: v7.2.1+incompatible\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 1ba58336c70227b09e6b95fee0fe3dd77e3e7e75538635595eb8caba7788eadb\nPackageHomePage: https://github.com/sassoftware/relic\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/jedisct1/go-minisign\n\nPackageName: github.com/jedisct1/go-minisign\nSPDXID: SPDXRef-Package-github.com.jedisct1.go-minisign-v0.0.0-20210414164026-819d7e2534ac\nPackageVersion: v0.0.0-20210414164026-819d7e2534ac\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 5c51edc535c9ef254999ddd03ca153a667e97ceebc9d78810dd74407186dd5c6\nPackageHomePage: https://github.com/jedisct1/go-minisign\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.jedisct1.go-minisign-v0.0.0-20210414164026-819d7e2534ac DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \n\n##### Package representing the github.com/ghodss/yaml\n\nPackageName: github.com/ghodss/yaml\nSPDXID: SPDXRef-Package-github.com.ghodss.yaml-v1.0.0\nPackageVersion: v1.0.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 
8a601d3cc973a9e45f3c1c56f28377edf7d28cabaaca1668dce782c4607afdaa\nPackageHomePage: https://github.com/ghodss/yaml\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/cavaliercoder/go-rpm\n\nPackageName: github.com/cavaliercoder/go-rpm\nSPDXID: SPDXRef-Package-github.com.cavaliercoder.go-rpm-v0.0.0-20200122174316-8cb9fd9c31a8\nPackageVersion: v0.0.0-20200122174316-8cb9fd9c31a8\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 57cfc0c523cf3587fa4bc6430836c8da25b057b26826fb08b5d8b80964ae4ced\nPackageHomePage: https://github.com/cavaliercoder/go-rpm\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/googleapis/gax-go/v2\n\nPackageName: github.com/googleapis/gax-go/v2\nSPDXID: SPDXRef-Package-github.com.googleapis.gax-go.v2-v2.0.5\nPackageVersion: v2.0.5\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: b8b7e67cfe0beb74db70984ea7278c8a2644f7190000b0230a603cf73db9be94\nPackageHomePage: https://github.com/googleapis/gax-go/v2\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.googleapis.gax-go.v2-v2.0.5 DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \n\n##### Package representing the cloud.google.com/go\n\nPackageName: cloud.google.com/go\nSPDXID: SPDXRef-Package-cloud.google.com.go-v0.81.0\nPackageVersion: v0.81.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 
459733de8ac4d0d69eba97f5e4f4050395c9d9d05e6cba633e9247c7588232e9\nPackageHomePage: https://cloud.google.com/go\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-go.opencensus.io-v0.23.0 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-github.com.googleapis.gax-go.v2-v2.0.5 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-google.golang.org.api-v0.46.0 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-github.com.golang.groupcache-v0.0.0-20210331224755-41bb18bfe9da \nRelationship 
SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-cloud.google.com.go-v0.81.0 DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \n\n##### Package representing the google.golang.org/api\n\nPackageName: google.golang.org/api\nSPDXID: SPDXRef-Package-google.golang.org.api-v0.46.0\nPackageVersion: v0.46.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 9c27d3b7b736de1570971331811b59458ba57cf5d2cb57263c5c1b9cc1c4c474\nPackageHomePage: https://google.golang.org/api\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-go.opencensus.io-v0.23.0 \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-cloud.google.com.go-v0.81.0 \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-github.com.googleapis.gax-go.v2-v2.0.5 \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \nRelationship 
SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-google.golang.org.api-v0.46.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \n\n##### Package representing the golang.org/x/oauth2\n\nPackageName: golang.org/x/oauth2\nSPDXID: SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c\nPackageVersion: v0.0.0-20210514164344-f6687ab2804c\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 334a2a1b320de68c665dfdb61282dad09b343cd93b494ac1241522898bf253d3\nPackageHomePage: https://golang.org/x/oauth2\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c DEPENDS_ON SPDXRef-Package-cloud.google.com.go-v0.81.0 \nRelationship SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \n\n##### Package representing the go.opencensus.io\n\nPackageName: go.opencensus.io\nSPDXID: SPDXRef-Package-go.opencensus.io-v0.23.0\nPackageVersion: v0.23.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 7c86fbad22be2d27398183a1288e4c2aabd20d14271492cd47651f23d3139bd6\nPackageHomePage: https://go.opencensus.io\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: 
NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-google.golang.org.api-v0.46.0 \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-github.com.golang.groupcache-v0.0.0-20210331224755-41bb18bfe9da \nRelationship SPDXRef-Package-go.opencensus.io-v0.23.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \n\n##### Package representing the github.com/golang/groupcache\n\nPackageName: github.com/golang/groupcache\nSPDXID: SPDXRef-Package-github.com.golang.groupcache-v0.0.0-20210331224755-41bb18bfe9da\nPackageVersion: v0.0.0-20210331224755-41bb18bfe9da\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 03f65147877c2e0084097490c88ede91762bc954dd9dcf77ddaf822ffc1ac168\nPackageHomePage: https://github.com/golang/groupcache\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: 
NOASSERTION\n\n##### Package representing the github.com/google/go-cmp\n\nPackageName: github.com/google/go-cmp\nSPDXID: SPDXRef-Package-github.com.google.go-cmp-v0.5.6\nPackageVersion: v0.5.6\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e95afd232d9a38271d4252ccccc027ddc13aaea55345ca12be0df6462bb75687\nPackageHomePage: https://github.com/google/go-cmp\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/hashicorp/errwrap\n\nPackageName: github.com/hashicorp/errwrap\nSPDXID: SPDXRef-Package-github.com.hashicorp.errwrap-v1.1.0\nPackageVersion: v1.1.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 047a321b836f7f66764f46fc2887ac21a3eac0b22b6c8fb8896fab7db6da622f\nPackageHomePage: https://github.com/hashicorp/errwrap\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/hashicorp/go-cleanhttp\n\nPackageName: github.com/hashicorp/go-cleanhttp\nSPDXID: SPDXRef-Package-github.com.hashicorp.go-cleanhttp-v0.5.2\nPackageVersion: v0.5.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 850ecf5976cd640a31d2c94b7fe0fddeb3b40186965f372ad54a254e3bd0dd8f\nPackageHomePage: https://github.com/hashicorp/go-cleanhttp\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/hashicorp/go-multierror\n\nPackageName: github.com/hashicorp/go-multierror\nSPDXID: 
SPDXRef-Package-github.com.hashicorp.go-multierror-v1.1.1\nPackageVersion: v1.1.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: f903a790c3fd699e65977baa2c4bb911282266395b92a232e0ceeafc38b1eaf2\nPackageHomePage: https://github.com/hashicorp/go-multierror\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.hashicorp.go-multierror-v1.1.1 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.errwrap-v1.1.0 \n\n##### Package representing the github.com/hashicorp/go-retryablehttp\n\nPackageName: github.com/hashicorp/go-retryablehttp\nSPDXID: SPDXRef-Package-github.com.hashicorp.go-retryablehttp-v0.6.8\nPackageVersion: v0.6.8\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 7b1c176e794c9eac1776346636ac0f6a6e4b592a092d6263d518e2a230d7461c\nPackageHomePage: https://github.com/hashicorp/go-retryablehttp\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.hashicorp.go-retryablehttp-v0.6.8 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-cleanhttp-v0.5.2 \n\n##### Package representing the github.com/hashicorp/go-rootcerts\n\nPackageName: github.com/hashicorp/go-rootcerts\nSPDXID: SPDXRef-Package-github.com.hashicorp.go-rootcerts-v1.0.2\nPackageVersion: v1.0.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: d42cdbf7b568f432127ee9d549060acbfb08ab2a527d059e0e12e84224d9b590\nPackageHomePage: https://github.com/hashicorp/go-rootcerts\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: 
NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.hashicorp.go-rootcerts-v1.0.2 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.go-homedir-v1.1.0 \n\n##### Package representing the github.com/hashicorp/vault/sdk\n\nPackageName: github.com/hashicorp/vault/sdk\nSPDXID: SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0\nPackageVersion: v0.2.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 21e28009edebedb97dc5fc5d340838c747e25934dc1606af952be083cd9c6c66\nPackageHomePage: https://github.com/hashicorp/vault/sdk\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.errwrap-v1.1.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-cleanhttp-v0.5.2 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.opencontainers.image-spec-v1.0.1 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.pierrec.lz4-v2.6.0+incompatible \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.docker.distribution-v2.7.1+incompatible \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.gorilla.mux-v1.8.0 \nRelationship 
SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.opencontainers.go-digest-v1.0.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-sockaddr-v1.0.2 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.ryanuber.go-glob-v1.0.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.docker.docker-v1.4.2-0.20200319182547-c7ad2b866182 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-multierror-v1.1.1 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.hcl-v1.0.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-google.golang.org.grpc-v1.38.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON 
SPDXRef-Package-gopkg.in.square.go-jose.v2-v2.5.1 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.golang.snappy-v0.0.3 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-retryablehttp-v0.6.8 \n\n##### Package representing the github.com/golang/snappy\n\nPackageName: github.com/golang/snappy\nSPDXID: SPDXRef-Package-github.com.golang.snappy-v0.0.3\nPackageVersion: v0.0.3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: ec86cb9791c62c2bc5f0f9dd332d61198c4cf6f40818e67135a45cde051b40b4\nPackageHomePage: https://github.com/golang/snappy\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/pierrec/lz4\n\nPackageName: github.com/pierrec/lz4\nSPDXID: SPDXRef-Package-github.com.pierrec.lz4-v2.6.0+incompatible\nPackageVersion: v2.6.0+incompatible\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 4de292b0e083fe4176c7b02ae284a4b4c24c88744cfa0398f94b0d2229184192\nPackageHomePage: https://github.com/pierrec/lz4\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/hashicorp/go-sockaddr\n\nPackageName: github.com/hashicorp/go-sockaddr\nSPDXID: SPDXRef-Package-github.com.hashicorp.go-sockaddr-v1.0.2\nPackageVersion: v1.0.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 3b91d4c2b863af23838e2f6b983ffe9c2cf4741995ce97e6ecf781876443ccc9\nPackageHomePage: https://github.com/hashicorp/go-sockaddr\nPackageLicenseConcluded: 
NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.hashicorp.go-sockaddr-v1.0.2 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.errwrap-v1.1.0 \n\n##### Package representing the github.com/ryanuber/go-glob\n\nPackageName: github.com/ryanuber/go-glob\nSPDXID: SPDXRef-Package-github.com.ryanuber.go-glob-v1.0.0\nPackageVersion: v1.0.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e4a59b9bcddd0bfaebb26f2cd34aae2c85f80acf9d97c5cc6e98a262a3deefbd\nPackageHomePage: https://github.com/ryanuber/go-glob\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the golang.org/x/time\n\nPackageName: golang.org/x/time\nSPDXID: SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba\nPackageVersion: v0.0.0-20210220033141-f8bda1e9f3ba\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 9eb556e6f8c487b07629dbd90cf04320501894e9f491d2a22b89593e28e24df2\nPackageHomePage: https://golang.org/x/time\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the gopkg.in/square/go-jose.v2\n\nPackageName: gopkg.in/square/go-jose.v2\nSPDXID: SPDXRef-Package-gopkg.in.square.go-jose.v2-v2.5.1\nPackageVersion: v2.5.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: b35860f881c48c56d045f6600a446bc8ccb4d849932abdb2a4b5bb8d3efd14a2\nPackageHomePage: https://gopkg.in/square/go-jose.v2\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: 
NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/hashicorp/vault/api\n\nPackageName: github.com/hashicorp/vault/api\nSPDXID: SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0\nPackageVersion: v1.1.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 7384684d18b6cdf97e9ac93b246657168a65f656a5ef7501e5972de8f20b25b6\nPackageHomePage: https://github.com/hashicorp/vault/api\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-cleanhttp-v0.5.2 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-multierror-v1.1.1 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-retryablehttp-v0.6.8 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.go-rootcerts-v1.0.2 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.vault.sdk-v0.2.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.errwrap-v1.1.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.hashicorp.hcl-v1.0.0 \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship 
SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship SPDXRef-Package-github.com.hashicorp.vault.api-v1.1.0 DEPENDS_ON SPDXRef-Package-gopkg.in.square.go-jose.v2-v2.5.1 \n\n##### Package representing the github.com/theupdateframework/go-tuf\n\nPackageName: github.com/theupdateframework/go-tuf\nSPDXID: SPDXRef-Package-github.com.theupdateframework.go-tuf-v0.0.0-20201230183259-aee6270feb55\nPackageVersion: v0.0.0-20201230183259-aee6270feb55\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: ed391d786e0359002979453c3fc82a8eadf5e3e275ef4a15027a9e9147644262\nPackageHomePage: https://github.com/theupdateframework/go-tuf\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.theupdateframework.go-tuf-v0.0.0-20201230183259-aee6270feb55 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \n\n##### Package representing the github.com/coreos/go-oidc/v3\n\nPackageName: github.com/coreos/go-oidc/v3\nSPDXID: SPDXRef-Package-github.com.coreos.go-oidc.v3-v3.0.0\nPackageVersion: v3.0.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 9b01858cab936242c2c4957f7c158cd678af5eb7151bd2af80f33eef9ec12ad2\nPackageHomePage: https://github.com/coreos/go-oidc/v3\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.coreos.go-oidc.v3-v3.0.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.coreos.go-oidc.v3-v3.0.0 DEPENDS_ON 
SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \nRelationship SPDXRef-Package-github.com.coreos.go-oidc.v3-v3.0.0 DEPENDS_ON SPDXRef-Package-gopkg.in.square.go-jose.v2-v2.5.1 \nRelationship SPDXRef-Package-github.com.coreos.go-oidc.v3-v3.0.0 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \n\n##### Package representing the github.com/sigstore/fulcio\n\nPackageName: github.com/sigstore/fulcio\nSPDXID: SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca\nPackageVersion: v0.0.0-20210405115948-e7630f533fca\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e9fed9477691b8fbffc2f6bef6ca60b9f167db0cb53898280b49cfd930a54e05\nPackageHomePage: https://github.com/sigstore/fulcio\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-google.golang.org.genproto-v0.0.0-20210617175327-b9e0b3197ced \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-go.uber.org.zap-v1.16.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.pelletier.go-toml-v1.9.3 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-cloud.google.com.go-v0.81.0 \nRelationship 
SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.go-openapi.loads-v0.20.2 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.go-openapi.errors-v0.20.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.go-openapi.strfmt-v0.20.1 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.mailru.easyjson-v0.7.7 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.spf13.afero-v1.6.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.spf13.jwalterweatherman-v1.1.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.spf13.cobra-v1.1.3 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.mitchellh.mapstructure-v1.4.1 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.go-openapi.spec-v0.20.3 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.go-openapi.runtime-v0.19.29 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.spf13.viper-v1.7.1 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON 
SPDXRef-Package-github.com.go-openapi.swag-v0.19.15 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.go-chi.chi-v4.1.2+incompatible \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.fsnotify.fsnotify-v1.4.9 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.coreos.go-oidc.v3-v3.0.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.magiconair.properties-v1.8.5 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.segmentio.ksuid-v1.0.3 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.mitchellh.go-homedir-v1.1.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-gopkg.in.ini.v1-v1.62.0 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.spf13.pflag-v1.0.5 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.spf13.cast-v1.3.1 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.skratchdot.open-golang-v0.0.0-20200116055534-eef842397966 \nRelationship SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-github.com.go-openapi.validate-v0.20.2 \nRelationship 
SPDXRef-Package-github.com.sigstore.fulcio-v0.0.0-20210405115948-e7630f533fca DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \n\n##### Package representing the github.com/segmentio/ksuid\n\nPackageName: github.com/segmentio/ksuid\nSPDXID: SPDXRef-Package-github.com.segmentio.ksuid-v1.0.3\nPackageVersion: v1.0.3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 58179fe001a088e616b1848aec64d6fd5c8a8e79e88856e58812b58f3835500d\nPackageHomePage: https://github.com/segmentio/ksuid\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/skratchdot/open-golang\n\nPackageName: github.com/skratchdot/open-golang\nSPDXID: SPDXRef-Package-github.com.skratchdot.open-golang-v0.0.0-20200116055534-eef842397966\nPackageVersion: v0.0.0-20200116055534-eef842397966\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 0977118b561a46782a4ec19fcf21d79280b78fde20bc3c77219e70d5aa878e46\nPackageHomePage: https://github.com/skratchdot/open-golang\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/gogo/protobuf\n\nPackageName: github.com/gogo/protobuf\nSPDXID: SPDXRef-Package-github.com.gogo.protobuf-v1.3.2\nPackageVersion: v1.3.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 95d3fe25fc8e393da0e7135467b6699f4d0bf5f62ac93014def07a6ebc840536\nPackageHomePage: https://github.com/gogo/protobuf\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: 
NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the gopkg.in/inf.v0\n\nPackageName: gopkg.in/inf.v0\nSPDXID: SPDXRef-Package-gopkg.in.inf.v0-v0.9.1\nPackageVersion: v0.9.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 771fadad552618ff0ae1e08892c4c5e06bab75c14304e2dccdfa390dc2db2a86\nPackageHomePage: https://gopkg.in/inf.v0\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the k8s.io/apimachinery\n\nPackageName: k8s.io/apimachinery\nSPDXID: SPDXRef-Package-k8s.io.apimachinery-v0.21.2\nPackageVersion: v0.21.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 99a73f202aa86722321431e4bd1cd3f88ed1d4e680cddbe4d1d16c1794a02c4e\nPackageHomePage: https://k8s.io/apimachinery\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-k8s.io.klog.v2-v2.8.0 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-sigs.k8s.io.structured-merge-diff.v4-v4.1.0 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-gopkg.in.inf.v0-v0.9.1 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-sigs.k8s.io.yaml-v1.2.0 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.json-iterator.go-v1.1.11 
\nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.google.gofuzz-v1.2.0 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.gogo.protobuf-v1.3.2 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.spf13.pflag-v1.0.5 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.modern-go.reflect2-v1.0.1 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.golang.groupcache-v0.0.0-20210331224755-41bb18bfe9da \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.googleapis.gnostic-v0.4.1 \nRelationship SPDXRef-Package-k8s.io.apimachinery-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \n\n##### Package representing the github.com/google/gofuzz\n\nPackageName: github.com/google/gofuzz\nSPDXID: SPDXRef-Package-github.com.google.gofuzz-v1.2.0\nPackageVersion: v1.2.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 9f90c7a974671a73dfacee0304a7b34959a807ae0dced51d0aa6f4883b296827\nPackageHomePage: 
https://github.com/google/gofuzz\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/go-logr/logr\n\nPackageName: github.com/go-logr/logr\nSPDXID: SPDXRef-Package-github.com.go-logr.logr-v0.4.0\nPackageVersion: v0.4.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 729410377448d47553cbc0b4dd2894ca3c1aa69e6426e18aa31f2bae3ab6a1c8\nPackageHomePage: https://github.com/go-logr/logr\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the k8s.io/klog/v2\n\nPackageName: k8s.io/klog/v2\nSPDXID: SPDXRef-Package-k8s.io.klog.v2-v2.8.0\nPackageVersion: v2.8.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: f3843055d8b518fac6bd96d36d10cda14ef347848023df47e0ae510cfc668c9d\nPackageHomePage: https://k8s.io/klog/v2\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-k8s.io.klog.v2-v2.8.0 DEPENDS_ON SPDXRef-Package-github.com.go-logr.logr-v0.4.0 \n\n##### Package representing the github.com/modern-go/concurrent\n\nPackageName: github.com/modern-go/concurrent\nSPDXID: SPDXRef-Package-github.com.modern-go.concurrent-v0.0.0-20180306012644-bacd9c7ef1dd\nPackageVersion: v0.0.0-20180306012644-bacd9c7ef1dd\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: c6081e6ce83b52eb5415b1eaaa3920fcbdff17d1c3fa789b5b89d2cbbc6ace2e\nPackageHomePage: https://github.com/modern-go/concurrent\nPackageLicenseConcluded: 
NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/modern-go/reflect2\n\nPackageName: github.com/modern-go/reflect2\nSPDXID: SPDXRef-Package-github.com.modern-go.reflect2-v1.0.1\nPackageVersion: v1.0.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 95aa5db9774824ade90b1b53c29f23e331139bed8b757f2c715ea0efc7399fc8\nPackageHomePage: https://github.com/modern-go/reflect2\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/json-iterator/go\n\nPackageName: github.com/json-iterator/go\nSPDXID: SPDXRef-Package-github.com.json-iterator.go-v1.1.11\nPackageVersion: v1.1.11\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 254625d8d2b1f7077ee5b424343f8a20c77e36b8d825fae1edf817949c9b3e84\nPackageHomePage: https://github.com/json-iterator/go\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.json-iterator.go-v1.1.11 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-github.com.json-iterator.go-v1.1.11 DEPENDS_ON SPDXRef-Package-github.com.google.gofuzz-v1.2.0 \nRelationship SPDXRef-Package-github.com.json-iterator.go-v1.1.11 DEPENDS_ON SPDXRef-Package-github.com.modern-go.concurrent-v0.0.0-20180306012644-bacd9c7ef1dd \nRelationship SPDXRef-Package-github.com.json-iterator.go-v1.1.11 DEPENDS_ON SPDXRef-Package-github.com.modern-go.reflect2-v1.0.1 \n\n##### Package representing the sigs.k8s.io/structured-merge-diff/v4\n\nPackageName: 
sigs.k8s.io/structured-merge-diff/v4\nSPDXID: SPDXRef-Package-sigs.k8s.io.structured-merge-diff.v4-v4.1.0\nPackageVersion: v4.1.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 223818142048052ae7e0e13055d154f4e681983fa3fabd380ed59d459f9bbea7\nPackageHomePage: https://sigs.k8s.io/structured-merge-diff/v4\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-sigs.k8s.io.structured-merge-diff.v4-v4.1.0 DEPENDS_ON SPDXRef-Package-github.com.modern-go.concurrent-v0.0.0-20180306012644-bacd9c7ef1dd \nRelationship SPDXRef-Package-sigs.k8s.io.structured-merge-diff.v4-v4.1.0 DEPENDS_ON SPDXRef-Package-github.com.modern-go.reflect2-v1.0.1 \nRelationship SPDXRef-Package-sigs.k8s.io.structured-merge-diff.v4-v4.1.0 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-sigs.k8s.io.structured-merge-diff.v4-v4.1.0 DEPENDS_ON SPDXRef-Package-github.com.google.gofuzz-v1.2.0 \nRelationship SPDXRef-Package-sigs.k8s.io.structured-merge-diff.v4-v4.1.0 DEPENDS_ON SPDXRef-Package-github.com.json-iterator.go-v1.1.11 \n\n##### Package representing the k8s.io/api\n\nPackageName: k8s.io/api\nSPDXID: SPDXRef-Package-k8s.io.api-v0.21.2\nPackageVersion: v0.21.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 0f91c64066f5e8b2de142b2d3b155d66d6edcf720aa0f30af9929be542aa6ffe\nPackageHomePage: https://k8s.io/api\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-k8s.io.api-v0.21.2 DEPENDS_ON SPDXRef-Package-k8s.io.apimachinery-v0.21.2 \nRelationship SPDXRef-Package-k8s.io.api-v0.21.2 DEPENDS_ON 
SPDXRef-Package-github.com.gogo.protobuf-v1.3.2 \n\n##### Package representing the github.com/googleapis/gnostic\n\nPackageName: github.com/googleapis/gnostic\nSPDXID: SPDXRef-Package-github.com.googleapis.gnostic-v0.4.1\nPackageVersion: v0.4.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 2e1455e8d4d3a3ca2c1429f4dfd223227c5d875a0b9fec12c7a8b6540e606a58\nPackageHomePage: https://github.com/googleapis/gnostic\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.googleapis.gnostic-v0.4.1 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.googleapis.gnostic-v0.4.1 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \n\n##### Package representing the sigs.k8s.io/yaml\n\nPackageName: sigs.k8s.io/yaml\nSPDXID: SPDXRef-Package-sigs.k8s.io.yaml-v1.2.0\nPackageVersion: v1.2.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 76d8cd575a926fc427aa57cf0574548aac399ee84e3e313e841c1cccf99ffac7\nPackageHomePage: https://sigs.k8s.io/yaml\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-sigs.k8s.io.yaml-v1.2.0 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-sigs.k8s.io.yaml-v1.2.0 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the k8s.io/client-go\n\nPackageName: k8s.io/client-go\nSPDXID: SPDXRef-Package-k8s.io.client-go-v0.21.2\nPackageVersion: v0.21.2\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 
49c966ba6a48e4cb8e520ae8c8285d0d19fdf7706b4ba3f7e50acdcddaa560f3\nPackageHomePage: https://k8s.io/client-go\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.googleapis.gnostic-v0.4.1 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.imdario.mergo-v0.3.9 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.Azure.go-autorest.autorest-v0.11.18 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.Azure.go-autorest.autorest.adal-v0.9.13 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.gogo.protobuf-v1.3.2 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.google.gofuzz-v1.2.0 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.spf13.pflag-v1.0.5 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-golang.org.x.term-v0.0.0-20210615171337-6886f2dfbf5b \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-k8s.io.apimachinery-v0.21.2 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON 
SPDXRef-Package-cloud.google.com.go-v0.81.0 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.golang.groupcache-v0.0.0-20210331224755-41bb18bfe9da \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-sigs.k8s.io.yaml-v1.2.0 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-k8s.io.utils-v0.0.0-20201110183641-67b214c5f920 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-k8s.io.klog.v2-v2.8.0 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-sigs.k8s.io.structured-merge-diff.v4-v4.1.0 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-k8s.io.api-v0.21.2 \nRelationship SPDXRef-Package-k8s.io.client-go-v0.21.2 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \n\n##### Package representing the github.com/davecgh/go-spew\n\nPackageName: github.com/davecgh/go-spew\nSPDXID: SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1\nPackageVersion: v1.1.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 77d53af0a568b8c213c0a761194a7cb44abeb0c005359ec1b41ffdab10d7bb13\nPackageHomePage: https://github.com/davecgh/go-spew\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the k8s.io/utils\n\nPackageName: k8s.io/utils\nSPDXID: SPDXRef-Package-k8s.io.utils-v0.0.0-20201110183641-67b214c5f920\nPackageVersion: v0.0.0-20201110183641-67b214c5f920\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: 
NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e27d3708c47807fa1e142d0d0043af60498463f429ea0932ffc50249e3efa6c6\nPackageHomePage: https://k8s.io/utils\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-k8s.io.utils-v0.0.0-20201110183641-67b214c5f920 DEPENDS_ON SPDXRef-Package-k8s.io.klog.v2-v2.8.0 \nRelationship SPDXRef-Package-k8s.io.utils-v0.0.0-20201110183641-67b214c5f920 DEPENDS_ON SPDXRef-Package-github.com.spf13.afero-v1.6.0 \nRelationship SPDXRef-Package-k8s.io.utils-v0.0.0-20201110183641-67b214c5f920 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \n\n##### Package representing the github.com/Azure/go-autorest/autorest/date\n\nPackageName: github.com/Azure/go-autorest/autorest/date\nSPDXID: SPDXRef-Package-github.com.Azure.go-autorest.autorest.date-v0.3.0\nPackageVersion: v0.3.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e6ac66ef043540fb1bd849b36ae1582dc360d9a274cbd9cc9768d1659f9e59fa\nPackageHomePage: https://github.com/Azure/go-autorest/autorest/date\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/Azure/go-autorest/logger\n\nPackageName: github.com/Azure/go-autorest/logger\nSPDXID: SPDXRef-Package-github.com.Azure.go-autorest.logger-v0.2.1\nPackageVersion: v0.2.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 6f980aaf27fee26a7f7017d638e0b9092a26c1c7af79b8263bf4a6e2a20452c6\nPackageHomePage: https://github.com/Azure/go-autorest/logger\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: 
NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/Azure/go-autorest/tracing\n\nPackageName: github.com/Azure/go-autorest/tracing\nSPDXID: SPDXRef-Package-github.com.Azure.go-autorest.tracing-v0.6.0\nPackageVersion: v0.6.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: e9b2a988aca23d841384a17068de9dcd59ccb7032cd6eadf05430edd426134c2\nPackageHomePage: https://github.com/Azure/go-autorest/tracing\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/form3tech-oss/jwt-go\n\nPackageName: github.com/form3tech-oss/jwt-go\nSPDXID: SPDXRef-Package-github.com.form3tech-oss.jwt-go-v3.2.2+incompatible\nPackageVersion: v3.2.2+incompatible\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 4a559f8950d5014570c484552049fa65e1c9eaa3ee5aac02920020103d345f9c\nPackageHomePage: https://github.com/form3tech-oss/jwt-go\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/Azure/go-autorest/autorest/adal\n\nPackageName: github.com/Azure/go-autorest/autorest/adal\nSPDXID: SPDXRef-Package-github.com.Azure.go-autorest.autorest.adal-v0.9.13\nPackageVersion: v0.9.13\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 1d8888e699a769d032389aa3de1f49bbdda2bf7c250baf1376146ec54228851b\nPackageHomePage: https://github.com/Azure/go-autorest/autorest/adal\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship 
SPDXRef-Package-github.com.Azure.go-autorest.autorest.adal-v0.9.13 DEPENDS_ON SPDXRef-Package-github.com.Azure.go-autorest.autorest.date-v0.3.0 \nRelationship SPDXRef-Package-github.com.Azure.go-autorest.autorest.adal-v0.9.13 DEPENDS_ON SPDXRef-Package-github.com.Azure.go-autorest.tracing-v0.6.0 \nRelationship SPDXRef-Package-github.com.Azure.go-autorest.autorest.adal-v0.9.13 DEPENDS_ON SPDXRef-Package-github.com.form3tech-oss.jwt-go-v3.2.2+incompatible \nRelationship SPDXRef-Package-github.com.Azure.go-autorest.autorest.adal-v0.9.13 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \nRelationship SPDXRef-Package-github.com.Azure.go-autorest.autorest.adal-v0.9.13 DEPENDS_ON SPDXRef-Package-github.com.Azure.go-autorest.logger-v0.2.1 \n\n##### Package representing the github.com/Azure/go-autorest/autorest\n\nPackageName: github.com/Azure/go-autorest/autorest\nSPDXID: SPDXRef-Package-github.com.Azure.go-autorest.autorest-v0.11.18\nPackageVersion: v0.11.18\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 7b85debcce807a016fbdae358971274f74c396ab20b58a73e8fa69fcaed58912\nPackageHomePage: https://github.com/Azure/go-autorest/autorest\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.Azure.go-autorest.autorest-v0.11.18 DEPENDS_ON SPDXRef-Package-github.com.Azure.go-autorest.autorest.adal-v0.9.13 \nRelationship SPDXRef-Package-github.com.Azure.go-autorest.autorest-v0.11.18 DEPENDS_ON SPDXRef-Package-github.com.Azure.go-autorest.logger-v0.2.1 \nRelationship SPDXRef-Package-github.com.Azure.go-autorest.autorest-v0.11.18 DEPENDS_ON SPDXRef-Package-github.com.Azure.go-autorest.tracing-v0.6.0 \nRelationship SPDXRef-Package-github.com.Azure.go-autorest.autorest-v0.11.18 DEPENDS_ON 
SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \n\n##### Package representing the github.com/imdario/mergo\n\nPackageName: github.com/imdario/mergo\nSPDXID: SPDXRef-Package-github.com.imdario.mergo-v0.3.9\nPackageVersion: v0.3.9\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 0ee96fdd2abc1d04b65d2bc2fcc2de4ae71b231e9543893db38016cd6822ae5c\nPackageHomePage: https://github.com/imdario/mergo\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/OneOfOne/xxhash\n\nPackageName: github.com/OneOfOne/xxhash\nSPDXID: SPDXRef-Package-github.com.OneOfOne.xxhash-v1.2.8\nPackageVersion: v1.2.8\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 72ca3234e0a2f98565da9eef27df8a5a3f8652e74066cd454feba34fe160787e\nPackageHomePage: https://github.com/OneOfOne/xxhash\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/open-policy-agent/opa\n\nPackageName: github.com/open-policy-agent/opa\nSPDXID: SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4\nPackageVersion: v0.29.4\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: d45f3fe23dd8e18a1bd1ef0aa85ab059ed17d7a27bfd3d060d0c625186729110\nPackageHomePage: https://github.com/open-policy-agent/opa\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON 
SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.yashtewari.glob-intersection-v0.0.0-20180916065949-5c77d914dd0b \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.xeipuuv.gojsonreference-v0.0.0-20180127040603-bd5ef7bd5415 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.spf13.cobra-v1.1.3 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.peterh.liner-v0.0.0-20170211195444-bf27d3ba8e1d \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.gorilla.mux-v1.8.0 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-golang.org.x.time-v0.0.0-20210220033141-f8bda1e9f3ba \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.prometheus.common-v0.29.0 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.olekukonko.tablewriter-v0.0.5 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.fsnotify.fsnotify-v1.4.9 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.xeipuuv.gojsonpointer-v0.0.0-20190905194746-02993c407bfb \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.gobwas.glob-v0.2.3 \nRelationship 
SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.prometheus.procfs-v0.6.0 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-go.uber.org.automaxprocs-v1.4.0 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.spf13.pflag-v1.0.5 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.rcrowley.go-metrics-v0.0.0-20200313005456-10cdbea86bc0 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.ghodss.yaml-v1.0.0 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-github.com.OneOfOne.xxhash-v1.2.8 \nRelationship SPDXRef-Package-github.com.open-policy-agent.opa-v0.29.4 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \n\n##### Package representing the github.com/xeipuuv/gojsonpointer\n\nPackageName: github.com/xeipuuv/gojsonpointer\nSPDXID: SPDXRef-Package-github.com.xeipuuv.gojsonpointer-v0.0.0-20190905194746-02993c407bfb\nPackageVersion: v0.0.0-20190905194746-02993c407bfb\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 63a2e8a1e3a190e1bc3280e3940d846c646ef3e908736ae72db9076029fcc706\nPackageHomePage: https://github.com/xeipuuv/gojsonpointer\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/xeipuuv/gojsonreference\n\nPackageName: 
github.com/xeipuuv/gojsonreference\nSPDXID: SPDXRef-Package-github.com.xeipuuv.gojsonreference-v0.0.0-20180127040603-bd5ef7bd5415\nPackageVersion: v0.0.0-20180127040603-bd5ef7bd5415\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 0200ca87486b0155e8c199eec9323c321665bb4938eccbac72d8547ed2082d6b\nPackageHomePage: https://github.com/xeipuuv/gojsonreference\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/rcrowley/go-metrics\n\nPackageName: github.com/rcrowley/go-metrics\nSPDXID: SPDXRef-Package-github.com.rcrowley.go-metrics-v0.0.0-20200313005456-10cdbea86bc0\nPackageVersion: v0.0.0-20200313005456-10cdbea86bc0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: bd748d8975427958e55da8adae7bcbe43186d696e49a4804df848d113506ca45\nPackageHomePage: https://github.com/rcrowley/go-metrics\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/mattn/go-runewidth\n\nPackageName: github.com/mattn/go-runewidth\nSPDXID: SPDXRef-Package-github.com.mattn.go-runewidth-v0.0.9\nPackageVersion: v0.0.9\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: c0e249b2e49600457b866fa58f7075c833cd697601317bc0d8814817a4546987\nPackageHomePage: https://github.com/mattn/go-runewidth\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/olekukonko/tablewriter\n\nPackageName: 
github.com/olekukonko/tablewriter\nSPDXID: SPDXRef-Package-github.com.olekukonko.tablewriter-v0.0.5\nPackageVersion: v0.0.5\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 9e2c85817b12fce5ea554bb854c62ce8c10ae5124532ea9c3abee1c8d76f4105\nPackageHomePage: https://github.com/olekukonko/tablewriter\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.olekukonko.tablewriter-v0.0.5 DEPENDS_ON SPDXRef-Package-github.com.mattn.go-runewidth-v0.0.9 \nRelationship SPDXRef-Package-github.com.olekukonko.tablewriter-v0.0.5 DEPENDS_ON SPDXRef-Package-github.com.olekukonko.tablewriter-v0.0.5 \n\n##### Package representing the github.com/gobwas/glob\n\nPackageName: github.com/gobwas/glob\nSPDXID: SPDXRef-Package-github.com.gobwas.glob-v0.2.3\nPackageVersion: v0.2.3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 15b4a39767c64f15c6f6bc35d96f85768413a25bdfa4e46fa49a6374c9b7968b\nPackageHomePage: https://github.com/gobwas/glob\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/yashtewari/glob-intersection\n\nPackageName: github.com/yashtewari/glob-intersection\nSPDXID: SPDXRef-Package-github.com.yashtewari.glob-intersection-v0.0.0-20180916065949-5c77d914dd0b\nPackageVersion: v0.0.0-20180916065949-5c77d914dd0b\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 4ff4c9ffae6f6732584eb088757d9fcb30d0dc960c5b4e00c0cd4e05bacc04e4\nPackageHomePage: https://github.com/yashtewari/glob-intersection\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: 
NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/sirupsen/logrus\n\nPackageName: github.com/sirupsen/logrus\nSPDXID: SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1\nPackageVersion: v1.8.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: adea913fb1c1be8bf12e8b69d1da7f226c014c55caf8e56335bbe4e114e41b50\nPackageHomePage: https://github.com/sirupsen/logrus\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1 DEPENDS_ON SPDXRef-Package-github.com.davecgh.go-spew-v1.1.1 \nRelationship SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1 DEPENDS_ON SPDXRef-Package-golang.org.x.crypto-v0.0.0-20210616213533-5ff15b29337e \n\n##### Package representing the github.com/gorilla/mux\n\nPackageName: github.com/gorilla/mux\nSPDXID: SPDXRef-Package-github.com.gorilla.mux-v1.8.0\nPackageVersion: v1.8.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 2dffd95dd340d7e6948873a146da12fd4146c08eb6eb8c420f76e8d9a742814c\nPackageHomePage: https://github.com/gorilla/mux\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/beorn7/perks\n\nPackageName: github.com/beorn7/perks\nSPDXID: SPDXRef-Package-github.com.beorn7.perks-v1.0.1\nPackageVersion: v1.0.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: 
SHA256: 3f909457dc97a398f2d35bf26e5a7ba7af74a4b47f83b79dea360415ed24a98e\nPackageHomePage: https://github.com/beorn7/perks\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/cespare/xxhash/v2\n\nPackageName: github.com/cespare/xxhash/v2\nSPDXID: SPDXRef-Package-github.com.cespare.xxhash.v2-v2.1.1\nPackageVersion: v2.1.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 7d5ac3d632362d4e19965eb9745b4092e9e62bd9bccde15d4975cc5a97649c63\nPackageHomePage: https://github.com/cespare/xxhash/v2\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/prometheus/client_model\n\nPackageName: github.com/prometheus/client_model\nSPDXID: SPDXRef-Package-github.com.prometheus.client-model-v0.2.0\nPackageVersion: v0.2.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 4cc56642e11499313e9e0c16d30a8ba751e2f9c591dc6a1e7d675cf0e09e03d0\nPackageHomePage: https://github.com/prometheus/client_model\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.prometheus.client-model-v0.2.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-github.com.prometheus.client-model-v0.2.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \n\n##### Package representing the github.com/prometheus/client_golang\n\nPackageName: github.com/prometheus/client_golang\nSPDXID: 
SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0\nPackageVersion: v1.11.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: ed14dd907bac61d8ae65bcb0211771c661e1cf1f7fd2b1394b9b124893705177\nPackageHomePage: https://github.com/prometheus/client_golang\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.beorn7.perks-v1.0.1 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.modern-go.reflect2-v1.0.1 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.matttproud.golang-protobuf-extensions-v1.0.1 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.json-iterator.go-v1.1.11 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.prometheus.common-v0.29.0 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.modern-go.concurrent-v0.0.0-20180306012644-bacd9c7ef1dd \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-model-v0.2.0 \nRelationship 
SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.prometheus.procfs-v0.6.0 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-golang.org.x.text-v0.3.6 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-google.golang.org.protobuf-v1.26.0 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.cespare.xxhash.v2-v2.1.1 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \n\n##### Package representing the github.com/matttproud/golang_protobuf_extensions\n\nPackageName: github.com/matttproud/golang_protobuf_extensions\nSPDXID: SPDXRef-Package-github.com.matttproud.golang-protobuf-extensions-v1.0.1\nPackageVersion: v1.0.1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: d8a0ce3a4b0ec610a7ee215ad6b63ee7f83fa14f7ecea46ad86dad3f8f3b99e7\nPackageHomePage: https://github.com/matttproud/golang_protobuf_extensions\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n##### Package representing the github.com/prometheus/common\n\nPackageName: github.com/prometheus/common\nSPDXID: SPDXRef-Package-github.com.prometheus.common-v0.29.0\nPackageVersion: v0.29.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 
dab655f661cec4b716fb97640b5c38306ce26552865eeacab4a3bc73d43966e7\nPackageHomePage: https://github.com/prometheus/common\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.gogo.protobuf-v1.3.2 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.prometheus.procfs-v0.6.0 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.matttproud.golang-protobuf-extensions-v1.0.1 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-golang-v1.11.0 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.prometheus.client-model-v0.2.0 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-golang.org.x.net-v0.0.0-20210525063256-abc453219eb5 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.beorn7.perks-v1.0.1 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.go-stack.stack-v1.8.0 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.golang.protobuf-v1.5.2 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-gopkg.in.yaml.v2-v2.4.0 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON 
SPDXRef-Package-golang.org.x.oauth2-v0.0.0-20210514164344-f6687ab2804c \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-github.com.pkg.errors-v0.9.1 \nRelationship SPDXRef-Package-github.com.prometheus.common-v0.29.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \n\n##### Package representing the github.com/prometheus/procfs\n\nPackageName: github.com/prometheus/procfs\nSPDXID: SPDXRef-Package-github.com.prometheus.procfs-v0.6.0\nPackageVersion: v0.6.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 86bd64823e49f5c1bedae11007fb801c88d3b28ac5e712d4002355a3101a2ddd\nPackageHomePage: https://github.com/prometheus/procfs\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\nRelationship SPDXRef-Package-github.com.prometheus.procfs-v0.6.0 DEPENDS_ON SPDXRef-Package-github.com.google.go-cmp-v0.5.6 \nRelationship SPDXRef-Package-github.com.prometheus.procfs-v0.6.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sync-v0.0.0-20210220032951-036812b2e83c \nRelationship SPDXRef-Package-github.com.prometheus.procfs-v0.6.0 DEPENDS_ON SPDXRef-Package-golang.org.x.sys-v0.0.0-20210615035016-665e8c7367d1 \n\n##### Package representing the github.com/peterh/liner\n\nPackageName: github.com/peterh/liner\nSPDXID: SPDXRef-Package-github.com.peterh.liner-v0.0.0-20170211195444-bf27d3ba8e1d\nPackageVersion: v0.0.0-20170211195444-bf27d3ba8e1d\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 246b8db15eff422e821053ea3d13e8d076779b5c62fcdbefdd1f18b71235b67f\nPackageHomePage: https://github.com/peterh/liner\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: 
NOASSERTION\n\n##### Package representing the go.uber.org/automaxprocs\n\nPackageName: go.uber.org/automaxprocs\nSPDXID: SPDXRef-Package-go.uber.org.automaxprocs-v1.4.0\nPackageVersion: v1.4.0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageChecksum: SHA256: 32be51bf668d3280000ab7aa1f970025fb49ef841201405a37d4cc98aaf7c71f\nPackageHomePage: https://go.uber.org/automaxprocs\nPackageLicenseConcluded: NOASSERTION\nPackageLicenseDeclared: NOASSERTION\nPackageCopyrightText: NOASSERTION\nPackageLicenseComments: NOASSERTION\nPackageComment: NOASSERTION\n\n"
  },
  {
    "path": "test/testdata/fancy_from.Dockerfile",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nFROM --platform=linux/amd64 ghcr.io/chainguard-images/alpine-base AS base\n\n# blah blah\n"
  },
  {
    "path": "test/testdata/policies/cue-fails.cue",
    "content": "import \"time\"\n\nbefore: time.Parse(time.RFC3339, \"2049-10-09T17:10:27Z\")\n\n// Test with an invalid predicate type. It should be the commented-out value\n// on the next line, so it is changed here.\n//predicateType: \"cosign.sigstore.dev/attestation/v1\"\npredicateType: \"cosignnotreally.sigstore.dev/attestation/v1\"\n\n// The predicate must match the following constraints.\npredicate: {\n    Timestamp: <before\n}\n"
  },
  {
    "path": "test/testdata/policies/cue-policy-config.cue",
    "content": "config: \"linux/amd64\": config: User: \"65530\"\nconfig: \"linux/arm/v7\": config: User: \"65530\"\n"
  },
  {
    "path": "test/testdata/policies/cue-vuln-fails.cue",
    "content": "import \"time\"\n\n// This is after our scan happened\nbefore: time.Parse(time.RFC3339, \"2022-04-01T17:10:27Z\")\nafter: time.Parse(time.RFC3339, \"2022-03-09T17:10:27Z\")\n\n// The predicateType field must match this string\npredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"\n\npredicate: {\n  invocation: {\n    // This is the wrong invocation uri\n    uri: \"invocation.example.com/cosign-testing-invalid\"\n  }\n  scanner: {\n    // This is the wrong scanner uri\n    uri: \"fakescanner.example.com/cosign-testing-invalid\"\n  }\n  metadata: {\n    scanStartedOn: <before\n    scanStartedOn: >after\n    scanFinishedOn: <before\n    scanFinishedOn: >after\n  }\n}\n"
  },
  {
    "path": "test/testdata/policies/cue-vuln-works.cue",
    "content": "import \"time\"\n\nbefore: time.Parse(time.RFC3339, \"2022-04-15T17:10:27Z\")\nafter: time.Parse(time.RFC3339, \"2022-03-09T17:10:27Z\")\n\n// The predicateType field must match this string\npredicateType: \"https://cosign.sigstore.dev/attestation/vuln/v1\"\n\npredicate: {\n  invocation: {\n    uri: \"invocation.example.com/cosign-testing\"\n  }\n  scanner: {\n    uri: \"fakescanner.example.com/cosign-testing\"\n  }\n  metadata: {\n    scanStartedOn: <before\n    scanStartedOn: >after\n    scanFinishedOn: <before\n    scanFinishedOn: >after\n  }\n}\n"
  },
  {
    "path": "test/testdata/policies/cue-works.cue",
    "content": "import \"time\"\n\nbefore: time.Parse(time.RFC3339, \"2049-10-09T17:10:27Z\")\n\n// The predicateType field must match this string\npredicateType: \"https://cosign.sigstore.dev/attestation/v1\"\n\n// The predicate must match the following constraints.\npredicate: {\n    Timestamp: <before\n}\n"
  },
  {
    "path": "test/testdata/resources/job.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: batch/v1\nkind: Job\nmetadata:\n  creationTimestamp: \"2022-09-28T16:41:53Z\"\n  generation: 1\n  labels:\n    controller-uid: e46785d2-5f13-4be6-b9c6-4633a9a1d102\n    job-name: job-that-warns\n  name: job-that-warns\n  namespace: demo-keyless-signing\n  resourceVersion: \"93491807\"\n  uid: e46785d2-5f13-4be6-b9c6-4633a9a1d102\nspec:\n  backoffLimit: 6\n  completionMode: NonIndexed\n  completions: 1\n  parallelism: 1\n  selector:\n    matchLabels:\n      controller-uid: e46785d2-5f13-4be6-b9c6-4633a9a1d102\n  suspend: false\n  template:\n    metadata:\n      creationTimestamp: null\n      labels:\n        controller-uid: e46785d2-5f13-4be6-b9c6-4633a9a1d102\n        job-name: job-that-warns\n    spec:\n      containers:\n      - image: ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\n        imagePullPolicy: IfNotPresent\n        name: job-that-warns\n        resources: {}\n        terminationMessagePath: /dev/termination-log\n        terminationMessagePolicy: File\n      dnsPolicy: ClusterFirst\n      restartPolicy: Never\n      schedulerName: default-scheduler\n      securityContext: {}\n      terminationGracePeriodSeconds: 30\n"
  },
  {
    "path": "test/testdata/resources/pod.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: Pod\nmetadata:\n  creationTimestamp: \"2022-12-07T23:59:08Z\"\n  labels:\n    run: demo\n  name: demo\n  namespace: demo-attestations\n  resourceVersion: \"95203675\"\n  uid: 8a1580b5-0f39-4f84-8d2a-fd5685e0e47f\nspec:\n  containers:\n  - image: ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d\n    imagePullPolicy: IfNotPresent\n    name: demo\n    resources: {}\n    terminationMessagePath: /dev/termination-log\n    terminationMessagePolicy: File\n    volumeMounts:\n    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount\n      name: kube-api-access-976f5\n      readOnly: true\n  dnsPolicy: ClusterFirst\n  enableServiceLinks: true\n  nodeName: gke-chainguard-dev-default-pool-03eb8a6e-wc7b\n  preemptionPolicy: PreemptLowerPriority\n  priority: 0\n  restartPolicy: Always\n  schedulerName: default-scheduler\n  securityContext: {}\n  serviceAccount: default\n  serviceAccountName: default\n  terminationGracePeriodSeconds: 30\n  tolerations:\n  - effect: NoExecute\n    key: node.kubernetes.io/not-ready\n    operator: Exists\n    tolerationSeconds: 300\n  - effect: NoExecute\n    key: node.kubernetes.io/unreachable\n    operator: Exists\n    tolerationSeconds: 300\n  volumes:\n  - name: kube-api-access-976f5\n    projected:\n      defaultMode: 420\n      sources:\n      - 
serviceAccountToken:\n          expirationSeconds: 3607\n          path: token\n      - configMap:\n          items:\n          - key: ca.crt\n            path: ca.crt\n          name: kube-root-ca.crt\n      - downwardAPI:\n          items:\n          - fieldRef:\n              apiVersion: v1\n              fieldPath: metadata.namespace\n            path: namespace\n"
  },
  {
    "path": "test/testdata/signed_manifest.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: Pod\nmetadata:\n  name: single-pod\nspec:\n  restartPolicy: Never\n  containers:\n    - name: distroless\n      image: ghcr.io/chainguard-images/alpine-base\n"
  },
  {
    "path": "test/testdata/single_stage.Dockerfile",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nFROM ghcr.io/chainguard-images/alpine-base\n\n# blah blah\n"
  },
  {
    "path": "test/testdata/test_blob_cert.pem",
    "content": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZwCCQDmJAPXiurv9jAKBggqhkjOPQQDAjCBgjELMAkGA1UEBhMCVVMx\nCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEQMA4GA1UECgwHQ29tcGFueTENMAsG\nA1UECwwEVW5pdDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUub3JnMR4wHAYJKoZIhvcN\nAQkBFg9lbWFpbEBlbWFpbC5jb20wHhcNMjIwMzI4MTgwNDIwWhcNMjIwNDI3MTgw\nNDIwWjCBgjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEQ\nMA4GA1UECgwHQ29tcGFueTENMAsGA1UECwwEVW5pdDEYMBYGA1UEAwwPd3d3LmV4\nYW1wbGUub3JnMR4wHAYJKoZIhvcNAQkBFg9lbWFpbEBlbWFpbC5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1Q4hB1jtagrdsVxygtDa/rli00U7n/1I/NSw8\nyoMRQ+MOAjRhg3gtcV0tha34L6150qJirQHbfocsao8X6wFmMAoGCCqGSM49BAMC\nA0gAMEUCIQDkZ4ZmFOK2Ze+znScge1JidTRzxNxCLbrdfc5yEJia2QIgCEjIY6Zo\nQUwiyuC3ll5a9GDc4swfguZq9kOFX9bD0XQ=\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "test/testdata/test_blob_private_key",
    "content": "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMJRdxVQ7AH6z1BlE9ucEMSAQhY431IFHe0oVCH7Iw49oAoGCCqGSM49\nAwEHoUQDQgAEdUOIQdY7WoK3bFccoLQ2v65YtNFO5/9SPzUsPMqDEUPjDgI0YYN4\nLXFdLYWt+C+tedKiYq0B236HLGqPF+sBZg==\n-----END EC PRIVATE KEY-----\n"
  },
  {
    "path": "test/testdata/test_blob_public_key",
    "content": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdUOIQdY7WoK3bFccoLQ2v65YtNFO\n5/9SPzUsPMqDEUPjDgI0YYN4LXFdLYWt+C+tedKiYq0B236HLGqPF+sBZg==\n-----END PUBLIC KEY-----\n"
  },
  {
    "path": "test/testdata/trustroot/e2e/bring-your-own-keys.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n---\napiVersion: policy.sigstore.dev/v1alpha1\nkind: TrustRoot\nmetadata:\n  name: my-sigstore-keys\nspec:\n  sigstoreKeys:\n    certificateAuthorities:\n    - subject:\n        organization: fulcio-organization\n        commonName: fulcio-common-name\n      uri: https://fulcio.fulcio-system.svc\n      certChain: |-\n        FULCIO_CERT_CHAIN\n    tLogs:\n    - baseURL: https://rekor.rekor-system.svc\n      hashAlgorithm: sha-256\n      publicKey: |-\n        REKOR_PUBLIC_KEY\n    ctLogs:\n    - baseURL: https://ctfe.example.com\n      hashAlgorithm: sha-256\n      publicKey: |-\n        CTFE_PUBLIC_KEY\n    timestampAuthorities:\n    - subject:\n        organization: tsa-organization\n        commonName: tsa-common-name\n      uri: https://tsa.example.com\n      certChain: |-\n        
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ6RENDQVhLZ0F3SUJBZ0lVZnlHS0RvRmE3eTZzL1cxcDFDaVRtQlJzMWVBd0NnWUlLb1pJemowRUF3SXcKTURFT01Bd0dBMVVFQ2hNRmJHOWpZV3d4SGpBY0JnTlZCQU1URlZSbGMzUWdWRk5CSUVsdWRHVnliV1ZrYVdGMApaVEFlRncweU1qRXhNRGt5TURNeE16UmFGdzB6TVRFeE1Ea3lNRE0wTXpSYU1EQXhEakFNQmdOVkJBb1RCV3h2ClkyRnNNUjR3SEFZRFZRUURFeFZVWlhOMElGUlRRU0JVYVcxbGMzUmhiWEJwYm1jd1dUQVRCZ2NxaGtqT1BRSUIKQmdncWhrak9QUU1CQndOQ0FBUjNLY0R5OWp3QVJYMHJEdnlyK01HR2tHM24xT0EwTVU1K1ppRG1ndXNGeWs2VQo2Ym92S1dWTWZEOEo4TlRjSlpFMFJhWUpyOC9kRTlrZ2NJSVhsaE13bzJvd2FEQU9CZ05WSFE4QkFmOEVCQU1DCkI0QXdIUVlEVlIwT0JCWUVGSE5uNVIzYjNNdFVkU05yRk80OVE2WERWU25rTUI4R0ExVWRJd1FZTUJhQUZOTFMKNmdubzdPbSsrUXQ1eklhK0g5bzBIaVQyTUJZR0ExVWRKUUVCL3dRTU1Bb0dDQ3NHQVFVRkJ3TUlNQW9HQ0NxRwpTTTQ5QkFNQ0EwZ0FNRVVDSVFDRjBvbG9obnZkVXE2VDcvd1BrMTlaNWFRUC95eFJUakNXWXVobi9UQ3lIZ0lnCmF6VjNhaXI0R1JaYk45YmRZdGNRN0pVQUtxODlHT2h0RmZsNmtjb1ZVdlU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIwakNDQVhpZ0F3SUJBZ0lVWHBCbVlKRkZhR1czY0M4cDZiL0RIcjFpOElvd0NnWUlLb1pJemowRUF3SXcKS0RFT01Bd0dBMVVFQ2hNRmJHOWpZV3d4RmpBVUJnTlZCQU1URFZSbGMzUWdWRk5CSUZKdmIzUXdIaGNOTWpJeApNVEE1TWpBeU9UTTBXaGNOTXpJeE1UQTVNakF6TkRNMFdqQXdNUTR3REFZRFZRUUtFd1ZzYjJOaGJERWVNQndHCkExVUVBeE1WVkdWemRDQlVVMEVnU1c1MFpYSnRaV1JwWVhSbE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMEQKQVFjRFFnQUVLRFBEUkl3RFMxWkN5bXViNnlhbkNHNW1hMHFEakxwTm9uRHZvb1NrUkhFZ1UwVE5pYmVKbjZNKwo1VzYwOGhDdzhud3V1Y01iWFE0MWtOZXVCZWV2eXFONE1IWXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CTUdBMVVkCkpRUU1NQW9HQ0NzR0FRVUZCd01JTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk5MUzZnbm8KN09tKytRdDV6SWErSDlvMEhpVDJNQjhHQTFVZEl3UVlNQmFBRkIxbnZYcE5LN0F1UWxiSit5YTZuUFNxV2krVApNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJR2l3cUNJMjl3N0M0VjhUbHRDc2k3MjhzNUR0a2xDUHlTREFTVVN1CmE1eTVBaUVBNDBJZmRsd2Y3VWo4cThOU0Q2WjRnLzBqczB0R05kTFNVSjFkby9Xb04wcz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJQmxEQ0NBVHFnQXdJQkFnSVVZWng5c1MxNEVuN1N1SERPSkpQNElQb3BNalV3Q2dZSUtvWkl6ajBFQXdJdwpLREVPTUF3R0ExVUVDaE1GYkc5allXd3hGakFVQmdO
VkJBTVREVlJsYzNRZ1ZGTkJJRkp2YjNRd0hoY05Nakl4Ck1UQTVNakF5T1RNMFdoY05Nekl4TVRBNU1qQXpORE0wV2pBb01RNHdEQVlEVlFRS0V3VnNiMk5oYkRFV01CUUcKQTFVRUF4TU5WR1Z6ZENCVVUwRWdVbTl2ZERCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkFiQgpCMFNVOEc3NWhWSVVwaENoQTRuZk93TldQMzQ3VGpTY0lkc0VQcktWbisvWTFIbW1MSEpEalNmbit4aEVGb0VrCjdqcWdycW9uNDhpNHhibzd4QXVqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQUQKQVFIL01CMEdBMVVkRGdRV0JCUWRaNzE2VFN1d0xrSld5ZnNtdXB6MHFsb3ZrekFLQmdncWhrak9QUVFEQWdOSQpBREJGQWlCZTVQNTZmb3FtRmNaQVZwRWVBT0ZackFsRWlxMDVDQ3BNTlloNUVqTHZtQUloQUtORjZ4SVY1dUZkCnBTVEpzQXd6alc3OENLUW03cW9sMHVQbVBQdTZtTmF3Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K\n"
  },
  {
    "path": "test/testdata/trustroot/e2e/with-remote.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n---\napiVersion: policy.sigstore.dev/v1alpha1\nkind: TrustRoot\nmetadata:\n  name: my-remote\nspec:\n  remote:\n    mirror: TUF_MIRROR\n    root: |-\n      ROOT_JSON\n"
  },
  {
    "path": "test/testdata/trustroot/e2e/with-repository.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n---\napiVersion: policy.sigstore.dev/v1alpha1\nkind: TrustRoot\nmetadata:\n  name: my-repository-serialized\nspec:\n  repository:\n    root: |-\n      ROOT_JSON\n    mirrorFS: |-\n      REPOSITORY\n"
  },
  {
    "path": "test/testdata/trustroot/e2e/with-tsa.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n---\napiVersion: policy.sigstore.dev/v1alpha1\nkind: TrustRoot\nmetadata:\n  name: my-sigstore-keys\nspec:\n  sigstoreKeys:\n    certificateAuthorities: []\n    timestampAuthorities:\n    - subject:\n        organization: tsa-organization\n        commonName: tsa-common-name\n      uri: TSA_URL\n      certChain: |-\n        TSA_CERT_CHAIN\n"
  },
  {
    "path": "test/testdata/trustroot/golden/ctfe.pem",
    "content": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJvCJi707fv5tMJ1U2TVMZ+uO4dKG\naEcvjlCkgBCKXbrkumZV0m0dSlK1V1gxEiyQ8y6hk1MxJNe2AZrZUt7a4w==\n-----END PUBLIC KEY-----\n"
  },
  {
    "path": "test/testdata/trustroot/golden/fulcio.crt.pem",
    "content": "-----BEGIN CERTIFICATE-----\nMIIFwzCCA6ugAwIBAgIIK7xb+rqY4gEwDQYJKoZIhvcNAQELBQAwfjEMMAoGA1UE\nBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp\nc2NvMRYwFAYDVQQJEw01NDggTWFya2V0IFN0MQ4wDAYDVQQREwU1NzI3NDEZMBcG\nA1UEChMQTGludXggRm91bmRhdGlvbjAeFw0yMjEyMDgwMjE3NTFaFw0yMzEyMDgw\nMjE3NTFaMH4xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG\nA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UECRMNNTQ4IE1hcmtldCBTdDEOMAwG\nA1UEERMFNTcyNzQxGTAXBgNVBAoTEExpbnV4IEZvdW5kYXRpb24wggIiMA0GCSqG\nSIb3DQEBAQUAA4ICDwAwggIKAoICAQC142Ejlg2QxIwpNjbaeW/ft9sH1TXU6CWg\nbsvVp77vRgckSnpM3RTC/gwEwJHtX+GOTrP9ro6nFJN3G3hcFnaMHLKdGrof9iHu\n/w/lZLwQzXzVT+0ZyZxytHAWGFBvmYM4J33jH6Dj9PvqONwtSBSmZBPc/H/8EvYs\nUzxPWukhOtotSH3VXDqZ4jl96MLe0+5g2Wi7MxRX44X1RiPS14ba1ES538bThhcQ\n4SMj3uhbdsCIkcm7eF4EY3pEXQpXEEGnZGfwYgQr+6cT07Zd/WDM0NX3KxH6qRk9\ngDjPnfcMuFbOTbfD/nuvx6FNX6OUrzrZSglkLvcPIBVOW7Ln41LAb7aXmbWLFEJn\nuLooPpYYr+6NhnFDNGpsBKGKr/kvbQyDKKst3CKj9otPS1363ni41qnoA7YWSqxw\nz4185dKKc+Y7yvJQsRlr6qG1sNLO+c77fSS5VZImzNozBcRkuLJFlX+WB0uzgQU5\ns45IZW+fK92nfu8MmKjzHR+idyr4OyjS0YSN3GMgc0UP7K6hVphLedApFpykBSFG\nUgiPZwrT+mGSVgmOXq5n1dQTCD14lEh2qt3/rff8zNc0CMANWybaMGBGQ4bhVVXe\nRKYx9u2PZjPv53p7Yb/DCdqnGEDw/HCBDiCs4oYe4daE36xUojxDSm3DaeNG68z9\nRL7gfUjAxQIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n/wIBATAdBgNVHQ4EFgQUf+lbNX0Wh4h+Q0SRthRK+KfLjqEwDQYJKoZIhvcNAQEL\nBQADggIBAEhJja0ZSKwXcaOXCYRXTE06+JbpezI5LevBhmbRQK789Rq10JeAXa7m\nEToRGlGFLH2uDT11msFKyM3v67KlE1SYVcqKmClYfIVEYH3La0uI+9rHZnWgb4Bl\ny1B8wblKJzhYQD9Z4H/gs+BAsoRX5VoFyIgkNBk1p3ftaVCbkQvS0OYtYs5iw4eK\ncI71/IsTIT3Zppj9R8IGsqwLKgzfnyNcFJdz+ohc6V22PjZMEBHCsHPO4av2LlWK\n5Y1flL+2bqTqbmO/bjfX0w4Z1DuojRcOZF7SH4O3Qu2Y7/69gH7Cp0niVCm5z+S5\n011V6PvMjrmiE+xVkxLHbYEgocbFhd5DciMCXpvsuDZojaI3FREmBqiIhKoki3rb\nwuElya78bMwkZ1krp76nWso47/0+51io/WriAdr0cjmzonho7RqIE3DC77CEMkag\nZvKSmL3sff+WNSrnPlznK19NA2z4ImW9MszqPrCTQGP//BBu7SamzofVM9f4PAIr\nFTpnW6sGdpCzP8E0WUu9B+viKrtfM/9sxnI9WhfJPdrEP0iZW3vhwvgQbKb5D2OS\nU4nrVov6BWr/BnhQK8IXo1tq3j8FCRIoleXNhks4g
nkOaDsW2KtVqwtK3iO3BvPb\nL5w0gdLjwMLkek72y61Xqz5WxZwNhl5YcmBKuSvmVSHvA68BVSbB\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "test/testdata/trustroot/golden/rekor.pem",
    "content": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7D2WvgqSzs9jpdJsOJ5Nl6xg8JXm\nNmo7M3bN7+dQddw9Ibc2R3SV8tzBZw0rST8FKcn4apJepcKM4qUpYUeNfw==\n-----END PUBLIC KEY-----\n"
  },
  {
    "path": "test/testdata/trustroot/golden/tsa.crt.pem",
    "content": "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXKgAwIBAgIUfyGKDoFa7y6s/W1p1CiTmBRs1eAwCgYIKoZIzj0EAwIw\nMDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0\nZTAeFw0yMjExMDkyMDMxMzRaFw0zMTExMDkyMDM0MzRaMDAxDjAMBgNVBAoTBWxv\nY2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmcwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAAR3KcDy9jwARX0rDvyr+MGGkG3n1OA0MU5+ZiDmgusFyk6U\n6bovKWVMfD8J8NTcJZE0RaYJr8/dE9kgcIIXlhMwo2owaDAOBgNVHQ8BAf8EBAMC\nB4AwHQYDVR0OBBYEFHNn5R3b3MtUdSNrFO49Q6XDVSnkMB8GA1UdIwQYMBaAFNLS\n6gno7Om++Qt5zIa+H9o0HiT2MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqG\nSM49BAMCA0gAMEUCIQCF0olohnvdUq6T7/wPk19Z5aQP/yxRTjCWYuhn/TCyHgIg\nazV3air4GRZbN9bdYtcQ7JUAKq89GOhtFfl6kcoVUvU=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIB0jCCAXigAwIBAgIUXpBmYJFFaGW3cC8p6b/DHr1i8IowCgYIKoZIzj0EAwIw\nKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx\nMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAwMQ4wDAYDVQQKEwVsb2NhbDEeMBwG\nA1UEAxMVVGVzdCBUU0EgSW50ZXJtZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0D\nAQcDQgAEKDPDRIwDS1ZCymub6yanCG5ma0qDjLpNonDvooSkRHEgU0TNibeJn6M+\n5W608hCw8nwuucMbXQ41kNeuBeevyqN4MHYwDgYDVR0PAQH/BAQDAgEGMBMGA1Ud\nJQQMMAoGCCsGAQUFBwMIMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNLS6gno\n7Om++Qt5zIa+H9o0HiT2MB8GA1UdIwQYMBaAFB1nvXpNK7AuQlbJ+ya6nPSqWi+T\nMAoGCCqGSM49BAMCA0gAMEUCIGiwqCI29w7C4V8TltCsi728s5DtklCPySDASUSu\na5y5AiEA40Ifdlwf7Uj8q8NSD6Z4g/0js0tGNdLSUJ1do/WoN0s=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIBlDCCATqgAwIBAgIUYZx9sS14En7SuHDOJJP4IPopMjUwCgYIKoZIzj0EAwIw\nKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx\nMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAoMQ4wDAYDVQQKEwVsb2NhbDEWMBQG\nA1UEAxMNVGVzdCBUU0EgUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAbB\nB0SU8G75hVIUphChA4nfOwNWP347TjScIdsEPrKVn+/Y1HmmLHJDjSfn+xhEFoEk\n7jqgrqon48i4xbo7xAujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD\nAQH/MB0GA1UdDgQWBBQdZ716TSuwLkJWyfsmupz0qlovkzAKBggqhkjOPQQDAgNI\nADBFAiBe5P56foqmFcZAVpEeAOFZrAlEiq05CCpMNYh5EjLvmAIhAKNF6xIV5uFd\npSTJsAwzjW78CKQm7qol0uPmPPu6mNaw\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "test/testdata/trustroot/valid/valid-sigstore-keys.yaml",
    "content": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n---\napiVersion: policy.sigstore.dev/v1alpha1\nkind: TrustRoot\nmetadata:\n  name: bring-your-own-sigstore-keys\nspec:\n  sigstoreKeys:\n    certificateAuthorities:\n    - subject:\n        organization: fulcio-organization\n        commonName: fulcio-common-name\n      uri: https://fulcio.example.com\n      certChain: |-\n        LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ3ekNDQTZ1Z0F3SUJBZ0lJSzd4YitycVk0Z0V3RFFZSktvWklodmNOQVFFTEJRQXdmakVNTUFvR0ExVUUKQmhNRFZWTkJNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJZd0ZBWURWUVFKRXcwMU5EZ2dUV0Z5YTJWMElGTjBNUTR3REFZRFZRUVJFd1UxTnpJM05ERVpNQmNHCkExVUVDaE1RVEdsdWRYZ2dSbTkxYm1SaGRHbHZiakFlRncweU1qRXlNRGd3TWpFM05URmFGdzB5TXpFeU1EZ3cKTWpFM05URmFNSDR4RERBS0JnTlZCQVlUQTFWVFFURVRNQkVHQTFVRUNCTUtRMkZzYVdadmNtNXBZVEVXTUJRRwpBMVVFQnhNTlUyRnVJRVp5WVc1amFYTmpiekVXTUJRR0ExVUVDUk1OTlRRNElFMWhjbXRsZENCVGRERU9NQXdHCkExVUVFUk1GTlRjeU56UXhHVEFYQmdOVkJBb1RFRXhwYm5WNElFWnZkVzVrWVhScGIyNHdnZ0lpTUEwR0NTcUcKU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRQzE0MkVqbGcyUXhJd3BOamJhZVcvZnQ5c0gxVFhVNkNXZwpic3ZWcDc3dlJnY2tTbnBNM1JUQy9nd0V3Skh0WCtHT1RyUDlybzZuRkpOM0czaGNGbmFNSExLZEdyb2Y5aUh1Ci93L2xaTHdRelh6VlQrMFp5Wnh5dEhBV0dGQnZtWU00SjMzakg2RGo5UHZxT053dFNCU21aQlBjL0gvOEV2WXMKVXp4UFd1a2hPdG90U0gzVlhEcVo0amw5Nk1MZTArNWcyV2k3TXhSWDQ0WDFSaVBTMTRiYTFFUzUzOGJUaGhjUQo0U01qM3VoYmRzQ0lrY203ZUY0RVkzcEVYUXBYRUVHblpHZndZZ1FyKzZjVD
A3WmQvV0RNME5YM0t4SDZxUms5CmdEalBuZmNNdUZiT1RiZkQvbnV2eDZGTlg2T1VyenJaU2dsa0x2Y1BJQlZPVzdMbjQxTEFiN2FYbWJXTEZFSm4KdUxvb1BwWVlyKzZOaG5GRE5HcHNCS0dLci9rdmJReURLS3N0M0NLajlvdFBTMTM2M25pNDFxbm9BN1lXU3F4dwp6NDE4NWRLS2MrWTd5dkpRc1JscjZxRzFzTkxPK2M3N2ZTUzVWWkltek5vekJjUmt1TEpGbFgrV0IwdXpnUVU1CnM0NUlaVytmSzkybmZ1OE1tS2p6SFIraWR5cjRPeWpTMFlTTjNHTWdjMFVQN0s2aFZwaExlZEFwRnB5a0JTRkcKVWdpUFp3clQrbUdTVmdtT1hxNW4xZFFUQ0QxNGxFaDJxdDMvcmZmOHpOYzBDTUFOV3liYU1HQkdRNGJoVlZYZQpSS1l4OXUyUFpqUHY1M3A3WWIvRENkcW5HRUR3L0hDQkRpQ3M0b1llNGRhRTM2eFVvanhEU20zRGFlTkc2OHo5ClJMN2dmVWpBeFFJREFRQUJvMFV3UXpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKL3dJQkFUQWRCZ05WSFE0RUZnUVVmK2xiTlgwV2g0aCtRMFNSdGhSSytLZkxqcUV3RFFZSktvWklodmNOQVFFTApCUUFEZ2dJQkFFaEpqYTBaU0t3WGNhT1hDWVJYVEUwNitKYnBlekk1TGV2QmhtYlJRSzc4OVJxMTBKZUFYYTdtCkVUb1JHbEdGTEgydURUMTFtc0ZLeU0zdjY3S2xFMVNZVmNxS21DbFlmSVZFWUgzTGEwdUkrOXJIWm5XZ2I0QmwKeTFCOHdibEtKemhZUUQ5WjRIL2dzK0JBc29SWDVWb0Z5SWdrTkJrMXAzZnRhVkNia1F2UzBPWXRZczVpdzRlSwpjSTcxL0lzVElUM1pwcGo5UjhJR3Nxd0xLZ3pmbnlOY0ZKZHorb2hjNlYyMlBqWk1FQkhDc0hQTzRhdjJMbFdLCjVZMWZsTCsyYnFUcWJtTy9iamZYMHc0WjFEdW9qUmNPWkY3U0g0TzNRdTJZNy82OWdIN0NwMG5pVkNtNXorUzUKMDExVjZQdk1qcm1pRSt4Vmt4TEhiWUVnb2NiRmhkNURjaU1DWHB2c3VEWm9qYUkzRlJFbUJxaUloS29raTNyYgp3dUVseWE3OGJNd2taMWtycDc2bldzbzQ3LzArNTFpby9XcmlBZHIwY2ptem9uaG83UnFJRTNEQzc3Q0VNa2FnClp2S1NtTDNzZmYrV05Tcm5QbHpuSzE5TkEyejRJbVc5TXN6cVByQ1RRR1AvL0JCdTdTYW16b2ZWTTlmNFBBSXIKRlRwblc2c0dkcEN6UDhFMFdVdTlCK3ZpS3J0Zk0vOXN4bkk5V2hmSlBkckVQMGlaVzN2aHd2Z1FiS2I1RDJPUwpVNG5yVm92NkJXci9CbmhRSzhJWG8xdHEzajhGQ1JJb2xlWE5oa3M0Z25rT2FEc1cyS3RWcXd0SzNpTzNCdlBiCkw1dzBnZExqd01Ma2VrNzJ5NjFYcXo1V3had05obDVZY21CS3VTdm1WU0h2QTY4QlZTYkIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    tLogs:\n    - baseURL: https://rekor.example.com\n      hashAlgorithm: sha-256\n      publicKey: |-\n        
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFN0QyV3ZncVN6czlqcGRKc09KNU5sNnhnOEpYbQpObW83TTNiTjcrZFFkZHc5SWJjMlIzU1Y4dHpCWncwclNUOEZLY240YXBKZXBjS000cVVwWVVlTmZ3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==\n    ctLogs:\n    - baseURL: https://ctfe.example.com\n      hashAlgorithm: sha-256\n      publicKey: |-\n        LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFSnZDSmk3MDdmdjV0TUoxVTJUVk1aK3VPNGRLRwphRWN2amxDa2dCQ0tYYnJrdW1aVjBtMGRTbEsxVjFneEVpeVE4eTZoazFNeEpOZTJBWnJaVXQ3YTR3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==\n    timestampAuthorities:\n    - subject:\n        organization: tsa-organization\n        commonName: tsa-common-name\n      uri: https://tsa.example.com\n      certChain: |-\n        LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ6RENDQVhLZ0F3SUJBZ0lVZnlHS0RvRmE3eTZzL1cxcDFDaVRtQlJzMWVBd0NnWUlLb1pJemowRUF3SXcKTURFT01Bd0dBMVVFQ2hNRmJHOWpZV3d4SGpBY0JnTlZCQU1URlZSbGMzUWdWRk5CSUVsdWRHVnliV1ZrYVdGMApaVEFlRncweU1qRXhNRGt5TURNeE16UmFGdzB6TVRFeE1Ea3lNRE0wTXpSYU1EQXhEakFNQmdOVkJBb1RCV3h2ClkyRnNNUjR3SEFZRFZRUURFeFZVWlhOMElGUlRRU0JVYVcxbGMzUmhiWEJwYm1jd1dUQVRCZ2NxaGtqT1BRSUIKQmdncWhrak9QUU1CQndOQ0FBUjNLY0R5OWp3QVJYMHJEdnlyK01HR2tHM24xT0EwTVU1K1ppRG1ndXNGeWs2VQo2Ym92S1dWTWZEOEo4TlRjSlpFMFJhWUpyOC9kRTlrZ2NJSVhsaE13bzJvd2FEQU9CZ05WSFE4QkFmOEVCQU1DCkI0QXdIUVlEVlIwT0JCWUVGSE5uNVIzYjNNdFVkU05yRk80OVE2WERWU25rTUI4R0ExVWRJd1FZTUJhQUZOTFMKNmdubzdPbSsrUXQ1eklhK0g5bzBIaVQyTUJZR0ExVWRKUUVCL3dRTU1Bb0dDQ3NHQVFVRkJ3TUlNQW9HQ0NxRwpTTTQ5QkFNQ0EwZ0FNRVVDSVFDRjBvbG9obnZkVXE2VDcvd1BrMTlaNWFRUC95eFJUakNXWXVobi9UQ3lIZ0lnCmF6VjNhaXI0R1JaYk45YmRZdGNRN0pVQUtxODlHT2h0RmZsNmtjb1ZVdlU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIwakNDQVhpZ0F3SUJBZ0lVWHBCbVlKRkZhR1czY0M4cDZiL0RIcjFpOElvd0NnWUlLb1pJemowRUF3SXcKS0RFT01Bd0dBMVVFQ2hNRmJHOWpZV3d4RmpBVUJnTlZCQU1URFZSbGMzUWdWRk5CSUZKdmIzUXdIaGNOTWpJeApNVEE1TWpBeU9UTTBXaGNOTXpJeE1UQTVNakF6TkRNMFdqQXdNUTR3REFZRFZRUUtFd1ZzYjJOaGJERWVNQndHCkExVUVBeE
1WVkdWemRDQlVVMEVnU1c1MFpYSnRaV1JwWVhSbE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMEQKQVFjRFFnQUVLRFBEUkl3RFMxWkN5bXViNnlhbkNHNW1hMHFEakxwTm9uRHZvb1NrUkhFZ1UwVE5pYmVKbjZNKwo1VzYwOGhDdzhud3V1Y01iWFE0MWtOZXVCZWV2eXFONE1IWXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CTUdBMVVkCkpRUU1NQW9HQ0NzR0FRVUZCd01JTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk5MUzZnbm8KN09tKytRdDV6SWErSDlvMEhpVDJNQjhHQTFVZEl3UVlNQmFBRkIxbnZYcE5LN0F1UWxiSit5YTZuUFNxV2krVApNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJR2l3cUNJMjl3N0M0VjhUbHRDc2k3MjhzNUR0a2xDUHlTREFTVVN1CmE1eTVBaUVBNDBJZmRsd2Y3VWo4cThOU0Q2WjRnLzBqczB0R05kTFNVSjFkby9Xb04wcz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJQmxEQ0NBVHFnQXdJQkFnSVVZWng5c1MxNEVuN1N1SERPSkpQNElQb3BNalV3Q2dZSUtvWkl6ajBFQXdJdwpLREVPTUF3R0ExVUVDaE1GYkc5allXd3hGakFVQmdOVkJBTVREVlJsYzNRZ1ZGTkJJRkp2YjNRd0hoY05Nakl4Ck1UQTVNakF5T1RNMFdoY05Nekl4TVRBNU1qQXpORE0wV2pBb01RNHdEQVlEVlFRS0V3VnNiMk5oYkRFV01CUUcKQTFVRUF4TU5WR1Z6ZENCVVUwRWdVbTl2ZERCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkFiQgpCMFNVOEc3NWhWSVVwaENoQTRuZk93TldQMzQ3VGpTY0lkc0VQcktWbisvWTFIbW1MSEpEalNmbit4aEVGb0VrCjdqcWdycW9uNDhpNHhibzd4QXVqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQUQKQVFIL01CMEdBMVVkRGdRV0JCUWRaNzE2VFN1d0xrSld5ZnNtdXB6MHFsb3ZrekFLQmdncWhrak9QUVFEQWdOSQpBREJGQWlCZTVQNTZmb3FtRmNaQVZwRWVBT0ZackFsRWlxMDVDQ3BNTlloNUVqTHZtQUloQUtORjZ4SVY1dUZkCnBTVEpzQXd6alc3OENLUW03cW9sMHVQbVBQdTZtTmF3Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K\n"
  },
  {
    "path": "test/testdata/unsigned_build_stage.Dockerfile",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nFROM ghcr.io/chainguard-images/alpine-base\n\n# blah blah\n\n# an un(co)signed image\nFROM ubuntu\n\n# blah blah\n\nFROM ghcr.io/chainguard-images/static\n"
  },
  {
    "path": "test/testdata/unsigned_manifest.yaml",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: v1\nkind: Pod\nmetadata:\n  name: single-pod\nspec:\n  restartPolicy: Never\n  containers:\n    - name: nginx-container\n      image: nginx"
  },
  {
    "path": "test/testdata/with_arg.Dockerfile",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nARG test_image\n\nFROM ${test_image}"
  },
  {
    "path": "test/testdata/with_lowercase.Dockerfile",
    "content": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http:#www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nfrom ghcr.io/chainguard-images/alpine-base\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/cloud.google.com/go/auth/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/cloud.google.com/go/auth/oauth2adapt/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/cloud.google.com/go/compute/metadata/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/cloud.google.com/go/iam/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/cloud.google.com/go/kms/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/cloud.google.com/go/longrunning/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/contrib.go.opencensus.io/exporter/ocagent/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/contrib.go.opencensus.io/exporter/prometheus/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/cuelang.org/go/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/azure-sdk-for-go/LICENSE.txt",
    "content": "The MIT License (MIT)\n\nCopyright (c) Microsoft Corporation.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/azure-sdk-for-go/NOTICE.txt",
    "content": "NOTICES AND INFORMATION\nDo Not Translate or Localize\n\nThis software incorporates material from third parties. Microsoft makes certain\nopen source code available at https://3rdpartysource.microsoft.com, or you may\nsend a check or money order for US $5.00, including the product name, the open\nsource component name, and version number, to:\n\nSource Code Compliance Team\nMicrosoft Corporation\nOne Microsoft Way\nRedmond, WA 98052\nUSA\n\nNotwithstanding any other terms, you may reverse engineer this software to the\nextent required to debug changes to any libraries licensed under the GNU Lesser\nGeneral Public License.\n\n------------------------------------------------------------------------------\n\nAzure SDK for Go uses third-party libraries or other resources that may be\ndistributed under licenses different than the Azure SDK for Go software.\n\nIn the event that we accidentally failed to list a required notice, please\nbring it to our attention. Post an issue or email us:\n\n           azgosdkhelp@microsoft.com\n\nThe attached notices are provided for information only.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/azure-sdk-for-go/sdk/azcore/LICENSE.txt",
    "content": "MIT License\n\nCopyright (c) Microsoft Corporation.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/azure-sdk-for-go/sdk/azidentity/LICENSE.txt",
    "content": "MIT License\n\nCopyright (c) Microsoft Corporation.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/azure-sdk-for-go/sdk/internal/LICENSE.txt",
    "content": "MIT License\n\nCopyright (c) Microsoft Corporation.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/LICENSE.txt",
    "content": "    MIT License\n\n    Copyright (c) Microsoft Corporation. All rights reserved.\n\n    Permission is hereby granted, free of charge, to any person obtaining a copy\n    of this software and associated documentation files (the \"Software\"), to deal\n    in the Software without restriction, including without limitation the rights\n    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n    copies of the Software, and to permit persons to whom the Software is\n    furnished to do so, subject to the following conditions:\n\n    The above copyright notice and this permission notice shall be included in all\n    copies or substantial portions of the Software.\n\n    THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n    SOFTWARE"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal/LICENSE.txt",
    "content": "    MIT License\n\n    Copyright (c) Microsoft Corporation. All rights reserved.\n\n    Permission is hereby granted, free of charge, to any person obtaining a copy\n    of this software and associated documentation files (the \"Software\"), to deal\n    in the Software without restriction, including without limitation the rights\n    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n    copies of the Software, and to permit persons to whom the Software is\n    furnished to do so, subject to the following conditions:\n\n    The above copyright notice and this permission notice shall be included in all\n    copies or substantial portions of the Software.\n\n    THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n    SOFTWARE"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/go-autorest/autorest/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Microsoft Corporation\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/go-autorest/autorest/adal/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Microsoft Corporation\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/go-autorest/autorest/azure/auth/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Microsoft Corporation\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/go-autorest/autorest/azure/cli/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Microsoft Corporation\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/go-autorest/autorest/date/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Microsoft Corporation\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/go-autorest/logger/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Microsoft Corporation\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/Azure/go-autorest/tracing/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Microsoft Corporation\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/AzureAD/microsoft-authentication-library-for-go/apps/LICENSE",
    "content": "    MIT License\r\n\r\n    Copyright (c) Microsoft Corporation.\r\n\r\n    Permission is hereby granted, free of charge, to any person obtaining a copy\r\n    of this software and associated documentation files (the \"Software\"), to deal\r\n    in the Software without restriction, including without limitation the rights\r\n    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\r\n    copies of the Software, and to permit persons to whom the Software is\r\n    furnished to do so, subject to the following conditions:\r\n\r\n    The above copyright notice and this permission notice shall be included in all\r\n    copies or substantial portions of the Software.\r\n\r\n    THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\n    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\n    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\r\n    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\n    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r\n    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\r\n    SOFTWARE\r\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/agnivade/levenshtein/License.txt",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2015 Agniva De Sarker\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/alibabacloud-gateway-spi/client/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/cr-20181201/client/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/darabonba-openapi/client/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/debug/debug/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/endpoint-util/service/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/openapi-util/service/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/tea/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/tea-utils/service/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/alibabacloud-go/tea-xml/service/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aliyun/credentials-go/credentials/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2009-present, Alibaba Cloud All rights reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/asaskevich/govalidator/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014-2020 Alex Saskevich\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/NOTICE.txt",
    "content": "AWS SDK for Go\nCopyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.\nCopyright 2014-2015 Stripe, Inc.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/config/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/credentials/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/internal/configsources/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/internal/ini/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/LICENSE",
    "content": "Copyright (c) 2009 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/ecr/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/ecrpublic/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/kms/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/signin/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/sso/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/ssooidc/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/aws-sdk-go-v2/service/sts/LICENSE.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/smithy-go/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/smithy-go/NOTICE",
    "content": "Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/aws/smithy-go/internal/sync/singleflight/LICENSE",
    "content": "Copyright (c) 2009 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/awslabs/amazon-ecr-credential-helper/ecr-login/LICENSE",
    "content": "Apache License\n\nVersion 2.0, January 2004\n\nhttp://www.apache.org/licenses/\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n1. Definitions.\n\"License\" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.\n\"Licensor\" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.\n\"Legal Entity\" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, \"control\" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.\n\"You\" (or \"Your\") shall mean an individual or Legal Entity exercising permissions granted by this License.\n\"Source\" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.\n\"Object\" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.\n\"Work\" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).\n\"Derivative Works\" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. 
For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.\n\"Contribution\" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, \"submitted\" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as \"Not a Contribution.\"\n\"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.\n2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.\n3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.\n4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:\n1. You must give any other recipients of the Work or Derivative Works a copy of this License; and\n2. You must cause any modified files to carry prominent notices stating that You changed the files; and\n3. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and\n4. 
If the Work includes a \"NOTICE\" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.\n\nYou may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. \n5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.\n6. Trademarks. 
This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.\n7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.\n8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.\n9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. 
However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.\nEND OF TERMS AND CONDITIONS\nAPPENDIX: How to apply the Apache License to your work\nTo apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets \"[]\" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same \"printed page\" as the copyright notice for easier identification within third-party archives.\nCopyright [yyyy] [name of copyright owner]\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\n***\n\nNote: Other license terms may apply to certain, identified software files contained within or distributed with the accompanying software if such terms are included in the directory containing the accompanying software. Such other license terms will then apply in lieu of the terms of the software license above.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/beorn7/perks/quantile/LICENSE",
    "content": "Copyright (C) 2013 Blake Mizerany\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/blang/semver/LICENSE",
    "content": "The MIT License\n\nCopyright (c) 2014 Benedikt Lang <github at benediktlang.de>\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/blang/semver/v4/LICENSE",
    "content": "The MIT License\n\nCopyright (c) 2014 Benedikt Lang <github at benediktlang.de>\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/blendle/zapdriver/LICENSE",
    "content": "ISC License\n\nCopyright (c) Blendle\n\nPermission to use, copy, modify, and/or distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/cenkalti/backoff/v4/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Cenk Altı\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/cenkalti/backoff/v5/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Cenk Altı\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/census-instrumentation/opencensus-proto/gen-go/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/cespare/xxhash/v2/LICENSE.txt",
    "content": "Copyright (c) 2016 Caleb Spare\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/chrismellard/docker-credential-acr-env/pkg/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/clbanning/mxj/v2/LICENSE",
    "content": "Copyright (c) 2012-2021 Charles Banning <clbanning@gmail.com>.  All rights reserved.\n\nThe MIT License (MIT)\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/cockroachdb/apd/v3/LICENSE",
    "content": "Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived 
from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/common-nighthawk/go-figure/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2018 Daniel Deutsch\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/containerd/errdefs/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        https://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright The containerd Authors\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       https://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/containerd/errdefs/pkg/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        https://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright The containerd Authors\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       https://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/containerd/stargz-snapshotter/estargz/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/coreos/go-oidc/v3/oidc/LICENSE",
    "content": "Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived 
from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/coreos/go-oidc/v3/oidc/NOTICE",
    "content": "CoreOS Project\nCopyright 2014 CoreOS, Inc\n\nThis product includes software developed at CoreOS, Inc.\n(http://www.coreos.com/).\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer/LICENSE",
    "content": "   Copyright 2018 Anders Rundgren\r\n\r\n   Licensed under the Apache License, Version 2.0 (the \"License\");\r\n   you may not use this file except in compliance with the License.\r\n   You may obtain a copy of the License at\r\n\r\n       https://www.apache.org/licenses/LICENSE-2.0\r\n\r\n   Unless required by applicable law or agreed to in writing, software\r\n   distributed under the License is distributed on an \"AS IS\" BASIS,\r\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r\n   See the License for the specific language governing permissions and\r\n   limitations under the License.\r\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/davecgh/go-spew/spew/LICENSE",
    "content": "ISC License\n\nCopyright (c) 2012-2016 Dave Collins <dave@davec.name>\n\nPermission to use, copy, modify, and/or distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/digitorus/pkcs7/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2015 Andrew Smith\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/digitorus/timestamp/LICENSE",
    "content": "BSD 2-Clause License\n\nCopyright (c) 2017, Digitorus B.V.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n1. Redistributions of source code must retain the above copyright notice, this\n   list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright notice,\n   this list of conditions and the following disclaimer in the documentation\n   and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/dimchansky/utfbom/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright (c) 2018-2020, Dmitrij Koniajev (dimchansky@gmail.com)\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/distribution/reference/LICENSE",
    "content": "Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived 
from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/docker/cli/cli/config/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        https://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2013-2017 Docker, Inc.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       https://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/docker/cli/cli/config/NOTICE",
    "content": "Docker\nCopyright 2012-2017 Docker, Inc.\n\nThis product includes software developed at Docker, Inc. (https://www.docker.com).\n\nThis product contains software (https://github.com/creack/pty) developed\nby Keith Rarick, licensed under the MIT License.\n\nThe following is courtesy of our legal counsel:\n\n\nUse and transfer of Docker may be subject to certain restrictions by the\nUnited States and other governments.\nIt is your responsibility to ensure that your use and/or transfer does not\nviolate applicable laws.\n\nFor more information, see https://www.bis.doc.gov\n\nSee also https://www.apache.org/dev/crypto.html and/or seek legal counsel.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/docker/distribution/registry/client/auth/challenge/LICENSE",
    "content": "Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived 
from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/docker/docker/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        https://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2013-2018 Docker, Inc.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       https://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/docker/docker/NOTICE",
    "content": "Docker\nCopyright 2012-2017 Docker, Inc.\n\nThis product includes software developed at Docker, Inc. (https://www.docker.com).\n\nThis product contains software (https://github.com/creack/pty) developed\nby Keith Rarick, licensed under the MIT License.\n\nThe following is courtesy of our legal counsel:\n\n\nUse and transfer of Docker may be subject to certain restrictions by the\nUnited States and other governments.\nIt is your responsibility to ensure that your use and/or transfer does not\nviolate applicable laws.\n\nFor more information, please see https://www.bis.doc.gov\n\nSee also https://www.apache.org/dev/crypto.html and/or seek legal counsel.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/docker/docker-credential-helpers/LICENSE",
    "content": "Copyright (c) 2016 David Calavera\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.\nIN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY\nCLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,\nTORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE\nSOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/docker/go-connections/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        https://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Docker, Inc.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       https://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/docker/go-units/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        https://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2015 Docker, Inc.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       https://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/dustin/go-humanize/LICENSE",
    "content": "Copyright (c) 2005-2008  Dustin Sallings <dustin@spy.net>\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n<http://www.opensource.org/licenses/mit-license.php>\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/emicklei/go-restful/v3/LICENSE",
    "content": "Copyright (c) 2012,2013 Ernest Micklei\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/emicklei/proto/LICENSE",
    "content": "Copyright (c) 2017 Ernest Micklei\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/evanphx/json-patch/v5/LICENSE",
    "content": "Copyright (c) 2014, Evan Phoenix\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without \nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n* Neither the name of the Evan Phoenix nor the names of its contributors \n  may be used to endorse or promote products derived from this software \n  without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" \nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE \nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE \nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE \nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL \nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER \nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, \nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/felixge/httpsnoop/LICENSE.txt",
    "content": "Copyright (c) 2016 Felix Geisendörfer (felix@debuggable.com)\n\n Permission is hereby granted, free of charge, to any person obtaining a copy\n of this software and associated documentation files (the \"Software\"), to deal\n in the Software without restriction, including without limitation the rights\n to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n copies of the Software, and to permit persons to whom the Software is\n furnished to do so, subject to the following conditions:\n\n The above copyright notice and this permission notice shall be included in\n all copies or substantial portions of the Software.\n\n THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\n THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/fsnotify/fsnotify/LICENSE",
    "content": "Copyright © 2012 The Go Authors. All rights reserved.\nCopyright © fsnotify Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without modification,\nare permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n* Redistributions in binary form must reproduce the above copyright notice, this\n  list of conditions and the following disclaimer in the documentation and/or\n  other materials provided with the distribution.\n* Neither the name of Google Inc. nor the names of its contributors may be used\n  to endorse or promote products derived from this software without specific\n  prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/fxamacker/cbor/v2/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2019-present Faye Amacker\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-chi/chi/v5/LICENSE",
    "content": "Copyright (c) 2015-present Peter Kieltyka (https://github.com/pkieltyka), Google Inc.\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-ini/ini/LICENSE",
    "content": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n1. Definitions.\n\n\"License\" shall mean the terms and conditions for use, reproduction, and\ndistribution as defined by Sections 1 through 9 of this document.\n\n\"Licensor\" shall mean the copyright owner or entity authorized by the copyright\nowner that is granting the License.\n\n\"Legal Entity\" shall mean the union of the acting entity and all other entities\nthat control, are controlled by, or are under common control with that entity.\nFor the purposes of this definition, \"control\" means (i) the power, direct or\nindirect, to cause the direction or management of such entity, whether by\ncontract or otherwise, or (ii) ownership of fifty percent (50%) or more of the\noutstanding shares, or (iii) beneficial ownership of such entity.\n\n\"You\" (or \"Your\") shall mean an individual or Legal Entity exercising\npermissions granted by this License.\n\n\"Source\" form shall mean the preferred form for making modifications, including\nbut not limited to software source code, documentation source, and configuration\nfiles.\n\n\"Object\" form shall mean any form resulting from mechanical transformation or\ntranslation of a Source form, including but not limited to compiled object code,\ngenerated documentation, and conversions to other media types.\n\n\"Work\" shall mean the work of authorship, whether in Source or Object form, made\navailable under the License, as indicated by a copyright notice that is included\nin or attached to the work (an example is provided in the Appendix below).\n\n\"Derivative Works\" shall mean any work, whether in Source or Object form, that\nis based on (or derived from) the Work and for which the editorial revisions,\nannotations, elaborations, or other modifications represent, as a whole, an\noriginal work of authorship. 
For the purposes of this License, Derivative Works\nshall not include works that remain separable from, or merely link (or bind by\nname) to the interfaces of, the Work and Derivative Works thereof.\n\n\"Contribution\" shall mean any work of authorship, including the original version\nof the Work and any modifications or additions to that Work or Derivative Works\nthereof, that is intentionally submitted to Licensor for inclusion in the Work\nby the copyright owner or by an individual or Legal Entity authorized to submit\non behalf of the copyright owner. For the purposes of this definition,\n\"submitted\" means any form of electronic, verbal, or written communication sent\nto the Licensor or its representatives, including but not limited to\ncommunication on electronic mailing lists, source code control systems, and\nissue tracking systems that are managed by, or on behalf of, the Licensor for\nthe purpose of discussing and improving the Work, but excluding communication\nthat is conspicuously marked or otherwise designated in writing by the copyright\nowner as \"Not a Contribution.\"\n\n\"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf\nof whom a Contribution has been received by Licensor and subsequently\nincorporated within the Work.\n\n2. Grant of Copyright License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable copyright license to reproduce, prepare Derivative Works of,\npublicly display, publicly perform, sublicense, and distribute the Work and such\nDerivative Works in Source or Object form.\n\n3. 
Grant of Patent License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable (except as stated in this section) patent license to make, have\nmade, use, offer to sell, sell, import, and otherwise transfer the Work, where\nsuch license applies only to those patent claims licensable by such Contributor\nthat are necessarily infringed by their Contribution(s) alone or by combination\nof their Contribution(s) with the Work to which such Contribution(s) was\nsubmitted. If You institute patent litigation against any entity (including a\ncross-claim or counterclaim in a lawsuit) alleging that the Work or a\nContribution incorporated within the Work constitutes direct or contributory\npatent infringement, then any patent licenses granted to You under this License\nfor that Work shall terminate as of the date such litigation is filed.\n\n4. Redistribution.\n\nYou may reproduce and distribute copies of the Work or Derivative Works thereof\nin any medium, with or without modifications, and in Source or Object form,\nprovided that You meet the following conditions:\n\nYou must give any other recipients of the Work or Derivative Works a copy of\nthis License; and\nYou must cause any modified files to carry prominent notices stating that You\nchanged the files; and\nYou must retain, in the Source form of any Derivative Works that You distribute,\nall copyright, patent, trademark, and attribution notices from the Source form\nof the Work, excluding those notices that do not pertain to any part of the\nDerivative Works; and\nIf the Work includes a \"NOTICE\" text file as part of its distribution, then any\nDerivative Works that You distribute must include a readable copy of the\nattribution notices contained within such NOTICE file, excluding those notices\nthat do not pertain to any part of the Derivative Works, in at least one of the\nfollowing places: within a 
NOTICE text file distributed as part of the\nDerivative Works; within the Source form or documentation, if provided along\nwith the Derivative Works; or, within a display generated by the Derivative\nWorks, if and wherever such third-party notices normally appear. The contents of\nthe NOTICE file are for informational purposes only and do not modify the\nLicense. You may add Your own attribution notices within Derivative Works that\nYou distribute, alongside or as an addendum to the NOTICE text from the Work,\nprovided that such additional attribution notices cannot be construed as\nmodifying the License.\nYou may add Your own copyright statement to Your modifications and may provide\nadditional or different license terms and conditions for use, reproduction, or\ndistribution of Your modifications, or for any such Derivative Works as a whole,\nprovided Your use, reproduction, and distribution of the Work otherwise complies\nwith the conditions stated in this License.\n\n5. Submission of Contributions.\n\nUnless You explicitly state otherwise, any Contribution intentionally submitted\nfor inclusion in the Work by You to the Licensor shall be under the terms and\nconditions of this License, without any additional terms or conditions.\nNotwithstanding the above, nothing herein shall supersede or modify the terms of\nany separate license agreement you may have executed with Licensor regarding\nsuch Contributions.\n\n6. Trademarks.\n\nThis License does not grant permission to use the trade names, trademarks,\nservice marks, or product names of the Licensor, except as required for\nreasonable and customary use in describing the origin of the Work and\nreproducing the content of the NOTICE file.\n\n7. 
Disclaimer of Warranty.\n\nUnless required by applicable law or agreed to in writing, Licensor provides the\nWork (and each Contributor provides its Contributions) on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,\nincluding, without limitation, any warranties or conditions of TITLE,\nNON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are\nsolely responsible for determining the appropriateness of using or\nredistributing the Work and assume any risks associated with Your exercise of\npermissions under this License.\n\n8. Limitation of Liability.\n\nIn no event and under no legal theory, whether in tort (including negligence),\ncontract, or otherwise, unless required by applicable law (such as deliberate\nand grossly negligent acts) or agreed to in writing, shall any Contributor be\nliable to You for damages, including any direct, indirect, special, incidental,\nor consequential damages of any character arising as a result of this License or\nout of the use or inability to use the Work (including but not limited to\ndamages for loss of goodwill, work stoppage, computer failure or malfunction, or\nany and all other commercial damages or losses), even if such Contributor has\nbeen advised of the possibility of such damages.\n\n9. Accepting Warranty or Additional Liability.\n\nWhile redistributing the Work or Derivative Works thereof, You may choose to\noffer, and charge a fee for, acceptance of support, warranty, indemnity, or\nother liability obligations and/or rights consistent with this License. 
However,\nin accepting such obligations, You may act only on Your own behalf and on Your\nsole responsibility, not on behalf of any other Contributor, and only if You\nagree to indemnify, defend, and hold each Contributor harmless for any liability\nincurred by, or claims asserted against, such Contributor by reason of your\naccepting any such warranty or additional liability.\n\nEND OF TERMS AND CONDITIONS\n\nAPPENDIX: How to apply the Apache License to your work\n\nTo apply the Apache License to your work, attach the following boilerplate\nnotice, with the fields enclosed by brackets \"[]\" replaced with your own\nidentifying information. (Don't include the brackets!) The text should be\nenclosed in the appropriate comment syntax for the file format. We also\nrecommend that a file or class name and description of purpose be included on\nthe same \"printed page\" as the copyright notice for easier identification within\nthird-party archives.\n\n   Copyright 2014 Unknwon\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n     http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-jose/go-jose/v4/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-jose/go-jose/v4/json/LICENSE",
    "content": "Copyright (c) 2012 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-kit/log/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2021 Go kit\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-logfmt/logfmt/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2015 go-logfmt\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-logr/logr/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-logr/stdr/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/analysis/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/errors/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/jsonpointer/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/jsonpointer/NOTICE",
    "content": "Copyright 2015-2025 go-swagger maintainers\n\n// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers\n// SPDX-License-Identifier: Apache-2.0\n\nThis software library, github.com/go-openapi/jsonpointer, includes software developed\nby the go-swagger and go-openapi maintainers (\"go-swagger maintainers\").\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this software except in compliance with the License.\n\nYou may obtain a copy of the License at\n\n  http://www.apache.org/licenses/LICENSE-2.0.\n\nThis software is copied from, derived from, and inspired by other original software products.\nIt ships with copies of other software which license terms are recalled below.\n\nThe original software was authored on 25-02-2013 by sigu-399 (https://github.com/sigu-399, sigu.399@gmail.com).\n\ngithub.com/sigu-399/jsonpointer\n===========================\n\n// SPDX-FileCopyrightText: Copyright 2013 sigu-399 ( https://github.com/sigu-399 )\n// SPDX-License-Identifier: Apache-2.0\n\nCopyright 2013 sigu-399 ( https://github.com/sigu-399 )\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n  http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/jsonreference/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/jsonreference/NOTICE",
    "content": "Copyright 2015-2025 go-swagger maintainers\n\n// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers\n// SPDX-License-Identifier: Apache-2.0\n\nThis software library, github.com/go-openapi/jsonpointer, includes software developed\nby the go-swagger and go-openapi maintainers (\"go-swagger maintainers\").\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this software except in compliance with the License.\n\nYou may obtain a copy of the License at\n\n  http://www.apache.org/licenses/LICENSE-2.0.\n\nThis software is copied from, derived from, and inspired by other original software products.\nIt ships with copies of other software which license terms are recalled below.\n\nThe original software was authored on 25-02-2013 by sigu-399 (https://github.com/sigu-399, sigu.399@gmail.com).\n\ngithub.com/sigh-399/jsonpointer\n===========================\n\n// SPDX-FileCopyrightText: Copyright 2013 sigu-399 ( https://github.com/sigu-399 )\n// SPDX-License-Identifier: Apache-2.0\n\nCopyright 2013 sigu-399 ( https://github.com/sigu-399 )\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n  http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/loads/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/runtime/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/runtime/middleware/denco/LICENSE",
    "content": "Copyright (c) 2014 Naoya Inada <naoina@kuune.org>\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/spec/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/strfmt/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/cmdutils/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/conv/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/fileutils/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/jsonname/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/jsonutils/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/loading/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/mangling/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/netutils/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/stringutils/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/typeutils/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/swag/yamlutils/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-openapi/validate/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/go-viper/mapstructure/v2/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2013 Mitchell Hashimoto\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/gobuffalo/flect/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2019 Mark Bates\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/gobwas/glob/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2016 Sergey Kamardin\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/gogo/protobuf/LICENSE",
    "content": "Copyright (c) 2013, The GoGo Authors. All rights reserved.\n\nProtocol Buffers for Go with Gadgets\n\nGo support for Protocol Buffers - Google's data interchange format\n\nCopyright 2010 The Go Authors.  All rights reserved.\nhttps://github.com/golang/protobuf\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n    * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n    * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n    * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/golang/groupcache/lru/LICENSE",
    "content": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n1. Definitions.\n\n\"License\" shall mean the terms and conditions for use, reproduction, and\ndistribution as defined by Sections 1 through 9 of this document.\n\n\"Licensor\" shall mean the copyright owner or entity authorized by the copyright\nowner that is granting the License.\n\n\"Legal Entity\" shall mean the union of the acting entity and all other entities\nthat control, are controlled by, or are under common control with that entity.\nFor the purposes of this definition, \"control\" means (i) the power, direct or\nindirect, to cause the direction or management of such entity, whether by\ncontract or otherwise, or (ii) ownership of fifty percent (50%) or more of the\noutstanding shares, or (iii) beneficial ownership of such entity.\n\n\"You\" (or \"Your\") shall mean an individual or Legal Entity exercising\npermissions granted by this License.\n\n\"Source\" form shall mean the preferred form for making modifications, including\nbut not limited to software source code, documentation source, and configuration\nfiles.\n\n\"Object\" form shall mean any form resulting from mechanical transformation or\ntranslation of a Source form, including but not limited to compiled object code,\ngenerated documentation, and conversions to other media types.\n\n\"Work\" shall mean the work of authorship, whether in Source or Object form, made\navailable under the License, as indicated by a copyright notice that is included\nin or attached to the work (an example is provided in the Appendix below).\n\n\"Derivative Works\" shall mean any work, whether in Source or Object form, that\nis based on (or derived from) the Work and for which the editorial revisions,\nannotations, elaborations, or other modifications represent, as a whole, an\noriginal work of authorship. 
For the purposes of this License, Derivative Works\nshall not include works that remain separable from, or merely link (or bind by\nname) to the interfaces of, the Work and Derivative Works thereof.\n\n\"Contribution\" shall mean any work of authorship, including the original version\nof the Work and any modifications or additions to that Work or Derivative Works\nthereof, that is intentionally submitted to Licensor for inclusion in the Work\nby the copyright owner or by an individual or Legal Entity authorized to submit\non behalf of the copyright owner. For the purposes of this definition,\n\"submitted\" means any form of electronic, verbal, or written communication sent\nto the Licensor or its representatives, including but not limited to\ncommunication on electronic mailing lists, source code control systems, and\nissue tracking systems that are managed by, or on behalf of, the Licensor for\nthe purpose of discussing and improving the Work, but excluding communication\nthat is conspicuously marked or otherwise designated in writing by the copyright\nowner as \"Not a Contribution.\"\n\n\"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf\nof whom a Contribution has been received by Licensor and subsequently\nincorporated within the Work.\n\n2. Grant of Copyright License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable copyright license to reproduce, prepare Derivative Works of,\npublicly display, publicly perform, sublicense, and distribute the Work and such\nDerivative Works in Source or Object form.\n\n3. 
Grant of Patent License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable (except as stated in this section) patent license to make, have\nmade, use, offer to sell, sell, import, and otherwise transfer the Work, where\nsuch license applies only to those patent claims licensable by such Contributor\nthat are necessarily infringed by their Contribution(s) alone or by combination\nof their Contribution(s) with the Work to which such Contribution(s) was\nsubmitted. If You institute patent litigation against any entity (including a\ncross-claim or counterclaim in a lawsuit) alleging that the Work or a\nContribution incorporated within the Work constitutes direct or contributory\npatent infringement, then any patent licenses granted to You under this License\nfor that Work shall terminate as of the date such litigation is filed.\n\n4. Redistribution.\n\nYou may reproduce and distribute copies of the Work or Derivative Works thereof\nin any medium, with or without modifications, and in Source or Object form,\nprovided that You meet the following conditions:\n\nYou must give any other recipients of the Work or Derivative Works a copy of\nthis License; and\nYou must cause any modified files to carry prominent notices stating that You\nchanged the files; and\nYou must retain, in the Source form of any Derivative Works that You distribute,\nall copyright, patent, trademark, and attribution notices from the Source form\nof the Work, excluding those notices that do not pertain to any part of the\nDerivative Works; and\nIf the Work includes a \"NOTICE\" text file as part of its distribution, then any\nDerivative Works that You distribute must include a readable copy of the\nattribution notices contained within such NOTICE file, excluding those notices\nthat do not pertain to any part of the Derivative Works, in at least one of the\nfollowing places: within a 
NOTICE text file distributed as part of the\nDerivative Works; within the Source form or documentation, if provided along\nwith the Derivative Works; or, within a display generated by the Derivative\nWorks, if and wherever such third-party notices normally appear. The contents of\nthe NOTICE file are for informational purposes only and do not modify the\nLicense. You may add Your own attribution notices within Derivative Works that\nYou distribute, alongside or as an addendum to the NOTICE text from the Work,\nprovided that such additional attribution notices cannot be construed as\nmodifying the License.\nYou may add Your own copyright statement to Your modifications and may provide\nadditional or different license terms and conditions for use, reproduction, or\ndistribution of Your modifications, or for any such Derivative Works as a whole,\nprovided Your use, reproduction, and distribution of the Work otherwise complies\nwith the conditions stated in this License.\n\n5. Submission of Contributions.\n\nUnless You explicitly state otherwise, any Contribution intentionally submitted\nfor inclusion in the Work by You to the Licensor shall be under the terms and\nconditions of this License, without any additional terms or conditions.\nNotwithstanding the above, nothing herein shall supersede or modify the terms of\nany separate license agreement you may have executed with Licensor regarding\nsuch Contributions.\n\n6. Trademarks.\n\nThis License does not grant permission to use the trade names, trademarks,\nservice marks, or product names of the Licensor, except as required for\nreasonable and customary use in describing the origin of the Work and\nreproducing the content of the NOTICE file.\n\n7. 
Disclaimer of Warranty.\n\nUnless required by applicable law or agreed to in writing, Licensor provides the\nWork (and each Contributor provides its Contributions) on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,\nincluding, without limitation, any warranties or conditions of TITLE,\nNON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are\nsolely responsible for determining the appropriateness of using or\nredistributing the Work and assume any risks associated with Your exercise of\npermissions under this License.\n\n8. Limitation of Liability.\n\nIn no event and under no legal theory, whether in tort (including negligence),\ncontract, or otherwise, unless required by applicable law (such as deliberate\nand grossly negligent acts) or agreed to in writing, shall any Contributor be\nliable to You for damages, including any direct, indirect, special, incidental,\nor consequential damages of any character arising as a result of this License or\nout of the use or inability to use the Work (including but not limited to\ndamages for loss of goodwill, work stoppage, computer failure or malfunction, or\nany and all other commercial damages or losses), even if such Contributor has\nbeen advised of the possibility of such damages.\n\n9. Accepting Warranty or Additional Liability.\n\nWhile redistributing the Work or Derivative Works thereof, You may choose to\noffer, and charge a fee for, acceptance of support, warranty, indemnity, or\nother liability obligations and/or rights consistent with this License. 
However,\nin accepting such obligations, You may act only on Your own behalf and on Your\nsole responsibility, not on behalf of any other Contributor, and only if You\nagree to indemnify, defend, and hold each Contributor harmless for any liability\nincurred by, or claims asserted against, such Contributor by reason of your\naccepting any such warranty or additional liability.\n\nEND OF TERMS AND CONDITIONS\n\nAPPENDIX: How to apply the Apache License to your work\n\nTo apply the Apache License to your work, attach the following boilerplate\nnotice, with the fields enclosed by brackets \"[]\" replaced with your own\nidentifying information. (Don't include the brackets!) The text should be\nenclosed in the appropriate comment syntax for the file format. We also\nrecommend that a file or class name and description of purpose be included on\nthe same \"printed page\" as the copyright notice for easier identification within\nthird-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n     http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/golang/protobuf/ptypes/timestamp/LICENSE",
    "content": "Copyright 2010 The Go Authors.  All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n    * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n    * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n    * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/golang/snappy/LICENSE",
    "content": "Copyright (c) 2011 The Snappy-Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/golang-jwt/jwt/v4/LICENSE",
    "content": "Copyright (c) 2012 Dave Grijalva\nCopyright (c) 2021 golang-jwt maintainers\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/golang-jwt/jwt/v5/LICENSE",
    "content": "Copyright (c) 2012 Dave Grijalva\nCopyright (c) 2021 golang-jwt maintainers\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/certificate-transparency-go/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/gnostic-models/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/go-cmp/cmp/LICENSE",
    "content": "Copyright (c) 2017 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/go-containerregistry/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/go-containerregistry/pkg/authn/k8schain/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/go-containerregistry/pkg/authn/kubernetes/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/go-github/v73/github/LICENSE",
    "content": "Copyright (c) 2013 The go-github AUTHORS. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/go-querystring/query/LICENSE",
    "content": "Copyright (c) 2013 Google. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/s2a-go/LICENSE.md",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/google/uuid/LICENSE",
    "content": "Copyright (c) 2009,2014 Google Inc. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/googleapis/enterprise-certificate-proxy/client/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/googleapis/gax-go/v2/LICENSE",
    "content": "Copyright 2016, Google Inc.\nAll rights reserved.\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/grpc-ecosystem/grpc-gateway/v2/LICENSE",
    "content": "Copyright (c) 2015, Gengo, Inc.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without modification,\nare permitted provided that the following conditions are met:\n\n    * Redistributions of source code must retain the above copyright notice,\n      this list of conditions and the following disclaimer.\n\n    * Redistributions in binary form must reproduce the above copyright notice,\n      this list of conditions and the following disclaimer in the documentation\n      and/or other materials provided with the distribution.\n\n    * Neither the name of Gengo, Inc. nor the names of its\n      contributors may be used to endorse or promote products derived from this\n      software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/errwrap/LICENSE",
    "content": "Mozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. “Contributor”\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. “Contributor Version”\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor’s Contribution.\n\n1.3. “Contribution”\n\n     means Covered Software of a particular Contributor.\n\n1.4. “Covered Software”\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. “Incompatible With Secondary Licenses”\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of version\n        1.1 or earlier of the License, but not also under the terms of a\n        Secondary License.\n\n1.6. “Executable Form”\n\n     means any form of the work other than Source Code Form.\n\n1.7. “Larger Work”\n\n     means a work that combines Covered Software with other material, in a separate\n     file or files, that is not Covered Software.\n\n1.8. “License”\n\n     means this document.\n\n1.9. “Licensable”\n\n     means having the right to grant, to the maximum extent possible, whether at the\n     time of the initial grant or subsequently, any and all of the rights conveyed by\n     this License.\n\n1.10. “Modifications”\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to, deletion\n        from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
“Patent Claims” of a Contributor\n\n      means any patent claim(s), including without limitation, method, process,\n      and apparatus claims, in any patent Licensable by such Contributor that\n      would be infringed, but for the grant of the License, by the making,\n      using, selling, offering for sale, having made, import, or transfer of\n      either its Contributions or its Contributor Version.\n\n1.12. “Secondary License”\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. “Source Code Form”\n\n      means the form of the work preferred for making modifications.\n\n1.14. “You” (or “Your”)\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, “You” includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, “control” means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or as\n        part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its Contributions\n        or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution become\n     effective for each Contribution on the date the Contributor first distributes\n     such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under this\n     License. No additional rights or licenses will be implied from the distribution\n     or licensing of Covered Software under this License. Notwithstanding Section\n     2.1(b) above, no patent license is granted by a Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party’s\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of its\n        Contributions.\n\n     This License does not grant any rights in the trademarks, service marks, or\n     logos of any Contributor (except as may be necessary to comply with the\n     notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this License\n     (see Section 10.2) or under the terms of a Secondary License (if permitted\n     under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its Contributions\n     are its original creation(s) or it has sufficient rights to grant the\n     rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under applicable\n     copyright doctrines of fair use, fair dealing, or other equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under the\n     terms of this License. You must inform recipients that the Source Code Form\n     of the Covered Software is governed by the terms of this License, and how\n     they can obtain a copy of this License. You may not attempt to alter or\n     restrict the recipients’ rights in the Source Code Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this License,\n        or sublicense it under different terms, provided that the license for\n        the Executable Form does not attempt to limit or alter the recipients’\n        rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for the\n     Covered Software. 
If the Larger Work is a combination of Covered Software\n     with a work governed by one or more Secondary Licenses, and the Covered\n     Software is not Incompatible With Secondary Licenses, this License permits\n     You to additionally distribute such Covered Software under the terms of\n     such Secondary License(s), so that the recipient of the Larger Work may, at\n     their option, further distribute the Covered Software under the terms of\n     either this License or such Secondary License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices (including\n     copyright notices, patent notices, disclaimers of warranty, or limitations\n     of liability) contained within the Source Code Form of the Covered\n     Software, except that You may alter any license notices to the extent\n     required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on behalf\n     of any Contributor. You must make it absolutely clear that any such\n     warranty, support, indemnity, or liability obligation is offered by You\n     alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute, judicial\n   order, or regulation then You must: (a) comply with the terms of this License\n   to the maximum extent possible; and (b) describe the limitations and the code\n   they affect. Such description must be placed in a text file included with all\n   distributions of the Covered Software under this License. Except to the\n   extent prohibited by statute or regulation, such description must be\n   sufficiently detailed for a recipient of ordinary skill to be able to\n   understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing basis,\n     if such Contributor fails to notify You of the non-compliance by some\n     reasonable means prior to 60 days after You have come back into compliance.\n     Moreover, Your grants from a particular Contributor are reinstated on an\n     ongoing basis if such Contributor notifies You of the non-compliance by\n     some reasonable means, this is the first time You have received notice of\n     non-compliance with this License from such Contributor, and You become\n     compliant prior to 30 days after Your receipt of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions, counter-claims,\n     and cross-claims) alleging that a Contributor Version directly or\n     indirectly infringes any patent, then the rights granted to You by any and\n     all Contributors for the Covered Software under Section 2.1 of this License\n     shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an “as is” basis, without\n   warranty of any kind, either expressed, implied, or statutory, including,\n   without limitation, warranties that the Covered Software is free of defects,\n   merchantable, fit for a particular purpose or non-infringing. The entire\n   risk as to the quality and performance of the Covered Software is with You.\n   Should any Covered Software prove defective in any respect, You (not any\n   Contributor) assume the cost of any necessary servicing, repair, or\n   correction. This disclaimer of warranty constitutes an essential part of this\n   License. No use of  any Covered Software is authorized under this License\n   except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from such\n   party’s negligence to the extent applicable law prohibits such limitation.\n   Some jurisdictions do not allow the exclusion or limitation of incidental or\n   consequential damages, so this exclusion and limitation may not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts of\n   a jurisdiction where the defendant maintains its principal place of business\n   and such litigation shall be governed by laws of that jurisdiction, without\n   reference to its conflict-of-law provisions. Nothing in this Section shall\n   prevent a party’s ability to bring cross-claims or counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject matter\n   hereof. If any provision of this License is held to be unenforceable, such\n   provision shall be reformed only to the extent necessary to make it\n   enforceable. Any law or regulation which provides that the language of a\n   contract shall be construed against the drafter shall not be used to construe\n   this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version of\n      the License under which You originally received the Covered Software, or\n      under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a modified\n      version of this License if you rename the license and remove any\n      references to the name of the license steward (except to note that such\n      modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n      If You choose to distribute Source Code Form that is Incompatible With\n      Secondary Licenses under the terms of this version of the License, the\n      notice described in Exhibit B of this License must be attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file, then\nYou may include the notice in a location (such as a LICENSE file in a relevant\ndirectory) where a recipient would be likely to look for such a notice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - “Incompatible With Secondary Licenses” Notice\n\n      This Source Code Form is “Incompatible\n      With Secondary Licenses”, as defined by\n      the Mozilla Public License, v. 2.0.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/errwrap/README.md",
    "content": "# errwrap\n\n`errwrap` is a package for Go that formalizes the pattern of wrapping errors\nand checking if an error contains another error.\n\nThere is a common pattern in Go of taking a returned `error` value and\nthen wrapping it (such as with `fmt.Errorf`) before returning it. The problem\nwith this pattern is that you completely lose the original `error` structure.\n\nArguably the _correct_ approach is that you should make a custom structure\nimplementing the `error` interface, and have the original error as a field\non that structure, such [as this example](http://golang.org/pkg/os/#PathError).\nThis is a good approach, but you have to know the entire chain of possible\nrewrapping that happens, when you might just care about one.\n\n`errwrap` formalizes this pattern (it doesn't matter what approach you use\nabove) by giving a single interface for wrapping errors, checking if a specific\nerror is wrapped, and extracting that error.\n\n## Installation and Docs\n\nInstall using `go get github.com/hashicorp/errwrap`.\n\nFull documentation is available at\nhttp://godoc.org/github.com/hashicorp/errwrap\n\n## Usage\n\n#### Basic Usage\n\nBelow is a very basic example of its usage:\n\n```go\n// A function that always returns an error, but wraps it, like a real\n// function might.\nfunc tryOpen() error {\n\t_, err := os.Open(\"/i/dont/exist\")\n\tif err != nil {\n\t\treturn errwrap.Wrapf(\"Doesn't exist: {{err}}\", err)\n\t}\n\n\treturn nil\n}\n\nfunc main() {\n\terr := tryOpen()\n\n\t// We can use the Contains helpers to check if an error contains\n\t// another error. It is safe to do this with a nil error, or with\n\t// an error that doesn't even use the errwrap package.\n\tif errwrap.Contains(err, \"does not exist\") {\n\t\t// Do something\n\t}\n\tif errwrap.ContainsType(err, new(os.PathError)) {\n\t\t// Do something\n\t}\n\n\t// Or we can use the associated `Get` functions to just extract\n\t// a specific error. 
This would return nil if that specific error doesn't\n\t// exist.\n\tperr := errwrap.GetType(err, new(os.PathError))\n}\n```\n\n#### Custom Types\n\nIf you're already making custom types that properly wrap errors, then\nyou can get all the functionality of `errwrap.Contains` and such by\nimplementing the `Wrapper` interface with just one function. Example:\n\n```go\ntype AppError struct {\n  Code ErrorCode\n  Err  error\n}\n\nfunc (e *AppError) WrappedErrors() []error {\n  return []error{e.Err}\n}\n```\n\nNow this works:\n\n```go\nerr := &AppError{Err: fmt.Errorf(\"an error\")}\nif errwrap.ContainsType(err, fmt.Errorf(\"\")) {\n\t// This will work!\n}\n```\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/errwrap/errwrap.go",
    "content": "// Package errwrap implements methods to formalize error wrapping in Go.\n//\n// All of the top-level functions that take an `error` are built to be able\n// to take any error, not just wrapped errors. This allows you to use errwrap\n// without having to type-check and type-cast everywhere.\npackage errwrap\n\nimport (\n\t\"errors\"\n\t\"reflect\"\n\t\"strings\"\n)\n\n// WalkFunc is the callback called for Walk.\ntype WalkFunc func(error)\n\n// Wrapper is an interface that can be implemented by custom types to\n// have all the Contains, Get, etc. functions in errwrap work.\n//\n// When Walk reaches a Wrapper, it will call the callback for every\n// wrapped error in addition to the wrapper itself. Since all the top-level\n// functions in errwrap use Walk, this means that all those functions work\n// with your custom type.\ntype Wrapper interface {\n\tWrappedErrors() []error\n}\n\n// Wrap defines that outer wraps inner, returning an error type that\n// can be cleanly used with the other methods in this package, such as\n// Contains, GetAll, etc.\n//\n// This function won't modify the error message at all (the outer message\n// will be used).\nfunc Wrap(outer, inner error) error {\n\treturn &wrappedError{\n\t\tOuter: outer,\n\t\tInner: inner,\n\t}\n}\n\n// Wrapf wraps an error with a formatting message. This is similar to using\n// `fmt.Errorf` to wrap an error. If you're using `fmt.Errorf` to wrap\n// errors, you should replace it with this.\n//\n// format is the format of the error message. The string '{{err}}' will\n// be replaced with the original error message.\n//\n// Deprecated: Use fmt.Errorf()\nfunc Wrapf(format string, err error) error {\n\touterMsg := \"<nil>\"\n\tif err != nil {\n\t\touterMsg = err.Error()\n\t}\n\n\touter := errors.New(strings.Replace(\n\t\tformat, \"{{err}}\", outerMsg, -1))\n\n\treturn Wrap(outer, err)\n}\n\n// Contains checks if the given error contains an error with the\n// message msg. 
If err is not a wrapped error, this will always return\n// false unless the error itself happens to match this msg.\nfunc Contains(err error, msg string) bool {\n\treturn len(GetAll(err, msg)) > 0\n}\n\n// ContainsType checks if the given error contains an error with\n// the same concrete type as v. If err is not a wrapped error, this will\n// check the err itself.\nfunc ContainsType(err error, v interface{}) bool {\n\treturn len(GetAllType(err, v)) > 0\n}\n\n// Get is the same as GetAll but returns the deepest matching error.\nfunc Get(err error, msg string) error {\n\tes := GetAll(err, msg)\n\tif len(es) > 0 {\n\t\treturn es[len(es)-1]\n\t}\n\n\treturn nil\n}\n\n// GetType is the same as GetAllType but returns the deepest matching error.\nfunc GetType(err error, v interface{}) error {\n\tes := GetAllType(err, v)\n\tif len(es) > 0 {\n\t\treturn es[len(es)-1]\n\t}\n\n\treturn nil\n}\n\n// GetAll gets all the errors that might be wrapped in err with the\n// given message. The order of the errors is such that the outermost\n// matching error (the most recent wrap) is index zero, and so on.\nfunc GetAll(err error, msg string) []error {\n\tvar result []error\n\n\tWalk(err, func(err error) {\n\t\tif err.Error() == msg {\n\t\t\tresult = append(result, err)\n\t\t}\n\t})\n\n\treturn result\n}\n\n// GetAllType gets all the errors that are the same type as v.\n//\n// The order of the return value is the same as described in GetAll.\nfunc GetAllType(err error, v interface{}) []error {\n\tvar result []error\n\n\tvar search string\n\tif v != nil {\n\t\tsearch = reflect.TypeOf(v).String()\n\t}\n\tWalk(err, func(err error) {\n\t\tvar needle string\n\t\tif err != nil {\n\t\t\tneedle = reflect.TypeOf(err).String()\n\t\t}\n\n\t\tif needle == search {\n\t\t\tresult = append(result, err)\n\t\t}\n\t})\n\n\treturn result\n}\n\n// Walk walks all the wrapped errors in err and calls the callback. If\n// err isn't a wrapped error, this will be called once for err. 
If err\n// is a wrapped error, the callback will be called for both the wrapper\n// that implements error as well as the wrapped error itself.\nfunc Walk(err error, cb WalkFunc) {\n\tif err == nil {\n\t\treturn\n\t}\n\n\tswitch e := err.(type) {\n\tcase *wrappedError:\n\t\tcb(e.Outer)\n\t\tWalk(e.Inner, cb)\n\tcase Wrapper:\n\t\tcb(err)\n\n\t\tfor _, err := range e.WrappedErrors() {\n\t\t\tWalk(err, cb)\n\t\t}\n\tcase interface{ Unwrap() error }:\n\t\tcb(err)\n\t\tWalk(e.Unwrap(), cb)\n\tdefault:\n\t\tcb(err)\n\t}\n}\n\n// wrappedError is an implementation of error that has both the\n// outer and inner errors.\ntype wrappedError struct {\n\tOuter error\n\tInner error\n}\n\nfunc (w *wrappedError) Error() string {\n\treturn w.Outer.Error()\n}\n\nfunc (w *wrappedError) WrappedErrors() []error {\n\treturn []error{w.Outer, w.Inner}\n}\n\nfunc (w *wrappedError) Unwrap() error {\n\treturn w.Inner\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp/LICENSE",
    "content": "Mozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. \"Contributor\"\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n\n     means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the terms of\n        a Secondary License.\n\n1.6. \"Executable Form\"\n\n     means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n\n     means a work that combines Covered Software with other material, in a\n     separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n\n     means this document.\n\n1.9. \"Licensable\"\n\n     means having the right to grant, to the maximum extent possible, whether\n     at the time of the initial grant or subsequently, any and all of the\n     rights conveyed by this License.\n\n1.10. \"Modifications\"\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
\"Patent Claims\" of a Contributor\n\n      means any patent claim(s), including without limitation, method,\n      process, and apparatus claims, in any patent Licensable by such\n      Contributor that would be infringed, but for the grant of the License,\n      by the making, using, selling, offering for sale, having made, import,\n      or transfer of either its Contributions or its Contributor Version.\n\n1.12. \"Secondary License\"\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. \"Source Code Form\"\n\n      means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, \"You\" includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, \"control\" means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or\n        as part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its\n        Contributions or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution\n     become effective for each Contribution on the date the Contributor first\n     distributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under\n     this License. No additional rights or licenses will be implied from the\n     distribution or licensing of Covered Software under this License.\n     Notwithstanding Section 2.1(b) above, no patent license is granted by a\n     Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party's\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of\n        its Contributions.\n\n     This License does not grant any rights in the trademarks, service marks,\n     or logos of any Contributor (except as may be necessary to comply with\n     the notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this\n     License (see Section 10.2) or under the terms of a Secondary License (if\n     permitted under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its\n     Contributions are its original creation(s) or it has sufficient rights to\n     grant the rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under\n     applicable copyright doctrines of fair use, fair dealing, or other\n     equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under\n     the terms of this License. You must inform recipients that the Source\n     Code Form of the Covered Software is governed by the terms of this\n     License, and how they can obtain a copy of this License. You may not\n     attempt to alter or restrict the recipients' rights in the Source Code\n     Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this\n        License, or sublicense it under different terms, provided that the\n        license for the Executable Form does not attempt to limit or alter the\n        recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for\n     the Covered Software. 
If the Larger Work is a combination of Covered\n     Software with a work governed by one or more Secondary Licenses, and the\n     Covered Software is not Incompatible With Secondary Licenses, this\n     License permits You to additionally distribute such Covered Software\n     under the terms of such Secondary License(s), so that the recipient of\n     the Larger Work may, at their option, further distribute the Covered\n     Software under the terms of either this License or such Secondary\n     License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices\n     (including copyright notices, patent notices, disclaimers of warranty, or\n     limitations of liability) contained within the Source Code Form of the\n     Covered Software, except that You may alter any license notices to the\n     extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on\n     behalf of any Contributor. You must make it absolutely clear that any\n     such warranty, support, indemnity, or liability obligation is offered by\n     You alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute,\n   judicial order, or regulation then You must: (a) comply with the terms of\n   this License to the maximum extent possible; and (b) describe the\n   limitations and the code they affect. Such description must be placed in a\n   text file included with all distributions of the Covered Software under\n   this License. Except to the extent prohibited by statute or regulation,\n   such description must be sufficiently detailed for a recipient of ordinary\n   skill to be able to understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing\n     basis, if such Contributor fails to notify You of the non-compliance by\n     some reasonable means prior to 60 days after You have come back into\n     compliance. Moreover, Your grants from a particular Contributor are\n     reinstated on an ongoing basis if such Contributor notifies You of the\n     non-compliance by some reasonable means, this is the first time You have\n     received notice of non-compliance with this License from such\n     Contributor, and You become compliant prior to 30 days after Your receipt\n     of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions,\n     counter-claims, and cross-claims) alleging that a Contributor Version\n     directly or indirectly infringes any patent, then the rights granted to\n     You by any and all Contributors for the Covered Software under Section\n     2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an \"as is\" basis,\n   without warranty of any kind, either expressed, implied, or statutory,\n   including, without limitation, warranties that the Covered Software is free\n   of defects, merchantable, fit for a particular purpose or non-infringing.\n   The entire risk as to the quality and performance of the Covered Software\n   is with You. Should any Covered Software prove defective in any respect,\n   You (not any Contributor) assume the cost of any necessary servicing,\n   repair, or correction. This disclaimer of warranty constitutes an essential\n   part of this License. No use of  any Covered Software is authorized under\n   this License except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from\n   such party's negligence to the extent applicable law prohibits such\n   limitation. Some jurisdictions do not allow the exclusion or limitation of\n   incidental or consequential damages, so this exclusion and limitation may\n   not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts\n   of a jurisdiction where the defendant maintains its principal place of\n   business and such litigation shall be governed by laws of that\n   jurisdiction, without reference to its conflict-of-law provisions. Nothing\n   in this Section shall prevent a party's ability to bring cross-claims or\n   counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject\n   matter hereof. If any provision of this License is held to be\n   unenforceable, such provision shall be reformed only to the extent\n   necessary to make it enforceable. Any law or regulation which provides that\n   the language of a contract shall be construed against the drafter shall not\n   be used to construe this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version\n      of the License under which You originally received the Covered Software,\n      or under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a\n      modified version of this License if you rename the license and remove\n      any references to the name of the license steward (except to note that\n      such modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary\n      Licenses If You choose to distribute Source Code Form that is\n      Incompatible With Secondary Licenses under the terms of this version of\n      the License, the notice described in Exhibit B of this License must be\n      attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file,\nthen You may include the notice in a location (such as a LICENSE file in a\nrelevant directory) where a recipient would be likely to look for such a\nnotice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n\n      This Source Code Form is \"Incompatible\n      With Secondary Licenses\", as defined by\n      the Mozilla Public License, v. 
2.0.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp/README.md",
    "content": "# cleanhttp\n\nFunctions for accessing \"clean\" Go http.Client values\n\n-------------\n\nThe Go standard library contains a default `http.Client` called\n`http.DefaultClient`. It is a common idiom in Go code to start with\n`http.DefaultClient` and tweak it as necessary, and in fact, this is\nencouraged; from the `http` package documentation:\n\n> The Client's Transport typically has internal state (cached TCP connections),\nso Clients should be reused instead of created as needed. Clients are safe for\nconcurrent use by multiple goroutines.\n\nUnfortunately, this is a shared value, and it is not uncommon for libraries to\nassume that they are free to modify it at will. With enough dependencies, it\ncan be very easy to encounter strange problems and race conditions due to\nmanipulation of this shared value across libraries and goroutines (clients are\nsafe for concurrent use, but writing values to the client struct itself is not\nprotected).\n\nMaking things worse is the fact that a bare `http.Client` will use a default\n`http.Transport` called `http.DefaultTransport`, which is another global value\nthat behaves the same way. So it is not enough simply to replace\n`http.DefaultClient` with `&http.Client{}`.\n\nThis repository provides some simple functions to get a \"clean\" `http.Client`\n-- one that uses the same default values as the Go standard library, but\nreturns a client that does not share any state with other clients.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp/cleanhttp.go",
    "content": "package cleanhttp\n\nimport (\n\t\"net\"\n\t\"net/http\"\n\t\"runtime\"\n\t\"time\"\n)\n\n// DefaultTransport returns a new http.Transport with similar default values to\n// http.DefaultTransport, but with idle connections and keepalives disabled.\nfunc DefaultTransport() *http.Transport {\n\ttransport := DefaultPooledTransport()\n\ttransport.DisableKeepAlives = true\n\ttransport.MaxIdleConnsPerHost = -1\n\treturn transport\n}\n\n// DefaultPooledTransport returns a new http.Transport with similar default\n// values to http.DefaultTransport. Do not use this for transient transports as\n// it can leak file descriptors over time. Only use this for transports that\n// will be re-used for the same host(s).\nfunc DefaultPooledTransport() *http.Transport {\n\ttransport := &http.Transport{\n\t\tProxy: http.ProxyFromEnvironment,\n\t\tDialContext: (&net.Dialer{\n\t\t\tTimeout:   30 * time.Second,\n\t\t\tKeepAlive: 30 * time.Second,\n\t\t\tDualStack: true,\n\t\t}).DialContext,\n\t\tMaxIdleConns:          100,\n\t\tIdleConnTimeout:       90 * time.Second,\n\t\tTLSHandshakeTimeout:   10 * time.Second,\n\t\tExpectContinueTimeout: 1 * time.Second,\n\t\tForceAttemptHTTP2:     true,\n\t\tMaxIdleConnsPerHost:   runtime.GOMAXPROCS(0) + 1,\n\t}\n\treturn transport\n}\n\n// DefaultClient returns a new http.Client with similar default values to\n// http.Client, but with a non-shared Transport, idle connections disabled, and\n// keepalives disabled.\nfunc DefaultClient() *http.Client {\n\treturn &http.Client{\n\t\tTransport: DefaultTransport(),\n\t}\n}\n\n// DefaultPooledClient returns a new http.Client with similar default values to\n// http.Client, but with a shared Transport. Do not use this function for\n// transient clients as it can leak file descriptors over time. Only use this\n// for clients that will be re-used for the same host(s).\nfunc DefaultPooledClient() *http.Client {\n\treturn &http.Client{\n\t\tTransport: DefaultPooledTransport(),\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp/doc.go",
    "content": "// Package cleanhttp offers convenience utilities for acquiring \"clean\"\n// http.Transport and http.Client structs.\n//\n// Values set on http.DefaultClient and http.DefaultTransport affect all\n// callers. This can have detrimental effects, especially in TLS contexts,\n// where client or root certificates set to talk to multiple endpoints can end\n// up displacing each other, leading to hard-to-debug issues. This package\n// provides non-shared http.Client and http.Transport structs to ensure that\n// the configuration will not be overwritten by other parts of the application\n// or dependencies.\n//\n// The DefaultClient and DefaultTransport functions disable idle connections\n// and keepalives. Without ensuring that idle connections are closed before\n// garbage collection, short-term clients/transports can leak file descriptors,\n// eventually leading to \"too many open files\" errors. If you will be\n// connecting to the same hosts repeatedly from the same client, you can use\n// DefaultPooledClient to receive a client that has connection pooling\n// semantics similar to http.DefaultClient.\n//\npackage cleanhttp\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp/handlers.go",
    "content": "package cleanhttp\n\nimport (\n\t\"net/http\"\n\t\"strings\"\n\t\"unicode\"\n)\n\n// HandlerInput provides input options to cleanhttp's handlers\ntype HandlerInput struct {\n\tErrStatus int\n}\n\n// PrintablePathCheckHandler is a middleware that ensures the request path\n// contains only printable runes.\nfunc PrintablePathCheckHandler(next http.Handler, input *HandlerInput) http.Handler {\n\t// Nil-check on input to make it optional\n\tif input == nil {\n\t\tinput = &HandlerInput{\n\t\t\tErrStatus: http.StatusBadRequest,\n\t\t}\n\t}\n\n\t// Default to http.StatusBadRequest on error\n\tif input.ErrStatus == 0 {\n\t\tinput.ErrStatus = http.StatusBadRequest\n\t}\n\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif r != nil {\n\t\t\t// Check URL path for non-printable characters\n\t\t\tidx := strings.IndexFunc(r.URL.Path, func(c rune) bool {\n\t\t\t\treturn !unicode.IsPrint(c)\n\t\t\t})\n\n\t\t\tif idx != -1 {\n\t\t\t\tw.WriteHeader(input.ErrStatus)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif next != nil {\n\t\t\t\tnext.ServeHTTP(w, r)\n\t\t\t}\n\t\t}\n\n\t\treturn\n\t})\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/LICENSE",
    "content": "Mozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. “Contributor”\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. “Contributor Version”\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor’s Contribution.\n\n1.3. “Contribution”\n\n     means Covered Software of a particular Contributor.\n\n1.4. “Covered Software”\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. “Incompatible With Secondary Licenses”\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of version\n        1.1 or earlier of the License, but not also under the terms of a\n        Secondary License.\n\n1.6. “Executable Form”\n\n     means any form of the work other than Source Code Form.\n\n1.7. “Larger Work”\n\n     means a work that combines Covered Software with other material, in a separate\n     file or files, that is not Covered Software.\n\n1.8. “License”\n\n     means this document.\n\n1.9. “Licensable”\n\n     means having the right to grant, to the maximum extent possible, whether at the\n     time of the initial grant or subsequently, any and all of the rights conveyed by\n     this License.\n\n1.10. “Modifications”\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to, deletion\n        from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
“Patent Claims” of a Contributor\n\n      means any patent claim(s), including without limitation, method, process,\n      and apparatus claims, in any patent Licensable by such Contributor that\n      would be infringed, but for the grant of the License, by the making,\n      using, selling, offering for sale, having made, import, or transfer of\n      either its Contributions or its Contributor Version.\n\n1.12. “Secondary License”\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. “Source Code Form”\n\n      means the form of the work preferred for making modifications.\n\n1.14. “You” (or “Your”)\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, “You” includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, “control” means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or as\n        part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its Contributions\n        or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution become\n     effective for each Contribution on the date the Contributor first distributes\n     such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under this\n     License. No additional rights or licenses will be implied from the distribution\n     or licensing of Covered Software under this License. Notwithstanding Section\n     2.1(b) above, no patent license is granted by a Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party’s\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of its\n        Contributions.\n\n     This License does not grant any rights in the trademarks, service marks, or\n     logos of any Contributor (except as may be necessary to comply with the\n     notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this License\n     (see Section 10.2) or under the terms of a Secondary License (if permitted\n     under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its Contributions\n     are its original creation(s) or it has sufficient rights to grant the\n     rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under applicable\n     copyright doctrines of fair use, fair dealing, or other equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under the\n     terms of this License. You must inform recipients that the Source Code Form\n     of the Covered Software is governed by the terms of this License, and how\n     they can obtain a copy of this License. You may not attempt to alter or\n     restrict the recipients’ rights in the Source Code Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this License,\n        or sublicense it under different terms, provided that the license for\n        the Executable Form does not attempt to limit or alter the recipients’\n        rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for the\n     Covered Software. 
If the Larger Work is a combination of Covered Software\n     with a work governed by one or more Secondary Licenses, and the Covered\n     Software is not Incompatible With Secondary Licenses, this License permits\n     You to additionally distribute such Covered Software under the terms of\n     such Secondary License(s), so that the recipient of the Larger Work may, at\n     their option, further distribute the Covered Software under the terms of\n     either this License or such Secondary License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices (including\n     copyright notices, patent notices, disclaimers of warranty, or limitations\n     of liability) contained within the Source Code Form of the Covered\n     Software, except that You may alter any license notices to the extent\n     required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on behalf\n     of any Contributor. You must make it absolutely clear that any such\n     warranty, support, indemnity, or liability obligation is offered by You\n     alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute, judicial\n   order, or regulation then You must: (a) comply with the terms of this License\n   to the maximum extent possible; and (b) describe the limitations and the code\n   they affect. Such description must be placed in a text file included with all\n   distributions of the Covered Software under this License. Except to the\n   extent prohibited by statute or regulation, such description must be\n   sufficiently detailed for a recipient of ordinary skill to be able to\n   understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing basis,\n     if such Contributor fails to notify You of the non-compliance by some\n     reasonable means prior to 60 days after You have come back into compliance.\n     Moreover, Your grants from a particular Contributor are reinstated on an\n     ongoing basis if such Contributor notifies You of the non-compliance by\n     some reasonable means, this is the first time You have received notice of\n     non-compliance with this License from such Contributor, and You become\n     compliant prior to 30 days after Your receipt of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions, counter-claims,\n     and cross-claims) alleging that a Contributor Version directly or\n     indirectly infringes any patent, then the rights granted to You by any and\n     all Contributors for the Covered Software under Section 2.1 of this License\n     shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an “as is” basis, without\n   warranty of any kind, either expressed, implied, or statutory, including,\n   without limitation, warranties that the Covered Software is free of defects,\n   merchantable, fit for a particular purpose or non-infringing. The entire\n   risk as to the quality and performance of the Covered Software is with You.\n   Should any Covered Software prove defective in any respect, You (not any\n   Contributor) assume the cost of any necessary servicing, repair, or\n   correction. This disclaimer of warranty constitutes an essential part of this\n   License. No use of  any Covered Software is authorized under this License\n   except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from such\n   party’s negligence to the extent applicable law prohibits such limitation.\n   Some jurisdictions do not allow the exclusion or limitation of incidental or\n   consequential damages, so this exclusion and limitation may not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts of\n   a jurisdiction where the defendant maintains its principal place of business\n   and such litigation shall be governed by laws of that jurisdiction, without\n   reference to its conflict-of-law provisions. Nothing in this Section shall\n   prevent a party’s ability to bring cross-claims or counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject matter\n   hereof. If any provision of this License is held to be unenforceable, such\n   provision shall be reformed only to the extent necessary to make it\n   enforceable. Any law or regulation which provides that the language of a\n   contract shall be construed against the drafter shall not be used to construe\n   this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version of\n      the License under which You originally received the Covered Software, or\n      under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a modified\n      version of this License if you rename the license and remove any\n      references to the name of the license steward (except to note that such\n      modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n      If You choose to distribute Source Code Form that is Incompatible With\n      Secondary Licenses under the terms of this version of the License, the\n      notice described in Exhibit B of this License must be attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file, then\nYou may include the notice in a location (such as a LICENSE file in a relevant\ndirectory) where a recipient would be likely to look for such a notice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - “Incompatible With Secondary Licenses” Notice\n\n      This Source Code Form is “Incompatible\n      With Secondary Licenses”, as defined by\n      the Mozilla Public License, v. 2.0.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/Makefile",
    "content": "TEST?=./...\n\ndefault: test\n\n# test runs the test suite and vets the code.\ntest: generate\n\t@echo \"==> Running tests...\"\n\t@go list $(TEST) \\\n\t\t| grep -v \"/vendor/\" \\\n\t\t| xargs -n1 go test -timeout=60s -parallel=10 ${TESTARGS}\n\n# testrace runs the race checker\ntestrace: generate\n\t@echo \"==> Running tests (race)...\"\n\t@go list $(TEST) \\\n\t\t| grep -v \"/vendor/\" \\\n\t\t| xargs -n1 go test -timeout=60s -race ${TESTARGS}\n\n# updatedeps installs all the dependencies needed to run and build.\nupdatedeps:\n\t@sh -c \"'${CURDIR}/scripts/deps.sh' '${NAME}'\"\n\n# generate runs `go generate` to build the dynamically generated source files.\ngenerate:\n\t@echo \"==> Generating...\"\n\t@find . -type f -name '.DS_Store' -delete\n\t@go list ./... \\\n\t\t| grep -v \"/vendor/\" \\\n\t\t| xargs -n1 go generate\n\n.PHONY: default test testrace updatedeps generate\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/README.md",
    "content": "# go-multierror\n\n[![CircleCI](https://img.shields.io/circleci/build/github/hashicorp/go-multierror/master)](https://circleci.com/gh/hashicorp/go-multierror)\n[![Go Reference](https://pkg.go.dev/badge/github.com/hashicorp/go-multierror.svg)](https://pkg.go.dev/github.com/hashicorp/go-multierror)\n![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/hashicorp/go-multierror)\n\n[circleci]: https://app.circleci.com/pipelines/github/hashicorp/go-multierror\n[godocs]: https://pkg.go.dev/github.com/hashicorp/go-multierror\n\n`go-multierror` is a package for Go that provides a mechanism for\nrepresenting a list of `error` values as a single `error`.\n\nThis allows a function in Go to return an `error` that might actually\nbe a list of errors. If the caller knows this, they can unwrap the\nlist and access the errors. If the caller doesn't know, the error\nformats to a nice human-readable format.\n\n`go-multierror` is fully compatible with the Go standard library\n[errors](https://golang.org/pkg/errors/) package, including the\nfunctions `As`, `Is`, and `Unwrap`. This provides a standardized approach\nfor introspecting on error values.\n\n## Installation and Docs\n\nInstall using `go get github.com/hashicorp/go-multierror`.\n\nFull documentation is available at\nhttps://pkg.go.dev/github.com/hashicorp/go-multierror\n\n### Requires go version 1.13 or newer\n\n`go-multierror` requires go version 1.13 or newer. 
Go 1.13 introduced\n[error wrapping](https://golang.org/doc/go1.13#error_wrapping), which\nthis library takes advantage of.\n\nIf you need to use an earlier version of go, you can use the\n[v1.0.0](https://github.com/hashicorp/go-multierror/tree/v1.0.0)\ntag, which doesn't rely on features in go 1.13.\n\nIf you see compile errors that look like the below, it's likely that\nyou're on an older version of go:\n\n```\n/go/src/github.com/hashicorp/go-multierror/multierror.go:112:9: undefined: errors.As\n/go/src/github.com/hashicorp/go-multierror/multierror.go:117:9: undefined: errors.Is\n```\n\n## Usage\n\ngo-multierror is easy to use and purposely built to be unobtrusive in\nexisting Go applications/libraries that may not be aware of it.\n\n**Building a list of errors**\n\nThe `Append` function is used to create a list of errors. This function\nbehaves a lot like the Go built-in `append` function: it doesn't matter\nif the first argument is nil, a `multierror.Error`, or any other `error`,\nthe function behaves as you would expect.\n\n```go\nvar result error\n\nif err := step1(); err != nil {\n\tresult = multierror.Append(result, err)\n}\nif err := step2(); err != nil {\n\tresult = multierror.Append(result, err)\n}\n\nreturn result\n```\n\n**Customizing the formatting of the errors**\n\nBy specifying a custom `ErrorFormat`, you can customize the format\nof the `Error() string` function:\n\n```go\nvar result *multierror.Error\n\n// ... accumulate errors here, maybe using Append\n\nif result != nil {\n\tresult.ErrorFormat = func([]error) string {\n\t\treturn \"errors!\"\n\t}\n}\n```\n\n**Accessing the list of errors**\n\n`multierror.Error` implements `error` so if the caller doesn't know about\nmultierror, it will work just fine. 
But if you're aware a multierror might\nbe returned, you can use type switches to access the list of errors:\n\n```go\nif err := something(); err != nil {\n\tif merr, ok := err.(*multierror.Error); ok {\n\t\t// Use merr.Errors\n\t}\n}\n```\n\nYou can also use the standard [`errors.Unwrap`](https://golang.org/pkg/errors/#Unwrap)\nfunction. This will continue to unwrap into subsequent errors until none exist.\n\n**Extracting an error**\n\nThe standard library [`errors.As`](https://golang.org/pkg/errors/#As)\nfunction can be used directly with a multierror to extract a specific error:\n\n```go\n// Assume err is a multierror value\nerr := somefunc()\n\n// We want to know if \"err\" has a \"RichErrorType\" in it and extract it.\nvar errRich RichErrorType\nif errors.As(err, &errRich) {\n\t// It has it, and now errRich is populated.\n}\n```\n\n**Checking for an exact error value**\n\nSome errors are returned as exact errors such as the [`ErrNotExist`](https://golang.org/pkg/os/#pkg-variables)\nerror in the `os` package. You can check if this error is present by using\nthe standard [`errors.Is`](https://golang.org/pkg/errors/#Is) function.\n\n```go\n// Assume err is a multierror value\nerr := somefunc()\nif errors.Is(err, os.ErrNotExist) {\n\t// err contains os.ErrNotExist\n}\n```\n\n**Returning a multierror only if there are errors**\n\nIf you build a `multierror.Error`, you can use the `ErrorOrNil` function\nto return an `error` implementation only if there are errors to return:\n\n```go\nvar result *multierror.Error\n\n// ... accumulate errors here\n\n// Return the `error` only if errors were added to the multierror, otherwise\n// return nil since there are no errors.\nreturn result.ErrorOrNil()\n```\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/append.go",
    "content": "package multierror\n\n// Append is a helper function that will append more errors\n// onto an Error in order to create a larger multi-error.\n//\n// If err is not a multierror.Error, then it will be turned into\n// one. If any of the errs are multierror.Error, they will be flattened\n// one level into err.\n// Any nil errors within errs will be ignored. If err is nil, a new\n// *Error will be returned.\nfunc Append(err error, errs ...error) *Error {\n\tswitch err := err.(type) {\n\tcase *Error:\n\t\t// Typed nils can reach here, so initialize if we are nil\n\t\tif err == nil {\n\t\t\terr = new(Error)\n\t\t}\n\n\t\t// Go through each error and flatten\n\t\tfor _, e := range errs {\n\t\t\tswitch e := e.(type) {\n\t\t\tcase *Error:\n\t\t\t\tif e != nil {\n\t\t\t\t\terr.Errors = append(err.Errors, e.Errors...)\n\t\t\t\t}\n\t\t\tdefault:\n\t\t\t\tif e != nil {\n\t\t\t\t\terr.Errors = append(err.Errors, e)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn err\n\tdefault:\n\t\tnewErrs := make([]error, 0, len(errs)+1)\n\t\tif err != nil {\n\t\t\tnewErrs = append(newErrs, err)\n\t\t}\n\t\tnewErrs = append(newErrs, errs...)\n\n\t\treturn Append(&Error{}, newErrs...)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/flatten.go",
    "content": "package multierror\n\n// Flatten flattens the given error, merging any *Errors together into\n// a single *Error.\nfunc Flatten(err error) error {\n\t// If it isn't an *Error, just return the error as-is\n\tif _, ok := err.(*Error); !ok {\n\t\treturn err\n\t}\n\n\t// Otherwise, make the result and flatten away!\n\tflatErr := new(Error)\n\tflatten(err, flatErr)\n\treturn flatErr\n}\n\nfunc flatten(err error, flatErr *Error) {\n\tswitch err := err.(type) {\n\tcase *Error:\n\t\tfor _, e := range err.Errors {\n\t\t\tflatten(e, flatErr)\n\t\t}\n\tdefault:\n\t\tflatErr.Errors = append(flatErr.Errors, err)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/format.go",
    "content": "package multierror\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n)\n\n// ErrorFormatFunc is a function callback that is called by Error to\n// turn the list of errors into a string.\ntype ErrorFormatFunc func([]error) string\n\n// ListFormatFunc is a basic formatter that outputs the number of errors\n// that occurred along with a bullet point list of the errors.\nfunc ListFormatFunc(es []error) string {\n\tif len(es) == 1 {\n\t\treturn fmt.Sprintf(\"1 error occurred:\\n\\t* %s\\n\\n\", es[0])\n\t}\n\n\tpoints := make([]string, len(es))\n\tfor i, err := range es {\n\t\tpoints[i] = fmt.Sprintf(\"* %s\", err)\n\t}\n\n\treturn fmt.Sprintf(\n\t\t\"%d errors occurred:\\n\\t%s\\n\\n\",\n\t\tlen(es), strings.Join(points, \"\\n\\t\"))\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/group.go",
    "content": "package multierror\n\nimport \"sync\"\n\n// Group is a collection of goroutines which return errors that need to be\n// coalesced.\ntype Group struct {\n\tmutex sync.Mutex\n\terr   *Error\n\twg    sync.WaitGroup\n}\n\n// Go calls the given function in a new goroutine.\n//\n// If the function returns an error it is added to the group multierror which\n// is returned by Wait.\nfunc (g *Group) Go(f func() error) {\n\tg.wg.Add(1)\n\n\tgo func() {\n\t\tdefer g.wg.Done()\n\n\t\tif err := f(); err != nil {\n\t\t\tg.mutex.Lock()\n\t\t\tg.err = Append(g.err, err)\n\t\t\tg.mutex.Unlock()\n\t\t}\n\t}()\n}\n\n// Wait blocks until all function calls from the Go method have returned, then\n// returns the multierror.\nfunc (g *Group) Wait() *Error {\n\tg.wg.Wait()\n\tg.mutex.Lock()\n\tdefer g.mutex.Unlock()\n\treturn g.err\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/multierror.go",
    "content": "package multierror\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n)\n\n// Error is an error type to track multiple errors. This is used to\n// accumulate errors in cases and return them as a single \"error\".\ntype Error struct {\n\tErrors      []error\n\tErrorFormat ErrorFormatFunc\n}\n\nfunc (e *Error) Error() string {\n\tfn := e.ErrorFormat\n\tif fn == nil {\n\t\tfn = ListFormatFunc\n\t}\n\n\treturn fn(e.Errors)\n}\n\n// ErrorOrNil returns an error interface if this Error represents\n// a list of errors, or returns nil if the list of errors is empty. This\n// function is useful at the end of accumulation to make sure that the value\n// returned represents the existence of errors.\nfunc (e *Error) ErrorOrNil() error {\n\tif e == nil {\n\t\treturn nil\n\t}\n\tif len(e.Errors) == 0 {\n\t\treturn nil\n\t}\n\n\treturn e\n}\n\nfunc (e *Error) GoString() string {\n\treturn fmt.Sprintf(\"*%#v\", *e)\n}\n\n// WrappedErrors returns the list of errors that this Error is wrapping. It is\n// an implementation of the errwrap.Wrapper interface so that multierror.Error\n// can be used with that library.\n//\n// This method is not safe to be called concurrently. Unlike accessing the\n// Errors field directly, this function also checks if the multierror is nil to\n// prevent a null-pointer panic. It satisfies the errwrap.Wrapper interface.\nfunc (e *Error) WrappedErrors() []error {\n\tif e == nil {\n\t\treturn nil\n\t}\n\treturn e.Errors\n}\n\n// Unwrap returns an error from Error (or nil if there are no errors).\n// This error returned will further support Unwrap to get the next error,\n// etc. The order will match the order of Errors in the multierror.Error\n// at the time of calling.\n//\n// The resulting error supports errors.As/Is/Unwrap so you can continue\n// to use the stdlib errors package to introspect further.\n//\n// This will perform a shallow copy of the errors slice. 
Any errors appended\n// to this error after calling Unwrap will not be available until a new\n// Unwrap is called on the multierror.Error.\nfunc (e *Error) Unwrap() error {\n\t// If we have no errors then we do nothing\n\tif e == nil || len(e.Errors) == 0 {\n\t\treturn nil\n\t}\n\n\t// If we have exactly one error, we can just return that directly.\n\tif len(e.Errors) == 1 {\n\t\treturn e.Errors[0]\n\t}\n\n\t// Shallow copy the slice\n\terrs := make([]error, len(e.Errors))\n\tcopy(errs, e.Errors)\n\treturn chain(errs)\n}\n\n// chain implements the interfaces necessary for errors.Is/As/Unwrap to\n// work in a deterministic way with multierror. A chain tracks a list of\n// errors while accounting for the current represented error. This lets\n// Is/As be meaningful.\n//\n// Unwrap returns the next error. In the cleanest form, Unwrap would return\n// the wrapped error here but we can't do that if we want to properly\n// get access to all the errors. Instead, users are recommended to use\n// Is/As to get the correct error type out.\n//\n// Precondition: []error is non-empty (len > 0)\ntype chain []error\n\n// Error implements the error interface\nfunc (e chain) Error() string {\n\treturn e[0].Error()\n}\n\n// Unwrap implements errors.Unwrap by returning the next error in the\n// chain or nil if there are no more errors.\nfunc (e chain) Unwrap() error {\n\tif len(e) == 1 {\n\t\treturn nil\n\t}\n\n\treturn e[1:]\n}\n\n// As implements errors.As by attempting to map to the current value.\nfunc (e chain) As(target interface{}) bool {\n\treturn errors.As(e[0], target)\n}\n\n// Is implements errors.Is by comparing the current value directly.\nfunc (e chain) Is(target error) bool {\n\treturn errors.Is(e[0], target)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/prefix.go",
    "content": "package multierror\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/hashicorp/errwrap\"\n)\n\n// Prefix is a helper function that will prefix some text\n// to the given error. If the error is a multierror.Error, then\n// it will be prefixed to each wrapped error.\n//\n// This is useful to use when appending multiple multierrors\n// together in order to give better scoping.\nfunc Prefix(err error, prefix string) error {\n\tif err == nil {\n\t\treturn nil\n\t}\n\n\tformat := fmt.Sprintf(\"%s {{err}}\", prefix)\n\tswitch err := err.(type) {\n\tcase *Error:\n\t\t// Typed nils can reach here, so initialize if we are nil\n\t\tif err == nil {\n\t\t\terr = new(Error)\n\t\t}\n\n\t\t// Wrap each of the errors\n\t\tfor i, e := range err.Errors {\n\t\t\terr.Errors[i] = errwrap.Wrapf(format, e)\n\t\t}\n\n\t\treturn err\n\tdefault:\n\t\treturn errwrap.Wrapf(format, err)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/sort.go",
    "content": "package multierror\n\n// Len implements sort.Interface function for length\nfunc (err Error) Len() int {\n\treturn len(err.Errors)\n}\n\n// Swap implements sort.Interface function for swapping elements\nfunc (err Error) Swap(i, j int) {\n\terr.Errors[i], err.Errors[j] = err.Errors[j], err.Errors[i]\n}\n\n// Less implements sort.Interface function for determining order\nfunc (err Error) Less(i, j int) bool {\n\treturn err.Errors[i].Error() < err.Errors[j].Error()\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/.gitignore",
    "content": ".idea/\n*.iml\n*.test\n.vscode/"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/.go-version",
    "content": "1.23\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/.golangci.yml",
    "content": "# Copyright (c) HashiCorp, Inc.\n# SPDX-License-Identifier: MPL-2.0\n\nlinters:\n  disable-all: true\n  enable:\n    - errcheck\n    - staticcheck\n    - gosimple\n    - govet\noutput_format: colored-line-number\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/CHANGELOG.md",
    "content": "## 0.7.7 (May 30, 2024)\n\nBUG FIXES:\n\n- client: avoid potentially leaking URL-embedded basic authentication credentials in logs (#158)\n\n## 0.7.6 (May 9, 2024)\n\nENHANCEMENTS:\n\n- client: support a `RetryPrepare` function for modifying the request before retrying (#216)\n- client: support HTTP-date values for `Retry-After` header value (#138)\n- client: avoid reading entire body when the body is a `*bytes.Reader` (#197)\n\nBUG FIXES:\n\n- client: fix a broken check for invalid server certificate in go 1.20+ (#210)\n\n## 0.7.5 (Nov 8, 2023)\n\nBUG FIXES:\n\n- client: fixes an issue where the request body is not preserved on temporary redirects or re-established HTTP/2 connections (#207)\n\n## 0.7.4 (Jun 6, 2023)\n\nBUG FIXES:\n\n- client: fixing an issue where the Content-Type header wouldn't be sent with an empty payload when using HTTP/2 (#194)\n\n## 0.7.3 (May 15, 2023)\n\nInitial release\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/CODEOWNERS",
    "content": "# Each line is a file pattern followed by one or more owners.\n# More on CODEOWNERS files: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners\n\n# Default owner\n* @hashicorp/team-ip-compliance @hashicorp/go-retryablehttp-maintainers\n\n# Add override rules below. Each line is a file/folder pattern followed by one or more owners.\n# Being an owner means those groups or individuals will be added as reviewers to PRs affecting\n# those areas of the code.\n# Examples:\n# /docs/  @docs-team\n# *.js    @js-team\n# *.go    @go-team\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/LICENSE",
    "content": "Copyright (c) 2015 HashiCorp, Inc.\n\nMozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. \"Contributor\"\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n\n     means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the terms of\n        a Secondary License.\n\n1.6. \"Executable Form\"\n\n     means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n\n     means a work that combines Covered Software with other material, in a\n     separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n\n     means this document.\n\n1.9. \"Licensable\"\n\n     means having the right to grant, to the maximum extent possible, whether\n     at the time of the initial grant or subsequently, any and all of the\n     rights conveyed by this License.\n\n1.10. \"Modifications\"\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
\"Patent Claims\" of a Contributor\n\n      means any patent claim(s), including without limitation, method,\n      process, and apparatus claims, in any patent Licensable by such\n      Contributor that would be infringed, but for the grant of the License,\n      by the making, using, selling, offering for sale, having made, import,\n      or transfer of either its Contributions or its Contributor Version.\n\n1.12. \"Secondary License\"\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. \"Source Code Form\"\n\n      means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, \"You\" includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, \"control\" means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or\n        as part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its\n        Contributions or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution\n     become effective for each Contribution on the date the Contributor first\n     distributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under\n     this License. No additional rights or licenses will be implied from the\n     distribution or licensing of Covered Software under this License.\n     Notwithstanding Section 2.1(b) above, no patent license is granted by a\n     Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party's\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of\n        its Contributions.\n\n     This License does not grant any rights in the trademarks, service marks,\n     or logos of any Contributor (except as may be necessary to comply with\n     the notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this\n     License (see Section 10.2) or under the terms of a Secondary License (if\n     permitted under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its\n     Contributions are its original creation(s) or it has sufficient rights to\n     grant the rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under\n     applicable copyright doctrines of fair use, fair dealing, or other\n     equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under\n     the terms of this License. You must inform recipients that the Source\n     Code Form of the Covered Software is governed by the terms of this\n     License, and how they can obtain a copy of this License. You may not\n     attempt to alter or restrict the recipients' rights in the Source Code\n     Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this\n        License, or sublicense it under different terms, provided that the\n        license for the Executable Form does not attempt to limit or alter the\n        recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for\n     the Covered Software. 
If the Larger Work is a combination of Covered\n     Software with a work governed by one or more Secondary Licenses, and the\n     Covered Software is not Incompatible With Secondary Licenses, this\n     License permits You to additionally distribute such Covered Software\n     under the terms of such Secondary License(s), so that the recipient of\n     the Larger Work may, at their option, further distribute the Covered\n     Software under the terms of either this License or such Secondary\n     License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices\n     (including copyright notices, patent notices, disclaimers of warranty, or\n     limitations of liability) contained within the Source Code Form of the\n     Covered Software, except that You may alter any license notices to the\n     extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on\n     behalf of any Contributor. You must make it absolutely clear that any\n     such warranty, support, indemnity, or liability obligation is offered by\n     You alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute,\n   judicial order, or regulation then You must: (a) comply with the terms of\n   this License to the maximum extent possible; and (b) describe the\n   limitations and the code they affect. Such description must be placed in a\n   text file included with all distributions of the Covered Software under\n   this License. Except to the extent prohibited by statute or regulation,\n   such description must be sufficiently detailed for a recipient of ordinary\n   skill to be able to understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing\n     basis, if such Contributor fails to notify You of the non-compliance by\n     some reasonable means prior to 60 days after You have come back into\n     compliance. Moreover, Your grants from a particular Contributor are\n     reinstated on an ongoing basis if such Contributor notifies You of the\n     non-compliance by some reasonable means, this is the first time You have\n     received notice of non-compliance with this License from such\n     Contributor, and You become compliant prior to 30 days after Your receipt\n     of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions,\n     counter-claims, and cross-claims) alleging that a Contributor Version\n     directly or indirectly infringes any patent, then the rights granted to\n     You by any and all Contributors for the Covered Software under Section\n     2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an \"as is\" basis,\n   without warranty of any kind, either expressed, implied, or statutory,\n   including, without limitation, warranties that the Covered Software is free\n   of defects, merchantable, fit for a particular purpose or non-infringing.\n   The entire risk as to the quality and performance of the Covered Software\n   is with You. Should any Covered Software prove defective in any respect,\n   You (not any Contributor) assume the cost of any necessary servicing,\n   repair, or correction. This disclaimer of warranty constitutes an essential\n   part of this License. No use of  any Covered Software is authorized under\n   this License except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from\n   such party's negligence to the extent applicable law prohibits such\n   limitation. Some jurisdictions do not allow the exclusion or limitation of\n   incidental or consequential damages, so this exclusion and limitation may\n   not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts\n   of a jurisdiction where the defendant maintains its principal place of\n   business and such litigation shall be governed by laws of that\n   jurisdiction, without reference to its conflict-of-law provisions. Nothing\n   in this Section shall prevent a party's ability to bring cross-claims or\n   counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject\n   matter hereof. If any provision of this License is held to be\n   unenforceable, such provision shall be reformed only to the extent\n   necessary to make it enforceable. Any law or regulation which provides that\n   the language of a contract shall be construed against the drafter shall not\n   be used to construe this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version\n      of the License under which You originally received the Covered Software,\n      or under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a\n      modified version of this License if you rename the license and remove\n      any references to the name of the license steward (except to note that\n      such modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary\n      Licenses If You choose to distribute Source Code Form that is\n      Incompatible With Secondary Licenses under the terms of this version of\n      the License, the notice described in Exhibit B of this License must be\n      attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file,\nthen You may include the notice in a location (such as a LICENSE file in a\nrelevant directory) where a recipient would be likely to look for such a\nnotice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n\n      This Source Code Form is \"Incompatible\n      With Secondary Licenses\", as defined by\n      the Mozilla Public License, v. 
2.0.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/Makefile",
    "content": "default: test\n\ntest:\n\tgo vet ./...\n\tgo test -v -race ./... -coverprofile=coverage.out\n\nupdatedeps:\n\tgo get -f -t -u ./...\n\tgo get -f -u ./...\n\n.PHONY: default test updatedeps\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/README.md",
    "content": "go-retryablehttp\n================\n\n[![Build Status](http://img.shields.io/travis/hashicorp/go-retryablehttp.svg?style=flat-square)][travis]\n[![Go Documentation](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)][godocs]\n\n[travis]: http://travis-ci.org/hashicorp/go-retryablehttp\n[godocs]: http://godoc.org/github.com/hashicorp/go-retryablehttp\n\nThe `retryablehttp` package provides a familiar HTTP client interface with\nautomatic retries and exponential backoff. It is a thin wrapper over the\nstandard `net/http` client library and exposes nearly the same public API. This\nmakes `retryablehttp` very easy to drop into existing programs.\n\n`retryablehttp` performs automatic retries under certain conditions. Mainly, if\nan error is returned by the client (connection errors, etc.), or if a 500-range\nresponse code is received (except 501), then a retry is invoked after a wait\nperiod.  Otherwise, the response is returned and left to the caller to\ninterpret.\n\nThe main difference from `net/http` is that requests which take a request body\n(POST/PUT et al.) can have the body provided in a number of ways (some more or\nless efficient) that allow \"rewinding\" the request body if the initial request\nfails so that the full request can be attempted again. See the\n[godoc](http://godoc.org/github.com/hashicorp/go-retryablehttp) for more\ndetails.\n\nVersion 0.6.0 and before are compatible with Go prior to 1.12. From 0.6.1 onward, Go 1.12+ is required.\nFrom 0.6.7 onward, Go 1.13+ is required.\n\nExample Use\n===========\n\nUsing this library should look almost identical to what you would do with\n`net/http`. The simplest example of a GET request is shown below:\n\n```go\nresp, err := retryablehttp.Get(\"/foo\")\nif err != nil {\n    panic(err)\n}\n```\n\nThe returned response object is an `*http.Response`, the same thing you would\nusually get from `net/http`. 
Had the request failed one or more times, the above\ncall would block and retry with exponential backoff.\n\n## Getting a stdlib `*http.Client` with retries\n\nIt's possible to convert a `*retryablehttp.Client` directly to a `*http.Client`.\nThis makes use of retryablehttp broadly applicable with minimal effort. Simply\nconfigure a `*retryablehttp.Client` as you wish, and then call `StandardClient()`:\n\n```go\nretryClient := retryablehttp.NewClient()\nretryClient.RetryMax = 10\n\nstandardClient := retryClient.StandardClient() // *http.Client\n```\n\nFor more usage and examples see the\n[pkg.go.dev](https://pkg.go.dev/github.com/hashicorp/go-retryablehttp).\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/cert_error_go119.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\n//go:build !go1.20\n// +build !go1.20\n\npackage retryablehttp\n\nimport \"crypto/x509\"\n\nfunc isCertError(err error) bool {\n\t_, ok := err.(x509.UnknownAuthorityError)\n\treturn ok\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/cert_error_go120.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\n//go:build go1.20\n// +build go1.20\n\npackage retryablehttp\n\nimport \"crypto/tls\"\n\nfunc isCertError(err error) bool {\n\t_, ok := err.(*tls.CertificateVerificationError)\n\treturn ok\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/client.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\n// Package retryablehttp provides a familiar HTTP client interface with\n// automatic retries and exponential backoff. It is a thin wrapper over the\n// standard net/http client library and exposes nearly the same public API.\n// This makes retryablehttp very easy to drop into existing programs.\n//\n// retryablehttp performs automatic retries under certain conditions. Mainly, if\n// an error is returned by the client (connection errors etc), or if a 500-range\n// response is received, then a retry is invoked. Otherwise, the response is\n// returned and left to the caller to interpret.\n//\n// Requests which take a request body should provide a non-nil function\n// parameter. The best choice is to provide either a function satisfying\n// ReaderFunc which provides multiple io.Readers in an efficient manner, a\n// *bytes.Buffer (the underlying raw byte slice will be used) or a raw byte\n// slice. As it is a reference type, and we will wrap it as needed by readers,\n// we can efficiently re-use the request body without needing to copy it. 
If an\n// io.Reader (such as a *bytes.Reader) is provided, the full body will be read\n// prior to the first request, and will be efficiently re-used for any retries.\n// ReadSeeker can be used, but some users have observed occasional data races\n// between the net/http library and the Seek functionality of some\n// implementations of ReadSeeker, so should be avoided if possible.\npackage retryablehttp\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"math\"\n\t\"math/rand\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\tcleanhttp \"github.com/hashicorp/go-cleanhttp\"\n)\n\nvar (\n\t// Default retry configuration\n\tdefaultRetryWaitMin = 1 * time.Second\n\tdefaultRetryWaitMax = 30 * time.Second\n\tdefaultRetryMax     = 4\n\n\t// defaultLogger is the logger provided with defaultClient\n\tdefaultLogger = log.New(os.Stderr, \"\", log.LstdFlags)\n\n\t// defaultClient is used for performing requests without explicitly making\n\t// a new client. It is purposely private to avoid modifications.\n\tdefaultClient = NewClient()\n\n\t// We need to consume response bodies to maintain http connections, but\n\t// limit the size we consume to respReadLimit.\n\trespReadLimit = int64(4096)\n\n\t// timeNow sets the function that returns the current time.\n\t// This defaults to time.Now. Changes to this should only be done in tests.\n\ttimeNow = time.Now\n\n\t// A regular expression to match the error returned by net/http when the\n\t// configured number of redirects is exhausted. This error isn't typed\n\t// specifically so we resort to matching on the error string.\n\tredirectsErrorRe = regexp.MustCompile(`stopped after \\d+ redirects\\z`)\n\n\t// A regular expression to match the error returned by net/http when the\n\t// scheme specified in the URL is invalid. 
This error isn't typed\n\t// specifically so we resort to matching on the error string.\n\tschemeErrorRe = regexp.MustCompile(`unsupported protocol scheme`)\n\n\t// A regular expression to match the error returned by net/http when a\n\t// request header or value is invalid. This error isn't typed\n\t// specifically so we resort to matching on the error string.\n\tinvalidHeaderErrorRe = regexp.MustCompile(`invalid header`)\n\n\t// A regular expression to match the error returned by net/http when the\n\t// TLS certificate is not trusted. This error isn't typed\n\t// specifically so we resort to matching on the error string.\n\tnotTrustedErrorRe = regexp.MustCompile(`certificate is not trusted`)\n)\n\n// ReaderFunc is the type of function that can be given natively to NewRequest\ntype ReaderFunc func() (io.Reader, error)\n\n// ResponseHandlerFunc is a type of function that takes in a Response, and does something with it.\n// The ResponseHandlerFunc is called when the HTTP client successfully receives a response and the\n// CheckRetry function indicates that a retry of the base request is not necessary.\n// If an error is returned from this function, the CheckRetry policy will be used to determine\n// whether to retry the whole request (including this handler).\n//\n// Make sure to check status codes! Even if the request was completed it may have a non-2xx status code.\n//\n// The response body is not automatically closed. It must be closed either by the ResponseHandlerFunc or\n// by the caller out-of-band. Failure to do so will result in a memory leak.\ntype ResponseHandlerFunc func(*http.Response) error\n\n// LenReader is an interface implemented by many in-memory io.Reader's. Used\n// for automatically sending the right Content-Length header when possible.\ntype LenReader interface {\n\tLen() int\n}\n\n// Request wraps the metadata needed to create HTTP requests.\ntype Request struct {\n\t// body is a seekable reader over the request body payload. 
This is\n\t// used to rewind the request data in between retries.\n\tbody ReaderFunc\n\n\tresponseHandler ResponseHandlerFunc\n\n\t// Embed an HTTP request directly. This makes a *Request act exactly\n\t// like an *http.Request so that all meta methods are supported.\n\t*http.Request\n}\n\n// WithContext returns wrapped Request with a shallow copy of underlying *http.Request\n// with its context changed to ctx. The provided ctx must be non-nil.\nfunc (r *Request) WithContext(ctx context.Context) *Request {\n\treturn &Request{\n\t\tbody:            r.body,\n\t\tresponseHandler: r.responseHandler,\n\t\tRequest:         r.Request.WithContext(ctx),\n\t}\n}\n\n// SetResponseHandler allows setting the response handler.\nfunc (r *Request) SetResponseHandler(fn ResponseHandlerFunc) {\n\tr.responseHandler = fn\n}\n\n// BodyBytes allows accessing the request body. It is an analogue to\n// http.Request's Body variable, but it returns a copy of the underlying data\n// rather than consuming it.\n//\n// This function is not thread-safe; do not call it at the same time as another\n// call, or at the same time this request is being used with Client.Do.\nfunc (r *Request) BodyBytes() ([]byte, error) {\n\tif r.body == nil {\n\t\treturn nil, nil\n\t}\n\tbody, err := r.body()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tbuf := new(bytes.Buffer)\n\t_, err = buf.ReadFrom(body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn buf.Bytes(), nil\n}\n\n// SetBody allows setting the request body.\n//\n// It is useful if a new body needs to be set without constructing a new Request.\nfunc (r *Request) SetBody(rawBody interface{}) error {\n\tbodyReader, contentLength, err := getBodyReaderAndContentLength(rawBody)\n\tif err != nil {\n\t\treturn err\n\t}\n\tr.body = bodyReader\n\tr.ContentLength = contentLength\n\tif bodyReader != nil {\n\t\tr.GetBody = func() (io.ReadCloser, error) {\n\t\t\tbody, err := bodyReader()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tif rc, 
ok := body.(io.ReadCloser); ok {\n\t\t\t\treturn rc, nil\n\t\t\t}\n\t\t\treturn io.NopCloser(body), nil\n\t\t}\n\t} else {\n\t\tr.GetBody = func() (io.ReadCloser, error) { return http.NoBody, nil }\n\t}\n\treturn nil\n}\n\n// WriteTo allows copying the request body into a writer.\n//\n// It writes data to w until there's no more data to write or\n// when an error occurs. The return int64 value is the number of bytes\n// written. Any error encountered during the write is also returned.\n// The signature matches io.WriterTo interface.\nfunc (r *Request) WriteTo(w io.Writer) (int64, error) {\n\tbody, err := r.body()\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\tif c, ok := body.(io.Closer); ok {\n\t\tdefer c.Close()\n\t}\n\treturn io.Copy(w, body)\n}\n\nfunc getBodyReaderAndContentLength(rawBody interface{}) (ReaderFunc, int64, error) {\n\tvar bodyReader ReaderFunc\n\tvar contentLength int64\n\n\tswitch body := rawBody.(type) {\n\t// If they gave us a function already, great! Use it.\n\tcase ReaderFunc:\n\t\tbodyReader = body\n\t\ttmp, err := body()\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tif lr, ok := tmp.(LenReader); ok {\n\t\t\tcontentLength = int64(lr.Len())\n\t\t}\n\t\tif c, ok := tmp.(io.Closer); ok {\n\t\t\tc.Close()\n\t\t}\n\n\tcase func() (io.Reader, error):\n\t\tbodyReader = body\n\t\ttmp, err := body()\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tif lr, ok := tmp.(LenReader); ok {\n\t\t\tcontentLength = int64(lr.Len())\n\t\t}\n\t\tif c, ok := tmp.(io.Closer); ok {\n\t\t\tc.Close()\n\t\t}\n\n\t// If a regular byte slice, we can read it over and over via new\n\t// readers\n\tcase []byte:\n\t\tbuf := body\n\t\tbodyReader = func() (io.Reader, error) {\n\t\t\treturn bytes.NewReader(buf), nil\n\t\t}\n\t\tcontentLength = int64(len(buf))\n\n\t// If a bytes.Buffer we can read the underlying byte slice over and\n\t// over\n\tcase *bytes.Buffer:\n\t\tbuf := body\n\t\tbodyReader = func() (io.Reader, error) {\n\t\t\treturn 
bytes.NewReader(buf.Bytes()), nil\n\t\t}\n\t\tcontentLength = int64(buf.Len())\n\n\t// We prioritize *bytes.Reader here because we don't really want to\n\t// deal with it seeking so want it to match here instead of the\n\t// io.ReadSeeker case.\n\tcase *bytes.Reader:\n\t\tsnapshot := *body\n\t\tbodyReader = func() (io.Reader, error) {\n\t\t\tr := snapshot\n\t\t\treturn &r, nil\n\t\t}\n\t\tcontentLength = int64(body.Len())\n\n\t// Compat case\n\tcase io.ReadSeeker:\n\t\traw := body\n\t\tbodyReader = func() (io.Reader, error) {\n\t\t\t_, err := raw.Seek(0, 0)\n\t\t\treturn io.NopCloser(raw), err\n\t\t}\n\t\tif lr, ok := raw.(LenReader); ok {\n\t\t\tcontentLength = int64(lr.Len())\n\t\t}\n\n\t// Read all in so we can reset\n\tcase io.Reader:\n\t\tbuf, err := io.ReadAll(body)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tif len(buf) == 0 {\n\t\t\tbodyReader = func() (io.Reader, error) {\n\t\t\t\treturn http.NoBody, nil\n\t\t\t}\n\t\t\tcontentLength = 0\n\t\t} else {\n\t\t\tbodyReader = func() (io.Reader, error) {\n\t\t\t\treturn bytes.NewReader(buf), nil\n\t\t\t}\n\t\t\tcontentLength = int64(len(buf))\n\t\t}\n\n\t// No body provided, nothing to do\n\tcase nil:\n\n\t// Unrecognized type\n\tdefault:\n\t\treturn nil, 0, fmt.Errorf(\"cannot handle type %T\", rawBody)\n\t}\n\treturn bodyReader, contentLength, nil\n}\n\n// FromRequest wraps an http.Request in a retryablehttp.Request\nfunc FromRequest(r *http.Request) (*Request, error) {\n\tbodyReader, _, err := getBodyReaderAndContentLength(r.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// Could assert contentLength == r.ContentLength\n\treturn &Request{body: bodyReader, Request: r}, nil\n}\n\n// NewRequest creates a new wrapped request.\nfunc NewRequest(method, url string, rawBody interface{}) (*Request, error) {\n\treturn NewRequestWithContext(context.Background(), method, url, rawBody)\n}\n\n// NewRequestWithContext creates a new wrapped request with the provided context.\n//\n// The context controls 
the entire lifetime of a request and its response:\n// obtaining a connection, sending the request, and reading the response headers and body.\nfunc NewRequestWithContext(ctx context.Context, method, url string, rawBody interface{}) (*Request, error) {\n\thttpReq, err := http.NewRequestWithContext(ctx, method, url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treq := &Request{\n\t\tRequest: httpReq,\n\t}\n\tif err := req.SetBody(rawBody); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn req, nil\n}\n\n// Logger interface allows to use other loggers than\n// standard log.Logger.\ntype Logger interface {\n\tPrintf(string, ...interface{})\n}\n\n// LeveledLogger is an interface that can be implemented by any logger or a\n// logger wrapper to provide leveled logging. The methods accept a message\n// string and a variadic number of key-value pairs. For log.Printf style\n// formatting where message string contains a format specifier, use Logger\n// interface.\ntype LeveledLogger interface {\n\tError(msg string, keysAndValues ...interface{})\n\tInfo(msg string, keysAndValues ...interface{})\n\tDebug(msg string, keysAndValues ...interface{})\n\tWarn(msg string, keysAndValues ...interface{})\n}\n\n// hookLogger adapts an LeveledLogger to Logger for use by the existing hook functions\n// without changing the API.\ntype hookLogger struct {\n\tLeveledLogger\n}\n\nfunc (h hookLogger) Printf(s string, args ...interface{}) {\n\th.Info(fmt.Sprintf(s, args...))\n}\n\n// RequestLogHook allows a function to run before each retry. The HTTP\n// request which will be made, and the retry number (0 for the initial\n// request) are available to users. The internal logger is exposed to\n// consumers.\ntype RequestLogHook func(Logger, *http.Request, int)\n\n// ResponseLogHook is like RequestLogHook, but allows running a function\n// on each HTTP response. 
This function will be invoked at the end of\n// every HTTP request executed, regardless of whether a subsequent retry\n// needs to be performed or not. If the response body is read or closed\n// from this method, this will affect the response returned from Do().\ntype ResponseLogHook func(Logger, *http.Response)\n\n// CheckRetry specifies a policy for handling retries. It is called\n// following each request with the response and error values returned by\n// the http.Client. If CheckRetry returns false, the Client stops retrying\n// and returns the response to the caller. If CheckRetry returns an error,\n// that error value is returned in lieu of the error from the request. The\n// Client will close any response body when retrying, but if the retry is\n// aborted it is up to the CheckRetry callback to properly close any\n// response body before returning.\ntype CheckRetry func(ctx context.Context, resp *http.Response, err error) (bool, error)\n\n// Backoff specifies a policy for how long to wait between retries.\n// It is called after a failing request to determine the amount of time\n// that should pass before trying again.\ntype Backoff func(min, max time.Duration, attemptNum int, resp *http.Response) time.Duration\n\n// ErrorHandler is called if retries are expired, containing the last status\n// from the http library. If not specified, default behavior for the library is\n// to close the body and return an error indicating how many tries were\n// attempted. If overriding this, be sure to close the body if needed.\ntype ErrorHandler func(resp *http.Response, err error, numTries int) (*http.Response, error)\n\n// PrepareRetry is called before retry operation. It can be used for example to re-sign the request\ntype PrepareRetry func(req *http.Request) error\n\n// Client is used to make HTTP requests. 
It adds additional functionality\n// like automatic retries to tolerate minor outages.\ntype Client struct {\n\tHTTPClient *http.Client // Internal HTTP client.\n\tLogger     interface{}  // Customer logger instance. Can be either Logger or LeveledLogger\n\n\tRetryWaitMin time.Duration // Minimum time to wait\n\tRetryWaitMax time.Duration // Maximum time to wait\n\tRetryMax     int           // Maximum number of retries\n\n\t// RequestLogHook allows a user-supplied function to be called\n\t// before each retry.\n\tRequestLogHook RequestLogHook\n\n\t// ResponseLogHook allows a user-supplied function to be called\n\t// with the response from each HTTP request executed.\n\tResponseLogHook ResponseLogHook\n\n\t// CheckRetry specifies the policy for handling retries, and is called\n\t// after each request. The default policy is DefaultRetryPolicy.\n\tCheckRetry CheckRetry\n\n\t// Backoff specifies the policy for how long to wait between retries\n\tBackoff Backoff\n\n\t// ErrorHandler specifies the custom error handler to use, if any\n\tErrorHandler ErrorHandler\n\n\t// PrepareRetry can prepare the request for retry operation, for example re-sign it\n\tPrepareRetry PrepareRetry\n\n\tloggerInit sync.Once\n\tclientInit sync.Once\n}\n\n// NewClient creates a new Client with default settings.\nfunc NewClient() *Client {\n\treturn &Client{\n\t\tHTTPClient:   cleanhttp.DefaultPooledClient(),\n\t\tLogger:       defaultLogger,\n\t\tRetryWaitMin: defaultRetryWaitMin,\n\t\tRetryWaitMax: defaultRetryWaitMax,\n\t\tRetryMax:     defaultRetryMax,\n\t\tCheckRetry:   DefaultRetryPolicy,\n\t\tBackoff:      DefaultBackoff,\n\t}\n}\n\nfunc (c *Client) logger() interface{} {\n\tc.loggerInit.Do(func() {\n\t\tif c.Logger == nil {\n\t\t\treturn\n\t\t}\n\n\t\tswitch c.Logger.(type) {\n\t\tcase Logger, LeveledLogger:\n\t\t\t// ok\n\t\tdefault:\n\t\t\t// This should happen in dev when they are setting Logger and work on code, not in prod.\n\t\t\tpanic(fmt.Sprintf(\"invalid logger type passed, 
must be Logger or LeveledLogger, was %T\", c.Logger))\n\t\t}\n\t})\n\n\treturn c.Logger\n}\n\n// DefaultRetryPolicy provides a default callback for Client.CheckRetry, which\n// will retry on connection errors and server errors.\nfunc DefaultRetryPolicy(ctx context.Context, resp *http.Response, err error) (bool, error) {\n\t// do not retry on context.Canceled or context.DeadlineExceeded\n\tif ctx.Err() != nil {\n\t\treturn false, ctx.Err()\n\t}\n\n\t// don't propagate other errors\n\tshouldRetry, _ := baseRetryPolicy(resp, err)\n\treturn shouldRetry, nil\n}\n\n// ErrorPropagatedRetryPolicy is the same as DefaultRetryPolicy, except it\n// propagates errors back instead of returning nil. This allows you to inspect\n// why it decided to retry or not.\nfunc ErrorPropagatedRetryPolicy(ctx context.Context, resp *http.Response, err error) (bool, error) {\n\t// do not retry on context.Canceled or context.DeadlineExceeded\n\tif ctx.Err() != nil {\n\t\treturn false, ctx.Err()\n\t}\n\n\treturn baseRetryPolicy(resp, err)\n}\n\nfunc baseRetryPolicy(resp *http.Response, err error) (bool, error) {\n\tif err != nil {\n\t\tif v, ok := err.(*url.Error); ok {\n\t\t\t// Don't retry if the error was due to too many redirects.\n\t\t\tif redirectsErrorRe.MatchString(v.Error()) {\n\t\t\t\treturn false, v\n\t\t\t}\n\n\t\t\t// Don't retry if the error was due to an invalid protocol scheme.\n\t\t\tif schemeErrorRe.MatchString(v.Error()) {\n\t\t\t\treturn false, v\n\t\t\t}\n\n\t\t\t// Don't retry if the error was due to an invalid header.\n\t\t\tif invalidHeaderErrorRe.MatchString(v.Error()) {\n\t\t\t\treturn false, v\n\t\t\t}\n\n\t\t\t// Don't retry if the error was due to TLS cert verification failure.\n\t\t\tif notTrustedErrorRe.MatchString(v.Error()) {\n\t\t\t\treturn false, v\n\t\t\t}\n\t\t\tif isCertError(v.Err) {\n\t\t\t\treturn false, v\n\t\t\t}\n\t\t}\n\n\t\t// The error is likely recoverable so retry.\n\t\treturn true, nil\n\t}\n\n\t// 429 Too Many Requests is recoverable. 
Sometimes the server puts\n\t// a Retry-After response header to indicate when the server is\n\t// available to start processing request from client.\n\tif resp.StatusCode == http.StatusTooManyRequests {\n\t\treturn true, nil\n\t}\n\n\t// Check the response code. We retry on 500-range responses to allow\n\t// the server time to recover, as 500's are typically not permanent\n\t// errors and may relate to outages on the server side. This will catch\n\t// invalid response codes as well, like 0 and 999.\n\tif resp.StatusCode == 0 || (resp.StatusCode >= 500 && resp.StatusCode != http.StatusNotImplemented) {\n\t\treturn true, fmt.Errorf(\"unexpected HTTP status %s\", resp.Status)\n\t}\n\n\treturn false, nil\n}\n\n// DefaultBackoff provides a default callback for Client.Backoff which\n// will perform exponential backoff based on the attempt number and limited\n// by the provided minimum and maximum durations.\n//\n// It also tries to parse Retry-After response header when a http.StatusTooManyRequests\n// (HTTP Code 429) is found in the resp parameter. 
Hence it will return the number of\n// seconds the server states it may be ready to process more requests from this client.\nfunc DefaultBackoff(min, max time.Duration, attemptNum int, resp *http.Response) time.Duration {\n\tif resp != nil {\n\t\tif resp.StatusCode == http.StatusTooManyRequests || resp.StatusCode == http.StatusServiceUnavailable {\n\t\t\tif sleep, ok := parseRetryAfterHeader(resp.Header[\"Retry-After\"]); ok {\n\t\t\t\treturn sleep\n\t\t\t}\n\t\t}\n\t}\n\n\tmult := math.Pow(2, float64(attemptNum)) * float64(min)\n\tsleep := time.Duration(mult)\n\tif float64(sleep) != mult || sleep > max {\n\t\tsleep = max\n\t}\n\treturn sleep\n}\n\n// parseRetryAfterHeader parses the Retry-After header and returns the\n// delay duration according to the spec: https://httpwg.org/specs/rfc7231.html#header.retry-after\n// The bool returned will be true if the header was successfully parsed.\n// Otherwise, the header was either not present, or was not parseable according to the spec.\n//\n// Retry-After headers come in two flavors: Seconds or HTTP-Date\n//\n// Examples:\n// * Retry-After: Fri, 31 Dec 1999 23:59:59 GMT\n// * Retry-After: 120\nfunc parseRetryAfterHeader(headers []string) (time.Duration, bool) {\n\tif len(headers) == 0 || headers[0] == \"\" {\n\t\treturn 0, false\n\t}\n\theader := headers[0]\n\t// Retry-After: 120\n\tif sleep, err := strconv.ParseInt(header, 10, 64); err == nil {\n\t\tif sleep < 0 { // a negative sleep doesn't make sense\n\t\t\treturn 0, false\n\t\t}\n\t\treturn time.Second * time.Duration(sleep), true\n\t}\n\n\t// Retry-After: Fri, 31 Dec 1999 23:59:59 GMT\n\tretryTime, err := time.Parse(time.RFC1123, header)\n\tif err != nil {\n\t\treturn 0, false\n\t}\n\tif until := retryTime.Sub(timeNow()); until > 0 {\n\t\treturn until, true\n\t}\n\t// date is in the past\n\treturn 0, true\n}\n\n// LinearJitterBackoff provides a callback for Client.Backoff which will\n// perform linear backoff based on the attempt number and with jitter to\n// 
prevent a thundering herd.\n//\n// min and max here are *not* absolute values. The number to be multiplied by\n// the attempt number will be chosen at random from between them, thus they are\n// bounding the jitter.\n//\n// For instance:\n// * To get strictly linear backoff of one second increasing each retry, set\n// both to one second (1s, 2s, 3s, 4s, ...)\n// * To get a small amount of jitter centered around one second increasing each\n// retry, set to around one second, such as a min of 800ms and max of 1200ms\n// (892ms, 2102ms, 2945ms, 4312ms, ...)\n// * To get extreme jitter, set to a very wide spread, such as a min of 100ms\n// and a max of 20s (15382ms, 292ms, 51321ms, 35234ms, ...)\nfunc LinearJitterBackoff(min, max time.Duration, attemptNum int, resp *http.Response) time.Duration {\n\t// attemptNum always starts at zero but we want to start at 1 for multiplication\n\tattemptNum++\n\n\tif max <= min {\n\t\t// Unclear what to do here, or they are the same, so return min *\n\t\t// attemptNum\n\t\treturn min * time.Duration(attemptNum)\n\t}\n\n\t// Seed rand; doing this every time is fine\n\tsource := rand.New(rand.NewSource(int64(time.Now().Nanosecond())))\n\n\t// Pick a random number that lies somewhere between the min and max and\n\t// multiply by the attemptNum. attemptNum starts at zero so we always\n\t// increment here. We first get a random percentage, then apply that to the\n\t// difference between min and max, and add to min.\n\tjitter := source.Float64() * float64(max-min)\n\tjitterMin := int64(jitter) + int64(min)\n\treturn time.Duration(jitterMin * int64(attemptNum))\n}\n\n// RateLimitLinearJitterBackoff wraps the retryablehttp.LinearJitterBackoff.\n// It first checks if the response status code is http.StatusTooManyRequests\n// (HTTP Code 429) or http.StatusServiceUnavailable (HTTP Code 503). If it is\n// and the response contains a Retry-After response header, it will wait the\n// amount of time specified by the header. 
Otherwise, this calls\n// LinearJitterBackoff.\nfunc RateLimitLinearJitterBackoff(min, max time.Duration, attemptNum int, resp *http.Response) time.Duration {\n\tif resp != nil {\n\t\tif resp.StatusCode == http.StatusTooManyRequests || resp.StatusCode == http.StatusServiceUnavailable {\n\t\t\tif sleep, ok := parseRetryAfterHeader(resp.Header[\"Retry-After\"]); ok {\n\t\t\t\treturn sleep\n\t\t\t}\n\t\t}\n\t}\n\treturn LinearJitterBackoff(min, max, attemptNum, resp)\n}\n\n// PassthroughErrorHandler is an ErrorHandler that directly passes through the\n// values from the net/http library for the final request. The body is not\n// closed.\nfunc PassthroughErrorHandler(resp *http.Response, err error, _ int) (*http.Response, error) {\n\treturn resp, err\n}\n\n// Do wraps calling an HTTP method with retries.\nfunc (c *Client) Do(req *Request) (*http.Response, error) {\n\tc.clientInit.Do(func() {\n\t\tif c.HTTPClient == nil {\n\t\t\tc.HTTPClient = cleanhttp.DefaultPooledClient()\n\t\t}\n\t})\n\n\tlogger := c.logger()\n\n\tif logger != nil {\n\t\tswitch v := logger.(type) {\n\t\tcase LeveledLogger:\n\t\t\tv.Debug(\"performing request\", \"method\", req.Method, \"url\", redactURL(req.URL))\n\t\tcase Logger:\n\t\t\tv.Printf(\"[DEBUG] %s %s\", req.Method, redactURL(req.URL))\n\t\t}\n\t}\n\n\tvar resp *http.Response\n\tvar attempt int\n\tvar shouldRetry bool\n\tvar doErr, respErr, checkErr, prepareErr error\n\n\tfor i := 0; ; i++ {\n\t\tdoErr, respErr, prepareErr = nil, nil, nil\n\t\tattempt++\n\n\t\t// Always rewind the request body when non-nil.\n\t\tif req.body != nil {\n\t\t\tbody, err := req.body()\n\t\t\tif err != nil {\n\t\t\t\tc.HTTPClient.CloseIdleConnections()\n\t\t\t\treturn resp, err\n\t\t\t}\n\t\t\tif c, ok := body.(io.ReadCloser); ok {\n\t\t\t\treq.Body = c\n\t\t\t} else {\n\t\t\t\treq.Body = io.NopCloser(body)\n\t\t\t}\n\t\t}\n\n\t\tif c.RequestLogHook != nil {\n\t\t\tswitch v := logger.(type) {\n\t\t\tcase LeveledLogger:\n\t\t\t\tc.RequestLogHook(hookLogger{v}, 
req.Request, i)\n\t\t\tcase Logger:\n\t\t\t\tc.RequestLogHook(v, req.Request, i)\n\t\t\tdefault:\n\t\t\t\tc.RequestLogHook(nil, req.Request, i)\n\t\t\t}\n\t\t}\n\n\t\t// Attempt the request\n\t\tresp, doErr = c.HTTPClient.Do(req.Request)\n\n\t\t// Check if we should continue with retries.\n\t\tshouldRetry, checkErr = c.CheckRetry(req.Context(), resp, doErr)\n\t\tif !shouldRetry && doErr == nil && req.responseHandler != nil {\n\t\t\trespErr = req.responseHandler(resp)\n\t\t\tshouldRetry, checkErr = c.CheckRetry(req.Context(), resp, respErr)\n\t\t}\n\n\t\terr := doErr\n\t\tif respErr != nil {\n\t\t\terr = respErr\n\t\t}\n\t\tif err != nil {\n\t\t\tswitch v := logger.(type) {\n\t\t\tcase LeveledLogger:\n\t\t\t\tv.Error(\"request failed\", \"error\", err, \"method\", req.Method, \"url\", redactURL(req.URL))\n\t\t\tcase Logger:\n\t\t\t\tv.Printf(\"[ERR] %s %s request failed: %v\", req.Method, redactURL(req.URL), err)\n\t\t\t}\n\t\t} else {\n\t\t\t// Call this here to maintain the behavior of logging all requests,\n\t\t\t// even if CheckRetry signals to stop.\n\t\t\tif c.ResponseLogHook != nil {\n\t\t\t\t// Call the response logger function if provided.\n\t\t\t\tswitch v := logger.(type) {\n\t\t\t\tcase LeveledLogger:\n\t\t\t\t\tc.ResponseLogHook(hookLogger{v}, resp)\n\t\t\t\tcase Logger:\n\t\t\t\t\tc.ResponseLogHook(v, resp)\n\t\t\t\tdefault:\n\t\t\t\t\tc.ResponseLogHook(nil, resp)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif !shouldRetry {\n\t\t\tbreak\n\t\t}\n\n\t\t// We do this before drainBody because there's no need for the I/O if\n\t\t// we're breaking out\n\t\tremain := c.RetryMax - i\n\t\tif remain <= 0 {\n\t\t\tbreak\n\t\t}\n\n\t\t// We're going to retry, consume any response to reuse the connection.\n\t\tif doErr == nil {\n\t\t\tc.drainBody(resp.Body)\n\t\t}\n\n\t\twait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)\n\t\tif logger != nil {\n\t\t\tdesc := fmt.Sprintf(\"%s %s\", req.Method, redactURL(req.URL))\n\t\t\tif resp != nil {\n\t\t\t\tdesc = 
fmt.Sprintf(\"%s (status: %d)\", desc, resp.StatusCode)\n\t\t\t}\n\t\t\tswitch v := logger.(type) {\n\t\t\tcase LeveledLogger:\n\t\t\t\tv.Debug(\"retrying request\", \"request\", desc, \"timeout\", wait, \"remaining\", remain)\n\t\t\tcase Logger:\n\t\t\t\tv.Printf(\"[DEBUG] %s: retrying in %s (%d left)\", desc, wait, remain)\n\t\t\t}\n\t\t}\n\t\ttimer := time.NewTimer(wait)\n\t\tselect {\n\t\tcase <-req.Context().Done():\n\t\t\ttimer.Stop()\n\t\t\tc.HTTPClient.CloseIdleConnections()\n\t\t\treturn nil, req.Context().Err()\n\t\tcase <-timer.C:\n\t\t}\n\n\t\t// Make shallow copy of http Request so that we can modify its body\n\t\t// without racing against the closeBody call in persistConn.writeLoop.\n\t\thttpreq := *req.Request\n\t\treq.Request = &httpreq\n\n\t\tif c.PrepareRetry != nil {\n\t\t\tif err := c.PrepareRetry(req.Request); err != nil {\n\t\t\t\tprepareErr = err\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\t// this is the closest we have to success criteria\n\tif doErr == nil && respErr == nil && checkErr == nil && prepareErr == nil && !shouldRetry {\n\t\treturn resp, nil\n\t}\n\n\tdefer c.HTTPClient.CloseIdleConnections()\n\n\tvar err error\n\tif prepareErr != nil {\n\t\terr = prepareErr\n\t} else if checkErr != nil {\n\t\terr = checkErr\n\t} else if respErr != nil {\n\t\terr = respErr\n\t} else {\n\t\terr = doErr\n\t}\n\n\tif c.ErrorHandler != nil {\n\t\treturn c.ErrorHandler(resp, err, attempt)\n\t}\n\n\t// By default, we close the response body and return an error without\n\t// returning the response\n\tif resp != nil {\n\t\tc.drainBody(resp.Body)\n\t}\n\n\t// this means CheckRetry thought the request was a failure, but didn't\n\t// communicate why\n\tif err == nil {\n\t\treturn nil, fmt.Errorf(\"%s %s giving up after %d attempt(s)\",\n\t\t\treq.Method, redactURL(req.URL), attempt)\n\t}\n\n\treturn nil, fmt.Errorf(\"%s %s giving up after %d attempt(s): %w\",\n\t\treq.Method, redactURL(req.URL), attempt, err)\n}\n\n// Try to read the response body so we can 
reuse this connection.\nfunc (c *Client) drainBody(body io.ReadCloser) {\n\tdefer body.Close()\n\t_, err := io.Copy(io.Discard, io.LimitReader(body, respReadLimit))\n\tif err != nil {\n\t\tif c.logger() != nil {\n\t\t\tswitch v := c.logger().(type) {\n\t\t\tcase LeveledLogger:\n\t\t\t\tv.Error(\"error reading response body\", \"error\", err)\n\t\t\tcase Logger:\n\t\t\t\tv.Printf(\"[ERR] error reading response body: %v\", err)\n\t\t\t}\n\t\t}\n\t}\n}\n\n// Get is a shortcut for doing a GET request without making a new client.\nfunc Get(url string) (*http.Response, error) {\n\treturn defaultClient.Get(url)\n}\n\n// Get is a convenience helper for doing simple GET requests.\nfunc (c *Client) Get(url string) (*http.Response, error) {\n\treq, err := NewRequest(\"GET\", url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn c.Do(req)\n}\n\n// Head is a shortcut for doing a HEAD request without making a new client.\nfunc Head(url string) (*http.Response, error) {\n\treturn defaultClient.Head(url)\n}\n\n// Head is a convenience method for doing simple HEAD requests.\nfunc (c *Client) Head(url string) (*http.Response, error) {\n\treq, err := NewRequest(\"HEAD\", url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn c.Do(req)\n}\n\n// Post is a shortcut for doing a POST request without making a new client.\n// The bodyType parameter sets the \"Content-Type\" header of the request.\nfunc Post(url, bodyType string, body interface{}) (*http.Response, error) {\n\treturn defaultClient.Post(url, bodyType, body)\n}\n\n// Post is a convenience method for doing simple POST requests.\n// The bodyType parameter sets the \"Content-Type\" header of the request.\nfunc (c *Client) Post(url, bodyType string, body interface{}) (*http.Response, error) {\n\treq, err := NewRequest(\"POST\", url, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treq.Header.Set(\"Content-Type\", bodyType)\n\treturn c.Do(req)\n}\n\n// PostForm is a shortcut to perform a POST with form data 
without creating\n// a new client.\nfunc PostForm(url string, data url.Values) (*http.Response, error) {\n\treturn defaultClient.PostForm(url, data)\n}\n\n// PostForm is a convenience method for doing simple POST operations using\n// pre-filled url.Values form data.\nfunc (c *Client) PostForm(url string, data url.Values) (*http.Response, error) {\n\treturn c.Post(url, \"application/x-www-form-urlencoded\", strings.NewReader(data.Encode()))\n}\n\n// StandardClient returns a stdlib *http.Client with a custom Transport, which\n// shims in a *retryablehttp.Client for added retries.\nfunc (c *Client) StandardClient() *http.Client {\n\treturn &http.Client{\n\t\tTransport: &RoundTripper{Client: c},\n\t}\n}\n\n// redactURL returns u as a string with any userinfo password replaced by\n// \"xxxxx\"; the rest of the URL, including the query string, is left as is.\n// Taken from url.URL#Redacted(), which was introduced in go 1.15.\n// We can switch to using it directly once we bump the minimum required go version.\nfunc redactURL(u *url.URL) string {\n\tif u == nil {\n\t\treturn \"\"\n\t}\n\n\tru := *u\n\tif _, has := ru.User.Password(); has {\n\t\tru.User = url.UserPassword(ru.User.Username(), \"xxxxx\")\n\t}\n\treturn ru.String()\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/roundtripper.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage retryablehttp\n\nimport (\n\t\"errors\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"sync\"\n)\n\n// RoundTripper implements the http.RoundTripper interface, using a retrying\n// HTTP client to execute requests.\n//\n// It is important to note that retryablehttp doesn't always act exactly as a\n// RoundTripper should. This is highly dependent on the retryable client's\n// configuration.\ntype RoundTripper struct {\n\t// The client to use during requests. If nil, the default retryablehttp\n\t// client and settings will be used.\n\tClient *Client\n\n\t// once ensures that the logic to initialize the default client runs at\n\t// most once, in a single thread.\n\tonce sync.Once\n}\n\n// init initializes the underlying retryable client.\nfunc (rt *RoundTripper) init() {\n\tif rt.Client == nil {\n\t\trt.Client = NewClient()\n\t}\n}\n\n// RoundTrip satisfies the http.RoundTripper interface.\nfunc (rt *RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {\n\trt.once.Do(rt.init)\n\n\t// Convert the request to be retryable.\n\tretryableReq, err := FromRequest(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Execute the request.\n\tresp, err := rt.Client.Do(retryableReq)\n\t// If we got an error returned by standard library's `Do` method, unwrap it\n\t// otherwise we will wind up erroneously re-nesting the error.\n\tif _, ok := err.(*url.Error); ok {\n\t\treturn resp, errors.Unwrap(err)\n\t}\n\n\treturn resp, err\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/.travis.yml",
    "content": "sudo: false\n\nlanguage: go\n\ngo:\n  - 1.6\n\nbranches:\n  only:\n    - master\n\nscript: make test\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/LICENSE",
    "content": "Mozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. \"Contributor\"\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n\n     means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the terms of\n        a Secondary License.\n\n1.6. \"Executable Form\"\n\n     means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n\n     means a work that combines Covered Software with other material, in a\n     separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n\n     means this document.\n\n1.9. \"Licensable\"\n\n     means having the right to grant, to the maximum extent possible, whether\n     at the time of the initial grant or subsequently, any and all of the\n     rights conveyed by this License.\n\n1.10. \"Modifications\"\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
\"Patent Claims\" of a Contributor\n\n      means any patent claim(s), including without limitation, method,\n      process, and apparatus claims, in any patent Licensable by such\n      Contributor that would be infringed, but for the grant of the License,\n      by the making, using, selling, offering for sale, having made, import,\n      or transfer of either its Contributions or its Contributor Version.\n\n1.12. \"Secondary License\"\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. \"Source Code Form\"\n\n      means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, \"You\" includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, \"control\" means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or\n        as part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its\n        Contributions or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution\n     become effective for each Contribution on the date the Contributor first\n     distributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under\n     this License. No additional rights or licenses will be implied from the\n     distribution or licensing of Covered Software under this License.\n     Notwithstanding Section 2.1(b) above, no patent license is granted by a\n     Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party's\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of\n        its Contributions.\n\n     This License does not grant any rights in the trademarks, service marks,\n     or logos of any Contributor (except as may be necessary to comply with\n     the notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this\n     License (see Section 10.2) or under the terms of a Secondary License (if\n     permitted under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its\n     Contributions are its original creation(s) or it has sufficient rights to\n     grant the rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under\n     applicable copyright doctrines of fair use, fair dealing, or other\n     equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under\n     the terms of this License. You must inform recipients that the Source\n     Code Form of the Covered Software is governed by the terms of this\n     License, and how they can obtain a copy of this License. You may not\n     attempt to alter or restrict the recipients' rights in the Source Code\n     Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this\n        License, or sublicense it under different terms, provided that the\n        license for the Executable Form does not attempt to limit or alter the\n        recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for\n     the Covered Software. 
If the Larger Work is a combination of Covered\n     Software with a work governed by one or more Secondary Licenses, and the\n     Covered Software is not Incompatible With Secondary Licenses, this\n     License permits You to additionally distribute such Covered Software\n     under the terms of such Secondary License(s), so that the recipient of\n     the Larger Work may, at their option, further distribute the Covered\n     Software under the terms of either this License or such Secondary\n     License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices\n     (including copyright notices, patent notices, disclaimers of warranty, or\n     limitations of liability) contained within the Source Code Form of the\n     Covered Software, except that You may alter any license notices to the\n     extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on\n     behalf of any Contributor. You must make it absolutely clear that any\n     such warranty, support, indemnity, or liability obligation is offered by\n     You alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute,\n   judicial order, or regulation then You must: (a) comply with the terms of\n   this License to the maximum extent possible; and (b) describe the\n   limitations and the code they affect. Such description must be placed in a\n   text file included with all distributions of the Covered Software under\n   this License. Except to the extent prohibited by statute or regulation,\n   such description must be sufficiently detailed for a recipient of ordinary\n   skill to be able to understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing\n     basis, if such Contributor fails to notify You of the non-compliance by\n     some reasonable means prior to 60 days after You have come back into\n     compliance. Moreover, Your grants from a particular Contributor are\n     reinstated on an ongoing basis if such Contributor notifies You of the\n     non-compliance by some reasonable means, this is the first time You have\n     received notice of non-compliance with this License from such\n     Contributor, and You become compliant prior to 30 days after Your receipt\n     of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions,\n     counter-claims, and cross-claims) alleging that a Contributor Version\n     directly or indirectly infringes any patent, then the rights granted to\n     You by any and all Contributors for the Covered Software under Section\n     2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an \"as is\" basis,\n   without warranty of any kind, either expressed, implied, or statutory,\n   including, without limitation, warranties that the Covered Software is free\n   of defects, merchantable, fit for a particular purpose or non-infringing.\n   The entire risk as to the quality and performance of the Covered Software\n   is with You. Should any Covered Software prove defective in any respect,\n   You (not any Contributor) assume the cost of any necessary servicing,\n   repair, or correction. This disclaimer of warranty constitutes an essential\n   part of this License. No use of  any Covered Software is authorized under\n   this License except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from\n   such party's negligence to the extent applicable law prohibits such\n   limitation. Some jurisdictions do not allow the exclusion or limitation of\n   incidental or consequential damages, so this exclusion and limitation may\n   not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts\n   of a jurisdiction where the defendant maintains its principal place of\n   business and such litigation shall be governed by laws of that\n   jurisdiction, without reference to its conflict-of-law provisions. Nothing\n   in this Section shall prevent a party's ability to bring cross-claims or\n   counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject\n   matter hereof. If any provision of this License is held to be\n   unenforceable, such provision shall be reformed only to the extent\n   necessary to make it enforceable. Any law or regulation which provides that\n   the language of a contract shall be construed against the drafter shall not\n   be used to construe this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version\n      of the License under which You originally received the Covered Software,\n      or under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a\n      modified version of this License if you rename the license and remove\n      any references to the name of the license steward (except to note that\n      such modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary\n      Licenses If You choose to distribute Source Code Form that is\n      Incompatible With Secondary Licenses under the terms of this version of\n      the License, the notice described in Exhibit B of this License must be\n      attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file,\nthen You may include the notice in a location (such as a LICENSE file in a\nrelevant directory) where a recipient would be likely to look for such a\nnotice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n\n      This Source Code Form is \"Incompatible\n      With Secondary Licenses\", as defined by\n      the Mozilla Public License, v. 
2.0.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/Makefile",
    "content": "TEST?=./...\n\ntest:\n\tgo test $(TEST) $(TESTARGS) -timeout=3s -parallel=4\n\tgo vet $(TEST)\n\tgo test $(TEST) -race\n\n.PHONY: test\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/README.md",
    "content": "# rootcerts\n\nFunctions for loading root certificates for TLS connections.\n\n-----\n\nGo's standard library `crypto/tls` provides a common mechanism for configuring\nTLS connections in `tls.Config`. The `RootCAs` field on this struct is a pool\nof certificates for the client to use as a trust store when verifying server\ncertificates.\n\nThis library contains utility functions for loading certificates destined for\nthat field, as well as one other important thing:\n\nWhen the `RootCAs` field is `nil`, the standard library attempts to load the\nhost's root CA set.  This behavior is OS-specific, and the Darwin\nimplementation contains [a bug that prevents trusted certificates from the\nSystem and Login keychains from being loaded][1]. This library contains\nDarwin-specific behavior that works around that bug.\n\n[1]: https://github.com/golang/go/issues/14514\n\n## Example Usage\n\nHere's a snippet demonstrating how this library is meant to be used:\n\n```go\nfunc httpClient() (*http.Client, error) {\n\ttlsConfig := &tls.Config{}\n\terr := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{\n\t\tCAFile:        os.Getenv(\"MYAPP_CAFILE\"),\n\t\tCAPath:        os.Getenv(\"MYAPP_CAPATH\"),\n\t\tCACertificate: []byte(os.Getenv(\"MYAPP_CERTIFICATE\")),\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tc := cleanhttp.DefaultClient()\n\tt := cleanhttp.DefaultTransport()\n\tt.TLSClientConfig = tlsConfig\n\tc.Transport = t\n\treturn c, nil\n}\n```\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/doc.go",
    "content": "// Package rootcerts contains functions to aid in loading CA certificates for\n// TLS connections.\n//\n// In addition, its default behavior on Darwin works around an open issue [1]\n// in Go's crypto/x509 that prevents certificates from being loaded from the\n// System or Login keychains.\n//\n// [1] https://github.com/golang/go/issues/14514\npackage rootcerts\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/rootcerts.go",
    "content": "package rootcerts\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"os\"\n\t\"path/filepath\"\n)\n\n// Config determines where LoadCACerts will load certificates from. When CAFile,\n// CACertificate and CAPath are blank, this library's functions will either load\n// system roots explicitly and return them, or set the CertPool to nil to allow\n// Go's standard library to load system certs.\ntype Config struct {\n\t// CAFile is a path to a PEM-encoded certificate file or bundle. Takes\n\t// precedence over CACertificate and CAPath.\n\tCAFile string\n\n\t// CACertificate is a PEM-encoded certificate or bundle. Takes precedence\n\t// over CAPath.\n\tCACertificate []byte\n\n\t// CAPath is a path to a directory populated with PEM-encoded certificates.\n\tCAPath string\n}\n\n// ConfigureTLS sets up the RootCAs on the provided tls.Config based on the\n// Config specified.\nfunc ConfigureTLS(t *tls.Config, c *Config) error {\n\tif t == nil {\n\t\treturn nil\n\t}\n\tpool, err := LoadCACerts(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tt.RootCAs = pool\n\treturn nil\n}\n\n// LoadCACerts loads a CertPool based on the Config specified.\nfunc LoadCACerts(c *Config) (*x509.CertPool, error) {\n\tif c == nil {\n\t\tc = &Config{}\n\t}\n\tif c.CAFile != \"\" {\n\t\treturn LoadCAFile(c.CAFile)\n\t}\n\tif len(c.CACertificate) != 0 {\n\t\treturn AppendCertificate(c.CACertificate)\n\t}\n\tif c.CAPath != \"\" {\n\t\treturn LoadCAPath(c.CAPath)\n\t}\n\n\treturn LoadSystemCAs()\n}\n\n// LoadCAFile loads a single PEM-encoded file from the path specified.\nfunc LoadCAFile(caFile string) (*x509.CertPool, error) {\n\tpool := x509.NewCertPool()\n\n\tpem, err := ioutil.ReadFile(caFile)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"Error loading CA File: %s\", err)\n\t}\n\n\tok := pool.AppendCertsFromPEM(pem)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"Error loading CA File: Couldn't parse PEM in: %s\", caFile)\n\t}\n\n\treturn pool, 
nil\n}\n\n// AppendCertificate appends an in-memory PEM-encoded certificate or bundle and returns a pool.\nfunc AppendCertificate(ca []byte) (*x509.CertPool, error) {\n\tpool := x509.NewCertPool()\n\n\tok := pool.AppendCertsFromPEM(ca)\n\tif !ok {\n\t\treturn nil, errors.New(\"Error appending CA: Couldn't parse PEM\")\n\t}\n\n\treturn pool, nil\n}\n\n// LoadCAPath walks the provided path and loads all certificates encountered into\n// a pool.\nfunc LoadCAPath(caPath string) (*x509.CertPool, error) {\n\tpool := x509.NewCertPool()\n\twalkFn := func(path string, info os.FileInfo, err error) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tif info.IsDir() {\n\t\t\treturn nil\n\t\t}\n\n\t\tpem, err := ioutil.ReadFile(path)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"Error loading file from CAPath: %s\", err)\n\t\t}\n\n\t\tok := pool.AppendCertsFromPEM(pem)\n\t\tif !ok {\n\t\t\treturn fmt.Errorf(\"Error loading CA Path: Couldn't parse PEM in: %s\", path)\n\t\t}\n\n\t\treturn nil\n\t}\n\n\terr := filepath.Walk(caPath, walkFn)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn pool, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/rootcerts_base.go",
    "content": "// +build !darwin\n\npackage rootcerts\n\nimport \"crypto/x509\"\n\n// LoadSystemCAs does nothing on non-Darwin systems. We return nil so that\n// default behavior of standard TLS config libraries is triggered, which is to\n// load system certs.\nfunc LoadSystemCAs() (*x509.CertPool, error) {\n\treturn nil, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/rootcerts_darwin.go",
    "content": "package rootcerts\n\nimport (\n\t\"crypto/x509\"\n\t\"os/exec\"\n\t\"path\"\n\n\t\"github.com/mitchellh/go-homedir\"\n)\n\n// LoadSystemCAs has special behavior on Darwin systems to work around\n// an open issue in Go's crypto/x509 (https://github.com/golang/go/issues/14514)\n// that prevents certificates from being loaded from the System or Login\n// keychains.\nfunc LoadSystemCAs() (*x509.CertPool, error) {\n\tpool := x509.NewCertPool()\n\n\tfor _, keychain := range certKeychains() {\n\t\terr := addCertsFromKeychain(pool, keychain)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\treturn pool, nil\n}\n\nfunc addCertsFromKeychain(pool *x509.CertPool, keychain string) error {\n\tcmd := exec.Command(\"/usr/bin/security\", \"find-certificate\", \"-a\", \"-p\", keychain)\n\tdata, err := cmd.Output()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tpool.AppendCertsFromPEM(data)\n\n\treturn nil\n}\n\nfunc certKeychains() []string {\n\tkeychains := []string{\n\t\t\"/System/Library/Keychains/SystemRootCertificates.keychain\",\n\t\t\"/Library/Keychains/System.keychain\",\n\t}\n\thome, err := homedir.Dir()\n\tif err == nil {\n\t\tloginKeychain := path.Join(home, \"Library\", \"Keychains\", \"login.keychain\")\n\t\tkeychains = append(keychains, loginKeychain)\n\t}\n\treturn keychains\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/parseutil/LICENSE",
    "content": "Copyright (c) 2020 HashiCorp, Inc.\n\nMozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. \"Contributor\"\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n\n     means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the terms of\n        a Secondary License.\n\n1.6. \"Executable Form\"\n\n     means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n\n     means a work that combines Covered Software with other material, in a\n     separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n\n     means this document.\n\n1.9. \"Licensable\"\n\n     means having the right to grant, to the maximum extent possible, whether\n     at the time of the initial grant or subsequently, any and all of the\n     rights conveyed by this License.\n\n1.10. \"Modifications\"\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
\"Patent Claims\" of a Contributor\n\n      means any patent claim(s), including without limitation, method,\n      process, and apparatus claims, in any patent Licensable by such\n      Contributor that would be infringed, but for the grant of the License,\n      by the making, using, selling, offering for sale, having made, import,\n      or transfer of either its Contributions or its Contributor Version.\n\n1.12. \"Secondary License\"\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. \"Source Code Form\"\n\n      means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, \"You\" includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, \"control\" means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or\n        as part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its\n        Contributions or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution\n     become effective for each Contribution on the date the Contributor first\n     distributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under\n     this License. No additional rights or licenses will be implied from the\n     distribution or licensing of Covered Software under this License.\n     Notwithstanding Section 2.1(b) above, no patent license is granted by a\n     Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party's\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of\n        its Contributions.\n\n     This License does not grant any rights in the trademarks, service marks,\n     or logos of any Contributor (except as may be necessary to comply with\n     the notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this\n     License (see Section 10.2) or under the terms of a Secondary License (if\n     permitted under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its\n     Contributions are its original creation(s) or it has sufficient rights to\n     grant the rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under\n     applicable copyright doctrines of fair use, fair dealing, or other\n     equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under\n     the terms of this License. You must inform recipients that the Source\n     Code Form of the Covered Software is governed by the terms of this\n     License, and how they can obtain a copy of this License. You may not\n     attempt to alter or restrict the recipients' rights in the Source Code\n     Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this\n        License, or sublicense it under different terms, provided that the\n        license for the Executable Form does not attempt to limit or alter the\n        recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for\n     the Covered Software. 
If the Larger Work is a combination of Covered\n     Software with a work governed by one or more Secondary Licenses, and the\n     Covered Software is not Incompatible With Secondary Licenses, this\n     License permits You to additionally distribute such Covered Software\n     under the terms of such Secondary License(s), so that the recipient of\n     the Larger Work may, at their option, further distribute the Covered\n     Software under the terms of either this License or such Secondary\n     License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices\n     (including copyright notices, patent notices, disclaimers of warranty, or\n     limitations of liability) contained within the Source Code Form of the\n     Covered Software, except that You may alter any license notices to the\n     extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on\n     behalf of any Contributor. You must make it absolutely clear that any\n     such warranty, support, indemnity, or liability obligation is offered by\n     You alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute,\n   judicial order, or regulation then You must: (a) comply with the terms of\n   this License to the maximum extent possible; and (b) describe the\n   limitations and the code they affect. Such description must be placed in a\n   text file included with all distributions of the Covered Software under\n   this License. Except to the extent prohibited by statute or regulation,\n   such description must be sufficiently detailed for a recipient of ordinary\n   skill to be able to understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing\n     basis, if such Contributor fails to notify You of the non-compliance by\n     some reasonable means prior to 60 days after You have come back into\n     compliance. Moreover, Your grants from a particular Contributor are\n     reinstated on an ongoing basis if such Contributor notifies You of the\n     non-compliance by some reasonable means, this is the first time You have\n     received notice of non-compliance with this License from such\n     Contributor, and You become compliant prior to 30 days after Your receipt\n     of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions,\n     counter-claims, and cross-claims) alleging that a Contributor Version\n     directly or indirectly infringes any patent, then the rights granted to\n     You by any and all Contributors for the Covered Software under Section\n     2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an \"as is\" basis,\n   without warranty of any kind, either expressed, implied, or statutory,\n   including, without limitation, warranties that the Covered Software is free\n   of defects, merchantable, fit for a particular purpose or non-infringing.\n   The entire risk as to the quality and performance of the Covered Software\n   is with You. Should any Covered Software prove defective in any respect,\n   You (not any Contributor) assume the cost of any necessary servicing,\n   repair, or correction. This disclaimer of warranty constitutes an essential\n   part of this License. No use of  any Covered Software is authorized under\n   this License except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from\n   such party's negligence to the extent applicable law prohibits such\n   limitation. Some jurisdictions do not allow the exclusion or limitation of\n   incidental or consequential damages, so this exclusion and limitation may\n   not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts\n   of a jurisdiction where the defendant maintains its principal place of\n   business and such litigation shall be governed by laws of that\n   jurisdiction, without reference to its conflict-of-law provisions. Nothing\n   in this Section shall prevent a party's ability to bring cross-claims or\n   counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject\n   matter hereof. If any provision of this License is held to be\n   unenforceable, such provision shall be reformed only to the extent\n   necessary to make it enforceable. Any law or regulation which provides that\n   the language of a contract shall be construed against the drafter shall not\n   be used to construe this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version\n      of the License under which You originally received the Covered Software,\n      or under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a\n      modified version of this License if you rename the license and remove\n      any references to the name of the license steward (except to note that\n      such modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary\n      Licenses If You choose to distribute Source Code Form that is\n      Incompatible With Secondary Licenses under the terms of this version of\n      the License, the notice described in Exhibit B of this License must be\n      attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file,\nthen You may include the notice in a location (such as a LICENSE file in a\nrelevant directory) where a recipient would be likely to look for such a\nnotice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n\n      This Source Code Form is \"Incompatible\n      With Secondary Licenses\", as defined by\n      the Mozilla Public License, v. 
2.0.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/parseutil/normalize.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage parseutil\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"net/url\"\n\t\"strings\"\n)\n\n// general delimiters as defined in RFC-3986 §2.2\n// See: https://www.rfc-editor.org/rfc/rfc3986#section-2.2\nconst genDelims = \":/?#[]@\"\n\nfunc normalizeHostPort(host string, port string) (string, error) {\n\tif host == \"\" {\n\t\treturn \"\", fmt.Errorf(\"empty hostname\")\n\t}\n\tif ip := net.ParseIP(host); ip != nil {\n\t\tif ip.To4() == nil && ip.To16() != nil && port == \"\" {\n\t\t\t// this is a unique case, host is ipv6 and requires brackets due to\n\t\t\t// being part of a url, but they won't be added by net.JoinHostPort\n\t\t\t// as there is no port\n\t\t\t// See: https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2\n\t\t\treturn \"[\" + ip.String() + \"]\", nil\n\t\t}\n\t\thost = ip.String()\n\t} else if strings.Contains(host, \":\") {\n\t\t// host is an invalid ipv6 literal.\n\t\t// hosts cannot contain certain reserved characters, including \":\"\n\t\t// See: https://www.rfc-editor.org/rfc/rfc3986#section-2.2,\n\t\t//      https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2\n\t\treturn \"\", fmt.Errorf(\"host contains an invalid IPv6 literal\")\n\t}\n\tif port == \"\" {\n\t\treturn host, nil\n\t}\n\treturn net.JoinHostPort(host, port), nil\n}\n\nfunc parseUrl(addr string) (string, error) {\n\tif u, err := url.Parse(addr); err == nil {\n\t\tif strings.HasSuffix(u.Host, \":\") {\n\t\t\treturn \"\", fmt.Errorf(\"url has malformed host: missing port value after colon\")\n\t\t}\n\t\tif u.Host, err = normalizeHostPort(u.Hostname(), u.Port()); err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\treturn u.String(), nil\n\t}\n\treturn \"\", fmt.Errorf(\"failed to parse address\")\n}\n\n// NormalizeAddr takes an address as a string and returns a normalized copy.\n// If the address is a URL, IP Address, or host:port address that includes an\n// IPv6 address, the normalized copy will be 
conformant with RFC-5952 §4. If\n// the address cannot be parsed, an error will be returned.\n//\n// There are two valid formats:\n//\n// - hosts: \"host\"\n//   - may be any of: IPv6 literal, IPv4 literal, dns name, or [sub]domain name\n//   - IPv6 literals cannot be encapsulated within square brackets in this format\n//\n// - URIs: \"[scheme://] [user@] host [:port] [/path] [?query] [#frag]\"\n//   - format should conform with RFC-3986 §3 or else the returned address may\n//     be parsed and formatted incorrectly\n//   - hosts containing IPv6 literals MUST be encapsulated within square brackets,\n//     as defined in RFC-3986 §3.2.2 and RFC-5952 §6\n//   - all non-host components are optional\n//\n// See:\n//   - https://www.rfc-editor.org/rfc/rfc5952\n//   - https://www.rfc-editor.org/rfc/rfc3986\nfunc NormalizeAddr(address string) (string, error) {\n\tif address == \"\" {\n\t\treturn \"\", fmt.Errorf(\"empty address\")\n\t}\n\n\tif strings.HasPrefix(address, \"[\") && strings.HasSuffix(address, \"]\") {\n\t\treturn \"\", fmt.Errorf(\"address cannot be encapsulated by brackets\")\n\t}\n\n\tif ip := net.ParseIP(address); ip != nil {\n\t\treturn ip.String(), nil\n\t}\n\n\t// if the provided address does not have a scheme provided, attempt to\n\t// provide one and re-parse the result. 
this is done by looking for the\n\t// first general delimiter and checking if it exists or if it's not a colon\n\t// or by subsequently checking if the first character of the address is a\n\t// letter or a colon or if the colon is part of \"://\"\n\t// See: https://www.rfc-editor.org/rfc/rfc3986#section-3\n\t//\n\t// though the first character being a colon is not mentioned in the scheme\n\t// spec, we check for it as url.Parse will read certain invalid ipv6\n\t// addresses as valid urls, and we want to avoid that\n\tidx := strings.IndexAny(address, genDelims)\n\tswitch {\n\tcase idx < 0:\n\t\tfallthrough\n\tcase address[idx] != ':':\n\t\tfallthrough\n\t\t// by this point we already know that idx > 0 and that address[idx] == ':'\n\tcase idx > 1 && !strings.HasPrefix(address[idx:], \"://\"):\n\t\tconst scheme = \"default://\"\n\t\t// attempt to parse it as a url. we only want to try this func when we\n\t\t// know for sure it has a scheme, since it will parse ANYTHING, but\n\t\t// just put it into u.Path when called without the scheme\n\t\tu, err := parseUrl(scheme + address)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\treturn strings.TrimPrefix(u, scheme), nil\n\n\tdefault:\n\t\treturn parseUrl(address)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/parseutil/parsepath.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage parseutil\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n)\n\nvar (\n\tErrNotAUrl   = errors.New(\"not a url\")\n\tErrNotParsed = errors.New(\"not a parsed value\")\n)\n\ntype options struct {\n\terrorOnMissingEnv bool\n\tnoTrimSpaces      bool\n}\n\ntype option func() optionFunc\n\ntype optionFunc func(*options)\n\n// ParsePath parses a URL with schemes file://, env://, or any other. Depending\n// on the scheme it will return specific types of data:\n//\n// * file:// will return a string with the file's contents\n//\n// * env:// will return a string with the env var's contents\n//\n// * Anything else will return the string as it was. Functionally this means\n// anything for which Go's `url.Parse` function does not throw an error. If you\n// want to ensure that this function errors if a known scheme is not found, use\n// MustParsePath.\n//\n// On error, we return the original string along with the error. The caller can\n// switch on errors.Is(err, ErrNotAUrl) to understand whether it was the parsing\n// step that errored or something else (such as a file not found). 
This is\n// useful to attempt to read a non-URL string from some resource, but where the\n// original input may simply be a valid string of that type.\nfunc ParsePath(path string, options ...option) (string, error) {\n\treturn parsePath(path, false, options)\n}\n\n// MustParsePath behaves like ParsePath but will return ErrNotAUrl if the value\n// is not a URL with a scheme that can be parsed by this function.\nfunc MustParsePath(path string, options ...option) (string, error) {\n\treturn parsePath(path, true, options)\n}\n\nfunc parsePath(path string, mustParse bool, passedOptions []option) (string, error) {\n\tvar opts options\n\tfor _, o := range passedOptions {\n\t\tof := o()\n\t\tof(&opts)\n\t}\n\n\ttrimmedPath := strings.TrimSpace(path)\n\tparsed, err := url.Parse(trimmedPath)\n\tif err != nil {\n\t\terr = fmt.Errorf(\"error parsing url (%q): %w\", err.Error(), ErrNotAUrl)\n\t\tif opts.noTrimSpaces {\n\t\t\treturn path, err\n\t\t}\n\t\treturn trimmedPath, err\n\t}\n\tswitch parsed.Scheme {\n\tcase \"file\":\n\t\tcontents, err := ioutil.ReadFile(strings.TrimPrefix(trimmedPath, \"file://\"))\n\t\tif err != nil {\n\t\t\treturn trimmedPath, fmt.Errorf(\"error reading file at %s: %w\", trimmedPath, err)\n\t\t}\n\t\tif opts.noTrimSpaces {\n\t\t\treturn string(contents), nil\n\t\t}\n\t\treturn strings.TrimSpace(string(contents)), nil\n\tcase \"env\":\n\t\tenvKey := strings.TrimPrefix(trimmedPath, \"env://\")\n\t\tenvVal, ok := os.LookupEnv(envKey)\n\t\tif opts.errorOnMissingEnv && !ok {\n\t\t\treturn \"\", fmt.Errorf(\"environment variable %s unset\", envKey)\n\t\t}\n\t\tif opts.noTrimSpaces {\n\t\t\treturn envVal, nil\n\t\t}\n\t\treturn strings.TrimSpace(envVal), nil\n\tcase \"string\":\n\t\t// Meant if there is a need to provide a string literal that is prefixed by one of these URL schemes but want to \"escape\" it,\n\t\t// e.g. 
\"string://env://foo\", in order to get the value \"env://foo\"\n\t\tval := strings.TrimPrefix(trimmedPath, \"string://\")\n\t\tif opts.noTrimSpaces {\n\t\t\treturn val, nil\n\t\t}\n\t\treturn strings.TrimSpace(val), nil\n\tdefault:\n\t\tif mustParse {\n\t\t\treturn \"\", ErrNotParsed\n\t\t}\n\t\treturn path, nil\n\t}\n}\n\n// When true, values returned from ParsePath won't have leading/trailing spaces trimmed.\nfunc WithNoTrimSpaces(noTrim bool) option {\n\treturn func() optionFunc {\n\t\treturn optionFunc(func(o *options) {\n\t\t\to.noTrimSpaces = noTrim\n\t\t})\n\t}\n}\n\n// When true, if an environment variable is unset, an error will be returned rather than the empty string.\nfunc WithErrorOnMissingEnv(errorOnMissingEnv bool) option {\n\treturn func() optionFunc {\n\t\treturn optionFunc(func(o *options) {\n\t\t\to.errorOnMissingEnv = errorOnMissingEnv\n\t\t})\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/parseutil/parseutil.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage parseutil\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/hashicorp/go-secure-stdlib/strutil\"\n\tsockaddr \"github.com/hashicorp/go-sockaddr\"\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nvar (\n\tvalidCapacityString               = regexp.MustCompile(\"^[\\t ]*([0-9]+)[\\t ]?([kmgtKMGT][iI]?[bB])?[\\t ]*$\")\n\tErrDurationMultiplicationOverflow = errors.New(\"multiplication of durations resulted in overflow, one operand may be too large\")\n)\n\n// ParseCapacityString parses a capacity string and returns the number of bytes it represents.\n// Capacity strings are things like 5gib or 10MB. Supported prefixes are kb, kib, mb, mib, gb,\n// gib, tb, tib, which are not case sensitive. If no prefix is present, the number is assumed\n// to be in bytes already.\nfunc ParseCapacityString(in interface{}) (uint64, error) {\n\tvar cap uint64\n\n\tjsonIn, ok := in.(json.Number)\n\tif ok {\n\t\tin = jsonIn.String()\n\t}\n\n\tswitch inp := in.(type) {\n\tcase nil:\n\t\t// return default of zero\n\tcase string:\n\t\tif inp == \"\" {\n\t\t\treturn cap, nil\n\t\t}\n\n\t\tmatches := validCapacityString.FindStringSubmatch(inp)\n\n\t\t// no sub-groups means we couldn't parse it\n\t\tif len(matches) <= 1 {\n\t\t\treturn cap, errors.New(\"could not parse capacity from input\")\n\t\t}\n\n\t\tvar multiplier uint64 = 1\n\t\tswitch strings.ToLower(matches[2]) {\n\t\tcase \"kb\":\n\t\t\tmultiplier = 1000\n\t\tcase \"kib\":\n\t\t\tmultiplier = 1024\n\t\tcase \"mb\":\n\t\t\tmultiplier = 1000 * 1000\n\t\tcase \"mib\":\n\t\t\tmultiplier = 1024 * 1024\n\t\tcase \"gb\":\n\t\t\tmultiplier = 1000 * 1000 * 1000\n\t\tcase \"gib\":\n\t\t\tmultiplier = 1024 * 1024 * 1024\n\t\tcase \"tb\":\n\t\t\tmultiplier = 1000 * 1000 * 1000 * 1000\n\t\tcase \"tib\":\n\t\t\tmultiplier = 1024 * 1024 * 1024 * 
1024\n\t\t}\n\n\t\tsize, err := strconv.ParseUint(matches[1], 10, 64)\n\t\tif err != nil {\n\t\t\treturn cap, err\n\t\t}\n\n\t\tcap = size * multiplier\n\tcase int:\n\t\tcap = uint64(inp)\n\tcase int32:\n\t\tcap = uint64(inp)\n\tcase int64:\n\t\tcap = uint64(inp)\n\tcase uint:\n\t\tcap = uint64(inp)\n\tcase uint32:\n\t\tcap = uint64(inp)\n\tcase uint64:\n\t\tcap = uint64(inp)\n\tcase float32:\n\t\tcap = uint64(inp)\n\tcase float64:\n\t\tcap = uint64(inp)\n\tdefault:\n\t\treturn cap, errors.New(\"could not parse capacity from input\")\n\t}\n\n\treturn cap, nil\n}\n\n// Parse a duration from an arbitrary value (a string or numeric value) into\n// a time.Duration; when units are missing (such as when a numeric type is\n// provided), the duration is assumed to be in seconds.\nfunc ParseDurationSecond(in interface{}) (time.Duration, error) {\n\tvar dur time.Duration\n\tjsonIn, ok := in.(json.Number)\n\tif ok {\n\t\tin = jsonIn.String()\n\t}\n\tvar err error\n\tswitch inp := in.(type) {\n\tcase nil:\n\t\t// return default of zero\n\tcase string:\n\t\tif inp == \"\" {\n\t\t\treturn dur, nil\n\t\t}\n\n\t\tif v, err := strconv.ParseInt(inp, 10, 64); err == nil {\n\t\t\treturn overflowMul(time.Duration(v), time.Second)\n\t\t}\n\n\t\tif strings.HasSuffix(inp, \"d\") {\n\t\t\tv, err := strconv.ParseInt(inp[:len(inp)-1], 10, 64)\n\t\t\tif err != nil {\n\t\t\t\treturn dur, err\n\t\t\t}\n\t\t\treturn overflowMul(time.Duration(v), 24*time.Hour)\n\t\t}\n\n\t\tvar err error\n\t\tif dur, err = time.ParseDuration(inp); err != nil {\n\t\t\treturn dur, err\n\t\t}\n\tcase int:\n\t\tdur, err = overflowMul(time.Duration(inp), time.Second)\n\tcase int32:\n\t\tdur, err = overflowMul(time.Duration(inp), time.Second)\n\tcase int64:\n\t\tdur, err = overflowMul(time.Duration(inp), time.Second)\n\tcase uint:\n\t\tdur, err = overflowMul(time.Duration(inp), time.Second)\n\tcase uint32:\n\t\tdur, err = overflowMul(time.Duration(inp), time.Second)\n\tcase uint64:\n\t\tdur, err = 
overflowMul(time.Duration(inp), time.Second)\n\tcase float32:\n\t\tdur, err = overflowMul(time.Duration(inp), time.Second)\n\tcase float64:\n\t\tdur, err = overflowMul(time.Duration(inp), time.Second)\n\tcase time.Duration:\n\t\tdur = inp\n\tdefault:\n\t\treturn 0, errors.New(\"could not parse duration from input\")\n\t}\n\tif err != nil {\n\t\tdur = time.Duration(0)\n\t}\n\treturn dur, err\n}\n\n// Multiplication of durations could overflow, this performs multiplication while erroring out if an overflow occurs\nfunc overflowMul(a time.Duration, b time.Duration) (time.Duration, error) {\n\tx := a * b\n\tif a != 0 && x/a != b {\n\t\treturn time.Duration(0), ErrDurationMultiplicationOverflow\n\t}\n\treturn x, nil\n}\n\n// Parse an absolute timestamp from the provided arbitrary value (string or\n// numeric value). When an untyped numeric value is provided, it is assumed\n// to be seconds from the Unix Epoch.\nfunc ParseAbsoluteTime(in interface{}) (time.Time, error) {\n\tvar t time.Time\n\tswitch inp := in.(type) {\n\tcase nil:\n\t\t// return default of zero\n\t\treturn t, nil\n\tcase string:\n\t\t// Allow RFC3339 with nanoseconds, or without,\n\t\t// or an epoch time as an integer.\n\t\tvar err error\n\t\tt, err = time.Parse(time.RFC3339Nano, inp)\n\t\tif err == nil {\n\t\t\tbreak\n\t\t}\n\t\tt, err = time.Parse(time.RFC3339, inp)\n\t\tif err == nil {\n\t\t\tbreak\n\t\t}\n\t\tepochTime, err := strconv.ParseInt(inp, 10, 64)\n\t\tif err == nil {\n\t\t\tt = time.Unix(epochTime, 0)\n\t\t\tbreak\n\t\t}\n\t\treturn t, errors.New(\"could not parse string as date and time\")\n\tcase json.Number:\n\t\tepochTime, err := inp.Int64()\n\t\tif err != nil {\n\t\t\treturn t, err\n\t\t}\n\t\tt = time.Unix(epochTime, 0)\n\tcase int:\n\t\tt = time.Unix(int64(inp), 0)\n\tcase int32:\n\t\tt = time.Unix(int64(inp), 0)\n\tcase int64:\n\t\tt = time.Unix(inp, 0)\n\tcase uint:\n\t\tt = time.Unix(int64(inp), 0)\n\tcase uint32:\n\t\tt = time.Unix(int64(inp), 0)\n\tcase uint64:\n\t\tt = 
time.Unix(int64(inp), 0)\n\tdefault:\n\t\treturn t, errors.New(\"could not parse time from input type\")\n\t}\n\treturn t, nil\n}\n\n// ParseInt takes an arbitrary value (either a string or numeric type) and\n// parses it as an int64 value. This value is assumed to be larger than the\n// provided type, but cannot safely be cast.\n//\n// When the end value is bounded (such as an int value), it is recommended\n// to instead call SafeParseInt or SafeParseIntRange to safely cast to a\n// more restrictive type.\nfunc ParseInt(in interface{}) (int64, error) {\n\tvar ret int64\n\tjsonIn, ok := in.(json.Number)\n\tif ok {\n\t\tin = jsonIn.String()\n\t}\n\tswitch in.(type) {\n\tcase string:\n\t\tinp := in.(string)\n\t\tif inp == \"\" {\n\t\t\treturn 0, nil\n\t\t}\n\t\tvar err error\n\t\tleft, err := strconv.ParseInt(inp, 10, 64)\n\t\tif err != nil {\n\t\t\treturn ret, err\n\t\t}\n\t\tret = left\n\tcase int:\n\t\tret = int64(in.(int))\n\tcase int32:\n\t\tret = int64(in.(int32))\n\tcase int64:\n\t\tret = in.(int64)\n\tcase uint:\n\t\tret = int64(in.(uint))\n\tcase uint32:\n\t\tret = int64(in.(uint32))\n\tcase uint64:\n\t\tret = int64(in.(uint64))\n\tdefault:\n\t\treturn 0, errors.New(\"could not parse value from input\")\n\t}\n\n\treturn ret, nil\n}\n\n// ParseDirectIntSlice behaves similarly to ParseInt, but accepts typed\n// slices, returning a slice of int64s.\n//\n// If the starting value may not be in slice form (e.g.. 
a bare numeric value\n// could be provided), it is suggested to call ParseIntSlice instead.\nfunc ParseDirectIntSlice(in interface{}) ([]int64, error) {\n\tvar ret []int64\n\n\tswitch in.(type) {\n\tcase []int:\n\t\tfor _, v := range in.([]int) {\n\t\t\tret = append(ret, int64(v))\n\t\t}\n\tcase []int32:\n\t\tfor _, v := range in.([]int32) {\n\t\t\tret = append(ret, int64(v))\n\t\t}\n\tcase []int64:\n\t\t// For consistency to ensure callers can always modify ret without\n\t\t// impacting in.\n\t\tfor _, v := range in.([]int64) {\n\t\t\tret = append(ret, v)\n\t\t}\n\tcase []uint:\n\t\tfor _, v := range in.([]uint) {\n\t\t\tret = append(ret, int64(v))\n\t\t}\n\tcase []uint32:\n\t\tfor _, v := range in.([]uint32) {\n\t\t\tret = append(ret, int64(v))\n\t\t}\n\tcase []uint64:\n\t\tfor _, v := range in.([]uint64) {\n\t\t\tret = append(ret, int64(v))\n\t\t}\n\tcase []json.Number:\n\t\tfor _, v := range in.([]json.Number) {\n\t\t\telement, err := ParseInt(v)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tret = append(ret, element)\n\t\t}\n\tcase []string:\n\t\tfor _, v := range in.([]string) {\n\t\t\telement, err := ParseInt(v)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tret = append(ret, element)\n\t\t}\n\tdefault:\n\t\treturn nil, errors.New(\"could not parse value from input\")\n\t}\n\n\treturn ret, nil\n}\n\n// ParseIntSlice is a helper function for handling upgrades of optional\n// slices; that is, if the API accepts a type similar to <int|[]int>,\n// nicely handle the common cases of providing only an int-ish, providing\n// an actual slice of int-ishes, or providing a comma-separated list of\n// numbers.\n//\n// When []int64 is not the desired final type (or the values should be\n// range-bound), it is suggested to call SafeParseIntSlice or\n// SafeParseIntSliceRange instead.\nfunc ParseIntSlice(in interface{}) ([]int64, error) {\n\tif ret, err := ParseInt(in); err == nil {\n\t\treturn []int64{ret}, nil\n\t}\n\n\tif ret, err := 
ParseDirectIntSlice(in); err == nil {\n\t\treturn ret, nil\n\t}\n\n\tif strings, err := ParseCommaStringSlice(in); err == nil {\n\t\tvar ret []int64\n\t\tfor _, v := range strings {\n\t\t\tif v == \"\" {\n\t\t\t\t// Ignore empty fields\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\telement, err := ParseInt(v)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tret = append(ret, element)\n\t\t}\n\n\t\treturn ret, nil\n\t}\n\n\treturn nil, errors.New(\"could not parse value from input\")\n}\n\n// Parses the provided arbitrary value as a boolean-like value.\nfunc ParseBool(in interface{}) (bool, error) {\n\tvar result bool\n\tif err := mapstructure.WeakDecode(in, &result); err != nil {\n\t\treturn false, err\n\t}\n\treturn result, nil\n}\n\n// Parses the provided arbitrary value as a string.\nfunc ParseString(in interface{}) (string, error) {\n\tvar result string\n\tif err := mapstructure.WeakDecode(in, &result); err != nil {\n\t\treturn \"\", err\n\t}\n\treturn result, nil\n}\n\n// Parses the provided string-like value as a comma-separated list of values.\nfunc ParseCommaStringSlice(in interface{}) ([]string, error) {\n\tjsonIn, ok := in.(json.Number)\n\tif ok {\n\t\tin = jsonIn.String()\n\t}\n\n\trawString, ok := in.(string)\n\tif ok && rawString == \"\" {\n\t\treturn []string{}, nil\n\t}\n\tvar result []string\n\tconfig := &mapstructure.DecoderConfig{\n\t\tResult:           &result,\n\t\tWeaklyTypedInput: true,\n\t\tDecodeHook:       mapstructure.StringToSliceHookFunc(\",\"),\n\t}\n\tdecoder, err := mapstructure.NewDecoder(config)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif err := decoder.Decode(in); err != nil {\n\t\treturn nil, err\n\t}\n\treturn strutil.TrimStrings(result), nil\n}\n\n// Parses the specified value as one or more addresses, separated by commas.\nfunc ParseAddrs(addrs interface{}) ([]*sockaddr.SockAddrMarshaler, error) {\n\tout := make([]*sockaddr.SockAddrMarshaler, 0)\n\tstringAddrs := make([]string, 0)\n\n\tswitch addrs.(type) {\n\tcase 
string:\n\t\tstringAddrs = strutil.ParseArbitraryStringSlice(addrs.(string), \",\")\n\t\tif len(stringAddrs) == 0 {\n\t\t\treturn nil, fmt.Errorf(\"unable to parse addresses from %v\", addrs)\n\t\t}\n\n\tcase []string:\n\t\tstringAddrs = addrs.([]string)\n\n\tcase []interface{}:\n\t\tfor _, v := range addrs.([]interface{}) {\n\t\t\tstringAddr, ok := v.(string)\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"error parsing %v as string\", v)\n\t\t\t}\n\t\t\tstringAddrs = append(stringAddrs, stringAddr)\n\t\t}\n\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unknown address input type %T\", addrs)\n\t}\n\n\tfor _, addr := range stringAddrs {\n\t\tsa, err := sockaddr.NewSockAddr(addr)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"error parsing address %q: %w\", addr, err)\n\t\t}\n\t\tout = append(out, &sockaddr.SockAddrMarshaler{\n\t\t\tSockAddr: sa,\n\t\t})\n\t}\n\n\treturn out, nil\n}\n\n// Parses the provided arbitrary value (see ParseInt), ensuring it is within\n// the specified range (inclusive of bounds). If this range corresponds to a\n// smaller type, the returned value can then be safely cast without risking\n// overflow.\nfunc SafeParseIntRange(in interface{}, min int64, max int64) (int64, error) {\n\traw, err := ParseInt(in)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\tif raw < min || raw > max {\n\t\treturn 0, fmt.Errorf(\"error parsing int value; out of range [%v to %v]: %v\", min, max, raw)\n\t}\n\n\treturn raw, nil\n}\n\n// Parses the specified arbitrary value (see ParseInt), ensuring that the\n// resulting value is within the range for an int value. If no error occurred,\n// the caller knows no overflow occurred.\nfunc SafeParseInt(in interface{}) (int, error) {\n\traw, err := SafeParseIntRange(in, math.MinInt, math.MaxInt)\n\treturn int(raw), err\n}\n\n// Parses the provided arbitrary value (see ParseIntSlice) into a slice of\n// int64 values, ensuring each is within the specified range (inclusive of\n// bounds). 
If this range corresponds to a smaller type, the returned value\n// can then be safely cast without risking overflow.\n//\n// If elements is positive, it is used to ensure the resulting slice is\n// bounded above by that number of elements (inclusive).\nfunc SafeParseIntSliceRange(in interface{}, minValue int64, maxValue int64, elements int) ([]int64, error) {\n\traw, err := ParseIntSlice(in)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif elements > 0 && len(raw) > elements {\n\t\treturn nil, fmt.Errorf(\"error parsing value from input: got %v but expected at most %v elements\", len(raw), elements)\n\t}\n\n\tfor index, value := range raw {\n\t\tif value < minValue || value > maxValue {\n\t\t\treturn nil, fmt.Errorf(\"error parsing value from input: element %v was outside of range [%v to %v]: %v\", index, minValue, maxValue, value)\n\t\t}\n\t}\n\n\treturn raw, nil\n}\n\n// Parses the provided arbitrary value (see ParseIntSlice) into a slice of\n// int values, ensuring each resulting value in the slice is within the\n// range for an int value. If no error occurred, the caller knows no overflow\n// occurred.\n//\n// If elements is positive, it is used to ensure the resulting slice is\n// bounded above by that number of elements (inclusive).\nfunc SafeParseIntSlice(in interface{}, elements int) ([]int, error) {\n\traw, err := SafeParseIntSliceRange(in, math.MinInt, math.MaxInt, elements)\n\tif err != nil || raw == nil {\n\t\treturn nil, err\n\t}\n\n\tvar result = make([]int, 0, len(raw))\n\tfor _, element := range raw {\n\t\tresult = append(result, int(element))\n\t}\n\n\treturn result, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/strutil/LICENSE",
    "content": "Mozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. \"Contributor\"\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n\n     means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the terms of\n        a Secondary License.\n\n1.6. \"Executable Form\"\n\n     means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n\n     means a work that combines Covered Software with other material, in a\n     separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n\n     means this document.\n\n1.9. \"Licensable\"\n\n     means having the right to grant, to the maximum extent possible, whether\n     at the time of the initial grant or subsequently, any and all of the\n     rights conveyed by this License.\n\n1.10. \"Modifications\"\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
\"Patent Claims\" of a Contributor\n\n      means any patent claim(s), including without limitation, method,\n      process, and apparatus claims, in any patent Licensable by such\n      Contributor that would be infringed, but for the grant of the License,\n      by the making, using, selling, offering for sale, having made, import,\n      or transfer of either its Contributions or its Contributor Version.\n\n1.12. \"Secondary License\"\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. \"Source Code Form\"\n\n      means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, \"You\" includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, \"control\" means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or\n        as part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its\n        Contributions or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution\n     become effective for each Contribution on the date the Contributor first\n     distributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under\n     this License. No additional rights or licenses will be implied from the\n     distribution or licensing of Covered Software under this License.\n     Notwithstanding Section 2.1(b) above, no patent license is granted by a\n     Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party's\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of\n        its Contributions.\n\n     This License does not grant any rights in the trademarks, service marks,\n     or logos of any Contributor (except as may be necessary to comply with\n     the notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this\n     License (see Section 10.2) or under the terms of a Secondary License (if\n     permitted under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its\n     Contributions are its original creation(s) or it has sufficient rights to\n     grant the rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under\n     applicable copyright doctrines of fair use, fair dealing, or other\n     equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under\n     the terms of this License. You must inform recipients that the Source\n     Code Form of the Covered Software is governed by the terms of this\n     License, and how they can obtain a copy of this License. You may not\n     attempt to alter or restrict the recipients' rights in the Source Code\n     Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this\n        License, or sublicense it under different terms, provided that the\n        license for the Executable Form does not attempt to limit or alter the\n        recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for\n     the Covered Software. 
If the Larger Work is a combination of Covered\n     Software with a work governed by one or more Secondary Licenses, and the\n     Covered Software is not Incompatible With Secondary Licenses, this\n     License permits You to additionally distribute such Covered Software\n     under the terms of such Secondary License(s), so that the recipient of\n     the Larger Work may, at their option, further distribute the Covered\n     Software under the terms of either this License or such Secondary\n     License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices\n     (including copyright notices, patent notices, disclaimers of warranty, or\n     limitations of liability) contained within the Source Code Form of the\n     Covered Software, except that You may alter any license notices to the\n     extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on\n     behalf of any Contributor. You must make it absolutely clear that any\n     such warranty, support, indemnity, or liability obligation is offered by\n     You alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute,\n   judicial order, or regulation then You must: (a) comply with the terms of\n   this License to the maximum extent possible; and (b) describe the\n   limitations and the code they affect. Such description must be placed in a\n   text file included with all distributions of the Covered Software under\n   this License. Except to the extent prohibited by statute or regulation,\n   such description must be sufficiently detailed for a recipient of ordinary\n   skill to be able to understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing\n     basis, if such Contributor fails to notify You of the non-compliance by\n     some reasonable means prior to 60 days after You have come back into\n     compliance. Moreover, Your grants from a particular Contributor are\n     reinstated on an ongoing basis if such Contributor notifies You of the\n     non-compliance by some reasonable means, this is the first time You have\n     received notice of non-compliance with this License from such\n     Contributor, and You become compliant prior to 30 days after Your receipt\n     of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions,\n     counter-claims, and cross-claims) alleging that a Contributor Version\n     directly or indirectly infringes any patent, then the rights granted to\n     You by any and all Contributors for the Covered Software under Section\n     2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an \"as is\" basis,\n   without warranty of any kind, either expressed, implied, or statutory,\n   including, without limitation, warranties that the Covered Software is free\n   of defects, merchantable, fit for a particular purpose or non-infringing.\n   The entire risk as to the quality and performance of the Covered Software\n   is with You. Should any Covered Software prove defective in any respect,\n   You (not any Contributor) assume the cost of any necessary servicing,\n   repair, or correction. This disclaimer of warranty constitutes an essential\n   part of this License. No use of  any Covered Software is authorized under\n   this License except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from\n   such party's negligence to the extent applicable law prohibits such\n   limitation. Some jurisdictions do not allow the exclusion or limitation of\n   incidental or consequential damages, so this exclusion and limitation may\n   not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts\n   of a jurisdiction where the defendant maintains its principal place of\n   business and such litigation shall be governed by laws of that\n   jurisdiction, without reference to its conflict-of-law provisions. Nothing\n   in this Section shall prevent a party's ability to bring cross-claims or\n   counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject\n   matter hereof. If any provision of this License is held to be\n   unenforceable, such provision shall be reformed only to the extent\n   necessary to make it enforceable. Any law or regulation which provides that\n   the language of a contract shall be construed against the drafter shall not\n   be used to construe this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version\n      of the License under which You originally received the Covered Software,\n      or under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a\n      modified version of this License if you rename the license and remove\n      any references to the name of the license steward (except to note that\n      such modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary\n      Licenses If You choose to distribute Source Code Form that is\n      Incompatible With Secondary Licenses under the terms of this version of\n      the License, the notice described in Exhibit B of this License must be\n      attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file,\nthen You may include the notice in a location (such as a LICENSE file in a\nrelevant directory) where a recipient would be likely to look for such a\nnotice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n\n      This Source Code Form is \"Incompatible\n      With Secondary Licenses\", as defined by\n      the Mozilla Public License, v. 
2.0.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/strutil/strutil.go",
    "content": "package strutil\n\nimport (\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"sort\"\n\t\"strings\"\n\t\"unicode\"\n\n\tglob \"github.com/ryanuber/go-glob\"\n)\n\n// StrListContainsGlob looks for a string in a list of strings and allows\n// globs.\nfunc StrListContainsGlob(haystack []string, needle string) bool {\n\tfor _, item := range haystack {\n\t\tif glob.Glob(item, needle) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// StrListContains looks for a string in a list of strings.\nfunc StrListContains(haystack []string, needle string) bool {\n\tfor _, item := range haystack {\n\t\tif item == needle {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// StrListContainsCaseInsensitive looks for a string in a list of strings.\nfunc StrListContainsCaseInsensitive(haystack []string, needle string) bool {\n\tfor _, item := range haystack {\n\t\tif strings.EqualFold(item, needle) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// StrListSubset checks if a given list is a subset\n// of another set\nfunc StrListSubset(super, sub []string) bool {\n\tfor _, item := range sub {\n\t\tif !StrListContains(super, item) {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// ParseDedupAndSortStrings parses a comma separated list of strings\n// into a slice of strings. The return slice will be sorted and will\n// not contain duplicate or empty items.\nfunc ParseDedupAndSortStrings(input string, sep string) []string {\n\tinput = strings.TrimSpace(input)\n\tparsed := []string{}\n\tif input == \"\" {\n\t\t// Don't return nil\n\t\treturn parsed\n\t}\n\treturn RemoveDuplicates(strings.Split(input, sep), false)\n}\n\n// ParseDedupLowercaseAndSortStrings parses a comma separated list of\n// strings into a slice of strings. The return slice will be sorted and\n// will not contain duplicate or empty items. 
The values will be converted\n// to lower case.\nfunc ParseDedupLowercaseAndSortStrings(input string, sep string) []string {\n\tinput = strings.TrimSpace(input)\n\tparsed := []string{}\n\tif input == \"\" {\n\t\t// Don't return nil\n\t\treturn parsed\n\t}\n\treturn RemoveDuplicates(strings.Split(input, sep), true)\n}\n\n// ParseKeyValues parses a comma separated list of `<key>=<value>` tuples\n// into a map[string]string.\nfunc ParseKeyValues(input string, out map[string]string, sep string) error {\n\tif out == nil {\n\t\treturn fmt.Errorf(\"'out is nil\")\n\t}\n\n\tkeyValues := ParseDedupLowercaseAndSortStrings(input, sep)\n\tif len(keyValues) == 0 {\n\t\treturn nil\n\t}\n\n\tfor _, keyValue := range keyValues {\n\t\tshards := strings.Split(keyValue, \"=\")\n\t\tif len(shards) != 2 {\n\t\t\treturn fmt.Errorf(\"invalid <key,value> format\")\n\t\t}\n\n\t\tkey := strings.TrimSpace(shards[0])\n\t\tvalue := strings.TrimSpace(shards[1])\n\t\tif key == \"\" || value == \"\" {\n\t\t\treturn fmt.Errorf(\"invalid <key,value> pair: key: %q value: %q\", key, value)\n\t\t}\n\t\tout[key] = value\n\t}\n\treturn nil\n}\n\n// ParseArbitraryKeyValues parses arbitrary <key,value> tuples. The input\n// can be one of the following:\n// * JSON string\n// * Base64 encoded JSON string\n// * Comma separated list of `<key>=<value>` pairs\n// * Base64 encoded string containing comma separated list of\n//   `<key>=<value>` pairs\n//\n// Input will be parsed into the output parameter, which should\n// be a non-nil map[string]string.\nfunc ParseArbitraryKeyValues(input string, out map[string]string, sep string) error {\n\tinput = strings.TrimSpace(input)\n\tif input == \"\" {\n\t\treturn nil\n\t}\n\tif out == nil {\n\t\treturn fmt.Errorf(\"'out' is nil\")\n\t}\n\n\t// Try to base64 decode the input. 
If successful, consider the decoded\n\t// value as input.\n\tinputBytes, err := base64.StdEncoding.DecodeString(input)\n\tif err == nil {\n\t\tinput = string(inputBytes)\n\t}\n\n\t// Try to JSON unmarshal the input. If successful, consider that the\n\t// metadata was supplied as JSON input.\n\terr = json.Unmarshal([]byte(input), &out)\n\tif err != nil {\n\t\t// If JSON unmarshaling fails, consider that the input was\n\t\t// supplied as a comma separated string of 'key=value' pairs.\n\t\tif err = ParseKeyValues(input, out, sep); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse the input: %w\", err)\n\t\t}\n\t}\n\n\t// Validate the parsed input\n\tfor key, value := range out {\n\t\tif key != \"\" && value == \"\" {\n\t\t\treturn fmt.Errorf(\"invalid value for key %q\", key)\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// ParseStringSlice parses a `sep`-separated list of strings into a\n// []string with surrounding whitespace removed.\n//\n// The output will always be a valid slice but may be of length zero.\nfunc ParseStringSlice(input string, sep string) []string {\n\tinput = strings.TrimSpace(input)\n\tif input == \"\" {\n\t\treturn []string{}\n\t}\n\n\tsplitStr := strings.Split(input, sep)\n\tret := make([]string, len(splitStr))\n\tfor i, val := range splitStr {\n\t\tret[i] = strings.TrimSpace(val)\n\t}\n\n\treturn ret\n}\n\n// ParseArbitraryStringSlice parses arbitrary string slice. The input\n// can be one of the following:\n// * JSON string\n// * Base64 encoded JSON string\n// * `sep` separated list of values\n// * Base64-encoded string containing a `sep` separated list of values\n//\n// Note that the separator is ignored if the input is found to already be in a\n// structured format (e.g., JSON)\n//\n// The output will always be a valid slice but may be of length zero.\nfunc ParseArbitraryStringSlice(input string, sep string) []string {\n\tinput = strings.TrimSpace(input)\n\tif input == \"\" {\n\t\treturn []string{}\n\t}\n\n\t// Try to base64 decode the input. 
If successful, consider the decoded\n\t// value as input.\n\tinputBytes, err := base64.StdEncoding.DecodeString(input)\n\tif err == nil {\n\t\tinput = string(inputBytes)\n\t}\n\n\tret := []string{}\n\n\t// Try to JSON unmarshal the input. If successful, consider that the\n\t// metadata was supplied as JSON input.\n\terr = json.Unmarshal([]byte(input), &ret)\n\tif err != nil {\n\t\t// If JSON unmarshaling fails, consider that the input was\n\t\t// supplied as a separated string of values.\n\t\treturn ParseStringSlice(input, sep)\n\t}\n\n\tif ret == nil {\n\t\treturn []string{}\n\t}\n\n\treturn ret\n}\n\n// TrimStrings takes a slice of strings and returns a slice of strings\n// with trimmed spaces\nfunc TrimStrings(items []string) []string {\n\tret := make([]string, len(items))\n\tfor i, item := range items {\n\t\tret[i] = strings.TrimSpace(item)\n\t}\n\treturn ret\n}\n\n// RemoveDuplicates removes duplicate and empty elements from a slice of\n// strings. This also may convert the items in the slice to lower case and\n// returns a sorted slice.\nfunc RemoveDuplicates(items []string, lowercase bool) []string {\n\titemsMap := make(map[string]struct{}, len(items))\n\tfor _, item := range items {\n\t\titem = strings.TrimSpace(item)\n\t\tif item == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tif lowercase {\n\t\t\titem = strings.ToLower(item)\n\t\t}\n\t\titemsMap[item] = struct{}{}\n\t}\n\titems = make([]string, 0, len(itemsMap))\n\tfor item := range itemsMap {\n\t\titems = append(items, item)\n\t}\n\tsort.Strings(items)\n\treturn items\n}\n\n// RemoveDuplicatesStable removes duplicate and empty elements from a slice of\n// strings, preserving order (and case) of the original slice.\n// In all cases, strings are compared after trimming whitespace\n// If caseInsensitive, strings will be compared after ToLower()\nfunc RemoveDuplicatesStable(items []string, caseInsensitive bool) []string {\n\titemsMap := make(map[string]struct{}, len(items))\n\tdeduplicated := make([]string, 0, 
len(items))\n\n\tfor _, item := range items {\n\t\tkey := strings.TrimSpace(item)\n\t\tif _, ok := itemsMap[key]; ok || key == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tif caseInsensitive {\n\t\t\tkey = strings.ToLower(key)\n\t\t}\n\t\tif _, ok := itemsMap[key]; ok {\n\t\t\tcontinue\n\t\t}\n\t\titemsMap[key] = struct{}{}\n\t\tdeduplicated = append(deduplicated, item)\n\t}\n\treturn deduplicated\n}\n\n// RemoveEmpty removes empty elements from a slice of\n// strings\nfunc RemoveEmpty(items []string) []string {\n\tif len(items) == 0 {\n\t\treturn items\n\t}\n\titemsSlice := make([]string, 0, len(items))\n\tfor _, item := range items {\n\t\tif item == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\titemsSlice = append(itemsSlice, item)\n\t}\n\treturn itemsSlice\n}\n\n// EquivalentSlices checks whether the given string sets are equivalent, as in,\n// they contain the same values.\nfunc EquivalentSlices(a, b []string) bool {\n\tif a == nil && b == nil {\n\t\treturn true\n\t}\n\n\tif a == nil || b == nil {\n\t\treturn false\n\t}\n\n\t// First we'll build maps to ensure unique values\n\tmapA := make(map[string]struct{}, len(a))\n\tmapB := make(map[string]struct{}, len(b))\n\tfor _, keyA := range a {\n\t\tmapA[keyA] = struct{}{}\n\t}\n\tfor _, keyB := range b {\n\t\tmapB[keyB] = struct{}{}\n\t}\n\n\t// Now we'll build our checking slices\n\tsortedA := make([]string, 0, len(mapA))\n\tsortedB := make([]string, 0, len(mapB))\n\tfor keyA := range mapA {\n\t\tsortedA = append(sortedA, keyA)\n\t}\n\tfor keyB := range mapB {\n\t\tsortedB = append(sortedB, keyB)\n\t}\n\tsort.Strings(sortedA)\n\tsort.Strings(sortedB)\n\n\t// Finally, compare\n\tif len(sortedA) != len(sortedB) {\n\t\treturn false\n\t}\n\n\tfor i := range sortedA {\n\t\tif sortedA[i] != sortedB[i] {\n\t\t\treturn false\n\t\t}\n\t}\n\n\treturn true\n}\n\n// EqualStringMaps tests whether two map[string]string objects are equal.\n// Equal means both maps have the same sets of keys and values. 
This function\n// is 6-10x faster than a call to reflect.DeepEqual().\nfunc EqualStringMaps(a, b map[string]string) bool {\n\tif len(a) != len(b) {\n\t\treturn false\n\t}\n\n\tfor k := range a {\n\t\tv, ok := b[k]\n\t\tif !ok || a[k] != v {\n\t\t\treturn false\n\t\t}\n\t}\n\n\treturn true\n}\n\n// StrListDelete removes the first occurrence of the given item from the slice\n// of strings if the item exists.\nfunc StrListDelete(s []string, d string) []string {\n\tif s == nil {\n\t\treturn s\n\t}\n\n\tfor index, element := range s {\n\t\tif element == d {\n\t\t\treturn append(s[:index], s[index+1:]...)\n\t\t}\n\t}\n\n\treturn s\n}\n\n// GlobbedStringsMatch compares item to val with support for a leading and/or\n// trailing wildcard '*' in item.\nfunc GlobbedStringsMatch(item, val string) bool {\n\tif len(item) < 2 {\n\t\treturn val == item\n\t}\n\n\thasPrefix := strings.HasPrefix(item, \"*\")\n\thasSuffix := strings.HasSuffix(item, \"*\")\n\n\tif hasPrefix && hasSuffix {\n\t\treturn strings.Contains(val, item[1:len(item)-1])\n\t} else if hasPrefix {\n\t\treturn strings.HasSuffix(val, item[1:])\n\t} else if hasSuffix {\n\t\treturn strings.HasPrefix(val, item[:len(item)-1])\n\t}\n\n\treturn val == item\n}\n\n// AppendIfMissing adds a string to a slice if the given string is not present\nfunc AppendIfMissing(slice []string, i string) []string {\n\tif StrListContains(slice, i) {\n\t\treturn slice\n\t}\n\treturn append(slice, i)\n}\n\n// MergeSlices adds an arbitrary number of slices together, uniquely\nfunc MergeSlices(args ...[]string) []string {\n\tall := map[string]struct{}{}\n\tfor _, slice := range args {\n\t\tfor _, v := range slice {\n\t\t\tall[v] = struct{}{}\n\t\t}\n\t}\n\n\tresult := make([]string, 0, len(all))\n\tfor k := range all {\n\t\tresult = append(result, k)\n\t}\n\tsort.Strings(result)\n\treturn result\n}\n\n// Difference returns the set difference (A - B) of the two given slices. 
The\n// result will also remove any duplicated values in set A regardless of whether\n// that matches any values in set B.\nfunc Difference(a, b []string, lowercase bool) []string {\n\tif len(a) == 0 {\n\t\treturn a\n\t}\n\tif len(b) == 0 {\n\t\tif !lowercase {\n\t\t\treturn a\n\t\t}\n\t\tnewA := make([]string, len(a))\n\t\tfor i, v := range a {\n\t\t\tnewA[i] = strings.ToLower(v)\n\t\t}\n\t\treturn newA\n\t}\n\n\ta = RemoveDuplicates(a, lowercase)\n\tb = RemoveDuplicates(b, lowercase)\n\n\titemsMap := map[string]struct{}{}\n\tfor _, aVal := range a {\n\t\titemsMap[aVal] = struct{}{}\n\t}\n\n\t// Perform difference calculation\n\tfor _, bVal := range b {\n\t\tif _, ok := itemsMap[bVal]; ok {\n\t\t\tdelete(itemsMap, bVal)\n\t\t}\n\t}\n\n\titems := []string{}\n\tfor item := range itemsMap {\n\t\titems = append(items, item)\n\t}\n\tsort.Strings(items)\n\treturn items\n}\n\n// GetString attempts to retrieve a value from the provided map and assert that it is a string. If the key does not\n// exist in the map, this will return an empty string. If the key exists, but the value is not a string type, this will\n// return an error. 
If no map or key is provided, this will return an error\nfunc GetString(m map[string]interface{}, key string) (string, error) {\n\tif m == nil {\n\t\treturn \"\", fmt.Errorf(\"missing map\")\n\t}\n\tif key == \"\" {\n\t\treturn \"\", fmt.Errorf(\"missing key\")\n\t}\n\n\trawVal, ok := m[key]\n\tif !ok {\n\t\treturn \"\", nil\n\t}\n\n\tstr, ok := rawVal.(string)\n\tif !ok {\n\t\treturn \"\", fmt.Errorf(\"invalid value at %s: is a %T\", key, rawVal)\n\t}\n\treturn str, nil\n}\n\n// Printable returns true if all characters in the string are printable\n// according to Unicode\nfunc Printable(s string) bool {\n\treturn strings.IndexFunc(s, func(c rune) bool {\n\t\treturn !unicode.IsPrint(c)\n\t}) == -1\n}\n\n// StringListToInterfaceList simply takes a []string and turns it into a\n// []interface{} to satisfy the input requirements for other library functions\nfunc StringListToInterfaceList(in []string) []interface{} {\n\tret := make([]interface{}, len(in))\n\tfor i, v := range in {\n\t\tret[i] = v\n\t}\n\treturn ret\n}\n\n// Reverse reverses the input string\nfunc Reverse(in string) string {\n\tl := len(in)\n\tout := make([]byte, l)\n\tfor i := 0; i <= l/2; i++ {\n\t\tout[i], out[l-1-i] = in[l-1-i], in[i]\n\t}\n\treturn string(out)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/.gitignore",
    "content": "# Compiled Object files, Static and Dynamic libs (Shared Objects)\n*.o\n*.a\n*.so\n\n# Folders\n_obj\n_test\n\n# Architecture specific extensions/prefixes\n*.[568vq]\n[568vq].out\n\n*.cgo1.go\n*.cgo2.c\n_cgo_defun.c\n_cgo_gotypes.go\n_cgo_export.*\n\n_testmain.go\n\n*.exe\n*.test\n*.prof\n.cover.out*\ncoverage.html\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/GNUmakefile",
    "content": "TOOLS= golang.org/x/tools/cover\nGOCOVER_TMPFILE?=\t$(GOCOVER_FILE).tmp\nGOCOVER_FILE?=\t.cover.out\nGOCOVERHTML?=\tcoverage.html\nFIND=`/usr/bin/which 2> /dev/null gfind find | /usr/bin/grep -v ^no | /usr/bin/head -n 1`\nXARGS=`/usr/bin/which 2> /dev/null gxargs xargs | /usr/bin/grep -v ^no | /usr/bin/head -n 1`\n\ntest:: $(GOCOVER_FILE)\n\t@$(MAKE) -C cmd/sockaddr test\n\ncover:: coverage_report\n\n$(GOCOVER_FILE)::\n\t@${FIND} . -type d ! -path '*cmd*' ! -path '*.git*' -print0 | ${XARGS} -0 -I % sh -ec \"cd % && rm -f $(GOCOVER_TMPFILE) && go test -coverprofile=$(GOCOVER_TMPFILE)\"\n\n\t@echo 'mode: set' > $(GOCOVER_FILE)\n\t@${FIND} . -type f ! -path '*cmd*' ! -path '*.git*' -name \"$(GOCOVER_TMPFILE)\" -print0 | ${XARGS} -0 -n1 cat $(GOCOVER_TMPFILE) | grep -v '^mode: ' >> ${PWD}/$(GOCOVER_FILE)\n\n$(GOCOVERHTML): $(GOCOVER_FILE)\n\tgo tool cover -html=$(GOCOVER_FILE) -o $(GOCOVERHTML)\n\ncoverage_report:: $(GOCOVER_FILE)\n\tgo tool cover -html=$(GOCOVER_FILE)\n\naudit_tools::\n\t@go get -u github.com/golang/lint/golint && echo \"Installed golint:\"\n\t@go get -u github.com/fzipp/gocyclo && echo \"Installed gocyclo:\"\n\t@go get -u github.com/remyoudompheng/go-misc/deadcode && echo \"Installed deadcode:\"\n\t@go get -u github.com/client9/misspell/cmd/misspell && echo \"Installed misspell:\"\n\t@go get -u github.com/gordonklaus/ineffassign && echo \"Installed ineffassign:\"\n\naudit::\n\tdeadcode\n\tgo tool vet -all *.go\n\tgo tool vet -shadow=true *.go\n\tgolint *.go\n\tineffassign .\n\tgocyclo -over 65 *.go\n\tmisspell *.go\n\nclean::\n\trm -f $(GOCOVER_FILE) $(GOCOVERHTML)\n\ndev::\n\t@go build\n\t@$(MAKE) -B -C cmd/sockaddr sockaddr\n\ninstall::\n\t@go install\n\t@$(MAKE) -C cmd/sockaddr install\n\ndoc::\n\t@echo Visit: http://127.0.0.1:6161/pkg/github.com/hashicorp/go-sockaddr/\n\tgodoc -http=:6161 -goroot $GOROOT\n\nworld::\n\t@set -e; \\\n\tfor os in solaris darwin freebsd linux windows android; do \\\n\t\tfor arch in amd64; do 
\\\n\t\t\tprintf \"Building on %s-%s\\n\" \"$${os}\" \"$${arch}\" ; \\\n\t\t\tenv GOOS=\"$${os}\" GOARCH=\"$${arch}\" go build -o /dev/null; \\\n\t\tdone; \\\n\tdone\n\n\t$(MAKE) -C cmd/sockaddr world\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/LICENSE",
    "content": "Copyright (c) 2016 HashiCorp, Inc.\n\nMozilla Public License Version 2.0\n==================================\n\n1. Definitions\n--------------\n\n1.1. \"Contributor\"\n    means each individual or legal entity that creates, contributes to\n    the creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n    means the combination of the Contributions of others (if any) used\n    by a Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n    means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n    means Source Code Form to which the initial Contributor has attached\n    the notice in Exhibit A, the Executable Form of such Source Code\n    Form, and Modifications of such Source Code Form, in each case\n    including portions thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n    means\n\n    (a) that the initial Contributor has attached the notice described\n        in Exhibit B to the Covered Software; or\n\n    (b) that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the\n        terms of a Secondary License.\n\n1.6. \"Executable Form\"\n    means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n    means a work that combines Covered Software with other material, in\n    a separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n    means this document.\n\n1.9. \"Licensable\"\n    means having the right to grant, to the maximum extent possible,\n    whether at the time of the initial grant or subsequently, any and\n    all of the rights conveyed by this License.\n\n1.10. 
\"Modifications\"\n    means any of the following:\n\n    (a) any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered\n        Software; or\n\n    (b) any new file in Source Code Form that contains any Covered\n        Software.\n\n1.11. \"Patent Claims\" of a Contributor\n    means any patent claim(s), including without limitation, method,\n    process, and apparatus claims, in any patent Licensable by such\n    Contributor that would be infringed, but for the grant of the\n    License, by the making, using, selling, offering for sale, having\n    made, import, or transfer of either its Contributions or its\n    Contributor Version.\n\n1.12. \"Secondary License\"\n    means either the GNU General Public License, Version 2.0, the GNU\n    Lesser General Public License, Version 2.1, the GNU Affero General\n    Public License, Version 3.0, or any later versions of those\n    licenses.\n\n1.13. \"Source Code Form\"\n    means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n    means an individual or a legal entity exercising rights under this\n    License. For legal entities, \"You\" includes any entity that\n    controls, is controlled by, or is under common control with You. For\n    purposes of this definition, \"control\" means (a) the power, direct\n    or indirect, to cause the direction or management of such entity,\n    whether by contract or otherwise, or (b) ownership of more than\n    fifty percent (50%) of the outstanding shares or beneficial\n    ownership of such entity.\n\n2. License Grants and Conditions\n--------------------------------\n\n2.1. 
Grants\n\nEach Contributor hereby grants You a world-wide, royalty-free,\nnon-exclusive license:\n\n(a) under intellectual property rights (other than patent or trademark)\n    Licensable by such Contributor to use, reproduce, make available,\n    modify, display, perform, distribute, and otherwise exploit its\n    Contributions, either on an unmodified basis, with Modifications, or\n    as part of a Larger Work; and\n\n(b) under Patent Claims of such Contributor to make, use, sell, offer\n    for sale, have made, import, and otherwise transfer either its\n    Contributions or its Contributor Version.\n\n2.2. Effective Date\n\nThe licenses granted in Section 2.1 with respect to any Contribution\nbecome effective for each Contribution on the date the Contributor first\ndistributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\nThe licenses granted in this Section 2 are the only rights granted under\nthis License. No additional rights or licenses will be implied from the\ndistribution or licensing of Covered Software under this License.\nNotwithstanding Section 2.1(b) above, no patent license is granted by a\nContributor:\n\n(a) for any code that a Contributor has removed from Covered Software;\n    or\n\n(b) for infringements caused by: (i) Your and any other third party's\n    modifications of Covered Software, or (ii) the combination of its\n    Contributions with other software (except as part of its Contributor\n    Version); or\n\n(c) under Patent Claims infringed by Covered Software in the absence of\n    its Contributions.\n\nThis License does not grant any rights in the trademarks, service marks,\nor logos of any Contributor (except as may be necessary to comply with\nthe notice requirements in Section 3.4).\n\n2.4. 
Subsequent Licenses\n\nNo Contributor makes additional grants as a result of Your choice to\ndistribute the Covered Software under a subsequent version of this\nLicense (see Section 10.2) or under the terms of a Secondary License (if\npermitted under the terms of Section 3.3).\n\n2.5. Representation\n\nEach Contributor represents that the Contributor believes its\nContributions are its original creation(s) or it has sufficient rights\nto grant the rights to its Contributions conveyed by this License.\n\n2.6. Fair Use\n\nThis License is not intended to limit any rights You have under\napplicable copyright doctrines of fair use, fair dealing, or other\nequivalents.\n\n2.7. Conditions\n\nSections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted\nin Section 2.1.\n\n3. Responsibilities\n-------------------\n\n3.1. Distribution of Source Form\n\nAll distribution of Covered Software in Source Code Form, including any\nModifications that You create or to which You contribute, must be under\nthe terms of this License. You must inform recipients that the Source\nCode Form of the Covered Software is governed by the terms of this\nLicense, and how they can obtain a copy of this License. You may not\nattempt to alter or restrict the recipients' rights in the Source Code\nForm.\n\n3.2. 
Distribution of Executable Form\n\nIf You distribute Covered Software in Executable Form then:\n\n(a) such Covered Software must also be made available in Source Code\n    Form, as described in Section 3.1, and You must inform recipients of\n    the Executable Form how they can obtain a copy of such Source Code\n    Form by reasonable means in a timely manner, at a charge no more\n    than the cost of distribution to the recipient; and\n\n(b) You may distribute such Executable Form under the terms of this\n    License, or sublicense it under different terms, provided that the\n    license for the Executable Form does not attempt to limit or alter\n    the recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\nYou may create and distribute a Larger Work under terms of Your choice,\nprovided that You also comply with the requirements of this License for\nthe Covered Software. If the Larger Work is a combination of Covered\nSoftware with a work governed by one or more Secondary Licenses, and the\nCovered Software is not Incompatible With Secondary Licenses, this\nLicense permits You to additionally distribute such Covered Software\nunder the terms of such Secondary License(s), so that the recipient of\nthe Larger Work may, at their option, further distribute the Covered\nSoftware under the terms of either this License or such Secondary\nLicense(s).\n\n3.4. Notices\n\nYou may not remove or alter the substance of any license notices\n(including copyright notices, patent notices, disclaimers of warranty,\nor limitations of liability) contained within the Source Code Form of\nthe Covered Software, except that You may alter any license notices to\nthe extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\nYou may choose to offer, and to charge a fee for, warranty, support,\nindemnity or liability obligations to one or more recipients of Covered\nSoftware. 
However, You may do so only on Your own behalf, and not on\nbehalf of any Contributor. You must make it absolutely clear that any\nsuch warranty, support, indemnity, or liability obligation is offered by\nYou alone, and You hereby agree to indemnify every Contributor for any\nliability incurred by such Contributor as a result of warranty, support,\nindemnity or liability terms You offer. You may include additional\ndisclaimers of warranty and limitations of liability specific to any\njurisdiction.\n\n4. Inability to Comply Due to Statute or Regulation\n---------------------------------------------------\n\nIf it is impossible for You to comply with any of the terms of this\nLicense with respect to some or all of the Covered Software due to\nstatute, judicial order, or regulation then You must: (a) comply with\nthe terms of this License to the maximum extent possible; and (b)\ndescribe the limitations and the code they affect. Such description must\nbe placed in a text file included with all distributions of the Covered\nSoftware under this License. Except to the extent prohibited by statute\nor regulation, such description must be sufficiently detailed for a\nrecipient of ordinary skill to be able to understand it.\n\n5. Termination\n--------------\n\n5.1. The rights granted under this License will terminate automatically\nif You fail to comply with any of its terms. However, if You become\ncompliant, then the rights granted under this License from a particular\nContributor are reinstated (a) provisionally, unless and until such\nContributor explicitly and finally terminates Your grants, and (b) on an\nongoing basis, if such Contributor fails to notify You of the\nnon-compliance by some reasonable means prior to 60 days after You have\ncome back into compliance. 
Moreover, Your grants from a particular\nContributor are reinstated on an ongoing basis if such Contributor\nnotifies You of the non-compliance by some reasonable means, this is the\nfirst time You have received notice of non-compliance with this License\nfrom such Contributor, and You become compliant prior to 30 days after\nYour receipt of the notice.\n\n5.2. If You initiate litigation against any entity by asserting a patent\ninfringement claim (excluding declaratory judgment actions,\ncounter-claims, and cross-claims) alleging that a Contributor Version\ndirectly or indirectly infringes any patent, then the rights granted to\nYou by any and all Contributors for the Covered Software under Section\n2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all\nend user license agreements (excluding distributors and resellers) which\nhave been validly granted by You or Your distributors under this License\nprior to termination shall survive termination.\n\n************************************************************************\n*                                                                      *\n*  6. Disclaimer of Warranty                                           *\n*  -------------------------                                           *\n*                                                                      *\n*  Covered Software is provided under this License on an \"as is\"       *\n*  basis, without warranty of any kind, either expressed, implied, or  *\n*  statutory, including, without limitation, warranties that the       *\n*  Covered Software is free of defects, merchantable, fit for a        *\n*  particular purpose or non-infringing. The entire risk as to the     *\n*  quality and performance of the Covered Software is with You.        
*\n*  Should any Covered Software prove defective in any respect, You     *\n*  (not any Contributor) assume the cost of any necessary servicing,   *\n*  repair, or correction. This disclaimer of warranty constitutes an   *\n*  essential part of this License. No use of any Covered Software is   *\n*  authorized under this License except under this disclaimer.         *\n*                                                                      *\n************************************************************************\n\n************************************************************************\n*                                                                      *\n*  7. Limitation of Liability                                          *\n*  --------------------------                                          *\n*                                                                      *\n*  Under no circumstances and under no legal theory, whether tort      *\n*  (including negligence), contract, or otherwise, shall any           *\n*  Contributor, or anyone who distributes Covered Software as          *\n*  permitted above, be liable to You for any direct, indirect,         *\n*  special, incidental, or consequential damages of any character      *\n*  including, without limitation, damages for lost profits, loss of    *\n*  goodwill, work stoppage, computer failure or malfunction, or any    *\n*  and all other commercial damages or losses, even if such party      *\n*  shall have been informed of the possibility of such damages. This   *\n*  limitation of liability shall not apply to liability for death or   *\n*  personal injury resulting from such party's negligence to the       *\n*  extent applicable law prohibits such limitation. Some               *\n*  jurisdictions do not allow the exclusion or limitation of           *\n*  incidental or consequential damages, so this exclusion and          *\n*  limitation may not apply to You.                                    
*\n*                                                                      *\n************************************************************************\n\n8. Litigation\n-------------\n\nAny litigation relating to this License may be brought only in the\ncourts of a jurisdiction where the defendant maintains its principal\nplace of business and such litigation shall be governed by laws of that\njurisdiction, without reference to its conflict-of-law provisions.\nNothing in this Section shall prevent a party's ability to bring\ncross-claims or counter-claims.\n\n9. Miscellaneous\n----------------\n\nThis License represents the complete agreement concerning the subject\nmatter hereof. If any provision of this License is held to be\nunenforceable, such provision shall be reformed only to the extent\nnecessary to make it enforceable. Any law or regulation which provides\nthat the language of a contract shall be construed against the drafter\nshall not be used to construe this License against a Contributor.\n\n10. Versions of the License\n---------------------------\n\n10.1. New Versions\n\nMozilla Foundation is the license steward. Except as provided in Section\n10.3, no one other than the license steward has the right to modify or\npublish new versions of this License. Each version will be given a\ndistinguishing version number.\n\n10.2. Effect of New Versions\n\nYou may distribute the Covered Software under the terms of the version\nof the License under which You originally received the Covered Software,\nor under the terms of any subsequent version published by the license\nsteward.\n\n10.3. Modified Versions\n\nIf you create software not governed by this License, and you want to\ncreate a new license for such software, you may create and use a\nmodified version of this License if you rename the license and remove\nany references to the name of the license steward (except to note that\nsuch modified license differs from this License).\n\n10.4. 
Distributing Source Code Form that is Incompatible With Secondary\nLicenses\n\nIf You choose to distribute Source Code Form that is Incompatible With\nSecondary Licenses under the terms of this version of the License, the\nnotice described in Exhibit B of this License must be attached.\n\nExhibit A - Source Code Form License Notice\n-------------------------------------------\n\n  This Source Code Form is subject to the terms of the Mozilla Public\n  License, v. 2.0. If a copy of the MPL was not distributed with this\n  file, You can obtain one at http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular\nfile, then You may include the notice in a location (such as a LICENSE\nfile in a relevant directory) where a recipient would be likely to look\nfor such a notice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n---------------------------------------------------------\n\n  This Source Code Form is \"Incompatible With Secondary Licenses\", as\n  defined by the Mozilla Public License, v. 2.0.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/README.md",
    "content": "# go-sockaddr\n\n## `sockaddr` Library\n\nSocket address convenience functions for Go.  `go-sockaddr` is a convenience\nlibrary that makes doing the right thing with IP addresses easy.  `go-sockaddr`\nis loosely modeled after the UNIX `sockaddr_t` and creates a union of the family\nof `sockaddr_t` types (see below for an ascii diagram).  Library documentation\nis available\nat\n[https://godoc.org/github.com/hashicorp/go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr).\nThe primary intent of the library was to make it possible to define heuristics\nfor selecting the correct IP addresses when a configuration is evaluated at\nruntime.  See\nthe\n[docs](https://godoc.org/github.com/hashicorp/go-sockaddr),\n[`template` package](https://godoc.org/github.com/hashicorp/go-sockaddr/template),\ntests,\nand\n[CLI utility](https://github.com/hashicorp/go-sockaddr/tree/master/cmd/sockaddr)\nfor details and hints as to how to use this library.\n\nFor example, with this library it is possible to find an IP address that:\n\n* is attached to a default route\n  ([`GetDefaultInterfaces()`](https://godoc.org/github.com/hashicorp/go-sockaddr#GetDefaultInterfaces))\n* is contained within a CIDR block ([`IfByNetwork()`](https://godoc.org/github.com/hashicorp/go-sockaddr#IfByNetwork))\n* is an RFC1918 address\n  ([`IfByRFC(\"1918\")`](https://godoc.org/github.com/hashicorp/go-sockaddr#IfByRFC))\n* is ordered\n  ([`OrderedIfAddrBy(args)`](https://godoc.org/github.com/hashicorp/go-sockaddr#OrderedIfAddrBy) where\n  `args` includes, but is not limited\n  to,\n  [`AscIfType`](https://godoc.org/github.com/hashicorp/go-sockaddr#AscIfType),\n  [`AscNetworkSize`](https://godoc.org/github.com/hashicorp/go-sockaddr#AscNetworkSize))\n* excludes all IPv6 addresses\n  ([`IfByType(\"^(IPv4)$\")`](https://godoc.org/github.com/hashicorp/go-sockaddr#IfByType))\n* is larger than a `/32`\n  
([`IfByMaskSize(32)`](https://godoc.org/github.com/hashicorp/go-sockaddr#IfByMaskSize))\n* is not on a `down` interface\n  ([`ExcludeIfs(\"flags\", \"down\")`](https://godoc.org/github.com/hashicorp/go-sockaddr#ExcludeIfs))\n* preferences an IPv6 address over an IPv4 address\n  ([`SortIfByType()`](https://godoc.org/github.com/hashicorp/go-sockaddr#SortIfByType) +\n  [`ReverseIfAddrs()`](https://godoc.org/github.com/hashicorp/go-sockaddr#ReverseIfAddrs)); and\n* excludes any IP in RFC6890 address\n  ([`IfByRFC(\"6890\")`](https://godoc.org/github.com/hashicorp/go-sockaddr#IfByRFC))\n\nOr any combination or variation therein.\n\nThere are also a few simple helper functions such as `GetPublicIP` and\n`GetPrivateIP` which both return strings and select the first public or private\nIP address on the default interface, respectively.  Similarly, there is also a\nhelper function called `GetInterfaceIP` which returns the first usable IP\naddress on the named interface.\n\n## `sockaddr` CLI\n\nGiven the possible complexity of the `sockaddr` library, there is a CLI utility\nthat accompanies the library, also\ncalled\n[`sockaddr`](https://github.com/hashicorp/go-sockaddr/tree/master/cmd/sockaddr).\nThe\n[`sockaddr`](https://github.com/hashicorp/go-sockaddr/tree/master/cmd/sockaddr)\nutility exposes nearly all of the functionality of the library and can be used\neither as an administrative tool or testing tool.  
To install\nthe\n[`sockaddr`](https://github.com/hashicorp/go-sockaddr/tree/master/cmd/sockaddr),\nrun:\n\n```text\n$ go install github.com/hashicorp/go-sockaddr/cmd/sockaddr@latest\n```\n\nIf you're familiar with UNIX's `sockaddr` struct's, the following diagram\nmapping the C `sockaddr` (top) to `go-sockaddr` structs (bottom) and\ninterfaces will be helpful:\n\n```\n+-------------------------------------------------------+\n|                                                       |\n|                        sockaddr                       |\n|                        SockAddr                       |\n|                                                       |\n| +--------------+ +----------------------------------+ |\n| | sockaddr_un  | |                                  | |\n| | SockAddrUnix | |           sockaddr_in{,6}        | |\n| +--------------+ |                IPAddr            | |\n|                  |                                  | |\n|                  | +-------------+ +--------------+ | |\n|                  | | sockaddr_in | | sockaddr_in6 | | |\n|                  | |   IPv4Addr  | |   IPv6Addr   | | |\n|                  | +-------------+ +--------------+ | |\n|                  |                                  | |\n|                  +----------------------------------+ |\n|                                                       |\n+-------------------------------------------------------+\n```\n\n## Inspiration and Design\n\nThere were many subtle inspirations that led to this design, but the most direct\ninspiration for the filtering syntax was\nOpenBSD's\n[`pf.conf(5)`](https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&arch=default&format=html#PARAMETERS) firewall\nsyntax that lets you select the first IP address on a given named interface.\nThe original problem stemmed from:\n\n* needing to create immutable images using [Packer](https://www.packer.io) that\n  ran the [Consul](https://www.consul.io) process (Consul can only 
use one IP\n  address at a time);\n* images that may or may not have multiple interfaces or IP addresses at\n  runtime; and\n* we didn't want to rely on configuration management to render out the correct\n  IP address if the VM image was being used in an auto-scaling group.\n\nInstead we needed some way to codify a heuristic that would correctly select the\nright IP address but the input parameters were not known when the image was\ncreated.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/doc.go",
    "content": "/*\nPackage sockaddr is a Go implementation of the UNIX socket family data types and\nrelated helper functions.\n*/\npackage sockaddr\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ifaddr.go",
    "content": "package sockaddr\n\nimport \"strings\"\n\n// ifAddrAttrMap is a map of the IfAddr type-specific attributes.\nvar ifAddrAttrMap map[AttrName]func(IfAddr) string\nvar ifAddrAttrs []AttrName\n\nfunc init() {\n\tifAddrAttrInit()\n}\n\n// GetPrivateIP returns a string with a single IP address that is part of RFC\n// 6890 and has a default route.  If the system can't determine its IP address\n// or find an RFC 6890 IP address, an empty string will be returned instead.\n// This function is the `eval` equivalent of:\n//\n// ```\n// $ sockaddr eval -r '{{GetPrivateInterfaces | attr \"address\"}}'\n/// ```\nfunc GetPrivateIP() (string, error) {\n\tprivateIfs, err := GetPrivateInterfaces()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif len(privateIfs) < 1 {\n\t\treturn \"\", nil\n\t}\n\n\tifAddr := privateIfs[0]\n\tip := *ToIPAddr(ifAddr.SockAddr)\n\treturn ip.NetIP().String(), nil\n}\n\n// GetPrivateIPs returns a string with all IP addresses that are part of RFC\n// 6890 (regardless of whether or not there is a default route, unlike\n// GetPublicIP).  If the system can't find any RFC 6890 IP addresses, an empty\n// string will be returned instead.  
This function is the `eval` equivalent of:\n//\n// ```\n// $ sockaddr eval -r '{{GetAllInterfaces | include \"RFC\" \"6890\" | join \"address\" \" \"}}'\n/// ```\nfunc GetPrivateIPs() (string, error) {\n\tifAddrs, err := GetAllInterfaces()\n\tif err != nil {\n\t\treturn \"\", err\n\t} else if len(ifAddrs) < 1 {\n\t\treturn \"\", nil\n\t}\n\n\tifAddrs, _ = FilterIfByType(ifAddrs, TypeIP)\n\tif len(ifAddrs) == 0 {\n\t\treturn \"\", nil\n\t}\n\n\tOrderedIfAddrBy(AscIfType, AscIfNetworkSize).Sort(ifAddrs)\n\n\tifAddrs, _, err = IfByRFC(\"6890\", ifAddrs)\n\tif err != nil {\n\t\treturn \"\", err\n\t} else if len(ifAddrs) == 0 {\n\t\treturn \"\", nil\n\t}\n\n\t_, ifAddrs, err = IfByRFC(ForwardingBlacklistRFC, ifAddrs)\n\tif err != nil {\n\t\treturn \"\", err\n\t} else if len(ifAddrs) == 0 {\n\t\treturn \"\", nil\n\t}\n\n\tips := make([]string, 0, len(ifAddrs))\n\tfor _, ifAddr := range ifAddrs {\n\t\tip := *ToIPAddr(ifAddr.SockAddr)\n\t\ts := ip.NetIP().String()\n\t\tips = append(ips, s)\n\t}\n\n\treturn strings.Join(ips, \" \"), nil\n}\n\n// GetPublicIP returns a string with a single IP address that is NOT part of RFC\n// 6890 and has a default route.  If the system can't determine its IP address\n// or find a non RFC 6890 IP address, an empty string will be returned instead.\n// This function is the `eval` equivalent of:\n//\n// ```\n// $ sockaddr eval -r '{{GetPublicInterfaces | attr \"address\"}}'\n/// ```\nfunc GetPublicIP() (string, error) {\n\tpublicIfs, err := GetPublicInterfaces()\n\tif err != nil {\n\t\treturn \"\", err\n\t} else if len(publicIfs) < 1 {\n\t\treturn \"\", nil\n\t}\n\n\tifAddr := publicIfs[0]\n\tip := *ToIPAddr(ifAddr.SockAddr)\n\treturn ip.NetIP().String(), nil\n}\n\n// GetPublicIPs returns a string with all IP addresses that are NOT part of RFC\n// 6890 (regardless of whether or not there is a default route, unlike\n// GetPublicIP).  If the system can't find any non RFC 6890 IP addresses, an\n// empty string will be returned instead.  
This function is the `eval`\n// equivalent of:\n//\n// ```\n// $ sockaddr eval -r '{{GetAllInterfaces | exclude \"RFC\" \"6890\" | join \"address\" \" \"}}'\n/// ```\nfunc GetPublicIPs() (string, error) {\n\tifAddrs, err := GetAllInterfaces()\n\tif err != nil {\n\t\treturn \"\", err\n\t} else if len(ifAddrs) < 1 {\n\t\treturn \"\", nil\n\t}\n\n\tifAddrs, _ = FilterIfByType(ifAddrs, TypeIP)\n\tif len(ifAddrs) == 0 {\n\t\treturn \"\", nil\n\t}\n\n\tOrderedIfAddrBy(AscIfType, AscIfNetworkSize).Sort(ifAddrs)\n\n\t_, ifAddrs, err = IfByRFC(\"6890\", ifAddrs)\n\tif err != nil {\n\t\treturn \"\", err\n\t} else if len(ifAddrs) == 0 {\n\t\treturn \"\", nil\n\t}\n\n\tips := make([]string, 0, len(ifAddrs))\n\tfor _, ifAddr := range ifAddrs {\n\t\tip := *ToIPAddr(ifAddr.SockAddr)\n\t\ts := ip.NetIP().String()\n\t\tips = append(ips, s)\n\t}\n\n\treturn strings.Join(ips, \" \"), nil\n}\n\n// GetInterfaceIP returns a string with a single IP address sorted by the size\n// of the network (i.e. IP addresses with a smaller netmask, larger network\n// size, are sorted first).  
This function is the `eval` equivalent of:\n//\n// ```\n// $ sockaddr eval -r '{{GetAllInterfaces | include \"name\" <<ARG>> | sort \"type,size\" | include \"flag\" \"forwardable\" | attr \"address\" }}'\n/// ```\nfunc GetInterfaceIP(namedIfRE string) (string, error) {\n\tifAddrs, err := GetAllInterfaces()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tifAddrs, _, err = IfByName(namedIfRE, ifAddrs)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tifAddrs, _, err = IfByFlag(\"forwardable\", ifAddrs)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tifAddrs, err = SortIfBy(\"+type,+size\", ifAddrs)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tif len(ifAddrs) == 0 {\n\t\treturn \"\", err\n\t}\n\n\tip := ToIPAddr(ifAddrs[0].SockAddr)\n\tif ip == nil {\n\t\treturn \"\", err\n\t}\n\n\treturn IPAddrAttr(*ip, \"address\"), nil\n}\n\n// GetInterfaceIPs returns a string with all IPs, sorted by the size of the\n// network (i.e. IP addresses with a smaller netmask, larger network size, are\n// sorted first), on a named interface.  
This function is the `eval` equivalent\n// of:\n//\n// ```\n// $ sockaddr eval -r '{{GetAllInterfaces | include \"name\" <<ARG>> | sort \"type,size\" | join \"address\" \" \"}}'\n/// ```\nfunc GetInterfaceIPs(namedIfRE string) (string, error) {\n\tifAddrs, err := GetAllInterfaces()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tifAddrs, _, err = IfByName(namedIfRE, ifAddrs)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tifAddrs, err = SortIfBy(\"+type,+size\", ifAddrs)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tif len(ifAddrs) == 0 {\n\t\treturn \"\", err\n\t}\n\n\tips := make([]string, 0, len(ifAddrs))\n\tfor _, ifAddr := range ifAddrs {\n\t\tip := *ToIPAddr(ifAddr.SockAddr)\n\t\ts := ip.NetIP().String()\n\t\tips = append(ips, s)\n\t}\n\n\treturn strings.Join(ips, \" \"), nil\n}\n\n// IfAddrAttrs returns a list of attributes supported by the IfAddr type\nfunc IfAddrAttrs() []AttrName {\n\treturn ifAddrAttrs\n}\n\n// IfAddrAttr returns a string representation of an attribute for the given\n// IfAddr.\nfunc IfAddrAttr(ifAddr IfAddr, attrName AttrName) string {\n\tfn, found := ifAddrAttrMap[attrName]\n\tif !found {\n\t\treturn \"\"\n\t}\n\n\treturn fn(ifAddr)\n}\n\n// ifAddrAttrInit is called once at init()\nfunc ifAddrAttrInit() {\n\t// Sorted for human readability\n\tifAddrAttrs = []AttrName{\n\t\t\"flags\",\n\t\t\"name\",\n\t}\n\n\tifAddrAttrMap = map[AttrName]func(ifAddr IfAddr) string{\n\t\t\"flags\": func(ifAddr IfAddr) string {\n\t\t\treturn ifAddr.Interface.Flags.String()\n\t\t},\n\t\t\"name\": func(ifAddr IfAddr) string {\n\t\t\treturn ifAddr.Interface.Name\n\t\t},\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ifaddrs.go",
    "content": "package sockaddr\n\nimport (\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math/big\"\n\t\"net\"\n\t\"regexp\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nvar (\n\t// Centralize all regexps and regexp.Copy() where necessary.\n\tsignRE       *regexp.Regexp = regexp.MustCompile(`^[\\s]*[+-]`)\n\twhitespaceRE *regexp.Regexp = regexp.MustCompile(`[\\s]+`)\n\t// These regular expressions enable the deprecated parseDefaultIfNameWindows\n\t// and should be removed when those functions are.\n\tifNameRE *regexp.Regexp = regexp.MustCompile(`^(?:Ethernet|Wireless LAN) adapter ([^:]+):`)\n\tipAddrRE *regexp.Regexp = regexp.MustCompile(`^   IPv[46] Address\\. \\. \\. \\. \\. \\. \\. \\. \\. \\. \\. : ([^\\s]+)`)\n)\n\n// IfAddrs is a slice of IfAddr\ntype IfAddrs []IfAddr\n\nfunc (ifs IfAddrs) Len() int { return len(ifs) }\n\n// CmpIfFunc is the function signature that must be met to be used in the\n// OrderedIfAddrBy multiIfAddrSorter\ntype CmpIfAddrFunc func(p1, p2 *IfAddr) int\n\n// multiIfAddrSorter implements the Sort interface, sorting the IfAddrs within.\ntype multiIfAddrSorter struct {\n\tifAddrs IfAddrs\n\tcmp     []CmpIfAddrFunc\n}\n\n// Sort sorts the argument slice according to the Cmp functions passed to\n// OrderedIfAddrBy.\nfunc (ms *multiIfAddrSorter) Sort(ifAddrs IfAddrs) {\n\tms.ifAddrs = ifAddrs\n\tsort.Sort(ms)\n}\n\n// OrderedIfAddrBy sorts SockAddr by the list of sort function pointers.\nfunc OrderedIfAddrBy(cmpFuncs ...CmpIfAddrFunc) *multiIfAddrSorter {\n\treturn &multiIfAddrSorter{\n\t\tcmp: cmpFuncs,\n\t}\n}\n\n// Len is part of sort.Interface.\nfunc (ms *multiIfAddrSorter) Len() int {\n\treturn len(ms.ifAddrs)\n}\n\n// Less is part of sort.Interface. It is implemented by looping along the Cmp()\n// functions until it finds a comparison that is either less than or greater\n// than.  
A return value of 0 defers sorting to the next function in the\n// multisorter (which means the results of sorting may leave the results in a\n// non-deterministic order).\nfunc (ms *multiIfAddrSorter) Less(i, j int) bool {\n\tp, q := &ms.ifAddrs[i], &ms.ifAddrs[j]\n\t// Try all but the last comparison.\n\tvar k int\n\tfor k = 0; k < len(ms.cmp)-1; k++ {\n\t\tcmp := ms.cmp[k]\n\t\tx := cmp(p, q)\n\t\tswitch x {\n\t\tcase -1:\n\t\t\t// p < q, so we have a decision.\n\t\t\treturn true\n\t\tcase 1:\n\t\t\t// p > q, so we have a decision.\n\t\t\treturn false\n\t\t}\n\t\t// p == q; try the next comparison.\n\t}\n\t// All comparisons to here said \"equal\", so just return whatever the\n\t// final comparison reports.\n\tswitch ms.cmp[k](p, q) {\n\tcase -1:\n\t\treturn true\n\tcase 1:\n\t\treturn false\n\tdefault:\n\t\t// Still a tie! Now what?\n\t\treturn false\n\t\tpanic(\"undefined sort order for remaining items in the list\")\n\t}\n}\n\n// Swap is part of sort.Interface.\nfunc (ms *multiIfAddrSorter) Swap(i, j int) {\n\tms.ifAddrs[i], ms.ifAddrs[j] = ms.ifAddrs[j], ms.ifAddrs[i]\n}\n\n// AscIfAddress is a sorting function to sort IfAddrs by their respective\n// address type.  Non-equal types are deferred in the sort.\nfunc AscIfAddress(p1Ptr, p2Ptr *IfAddr) int {\n\treturn AscAddress(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// AscIfDefault is a sorting function to sort IfAddrs by whether or not they\n// have a default route or not.  Non-equal types are deferred in the sort.\n//\n// FIXME: This is a particularly expensive sorting operation because of the\n// non-memoized calls to NewRouteInfo().  In an ideal world we would fetch the routeInfo data\n// once at the start of the sort and pass it along as a context or by wrapping\n// the IfAddr type with this information (this would also solve the inability to\n// return errors and the possibility of failing silently).  Fortunately,\n// N*log(N) where N = 3 is only ~6.2 invocations.  Not ideal, but not worth\n// optimizing today.  
The common case is this gets called once or twice.\n// Patches welcome.\nfunc AscIfDefault(p1Ptr, p2Ptr *IfAddr) int {\n\tri, err := NewRouteInfo()\n\tif err != nil {\n\t\treturn sortDeferDecision\n\t}\n\n\tdefaultIfName, err := ri.GetDefaultInterfaceName()\n\tif err != nil {\n\t\treturn sortDeferDecision\n\t}\n\n\tswitch {\n\tcase p1Ptr.Interface.Name == defaultIfName && p2Ptr.Interface.Name == defaultIfName:\n\t\treturn sortDeferDecision\n\tcase p1Ptr.Interface.Name == defaultIfName:\n\t\treturn sortReceiverBeforeArg\n\tcase p2Ptr.Interface.Name == defaultIfName:\n\t\treturn sortArgBeforeReceiver\n\tdefault:\n\t\treturn sortDeferDecision\n\t}\n}\n\n// AscIfName is a sorting function to sort IfAddrs by their interface names.\nfunc AscIfName(p1Ptr, p2Ptr *IfAddr) int {\n\treturn strings.Compare(p1Ptr.Name, p2Ptr.Name)\n}\n\n// AscIfNetworkSize is a sorting function to sort IfAddrs by their respective\n// network mask size.\nfunc AscIfNetworkSize(p1Ptr, p2Ptr *IfAddr) int {\n\treturn AscNetworkSize(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// AscIfPort is a sorting function to sort IfAddrs by their respective\n// port type.  Non-equal types are deferred in the sort.\nfunc AscIfPort(p1Ptr, p2Ptr *IfAddr) int {\n\treturn AscPort(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// AscIfPrivate is a sorting function to sort IfAddrs by \"private\" values before\n// \"public\" values.  Both IPv4 and IPv6 are compared against RFC6890 (RFC6890\n// includes, and is not limited to, RFC1918 and RFC6598 for IPv4, and IPv6\n// includes RFC4193).\nfunc AscIfPrivate(p1Ptr, p2Ptr *IfAddr) int {\n\treturn AscPrivate(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// AscIfType is a sorting function to sort IfAddrs by their respective address\n// type.  
Non-equal types are deferred in the sort.\nfunc AscIfType(p1Ptr, p2Ptr *IfAddr) int {\n\treturn AscType(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// DescIfAddress is identical to AscIfAddress but reverse ordered.\nfunc DescIfAddress(p1Ptr, p2Ptr *IfAddr) int {\n\treturn -1 * AscAddress(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// DescIfDefault is identical to AscIfDefault but reverse ordered.\nfunc DescIfDefault(p1Ptr, p2Ptr *IfAddr) int {\n\treturn -1 * AscIfDefault(p1Ptr, p2Ptr)\n}\n\n// DescIfName is identical to AscIfName but reverse ordered.\nfunc DescIfName(p1Ptr, p2Ptr *IfAddr) int {\n\treturn -1 * strings.Compare(p1Ptr.Name, p2Ptr.Name)\n}\n\n// DescIfNetworkSize is identical to AscIfNetworkSize but reverse ordered.\nfunc DescIfNetworkSize(p1Ptr, p2Ptr *IfAddr) int {\n\treturn -1 * AscNetworkSize(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// DescIfPort is identical to AscIfPort but reverse ordered.\nfunc DescIfPort(p1Ptr, p2Ptr *IfAddr) int {\n\treturn -1 * AscPort(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// DescIfPrivate is identical to AscIfPrivate but reverse ordered.\nfunc DescIfPrivate(p1Ptr, p2Ptr *IfAddr) int {\n\treturn -1 * AscPrivate(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// DescIfType is identical to AscIfType but reverse ordered.\nfunc DescIfType(p1Ptr, p2Ptr *IfAddr) int {\n\treturn -1 * AscType(&p1Ptr.SockAddr, &p2Ptr.SockAddr)\n}\n\n// FilterIfByType filters IfAddrs and returns a list of the matching type\nfunc FilterIfByType(ifAddrs IfAddrs, type_ SockAddrType) (matchedIfs, excludedIfs IfAddrs) {\n\texcludedIfs = make(IfAddrs, 0, len(ifAddrs))\n\tmatchedIfs = make(IfAddrs, 0, len(ifAddrs))\n\n\tfor _, ifAddr := range ifAddrs {\n\t\tif ifAddr.SockAddr.Type()&type_ != 0 {\n\t\t\tmatchedIfs = append(matchedIfs, ifAddr)\n\t\t} else {\n\t\t\texcludedIfs = append(excludedIfs, ifAddr)\n\t\t}\n\t}\n\treturn matchedIfs, excludedIfs\n}\n\n// IfAttr forwards the selector to IfAttr.Attr() for resolution.  
If there is\n// more than one IfAddr, only the first IfAddr is used.\nfunc IfAttr(selectorName string, ifAddr IfAddr) (string, error) {\n\tattrName := AttrName(strings.ToLower(selectorName))\n\tattrVal, err := ifAddr.Attr(attrName)\n\treturn attrVal, err\n}\n\n// IfAttrs forwards the selector to IfAttrs.Attr() for resolution.  If there is\n// more than one IfAddr, only the first IfAddr is used.\nfunc IfAttrs(selectorName string, ifAddrs IfAddrs) (string, error) {\n\tif len(ifAddrs) == 0 {\n\t\treturn \"\", nil\n\t}\n\n\tattrName := AttrName(strings.ToLower(selectorName))\n\tattrVal, err := ifAddrs[0].Attr(attrName)\n\treturn attrVal, err\n}\n\n// GetAllInterfaces iterates over all available network interfaces and finds all\n// available IP addresses on each interface and converts them to\n// sockaddr.IPAddrs, and returning the result as an array of IfAddr.\nfunc GetAllInterfaces() (IfAddrs, error) {\n\tifs, err := net.Interfaces()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tifAddrs := make(IfAddrs, 0, len(ifs))\n\tfor _, intf := range ifs {\n\t\taddrs, err := intf.Addrs()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tfor _, addr := range addrs {\n\t\t\tvar ipAddr IPAddr\n\t\t\tipAddr, err = NewIPAddr(addr.String())\n\t\t\tif err != nil {\n\t\t\t\treturn IfAddrs{}, fmt.Errorf(\"unable to create an IP address from %q\", addr.String())\n\t\t\t}\n\n\t\t\tifAddr := IfAddr{\n\t\t\t\tSockAddr:  ipAddr,\n\t\t\t\tInterface: intf,\n\t\t\t}\n\t\t\tifAddrs = append(ifAddrs, ifAddr)\n\t\t}\n\t}\n\n\treturn ifAddrs, nil\n}\n\n// GetDefaultInterfaces returns IfAddrs of the addresses attached to the default\n// route.\nfunc GetDefaultInterfaces() (IfAddrs, error) {\n\tri, err := NewRouteInfo()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tdefaultIfName, err := ri.GetDefaultInterfaceName()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar defaultIfs, ifAddrs IfAddrs\n\tifAddrs, err = GetAllInterfaces()\n\tfor _, ifAddr := range ifAddrs {\n\t\tif 
ifAddr.Name == defaultIfName {\n\t\t\tdefaultIfs = append(defaultIfs, ifAddr)\n\t\t}\n\t}\n\n\treturn defaultIfs, nil\n}\n\n// GetPrivateInterfaces returns an IfAddrs that are part of RFC 6890 and have a\n// default route.  If the system can't determine its IP address or find an RFC\n// 6890 IP address, an empty IfAddrs will be returned instead.  This function is\n// the `eval` equivalent of:\n//\n// ```\n// $ sockaddr eval -r '{{GetAllInterfaces | include \"type\" \"ip\" | include \"flags\" \"forwardable\" | include \"flags\" \"up\" | sort \"default,type,size\" | include \"RFC\" \"6890\" }}'\n/// ```\nfunc GetPrivateInterfaces() (IfAddrs, error) {\n\tprivateIfs, err := GetAllInterfaces()\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t}\n\tif len(privateIfs) == 0 {\n\t\treturn IfAddrs{}, nil\n\t}\n\n\tprivateIfs, _ = FilterIfByType(privateIfs, TypeIP)\n\tif len(privateIfs) == 0 {\n\t\treturn IfAddrs{}, nil\n\t}\n\n\tprivateIfs, _, err = IfByFlag(\"forwardable\", privateIfs)\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t}\n\n\tprivateIfs, _, err = IfByFlag(\"up\", privateIfs)\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t}\n\n\tif len(privateIfs) == 0 {\n\t\treturn IfAddrs{}, nil\n\t}\n\n\tOrderedIfAddrBy(AscIfDefault, AscIfType, AscIfNetworkSize).Sort(privateIfs)\n\n\tprivateIfs, _, err = IfByRFC(\"6890\", privateIfs)\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t} else if len(privateIfs) == 0 {\n\t\treturn IfAddrs{}, nil\n\t}\n\n\treturn privateIfs, nil\n}\n\n// GetPublicInterfaces returns an IfAddrs that are NOT part of RFC 6890 and has a\n// default route.  If the system can't determine its IP address or find a non\n// RFC 6890 IP address, an empty IfAddrs will be returned instead.  
This\n// function is the `eval` equivalent of:\n//\n// ```\n// $ sockaddr eval -r '{{GetAllInterfaces | include \"type\" \"ip\" | include \"flags\" \"forwardable\" | include \"flags\" \"up\" | sort \"default,type,size\" | exclude \"RFC\" \"6890\" }}'\n/// ```\nfunc GetPublicInterfaces() (IfAddrs, error) {\n\tpublicIfs, err := GetAllInterfaces()\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t}\n\tif len(publicIfs) == 0 {\n\t\treturn IfAddrs{}, nil\n\t}\n\n\tpublicIfs, _ = FilterIfByType(publicIfs, TypeIP)\n\tif len(publicIfs) == 0 {\n\t\treturn IfAddrs{}, nil\n\t}\n\n\tpublicIfs, _, err = IfByFlag(\"forwardable\", publicIfs)\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t}\n\n\tpublicIfs, _, err = IfByFlag(\"up\", publicIfs)\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t}\n\n\tif len(publicIfs) == 0 {\n\t\treturn IfAddrs{}, nil\n\t}\n\n\tOrderedIfAddrBy(AscIfDefault, AscIfType, AscIfNetworkSize).Sort(publicIfs)\n\n\t_, publicIfs, err = IfByRFC(\"6890\", publicIfs)\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t} else if len(publicIfs) == 0 {\n\t\treturn IfAddrs{}, nil\n\t}\n\n\treturn publicIfs, nil\n}\n\n// IfByAddress returns a list of matched and non-matched IfAddrs, or an error if\n// the regexp fails to compile.\nfunc IfByAddress(inputRe string, ifAddrs IfAddrs) (matched, remainder IfAddrs, err error) {\n\tre, err := regexp.Compile(inputRe)\n\tif err != nil {\n\t\treturn nil, nil, fmt.Errorf(\"Unable to compile address regexp %+q: %v\", inputRe, err)\n\t}\n\n\tmatchedAddrs := make(IfAddrs, 0, len(ifAddrs))\n\texcludedAddrs := make(IfAddrs, 0, len(ifAddrs))\n\tfor _, addr := range ifAddrs {\n\t\tif re.MatchString(addr.SockAddr.String()) {\n\t\t\tmatchedAddrs = append(matchedAddrs, addr)\n\t\t} else {\n\t\t\texcludedAddrs = append(excludedAddrs, addr)\n\t\t}\n\t}\n\n\treturn matchedAddrs, excludedAddrs, nil\n}\n\n// IfByName returns a list of matched and non-matched IfAddrs, or an error if\n// the regexp fails to compile.\nfunc IfByName(inputRe string, 
ifAddrs IfAddrs) (matched, remainder IfAddrs, err error) {\n\tre, err := regexp.Compile(inputRe)\n\tif err != nil {\n\t\treturn nil, nil, fmt.Errorf(\"Unable to compile name regexp %+q: %v\", inputRe, err)\n\t}\n\n\tmatchedAddrs := make(IfAddrs, 0, len(ifAddrs))\n\texcludedAddrs := make(IfAddrs, 0, len(ifAddrs))\n\tfor _, addr := range ifAddrs {\n\t\tif re.MatchString(addr.Name) {\n\t\t\tmatchedAddrs = append(matchedAddrs, addr)\n\t\t} else {\n\t\t\texcludedAddrs = append(excludedAddrs, addr)\n\t\t}\n\t}\n\n\treturn matchedAddrs, excludedAddrs, nil\n}\n\n// IfByPort returns a list of matched and non-matched IfAddrs, or an error if\n// the regexp fails to compile.\nfunc IfByPort(inputRe string, ifAddrs IfAddrs) (matchedIfs, excludedIfs IfAddrs, err error) {\n\tre, err := regexp.Compile(inputRe)\n\tif err != nil {\n\t\treturn nil, nil, fmt.Errorf(\"Unable to compile port regexp %+q: %v\", inputRe, err)\n\t}\n\n\tipIfs, nonIfs := FilterIfByType(ifAddrs, TypeIP)\n\tmatchedIfs = make(IfAddrs, 0, len(ipIfs))\n\texcludedIfs = append(IfAddrs(nil), nonIfs...)\n\tfor _, addr := range ipIfs {\n\t\tipAddr := ToIPAddr(addr.SockAddr)\n\t\tif ipAddr == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\tport := strconv.FormatInt(int64((*ipAddr).IPPort()), 10)\n\t\tif re.MatchString(port) {\n\t\t\tmatchedIfs = append(matchedIfs, addr)\n\t\t} else {\n\t\t\texcludedIfs = append(excludedIfs, addr)\n\t\t}\n\t}\n\n\treturn matchedIfs, excludedIfs, nil\n}\n\n// IfByRFC returns a list of matched and non-matched IfAddrs that contain the\n// relevant RFC-specified traits.\nfunc IfByRFC(selectorParam string, ifAddrs IfAddrs) (matched, remainder IfAddrs, err error) {\n\tinputRFC, err := strconv.ParseUint(selectorParam, 10, 64)\n\tif err != nil {\n\t\treturn IfAddrs{}, IfAddrs{}, fmt.Errorf(\"unable to parse RFC number %q: %v\", selectorParam, err)\n\t}\n\n\tmatchedIfAddrs := make(IfAddrs, 0, len(ifAddrs))\n\tremainingIfAddrs := make(IfAddrs, 0, len(ifAddrs))\n\n\trfcNetMap := KnownRFCs()\n\trfcNets, ok := 
rfcNetMap[uint(inputRFC)]\n\tif !ok {\n\t\treturn nil, nil, fmt.Errorf(\"unsupported RFC %d\", inputRFC)\n\t}\n\n\tfor _, ifAddr := range ifAddrs {\n\t\tvar contained bool\n\t\tfor _, rfcNet := range rfcNets {\n\t\t\tif rfcNet.Contains(ifAddr.SockAddr) {\n\t\t\t\tmatchedIfAddrs = append(matchedIfAddrs, ifAddr)\n\t\t\t\tcontained = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !contained {\n\t\t\tremainingIfAddrs = append(remainingIfAddrs, ifAddr)\n\t\t}\n\t}\n\n\treturn matchedIfAddrs, remainingIfAddrs, nil\n}\n\n// IfByRFCs returns a list of matched and non-matched IfAddrs that contain the\n// relevant RFC-specified traits.  Multiple RFCs can be specified and separated\n// by the `|` symbol.  No protection is taken to ensure an IfAddr does not end\n// up in both the included and excluded list.\nfunc IfByRFCs(selectorParam string, ifAddrs IfAddrs) (matched, remainder IfAddrs, err error) {\n\tvar includedIfs, excludedIfs IfAddrs\n\tfor _, rfcStr := range strings.Split(selectorParam, \"|\") {\n\t\tincludedRFCIfs, excludedRFCIfs, err := IfByRFC(rfcStr, ifAddrs)\n\t\tif err != nil {\n\t\t\treturn IfAddrs{}, IfAddrs{}, fmt.Errorf(\"unable to lookup RFC number %q: %v\", rfcStr, err)\n\t\t}\n\t\tincludedIfs = append(includedIfs, includedRFCIfs...)\n\t\texcludedIfs = append(excludedIfs, excludedRFCIfs...)\n\t}\n\n\treturn includedIfs, excludedIfs, nil\n}\n\n// IfByMaskSize returns a list of matched and non-matched IfAddrs that have the\n// matching mask size.\nfunc IfByMaskSize(selectorParam string, ifAddrs IfAddrs) (matchedIfs, excludedIfs IfAddrs, err error) {\n\tmaskSize, err := strconv.ParseUint(selectorParam, 10, 64)\n\tif err != nil {\n\t\treturn IfAddrs{}, IfAddrs{}, fmt.Errorf(\"invalid exclude size argument (%q): %v\", selectorParam, err)\n\t}\n\n\tipIfs, nonIfs := FilterIfByType(ifAddrs, TypeIP)\n\tmatchedIfs = make(IfAddrs, 0, len(ipIfs))\n\texcludedIfs = append(IfAddrs(nil), nonIfs...)\n\tfor _, addr := range ipIfs {\n\t\tipAddr := ToIPAddr(addr.SockAddr)\n\t\tif 
ipAddr == nil {\n\t\t\treturn IfAddrs{}, IfAddrs{}, fmt.Errorf(\"unable to filter mask sizes on non-IP type %s: %v\", addr.SockAddr.Type().String(), addr.SockAddr.String())\n\t\t}\n\n\t\tswitch {\n\t\tcase (*ipAddr).Type()&TypeIPv4 != 0 && maskSize > 32:\n\t\t\treturn IfAddrs{}, IfAddrs{}, fmt.Errorf(\"mask size out of bounds for IPv4 address: %d\", maskSize)\n\t\tcase (*ipAddr).Type()&TypeIPv6 != 0 && maskSize > 128:\n\t\t\treturn IfAddrs{}, IfAddrs{}, fmt.Errorf(\"mask size out of bounds for IPv6 address: %d\", maskSize)\n\t\t}\n\n\t\tif (*ipAddr).Maskbits() == int(maskSize) {\n\t\t\tmatchedIfs = append(matchedIfs, addr)\n\t\t} else {\n\t\t\texcludedIfs = append(excludedIfs, addr)\n\t\t}\n\t}\n\n\treturn matchedIfs, excludedIfs, nil\n}\n\n// IfByType returns a list of matching and non-matching IfAddr that match the\n// specified type.  For instance:\n//\n// include \"type\" \"IPv4,IPv6\"\n//\n// will include any IfAddrs that is either an IPv4 or IPv6 address.  Any\n// addresses on those interfaces that don't match will be included in the\n// remainder results.\nfunc IfByType(inputTypes string, ifAddrs IfAddrs) (matched, remainder IfAddrs, err error) {\n\tmatchingIfAddrs := make(IfAddrs, 0, len(ifAddrs))\n\tremainingIfAddrs := make(IfAddrs, 0, len(ifAddrs))\n\n\tifTypes := strings.Split(strings.ToLower(inputTypes), \"|\")\n\tfor _, ifType := range ifTypes {\n\t\tswitch ifType {\n\t\tcase \"ip\", \"ipv4\", \"ipv6\", \"unix\":\n\t\t\t// Valid types\n\t\tdefault:\n\t\t\treturn nil, nil, fmt.Errorf(\"unsupported type %q %q\", ifType, inputTypes)\n\t\t}\n\t}\n\n\tfor _, ifAddr := range ifAddrs {\n\t\tfor _, ifType := range ifTypes {\n\t\t\tvar matched bool\n\t\t\tswitch {\n\t\t\tcase ifType == \"ip\" && ifAddr.SockAddr.Type()&TypeIP != 0:\n\t\t\t\tmatched = true\n\t\t\tcase ifType == \"ipv4\" && ifAddr.SockAddr.Type()&TypeIPv4 != 0:\n\t\t\t\tmatched = true\n\t\t\tcase ifType == \"ipv6\" && ifAddr.SockAddr.Type()&TypeIPv6 != 0:\n\t\t\t\tmatched = true\n\t\t\tcase ifType 
== \"unix\" && ifAddr.SockAddr.Type()&TypeUnix != 0:\n\t\t\t\tmatched = true\n\t\t\t}\n\n\t\t\tif matched {\n\t\t\t\tmatchingIfAddrs = append(matchingIfAddrs, ifAddr)\n\t\t\t} else {\n\t\t\t\tremainingIfAddrs = append(remainingIfAddrs, ifAddr)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn matchingIfAddrs, remainingIfAddrs, nil\n}\n\n// IfByFlag returns a list of matching and non-matching IfAddrs that match the\n// specified type.  For instance:\n//\n// include \"flag\" \"up,broadcast\"\n//\n// will include any IfAddrs that have both the \"up\" and \"broadcast\" flags set.\n// Any addresses on those interfaces that don't match will be omitted from the\n// results.\nfunc IfByFlag(inputFlags string, ifAddrs IfAddrs) (matched, remainder IfAddrs, err error) {\n\tmatchedAddrs := make(IfAddrs, 0, len(ifAddrs))\n\texcludedAddrs := make(IfAddrs, 0, len(ifAddrs))\n\n\tvar wantForwardable,\n\t\twantGlobalUnicast,\n\t\twantInterfaceLocalMulticast,\n\t\twantLinkLocalMulticast,\n\t\twantLinkLocalUnicast,\n\t\twantLoopback,\n\t\twantMulticast,\n\t\twantUnspecified bool\n\tvar ifFlags net.Flags\n\tvar checkFlags, checkAttrs bool\n\tfor _, flagName := range strings.Split(strings.ToLower(inputFlags), \"|\") {\n\t\tswitch flagName {\n\t\tcase \"broadcast\":\n\t\t\tcheckFlags = true\n\t\t\tifFlags = ifFlags | net.FlagBroadcast\n\t\tcase \"down\":\n\t\t\tcheckFlags = true\n\t\t\tifFlags = (ifFlags &^ net.FlagUp)\n\t\tcase \"forwardable\":\n\t\t\tcheckAttrs = true\n\t\t\twantForwardable = true\n\t\tcase \"global unicast\":\n\t\t\tcheckAttrs = true\n\t\t\twantGlobalUnicast = true\n\t\tcase \"interface-local multicast\":\n\t\t\tcheckAttrs = true\n\t\t\twantInterfaceLocalMulticast = true\n\t\tcase \"link-local multicast\":\n\t\t\tcheckAttrs = true\n\t\t\twantLinkLocalMulticast = true\n\t\tcase \"link-local unicast\":\n\t\t\tcheckAttrs = true\n\t\t\twantLinkLocalUnicast = true\n\t\tcase \"loopback\":\n\t\t\tcheckAttrs = true\n\t\t\tcheckFlags = true\n\t\t\tifFlags = ifFlags | 
net.FlagLoopback\n\t\t\twantLoopback = true\n\t\tcase \"multicast\":\n\t\t\tcheckAttrs = true\n\t\t\tcheckFlags = true\n\t\t\tifFlags = ifFlags | net.FlagMulticast\n\t\t\twantMulticast = true\n\t\tcase \"point-to-point\":\n\t\t\tcheckFlags = true\n\t\t\tifFlags = ifFlags | net.FlagPointToPoint\n\t\tcase \"unspecified\":\n\t\t\tcheckAttrs = true\n\t\t\twantUnspecified = true\n\t\tcase \"up\":\n\t\t\tcheckFlags = true\n\t\t\tifFlags = ifFlags | net.FlagUp\n\t\tdefault:\n\t\t\treturn nil, nil, fmt.Errorf(\"Unknown interface flag: %+q\", flagName)\n\t\t}\n\t}\n\n\tfor _, ifAddr := range ifAddrs {\n\t\tvar matched bool\n\t\tif checkFlags && ifAddr.Interface.Flags&ifFlags == ifFlags {\n\t\t\tmatched = true\n\t\t}\n\t\tif checkAttrs {\n\t\t\tif ip := ToIPAddr(ifAddr.SockAddr); ip != nil {\n\t\t\t\tnetIP := (*ip).NetIP()\n\t\t\t\tswitch {\n\t\t\t\tcase wantGlobalUnicast && netIP.IsGlobalUnicast():\n\t\t\t\t\tmatched = true\n\t\t\t\tcase wantInterfaceLocalMulticast && netIP.IsInterfaceLocalMulticast():\n\t\t\t\t\tmatched = true\n\t\t\t\tcase wantLinkLocalMulticast && netIP.IsLinkLocalMulticast():\n\t\t\t\t\tmatched = true\n\t\t\t\tcase wantLinkLocalUnicast && netIP.IsLinkLocalUnicast():\n\t\t\t\t\tmatched = true\n\t\t\t\tcase wantLoopback && netIP.IsLoopback():\n\t\t\t\t\tmatched = true\n\t\t\t\tcase wantMulticast && netIP.IsMulticast():\n\t\t\t\t\tmatched = true\n\t\t\t\tcase wantUnspecified && netIP.IsUnspecified():\n\t\t\t\t\tmatched = true\n\t\t\t\tcase wantForwardable && !IsRFC(ForwardingBlacklist, ifAddr.SockAddr):\n\t\t\t\t\tmatched = true\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif matched {\n\t\t\tmatchedAddrs = append(matchedAddrs, ifAddr)\n\t\t} else {\n\t\t\texcludedAddrs = append(excludedAddrs, ifAddr)\n\t\t}\n\t}\n\treturn matchedAddrs, excludedAddrs, nil\n}\n\n// IfByNetwork returns an IfAddrs that are equal to or included within the\n// network passed in by selector.\nfunc IfByNetwork(selectorParam string, inputIfAddrs IfAddrs) (IfAddrs, IfAddrs, error) {\n\tvar 
includedIfs, excludedIfs IfAddrs\n\tfor _, netStr := range strings.Split(selectorParam, \"|\") {\n\t\tnetAddr, err := NewIPAddr(netStr)\n\t\tif err != nil {\n\t\t\treturn nil, nil, fmt.Errorf(\"unable to create an IP address from %+q: %v\", netStr, err)\n\t\t}\n\n\t\tfor _, ifAddr := range inputIfAddrs {\n\t\t\tif netAddr.Contains(ifAddr.SockAddr) {\n\t\t\t\tincludedIfs = append(includedIfs, ifAddr)\n\t\t\t} else {\n\t\t\t\texcludedIfs = append(excludedIfs, ifAddr)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn includedIfs, excludedIfs, nil\n}\n\n// IfAddrMath will return a new IfAddr struct with a mutated value.\nfunc IfAddrMath(operation, value string, inputIfAddr IfAddr) (IfAddr, error) {\n\t// Regexp used to enforce the sign being a required part of the grammar for\n\t// some values.\n\tsignRe := signRE.Copy()\n\n\tswitch strings.ToLower(operation) {\n\tcase \"address\":\n\t\t// \"address\" operates on the IP address and is allowed to overflow or\n\t\t// underflow networks, however it will wrap along the underlying address's\n\t\t// underlying type.\n\n\t\tif !signRe.MatchString(value) {\n\t\t\treturn IfAddr{}, fmt.Errorf(\"sign (+/-) is required for operation %q\", operation)\n\t\t}\n\n\t\tswitch sockType := inputIfAddr.SockAddr.Type(); sockType {\n\t\tcase TypeIPv4:\n\t\t\t// 33 == Accept any uint32 value\n\t\t\t// TODO(seanc@): Add the ability to parse hex\n\t\t\ti, err := strconv.ParseInt(value, 10, 33)\n\t\t\tif err != nil {\n\t\t\t\treturn IfAddr{}, fmt.Errorf(\"unable to convert %q to int for operation %q: %v\", value, operation, err)\n\t\t\t}\n\n\t\t\tipv4 := *ToIPv4Addr(inputIfAddr.SockAddr)\n\t\t\tipv4Uint32 := uint32(ipv4.Address)\n\t\t\tipv4Uint32 += uint32(i)\n\t\t\treturn IfAddr{\n\t\t\t\tSockAddr: IPv4Addr{\n\t\t\t\t\tAddress: IPv4Address(ipv4Uint32),\n\t\t\t\t\tMask:    ipv4.Mask,\n\t\t\t\t},\n\t\t\t\tInterface: inputIfAddr.Interface,\n\t\t\t}, nil\n\t\tcase TypeIPv6:\n\t\t\t// 64 == Accept any int64 value\n\t\t\t// TODO(seanc@): Add the ability to parse hex. 
 Also parse a bignum int.\n\t\t\ti, err := strconv.ParseInt(value, 10, 64)\n\t\t\tif err != nil {\n\t\t\t\treturn IfAddr{}, fmt.Errorf(\"unable to convert %q to int for operation %q: %v\", value, operation, err)\n\t\t\t}\n\n\t\t\tipv6 := *ToIPv6Addr(inputIfAddr.SockAddr)\n\t\t\tipv6BigIntA := new(big.Int)\n\t\t\tipv6BigIntA.Set(ipv6.Address)\n\t\t\tipv6BigIntB := big.NewInt(i)\n\n\t\t\tipv6Addr := ipv6BigIntA.Add(ipv6BigIntA, ipv6BigIntB)\n\t\t\tipv6Addr.And(ipv6Addr, ipv6HostMask)\n\n\t\t\treturn IfAddr{\n\t\t\t\tSockAddr: IPv6Addr{\n\t\t\t\t\tAddress: IPv6Address(ipv6Addr),\n\t\t\t\t\tMask:    ipv6.Mask,\n\t\t\t\t},\n\t\t\t\tInterface: inputIfAddr.Interface,\n\t\t\t}, nil\n\t\tdefault:\n\t\t\treturn IfAddr{}, fmt.Errorf(\"unsupported type for operation %q: %T\", operation, sockType)\n\t\t}\n\tcase \"network\":\n\t\t// \"network\" operates on the network address.  Positive values start at the\n\t\t// network address and negative values wrap at the network address, which\n\t\t// means a \"-1\" value on a network will be the broadcast address after\n\t\t// wrapping is applied.\n\n\t\tif !signRe.MatchString(value) {\n\t\t\treturn IfAddr{}, fmt.Errorf(\"sign (+/-) is required for operation %q\", operation)\n\t\t}\n\n\t\tswitch sockType := inputIfAddr.SockAddr.Type(); sockType {\n\t\tcase TypeIPv4:\n\t\t\t// 33 == Accept any uint32 value\n\t\t\t// TODO(seanc@): Add the ability to parse hex\n\t\t\ti, err := strconv.ParseInt(value, 10, 33)\n\t\t\tif err != nil {\n\t\t\t\treturn IfAddr{}, fmt.Errorf(\"unable to convert %q to int for operation %q: %v\", value, operation, err)\n\t\t\t}\n\n\t\t\tipv4 := *ToIPv4Addr(inputIfAddr.SockAddr)\n\t\t\tipv4Uint32 := uint32(ipv4.NetworkAddress())\n\n\t\t\t// Wrap along network mask boundaries.  
EZ-mode wrapping made possible by\n\t\t\t// use of int64 vs a uint.\n\t\t\tvar wrappedMask int64\n\t\t\tif i >= 0 {\n\t\t\t\twrappedMask = i\n\t\t\t} else {\n\t\t\t\twrappedMask = 1 + i + int64(^uint32(ipv4.Mask))\n\t\t\t}\n\n\t\t\tipv4Uint32 = ipv4Uint32 + (uint32(wrappedMask) &^ uint32(ipv4.Mask))\n\n\t\t\treturn IfAddr{\n\t\t\t\tSockAddr: IPv4Addr{\n\t\t\t\t\tAddress: IPv4Address(ipv4Uint32),\n\t\t\t\t\tMask:    ipv4.Mask,\n\t\t\t\t},\n\t\t\t\tInterface: inputIfAddr.Interface,\n\t\t\t}, nil\n\t\tcase TypeIPv6:\n\t\t\t// 64 == Accept any int64 value\n\t\t\t// TODO(seanc@): Add the ability to parse hex.  Also parse a bignum int.\n\t\t\ti, err := strconv.ParseInt(value, 10, 64)\n\t\t\tif err != nil {\n\t\t\t\treturn IfAddr{}, fmt.Errorf(\"unable to convert %q to int for operation %q: %v\", value, operation, err)\n\t\t\t}\n\n\t\t\tipv6 := *ToIPv6Addr(inputIfAddr.SockAddr)\n\t\t\tipv6BigInt := new(big.Int)\n\t\t\tipv6BigInt.Set(ipv6.NetworkAddress())\n\n\t\t\tmask := new(big.Int)\n\t\t\tmask.Set(ipv6.Mask)\n\t\t\tif i > 0 {\n\t\t\t\twrappedMask := new(big.Int)\n\t\t\t\twrappedMask.SetInt64(i)\n\n\t\t\t\twrappedMask.AndNot(wrappedMask, mask)\n\t\t\t\tipv6BigInt.Add(ipv6BigInt, wrappedMask)\n\t\t\t} else {\n\t\t\t\t// Mask off any bits that exceed the network size.  
Subtract the\n\t\t\t\t// wrappedMask from the last usable - 1\n\t\t\t\twrappedMask := new(big.Int)\n\t\t\t\twrappedMask.SetInt64(-1 * i)\n\t\t\t\twrappedMask.Sub(wrappedMask, big.NewInt(1))\n\n\t\t\t\twrappedMask.AndNot(wrappedMask, mask)\n\n\t\t\t\tlastUsable := new(big.Int)\n\t\t\t\tlastUsable.Set(ipv6.LastUsable().(IPv6Addr).Address)\n\n\t\t\t\tipv6BigInt = lastUsable.Sub(lastUsable, wrappedMask)\n\t\t\t}\n\n\t\t\treturn IfAddr{\n\t\t\t\tSockAddr: IPv6Addr{\n\t\t\t\t\tAddress: IPv6Address(ipv6BigInt),\n\t\t\t\t\tMask:    ipv6.Mask,\n\t\t\t\t},\n\t\t\t\tInterface: inputIfAddr.Interface,\n\t\t\t}, nil\n\t\tdefault:\n\t\t\treturn IfAddr{}, fmt.Errorf(\"unsupported type for operation %q: %T\", operation, sockType)\n\t\t}\n\tcase \"mask\":\n\t\t// \"mask\" operates on the IP address and returns the IP address on\n\t\t// which the given integer mask has been applied. If the applied mask\n\t\t// corresponds to a larger network than the mask of the IP address,\n\t\t// the latter will be replaced by the former.\n\t\tswitch sockType := inputIfAddr.SockAddr.Type(); sockType {\n\t\tcase TypeIPv4:\n\t\t\ti, err := strconv.ParseUint(value, 10, 32)\n\t\t\tif err != nil {\n\t\t\t\treturn IfAddr{}, fmt.Errorf(\"unable to convert %q to int for operation %q: %v\", value, operation, err)\n\t\t\t}\n\n\t\t\tif i > 32 {\n\t\t\t\treturn IfAddr{}, fmt.Errorf(\"parameter for operation %q on ipv4 addresses must be between 0 and 32\", operation)\n\t\t\t}\n\n\t\t\tipv4 := *ToIPv4Addr(inputIfAddr.SockAddr)\n\n\t\t\tipv4Mask := net.CIDRMask(int(i), 32)\n\t\t\tipv4MaskUint32 := binary.BigEndian.Uint32(ipv4Mask)\n\n\t\t\tmaskedIpv4 := ipv4.NetIP().Mask(ipv4Mask)\n\t\t\tmaskedIpv4Uint32 := binary.BigEndian.Uint32(maskedIpv4)\n\n\t\t\tmaskedIpv4MaskUint32 := uint32(ipv4.Mask)\n\n\t\t\tif ipv4MaskUint32 < maskedIpv4MaskUint32 {\n\t\t\t\tmaskedIpv4MaskUint32 = ipv4MaskUint32\n\t\t\t}\n\n\t\t\treturn IfAddr{\n\t\t\t\tSockAddr: IPv4Addr{\n\t\t\t\t\tAddress: 
IPv4Address(maskedIpv4Uint32),\n\t\t\t\t\tMask:    IPv4Mask(maskedIpv4MaskUint32),\n\t\t\t\t},\n\t\t\t\tInterface: inputIfAddr.Interface,\n\t\t\t}, nil\n\t\tcase TypeIPv6:\n\t\t\ti, err := strconv.ParseUint(value, 10, 32)\n\t\t\tif err != nil {\n\t\t\t\treturn IfAddr{}, fmt.Errorf(\"unable to convert %q to int for operation %q: %v\", value, operation, err)\n\t\t\t}\n\n\t\t\tif i > 128 {\n\t\t\t\treturn IfAddr{}, fmt.Errorf(\"parameter for operation %q on ipv6 addresses must be between 0 and 64\", operation)\n\t\t\t}\n\n\t\t\tipv6 := *ToIPv6Addr(inputIfAddr.SockAddr)\n\n\t\t\tipv6Mask := net.CIDRMask(int(i), 128)\n\t\t\tipv6MaskBigInt := new(big.Int)\n\t\t\tipv6MaskBigInt.SetBytes(ipv6Mask)\n\n\t\t\tmaskedIpv6 := ipv6.NetIP().Mask(ipv6Mask)\n\t\t\tmaskedIpv6BigInt := new(big.Int)\n\t\t\tmaskedIpv6BigInt.SetBytes(maskedIpv6)\n\n\t\t\tmaskedIpv6MaskBigInt := new(big.Int)\n\t\t\tmaskedIpv6MaskBigInt.Set(ipv6.Mask)\n\n\t\t\tif ipv6MaskBigInt.Cmp(maskedIpv6MaskBigInt) == -1 {\n\t\t\t\tmaskedIpv6MaskBigInt = ipv6MaskBigInt\n\t\t\t}\n\n\t\t\treturn IfAddr{\n\t\t\t\tSockAddr: IPv6Addr{\n\t\t\t\t\tAddress: IPv6Address(maskedIpv6BigInt),\n\t\t\t\t\tMask:    IPv6Mask(maskedIpv6MaskBigInt),\n\t\t\t\t},\n\t\t\t\tInterface: inputIfAddr.Interface,\n\t\t\t}, nil\n\t\tdefault:\n\t\t\treturn IfAddr{}, fmt.Errorf(\"unsupported type for operation %q: %T\", operation, sockType)\n\t\t}\n\tdefault:\n\t\treturn IfAddr{}, fmt.Errorf(\"unsupported math operation: %q\", operation)\n\t}\n}\n\n// IfAddrsMath will apply an IfAddrMath operation each IfAddr struct.  
Any\n// failure will result in zero results.\nfunc IfAddrsMath(operation, value string, inputIfAddrs IfAddrs) (IfAddrs, error) {\n\toutputAddrs := make(IfAddrs, 0, len(inputIfAddrs))\n\tfor _, ifAddr := range inputIfAddrs {\n\t\tresult, err := IfAddrMath(operation, value, ifAddr)\n\t\tif err != nil {\n\t\t\treturn IfAddrs{}, fmt.Errorf(\"unable to perform an IPMath operation on %s: %v\", ifAddr, err)\n\t\t}\n\t\toutputAddrs = append(outputAddrs, result)\n\t}\n\treturn outputAddrs, nil\n}\n\n// IncludeIfs returns an IfAddrs based on the passed in selector.\nfunc IncludeIfs(selectorName, selectorParam string, inputIfAddrs IfAddrs) (IfAddrs, error) {\n\tvar includedIfs IfAddrs\n\tvar err error\n\n\tswitch strings.ToLower(selectorName) {\n\tcase \"address\":\n\t\tincludedIfs, _, err = IfByAddress(selectorParam, inputIfAddrs)\n\tcase \"flag\", \"flags\":\n\t\tincludedIfs, _, err = IfByFlag(selectorParam, inputIfAddrs)\n\tcase \"name\":\n\t\tincludedIfs, _, err = IfByName(selectorParam, inputIfAddrs)\n\tcase \"network\":\n\t\tincludedIfs, _, err = IfByNetwork(selectorParam, inputIfAddrs)\n\tcase \"port\":\n\t\tincludedIfs, _, err = IfByPort(selectorParam, inputIfAddrs)\n\tcase \"rfc\", \"rfcs\":\n\t\tincludedIfs, _, err = IfByRFCs(selectorParam, inputIfAddrs)\n\tcase \"size\":\n\t\tincludedIfs, _, err = IfByMaskSize(selectorParam, inputIfAddrs)\n\tcase \"type\":\n\t\tincludedIfs, _, err = IfByType(selectorParam, inputIfAddrs)\n\tdefault:\n\t\treturn IfAddrs{}, fmt.Errorf(\"invalid include selector %q\", selectorName)\n\t}\n\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t}\n\n\treturn includedIfs, nil\n}\n\n// ExcludeIfs returns an IfAddrs based on the passed in selector.\nfunc ExcludeIfs(selectorName, selectorParam string, inputIfAddrs IfAddrs) (IfAddrs, error) {\n\tvar excludedIfs IfAddrs\n\tvar err error\n\n\tswitch strings.ToLower(selectorName) {\n\tcase \"address\":\n\t\t_, excludedIfs, err = IfByAddress(selectorParam, inputIfAddrs)\n\tcase \"flag\", 
\"flags\":\n\t\t_, excludedIfs, err = IfByFlag(selectorParam, inputIfAddrs)\n\tcase \"name\":\n\t\t_, excludedIfs, err = IfByName(selectorParam, inputIfAddrs)\n\tcase \"network\":\n\t\t_, excludedIfs, err = IfByNetwork(selectorParam, inputIfAddrs)\n\tcase \"port\":\n\t\t_, excludedIfs, err = IfByPort(selectorParam, inputIfAddrs)\n\tcase \"rfc\", \"rfcs\":\n\t\t_, excludedIfs, err = IfByRFCs(selectorParam, inputIfAddrs)\n\tcase \"size\":\n\t\t_, excludedIfs, err = IfByMaskSize(selectorParam, inputIfAddrs)\n\tcase \"type\":\n\t\t_, excludedIfs, err = IfByType(selectorParam, inputIfAddrs)\n\tdefault:\n\t\treturn IfAddrs{}, fmt.Errorf(\"invalid exclude selector %q\", selectorName)\n\t}\n\n\tif err != nil {\n\t\treturn IfAddrs{}, err\n\t}\n\n\treturn excludedIfs, nil\n}\n\n// SortIfBy returns an IfAddrs sorted based on the passed in selector.  Multiple\n// sort clauses can be passed in as a comma delimited list without whitespace.\nfunc SortIfBy(selectorParam string, inputIfAddrs IfAddrs) (IfAddrs, error) {\n\tsortedIfs := append(IfAddrs(nil), inputIfAddrs...)\n\n\tclauses := strings.Split(selectorParam, \",\")\n\tsortFuncs := make([]CmpIfAddrFunc, len(clauses))\n\n\tfor i, clause := range clauses {\n\t\tswitch strings.TrimSpace(strings.ToLower(clause)) {\n\t\tcase \"+address\", \"address\":\n\t\t\t// The \"address\" selector returns an array of IfAddrs\n\t\t\t// ordered by the network address.  
IfAddrs that are not\n\t\t\t// comparable will be at the end of the list and in a\n\t\t\t// non-deterministic order.\n\t\t\tsortFuncs[i] = AscIfAddress\n\t\tcase \"-address\":\n\t\t\tsortFuncs[i] = DescIfAddress\n\t\tcase \"+default\", \"default\":\n\t\t\tsortFuncs[i] = AscIfDefault\n\t\tcase \"-default\":\n\t\t\tsortFuncs[i] = DescIfDefault\n\t\tcase \"+name\", \"name\":\n\t\t\t// The \"name\" selector returns an array of IfAddrs\n\t\t\t// ordered by the interface name.\n\t\t\tsortFuncs[i] = AscIfName\n\t\tcase \"-name\":\n\t\t\tsortFuncs[i] = DescIfName\n\t\tcase \"+port\", \"port\":\n\t\t\t// The \"port\" selector returns an array of IfAddrs\n\t\t\t// ordered by the port, if included in the IfAddr.\n\t\t\t// IfAddrs that are not comparable will be at the end of\n\t\t\t// the list and in a non-deterministic order.\n\t\t\tsortFuncs[i] = AscIfPort\n\t\tcase \"-port\":\n\t\t\tsortFuncs[i] = DescIfPort\n\t\tcase \"+private\", \"private\":\n\t\t\t// The \"private\" selector returns an array of IfAddrs\n\t\t\t// ordered by private addresses first.  IfAddrs that are\n\t\t\t// not comparable will be at the end of the list and in\n\t\t\t// a non-deterministic order.\n\t\t\tsortFuncs[i] = AscIfPrivate\n\t\tcase \"-private\":\n\t\t\tsortFuncs[i] = DescIfPrivate\n\t\tcase \"+size\", \"size\":\n\t\t\t// The \"size\" selector returns an array of IfAddrs\n\t\t\t// ordered by the size of the network mask, smaller mask\n\t\t\t// (larger number of hosts per network) to largest\n\t\t\t// (e.g. a /24 sorts before a /32).\n\t\t\tsortFuncs[i] = AscIfNetworkSize\n\t\tcase \"-size\":\n\t\t\tsortFuncs[i] = DescIfNetworkSize\n\t\tcase \"+type\", \"type\":\n\t\t\t// The \"type\" selector returns an array of IfAddrs\n\t\t\t// ordered by the type of the IfAddr.  
The sort order is\n\t\t\t// Unix, IPv4, then IPv6.\n\t\t\tsortFuncs[i] = AscIfType\n\t\tcase \"-type\":\n\t\t\tsortFuncs[i] = DescIfType\n\t\tdefault:\n\t\t\t// Return an empty list for invalid sort types.\n\t\t\treturn IfAddrs{}, fmt.Errorf(\"unknown sort type: %q\", clause)\n\t\t}\n\t}\n\n\tOrderedIfAddrBy(sortFuncs...).Sort(sortedIfs)\n\n\treturn sortedIfs, nil\n}\n\n// UniqueIfAddrsBy creates a unique set of IfAddrs based on the matching\n// selector.  UniqueIfAddrsBy assumes the input has already been sorted.\nfunc UniqueIfAddrsBy(selectorName string, inputIfAddrs IfAddrs) (IfAddrs, error) {\n\tattrName := strings.ToLower(selectorName)\n\n\tifs := make(IfAddrs, 0, len(inputIfAddrs))\n\tvar lastMatch string\n\tfor _, ifAddr := range inputIfAddrs {\n\t\tvar out string\n\t\tswitch attrName {\n\t\tcase \"address\":\n\t\t\tout = ifAddr.SockAddr.String()\n\t\tcase \"name\":\n\t\t\tout = ifAddr.Name\n\t\tdefault:\n\t\t\treturn nil, fmt.Errorf(\"unsupported unique constraint %+q\", selectorName)\n\t\t}\n\n\t\tswitch {\n\t\tcase lastMatch == \"\", lastMatch != out:\n\t\t\tlastMatch = out\n\t\t\tifs = append(ifs, ifAddr)\n\t\tcase lastMatch == out:\n\t\t\tcontinue\n\t\t}\n\t}\n\n\treturn ifs, nil\n}\n\n// JoinIfAddrs joins an IfAddrs and returns a string\nfunc JoinIfAddrs(selectorName string, joinStr string, inputIfAddrs IfAddrs) (string, error) {\n\toutputs := make([]string, 0, len(inputIfAddrs))\n\tattrName := AttrName(strings.ToLower(selectorName))\n\n\tfor _, ifAddr := range inputIfAddrs {\n\t\tvar attrVal string\n\t\tvar err error\n\t\tattrVal, err = ifAddr.Attr(attrName)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\toutputs = append(outputs, attrVal)\n\t}\n\treturn strings.Join(outputs, joinStr), nil\n}\n\n// LimitIfAddrs returns a slice of IfAddrs based on the specified limit.\nfunc LimitIfAddrs(lim uint, in IfAddrs) (IfAddrs, error) {\n\t// Clamp the limit to the length of the array\n\tif int(lim) > len(in) {\n\t\tlim = uint(len(in))\n\t}\n\n\treturn 
in[0:lim], nil\n}\n\n// OffsetIfAddrs returns a slice of IfAddrs based on the specified offset.\nfunc OffsetIfAddrs(off int, in IfAddrs) (IfAddrs, error) {\n\tvar end bool\n\tif off < 0 {\n\t\tend = true\n\t\toff = off * -1\n\t}\n\n\tif off > len(in) {\n\t\treturn IfAddrs{}, fmt.Errorf(\"unable to seek past the end of the interface array: offset (%d) exceeds the number of interfaces (%d)\", off, len(in))\n\t}\n\n\tif end {\n\t\treturn in[len(in)-off:], nil\n\t}\n\treturn in[off:], nil\n}\n\nfunc (ifAddr IfAddr) String() string {\n\treturn fmt.Sprintf(\"%s %v\", ifAddr.SockAddr, ifAddr.Interface)\n}\n\n// parseDefaultIfNameFromRoute parses standard route(8)'s output for the *BSDs\n// and Solaris.\nfunc parseDefaultIfNameFromRoute(routeOut string) (string, error) {\n\tlines := strings.Split(routeOut, \"\\n\")\n\tfor _, line := range lines {\n\t\tkvs := strings.SplitN(line, \":\", 2)\n\t\tif len(kvs) != 2 {\n\t\t\tcontinue\n\t\t}\n\n\t\tif strings.TrimSpace(kvs[0]) == \"interface\" {\n\t\t\tifName := strings.TrimSpace(kvs[1])\n\t\t\treturn ifName, nil\n\t\t}\n\t}\n\n\treturn \"\", errors.New(\"No default interface found\")\n}\n\n// parseDefaultIfNameFromIPCmd parses the default interface from ip(8) for\n// Linux.\nfunc parseDefaultIfNameFromIPCmd(routeOut string) (string, error) {\n\tparsedLines := parseIfNameFromIPCmd(routeOut)\n\tfor _, parsedLine := range parsedLines {\n\t\tif parsedLine[0] == \"default\" &&\n\t\t\tparsedLine[1] == \"via\" &&\n\t\t\tparsedLine[3] == \"dev\" {\n\t\t\tifName := strings.TrimSpace(parsedLine[4])\n\t\t\treturn ifName, nil\n\t\t}\n\t}\n\n\treturn \"\", errors.New(\"No default interface found\")\n}\n\n// parseDefaultIfNameFromIPCmdAndroid parses the default interface from ip(8) for\n// Android.\nfunc parseDefaultIfNameFromIPCmdAndroid(routeOut string) (string, error) {\n\tparsedLines := parseIfNameFromIPCmd(routeOut)\n\tif len(parsedLines) > 0 {\n\t\tifName := strings.TrimSpace(parsedLines[0][4])\n\t\treturn ifName, nil\n\t}\n\n\treturn 
\"\", errors.New(\"No default interface found\")\n}\n\n// parseIfNameFromIPCmd parses interfaces from ip(8) for\n// Linux.\nfunc parseIfNameFromIPCmd(routeOut string) [][]string {\n\tlines := strings.Split(routeOut, \"\\n\")\n\tre := whitespaceRE.Copy()\n\tparsedLines := make([][]string, 0, len(lines))\n\tfor _, line := range lines {\n\t\tkvs := re.Split(line, -1)\n\t\tif len(kvs) < 5 {\n\t\t\tcontinue\n\t\t}\n\t\tparsedLines = append(parsedLines, kvs)\n\t}\n\treturn parsedLines\n}\n\n// parseDefaultIfNameWindows parses the default interface from `netstat -rn` and\n// `ipconfig` on Windows.\n//\n// This has been deprecated in favor of a Powershell-based solution because of\n// issues with localized Windows versions, but is currently retained for backward\n// compatibility.\nfunc parseDefaultIfNameWindows(routeOut, ipconfigOut string) (string, error) {\n\tdefaultIPAddr, err := parseDefaultIPAddrWindowsRoute(routeOut)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tifName, err := parseDefaultIfNameWindowsIPConfig(defaultIPAddr, ipconfigOut)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\treturn ifName, nil\n}\n\n// parseDefaultIPAddrWindowsRoute parses the IP address on the default interface\n// from `netstat -rn`.\n//\n// NOTES(sean): Only IPv4 addresses are parsed at this time.  
If you have an\n// IPv6 connected host, submit an issue on github.com/hashicorp/go-sockaddr with\n// the output from `netstat -rn`, `ipconfig`, and version of Windows to see IPv6\n// support added.\n//\n// This has been deprecated in favor of a Powershell-based solution because of\n// issues with localized Windows versions, but is currently retained for backward\n// compatibility.\nfunc parseDefaultIPAddrWindowsRoute(routeOut string) (string, error) {\n\tlines := strings.Split(routeOut, \"\\n\")\n\tre := whitespaceRE.Copy()\n\tfor _, line := range lines {\n\t\tkvs := re.Split(strings.TrimSpace(line), -1)\n\t\tif len(kvs) < 3 {\n\t\t\tcontinue\n\t\t}\n\n\t\tif kvs[0] == \"0.0.0.0\" && kvs[1] == \"0.0.0.0\" {\n\t\t\tdefaultIPAddr := strings.TrimSpace(kvs[3])\n\t\t\treturn defaultIPAddr, nil\n\t\t}\n\t}\n\n\treturn \"\", errors.New(\"No IP on default interface found\")\n}\n\n// parseDefaultIfNameWindowsIPConfig parses the output of `ipconfig` to find the\n// interface name forwarding traffic to the default gateway.\n//\n// This has been deprecated in favor of a Powershell-based solution because of\n// issues with localized Windows versions, but is currently retained for backward\n// compatibility\nfunc parseDefaultIfNameWindowsIPConfig(defaultIPAddr, routeOut string) (string, error) {\n\tlines := strings.Split(routeOut, \"\\n\")\n\tifNameRe := ifNameRE.Copy()\n\tipAddrRe := ipAddrRE.Copy()\n\tvar ifName string\n\tfor _, line := range lines {\n\t\tswitch ifNameMatches := ifNameRe.FindStringSubmatch(line); {\n\t\tcase len(ifNameMatches) > 1:\n\t\t\tifName = ifNameMatches[1]\n\t\t\tcontinue\n\t\t}\n\n\t\tswitch ipAddrMatches := ipAddrRe.FindStringSubmatch(line); {\n\t\tcase len(ipAddrMatches) > 1 && ipAddrMatches[1] == defaultIPAddr:\n\t\t\treturn ifName, nil\n\t\t}\n\t}\n\n\treturn \"\", errors.New(\"No default interface found with matching IP\")\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ifattr.go",
    "content": "package sockaddr\n\nimport (\n\t\"fmt\"\n\t\"net\"\n)\n\n// IfAddr is a union of a SockAddr and a net.Interface.\ntype IfAddr struct {\n\tSockAddr\n\tnet.Interface\n}\n\n// Attr returns the named attribute as a string\nfunc (ifAddr IfAddr) Attr(attrName AttrName) (string, error) {\n\tval := IfAddrAttr(ifAddr, attrName)\n\tif val != \"\" {\n\t\treturn val, nil\n\t}\n\n\treturn Attr(ifAddr.SockAddr, attrName)\n}\n\n// Attr returns the named attribute as a string\nfunc Attr(sa SockAddr, attrName AttrName) (string, error) {\n\tswitch sockType := sa.Type(); {\n\tcase sockType&TypeIP != 0:\n\t\tip := *ToIPAddr(sa)\n\t\tattrVal := IPAddrAttr(ip, attrName)\n\t\tif attrVal != \"\" {\n\t\t\treturn attrVal, nil\n\t\t}\n\n\t\tif sockType == TypeIPv4 {\n\t\t\tipv4 := *ToIPv4Addr(sa)\n\t\t\tattrVal := IPv4AddrAttr(ipv4, attrName)\n\t\t\tif attrVal != \"\" {\n\t\t\t\treturn attrVal, nil\n\t\t\t}\n\t\t} else if sockType == TypeIPv6 {\n\t\t\tipv6 := *ToIPv6Addr(sa)\n\t\t\tattrVal := IPv6AddrAttr(ipv6, attrName)\n\t\t\tif attrVal != \"\" {\n\t\t\t\treturn attrVal, nil\n\t\t\t}\n\t\t}\n\n\tcase sockType == TypeUnix:\n\t\tus := *ToUnixSock(sa)\n\t\tattrVal := UnixSockAttr(us, attrName)\n\t\tif attrVal != \"\" {\n\t\t\treturn attrVal, nil\n\t\t}\n\t}\n\n\t// Non type-specific attributes\n\tswitch attrName {\n\tcase \"string\":\n\t\treturn sa.String(), nil\n\tcase \"type\":\n\t\treturn sa.Type().String(), nil\n\t}\n\n\treturn \"\", fmt.Errorf(\"unsupported attribute name %q\", attrName)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipaddr.go",
    "content": "package sockaddr\n\nimport (\n\t\"fmt\"\n\t\"math/big\"\n\t\"net\"\n\t\"strings\"\n)\n\n// Constants for the sizes of IPv3, IPv4, and IPv6 address types.\nconst (\n\tIPv3len = 6\n\tIPv4len = 4\n\tIPv6len = 16\n)\n\n// IPAddr is a generic IP address interface for IPv4 and IPv6 addresses,\n// networks, and socket endpoints.\ntype IPAddr interface {\n\tSockAddr\n\tAddressBinString() string\n\tAddressHexString() string\n\tCmp(SockAddr) int\n\tCmpAddress(SockAddr) int\n\tCmpPort(SockAddr) int\n\tFirstUsable() IPAddr\n\tHost() IPAddr\n\tIPPort() IPPort\n\tLastUsable() IPAddr\n\tMaskbits() int\n\tNetIP() *net.IP\n\tNetIPMask() *net.IPMask\n\tNetIPNet() *net.IPNet\n\tNetwork() IPAddr\n\tOctets() []int\n}\n\n// IPPort is the type for an IP port number for the TCP and UDP IP transports.\ntype IPPort uint16\n\n// IPPrefixLen is a typed integer representing the prefix length for a given\n// IPAddr.\ntype IPPrefixLen byte\n\n// ipAddrAttrMap is a map of the IPAddr type-specific attributes.\nvar ipAddrAttrMap map[AttrName]func(IPAddr) string\nvar ipAddrAttrs []AttrName\n\nfunc init() {\n\tipAddrInit()\n}\n\n// NewIPAddr creates a new IPAddr from a string.  
Returns nil if the string is\n// not an IPv4 or an IPv6 address.\nfunc NewIPAddr(addr string) (IPAddr, error) {\n\tipv4Addr, err := NewIPv4Addr(addr)\n\tif err == nil {\n\t\treturn ipv4Addr, nil\n\t}\n\n\tipv6Addr, err := NewIPv6Addr(addr)\n\tif err == nil {\n\t\treturn ipv6Addr, nil\n\t}\n\n\treturn nil, fmt.Errorf(\"invalid IPAddr %v\", addr)\n}\n\n// IPAddrAttr returns a string representation of an attribute for the given\n// IPAddr.\nfunc IPAddrAttr(ip IPAddr, selector AttrName) string {\n\tfn, found := ipAddrAttrMap[selector]\n\tif !found {\n\t\treturn \"\"\n\t}\n\n\treturn fn(ip)\n}\n\n// IPAttrs returns a list of attributes supported by the IPAddr type\nfunc IPAttrs() []AttrName {\n\treturn ipAddrAttrs\n}\n\n// MustIPAddr is a helper method that must return an IPAddr or panic on invalid\n// input.\nfunc MustIPAddr(addr string) IPAddr {\n\tip, err := NewIPAddr(addr)\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"Unable to create an IPAddr from %+q: %v\", addr, err))\n\t}\n\treturn ip\n}\n\n// ipAddrInit is called once at init()\nfunc ipAddrInit() {\n\t// Sorted for human readability\n\tipAddrAttrs = []AttrName{\n\t\t\"host\",\n\t\t\"address\",\n\t\t\"port\",\n\t\t\"netmask\",\n\t\t\"network\",\n\t\t\"mask_bits\",\n\t\t\"binary\",\n\t\t\"hex\",\n\t\t\"first_usable\",\n\t\t\"last_usable\",\n\t\t\"octets\",\n\t}\n\n\tipAddrAttrMap = map[AttrName]func(ip IPAddr) string{\n\t\t\"address\": func(ip IPAddr) string {\n\t\t\treturn ip.NetIP().String()\n\t\t},\n\t\t\"binary\": func(ip IPAddr) string {\n\t\t\treturn ip.AddressBinString()\n\t\t},\n\t\t\"first_usable\": func(ip IPAddr) string {\n\t\t\treturn ip.FirstUsable().String()\n\t\t},\n\t\t\"hex\": func(ip IPAddr) string {\n\t\t\treturn ip.AddressHexString()\n\t\t},\n\t\t\"host\": func(ip IPAddr) string {\n\t\t\treturn ip.Host().String()\n\t\t},\n\t\t\"last_usable\": func(ip IPAddr) string {\n\t\t\treturn ip.LastUsable().String()\n\t\t},\n\t\t\"mask_bits\": func(ip IPAddr) string {\n\t\t\treturn fmt.Sprintf(\"%d\", 
ip.Maskbits())\n\t\t},\n\t\t\"netmask\": func(ip IPAddr) string {\n\t\t\tswitch v := ip.(type) {\n\t\t\tcase IPv4Addr:\n\t\t\t\tipv4Mask := IPv4Addr{\n\t\t\t\t\tAddress: IPv4Address(v.Mask),\n\t\t\t\t\tMask:    IPv4HostMask,\n\t\t\t\t}\n\t\t\t\treturn ipv4Mask.String()\n\t\t\tcase IPv6Addr:\n\t\t\t\tipv6Mask := new(big.Int)\n\t\t\t\tipv6Mask.Set(v.Mask)\n\t\t\t\tipv6MaskAddr := IPv6Addr{\n\t\t\t\t\tAddress: IPv6Address(ipv6Mask),\n\t\t\t\t\tMask:    ipv6HostMask,\n\t\t\t\t}\n\t\t\t\treturn ipv6MaskAddr.String()\n\t\t\tdefault:\n\t\t\t\treturn fmt.Sprintf(\"<unsupported type: %T>\", ip)\n\t\t\t}\n\t\t},\n\t\t\"network\": func(ip IPAddr) string {\n\t\t\treturn ip.Network().NetIP().String()\n\t\t},\n\t\t\"octets\": func(ip IPAddr) string {\n\t\t\toctets := ip.Octets()\n\t\t\toctetStrs := make([]string, 0, len(octets))\n\t\t\tfor _, octet := range octets {\n\t\t\t\toctetStrs = append(octetStrs, fmt.Sprintf(\"%d\", octet))\n\t\t\t}\n\t\t\treturn strings.Join(octetStrs, \" \")\n\t\t},\n\t\t\"port\": func(ip IPAddr) string {\n\t\t\treturn fmt.Sprintf(\"%d\", ip.IPPort())\n\t\t},\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipaddrs.go",
    "content": "package sockaddr\n\nimport \"bytes\"\n\ntype IPAddrs []IPAddr\n\nfunc (s IPAddrs) Len() int      { return len(s) }\nfunc (s IPAddrs) Swap(i, j int) { s[i], s[j] = s[j], s[i] }\n\n// // SortIPAddrsByCmp is a type that satisfies sort.Interface and can be used\n// // by the routines in this package.  The SortIPAddrsByCmp type is used to\n// // sort IPAddrs by Cmp()\n// type SortIPAddrsByCmp struct{ IPAddrs }\n\n// // Less reports whether the element with index i should sort before the\n// // element with index j.\n// func (s SortIPAddrsByCmp) Less(i, j int) bool {\n// \t// Sort by Type, then address, then port number.\n// \treturn Less(s.IPAddrs[i], s.IPAddrs[j])\n// }\n\n// SortIPAddrsByNetworkSize is a type that satisfies sort.Interface and\n// can be used by the routines in this package.  The\n// SortIPAddrsByNetworkSize type is used to sort IPAddrs by smallest\n// network (most specific to largest network).\ntype SortIPAddrsByNetworkSize struct{ IPAddrs }\n\n// Less reports whether the element with index i should sort before the\n// element with index j.\nfunc (s SortIPAddrsByNetworkSize) Less(i, j int) bool {\n\t// Sort masks with a larger binary value (i.e. fewer hosts per network\n\t// prefix) after masks with a smaller value (larger number of hosts per\n\t// prefix).\n\tswitch bytes.Compare([]byte(*s.IPAddrs[i].NetIPMask()), []byte(*s.IPAddrs[j].NetIPMask())) {\n\tcase 0:\n\t\t// Fall through to the second test if the net.IPMasks are the\n\t\t// same.\n\t\tbreak\n\tcase 1:\n\t\treturn true\n\tcase -1:\n\t\treturn false\n\tdefault:\n\t\tpanic(\"bad, m'kay?\")\n\t}\n\n\t// Sort IPs based on the length (i.e. 
prefer IPv4 over IPv6).\n\tiLen := len(*s.IPAddrs[i].NetIP())\n\tjLen := len(*s.IPAddrs[j].NetIP())\n\tif iLen != jLen {\n\t\treturn iLen > jLen\n\t}\n\n\t// Sort IPs based on their network address from lowest to highest.\n\tswitch bytes.Compare(s.IPAddrs[i].NetIPNet().IP, s.IPAddrs[j].NetIPNet().IP) {\n\tcase 0:\n\t\tbreak\n\tcase 1:\n\t\treturn false\n\tcase -1:\n\t\treturn true\n\tdefault:\n\t\tpanic(\"lol wut?\")\n\t}\n\n\t// If a host does not have a port set, it always sorts after hosts\n\t// that have a port (e.g. a host with a /32 and port number is more\n\t// specific and should sort first over a host with a /32 but no port\n\t// set).\n\tif s.IPAddrs[i].IPPort() == 0 || s.IPAddrs[j].IPPort() == 0 {\n\t\treturn false\n\t}\n\treturn s.IPAddrs[i].IPPort() < s.IPAddrs[j].IPPort()\n}\n\n// SortIPAddrsBySpecificMaskLen is a type that satisfies sort.Interface and\n// can be used by the routines in this package.  The\n// SortIPAddrsBySpecificMaskLen type is used to sort IPAddrs by smallest\n// network (most specific to largest network).\ntype SortIPAddrsBySpecificMaskLen struct{ IPAddrs }\n\n// Less reports whether the element with index i should sort before the\n// element with index j.\nfunc (s SortIPAddrsBySpecificMaskLen) Less(i, j int) bool {\n\treturn s.IPAddrs[i].Maskbits() > s.IPAddrs[j].Maskbits()\n}\n\n// SortIPAddrsByBroadMaskLen is a type that satisfies sort.Interface and can\n// be used by the routines in this package.  The SortIPAddrsByBroadMaskLen\n// type is used to sort IPAddrs by largest network (i.e. largest subnets\n// first).\ntype SortIPAddrsByBroadMaskLen struct{ IPAddrs }\n\n// Less reports whether the element with index i should sort before the\n// element with index j.\nfunc (s SortIPAddrsByBroadMaskLen) Less(i, j int) bool {\n\treturn s.IPAddrs[i].Maskbits() < s.IPAddrs[j].Maskbits()\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipv4addr.go",
    "content": "package sockaddr\n\nimport (\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"net\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n)\n\ntype (\n\t// IPv4Address is a named type representing an IPv4 address.\n\tIPv4Address uint32\n\n\t// IPv4Network is a named type representing an IPv4 network.\n\tIPv4Network uint32\n\n\t// IPv4Mask is a named type representing an IPv4 network mask.\n\tIPv4Mask uint32\n)\n\n// IPv4HostMask is a constant that represents a /32 IPv4 Address\n// (i.e. 255.255.255.255).\nconst IPv4HostMask = IPv4Mask(0xffffffff)\n\n// ipv4AddrAttrMap is a map of the IPv4Addr type-specific attributes.\nvar ipv4AddrAttrMap map[AttrName]func(IPv4Addr) string\nvar ipv4AddrAttrs []AttrName\nvar trailingHexNetmaskRE *regexp.Regexp\n\n// IPv4Addr implements a convenience wrapper around the union of Go's\n// built-in net.IP and net.IPNet types.  In UNIX-speak, IPv4Addr implements\n// `sockaddr` when the address family is set to AF_INET\n// (i.e. `sockaddr_in`).\ntype IPv4Addr struct {\n\tIPAddr\n\tAddress IPv4Address\n\tMask    IPv4Mask\n\tPort    IPPort\n}\n\nfunc init() {\n\tipv4AddrInit()\n\ttrailingHexNetmaskRE = regexp.MustCompile(`/([0f]{8})$`)\n}\n\n// NewIPv4Addr creates an IPv4Addr from a string.  String can be in the form\n// of either an IPv4:port (e.g. `1.2.3.4:80`, in which case the mask is\n// assumed to be a `/32`), an IPv4 address (e.g. `1.2.3.4`, also with a `/32`\n// mask), or an IPv4 CIDR (e.g. `1.2.3.4/24`, which has its IP port\n// initialized to zero).  ipv4Str can not be a hostname.\n//\n// NOTE: Many net.*() routines will initialize and return an IPv6 address.\n// To create uint32 values from net.IP, always test to make sure the address\n// returned can be converted to a 4 byte array using To4().\nfunc NewIPv4Addr(ipv4Str string) (IPv4Addr, error) {\n\t// Strip off any bogus hex-encoded netmasks that will be mis-parsed by Go.  
In\n\t// particular, clients with the Barracuda VPN client will see something like:\n\t// `192.168.3.51/00ffffff` as their IP address.\n\ttrailingHexNetmaskRe := trailingHexNetmaskRE.Copy()\n\tif match := trailingHexNetmaskRe.FindStringIndex(ipv4Str); match != nil {\n\t\tipv4Str = ipv4Str[:match[0]]\n\t}\n\n\t// Parse as an IPv4 CIDR\n\tipAddr, network, err := net.ParseCIDR(ipv4Str)\n\tif err == nil {\n\t\tipv4 := ipAddr.To4()\n\t\tif ipv4 == nil {\n\t\t\treturn IPv4Addr{}, fmt.Errorf(\"Unable to convert %s to an IPv4 address\", ipv4Str)\n\t\t}\n\n\t\t// If we see an IPv6 netmask, convert it to an IPv4 mask.\n\t\tnetmaskSepPos := strings.LastIndexByte(ipv4Str, '/')\n\t\tif netmaskSepPos != -1 && netmaskSepPos+1 < len(ipv4Str) {\n\t\t\tnetMask, err := strconv.ParseUint(ipv4Str[netmaskSepPos+1:], 10, 8)\n\t\t\tif err != nil {\n\t\t\t\treturn IPv4Addr{}, fmt.Errorf(\"Unable to convert %s to an IPv4 address: unable to parse CIDR netmask: %v\", ipv4Str, err)\n\t\t\t} else if netMask > 128 {\n\t\t\t\treturn IPv4Addr{}, fmt.Errorf(\"Unable to convert %s to an IPv4 address: invalid CIDR netmask\", ipv4Str)\n\t\t\t}\n\n\t\t\tif netMask >= 96 {\n\t\t\t\t// Convert the IPv6 netmask to an IPv4 netmask\n\t\t\t\tnetwork.Mask = net.CIDRMask(int(netMask-96), IPv4len*8)\n\t\t\t}\n\t\t}\n\t\tipv4Addr := IPv4Addr{\n\t\t\tAddress: IPv4Address(binary.BigEndian.Uint32(ipv4)),\n\t\t\tMask:    IPv4Mask(binary.BigEndian.Uint32(network.Mask)),\n\t\t}\n\t\treturn ipv4Addr, nil\n\t}\n\n\t// Attempt to parse ipv4Str as a /32 host with a port number.\n\ttcpAddr, err := net.ResolveTCPAddr(\"tcp4\", ipv4Str)\n\tif err == nil {\n\t\tipv4 := tcpAddr.IP.To4()\n\t\tif ipv4 == nil {\n\t\t\treturn IPv4Addr{}, fmt.Errorf(\"Unable to resolve %+q as an IPv4 address\", ipv4Str)\n\t\t}\n\n\t\tipv4Uint32 := binary.BigEndian.Uint32(ipv4)\n\t\tipv4Addr := IPv4Addr{\n\t\t\tAddress: IPv4Address(ipv4Uint32),\n\t\t\tMask:    IPv4HostMask,\n\t\t\tPort:    IPPort(tcpAddr.Port),\n\t\t}\n\n\t\treturn ipv4Addr, 
nil\n\t}\n\n\t// Parse as a naked IPv4 address\n\tip := net.ParseIP(ipv4Str)\n\tif ip != nil {\n\t\tipv4 := ip.To4()\n\t\tif ipv4 == nil {\n\t\t\treturn IPv4Addr{}, fmt.Errorf(\"Unable to string convert %+q to an IPv4 address\", ipv4Str)\n\t\t}\n\n\t\tipv4Uint32 := binary.BigEndian.Uint32(ipv4)\n\t\tipv4Addr := IPv4Addr{\n\t\t\tAddress: IPv4Address(ipv4Uint32),\n\t\t\tMask:    IPv4HostMask,\n\t\t}\n\t\treturn ipv4Addr, nil\n\t}\n\n\treturn IPv4Addr{}, fmt.Errorf(\"Unable to parse %+q to an IPv4 address: %v\", ipv4Str, err)\n}\n\n// AddressBinString returns a string with the IPv4Addr's Address represented\n// as a sequence of '0' and '1' characters.  This method is useful for\n// debugging or by operators who want to inspect an address.\nfunc (ipv4 IPv4Addr) AddressBinString() string {\n\treturn fmt.Sprintf(\"%032s\", strconv.FormatUint(uint64(ipv4.Address), 2))\n}\n\n// AddressHexString returns a string with the IPv4Addr address represented as\n// a sequence of hex characters.  This method is useful for debugging or by\n// operators who want to inspect an address.\nfunc (ipv4 IPv4Addr) AddressHexString() string {\n\treturn fmt.Sprintf(\"%08s\", strconv.FormatUint(uint64(ipv4.Address), 16))\n}\n\n// Broadcast is an IPv4Addr-only method that returns the broadcast address of\n// the network.\n//\n// NOTE: IPv6 only supports multicast, so this method only exists for\n// IPv4Addr.\nfunc (ipv4 IPv4Addr) Broadcast() IPAddr {\n\t// Nothing should listen on a broadcast address.\n\treturn IPv4Addr{\n\t\tAddress: IPv4Address(ipv4.BroadcastAddress()),\n\t\tMask:    IPv4HostMask,\n\t}\n}\n\n// BroadcastAddress returns a IPv4Network of the IPv4Addr's broadcast\n// address.\nfunc (ipv4 IPv4Addr) BroadcastAddress() IPv4Network {\n\treturn IPv4Network(uint32(ipv4.Address)&uint32(ipv4.Mask) | ^uint32(ipv4.Mask))\n}\n\n// CmpAddress follows the Cmp() standard protocol and returns:\n//\n// - -1 If the receiver should sort first because its address is lower than arg\n// - 0 if the 
SockAddr arg is equal to the receiving IPv4Addr or the argument is\n//   of a different type.\n// - 1 If the argument should sort first.\nfunc (ipv4 IPv4Addr) CmpAddress(sa SockAddr) int {\n\tipv4b, ok := sa.(IPv4Addr)\n\tif !ok {\n\t\treturn sortDeferDecision\n\t}\n\n\tswitch {\n\tcase ipv4.Address == ipv4b.Address:\n\t\treturn sortDeferDecision\n\tcase ipv4.Address < ipv4b.Address:\n\t\treturn sortReceiverBeforeArg\n\tdefault:\n\t\treturn sortArgBeforeReceiver\n\t}\n}\n\n// CmpPort follows the Cmp() standard protocol and returns:\n//\n// - -1 If the receiver should sort first because its port is lower than arg\n// - 0 if the SockAddr arg's port number is equal to the receiving IPv4Addr,\n//   regardless of type.\n// - 1 If the argument should sort first.\nfunc (ipv4 IPv4Addr) CmpPort(sa SockAddr) int {\n\tvar saPort IPPort\n\tswitch v := sa.(type) {\n\tcase IPv4Addr:\n\t\tsaPort = v.Port\n\tcase IPv6Addr:\n\t\tsaPort = v.Port\n\tdefault:\n\t\treturn sortDeferDecision\n\t}\n\n\tswitch {\n\tcase ipv4.Port == saPort:\n\t\treturn sortDeferDecision\n\tcase ipv4.Port < saPort:\n\t\treturn sortReceiverBeforeArg\n\tdefault:\n\t\treturn sortArgBeforeReceiver\n\t}\n}\n\n// CmpRFC follows the Cmp() standard protocol and returns:\n//\n// - -1 If the receiver should sort first because it belongs to the RFC and its\n//   arg does not\n// - 0 if the receiver and arg both belong to the same RFC or neither do.\n// - 1 If the arg belongs to the RFC but receiver does not.\nfunc (ipv4 IPv4Addr) CmpRFC(rfcNum uint, sa SockAddr) int {\n\trecvInRFC := IsRFC(rfcNum, ipv4)\n\tipv4b, ok := sa.(IPv4Addr)\n\tif !ok {\n\t\t// If the receiver is part of the desired RFC and the SockAddr\n\t\t// argument is not, return -1 so that the receiver sorts before\n\t\t// the non-IPv4 SockAddr.  
Conversely, if the receiver is not\n\t\t// part of the RFC, punt on sorting and leave it for the next\n\t\t// sorter.\n\t\tif recvInRFC {\n\t\t\treturn sortReceiverBeforeArg\n\t\t} else {\n\t\t\treturn sortDeferDecision\n\t\t}\n\t}\n\n\targInRFC := IsRFC(rfcNum, ipv4b)\n\tswitch {\n\tcase (recvInRFC && argInRFC), (!recvInRFC && !argInRFC):\n\t\t// If a and b both belong to the RFC, or neither belong to\n\t\t// rfcNum, defer sorting to the next sorter.\n\t\treturn sortDeferDecision\n\tcase recvInRFC && !argInRFC:\n\t\treturn sortReceiverBeforeArg\n\tdefault:\n\t\treturn sortArgBeforeReceiver\n\t}\n}\n\n// Contains returns true if the SockAddr is contained within the receiver.\nfunc (ipv4 IPv4Addr) Contains(sa SockAddr) bool {\n\tipv4b, ok := sa.(IPv4Addr)\n\tif !ok {\n\t\treturn false\n\t}\n\n\treturn ipv4.ContainsNetwork(ipv4b)\n}\n\n// ContainsAddress returns true if the IPv4Address is contained within the\n// receiver.\nfunc (ipv4 IPv4Addr) ContainsAddress(x IPv4Address) bool {\n\treturn IPv4Address(ipv4.NetworkAddress()) <= x &&\n\t\tIPv4Address(ipv4.BroadcastAddress()) >= x\n}\n\n// ContainsNetwork returns true if the network from IPv4Addr is contained\n// within the receiver.\nfunc (ipv4 IPv4Addr) ContainsNetwork(x IPv4Addr) bool {\n\treturn ipv4.NetworkAddress() <= x.NetworkAddress() &&\n\t\tipv4.BroadcastAddress() >= x.BroadcastAddress()\n}\n\n// DialPacketArgs returns the arguments required to be passed to\n// net.DialUDP().  If the Mask of ipv4 is not a /32 or the Port is 0,\n// DialPacketArgs() will fail.  See Host() to create an IPv4Addr with its\n// mask set to /32.\nfunc (ipv4 IPv4Addr) DialPacketArgs() (network, dialArgs string) {\n\tif ipv4.Mask != IPv4HostMask || ipv4.Port == 0 {\n\t\treturn \"udp4\", \"\"\n\t}\n\treturn \"udp4\", fmt.Sprintf(\"%s:%d\", ipv4.NetIP().String(), ipv4.Port)\n}\n\n// DialStreamArgs returns the arguments required to be passed to\n// net.DialTCP().  
If the Mask of ipv4 is not a /32 or the Port is 0,\n// DialStreamArgs() will fail.  See Host() to create an IPv4Addr with its\n// mask set to /32.\nfunc (ipv4 IPv4Addr) DialStreamArgs() (network, dialArgs string) {\n\tif ipv4.Mask != IPv4HostMask || ipv4.Port == 0 {\n\t\treturn \"tcp4\", \"\"\n\t}\n\treturn \"tcp4\", fmt.Sprintf(\"%s:%d\", ipv4.NetIP().String(), ipv4.Port)\n}\n\n// Equal returns true if a SockAddr is equal to the receiving IPv4Addr.\nfunc (ipv4 IPv4Addr) Equal(sa SockAddr) bool {\n\tipv4b, ok := sa.(IPv4Addr)\n\tif !ok {\n\t\treturn false\n\t}\n\n\tif ipv4.Port != ipv4b.Port {\n\t\treturn false\n\t}\n\n\tif ipv4.Address != ipv4b.Address {\n\t\treturn false\n\t}\n\n\tif ipv4.NetIPNet().String() != ipv4b.NetIPNet().String() {\n\t\treturn false\n\t}\n\n\treturn true\n}\n\n// FirstUsable returns an IPv4Addr set to the first address following the\n// network prefix.  The first usable address in a network is normally the\n// gateway and should not be used except by devices forwarding packets\n// between two administratively distinct networks (i.e. a router).  This\n// function does not discriminate against first usable vs \"first address that\n// should be used.\"  For example, FirstUsable() on \"192.168.1.10/24\" would\n// return the address \"192.168.1.1/24\".\nfunc (ipv4 IPv4Addr) FirstUsable() IPAddr {\n\taddr := ipv4.NetworkAddress()\n\n\t// If /32, return the address itself. 
If /31 assume a point-to-point\n\t// link and return the lower address.\n\tif ipv4.Maskbits() < 31 {\n\t\taddr++\n\t}\n\n\treturn IPv4Addr{\n\t\tAddress: IPv4Address(addr),\n\t\tMask:    IPv4HostMask,\n\t}\n}\n\n// Host returns a copy of ipv4 with its mask set to /32 so that it can be\n// used by DialPacketArgs(), DialStreamArgs(), ListenPacketArgs(), or\n// ListenStreamArgs().\nfunc (ipv4 IPv4Addr) Host() IPAddr {\n\t// Nothing should listen on a broadcast address.\n\treturn IPv4Addr{\n\t\tAddress: ipv4.Address,\n\t\tMask:    IPv4HostMask,\n\t\tPort:    ipv4.Port,\n\t}\n}\n\n// IPPort returns the Port number attached to the IPv4Addr\nfunc (ipv4 IPv4Addr) IPPort() IPPort {\n\treturn ipv4.Port\n}\n\n// LastUsable returns the last address before the broadcast address in a\n// given network.\nfunc (ipv4 IPv4Addr) LastUsable() IPAddr {\n\taddr := ipv4.BroadcastAddress()\n\n\t// If /32, return the address itself. If /31 assume a point-to-point\n\t// link and return the upper address.\n\tif ipv4.Maskbits() < 31 {\n\t\taddr--\n\t}\n\n\treturn IPv4Addr{\n\t\tAddress: IPv4Address(addr),\n\t\tMask:    IPv4HostMask,\n\t}\n}\n\n// ListenPacketArgs returns the arguments required to be passed to\n// net.ListenUDP().  If the Mask of ipv4 is not a /32, ListenPacketArgs()\n// will fail.  See Host() to create an IPv4Addr with its mask set to /32.\nfunc (ipv4 IPv4Addr) ListenPacketArgs() (network, listenArgs string) {\n\tif ipv4.Mask != IPv4HostMask {\n\t\treturn \"udp4\", \"\"\n\t}\n\treturn \"udp4\", fmt.Sprintf(\"%s:%d\", ipv4.NetIP().String(), ipv4.Port)\n}\n\n// ListenStreamArgs returns the arguments required to be passed to\n// net.ListenTCP().  If the Mask of ipv4 is not a /32, ListenStreamArgs()\n// will fail.  
See Host() to create an IPv4Addr with its mask set to /32.\nfunc (ipv4 IPv4Addr) ListenStreamArgs() (network, listenArgs string) {\n\tif ipv4.Mask != IPv4HostMask {\n\t\treturn \"tcp4\", \"\"\n\t}\n\treturn \"tcp4\", fmt.Sprintf(\"%s:%d\", ipv4.NetIP().String(), ipv4.Port)\n}\n\n// Maskbits returns the number of network mask bits in a given IPv4Addr.  For\n// example, the Maskbits() of \"192.168.1.1/24\" would return 24.\nfunc (ipv4 IPv4Addr) Maskbits() int {\n\tmask := make(net.IPMask, IPv4len)\n\tbinary.BigEndian.PutUint32(mask, uint32(ipv4.Mask))\n\tmaskOnes, _ := mask.Size()\n\treturn maskOnes\n}\n\n// MustIPv4Addr is a helper method that must return an IPv4Addr or panic on\n// invalid input.\nfunc MustIPv4Addr(addr string) IPv4Addr {\n\tipv4, err := NewIPv4Addr(addr)\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"Unable to create an IPv4Addr from %+q: %v\", addr, err))\n\t}\n\treturn ipv4\n}\n\n// NetIP returns the address as a net.IP (address is always presized to\n// IPv4).\nfunc (ipv4 IPv4Addr) NetIP() *net.IP {\n\tx := make(net.IP, IPv4len)\n\tbinary.BigEndian.PutUint32(x, uint32(ipv4.Address))\n\treturn &x\n}\n\n// NetIPMask create a new net.IPMask from the IPv4Addr.\nfunc (ipv4 IPv4Addr) NetIPMask() *net.IPMask {\n\tipv4Mask := net.IPMask{}\n\tipv4Mask = make(net.IPMask, IPv4len)\n\tbinary.BigEndian.PutUint32(ipv4Mask, uint32(ipv4.Mask))\n\treturn &ipv4Mask\n}\n\n// NetIPNet create a new net.IPNet from the IPv4Addr.\nfunc (ipv4 IPv4Addr) NetIPNet() *net.IPNet {\n\tipv4net := &net.IPNet{}\n\tipv4net.IP = make(net.IP, IPv4len)\n\tbinary.BigEndian.PutUint32(ipv4net.IP, uint32(ipv4.NetworkAddress()))\n\tipv4net.Mask = *ipv4.NetIPMask()\n\treturn ipv4net\n}\n\n// Network returns the network prefix or network address for a given network.\nfunc (ipv4 IPv4Addr) Network() IPAddr {\n\treturn IPv4Addr{\n\t\tAddress: IPv4Address(ipv4.NetworkAddress()),\n\t\tMask:    ipv4.Mask,\n\t}\n}\n\n// NetworkAddress returns an IPv4Network of the IPv4Addr's network address.\nfunc 
(ipv4 IPv4Addr) NetworkAddress() IPv4Network {\n\treturn IPv4Network(uint32(ipv4.Address) & uint32(ipv4.Mask))\n}\n\n// Octets returns a slice of the four octets in an IPv4Addr's Address.  The\n// order of the bytes is big endian.\nfunc (ipv4 IPv4Addr) Octets() []int {\n\treturn []int{\n\t\tint(ipv4.Address >> 24),\n\t\tint((ipv4.Address >> 16) & 0xff),\n\t\tint((ipv4.Address >> 8) & 0xff),\n\t\tint(ipv4.Address & 0xff),\n\t}\n}\n\n// String returns a string representation of the IPv4Addr\nfunc (ipv4 IPv4Addr) String() string {\n\tif ipv4.Port != 0 {\n\t\treturn fmt.Sprintf(\"%s:%d\", ipv4.NetIP().String(), ipv4.Port)\n\t}\n\n\tif ipv4.Maskbits() == 32 {\n\t\treturn ipv4.NetIP().String()\n\t}\n\n\treturn fmt.Sprintf(\"%s/%d\", ipv4.NetIP().String(), ipv4.Maskbits())\n}\n\n// Type is used as a type switch and returns TypeIPv4\nfunc (IPv4Addr) Type() SockAddrType {\n\treturn TypeIPv4\n}\n\n// IPv4AddrAttr returns a string representation of an attribute for the given\n// IPv4Addr.\nfunc IPv4AddrAttr(ipv4 IPv4Addr, selector AttrName) string {\n\tfn, found := ipv4AddrAttrMap[selector]\n\tif !found {\n\t\treturn \"\"\n\t}\n\n\treturn fn(ipv4)\n}\n\n// IPv4Attrs returns a list of attributes supported by the IPv4Addr type\nfunc IPv4Attrs() []AttrName {\n\treturn ipv4AddrAttrs\n}\n\n// ipv4AddrInit is called once at init()\nfunc ipv4AddrInit() {\n\t// Sorted for human readability\n\tipv4AddrAttrs = []AttrName{\n\t\t\"size\", // Same position as in IPv6 for output consistency\n\t\t\"broadcast\",\n\t\t\"uint32\",\n\t}\n\n\tipv4AddrAttrMap = map[AttrName]func(ipv4 IPv4Addr) string{\n\t\t\"broadcast\": func(ipv4 IPv4Addr) string {\n\t\t\treturn ipv4.Broadcast().String()\n\t\t},\n\t\t\"size\": func(ipv4 IPv4Addr) string {\n\t\t\treturn fmt.Sprintf(\"%d\", 1<<uint(IPv4len*8-ipv4.Maskbits()))\n\t\t},\n\t\t\"uint32\": func(ipv4 IPv4Addr) string {\n\t\t\treturn fmt.Sprintf(\"%d\", uint32(ipv4.Address))\n\t\t},\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipv6addr.go",
    "content": "package sockaddr\n\nimport (\n\t\"bytes\"\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"math/big\"\n\t\"net\"\n)\n\ntype (\n\t// IPv6Address is a named type representing an IPv6 address.\n\tIPv6Address *big.Int\n\n\t// IPv6Network is a named type representing an IPv6 network.\n\tIPv6Network *big.Int\n\n\t// IPv6Mask is a named type representing an IPv6 network mask.\n\tIPv6Mask *big.Int\n)\n\n// IPv6HostPrefix is a constant represents a /128 IPv6 Prefix.\nconst IPv6HostPrefix = IPPrefixLen(128)\n\n// ipv6HostMask is an unexported big.Int representing a /128 IPv6 address.\n// This value must be a constant and always set to all ones.\nvar ipv6HostMask IPv6Mask\n\n// ipv6AddrAttrMap is a map of the IPv6Addr type-specific attributes.\nvar ipv6AddrAttrMap map[AttrName]func(IPv6Addr) string\nvar ipv6AddrAttrs []AttrName\n\nfunc init() {\n\tbiMask := new(big.Int)\n\tbiMask.SetBytes([]byte{\n\t\t0xff, 0xff,\n\t\t0xff, 0xff,\n\t\t0xff, 0xff,\n\t\t0xff, 0xff,\n\t\t0xff, 0xff,\n\t\t0xff, 0xff,\n\t\t0xff, 0xff,\n\t\t0xff, 0xff,\n\t},\n\t)\n\tipv6HostMask = IPv6Mask(biMask)\n\n\tipv6AddrInit()\n}\n\n// IPv6Addr implements a convenience wrapper around the union of Go's\n// built-in net.IP and net.IPNet types.  In UNIX-speak, IPv6Addr implements\n// `sockaddr` when the the address family is set to AF_INET6\n// (i.e. `sockaddr_in6`).\ntype IPv6Addr struct {\n\tIPAddr\n\tAddress IPv6Address\n\tMask    IPv6Mask\n\tPort    IPPort\n}\n\n// NewIPv6Addr creates an IPv6Addr from a string.  String can be in the form of\n// an an IPv6:port (e.g. `[2001:4860:0:2001::68]:80`, in which case the mask is\n// assumed to be a /128), an IPv6 address (e.g. `2001:4860:0:2001::68`, also\n// with a `/128` mask), an IPv6 CIDR (e.g. `2001:4860:0:2001::68/64`, which has\n// its IP port initialized to zero).  
ipv6Str can not be a hostname.\n//\n// NOTE: Many net.*() routines will initialize and return an IPv4 address.\n// Always test to make sure the address returned cannot be converted to a 4 byte\n// array using To4().\nfunc NewIPv6Addr(ipv6Str string) (IPv6Addr, error) {\n\tv6Addr := false\nLOOP:\n\tfor i := 0; i < len(ipv6Str); i++ {\n\t\tswitch ipv6Str[i] {\n\t\tcase '.':\n\t\t\tbreak LOOP\n\t\tcase ':':\n\t\t\tv6Addr = true\n\t\t\tbreak LOOP\n\t\t}\n\t}\n\n\tif !v6Addr {\n\t\treturn IPv6Addr{}, fmt.Errorf(\"Unable to resolve %+q as an IPv6 address, appears to be an IPv4 address\", ipv6Str)\n\t}\n\n\t// Attempt to parse ipv6Str as a /128 host with a port number.\n\ttcpAddr, err := net.ResolveTCPAddr(\"tcp6\", ipv6Str)\n\tif err == nil {\n\t\tipv6 := tcpAddr.IP.To16()\n\t\tif ipv6 == nil {\n\t\t\treturn IPv6Addr{}, fmt.Errorf(\"Unable to resolve %+q as a 16byte IPv6 address\", ipv6Str)\n\t\t}\n\n\t\tipv6BigIntAddr := new(big.Int)\n\t\tipv6BigIntAddr.SetBytes(ipv6)\n\n\t\tipv6BigIntMask := new(big.Int)\n\t\tipv6BigIntMask.Set(ipv6HostMask)\n\n\t\tipv6Addr := IPv6Addr{\n\t\t\tAddress: IPv6Address(ipv6BigIntAddr),\n\t\t\tMask:    IPv6Mask(ipv6BigIntMask),\n\t\t\tPort:    IPPort(tcpAddr.Port),\n\t\t}\n\n\t\treturn ipv6Addr, nil\n\t}\n\n\t// Parse as a naked IPv6 address.  
Trim square brackets if present.\n\tif len(ipv6Str) > 2 && ipv6Str[0] == '[' && ipv6Str[len(ipv6Str)-1] == ']' {\n\t\tipv6Str = ipv6Str[1 : len(ipv6Str)-1]\n\t}\n\tip := net.ParseIP(ipv6Str)\n\tif ip != nil {\n\t\tipv6 := ip.To16()\n\t\tif ipv6 == nil {\n\t\t\treturn IPv6Addr{}, fmt.Errorf(\"Unable to string convert %+q to a 16byte IPv6 address\", ipv6Str)\n\t\t}\n\n\t\tipv6BigIntAddr := new(big.Int)\n\t\tipv6BigIntAddr.SetBytes(ipv6)\n\n\t\tipv6BigIntMask := new(big.Int)\n\t\tipv6BigIntMask.Set(ipv6HostMask)\n\n\t\treturn IPv6Addr{\n\t\t\tAddress: IPv6Address(ipv6BigIntAddr),\n\t\t\tMask:    IPv6Mask(ipv6BigIntMask),\n\t\t}, nil\n\t}\n\n\t// Parse as an IPv6 CIDR\n\tipAddr, network, err := net.ParseCIDR(ipv6Str)\n\tif err == nil {\n\t\tipv6 := ipAddr.To16()\n\t\tif ipv6 == nil {\n\t\t\treturn IPv6Addr{}, fmt.Errorf(\"Unable to convert %+q to a 16byte IPv6 address\", ipv6Str)\n\t\t}\n\n\t\tipv6BigIntAddr := new(big.Int)\n\t\tipv6BigIntAddr.SetBytes(ipv6)\n\n\t\tipv6BigIntMask := new(big.Int)\n\t\tipv6BigIntMask.SetBytes(network.Mask)\n\n\t\tipv6Addr := IPv6Addr{\n\t\t\tAddress: IPv6Address(ipv6BigIntAddr),\n\t\t\tMask:    IPv6Mask(ipv6BigIntMask),\n\t\t}\n\t\treturn ipv6Addr, nil\n\t}\n\n\treturn IPv6Addr{}, fmt.Errorf(\"Unable to parse %+q to an IPv6 address: %v\", ipv6Str, err)\n}\n\n// AddressBinString returns a string with the IPv6Addr's Address represented\n// as a sequence of '0' and '1' characters.  This method is useful for\n// debugging or by operators who want to inspect an address.\nfunc (ipv6 IPv6Addr) AddressBinString() string {\n\tbi := big.Int(*ipv6.Address)\n\treturn fmt.Sprintf(\"%0128s\", bi.Text(2))\n}\n\n// AddressHexString returns a string with the IPv6Addr address represented as\n// a sequence of hex characters.  
This method is useful for debugging or by\n// operators who want to inspect an address.\nfunc (ipv6 IPv6Addr) AddressHexString() string {\n\tbi := big.Int(*ipv6.Address)\n\treturn fmt.Sprintf(\"%032s\", bi.Text(16))\n}\n\n// CmpAddress follows the Cmp() standard protocol and returns:\n//\n// - -1 If the receiver should sort first because its address is lower than arg\n// - 0 if the SockAddr arg equal to the receiving IPv6Addr or the argument is of a\n//   different type.\n// - 1 If the argument should sort first.\nfunc (ipv6 IPv6Addr) CmpAddress(sa SockAddr) int {\n\tipv6b, ok := sa.(IPv6Addr)\n\tif !ok {\n\t\treturn sortDeferDecision\n\t}\n\n\tipv6aBigInt := new(big.Int)\n\tipv6aBigInt.Set(ipv6.Address)\n\tipv6bBigInt := new(big.Int)\n\tipv6bBigInt.Set(ipv6b.Address)\n\n\treturn ipv6aBigInt.Cmp(ipv6bBigInt)\n}\n\n// CmpPort follows the Cmp() standard protocol and returns:\n//\n// - -1 If the receiver should sort first because its port is lower than arg\n// - 0 if the SockAddr arg's port number is equal to the receiving IPv6Addr,\n//   regardless of type.\n// - 1 If the argument should sort first.\nfunc (ipv6 IPv6Addr) CmpPort(sa SockAddr) int {\n\tvar saPort IPPort\n\tswitch v := sa.(type) {\n\tcase IPv4Addr:\n\t\tsaPort = v.Port\n\tcase IPv6Addr:\n\t\tsaPort = v.Port\n\tdefault:\n\t\treturn sortDeferDecision\n\t}\n\n\tswitch {\n\tcase ipv6.Port == saPort:\n\t\treturn sortDeferDecision\n\tcase ipv6.Port < saPort:\n\t\treturn sortReceiverBeforeArg\n\tdefault:\n\t\treturn sortArgBeforeReceiver\n\t}\n}\n\n// CmpRFC follows the Cmp() standard protocol and returns:\n//\n// - -1 If the receiver should sort first because it belongs to the RFC and its\n//   arg does not\n// - 0 if the receiver and arg both belong to the same RFC or neither do.\n// - 1 If the arg belongs to the RFC but receiver does not.\nfunc (ipv6 IPv6Addr) CmpRFC(rfcNum uint, sa SockAddr) int {\n\trecvInRFC := IsRFC(rfcNum, ipv6)\n\tipv6b, ok := sa.(IPv6Addr)\n\tif !ok {\n\t\t// If the receiver is part 
of the desired RFC and the SockAddr\n\t\t// argument is not, sort receiver before the non-IPv6 SockAddr.\n\t\t// Conversely, if the receiver is not part of the RFC, punt on\n\t\t// sorting and leave it for the next sorter.\n\t\tif recvInRFC {\n\t\t\treturn sortReceiverBeforeArg\n\t\t} else {\n\t\t\treturn sortDeferDecision\n\t\t}\n\t}\n\n\targInRFC := IsRFC(rfcNum, ipv6b)\n\tswitch {\n\tcase (recvInRFC && argInRFC), (!recvInRFC && !argInRFC):\n\t\t// If a and b both belong to the RFC, or neither belong to\n\t\t// rfcNum, defer sorting to the next sorter.\n\t\treturn sortDeferDecision\n\tcase recvInRFC && !argInRFC:\n\t\treturn sortReceiverBeforeArg\n\tdefault:\n\t\treturn sortArgBeforeReceiver\n\t}\n}\n\n// Contains returns true if the SockAddr is contained within the receiver.\nfunc (ipv6 IPv6Addr) Contains(sa SockAddr) bool {\n\tipv6b, ok := sa.(IPv6Addr)\n\tif !ok {\n\t\treturn false\n\t}\n\n\treturn ipv6.ContainsNetwork(ipv6b)\n}\n\n// ContainsAddress returns true if the IPv6Address is contained within the\n// receiver.\nfunc (ipv6 IPv6Addr) ContainsAddress(x IPv6Address) bool {\n\txAddr := IPv6Addr{\n\t\tAddress: x,\n\t\tMask:    ipv6HostMask,\n\t}\n\n\t{\n\t\txIPv6 := xAddr.FirstUsable().(IPv6Addr)\n\t\tyIPv6 := ipv6.FirstUsable().(IPv6Addr)\n\t\tif xIPv6.CmpAddress(yIPv6) >= 1 {\n\t\t\treturn false\n\t\t}\n\t}\n\n\t{\n\t\txIPv6 := xAddr.LastUsable().(IPv6Addr)\n\t\tyIPv6 := ipv6.LastUsable().(IPv6Addr)\n\t\tif xIPv6.CmpAddress(yIPv6) <= -1 {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// ContainsNetwork returns true if the network from IPv6Addr is contained within\n// the receiver.\nfunc (x IPv6Addr) ContainsNetwork(y IPv6Addr) bool {\n\t{\n\t\txIPv6 := x.FirstUsable().(IPv6Addr)\n\t\tyIPv6 := y.FirstUsable().(IPv6Addr)\n\t\tif ret := xIPv6.CmpAddress(yIPv6); ret >= 1 {\n\t\t\treturn false\n\t\t}\n\t}\n\n\t{\n\t\txIPv6 := x.LastUsable().(IPv6Addr)\n\t\tyIPv6 := y.LastUsable().(IPv6Addr)\n\t\tif ret := xIPv6.CmpAddress(yIPv6); ret <= -1 
{\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// DialPacketArgs returns the arguments required to be passed to\n// net.DialUDP().  If the Mask of ipv6 is not a /128 or the Port is 0,\n// DialPacketArgs() will fail.  See Host() to create an IPv6Addr with its\n// mask set to /128.\nfunc (ipv6 IPv6Addr) DialPacketArgs() (network, dialArgs string) {\n\tipv6Mask := big.Int(*ipv6.Mask)\n\tif ipv6Mask.Cmp(ipv6HostMask) != 0 || ipv6.Port == 0 {\n\t\treturn \"udp6\", \"\"\n\t}\n\treturn \"udp6\", fmt.Sprintf(\"[%s]:%d\", ipv6.NetIP().String(), ipv6.Port)\n}\n\n// DialStreamArgs returns the arguments required to be passed to\n// net.DialTCP().  If the Mask of ipv6 is not a /128 or the Port is 0,\n// DialStreamArgs() will fail.  See Host() to create an IPv6Addr with its\n// mask set to /128.\nfunc (ipv6 IPv6Addr) DialStreamArgs() (network, dialArgs string) {\n\tipv6Mask := big.Int(*ipv6.Mask)\n\tif ipv6Mask.Cmp(ipv6HostMask) != 0 || ipv6.Port == 0 {\n\t\treturn \"tcp6\", \"\"\n\t}\n\treturn \"tcp6\", fmt.Sprintf(\"[%s]:%d\", ipv6.NetIP().String(), ipv6.Port)\n}\n\n// Equal returns true if a SockAddr is equal to the receiving IPv4Addr.\nfunc (ipv6a IPv6Addr) Equal(sa SockAddr) bool {\n\tipv6b, ok := sa.(IPv6Addr)\n\tif !ok {\n\t\treturn false\n\t}\n\n\tif ipv6a.NetIP().String() != ipv6b.NetIP().String() {\n\t\treturn false\n\t}\n\n\tif ipv6a.NetIPNet().String() != ipv6b.NetIPNet().String() {\n\t\treturn false\n\t}\n\n\tif ipv6a.Port != ipv6b.Port {\n\t\treturn false\n\t}\n\n\treturn true\n}\n\n// FirstUsable returns an IPv6Addr set to the first address following the\n// network prefix.  The first usable address in a network is normally the\n// gateway and should not be used except by devices forwarding packets\n// between two administratively distinct networks (i.e. a router).  
This\n// function does not discriminate against first usable vs \"first address that\n// should be used.\"  For example, FirstUsable() on \"2001:0db8::0003/64\" would\n// return \"2001:0db8::00011\".\nfunc (ipv6 IPv6Addr) FirstUsable() IPAddr {\n\treturn IPv6Addr{\n\t\tAddress: IPv6Address(ipv6.NetworkAddress()),\n\t\tMask:    ipv6HostMask,\n\t}\n}\n\n// Host returns a copy of ipv6 with its mask set to /128 so that it can be\n// used by DialPacketArgs(), DialStreamArgs(), ListenPacketArgs(), or\n// ListenStreamArgs().\nfunc (ipv6 IPv6Addr) Host() IPAddr {\n\t// Nothing should listen on a broadcast address.\n\treturn IPv6Addr{\n\t\tAddress: ipv6.Address,\n\t\tMask:    ipv6HostMask,\n\t\tPort:    ipv6.Port,\n\t}\n}\n\n// IPPort returns the Port number attached to the IPv6Addr\nfunc (ipv6 IPv6Addr) IPPort() IPPort {\n\treturn ipv6.Port\n}\n\n// LastUsable returns the last address in a given network.\nfunc (ipv6 IPv6Addr) LastUsable() IPAddr {\n\taddr := new(big.Int)\n\taddr.Set(ipv6.Address)\n\n\tmask := new(big.Int)\n\tmask.Set(ipv6.Mask)\n\n\tnegMask := new(big.Int)\n\tnegMask.Xor(ipv6HostMask, mask)\n\n\tlastAddr := new(big.Int)\n\tlastAddr.And(addr, mask)\n\tlastAddr.Or(lastAddr, negMask)\n\n\treturn IPv6Addr{\n\t\tAddress: IPv6Address(lastAddr),\n\t\tMask:    ipv6HostMask,\n\t}\n}\n\n// ListenPacketArgs returns the arguments required to be passed to\n// net.ListenUDP().  If the Mask of ipv6 is not a /128, ListenPacketArgs()\n// will fail.  See Host() to create an IPv6Addr with its mask set to /128.\nfunc (ipv6 IPv6Addr) ListenPacketArgs() (network, listenArgs string) {\n\tipv6Mask := big.Int(*ipv6.Mask)\n\tif ipv6Mask.Cmp(ipv6HostMask) != 0 {\n\t\treturn \"udp6\", \"\"\n\t}\n\treturn \"udp6\", fmt.Sprintf(\"[%s]:%d\", ipv6.NetIP().String(), ipv6.Port)\n}\n\n// ListenStreamArgs returns the arguments required to be passed to\n// net.ListenTCP().  If the Mask of ipv6 is not a /128, ListenStreamArgs()\n// will fail.  
See Host() to create an IPv6Addr with its mask set to /128.\nfunc (ipv6 IPv6Addr) ListenStreamArgs() (network, listenArgs string) {\n\tipv6Mask := big.Int(*ipv6.Mask)\n\tif ipv6Mask.Cmp(ipv6HostMask) != 0 {\n\t\treturn \"tcp6\", \"\"\n\t}\n\treturn \"tcp6\", fmt.Sprintf(\"[%s]:%d\", ipv6.NetIP().String(), ipv6.Port)\n}\n\n// Maskbits returns the number of network mask bits in a given IPv6Addr.  For\n// example, the Maskbits() of \"2001:0db8::0003/64\" would return 64.\nfunc (ipv6 IPv6Addr) Maskbits() int {\n\tmaskOnes, _ := ipv6.NetIPNet().Mask.Size()\n\n\treturn maskOnes\n}\n\n// MustIPv6Addr is a helper method that must return an IPv6Addr or panic on\n// invalid input.\nfunc MustIPv6Addr(addr string) IPv6Addr {\n\tipv6, err := NewIPv6Addr(addr)\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"Unable to create an IPv6Addr from %+q: %v\", addr, err))\n\t}\n\treturn ipv6\n}\n\n// NetIP returns the address as a net.IP.\nfunc (ipv6 IPv6Addr) NetIP() *net.IP {\n\treturn bigIntToNetIPv6(ipv6.Address)\n}\n\n// NetIPMask create a new net.IPMask from the IPv6Addr.\nfunc (ipv6 IPv6Addr) NetIPMask() *net.IPMask {\n\tipv6Mask := make(net.IPMask, IPv6len)\n\tm := big.Int(*ipv6.Mask)\n\tcopy(ipv6Mask, m.Bytes())\n\treturn &ipv6Mask\n}\n\n// Network returns a pointer to the net.IPNet within IPv4Addr receiver.\nfunc (ipv6 IPv6Addr) NetIPNet() *net.IPNet {\n\tipv6net := &net.IPNet{}\n\tipv6net.IP = make(net.IP, IPv6len)\n\tcopy(ipv6net.IP, *ipv6.NetIP())\n\tipv6net.Mask = *ipv6.NetIPMask()\n\treturn ipv6net\n}\n\n// Network returns the network prefix or network address for a given network.\nfunc (ipv6 IPv6Addr) Network() IPAddr {\n\treturn IPv6Addr{\n\t\tAddress: IPv6Address(ipv6.NetworkAddress()),\n\t\tMask:    ipv6.Mask,\n\t}\n}\n\n// NetworkAddress returns an IPv6Network of the IPv6Addr's network address.\nfunc (ipv6 IPv6Addr) NetworkAddress() IPv6Network {\n\taddr := new(big.Int)\n\taddr.SetBytes((*ipv6.Address).Bytes())\n\n\tmask := 
new(big.Int)\n\tmask.SetBytes(*ipv6.NetIPMask())\n\n\tnetAddr := new(big.Int)\n\tnetAddr.And(addr, mask)\n\n\treturn IPv6Network(netAddr)\n}\n\n// Octets returns a slice of the 16 octets in an IPv6Addr's Address.  The\n// order of the bytes is big endian.\nfunc (ipv6 IPv6Addr) Octets() []int {\n\tx := make([]int, IPv6len)\n\tfor i, b := range *bigIntToNetIPv6(ipv6.Address) {\n\t\tx[i] = int(b)\n\t}\n\n\treturn x\n}\n\n// String returns a string representation of the IPv6Addr\nfunc (ipv6 IPv6Addr) String() string {\n\tif ipv6.Port != 0 {\n\t\treturn fmt.Sprintf(\"[%s]:%d\", ipv6.NetIP().String(), ipv6.Port)\n\t}\n\n\tif ipv6.Maskbits() == 128 {\n\t\treturn ipv6.NetIP().String()\n\t}\n\n\treturn fmt.Sprintf(\"%s/%d\", ipv6.NetIP().String(), ipv6.Maskbits())\n}\n\n// Type is used as a type switch and returns TypeIPv6\nfunc (IPv6Addr) Type() SockAddrType {\n\treturn TypeIPv6\n}\n\n// IPv6Attrs returns a list of attributes supported by the IPv6Addr type\nfunc IPv6Attrs() []AttrName {\n\treturn ipv6AddrAttrs\n}\n\n// IPv6AddrAttr returns a string representation of an attribute for the given\n// IPv6Addr.\nfunc IPv6AddrAttr(ipv6 IPv6Addr, selector AttrName) string {\n\tfn, found := ipv6AddrAttrMap[selector]\n\tif !found {\n\t\treturn \"\"\n\t}\n\n\treturn fn(ipv6)\n}\n\n// ipv6AddrInit is called once at init()\nfunc ipv6AddrInit() {\n\t// Sorted for human readability\n\tipv6AddrAttrs = []AttrName{\n\t\t\"size\", // Same position as in IPv6 for output consistency\n\t\t\"uint128\",\n\t}\n\n\tipv6AddrAttrMap = map[AttrName]func(ipv6 IPv6Addr) string{\n\t\t\"size\": func(ipv6 IPv6Addr) string {\n\t\t\tnetSize := big.NewInt(1)\n\t\t\tnetSize = netSize.Lsh(netSize, uint(IPv6len*8-ipv6.Maskbits()))\n\t\t\treturn netSize.Text(10)\n\t\t},\n\t\t\"uint128\": func(ipv6 IPv6Addr) string {\n\t\t\tb := big.Int(*ipv6.Address)\n\t\t\treturn b.Text(10)\n\t\t},\n\t}\n}\n\n// bigIntToNetIPv6 is a helper function that correctly returns a net.IP with the\n// correctly padded values.\nfunc 
bigIntToNetIPv6(bi *big.Int) *net.IP {\n\tx := make(net.IP, IPv6len)\n\tipv6Bytes := bi.Bytes()\n\n\t// It's possible for ipv6Bytes to be less than IPv6len bytes in size.  If\n\t// they are different sizes we need to pad the size of response.\n\tif len(ipv6Bytes) < IPv6len {\n\t\tbuf := new(bytes.Buffer)\n\t\tbuf.Grow(IPv6len)\n\n\t\tfor i := len(ipv6Bytes); i < IPv6len; i++ {\n\t\t\tif err := binary.Write(buf, binary.BigEndian, byte(0)); err != nil {\n\t\t\t\tpanic(fmt.Sprintf(\"Unable to pad byte %d of input %v: %v\", i, bi, err))\n\t\t\t}\n\t\t}\n\n\t\tfor _, b := range ipv6Bytes {\n\t\t\tif err := binary.Write(buf, binary.BigEndian, b); err != nil {\n\t\t\t\tpanic(fmt.Sprintf(\"Unable to preserve endianness of input %v: %v\", bi, err))\n\t\t\t}\n\t\t}\n\n\t\tipv6Bytes = buf.Bytes()\n\t}\n\ti := copy(x, ipv6Bytes)\n\tif i != IPv6len {\n\t\tpanic(\"IPv6 wrong size\")\n\t}\n\treturn &x\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/rfc.go",
    "content": "package sockaddr\n\n// ForwardingBlacklist is a faux RFC that includes a list of non-forwardable IP\n// blocks.\nconst ForwardingBlacklist = 4294967295\nconst ForwardingBlacklistRFC = \"4294967295\"\n\n// IsRFC tests to see if an SockAddr matches the specified RFC\nfunc IsRFC(rfcNum uint, sa SockAddr) bool {\n\trfcNetMap := KnownRFCs()\n\trfcNets, ok := rfcNetMap[rfcNum]\n\tif !ok {\n\t\treturn false\n\t}\n\n\tvar contained bool\n\tfor _, rfcNet := range rfcNets {\n\t\tif rfcNet.Contains(sa) {\n\t\t\tcontained = true\n\t\t\tbreak\n\t\t}\n\t}\n\treturn contained\n}\n\n// KnownRFCs returns an initial set of known RFCs.\n//\n// NOTE (sean@): As this list evolves over time, please submit patches to keep\n// this list current.  If something isn't right, inquire, as it may just be a\n// bug on my part.  Some of the inclusions were based on my judgement as to what\n// would be a useful value (e.g. RFC3330).\n//\n// Useful resources:\n//\n// * https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml\n// * https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml\n// * https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml\nfunc KnownRFCs() map[uint]SockAddrs {\n\t// NOTE(sean@): Multiple SockAddrs per RFC lend themselves well to a\n\t// RADIX tree, but `ENOTIME`.  
Patches welcome.\n\treturn map[uint]SockAddrs{\n\t\t919: {\n\t\t\t// [RFC919] Broadcasting Internet Datagrams\n\t\t\tMustIPv4Addr(\"255.255.255.255/32\"), // [RFC1122], §7 Broadcast IP Addressing - Proposed Standards\n\t\t},\n\t\t1122: {\n\t\t\t// [RFC1122] Requirements for Internet Hosts -- Communication Layers\n\t\t\tMustIPv4Addr(\"0.0.0.0/8\"),   // [RFC1122], §3.2.1.3\n\t\t\tMustIPv4Addr(\"127.0.0.0/8\"), // [RFC1122], §3.2.1.3\n\t\t},\n\t\t1112: {\n\t\t\t// [RFC1112] Host Extensions for IP Multicasting\n\t\t\tMustIPv4Addr(\"224.0.0.0/4\"), // [RFC1112], §4 Host Group Addresses\n\t\t},\n\t\t1918: {\n\t\t\t// [RFC1918] Address Allocation for Private Internets\n\t\t\tMustIPv4Addr(\"10.0.0.0/8\"),\n\t\t\tMustIPv4Addr(\"172.16.0.0/12\"),\n\t\t\tMustIPv4Addr(\"192.168.0.0/16\"),\n\t\t},\n\t\t2544: {\n\t\t\t// [RFC2544] Benchmarking Methodology for Network\n\t\t\t// Interconnect Devices\n\t\t\tMustIPv4Addr(\"198.18.0.0/15\"),\n\t\t},\n\t\t2765: {\n\t\t\t// [RFC2765] Stateless IP/ICMP Translation Algorithm\n\t\t\t// (SIIT) (obsoleted by RFCs 6145, which itself was\n\t\t\t// later obsoleted by 7915).\n\n\t\t\t// [RFC2765], §2.1 Addresses\n\t\t\tMustIPv6Addr(\"0:0:0:0:0:ffff:0:0/96\"),\n\t\t},\n\t\t2928: {\n\t\t\t// [RFC2928] Initial IPv6 Sub-TLA ID Assignments\n\t\t\tMustIPv6Addr(\"2001::/16\"), // Superblock\n\t\t\t//MustIPv6Addr(\"2001:0000::/23\"), // IANA\n\t\t\t//MustIPv6Addr(\"2001:0200::/23\"), // APNIC\n\t\t\t//MustIPv6Addr(\"2001:0400::/23\"), // ARIN\n\t\t\t//MustIPv6Addr(\"2001:0600::/23\"), // RIPE NCC\n\t\t\t//MustIPv6Addr(\"2001:0800::/23\"), // (future assignment)\n\t\t\t// ...\n\t\t\t//MustIPv6Addr(\"2001:FE00::/23\"), // (future assignment)\n\t\t},\n\t\t3056: { // 6to4 address\n\t\t\t// [RFC3056] Connection of IPv6 Domains via IPv4 Clouds\n\n\t\t\t// [RFC3056], §2 IPv6 Prefix Allocation\n\t\t\tMustIPv6Addr(\"2002::/16\"),\n\t\t},\n\t\t3068: {\n\t\t\t// [RFC3068] An Anycast Prefix for 6to4 Relay Routers\n\t\t\t// (obsolete by RFC7526)\n\n\t\t\t// 
[RFC3068], § 6to4 Relay anycast address\n\t\t\tMustIPv4Addr(\"192.88.99.0/24\"),\n\n\t\t\t// [RFC3068], §2.5 6to4 IPv6 relay anycast address\n\t\t\t//\n\t\t\t// NOTE: /120 == 128-(32-24)\n\t\t\tMustIPv6Addr(\"2002:c058:6301::/120\"),\n\t\t},\n\t\t3171: {\n\t\t\t// [RFC3171] IANA Guidelines for IPv4 Multicast Address Assignments\n\t\t\tMustIPv4Addr(\"224.0.0.0/4\"),\n\t\t},\n\t\t3330: {\n\t\t\t// [RFC3330] Special-Use IPv4 Addresses\n\n\t\t\t// Addresses in this block refer to source hosts on\n\t\t\t// \"this\" network.  Address 0.0.0.0/32 may be used as a\n\t\t\t// source address for this host on this network; other\n\t\t\t// addresses within 0.0.0.0/8 may be used to refer to\n\t\t\t// specified hosts on this network [RFC1700, page 4].\n\t\t\tMustIPv4Addr(\"0.0.0.0/8\"),\n\n\t\t\t// 10.0.0.0/8 - This block is set aside for use in\n\t\t\t// private networks.  Its intended use is documented in\n\t\t\t// [RFC1918].  Addresses within this block should not\n\t\t\t// appear on the public Internet.\n\t\t\tMustIPv4Addr(\"10.0.0.0/8\"),\n\n\t\t\t// 14.0.0.0/8 - This block is set aside for assignments\n\t\t\t// to the international system of Public Data Networks\n\t\t\t// [RFC1700, page 181]. The registry of assignments\n\t\t\t// within this block can be accessed from the \"Public\n\t\t\t// Data Network Numbers\" link on the web page at\n\t\t\t// http://www.iana.org/numbers.html.  Addresses within\n\t\t\t// this block are assigned to users and should be\n\t\t\t// treated as such.\n\n\t\t\t// 24.0.0.0/8 - This block was allocated in early 1996\n\t\t\t// for use in provisioning IP service over cable\n\t\t\t// television systems.  
Although the IANA initially was\n\t\t\t// involved in making assignments to cable operators,\n\t\t\t// this responsibility was transferred to American\n\t\t\t// Registry for Internet Numbers (ARIN) in May 2001.\n\t\t\t// Addresses within this block are assigned in the\n\t\t\t// normal manner and should be treated as such.\n\n\t\t\t// 39.0.0.0/8 - This block was used in the \"Class A\n\t\t\t// Subnet Experiment\" that commenced in May 1995, as\n\t\t\t// documented in [RFC1797].  The experiment has been\n\t\t\t// completed and this block has been returned to the\n\t\t\t// pool of addresses reserved for future allocation or\n\t\t\t// assignment.  This block therefore no longer has a\n\t\t\t// special use and is subject to allocation to a\n\t\t\t// Regional Internet Registry for assignment in the\n\t\t\t// normal manner.\n\n\t\t\t// 127.0.0.0/8 - This block is assigned for use as the Internet host\n\t\t\t// loopback address.  A datagram sent by a higher level protocol to an\n\t\t\t// address anywhere within this block should loop back inside the host.\n\t\t\t// This is ordinarily implemented using only 127.0.0.1/32 for loopback,\n\t\t\t// but no addresses within this block should ever appear on any network\n\t\t\t// anywhere [RFC1700, page 5].\n\t\t\tMustIPv4Addr(\"127.0.0.0/8\"),\n\n\t\t\t// 128.0.0.0/16 - This block, corresponding to the\n\t\t\t// numerically lowest of the former Class B addresses,\n\t\t\t// was initially and is still reserved by the IANA.\n\t\t\t// Given the present classless nature of the IP address\n\t\t\t// space, the basis for the reservation no longer\n\t\t\t// applies and addresses in this block are subject to\n\t\t\t// future allocation to a Regional Internet Registry for\n\t\t\t// assignment in the normal manner.\n\n\t\t\t// 169.254.0.0/16 - This is the \"link local\" block.  It\n\t\t\t// is allocated for communication between hosts on a\n\t\t\t// single link.  
Hosts obtain these addresses by\n\t\t\t// auto-configuration, such as when a DHCP server may\n\t\t\t// not be found.\n\t\t\tMustIPv4Addr(\"169.254.0.0/16\"),\n\n\t\t\t// 172.16.0.0/12 - This block is set aside for use in\n\t\t\t// private networks.  Its intended use is documented in\n\t\t\t// [RFC1918].  Addresses within this block should not\n\t\t\t// appear on the public Internet.\n\t\t\tMustIPv4Addr(\"172.16.0.0/12\"),\n\n\t\t\t// 191.255.0.0/16 - This block, corresponding to the numerically highest\n\t\t\t// to the former Class B addresses, was initially and is still reserved\n\t\t\t// by the IANA.  Given the present classless nature of the IP address\n\t\t\t// space, the basis for the reservation no longer applies and addresses\n\t\t\t// in this block are subject to future allocation to a Regional Internet\n\t\t\t// Registry for assignment in the normal manner.\n\n\t\t\t// 192.0.0.0/24 - This block, corresponding to the\n\t\t\t// numerically lowest of the former Class C addresses,\n\t\t\t// was initially and is still reserved by the IANA.\n\t\t\t// Given the present classless nature of the IP address\n\t\t\t// space, the basis for the reservation no longer\n\t\t\t// applies and addresses in this block are subject to\n\t\t\t// future allocation to a Regional Internet Registry for\n\t\t\t// assignment in the normal manner.\n\n\t\t\t// 192.0.2.0/24 - This block is assigned as \"TEST-NET\" for use in\n\t\t\t// documentation and example code.  It is often used in conjunction with\n\t\t\t// domain names example.com or example.net in vendor and protocol\n\t\t\t// documentation.  
Addresses within this block should not appear on the\n\t\t\t// public Internet.\n\t\t\tMustIPv4Addr(\"192.0.2.0/24\"),\n\n\t\t\t// 192.88.99.0/24 - This block is allocated for use as 6to4 relay\n\t\t\t// anycast addresses, according to [RFC3068].\n\t\t\tMustIPv4Addr(\"192.88.99.0/24\"),\n\n\t\t\t// 192.168.0.0/16 - This block is set aside for use in private networks.\n\t\t\t// Its intended use is documented in [RFC1918].  Addresses within this\n\t\t\t// block should not appear on the public Internet.\n\t\t\tMustIPv4Addr(\"192.168.0.0/16\"),\n\n\t\t\t// 198.18.0.0/15 - This block has been allocated for use\n\t\t\t// in benchmark tests of network interconnect devices.\n\t\t\t// Its use is documented in [RFC2544].\n\t\t\tMustIPv4Addr(\"198.18.0.0/15\"),\n\n\t\t\t// 223.255.255.0/24 - This block, corresponding to the\n\t\t\t// numerically highest of the former Class C addresses,\n\t\t\t// was initially and is still reserved by the IANA.\n\t\t\t// Given the present classless nature of the IP address\n\t\t\t// space, the basis for the reservation no longer\n\t\t\t// applies and addresses in this block are subject to\n\t\t\t// future allocation to a Regional Internet Registry for\n\t\t\t// assignment in the normal manner.\n\n\t\t\t// 224.0.0.0/4 - This block, formerly known as the Class\n\t\t\t// D address space, is allocated for use in IPv4\n\t\t\t// multicast address assignments.  The IANA guidelines\n\t\t\t// for assignments from this space are described in\n\t\t\t// [RFC3171].\n\t\t\tMustIPv4Addr(\"224.0.0.0/4\"),\n\n\t\t\t// 240.0.0.0/4 - This block, formerly known as the Class E address\n\t\t\t// space, is reserved.  The \"limited broadcast\" destination address\n\t\t\t// 255.255.255.255 should never be forwarded outside the (sub-)net of\n\t\t\t// the source.  The remainder of this space is reserved\n\t\t\t// for future use.  
[RFC1700, page 4]\n\t\t\tMustIPv4Addr(\"240.0.0.0/4\"),\n\t\t},\n\t\t3849: {\n\t\t\t// [RFC3849] IPv6 Address Prefix Reserved for Documentation\n\t\t\tMustIPv6Addr(\"2001:db8::/32\"), // [RFC3849], §4 IANA Considerations\n\t\t},\n\t\t3927: {\n\t\t\t// [RFC3927] Dynamic Configuration of IPv4 Link-Local Addresses\n\t\t\tMustIPv4Addr(\"169.254.0.0/16\"), // [RFC3927], §2.1 Link-Local Address Selection\n\t\t},\n\t\t4038: {\n\t\t\t// [RFC4038] Application Aspects of IPv6 Transition\n\n\t\t\t// [RFC4038], §4.2. IPv6 Applications in a Dual-Stack Node\n\t\t\tMustIPv6Addr(\"0:0:0:0:0:ffff::/96\"),\n\t\t},\n\t\t4193: {\n\t\t\t// [RFC4193] Unique Local IPv6 Unicast Addresses\n\t\t\tMustIPv6Addr(\"fc00::/7\"),\n\t\t},\n\t\t4291: {\n\t\t\t// [RFC4291] IP Version 6 Addressing Architecture\n\n\t\t\t// [RFC4291], §2.5.2 The Unspecified Address\n\t\t\tMustIPv6Addr(\"::/128\"),\n\n\t\t\t// [RFC4291], §2.5.3 The Loopback Address\n\t\t\tMustIPv6Addr(\"::1/128\"),\n\n\t\t\t// [RFC4291], §2.5.5.1.  IPv4-Compatible IPv6 Address\n\t\t\tMustIPv6Addr(\"::/96\"),\n\n\t\t\t// [RFC4291], §2.5.5.2.  
IPv4-Mapped IPv6 Address\n\t\t\tMustIPv6Addr(\"::ffff:0:0/96\"),\n\n\t\t\t// [RFC4291], §2.5.6 Link-Local IPv6 Unicast Addresses\n\t\t\tMustIPv6Addr(\"fe80::/10\"),\n\n\t\t\t// [RFC4291], §2.5.7 Site-Local IPv6 Unicast Addresses\n\t\t\t// (deprecated)\n\t\t\tMustIPv6Addr(\"fec0::/10\"),\n\n\t\t\t// [RFC4291], §2.7 Multicast Addresses\n\t\t\tMustIPv6Addr(\"ff00::/8\"),\n\n\t\t\t// IPv6 Multicast Information.\n\t\t\t//\n\t\t\t// In the following \"table\" below, `ff0x` is replaced\n\t\t\t// with the following values depending on the scope of\n\t\t\t// the query:\n\t\t\t//\n\t\t\t// IPv6 Multicast Scopes:\n\t\t\t// * ff00/9 // reserved\n\t\t\t// * ff01/9 // interface-local\n\t\t\t// * ff02/9 // link-local\n\t\t\t// * ff03/9 // realm-local\n\t\t\t// * ff04/9 // admin-local\n\t\t\t// * ff05/9 // site-local\n\t\t\t// * ff08/9 // organization-local\n\t\t\t// * ff0e/9 // global\n\t\t\t// * ff0f/9 // reserved\n\t\t\t//\n\t\t\t// IPv6 Multicast Addresses:\n\t\t\t// * ff0x::2 // All routers\n\t\t\t// * ff02::5 // OSPFIGP\n\t\t\t// * ff02::6 // OSPFIGP Designated Routers\n\t\t\t// * ff02::9 // RIP Routers\n\t\t\t// * ff02::a // EIGRP Routers\n\t\t\t// * ff02::d // All PIM Routers\n\t\t\t// * ff02::1a // All RPL Routers\n\t\t\t// * ff0x::fb // mDNSv6\n\t\t\t// * ff0x::101 // All Network Time Protocol (NTP) servers\n\t\t\t// * ff02::1:1 // Link Name\n\t\t\t// * ff02::1:2 // All-dhcp-agents\n\t\t\t// * ff02::1:3 // Link-local Multicast Name Resolution\n\t\t\t// * ff05::1:3 // All-dhcp-servers\n\t\t\t// * ff02::1:ff00:0/104 // Solicited-node multicast address.\n\t\t\t// * ff02::2:ff00:0/104 // Node Information Queries\n\t\t},\n\t\t4380: {\n\t\t\t// [RFC4380] Teredo: Tunneling IPv6 over UDP through\n\t\t\t// Network Address Translations (NATs)\n\n\t\t\t// [RFC4380], §2.6 Global Teredo IPv6 Service Prefix\n\t\t\tMustIPv6Addr(\"2001:0000::/32\"),\n\t\t},\n\t\t4773: {\n\t\t\t// [RFC4773] Administration of the IANA Special Purpose IPv6 Address 
Block\n\t\t\tMustIPv6Addr(\"2001:0000::/23\"), // IANA\n\t\t},\n\t\t4843: {\n\t\t\t// [RFC4843] An IPv6 Prefix for Overlay Routable Cryptographic Hash Identifiers (ORCHID)\n\t\t\tMustIPv6Addr(\"2001:10::/28\"), // [RFC4843], §7 IANA Considerations\n\t\t},\n\t\t5180: {\n\t\t\t// [RFC5180] IPv6 Benchmarking Methodology for Network Interconnect Devices\n\t\t\tMustIPv6Addr(\"2001:0200::/48\"), // [RFC5180], §8 IANA Considerations\n\t\t},\n\t\t5735: {\n\t\t\t// [RFC5735] Special Use IPv4 Addresses\n\t\t\tMustIPv4Addr(\"192.0.2.0/24\"),    // TEST-NET-1\n\t\t\tMustIPv4Addr(\"198.51.100.0/24\"), // TEST-NET-2\n\t\t\tMustIPv4Addr(\"203.0.113.0/24\"),  // TEST-NET-3\n\t\t\tMustIPv4Addr(\"198.18.0.0/15\"),   // Benchmarks\n\t\t},\n\t\t5737: {\n\t\t\t// [RFC5737] IPv4 Address Blocks Reserved for Documentation\n\t\t\tMustIPv4Addr(\"192.0.2.0/24\"),    // TEST-NET-1\n\t\t\tMustIPv4Addr(\"198.51.100.0/24\"), // TEST-NET-2\n\t\t\tMustIPv4Addr(\"203.0.113.0/24\"),  // TEST-NET-3\n\t\t},\n\t\t6052: {\n\t\t\t// [RFC6052] IPv6 Addressing of IPv4/IPv6 Translators\n\t\t\tMustIPv6Addr(\"64:ff9b::/96\"), // [RFC6052], §2.1. 
Well-Known Prefix\n\t\t},\n\t\t6333: {\n\t\t\t// [RFC6333] Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion\n\t\t\tMustIPv4Addr(\"192.0.0.0/29\"), // [RFC6333], §5.7 Well-Known IPv4 Address\n\t\t},\n\t\t6598: {\n\t\t\t// [RFC6598] IANA-Reserved IPv4 Prefix for Shared Address Space\n\t\t\tMustIPv4Addr(\"100.64.0.0/10\"),\n\t\t},\n\t\t6666: {\n\t\t\t// [RFC6666] A Discard Prefix for IPv6\n\t\t\tMustIPv6Addr(\"0100::/64\"),\n\t\t},\n\t\t6890: {\n\t\t\t// [RFC6890] Special-Purpose IP Address Registries\n\n\t\t\t// From \"RFC6890 §2.2.1 Information Requirements\":\n\t\t\t/*\n\t\t\t   The IPv4 and IPv6 Special-Purpose Address Registries maintain the\n\t\t\t   following information regarding each entry:\n\n\t\t\t   o  Address Block - A block of IPv4 or IPv6 addresses that has been\n\t\t\t      registered for a special purpose.\n\n\t\t\t   o  Name - A descriptive name for the special-purpose address block.\n\n\t\t\t   o  RFC - The RFC through which the special-purpose address block was\n\t\t\t      requested.\n\n\t\t\t   o  Allocation Date - The date upon which the special-purpose address\n\t\t\t      block was allocated.\n\n\t\t\t   o  Termination Date - The date upon which the allocation is to be\n\t\t\t      terminated.  
This field is applicable for limited-use allocations\n\t\t\t      only.\n\n\t\t\t   o  Source - A boolean value indicating whether an address from the\n\t\t\t      allocated special-purpose address block is valid when used as the\n\t\t\t      source address of an IP datagram that transits two devices.\n\n\t\t\t   o  Destination - A boolean value indicating whether an address from\n\t\t\t      the allocated special-purpose address block is valid when used as\n\t\t\t      the destination address of an IP datagram that transits two\n\t\t\t      devices.\n\n\t\t\t   o  Forwardable - A boolean value indicating whether a router may\n\t\t\t      forward an IP datagram whose destination address is drawn from the\n\t\t\t      allocated special-purpose address block between external\n\t\t\t      interfaces.\n\n\t\t\t   o  Global - A boolean value indicating whether an IP datagram whose\n\t\t\t      destination address is drawn from the allocated special-purpose\n\t\t\t      address block is forwardable beyond a specified administrative\n\t\t\t      domain.\n\n\t\t\t   o  Reserved-by-Protocol - A boolean value indicating whether the\n\t\t\t      special-purpose address block is reserved by IP, itself.  
This\n\t\t\t      value is \"TRUE\" if the RFC that created the special-purpose\n\t\t\t      address block requires all compliant IP implementations to behave\n\t\t\t      in a special way when processing packets either to or from\n\t\t\t      addresses contained by the address block.\n\n\t\t\t   If the value of \"Destination\" is FALSE, the values of \"Forwardable\"\n\t\t\t   and \"Global\" must also be false.\n\t\t\t*/\n\n\t\t\t/*+----------------------+----------------------------+\n\t\t\t* | Attribute            | Value                      |\n\t\t\t* +----------------------+----------------------------+\n\t\t\t* | Address Block        | 0.0.0.0/8                  |\n\t\t\t* | Name                 | \"This host on this network\"|\n\t\t\t* | RFC                  | [RFC1122], Section 3.2.1.3 |\n\t\t\t* | Allocation Date      | September 1981             |\n\t\t\t* | Termination Date     | N/A                        |\n\t\t\t* | Source               | True                       |\n\t\t\t* | Destination          | False                      |\n\t\t\t* | Forwardable          | False                      |\n\t\t\t* | Global               | False                      |\n\t\t\t* | Reserved-by-Protocol | True                       |\n\t\t\t* +----------------------+----------------------------+*/\n\t\t\tMustIPv4Addr(\"0.0.0.0/8\"),\n\n\t\t\t/*+----------------------+---------------+\n\t\t\t* | Attribute            | Value         |\n\t\t\t* +----------------------+---------------+\n\t\t\t* | Address Block        | 10.0.0.0/8    |\n\t\t\t* | Name                 | Private-Use   |\n\t\t\t* | RFC                  | [RFC1918]     |\n\t\t\t* | Allocation Date      | February 1996 |\n\t\t\t* | Termination Date     | N/A           |\n\t\t\t* | Source               | True          |\n\t\t\t* | Destination          | True          |\n\t\t\t* | Forwardable          | True          |\n\t\t\t* | Global               | False         |\n\t\t\t* | Reserved-by-Protocol | False         
|\n\t\t\t* +----------------------+---------------+ */\n\t\t\tMustIPv4Addr(\"10.0.0.0/8\"),\n\n\t\t\t/*+----------------------+----------------------+\n\t\t\t  | Attribute            | Value                |\n\t\t\t  +----------------------+----------------------+\n\t\t\t  | Address Block        | 100.64.0.0/10        |\n\t\t\t  | Name                 | Shared Address Space |\n\t\t\t  | RFC                  | [RFC6598]            |\n\t\t\t  | Allocation Date      | April 2012           |\n\t\t\t  | Termination Date     | N/A                  |\n\t\t\t  | Source               | True                 |\n\t\t\t  | Destination          | True                 |\n\t\t\t  | Forwardable          | True                 |\n\t\t\t  | Global               | False                |\n\t\t\t  | Reserved-by-Protocol | False                |\n\t\t\t  +----------------------+----------------------+*/\n\t\t\tMustIPv4Addr(\"100.64.0.0/10\"),\n\n\t\t\t/*+----------------------+----------------------------+\n\t\t\t  | Attribute            | Value                      |\n\t\t\t  +----------------------+----------------------------+\n\t\t\t  | Address Block        | 127.0.0.0/8                |\n\t\t\t  | Name                 | Loopback                   |\n\t\t\t  | RFC                  | [RFC1122], Section 3.2.1.3 |\n\t\t\t  | Allocation Date      | September 1981             |\n\t\t\t  | Termination Date     | N/A                        |\n\t\t\t  | Source               | False [1]                  |\n\t\t\t  | Destination          | False [1]                  |\n\t\t\t  | Forwardable          | False [1]                  |\n\t\t\t  | Global               | False [1]                  |\n\t\t\t  | Reserved-by-Protocol | True                       |\n\t\t\t  +----------------------+----------------------------+*/\n\t\t\t// [1] Several protocols have been granted exceptions to\n\t\t\t// this rule.  
For examples, see [RFC4379] and\n\t\t\t// [RFC5884].\n\t\t\tMustIPv4Addr(\"127.0.0.0/8\"),\n\n\t\t\t/*+----------------------+----------------+\n\t\t\t  | Attribute            | Value          |\n\t\t\t  +----------------------+----------------+\n\t\t\t  | Address Block        | 169.254.0.0/16 |\n\t\t\t  | Name                 | Link Local     |\n\t\t\t  | RFC                  | [RFC3927]      |\n\t\t\t  | Allocation Date      | May 2005       |\n\t\t\t  | Termination Date     | N/A            |\n\t\t\t  | Source               | True           |\n\t\t\t  | Destination          | True           |\n\t\t\t  | Forwardable          | False          |\n\t\t\t  | Global               | False          |\n\t\t\t  | Reserved-by-Protocol | True           |\n\t\t\t  +----------------------+----------------+*/\n\t\t\tMustIPv4Addr(\"169.254.0.0/16\"),\n\n\t\t\t/*+----------------------+---------------+\n\t\t\t  | Attribute            | Value         |\n\t\t\t  +----------------------+---------------+\n\t\t\t  | Address Block        | 172.16.0.0/12 |\n\t\t\t  | Name                 | Private-Use   |\n\t\t\t  | RFC                  | [RFC1918]     |\n\t\t\t  | Allocation Date      | February 1996 |\n\t\t\t  | Termination Date     | N/A           |\n\t\t\t  | Source               | True          |\n\t\t\t  | Destination          | True          |\n\t\t\t  | Forwardable          | True          |\n\t\t\t  | Global               | False         |\n\t\t\t  | Reserved-by-Protocol | False         |\n\t\t\t  +----------------------+---------------+*/\n\t\t\tMustIPv4Addr(\"172.16.0.0/12\"),\n\n\t\t\t/*+----------------------+---------------------------------+\n\t\t\t  | Attribute            | Value                           |\n\t\t\t  +----------------------+---------------------------------+\n\t\t\t  | Address Block        | 192.0.0.0/24 [2]                |\n\t\t\t  | Name                 | IETF Protocol Assignments       |\n\t\t\t  | RFC                  | Section 2.1 of this document  
  |\n\t\t\t  | Allocation Date      | January 2010                    |\n\t\t\t  | Termination Date     | N/A                             |\n\t\t\t  | Source               | False                           |\n\t\t\t  | Destination          | False                           |\n\t\t\t  | Forwardable          | False                           |\n\t\t\t  | Global               | False                           |\n\t\t\t  | Reserved-by-Protocol | False                           |\n\t\t\t  +----------------------+---------------------------------+*/\n\t\t\t// [2] Not usable unless by virtue of a more specific\n\t\t\t// reservation.\n\t\t\tMustIPv4Addr(\"192.0.0.0/24\"),\n\n\t\t\t/*+----------------------+--------------------------------+\n\t\t\t  | Attribute            | Value                          |\n\t\t\t  +----------------------+--------------------------------+\n\t\t\t  | Address Block        | 192.0.0.0/29                   |\n\t\t\t  | Name                 | IPv4 Service Continuity Prefix |\n\t\t\t  | RFC                  | [RFC6333], [RFC7335]           |\n\t\t\t  | Allocation Date      | June 2011                      |\n\t\t\t  | Termination Date     | N/A                            |\n\t\t\t  | Source               | True                           |\n\t\t\t  | Destination          | True                           |\n\t\t\t  | Forwardable          | True                           |\n\t\t\t  | Global               | False                          |\n\t\t\t  | Reserved-by-Protocol | False                          |\n\t\t\t  +----------------------+--------------------------------+*/\n\t\t\tMustIPv4Addr(\"192.0.0.0/29\"),\n\n\t\t\t/*+----------------------+----------------------------+\n\t\t\t  | Attribute            | Value                      |\n\t\t\t  +----------------------+----------------------------+\n\t\t\t  | Address Block        | 192.0.2.0/24               |\n\t\t\t  | Name                 | Documentation (TEST-NET-1) |\n\t\t\t  | RFC               
   | [RFC5737]                  |\n\t\t\t  | Allocation Date      | January 2010               |\n\t\t\t  | Termination Date     | N/A                        |\n\t\t\t  | Source               | False                      |\n\t\t\t  | Destination          | False                      |\n\t\t\t  | Forwardable          | False                      |\n\t\t\t  | Global               | False                      |\n\t\t\t  | Reserved-by-Protocol | False                      |\n\t\t\t  +----------------------+----------------------------+*/\n\t\t\tMustIPv4Addr(\"192.0.2.0/24\"),\n\n\t\t\t/*+----------------------+--------------------+\n\t\t\t  | Attribute            | Value              |\n\t\t\t  +----------------------+--------------------+\n\t\t\t  | Address Block        | 192.88.99.0/24     |\n\t\t\t  | Name                 | 6to4 Relay Anycast |\n\t\t\t  | RFC                  | [RFC3068]          |\n\t\t\t  | Allocation Date      | June 2001          |\n\t\t\t  | Termination Date     | N/A                |\n\t\t\t  | Source               | True               |\n\t\t\t  | Destination          | True               |\n\t\t\t  | Forwardable          | True               |\n\t\t\t  | Global               | True               |\n\t\t\t  | Reserved-by-Protocol | False              |\n\t\t\t  +----------------------+--------------------+*/\n\t\t\tMustIPv4Addr(\"192.88.99.0/24\"),\n\n\t\t\t/*+----------------------+----------------+\n\t\t\t  | Attribute            | Value          |\n\t\t\t  +----------------------+----------------+\n\t\t\t  | Address Block        | 192.168.0.0/16 |\n\t\t\t  | Name                 | Private-Use    |\n\t\t\t  | RFC                  | [RFC1918]      |\n\t\t\t  | Allocation Date      | February 1996  |\n\t\t\t  | Termination Date     | N/A            |\n\t\t\t  | Source               | True           |\n\t\t\t  | Destination          | True           |\n\t\t\t  | Forwardable          | True           |\n\t\t\t  | Global               | False    
      |\n\t\t\t  | Reserved-by-Protocol | False          |\n\t\t\t  +----------------------+----------------+*/\n\t\t\tMustIPv4Addr(\"192.168.0.0/16\"),\n\n\t\t\t/*+----------------------+---------------+\n\t\t\t  | Attribute            | Value         |\n\t\t\t  +----------------------+---------------+\n\t\t\t  | Address Block        | 198.18.0.0/15 |\n\t\t\t  | Name                 | Benchmarking  |\n\t\t\t  | RFC                  | [RFC2544]     |\n\t\t\t  | Allocation Date      | March 1999    |\n\t\t\t  | Termination Date     | N/A           |\n\t\t\t  | Source               | True          |\n\t\t\t  | Destination          | True          |\n\t\t\t  | Forwardable          | True          |\n\t\t\t  | Global               | False         |\n\t\t\t  | Reserved-by-Protocol | False         |\n\t\t\t  +----------------------+---------------+*/\n\t\t\tMustIPv4Addr(\"198.18.0.0/15\"),\n\n\t\t\t/*+----------------------+----------------------------+\n\t\t\t  | Attribute            | Value                      |\n\t\t\t  +----------------------+----------------------------+\n\t\t\t  | Address Block        | 198.51.100.0/24            |\n\t\t\t  | Name                 | Documentation (TEST-NET-2) |\n\t\t\t  | RFC                  | [RFC5737]                  |\n\t\t\t  | Allocation Date      | January 2010               |\n\t\t\t  | Termination Date     | N/A                        |\n\t\t\t  | Source               | False                      |\n\t\t\t  | Destination          | False                      |\n\t\t\t  | Forwardable          | False                      |\n\t\t\t  | Global               | False                      |\n\t\t\t  | Reserved-by-Protocol | False                      |\n\t\t\t  +----------------------+----------------------------+*/\n\t\t\tMustIPv4Addr(\"198.51.100.0/24\"),\n\n\t\t\t/*+----------------------+----------------------------+\n\t\t\t  | Attribute            | Value                      |\n\t\t\t  
+----------------------+----------------------------+\n\t\t\t  | Address Block        | 203.0.113.0/24             |\n\t\t\t  | Name                 | Documentation (TEST-NET-3) |\n\t\t\t  | RFC                  | [RFC5737]                  |\n\t\t\t  | Allocation Date      | January 2010               |\n\t\t\t  | Termination Date     | N/A                        |\n\t\t\t  | Source               | False                      |\n\t\t\t  | Destination          | False                      |\n\t\t\t  | Forwardable          | False                      |\n\t\t\t  | Global               | False                      |\n\t\t\t  | Reserved-by-Protocol | False                      |\n\t\t\t  +----------------------+----------------------------+*/\n\t\t\tMustIPv4Addr(\"203.0.113.0/24\"),\n\n\t\t\t/*+----------------------+----------------------+\n\t\t\t  | Attribute            | Value                |\n\t\t\t  +----------------------+----------------------+\n\t\t\t  | Address Block        | 240.0.0.0/4          |\n\t\t\t  | Name                 | Reserved             |\n\t\t\t  | RFC                  | [RFC1112], Section 4 |\n\t\t\t  | Allocation Date      | August 1989          |\n\t\t\t  | Termination Date     | N/A                  |\n\t\t\t  | Source               | False                |\n\t\t\t  | Destination          | False                |\n\t\t\t  | Forwardable          | False                |\n\t\t\t  | Global               | False                |\n\t\t\t  | Reserved-by-Protocol | True                 |\n\t\t\t  +----------------------+----------------------+*/\n\t\t\tMustIPv4Addr(\"240.0.0.0/4\"),\n\n\t\t\t/*+----------------------+----------------------+\n\t\t\t  | Attribute            | Value                |\n\t\t\t  +----------------------+----------------------+\n\t\t\t  | Address Block        | 255.255.255.255/32   |\n\t\t\t  | Name                 | Limited Broadcast    |\n\t\t\t  | RFC                  | [RFC0919], Section 7 |\n\t\t\t  | Allocation 
Date      | October 1984         |\n\t\t\t  | Termination Date     | N/A                  |\n\t\t\t  | Source               | False                |\n\t\t\t  | Destination          | True                 |\n\t\t\t  | Forwardable          | False                |\n\t\t\t  | Global               | False                |\n\t\t\t  | Reserved-by-Protocol | False                |\n\t\t\t  +----------------------+----------------------+*/\n\t\t\tMustIPv4Addr(\"255.255.255.255/32\"),\n\n\t\t\t/*+----------------------+------------------+\n\t\t\t  | Attribute            | Value            |\n\t\t\t  +----------------------+------------------+\n\t\t\t  | Address Block        | ::1/128          |\n\t\t\t  | Name                 | Loopback Address |\n\t\t\t  | RFC                  | [RFC4291]        |\n\t\t\t  | Allocation Date      | February 2006    |\n\t\t\t  | Termination Date     | N/A              |\n\t\t\t  | Source               | False            |\n\t\t\t  | Destination          | False            |\n\t\t\t  | Forwardable          | False            |\n\t\t\t  | Global               | False            |\n\t\t\t  | Reserved-by-Protocol | True             |\n\t\t\t  +----------------------+------------------+*/\n\t\t\tMustIPv6Addr(\"::1/128\"),\n\n\t\t\t/*+----------------------+---------------------+\n\t\t\t  | Attribute            | Value               |\n\t\t\t  +----------------------+---------------------+\n\t\t\t  | Address Block        | ::/128              |\n\t\t\t  | Name                 | Unspecified Address |\n\t\t\t  | RFC                  | [RFC4291]           |\n\t\t\t  | Allocation Date      | February 2006       |\n\t\t\t  | Termination Date     | N/A                 |\n\t\t\t  | Source               | True                |\n\t\t\t  | Destination          | False               |\n\t\t\t  | Forwardable          | False               |\n\t\t\t  | Global               | False               |\n\t\t\t  | Reserved-by-Protocol | True                |\n\t\t\t  
+----------------------+---------------------+*/\n\t\t\tMustIPv6Addr(\"::/128\"),\n\n\t\t\t/*+----------------------+---------------------+\n\t\t\t  | Attribute            | Value               |\n\t\t\t  +----------------------+---------------------+\n\t\t\t  | Address Block        | 64:ff9b::/96        |\n\t\t\t  | Name                 | IPv4-IPv6 Translat. |\n\t\t\t  | RFC                  | [RFC6052]           |\n\t\t\t  | Allocation Date      | October 2010        |\n\t\t\t  | Termination Date     | N/A                 |\n\t\t\t  | Source               | True                |\n\t\t\t  | Destination          | True                |\n\t\t\t  | Forwardable          | True                |\n\t\t\t  | Global               | True                |\n\t\t\t  | Reserved-by-Protocol | False               |\n\t\t\t  +----------------------+---------------------+*/\n\t\t\tMustIPv6Addr(\"64:ff9b::/96\"),\n\n\t\t\t/*+----------------------+---------------------+\n\t\t\t  | Attribute            | Value               |\n\t\t\t  +----------------------+---------------------+\n\t\t\t  | Address Block        | ::ffff:0:0/96       |\n\t\t\t  | Name                 | IPv4-mapped Address |\n\t\t\t  | RFC                  | [RFC4291]           |\n\t\t\t  | Allocation Date      | February 2006       |\n\t\t\t  | Termination Date     | N/A                 |\n\t\t\t  | Source               | False               |\n\t\t\t  | Destination          | False               |\n\t\t\t  | Forwardable          | False               |\n\t\t\t  | Global               | False               |\n\t\t\t  | Reserved-by-Protocol | True                |\n\t\t\t  +----------------------+---------------------+*/\n\t\t\tMustIPv6Addr(\"::ffff:0:0/96\"),\n\n\t\t\t/*+----------------------+----------------------------+\n\t\t\t  | Attribute            | Value                      |\n\t\t\t  +----------------------+----------------------------+\n\t\t\t  | Address Block        | 100::/64                   |\n\t\t\t  
| Name                 | Discard-Only Address Block |\n\t\t\t  | RFC                  | [RFC6666]                  |\n\t\t\t  | Allocation Date      | June 2012                  |\n\t\t\t  | Termination Date     | N/A                        |\n\t\t\t  | Source               | True                       |\n\t\t\t  | Destination          | True                       |\n\t\t\t  | Forwardable          | True                       |\n\t\t\t  | Global               | False                      |\n\t\t\t  | Reserved-by-Protocol | False                      |\n\t\t\t  +----------------------+----------------------------+*/\n\t\t\tMustIPv6Addr(\"100::/64\"),\n\n\t\t\t/*+----------------------+---------------------------+\n\t\t\t  | Attribute            | Value                     |\n\t\t\t  +----------------------+---------------------------+\n\t\t\t  | Address Block        | 2001::/23                 |\n\t\t\t  | Name                 | IETF Protocol Assignments |\n\t\t\t  | RFC                  | [RFC2928]                 |\n\t\t\t  | Allocation Date      | September 2000            |\n\t\t\t  | Termination Date     | N/A                       |\n\t\t\t  | Source               | False[1]                  |\n\t\t\t  | Destination          | False[1]                  |\n\t\t\t  | Forwardable          | False[1]                  |\n\t\t\t  | Global               | False[1]                  |\n\t\t\t  | Reserved-by-Protocol | False                     |\n\t\t\t  +----------------------+---------------------------+*/\n\t\t\t// [1] Unless allowed by a more specific allocation.\n\t\t\t//\n\t\t\t// NOTE(review): the registry block in the table above is 2001::/23,\n\t\t\t// but the prefix registered below is 2001::/16, which also spans\n\t\t\t// addresses outside that block; confirm the wider mask is intended\n\t\t\t// before relying on this set for address filtering decisions.\n\t\t\tMustIPv6Addr(\"2001::/16\"),\n\n\t\t\t/*+----------------------+----------------+\n\t\t\t  | Attribute            | Value          |\n\t\t\t  +----------------------+----------------+\n\t\t\t  | Address Block        | 2001::/32      |\n\t\t\t  | Name                 | TEREDO         |\n\t\t\t  | RFC                  | [RFC4380]      |\n\t\t\t  | Allocation Date      | January 2006   |\n\t\t\t  | 
Termination Date     | N/A            |\n\t\t\t  | Source               | True           |\n\t\t\t  | Destination          | True           |\n\t\t\t  | Forwardable          | True           |\n\t\t\t  | Global               | False          |\n\t\t\t  | Reserved-by-Protocol | False          |\n\t\t\t  +----------------------+----------------+*/\n\t\t\t// Covered by previous entry, included for completeness.\n\t\t\t//\n\t\t\t// MustIPv6Addr(\"2001::/16\"),\n\n\t\t\t/*+----------------------+----------------+\n\t\t\t  | Attribute            | Value          |\n\t\t\t  +----------------------+----------------+\n\t\t\t  | Address Block        | 2001:2::/48    |\n\t\t\t  | Name                 | Benchmarking   |\n\t\t\t  | RFC                  | [RFC5180]      |\n\t\t\t  | Allocation Date      | April 2008     |\n\t\t\t  | Termination Date     | N/A            |\n\t\t\t  | Source               | True           |\n\t\t\t  | Destination          | True           |\n\t\t\t  | Forwardable          | True           |\n\t\t\t  | Global               | False          |\n\t\t\t  | Reserved-by-Protocol | False          |\n\t\t\t  +----------------------+----------------+*/\n\t\t\t// Covered by previous entry, included for completeness.\n\t\t\t//\n\t\t\t// MustIPv6Addr(\"2001:2::/48\"),\n\n\t\t\t/*+----------------------+---------------+\n\t\t\t  | Attribute            | Value         |\n\t\t\t  +----------------------+---------------+\n\t\t\t  | Address Block        | 2001:db8::/32 |\n\t\t\t  | Name                 | Documentation |\n\t\t\t  | RFC                  | [RFC3849]     |\n\t\t\t  | Allocation Date      | July 2004     |\n\t\t\t  | Termination Date     | N/A           |\n\t\t\t  | Source               | False         |\n\t\t\t  | Destination          | False         |\n\t\t\t  | Forwardable          | False         |\n\t\t\t  | Global               | False         |\n\t\t\t  | Reserved-by-Protocol | False         |\n\t\t\t  
+----------------------+---------------+*/\n\t\t\t// Covered by previous entry, included for completeness.\n\t\t\t//\n\t\t\t// MustIPv6Addr(\"2001:db8::/32\"),\n\n\t\t\t/*+----------------------+--------------+\n\t\t\t  | Attribute            | Value        |\n\t\t\t  +----------------------+--------------+\n\t\t\t  | Address Block        | 2001:10::/28 |\n\t\t\t  | Name                 | ORCHID       |\n\t\t\t  | RFC                  | [RFC4843]    |\n\t\t\t  | Allocation Date      | March 2007   |\n\t\t\t  | Termination Date     | March 2014   |\n\t\t\t  | Source               | False        |\n\t\t\t  | Destination          | False        |\n\t\t\t  | Forwardable          | False        |\n\t\t\t  | Global               | False        |\n\t\t\t  | Reserved-by-Protocol | False        |\n\t\t\t  +----------------------+--------------+*/\n\t\t\t// Covered by previous entry, included for completeness.\n\t\t\t//\n\t\t\t// MustIPv6Addr(\"2001:10::/28\"),\n\n\t\t\t/*+----------------------+---------------+\n\t\t\t  | Attribute            | Value         |\n\t\t\t  +----------------------+---------------+\n\t\t\t  | Address Block        | 2002::/16 [2] |\n\t\t\t  | Name                 | 6to4          |\n\t\t\t  | RFC                  | [RFC3056]     |\n\t\t\t  | Allocation Date      | February 2001 |\n\t\t\t  | Termination Date     | N/A           |\n\t\t\t  | Source               | True          |\n\t\t\t  | Destination          | True          |\n\t\t\t  | Forwardable          | True          |\n\t\t\t  | Global               | N/A [2]       |\n\t\t\t  | Reserved-by-Protocol | False         |\n\t\t\t  +----------------------+---------------+*/\n\t\t\t// [2] See [RFC3056] for details.\n\t\t\tMustIPv6Addr(\"2002::/16\"),\n\n\t\t\t/*+----------------------+--------------+\n\t\t\t  | Attribute            | Value        |\n\t\t\t  +----------------------+--------------+\n\t\t\t  | Address Block        | fc00::/7     |\n\t\t\t  | Name                 | Unique-Local 
|\n\t\t\t  | RFC                  | [RFC4193]    |\n\t\t\t  | Allocation Date      | October 2005 |\n\t\t\t  | Termination Date     | N/A          |\n\t\t\t  | Source               | True         |\n\t\t\t  | Destination          | True         |\n\t\t\t  | Forwardable          | True         |\n\t\t\t  | Global               | False        |\n\t\t\t  | Reserved-by-Protocol | False        |\n\t\t\t  +----------------------+--------------+*/\n\t\t\tMustIPv6Addr(\"fc00::/7\"),\n\n\t\t\t/*+----------------------+-----------------------+\n\t\t\t  | Attribute            | Value                 |\n\t\t\t  +----------------------+-----------------------+\n\t\t\t  | Address Block        | fe80::/10             |\n\t\t\t  | Name                 | Linked-Scoped Unicast |\n\t\t\t  | RFC                  | [RFC4291]             |\n\t\t\t  | Allocation Date      | February 2006         |\n\t\t\t  | Termination Date     | N/A                   |\n\t\t\t  | Source               | True                  |\n\t\t\t  | Destination          | True                  |\n\t\t\t  | Forwardable          | False                 |\n\t\t\t  | Global               | False                 |\n\t\t\t  | Reserved-by-Protocol | True                  |\n\t\t\t  +----------------------+-----------------------+*/\n\t\t\tMustIPv6Addr(\"fe80::/10\"),\n\t\t},\n\t\t7335: {\n\t\t\t// [RFC7335] IPv4 Service Continuity Prefix\n\t\t\tMustIPv4Addr(\"192.0.0.0/29\"), // [RFC7335], §6 IANA Considerations\n\t\t},\n\t\tForwardingBlacklist: { // Pseudo-RFC\n\t\t\t// Blacklist of non-forwardable IP blocks taken from RFC6890\n\t\t\t//\n\t\t\t// TODO: the attributes for forwardable should be\n\t\t\t// searchable and embedded in the main list of RFCs\n\t\t\t// 
above.\n\t\t\tMustIPv4Addr(\"0.0.0.0/8\"),\n\t\t\tMustIPv4Addr(\"127.0.0.0/8\"),\n\t\t\tMustIPv4Addr(\"169.254.0.0/16\"),\n\t\t\tMustIPv4Addr(\"192.0.0.0/24\"),\n\t\t\tMustIPv4Addr(\"192.0.2.0/24\"),\n\t\t\tMustIPv4Addr(\"198.51.100.0/24\"),\n\t\t\tMustIPv4Addr(\"203.0.113.0/24\"),\n\t\t\tMustIPv4Addr(\"240.0.0.0/4\"),\n\t\t\tMustIPv4Addr(\"255.255.255.255/32\"),\n\t\t\tMustIPv6Addr(\"::1/128\"),\n\t\t\tMustIPv6Addr(\"::/128\"),\n\t\t\tMustIPv6Addr(\"::ffff:0:0/96\"),\n\n\t\t\t// There is no way of expressing a whitelist per RFC2928\n\t\t\t// atm without creating a negative mask, which I don't\n\t\t\t// want to do atm.\n\t\t\t//MustIPv6Addr(\"2001::/23\"),\n\n\t\t\tMustIPv6Addr(\"2001:db8::/32\"),\n\t\t\tMustIPv6Addr(\"2001:10::/28\"),\n\t\t\tMustIPv6Addr(\"fe80::/10\"),\n\t\t},\n\t}\n}\n\n// VisitAllRFCs iterates over all known RFCs and calls the visitor\nfunc VisitAllRFCs(fn func(rfcNum uint, sockaddrs SockAddrs)) {\n\trfcNetMap := KnownRFCs()\n\n\t// Blacklist of faux-RFCs.  Don't show the world that we're abusing the\n\t// RFC system in this library.\n\trfcBlacklist := map[uint]struct{}{\n\t\tForwardingBlacklist: {},\n\t}\n\n\tfor rfcNum, sas := range rfcNetMap {\n\t\tif _, found := rfcBlacklist[rfcNum]; !found {\n\t\t\tfn(rfcNum, sas)\n\t\t}\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info.go",
    "content": "package sockaddr\n\nimport \"errors\"\n\nvar (\n\tErrNoInterface = errors.New(\"No default interface found (unsupported platform)\")\n\tErrNoRoute     = errors.New(\"no route info found (unsupported platform)\")\n)\n\n// RouteInterface specifies an interface for obtaining memoized route table and\n// network information from a given OS.\ntype RouteInterface interface {\n\t// GetDefaultInterfaceName returns the name of the interface that has a\n\t// default route or an error and an empty string if a problem was\n\t// encountered.\n\tGetDefaultInterfaceName() (string, error)\n}\n\ntype routeInfo struct {\n\tcmds map[string][]string\n}\n\n// VisitCommands visits each command used by the platform-specific RouteInfo\n// implementation.\nfunc (ri routeInfo) VisitCommands(fn func(name string, cmd []string)) {\n\tfor k, v := range ri.cmds {\n\t\tcmds := append([]string(nil), v...)\n\t\tfn(k, cmds)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_aix.go",
    "content": "//go:build aix\n\npackage sockaddr\n\nimport (\n\t\"errors\"\n\t\"os/exec\"\n)\n\nvar cmds map[string][]string = map[string][]string{\n\t\"route\": {\"/usr/sbin/route\", \"-n\", \"get\", \"default\"},\n}\n\n// NewRouteInfo returns an AIX-specific implementation of the RouteInfo\n// interface.\nfunc NewRouteInfo() (routeInfo, error) {\n\treturn routeInfo{\n\t\tcmds: cmds,\n\t}, nil\n}\n\n// GetDefaultInterfaceName returns the interface name attached to the default\n// route on the default interface.\nfunc (ri routeInfo) GetDefaultInterfaceName() (string, error) {\n\tout, err := exec.Command(cmds[\"route\"][0], cmds[\"route\"][1:]...).Output()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tvar ifName string\n\tif ifName, err = parseDefaultIfNameFromRoute(string(out)); err != nil {\n\t\treturn \"\", errors.New(\"No default interface found\")\n\t}\n\treturn ifName, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_android.go",
    "content": "//go:build android\n\npackage sockaddr\n\nimport (\n\t\"errors\"\n\t\"os/exec\"\n)\n\n// NewRouteInfo returns an Android-specific implementation of the RouteInfo\n// interface.\nfunc NewRouteInfo() (routeInfo, error) {\n\treturn routeInfo{\n\t\tcmds: map[string][]string{\"ip\": {\"/system/bin/ip\", \"route\", \"get\", \"8.8.8.8\"}},\n\t}, nil\n}\n\n// GetDefaultInterfaceName returns the interface name attached to the default\n// route on the default interface.\nfunc (ri routeInfo) GetDefaultInterfaceName() (string, error) {\n\tout, err := exec.Command(ri.cmds[\"ip\"][0], ri.cmds[\"ip\"][1:]...).Output()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\n\tvar ifName string\n\tif ifName, err = parseDefaultIfNameFromIPCmdAndroid(string(out)); err != nil {\n\t\treturn \"\", errors.New(\"No default interface found\")\n\t}\n\treturn ifName, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_bsd.go",
    "content": "//go:build darwin || dragonfly || freebsd || netbsd || openbsd\n// +build darwin dragonfly freebsd netbsd openbsd\n\npackage sockaddr\n\nimport \"os/exec\"\n\nvar cmds = map[string][]string{\n\t\"route\": {\"/sbin/route\", \"-n\", \"get\", \"default\"},\n}\n\n// NewRouteInfo returns a BSD-specific implementation of the RouteInfo\n// interface.\nfunc NewRouteInfo() (routeInfo, error) {\n\treturn routeInfo{\n\t\tcmds: cmds,\n\t}, nil\n}\n\n// GetDefaultInterfaceName returns the interface name attached to the default\n// route on the default interface.\nfunc (ri routeInfo) GetDefaultInterfaceName() (string, error) {\n\tout, err := exec.Command(cmds[\"route\"][0], cmds[\"route\"][1:]...).Output()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tvar ifName string\n\tif ifName, err = parseDefaultIfNameFromRoute(string(out)); err != nil {\n\t\treturn \"\", err\n\t}\n\treturn ifName, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_default.go",
    "content": "//go:build nacl || plan9 || js\n// +build nacl plan9 js\n\npackage sockaddr\n\n// getDefaultIfName is the default interface function for unsupported platforms.\nfunc getDefaultIfName() (string, error) {\n\treturn \"\", ErrNoInterface\n}\n\nfunc NewRouteInfo() (routeInfo, error) {\n\treturn routeInfo{}, ErrNoRoute\n}\n\n// GetDefaultInterfaceName returns the interface name attached to the default\n// route on the default interface.\nfunc (ri routeInfo) GetDefaultInterfaceName() (string, error) {\n\treturn \"\", ErrNoInterface\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_linux.go",
    "content": "//go:build !android\n// +build !android\n\npackage sockaddr\n\nimport (\n\t\"errors\"\n\t\"os/exec\"\n)\n\n// NewRouteInfo returns a Linux-specific implementation of the RouteInfo\n// interface.\nfunc NewRouteInfo() (routeInfo, error) {\n\t// CoreOS Container Linux moved ip to /usr/bin/ip, so look it up on\n\t// $PATH and fallback to /sbin/ip on error.\n\tpath, _ := exec.LookPath(\"ip\")\n\tif path == \"\" {\n\t\tpath = \"/sbin/ip\"\n\t}\n\n\treturn routeInfo{\n\t\tcmds: map[string][]string{\"ip\": {path, \"route\"}},\n\t}, nil\n}\n\n// GetDefaultInterfaceName returns the interface name attached to the default\n// route on the default interface.\nfunc (ri routeInfo) GetDefaultInterfaceName() (string, error) {\n\tout, err := exec.Command(ri.cmds[\"ip\"][0], ri.cmds[\"ip\"][1:]...).Output()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tvar ifName string\n\tif ifName, err = parseDefaultIfNameFromIPCmd(string(out)); err != nil {\n\t\treturn \"\", errors.New(\"No default interface found\")\n\t}\n\treturn ifName, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_solaris.go",
    "content": "//go:build solaris\n\npackage sockaddr\n\nimport (\n\t\"errors\"\n\t\"os/exec\"\n)\n\nvar cmds map[string][]string = map[string][]string{\n\t\"route\": {\"/usr/sbin/route\", \"-n\", \"get\", \"default\"},\n}\n\n// NewRouteInfo returns a Solaris-specific implementation of the RouteInfo\n// interface.\nfunc NewRouteInfo() (routeInfo, error) {\n\treturn routeInfo{\n\t\tcmds: cmds,\n\t}, nil\n}\n\n// GetDefaultInterfaceName returns the interface name attached to the default\n// route on the default interface.\nfunc (ri routeInfo) GetDefaultInterfaceName() (string, error) {\n\tout, err := exec.Command(cmds[\"route\"][0], cmds[\"route\"][1:]...).Output()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tvar ifName string\n\tif ifName, err = parseDefaultIfNameFromRoute(string(out)); err != nil {\n\t\treturn \"\", errors.New(\"No default interface found\")\n\t}\n\treturn ifName, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_test_windows.go",
    "content": "package sockaddr\n\nimport \"testing\"\n\nfunc Test_parseWindowsDefaultIfName_new_vs_old(t *testing.T) {\n\tif !hasPowershell() {\n\t\tt.Skip(\"this test requires powershell.\")\n\t\treturn\n\t}\n\tri, err := NewRouteInfo()\n\tif err != nil {\n\t\tt.Fatalf(\"bad: %v\", err)\n\t}\n\tpsVer, err1 := ri.GetDefaultInterfaceName()\n\tlegacyVer, err2 := ri.GetDefaultInterfaceNameLegacy()\n\tif err1 != nil {\n\t\tt.Errorf(\"err != nil for GetDefaultInterfaceName - %v\", err1)\n\t}\n\tif err2 != nil {\n\t\tt.Errorf(\"err != nil for GetDefaultInterfaceNameLegacy - %v\", err2)\n\t}\n\tif psVer != legacyVer {\n\t\tt.Errorf(\"got %s; want %s\", psVer, legacyVer)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_windows.go",
    "content": "package sockaddr\n\nimport (\n\t\"os/exec\"\n\t\"strings\"\n)\n\nvar cmds map[string][]string = map[string][]string{\n\t\"defaultInterface\": {\"powershell\", \"Get-NetRoute -DestinationPrefix '0.0.0.0/0' | select -ExpandProperty InterfaceAlias\"},\n\t// These commands enable GetDefaultInterfaceNameLegacy and should be removed\n\t// when it is.\n\t\"netstat\":  {\"netstat\", \"-rn\"},\n\t\"ipconfig\": {\"ipconfig\"},\n}\n\n// NewRouteInfo returns a Windows-specific implementation of the RouteInfo\n// interface.\nfunc NewRouteInfo() (routeInfo, error) {\n\treturn routeInfo{\n\t\tcmds: cmds,\n\t}, nil\n}\n\n// GetDefaultInterfaceName returns the interface name attached to the default\n// route on the default interface.\nfunc (ri routeInfo) GetDefaultInterfaceName() (string, error) {\n\tif !hasPowershell() {\n\t\t// No powershell, fallback to legacy method\n\t\t// NOTE(review): hasPowershell returns (err != nil), i.e. true when\n\t\t// exec.LookPath fails to find powershell, so this check looks\n\t\t// inverted relative to the comment above -- confirm.\n\t\treturn ri.GetDefaultInterfaceNameLegacy()\n\t}\n\n\tifNameOut, err := exec.Command(cmds[\"defaultInterface\"][0], cmds[\"defaultInterface\"][1:]...).Output()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tifName := strings.TrimSpace(string(ifNameOut[:]))\n\treturn ifName, nil\n}\n\n// GetDefaultInterfaceNameLegacy provides legacy behavior for GetDefaultInterfaceName\n// on Windows machines without powershell.\nfunc (ri routeInfo) GetDefaultInterfaceNameLegacy() (string, error) {\n\tifNameOut, err := exec.Command(cmds[\"netstat\"][0], cmds[\"netstat\"][1:]...).Output()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tipconfigOut, err := exec.Command(cmds[\"ipconfig\"][0], cmds[\"ipconfig\"][1:]...).Output()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tifName, err := parseDefaultIfNameWindows(string(ifNameOut), string(ipconfigOut))\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\treturn ifName, nil\n}\n\nfunc hasPowershell() bool {\n\t_, err := exec.LookPath(\"powershell\")\n\treturn (err != nil)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/sockaddr.go",
    "content": "package sockaddr\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"strings\"\n)\n\ntype SockAddrType int\ntype AttrName string\n\nconst (\n\tTypeUnknown SockAddrType = 0x0\n\tTypeUnix                 = 0x1\n\tTypeIPv4                 = 0x2\n\tTypeIPv6                 = 0x4\n\n\t// TypeIP is the union of TypeIPv4 and TypeIPv6\n\tTypeIP = 0x6\n)\n\ntype SockAddr interface {\n\t// CmpRFC returns 0 if SockAddr exactly matches one of the matched RFC\n\t// networks, -1 if the receiver is contained within the RFC network, or\n\t// 1 if the address is not contained within the RFC.\n\tCmpRFC(rfcNum uint, sa SockAddr) int\n\n\t// Contains returns true if the SockAddr arg is contained within the\n\t// receiver\n\tContains(SockAddr) bool\n\n\t// Equal allows for the comparison of two SockAddrs\n\tEqual(SockAddr) bool\n\n\tDialPacketArgs() (string, string)\n\tDialStreamArgs() (string, string)\n\tListenPacketArgs() (string, string)\n\tListenStreamArgs() (string, string)\n\n\t// String returns the string representation of SockAddr\n\tString() string\n\n\t// Type returns the SockAddrType\n\tType() SockAddrType\n}\n\n// sockAddrAttrMap is a map of the SockAddr type-specific attributes.\nvar sockAddrAttrMap map[AttrName]func(SockAddr) string\nvar sockAddrAttrs []AttrName\n\nfunc init() {\n\tsockAddrInit()\n}\n\n// New creates a new SockAddr from the string.  The order in which New()\n// attempts to construct a SockAddr is: IPv4Addr, IPv6Addr, SockAddrUnix.\n//\n// NOTE: New() relies on the heuristic wherein if the path begins with either a\n// '.'  or '/' character before creating a new UnixSock.  For UNIX sockets that\n// are absolute paths or are nested within a sub-directory, this works as\n// expected, however if the UNIX socket is contained in the current working\n// directory, this will fail unless the path begins with \"./\"\n// (e.g. \"./my-local-socket\").  Calls directly to NewUnixSock() do not suffer\n// this limitation.  
Invalid IP addresses such as \"256.0.0.0/-1\" will run afoul\n// of this heuristic and be assumed to be a valid UNIX socket path (which they\n// are, but it is probably not what you want and you won't realize it until you\n// stat(2) the file system to discover it doesn't exist).\nfunc NewSockAddr(s string) (SockAddr, error) {\n\tipv4Addr, err := NewIPv4Addr(s)\n\tif err == nil {\n\t\treturn ipv4Addr, nil\n\t}\n\n\tipv6Addr, err := NewIPv6Addr(s)\n\tif err == nil {\n\t\treturn ipv6Addr, nil\n\t}\n\n\t// Check to make sure the string begins with either a '.' or '/', or\n\t// contains a '/'.\n\tif len(s) > 1 && (strings.IndexAny(s[0:1], \"./\") != -1 || strings.IndexByte(s, '/') != -1) {\n\t\tunixSock, err := NewUnixSock(s)\n\t\tif err == nil {\n\t\t\treturn unixSock, nil\n\t\t}\n\t}\n\n\treturn nil, fmt.Errorf(\"Unable to convert %q to an IPv4 or IPv6 address, or a UNIX Socket\", s)\n}\n\n// ToIPAddr returns an IPAddr type or nil if the type conversion fails.\nfunc ToIPAddr(sa SockAddr) *IPAddr {\n\tipa, ok := sa.(IPAddr)\n\tif !ok {\n\t\treturn nil\n\t}\n\treturn &ipa\n}\n\n// ToIPv4Addr returns an IPv4Addr type or nil if the type conversion fails.\nfunc ToIPv4Addr(sa SockAddr) *IPv4Addr {\n\tswitch v := sa.(type) {\n\tcase IPv4Addr:\n\t\treturn &v\n\tdefault:\n\t\treturn nil\n\t}\n}\n\n// ToIPv6Addr returns an IPv6Addr type or nil if the type conversion fails.\nfunc ToIPv6Addr(sa SockAddr) *IPv6Addr {\n\tswitch v := sa.(type) {\n\tcase IPv6Addr:\n\t\treturn &v\n\tdefault:\n\t\treturn nil\n\t}\n}\n\n// ToUnixSock returns a UnixSock type or nil if the type conversion fails.\nfunc ToUnixSock(sa SockAddr) *UnixSock {\n\tswitch v := sa.(type) {\n\tcase UnixSock:\n\t\treturn &v\n\tdefault:\n\t\treturn nil\n\t}\n}\n\n// SockAddrAttr returns a string representation of an attribute for the given\n// SockAddr.\nfunc SockAddrAttr(sa SockAddr, selector AttrName) string {\n\tfn, found := sockAddrAttrMap[selector]\n\tif !found {\n\t\treturn \"\"\n\t}\n\n\treturn fn(sa)\n}\n\n// 
String() for SockAddrType returns a string representation of the\n// SockAddrType (\"IPv4\", \"IPv6\", or \"UNIX\").  Any other value, including\n// TypeUnknown and TypeIP, panics.\nfunc (sat SockAddrType) String() string {\n\tswitch sat {\n\tcase TypeIPv4:\n\t\treturn \"IPv4\"\n\tcase TypeIPv6:\n\t\treturn \"IPv6\"\n\t// There is no concrete \"IP\" type.  Leaving here as a reminder.\n\t// case TypeIP:\n\t// \treturn \"IP\"\n\tcase TypeUnix:\n\t\treturn \"UNIX\"\n\tdefault:\n\t\tpanic(\"unsupported type\")\n\t}\n}\n\n// sockAddrInit is called once at init()\nfunc sockAddrInit() {\n\tsockAddrAttrs = []AttrName{\n\t\t\"type\", // type should be first\n\t\t\"string\",\n\t}\n\n\tsockAddrAttrMap = map[AttrName]func(sa SockAddr) string{\n\t\t\"string\": func(sa SockAddr) string {\n\t\t\treturn sa.String()\n\t\t},\n\t\t\"type\": func(sa SockAddr) string {\n\t\t\treturn sa.Type().String()\n\t\t},\n\t}\n}\n\n// SockAddrAttrs returns a list of attributes supported by the SockAddr type\nfunc SockAddrAttrs() []AttrName {\n\treturn sockAddrAttrs\n}\n\n// Although this is pretty trivial to do in a program, having the logic here is\n// useful all around. Note that this marshals into a *string* -- the underlying\n// string representation of the sockaddr. If you then unmarshal into this type\n// in Go, all will work as expected, but externally you can take what comes out\n// and use the string value directly.\ntype SockAddrMarshaler struct {\n\tSockAddr\n}\n\nfunc (s *SockAddrMarshaler) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(s.SockAddr.String())\n}\n\nfunc (s *SockAddrMarshaler) UnmarshalJSON(in []byte) error {\n\tvar str string\n\terr := json.Unmarshal(in, &str)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsa, err := NewSockAddr(str)\n\tif err != nil {\n\t\treturn err\n\t}\n\ts.SockAddr = sa\n\treturn nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/sockaddrs.go",
    "content": "package sockaddr\n\nimport (\n\t\"bytes\"\n\t\"sort\"\n)\n\n// SockAddrs is a slice of SockAddrs\ntype SockAddrs []SockAddr\n\nfunc (s SockAddrs) Len() int      { return len(s) }\nfunc (s SockAddrs) Swap(i, j int) { s[i], s[j] = s[j], s[i] }\n\n// CmpAddrFunc is the function signature that must be met to be used in the\n// OrderedAddrBy multiAddrSorter\ntype CmpAddrFunc func(p1, p2 *SockAddr) int\n\n// multiAddrSorter implements the Sort interface, sorting the SockAddrs within.\ntype multiAddrSorter struct {\n\taddrs SockAddrs\n\tcmp   []CmpAddrFunc\n}\n\n// Sort sorts the argument slice according to the Cmp functions passed to\n// OrderedAddrBy.\nfunc (ms *multiAddrSorter) Sort(sockAddrs SockAddrs) {\n\tms.addrs = sockAddrs\n\tsort.Sort(ms)\n}\n\n// OrderedAddrBy sorts SockAddr by the list of sort function pointers.\nfunc OrderedAddrBy(cmpFuncs ...CmpAddrFunc) *multiAddrSorter {\n\treturn &multiAddrSorter{\n\t\tcmp: cmpFuncs,\n\t}\n}\n\n// Len is part of sort.Interface.\nfunc (ms *multiAddrSorter) Len() int {\n\treturn len(ms.addrs)\n}\n\n// Less is part of sort.Interface. It is implemented by looping along the\n// Cmp() functions until it finds a comparison that is either less than,\n// equal to, or greater than.\nfunc (ms *multiAddrSorter) Less(i, j int) bool {\n\tp, q := &ms.addrs[i], &ms.addrs[j]\n\t// Try all but the last comparison.\n\tvar k int\n\tfor k = 0; k < len(ms.cmp)-1; k++ {\n\t\tcmp := ms.cmp[k]\n\t\tx := cmp(p, q)\n\t\tswitch x {\n\t\tcase -1:\n\t\t\t// p < q, so we have a decision.\n\t\t\treturn true\n\t\tcase 1:\n\t\t\t// p > q, so we have a decision.\n\t\t\treturn false\n\t\t}\n\t\t// p == q; try the next comparison.\n\t}\n\t// All comparisons to here said \"equal\", so just return whatever the\n\t// final comparison reports.\n\tswitch ms.cmp[k](p, q) {\n\tcase -1:\n\t\treturn true\n\tcase 1:\n\t\treturn false\n\tdefault:\n\t\t// Still a tie! 
Now what?\n\t\treturn false\n\t}\n}\n\n// Swap is part of sort.Interface.\nfunc (ms *multiAddrSorter) Swap(i, j int) {\n\tms.addrs[i], ms.addrs[j] = ms.addrs[j], ms.addrs[i]\n}\n\nconst (\n\t// NOTE (sean@): These constants are here for code readability only and\n\t// are sprucing up the code for readability purposes.  Some of the\n\t// Cmp*() variants have confusing logic (especially when dealing with\n\t// mixed-type comparisons) and this, I think, has made it easier to grok\n\t// the code faster.\n\tsortReceiverBeforeArg = -1\n\tsortDeferDecision     = 0\n\tsortArgBeforeReceiver = 1\n)\n\n// AscAddress is a sorting function to sort SockAddrs by their respective\n// address type.  Non-equal types are deferred in the sort.\nfunc AscAddress(p1Ptr, p2Ptr *SockAddr) int {\n\tp1 := *p1Ptr\n\tp2 := *p2Ptr\n\n\tswitch v := p1.(type) {\n\tcase IPv4Addr:\n\t\treturn v.CmpAddress(p2)\n\tcase IPv6Addr:\n\t\treturn v.CmpAddress(p2)\n\tcase UnixSock:\n\t\treturn v.CmpAddress(p2)\n\tdefault:\n\t\treturn sortDeferDecision\n\t}\n}\n\n// AscPort is a sorting function to sort SockAddrs by their respective address\n// type.  Non-equal types are deferred in the sort.\nfunc AscPort(p1Ptr, p2Ptr *SockAddr) int {\n\tp1 := *p1Ptr\n\tp2 := *p2Ptr\n\n\tswitch v := p1.(type) {\n\tcase IPv4Addr:\n\t\treturn v.CmpPort(p2)\n\tcase IPv6Addr:\n\t\treturn v.CmpPort(p2)\n\tdefault:\n\t\treturn sortDeferDecision\n\t}\n}\n\n// AscPrivate is a sorting function to sort \"more secure\" private values before\n// \"more public\" values.  Both IPv4 and IPv6 are compared against RFC6890\n// (RFC6890 includes, and is not limited to, RFC1918 and RFC6598 for IPv4, and\n// IPv6 includes RFC4193).\nfunc AscPrivate(p1Ptr, p2Ptr *SockAddr) int {\n\tp1 := *p1Ptr\n\tp2 := *p2Ptr\n\n\tswitch v := p1.(type) {\n\tcase IPv4Addr, IPv6Addr:\n\t\treturn v.CmpRFC(6890, p2)\n\tdefault:\n\t\treturn sortDeferDecision\n\t}\n}\n\n// AscNetworkSize is a sorting function to sort SockAddrs based on their network\n// size.  
Non-equal types are deferred in the sort.\nfunc AscNetworkSize(p1Ptr, p2Ptr *SockAddr) int {\n\tp1 := *p1Ptr\n\tp2 := *p2Ptr\n\tp1Type := p1.Type()\n\tp2Type := p2.Type()\n\n\t// Network size operations on non-IP types make no sense\n\tif p1Type != p2Type && p1Type != TypeIP {\n\t\treturn sortDeferDecision\n\t}\n\n\tipA := p1.(IPAddr)\n\tipB := p2.(IPAddr)\n\n\treturn bytes.Compare([]byte(*ipA.NetIPMask()), []byte(*ipB.NetIPMask()))\n}\n\n// AscType is a sorting function to sort \"more secure\" types before\n// \"less-secure\" types.\nfunc AscType(p1Ptr, p2Ptr *SockAddr) int {\n\tp1 := *p1Ptr\n\tp2 := *p2Ptr\n\tp1Type := p1.Type()\n\tp2Type := p2.Type()\n\tswitch {\n\tcase p1Type < p2Type:\n\t\treturn sortReceiverBeforeArg\n\tcase p1Type == p2Type:\n\t\treturn sortDeferDecision\n\tcase p1Type > p2Type:\n\t\treturn sortArgBeforeReceiver\n\tdefault:\n\t\treturn sortDeferDecision\n\t}\n}\n\n// FilterByType returns two lists: a list of matched and unmatched SockAddrs\nfunc (sas SockAddrs) FilterByType(type_ SockAddrType) (matched, excluded SockAddrs) {\n\tmatched = make(SockAddrs, 0, len(sas))\n\texcluded = make(SockAddrs, 0, len(sas))\n\n\tfor _, sa := range sas {\n\t\tif sa.Type()&type_ != 0 {\n\t\t\tmatched = append(matched, sa)\n\t\t} else {\n\t\t\texcluded = append(excluded, sa)\n\t\t}\n\t}\n\treturn matched, excluded\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/unixsock.go",
    "content": "package sockaddr\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n)\n\ntype UnixSock struct {\n\tSockAddr\n\tpath string\n}\ntype UnixSocks []*UnixSock\n\n// unixAttrMap is a map of the UnixSockAddr type-specific attributes.\nvar unixAttrMap map[AttrName]func(UnixSock) string\nvar unixAttrs []AttrName\n\nfunc init() {\n\tunixAttrInit()\n}\n\n// NewUnixSock creates an UnixSock from a string path.  String can be in the\n// form of either URI-based string (e.g. `file:///etc/passwd`), an absolute\n// path (e.g. `/etc/passwd`), or a relative path (e.g. `./foo`).\nfunc NewUnixSock(s string) (ret UnixSock, err error) {\n\tret.path = s\n\treturn ret, nil\n}\n\n// Contains returns true if sa and us have the same path\nfunc (us UnixSock) Contains(sa SockAddr) bool {\n\tusb, ok := sa.(UnixSock)\n\tif !ok {\n\t\treturn false\n\t}\n\n\treturn usb.path == us.path\n}\n\n// CmpAddress follows the Cmp() standard protocol and returns:\n//\n// - -1 If the receiver should sort first because its name lexically sorts before arg\n// - 0 if the SockAddr arg is not a UnixSock, or is a UnixSock with the same path.\n// - 1 If the argument should sort first.\nfunc (us UnixSock) CmpAddress(sa SockAddr) int {\n\tusb, ok := sa.(UnixSock)\n\tif !ok {\n\t\treturn sortDeferDecision\n\t}\n\n\treturn strings.Compare(us.Path(), usb.Path())\n}\n\n// CmpRFC doesn't make sense for a Unix socket, so just return defer decision\nfunc (us UnixSock) CmpRFC(rfcNum uint, sa SockAddr) int { return sortDeferDecision }\n\n// DialPacketArgs returns the arguments required to be passed to net.DialUnix()\n// with the `unixgram` network type.\nfunc (us UnixSock) DialPacketArgs() (network, dialArgs string) {\n\treturn \"unixgram\", us.path\n}\n\n// DialStreamArgs returns the arguments required to be passed to net.DialUnix()\n// with the `unix` network type.\nfunc (us UnixSock) DialStreamArgs() (network, dialArgs string) {\n\treturn \"unix\", us.path\n}\n\n// Equal returns true if a SockAddr is equal to the 
receiving UnixSock.\nfunc (us UnixSock) Equal(sa SockAddr) bool {\n\tusb, ok := sa.(UnixSock)\n\tif !ok {\n\t\treturn false\n\t}\n\n\tif us.Path() != usb.Path() {\n\t\treturn false\n\t}\n\n\treturn true\n}\n\n// ListenPacketArgs returns the arguments required to be passed to\n// net.ListenUnixgram() with the `unixgram` network type.\nfunc (us UnixSock) ListenPacketArgs() (network, dialArgs string) {\n\treturn \"unixgram\", us.path\n}\n\n// ListenStreamArgs returns the arguments required to be passed to\n// net.ListenUnix() with the `unix` network type.\nfunc (us UnixSock) ListenStreamArgs() (network, dialArgs string) {\n\treturn \"unix\", us.path\n}\n\n// MustUnixSock is a helper method that must return an UnixSock or panic on\n// invalid input.\nfunc MustUnixSock(addr string) UnixSock {\n\tus, err := NewUnixSock(addr)\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"Unable to create a UnixSock from %+q: %v\", addr, err))\n\t}\n\treturn us\n}\n\n// Path returns the given path of the UnixSock\nfunc (us UnixSock) Path() string {\n\treturn us.path\n}\n\n// String returns the path of the UnixSock\nfunc (us UnixSock) String() string {\n\treturn fmt.Sprintf(\"%+q\", us.path)\n}\n\n// Type is used as a type switch and returns TypeUnix\nfunc (UnixSock) Type() SockAddrType {\n\treturn TypeUnix\n}\n\n// UnixSockAttrs returns a list of attributes supported by the UnixSockAddr type\nfunc UnixSockAttrs() []AttrName {\n\treturn unixAttrs\n}\n\n// UnixSockAttr returns a string representation of an attribute for the given\n// UnixSock.\nfunc UnixSockAttr(us UnixSock, attrName AttrName) string {\n\tfn, found := unixAttrMap[attrName]\n\tif !found {\n\t\treturn \"\"\n\t}\n\n\treturn fn(us)\n}\n\n// unixAttrInit is called once at init()\nfunc unixAttrInit() {\n\t// Sorted for human readability\n\tunixAttrs = []AttrName{\n\t\t\"path\",\n\t}\n\n\tunixAttrMap = map[AttrName]func(us UnixSock) string{\n\t\t\"path\": func(us UnixSock) string {\n\t\t\treturn us.Path()\n\t\t},\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/.gitignore",
    "content": "# Compiled Object files, Static and Dynamic libs (Shared Objects)\n*.o\n*.a\n*.so\n\n# Folders\n_obj\n_test\n\n# Architecture specific extensions/prefixes\n*.[568vq]\n[568vq].out\n\n*.cgo1.go\n*.cgo2.c\n_cgo_defun.c\n_cgo_gotypes.go\n_cgo_export.*\n\n_testmain.go\n\n*.exe\n*.test\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/.golangci.yml",
    "content": "linters:\n  enable:\n    - megacheck\n    - revive\n    - govet\n    - unconvert\n    - megacheck\n    - gas\n    - gocyclo\n    - dupl\n    - misspell\n    - unparam\n    - unused\n    - typecheck\n    - ineffassign\n    - stylecheck\n    - exportloopref\n    - gocritic\n    - nakedret\n    - gosimple\n    - prealloc\n  fast: false\n  disable-all: true\n\nissues:\n  exclude-rules:\n    - path: _test\\.go\n      linters:\n        - dupl\n  exclude-use-default: false\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/2q.go",
    "content": "package lru\n\nimport (\n\t\"fmt\"\n\t\"sync\"\n\n\t\"github.com/hashicorp/golang-lru/simplelru\"\n)\n\nconst (\n\t// Default2QRecentRatio is the ratio of the 2Q cache dedicated\n\t// to recently added entries that have only been accessed once.\n\tDefault2QRecentRatio = 0.25\n\n\t// Default2QGhostEntries is the default ratio of ghost\n\t// entries kept to track entries recently evicted\n\tDefault2QGhostEntries = 0.50\n)\n\n// TwoQueueCache is a thread-safe fixed size 2Q cache.\n// 2Q is an enhancement over the standard LRU cache\n// in that it tracks both frequently and recently used\n// entries separately. This avoids a burst in access to new\n// entries from evicting frequently used entries. It adds some\n// additional tracking overhead to the standard LRU cache, and is\n// computationally about 2x the cost, and adds some metadata over\n// head. The ARCCache is similar, but does not require setting any\n// parameters.\ntype TwoQueueCache struct {\n\tsize       int\n\trecentSize int\n\n\trecent      simplelru.LRUCache\n\tfrequent    simplelru.LRUCache\n\trecentEvict simplelru.LRUCache\n\tlock        sync.RWMutex\n}\n\n// New2Q creates a new TwoQueueCache using the default\n// values for the parameters.\nfunc New2Q(size int) (*TwoQueueCache, error) {\n\treturn New2QParams(size, Default2QRecentRatio, Default2QGhostEntries)\n}\n\n// New2QParams creates a new TwoQueueCache using the provided\n// parameter values.\nfunc New2QParams(size int, recentRatio, ghostRatio float64) (*TwoQueueCache, error) {\n\tif size <= 0 {\n\t\treturn nil, fmt.Errorf(\"invalid size\")\n\t}\n\tif recentRatio < 0.0 || recentRatio > 1.0 {\n\t\treturn nil, fmt.Errorf(\"invalid recent ratio\")\n\t}\n\tif ghostRatio < 0.0 || ghostRatio > 1.0 {\n\t\treturn nil, fmt.Errorf(\"invalid ghost ratio\")\n\t}\n\n\t// Determine the sub-sizes\n\trecentSize := int(float64(size) * recentRatio)\n\tevictSize := int(float64(size) * ghostRatio)\n\n\t// Allocate the LRUs\n\trecent, err := 
simplelru.NewLRU(size, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tfrequent, err := simplelru.NewLRU(size, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\trecentEvict, err := simplelru.NewLRU(evictSize, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Initialize the cache\n\tc := &TwoQueueCache{\n\t\tsize:        size,\n\t\trecentSize:  recentSize,\n\t\trecent:      recent,\n\t\tfrequent:    frequent,\n\t\trecentEvict: recentEvict,\n\t}\n\treturn c, nil\n}\n\n// Get looks up a key's value from the cache.\nfunc (c *TwoQueueCache) Get(key interface{}) (value interface{}, ok bool) {\n\tc.lock.Lock()\n\tdefer c.lock.Unlock()\n\n\t// Check if this is a frequent value\n\tif val, ok := c.frequent.Get(key); ok {\n\t\treturn val, ok\n\t}\n\n\t// If the value is contained in recent, then we\n\t// promote it to frequent\n\tif val, ok := c.recent.Peek(key); ok {\n\t\tc.recent.Remove(key)\n\t\tc.frequent.Add(key, val)\n\t\treturn val, ok\n\t}\n\n\t// No hit\n\treturn nil, false\n}\n\n// Add adds a value to the cache.\nfunc (c *TwoQueueCache) Add(key, value interface{}) {\n\tc.lock.Lock()\n\tdefer c.lock.Unlock()\n\n\t// Check if the value is frequently used already,\n\t// and just update the value\n\tif c.frequent.Contains(key) {\n\t\tc.frequent.Add(key, value)\n\t\treturn\n\t}\n\n\t// Check if the value is recently used, and promote\n\t// the value into the frequent list\n\tif c.recent.Contains(key) {\n\t\tc.recent.Remove(key)\n\t\tc.frequent.Add(key, value)\n\t\treturn\n\t}\n\n\t// If the value was recently evicted, add it to the\n\t// frequently used list\n\tif c.recentEvict.Contains(key) {\n\t\tc.ensureSpace(true)\n\t\tc.recentEvict.Remove(key)\n\t\tc.frequent.Add(key, value)\n\t\treturn\n\t}\n\n\t// Add to the recently seen list\n\tc.ensureSpace(false)\n\tc.recent.Add(key, value)\n}\n\n// ensureSpace is used to ensure we have space in the cache\nfunc (c *TwoQueueCache) ensureSpace(recentEvict bool) {\n\t// If we have space, nothing to do\n\trecentLen 
:= c.recent.Len()\n\tfreqLen := c.frequent.Len()\n\tif recentLen+freqLen < c.size {\n\t\treturn\n\t}\n\n\t// If the recent buffer is larger than\n\t// the target, evict from there\n\tif recentLen > 0 && (recentLen > c.recentSize || (recentLen == c.recentSize && !recentEvict)) {\n\t\tk, _, _ := c.recent.RemoveOldest()\n\t\tc.recentEvict.Add(k, nil)\n\t\treturn\n\t}\n\n\t// Remove from the frequent list otherwise\n\tc.frequent.RemoveOldest()\n}\n\n// Len returns the number of items in the cache.\nfunc (c *TwoQueueCache) Len() int {\n\tc.lock.RLock()\n\tdefer c.lock.RUnlock()\n\treturn c.recent.Len() + c.frequent.Len()\n}\n\n// Keys returns a slice of the keys in the cache.\n// The frequently used keys are first in the returned slice.\nfunc (c *TwoQueueCache) Keys() []interface{} {\n\tc.lock.RLock()\n\tdefer c.lock.RUnlock()\n\tk1 := c.frequent.Keys()\n\tk2 := c.recent.Keys()\n\treturn append(k1, k2...)\n}\n\n// Remove removes the provided key from the cache.\nfunc (c *TwoQueueCache) Remove(key interface{}) {\n\tc.lock.Lock()\n\tdefer c.lock.Unlock()\n\tif c.frequent.Remove(key) {\n\t\treturn\n\t}\n\tif c.recent.Remove(key) {\n\t\treturn\n\t}\n\tif c.recentEvict.Remove(key) {\n\t\treturn\n\t}\n}\n\n// Purge is used to completely clear the cache.\nfunc (c *TwoQueueCache) Purge() {\n\tc.lock.Lock()\n\tdefer c.lock.Unlock()\n\tc.recent.Purge()\n\tc.frequent.Purge()\n\tc.recentEvict.Purge()\n}\n\n// Contains is used to check if the cache contains a key\n// without updating recency or frequency.\nfunc (c *TwoQueueCache) Contains(key interface{}) bool {\n\tc.lock.RLock()\n\tdefer c.lock.RUnlock()\n\treturn c.frequent.Contains(key) || c.recent.Contains(key)\n}\n\n// Peek is used to inspect the cache value of a key\n// without updating recency or frequency.\nfunc (c *TwoQueueCache) Peek(key interface{}) (value interface{}, ok bool) {\n\tc.lock.RLock()\n\tdefer c.lock.RUnlock()\n\tif val, ok := c.frequent.Peek(key); ok {\n\t\treturn val, ok\n\t}\n\treturn 
c.recent.Peek(key)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/LICENSE",
    "content": "Copyright (c) 2014 HashiCorp, Inc.\n\nMozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. \"Contributor\"\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n\n     means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the terms of\n        a Secondary License.\n\n1.6. \"Executable Form\"\n\n     means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n\n     means a work that combines Covered Software with other material, in a\n     separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n\n     means this document.\n\n1.9. \"Licensable\"\n\n     means having the right to grant, to the maximum extent possible, whether\n     at the time of the initial grant or subsequently, any and all of the\n     rights conveyed by this License.\n\n1.10. \"Modifications\"\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
\"Patent Claims\" of a Contributor\n\n      means any patent claim(s), including without limitation, method,\n      process, and apparatus claims, in any patent Licensable by such\n      Contributor that would be infringed, but for the grant of the License,\n      by the making, using, selling, offering for sale, having made, import,\n      or transfer of either its Contributions or its Contributor Version.\n\n1.12. \"Secondary License\"\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. \"Source Code Form\"\n\n      means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, \"You\" includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, \"control\" means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or\n        as part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its\n        Contributions or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution\n     become effective for each Contribution on the date the Contributor first\n     distributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under\n     this License. No additional rights or licenses will be implied from the\n     distribution or licensing of Covered Software under this License.\n     Notwithstanding Section 2.1(b) above, no patent license is granted by a\n     Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party's\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of\n        its Contributions.\n\n     This License does not grant any rights in the trademarks, service marks,\n     or logos of any Contributor (except as may be necessary to comply with\n     the notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this\n     License (see Section 10.2) or under the terms of a Secondary License (if\n     permitted under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its\n     Contributions are its original creation(s) or it has sufficient rights to\n     grant the rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under\n     applicable copyright doctrines of fair use, fair dealing, or other\n     equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under\n     the terms of this License. You must inform recipients that the Source\n     Code Form of the Covered Software is governed by the terms of this\n     License, and how they can obtain a copy of this License. You may not\n     attempt to alter or restrict the recipients' rights in the Source Code\n     Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this\n        License, or sublicense it under different terms, provided that the\n        license for the Executable Form does not attempt to limit or alter the\n        recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for\n     the Covered Software. 
If the Larger Work is a combination of Covered\n     Software with a work governed by one or more Secondary Licenses, and the\n     Covered Software is not Incompatible With Secondary Licenses, this\n     License permits You to additionally distribute such Covered Software\n     under the terms of such Secondary License(s), so that the recipient of\n     the Larger Work may, at their option, further distribute the Covered\n     Software under the terms of either this License or such Secondary\n     License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices\n     (including copyright notices, patent notices, disclaimers of warranty, or\n     limitations of liability) contained within the Source Code Form of the\n     Covered Software, except that You may alter any license notices to the\n     extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on\n     behalf of any Contributor. You must make it absolutely clear that any\n     such warranty, support, indemnity, or liability obligation is offered by\n     You alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute,\n   judicial order, or regulation then You must: (a) comply with the terms of\n   this License to the maximum extent possible; and (b) describe the\n   limitations and the code they affect. Such description must be placed in a\n   text file included with all distributions of the Covered Software under\n   this License. Except to the extent prohibited by statute or regulation,\n   such description must be sufficiently detailed for a recipient of ordinary\n   skill to be able to understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing\n     basis, if such Contributor fails to notify You of the non-compliance by\n     some reasonable means prior to 60 days after You have come back into\n     compliance. Moreover, Your grants from a particular Contributor are\n     reinstated on an ongoing basis if such Contributor notifies You of the\n     non-compliance by some reasonable means, this is the first time You have\n     received notice of non-compliance with this License from such\n     Contributor, and You become compliant prior to 30 days after Your receipt\n     of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions,\n     counter-claims, and cross-claims) alleging that a Contributor Version\n     directly or indirectly infringes any patent, then the rights granted to\n     You by any and all Contributors for the Covered Software under Section\n     2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an \"as is\" basis,\n   without warranty of any kind, either expressed, implied, or statutory,\n   including, without limitation, warranties that the Covered Software is free\n   of defects, merchantable, fit for a particular purpose or non-infringing.\n   The entire risk as to the quality and performance of the Covered Software\n   is with You. Should any Covered Software prove defective in any respect,\n   You (not any Contributor) assume the cost of any necessary servicing,\n   repair, or correction. This disclaimer of warranty constitutes an essential\n   part of this License. No use of  any Covered Software is authorized under\n   this License except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from\n   such party's negligence to the extent applicable law prohibits such\n   limitation. Some jurisdictions do not allow the exclusion or limitation of\n   incidental or consequential damages, so this exclusion and limitation may\n   not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts\n   of a jurisdiction where the defendant maintains its principal place of\n   business and such litigation shall be governed by laws of that\n   jurisdiction, without reference to its conflict-of-law provisions. Nothing\n   in this Section shall prevent a party's ability to bring cross-claims or\n   counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject\n   matter hereof. If any provision of this License is held to be\n   unenforceable, such provision shall be reformed only to the extent\n   necessary to make it enforceable. Any law or regulation which provides that\n   the language of a contract shall be construed against the drafter shall not\n   be used to construe this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version\n      of the License under which You originally received the Covered Software,\n      or under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a\n      modified version of this License if you rename the license and remove\n      any references to the name of the license steward (except to note that\n      such modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary\n      Licenses If You choose to distribute Source Code Form that is\n      Incompatible With Secondary Licenses under the terms of this version of\n      the License, the notice described in Exhibit B of this License must be\n      attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file,\nthen You may include the notice in a location (such as a LICENSE file in a\nrelevant directory) where a recipient would be likely to look for such a\nnotice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n\n      This Source Code Form is \"Incompatible\n      With Secondary Licenses\", as defined by\n      the Mozilla Public License, v. 
2.0.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/README.md",
    "content": "golang-lru\n==========\n\nPlease upgrade to github.com/hashicorp/golang-lru/v2 for all new code as v1 will\nnot be updated anymore. The v2 version supports generics and is faster; old code\ncan specify a specific tag, e.g. github.com/hashicorp/golang-lru/v1.0.2 for\nbackwards compatibility.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/arc.go",
    "content": "package lru\n\nimport (\n\t\"sync\"\n\n\t\"github.com/hashicorp/golang-lru/simplelru\"\n)\n\n// ARCCache is a thread-safe fixed size Adaptive Replacement Cache (ARC).\n// ARC is an enhancement over the standard LRU cache in that tracks both\n// frequency and recency of use. This avoids a burst in access to new\n// entries from evicting the frequently used older entries. It adds some\n// additional tracking overhead to a standard LRU cache, computationally\n// it is roughly 2x the cost, and the extra memory overhead is linear\n// with the size of the cache. ARC has been patented by IBM, but is\n// similar to the TwoQueueCache (2Q) which requires setting parameters.\ntype ARCCache struct {\n\tsize int // Size is the total capacity of the cache\n\tp    int // P is the dynamic preference towards T1 or T2\n\n\tt1 simplelru.LRUCache // T1 is the LRU for recently accessed items\n\tb1 simplelru.LRUCache // B1 is the LRU for evictions from t1\n\n\tt2 simplelru.LRUCache // T2 is the LRU for frequently accessed items\n\tb2 simplelru.LRUCache // B2 is the LRU for evictions from t2\n\n\tlock sync.RWMutex\n}\n\n// NewARC creates an ARC of the given size\nfunc NewARC(size int) (*ARCCache, error) {\n\t// Create the sub LRUs\n\tb1, err := simplelru.NewLRU(size, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tb2, err := simplelru.NewLRU(size, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tt1, err := simplelru.NewLRU(size, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tt2, err := simplelru.NewLRU(size, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Initialize the ARC\n\tc := &ARCCache{\n\t\tsize: size,\n\t\tp:    0,\n\t\tt1:   t1,\n\t\tb1:   b1,\n\t\tt2:   t2,\n\t\tb2:   b2,\n\t}\n\treturn c, nil\n}\n\n// Get looks up a key's value from the cache.\nfunc (c *ARCCache) Get(key interface{}) (value interface{}, ok bool) {\n\tc.lock.Lock()\n\tdefer c.lock.Unlock()\n\n\t// If the value is contained in T1 (recent), then\n\t// promote it to T2 
(frequent)\n\tif val, ok := c.t1.Peek(key); ok {\n\t\tc.t1.Remove(key)\n\t\tc.t2.Add(key, val)\n\t\treturn val, ok\n\t}\n\n\t// Check if the value is contained in T2 (frequent)\n\tif val, ok := c.t2.Get(key); ok {\n\t\treturn val, ok\n\t}\n\n\t// No hit\n\treturn nil, false\n}\n\n// Add adds a value to the cache.\nfunc (c *ARCCache) Add(key, value interface{}) {\n\tc.lock.Lock()\n\tdefer c.lock.Unlock()\n\n\t// Check if the value is contained in T1 (recent), and potentially\n\t// promote it to frequent T2\n\tif c.t1.Contains(key) {\n\t\tc.t1.Remove(key)\n\t\tc.t2.Add(key, value)\n\t\treturn\n\t}\n\n\t// Check if the value is already in T2 (frequent) and update it\n\tif c.t2.Contains(key) {\n\t\tc.t2.Add(key, value)\n\t\treturn\n\t}\n\n\t// Check if this value was recently evicted as part of the\n\t// recently used list\n\tif c.b1.Contains(key) {\n\t\t// T1 set is too small, increase P appropriately\n\t\tdelta := 1\n\t\tb1Len := c.b1.Len()\n\t\tb2Len := c.b2.Len()\n\t\tif b2Len > b1Len {\n\t\t\tdelta = b2Len / b1Len\n\t\t}\n\t\tif c.p+delta >= c.size {\n\t\t\tc.p = c.size\n\t\t} else {\n\t\t\tc.p += delta\n\t\t}\n\n\t\t// Potentially need to make room in the cache\n\t\tif c.t1.Len()+c.t2.Len() >= c.size {\n\t\t\tc.replace(false)\n\t\t}\n\n\t\t// Remove from B1\n\t\tc.b1.Remove(key)\n\n\t\t// Add the key to the frequently used list\n\t\tc.t2.Add(key, value)\n\t\treturn\n\t}\n\n\t// Check if this value was recently evicted as part of the\n\t// frequently used list\n\tif c.b2.Contains(key) {\n\t\t// T2 set is too small, decrease P appropriately\n\t\tdelta := 1\n\t\tb1Len := c.b1.Len()\n\t\tb2Len := c.b2.Len()\n\t\tif b1Len > b2Len {\n\t\t\tdelta = b1Len / b2Len\n\t\t}\n\t\tif delta >= c.p {\n\t\t\tc.p = 0\n\t\t} else {\n\t\t\tc.p -= delta\n\t\t}\n\n\t\t// Potentially need to make room in the cache\n\t\tif c.t1.Len()+c.t2.Len() >= c.size {\n\t\t\tc.replace(true)\n\t\t}\n\n\t\t// Remove from B2\n\t\tc.b2.Remove(key)\n\n\t\t// Add the key to the frequently used 
list\n\t\tc.t2.Add(key, value)\n\t\treturn\n\t}\n\n\t// Potentially need to make room in the cache\n\tif c.t1.Len()+c.t2.Len() >= c.size {\n\t\tc.replace(false)\n\t}\n\n\t// Keep the size of the ghost buffers trim\n\tif c.b1.Len() > c.size-c.p {\n\t\tc.b1.RemoveOldest()\n\t}\n\tif c.b2.Len() > c.p {\n\t\tc.b2.RemoveOldest()\n\t}\n\n\t// Add to the recently seen list\n\tc.t1.Add(key, value)\n}\n\n// replace is used to adaptively evict from either T1 or T2\n// based on the current learned value of P\nfunc (c *ARCCache) replace(b2ContainsKey bool) {\n\tt1Len := c.t1.Len()\n\tif t1Len > 0 && (t1Len > c.p || (t1Len == c.p && b2ContainsKey)) {\n\t\tk, _, ok := c.t1.RemoveOldest()\n\t\tif ok {\n\t\t\tc.b1.Add(k, nil)\n\t\t}\n\t} else {\n\t\tk, _, ok := c.t2.RemoveOldest()\n\t\tif ok {\n\t\t\tc.b2.Add(k, nil)\n\t\t}\n\t}\n}\n\n// Len returns the number of cached entries\nfunc (c *ARCCache) Len() int {\n\tc.lock.RLock()\n\tdefer c.lock.RUnlock()\n\treturn c.t1.Len() + c.t2.Len()\n}\n\n// Keys returns all the cached keys\nfunc (c *ARCCache) Keys() []interface{} {\n\tc.lock.RLock()\n\tdefer c.lock.RUnlock()\n\tk1 := c.t1.Keys()\n\tk2 := c.t2.Keys()\n\treturn append(k1, k2...)\n}\n\n// Remove is used to purge a key from the cache\nfunc (c *ARCCache) Remove(key interface{}) {\n\tc.lock.Lock()\n\tdefer c.lock.Unlock()\n\tif c.t1.Remove(key) {\n\t\treturn\n\t}\n\tif c.t2.Remove(key) {\n\t\treturn\n\t}\n\tif c.b1.Remove(key) {\n\t\treturn\n\t}\n\tif c.b2.Remove(key) {\n\t\treturn\n\t}\n}\n\n// Purge is used to clear the cache\nfunc (c *ARCCache) Purge() {\n\tc.lock.Lock()\n\tdefer c.lock.Unlock()\n\tc.t1.Purge()\n\tc.t2.Purge()\n\tc.b1.Purge()\n\tc.b2.Purge()\n}\n\n// Contains is used to check if the cache contains a key\n// without updating recency or frequency.\nfunc (c *ARCCache) Contains(key interface{}) bool {\n\tc.lock.RLock()\n\tdefer c.lock.RUnlock()\n\treturn c.t1.Contains(key) || c.t2.Contains(key)\n}\n\n// Peek is used to inspect the cache value of a key\n// without 
updating recency or frequency.\nfunc (c *ARCCache) Peek(key interface{}) (value interface{}, ok bool) {\n\tc.lock.RLock()\n\tdefer c.lock.RUnlock()\n\tif val, ok := c.t1.Peek(key); ok {\n\t\treturn val, ok\n\t}\n\treturn c.t2.Peek(key)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/doc.go",
    "content": "// Package lru provides three different LRU caches of varying sophistication.\n//\n// Cache is a simple LRU cache. It is based on the\n// LRU implementation in groupcache:\n// https://github.com/golang/groupcache/tree/master/lru\n//\n// TwoQueueCache tracks frequently used and recently used entries separately.\n// This avoids a burst of accesses from taking out frequently used entries,\n// at the cost of about 2x computational overhead and some extra bookkeeping.\n//\n// ARCCache is an adaptive replacement cache. It tracks recent evictions as\n// well as recent usage in both the frequent and recent caches. Its\n// computational overhead is comparable to TwoQueueCache, but the memory\n// overhead is linear with the size of the cache.\n//\n// ARC has been patented by IBM, so do not use it if that is problematic for\n// your program.\n//\n// All caches in this package take locks while operating, and are therefore\n// thread-safe for consumers.\npackage lru\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/lru.go",
    "content": "package lru\n\nimport (\n\t\"sync\"\n\n\t\"github.com/hashicorp/golang-lru/simplelru\"\n)\n\nconst (\n\t// DefaultEvictedBufferSize defines the default buffer size to store evicted key/val\n\tDefaultEvictedBufferSize = 16\n)\n\n// Cache is a thread-safe fixed size LRU cache.\ntype Cache struct {\n\tlru                      *simplelru.LRU\n\tevictedKeys, evictedVals []interface{}\n\tonEvictedCB              func(k, v interface{})\n\tlock                     sync.RWMutex\n}\n\n// New creates an LRU of the given size.\nfunc New(size int) (*Cache, error) {\n\treturn NewWithEvict(size, nil)\n}\n\n// NewWithEvict constructs a fixed size cache with the given eviction\n// callback.\nfunc NewWithEvict(size int, onEvicted func(key, value interface{})) (c *Cache, err error) {\n\t// create a cache with default settings\n\tc = &Cache{\n\t\tonEvictedCB: onEvicted,\n\t}\n\tif onEvicted != nil {\n\t\tc.initEvictBuffers()\n\t\tonEvicted = c.onEvicted\n\t}\n\tc.lru, err = simplelru.NewLRU(size, onEvicted)\n\treturn\n}\n\nfunc (c *Cache) initEvictBuffers() {\n\tc.evictedKeys = make([]interface{}, 0, DefaultEvictedBufferSize)\n\tc.evictedVals = make([]interface{}, 0, DefaultEvictedBufferSize)\n}\n\n// onEvicted save evicted key/val and sent in externally registered callback\n// outside of critical section\nfunc (c *Cache) onEvicted(k, v interface{}) {\n\tc.evictedKeys = append(c.evictedKeys, k)\n\tc.evictedVals = append(c.evictedVals, v)\n}\n\n// Purge is used to completely clear the cache.\nfunc (c *Cache) Purge() {\n\tvar ks, vs []interface{}\n\tc.lock.Lock()\n\tc.lru.Purge()\n\tif c.onEvictedCB != nil && len(c.evictedKeys) > 0 {\n\t\tks, vs = c.evictedKeys, c.evictedVals\n\t\tc.initEvictBuffers()\n\t}\n\tc.lock.Unlock()\n\t// invoke callback outside of critical section\n\tif c.onEvictedCB != nil {\n\t\tfor i := 0; i < len(ks); i++ {\n\t\t\tc.onEvictedCB(ks[i], vs[i])\n\t\t}\n\t}\n}\n\n// Add adds a value to the cache. 
Returns true if an eviction occurred.\nfunc (c *Cache) Add(key, value interface{}) (evicted bool) {\n\tvar k, v interface{}\n\tc.lock.Lock()\n\tevicted = c.lru.Add(key, value)\n\tif c.onEvictedCB != nil && evicted {\n\t\tk, v = c.evictedKeys[0], c.evictedVals[0]\n\t\tc.evictedKeys, c.evictedVals = c.evictedKeys[:0], c.evictedVals[:0]\n\t}\n\tc.lock.Unlock()\n\tif c.onEvictedCB != nil && evicted {\n\t\tc.onEvictedCB(k, v)\n\t}\n\treturn\n}\n\n// Get looks up a key's value from the cache.\nfunc (c *Cache) Get(key interface{}) (value interface{}, ok bool) {\n\tc.lock.Lock()\n\tvalue, ok = c.lru.Get(key)\n\tc.lock.Unlock()\n\treturn value, ok\n}\n\n// Contains checks if a key is in the cache, without updating the\n// recent-ness or deleting it for being stale.\nfunc (c *Cache) Contains(key interface{}) bool {\n\tc.lock.RLock()\n\tcontainKey := c.lru.Contains(key)\n\tc.lock.RUnlock()\n\treturn containKey\n}\n\n// Peek returns the key value (or undefined if not found) without updating\n// the \"recently used\"-ness of the key.\nfunc (c *Cache) Peek(key interface{}) (value interface{}, ok bool) {\n\tc.lock.RLock()\n\tvalue, ok = c.lru.Peek(key)\n\tc.lock.RUnlock()\n\treturn value, ok\n}\n\n// ContainsOrAdd checks if a key is in the cache without updating the\n// recent-ness or deleting it for being stale, and if not, adds the value.\n// Returns whether found and whether an eviction occurred.\nfunc (c *Cache) ContainsOrAdd(key, value interface{}) (ok, evicted bool) {\n\tvar k, v interface{}\n\tc.lock.Lock()\n\tif c.lru.Contains(key) {\n\t\tc.lock.Unlock()\n\t\treturn true, false\n\t}\n\tevicted = c.lru.Add(key, value)\n\tif c.onEvictedCB != nil && evicted {\n\t\tk, v = c.evictedKeys[0], c.evictedVals[0]\n\t\tc.evictedKeys, c.evictedVals = c.evictedKeys[:0], c.evictedVals[:0]\n\t}\n\tc.lock.Unlock()\n\tif c.onEvictedCB != nil && evicted {\n\t\tc.onEvictedCB(k, v)\n\t}\n\treturn false, evicted\n}\n\n// PeekOrAdd checks if a key is in the cache without updating the\n// 
recent-ness or deleting it for being stale, and if not, adds the value.\n// Returns whether found and whether an eviction occurred.\nfunc (c *Cache) PeekOrAdd(key, value interface{}) (previous interface{}, ok, evicted bool) {\n\tvar k, v interface{}\n\tc.lock.Lock()\n\tprevious, ok = c.lru.Peek(key)\n\tif ok {\n\t\tc.lock.Unlock()\n\t\treturn previous, true, false\n\t}\n\tevicted = c.lru.Add(key, value)\n\tif c.onEvictedCB != nil && evicted {\n\t\tk, v = c.evictedKeys[0], c.evictedVals[0]\n\t\tc.evictedKeys, c.evictedVals = c.evictedKeys[:0], c.evictedVals[:0]\n\t}\n\tc.lock.Unlock()\n\tif c.onEvictedCB != nil && evicted {\n\t\tc.onEvictedCB(k, v)\n\t}\n\treturn nil, false, evicted\n}\n\n// Remove removes the provided key from the cache.\nfunc (c *Cache) Remove(key interface{}) (present bool) {\n\tvar k, v interface{}\n\tc.lock.Lock()\n\tpresent = c.lru.Remove(key)\n\tif c.onEvictedCB != nil && present {\n\t\tk, v = c.evictedKeys[0], c.evictedVals[0]\n\t\tc.evictedKeys, c.evictedVals = c.evictedKeys[:0], c.evictedVals[:0]\n\t}\n\tc.lock.Unlock()\n\tif c.onEvictedCB != nil && present {\n\t\tc.onEvictedCB(k, v)\n\t}\n\treturn\n}\n\n// Resize changes the cache size.\nfunc (c *Cache) Resize(size int) (evicted int) {\n\tvar ks, vs []interface{}\n\tc.lock.Lock()\n\tevicted = c.lru.Resize(size)\n\tif c.onEvictedCB != nil && evicted > 0 {\n\t\tks, vs = c.evictedKeys, c.evictedVals\n\t\tc.initEvictBuffers()\n\t}\n\tc.lock.Unlock()\n\tif c.onEvictedCB != nil && evicted > 0 {\n\t\tfor i := 0; i < len(ks); i++ {\n\t\t\tc.onEvictedCB(ks[i], vs[i])\n\t\t}\n\t}\n\treturn evicted\n}\n\n// RemoveOldest removes the oldest item from the cache.\nfunc (c *Cache) RemoveOldest() (key, value interface{}, ok bool) {\n\tvar k, v interface{}\n\tc.lock.Lock()\n\tkey, value, ok = c.lru.RemoveOldest()\n\tif c.onEvictedCB != nil && ok {\n\t\tk, v = c.evictedKeys[0], c.evictedVals[0]\n\t\tc.evictedKeys, c.evictedVals = c.evictedKeys[:0], c.evictedVals[:0]\n\t}\n\tc.lock.Unlock()\n\tif 
c.onEvictedCB != nil && ok {\n\t\tc.onEvictedCB(k, v)\n\t}\n\treturn\n}\n\n// GetOldest returns the oldest entry\nfunc (c *Cache) GetOldest() (key, value interface{}, ok bool) {\n\tc.lock.RLock()\n\tkey, value, ok = c.lru.GetOldest()\n\tc.lock.RUnlock()\n\treturn\n}\n\n// Keys returns a slice of the keys in the cache, from oldest to newest.\nfunc (c *Cache) Keys() []interface{} {\n\tc.lock.RLock()\n\tkeys := c.lru.Keys()\n\tc.lock.RUnlock()\n\treturn keys\n}\n\n// Len returns the number of items in the cache.\nfunc (c *Cache) Len() int {\n\tc.lock.RLock()\n\tlength := c.lru.Len()\n\tc.lock.RUnlock()\n\treturn length\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/simplelru/lru.go",
    "content": "package simplelru\n\nimport (\n\t\"container/list\"\n\t\"errors\"\n)\n\n// EvictCallback is used to get a callback when a cache entry is evicted\ntype EvictCallback func(key interface{}, value interface{})\n\n// LRU implements a non-thread safe fixed size LRU cache\ntype LRU struct {\n\tsize      int\n\tevictList *list.List\n\titems     map[interface{}]*list.Element\n\tonEvict   EvictCallback\n}\n\n// entry is used to hold a value in the evictList\ntype entry struct {\n\tkey   interface{}\n\tvalue interface{}\n}\n\n// NewLRU constructs an LRU of the given size\nfunc NewLRU(size int, onEvict EvictCallback) (*LRU, error) {\n\tif size <= 0 {\n\t\treturn nil, errors.New(\"must provide a positive size\")\n\t}\n\tc := &LRU{\n\t\tsize:      size,\n\t\tevictList: list.New(),\n\t\titems:     make(map[interface{}]*list.Element),\n\t\tonEvict:   onEvict,\n\t}\n\treturn c, nil\n}\n\n// Purge is used to completely clear the cache.\nfunc (c *LRU) Purge() {\n\tfor k, v := range c.items {\n\t\tif c.onEvict != nil {\n\t\t\tc.onEvict(k, v.Value.(*entry).value)\n\t\t}\n\t\tdelete(c.items, k)\n\t}\n\tc.evictList.Init()\n}\n\n// Add adds a value to the cache.  
Returns true if an eviction occurred.\nfunc (c *LRU) Add(key, value interface{}) (evicted bool) {\n\t// Check for existing item\n\tif ent, ok := c.items[key]; ok {\n\t\tc.evictList.MoveToFront(ent)\n\t\tent.Value.(*entry).value = value\n\t\treturn false\n\t}\n\n\t// Add new item\n\tent := &entry{key, value}\n\tentry := c.evictList.PushFront(ent)\n\tc.items[key] = entry\n\n\tevict := c.evictList.Len() > c.size\n\t// Verify size not exceeded\n\tif evict {\n\t\tc.removeOldest()\n\t}\n\treturn evict\n}\n\n// Get looks up a key's value from the cache.\nfunc (c *LRU) Get(key interface{}) (value interface{}, ok bool) {\n\tif ent, ok := c.items[key]; ok {\n\t\tc.evictList.MoveToFront(ent)\n\t\tif ent.Value.(*entry) == nil {\n\t\t\treturn nil, false\n\t\t}\n\t\treturn ent.Value.(*entry).value, true\n\t}\n\treturn\n}\n\n// Contains checks if a key is in the cache, without updating the recent-ness\n// or deleting it for being stale.\nfunc (c *LRU) Contains(key interface{}) (ok bool) {\n\t_, ok = c.items[key]\n\treturn ok\n}\n\n// Peek returns the key value (or undefined if not found) without updating\n// the \"recently used\"-ness of the key.\nfunc (c *LRU) Peek(key interface{}) (value interface{}, ok bool) {\n\tvar ent *list.Element\n\tif ent, ok = c.items[key]; ok {\n\t\treturn ent.Value.(*entry).value, true\n\t}\n\treturn nil, ok\n}\n\n// Remove removes the provided key from the cache, returning if the\n// key was contained.\nfunc (c *LRU) Remove(key interface{}) (present bool) {\n\tif ent, ok := c.items[key]; ok {\n\t\tc.removeElement(ent)\n\t\treturn true\n\t}\n\treturn false\n}\n\n// RemoveOldest removes the oldest item from the cache.\nfunc (c *LRU) RemoveOldest() (key, value interface{}, ok bool) {\n\tent := c.evictList.Back()\n\tif ent != nil {\n\t\tc.removeElement(ent)\n\t\tkv := ent.Value.(*entry)\n\t\treturn kv.key, kv.value, true\n\t}\n\treturn nil, nil, false\n}\n\n// GetOldest returns the oldest entry\nfunc (c *LRU) GetOldest() (key, value interface{}, ok bool) 
{\n\tent := c.evictList.Back()\n\tif ent != nil {\n\t\tkv := ent.Value.(*entry)\n\t\treturn kv.key, kv.value, true\n\t}\n\treturn nil, nil, false\n}\n\n// Keys returns a slice of the keys in the cache, from oldest to newest.\nfunc (c *LRU) Keys() []interface{} {\n\tkeys := make([]interface{}, len(c.items))\n\ti := 0\n\tfor ent := c.evictList.Back(); ent != nil; ent = ent.Prev() {\n\t\tkeys[i] = ent.Value.(*entry).key\n\t\ti++\n\t}\n\treturn keys\n}\n\n// Len returns the number of items in the cache.\nfunc (c *LRU) Len() int {\n\treturn c.evictList.Len()\n}\n\n// Resize changes the cache size.\nfunc (c *LRU) Resize(size int) (evicted int) {\n\tdiff := c.Len() - size\n\tif diff < 0 {\n\t\tdiff = 0\n\t}\n\tfor i := 0; i < diff; i++ {\n\t\tc.removeOldest()\n\t}\n\tc.size = size\n\treturn diff\n}\n\n// removeOldest removes the oldest item from the cache.\nfunc (c *LRU) removeOldest() {\n\tent := c.evictList.Back()\n\tif ent != nil {\n\t\tc.removeElement(ent)\n\t}\n}\n\n// removeElement is used to remove a given list element from the cache\nfunc (c *LRU) removeElement(e *list.Element) {\n\tc.evictList.Remove(e)\n\tkv := e.Value.(*entry)\n\tdelete(c.items, kv.key)\n\tif c.onEvict != nil {\n\t\tc.onEvict(kv.key, kv.value)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/simplelru/lru_interface.go",
    "content": "// Package simplelru provides a simple LRU implementation based on the built-in container/list.\npackage simplelru\n\n// LRUCache is the interface for simple LRU cache.\ntype LRUCache interface {\n\t// Adds a value to the cache, returns true if an eviction occurred and\n\t// updates the \"recently used\"-ness of the key.\n\tAdd(key, value interface{}) bool\n\n\t// Returns key's value from the cache and\n\t// updates the \"recently used\"-ness of the key. #value, isFound\n\tGet(key interface{}) (value interface{}, ok bool)\n\n\t// Checks if a key exists in cache without updating the recent-ness.\n\tContains(key interface{}) (ok bool)\n\n\t// Returns key's value without updating the \"recently used\"-ness of the key.\n\tPeek(key interface{}) (value interface{}, ok bool)\n\n\t// Removes a key from the cache.\n\tRemove(key interface{}) bool\n\n\t// Removes the oldest entry from cache.\n\tRemoveOldest() (interface{}, interface{}, bool)\n\n\t// Returns the oldest entry from the cache. #key, value, isFound\n\tGetOldest() (interface{}, interface{}, bool)\n\n\t// Returns a slice of the keys in the cache, from oldest to newest.\n\tKeys() []interface{}\n\n\t// Returns the number of items in the cache.\n\tLen() int\n\n\t// Clears all cache entries.\n\tPurge()\n\n\t// Resizes cache, returning number evicted\n\tResize(int) int\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/testing.go",
    "content": "package lru\n\nimport (\n\t\"crypto/rand\"\n\t\"math\"\n\t\"math/big\"\n\t\"testing\"\n)\n\nfunc getRand(tb testing.TB) int64 {\n\tout, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt64))\n\tif err != nil {\n\t\ttb.Fatal(err)\n\t}\n\treturn out.Int64()\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/.gitignore",
    "content": "y.output\r\n\r\n# ignore intellij files\r\n.idea\r\n*.iml\r\n*.ipr\r\n*.iws\r\n\r\n*.test\r\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/.travis.yml",
    "content": "sudo: false\n\nlanguage: go\n\ngo:\n  - 1.x\n  - tip\n\nbranches:\n  only:\n    - master\n\nscript: make test\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/LICENSE",
    "content": "Mozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. “Contributor”\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. “Contributor Version”\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor’s Contribution.\n\n1.3. “Contribution”\n\n     means Covered Software of a particular Contributor.\n\n1.4. “Covered Software”\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. “Incompatible With Secondary Licenses”\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of version\n        1.1 or earlier of the License, but not also under the terms of a\n        Secondary License.\n\n1.6. “Executable Form”\n\n     means any form of the work other than Source Code Form.\n\n1.7. “Larger Work”\n\n     means a work that combines Covered Software with other material, in a separate\n     file or files, that is not Covered Software.\n\n1.8. “License”\n\n     means this document.\n\n1.9. “Licensable”\n\n     means having the right to grant, to the maximum extent possible, whether at the\n     time of the initial grant or subsequently, any and all of the rights conveyed by\n     this License.\n\n1.10. “Modifications”\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to, deletion\n        from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
“Patent Claims” of a Contributor\n\n      means any patent claim(s), including without limitation, method, process,\n      and apparatus claims, in any patent Licensable by such Contributor that\n      would be infringed, but for the grant of the License, by the making,\n      using, selling, offering for sale, having made, import, or transfer of\n      either its Contributions or its Contributor Version.\n\n1.12. “Secondary License”\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. “Source Code Form”\n\n      means the form of the work preferred for making modifications.\n\n1.14. “You” (or “Your”)\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, “You” includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, “control” means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or as\n        part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its Contributions\n        or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution become\n     effective for each Contribution on the date the Contributor first distributes\n     such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under this\n     License. No additional rights or licenses will be implied from the distribution\n     or licensing of Covered Software under this License. Notwithstanding Section\n     2.1(b) above, no patent license is granted by a Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party’s\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of its\n        Contributions.\n\n     This License does not grant any rights in the trademarks, service marks, or\n     logos of any Contributor (except as may be necessary to comply with the\n     notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this License\n     (see Section 10.2) or under the terms of a Secondary License (if permitted\n     under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its Contributions\n     are its original creation(s) or it has sufficient rights to grant the\n     rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under applicable\n     copyright doctrines of fair use, fair dealing, or other equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under the\n     terms of this License. You must inform recipients that the Source Code Form\n     of the Covered Software is governed by the terms of this License, and how\n     they can obtain a copy of this License. You may not attempt to alter or\n     restrict the recipients’ rights in the Source Code Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this License,\n        or sublicense it under different terms, provided that the license for\n        the Executable Form does not attempt to limit or alter the recipients’\n        rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for the\n     Covered Software. 
If the Larger Work is a combination of Covered Software\n     with a work governed by one or more Secondary Licenses, and the Covered\n     Software is not Incompatible With Secondary Licenses, this License permits\n     You to additionally distribute such Covered Software under the terms of\n     such Secondary License(s), so that the recipient of the Larger Work may, at\n     their option, further distribute the Covered Software under the terms of\n     either this License or such Secondary License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices (including\n     copyright notices, patent notices, disclaimers of warranty, or limitations\n     of liability) contained within the Source Code Form of the Covered\n     Software, except that You may alter any license notices to the extent\n     required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on behalf\n     of any Contributor. You must make it absolutely clear that any such\n     warranty, support, indemnity, or liability obligation is offered by You\n     alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute, judicial\n   order, or regulation then You must: (a) comply with the terms of this License\n   to the maximum extent possible; and (b) describe the limitations and the code\n   they affect. Such description must be placed in a text file included with all\n   distributions of the Covered Software under this License. Except to the\n   extent prohibited by statute or regulation, such description must be\n   sufficiently detailed for a recipient of ordinary skill to be able to\n   understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing basis,\n     if such Contributor fails to notify You of the non-compliance by some\n     reasonable means prior to 60 days after You have come back into compliance.\n     Moreover, Your grants from a particular Contributor are reinstated on an\n     ongoing basis if such Contributor notifies You of the non-compliance by\n     some reasonable means, this is the first time You have received notice of\n     non-compliance with this License from such Contributor, and You become\n     compliant prior to 30 days after Your receipt of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions, counter-claims,\n     and cross-claims) alleging that a Contributor Version directly or\n     indirectly infringes any patent, then the rights granted to You by any and\n     all Contributors for the Covered Software under Section 2.1 of this License\n     shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an “as is” basis, without\n   warranty of any kind, either expressed, implied, or statutory, including,\n   without limitation, warranties that the Covered Software is free of defects,\n   merchantable, fit for a particular purpose or non-infringing. The entire\n   risk as to the quality and performance of the Covered Software is with You.\n   Should any Covered Software prove defective in any respect, You (not any\n   Contributor) assume the cost of any necessary servicing, repair, or\n   correction. This disclaimer of warranty constitutes an essential part of this\n   License. No use of  any Covered Software is authorized under this License\n   except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from such\n   party’s negligence to the extent applicable law prohibits such limitation.\n   Some jurisdictions do not allow the exclusion or limitation of incidental or\n   consequential damages, so this exclusion and limitation may not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts of\n   a jurisdiction where the defendant maintains its principal place of business\n   and such litigation shall be governed by laws of that jurisdiction, without\n   reference to its conflict-of-law provisions. Nothing in this Section shall\n   prevent a party’s ability to bring cross-claims or counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject matter\n   hereof. If any provision of this License is held to be unenforceable, such\n   provision shall be reformed only to the extent necessary to make it\n   enforceable. Any law or regulation which provides that the language of a\n   contract shall be construed against the drafter shall not be used to construe\n   this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version of\n      the License under which You originally received the Covered Software, or\n      under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a modified\n      version of this License if you rename the license and remove any\n      references to the name of the license steward (except to note that such\n      modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n      If You choose to distribute Source Code Form that is Incompatible With\n      Secondary Licenses under the terms of this version of the License, the\n      notice described in Exhibit B of this License must be attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file, then\nYou may include the notice in a location (such as a LICENSE file in a relevant\ndirectory) where a recipient would be likely to look for such a notice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - “Incompatible With Secondary Licenses” Notice\n\n      This Source Code Form is “Incompatible\n      With Secondary Licenses”, as defined by\n      the Mozilla Public License, v. 2.0.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/Makefile",
    "content": "TEST?=./...\r\n\r\ndefault: test\r\n\r\nfmt: generate\r\n\tgo fmt ./...\r\n\r\ntest: generate\r\n\tgo get -t ./...\r\n\tgo test $(TEST) $(TESTARGS)\r\n\r\ngenerate:\r\n\tgo generate ./...\r\n\r\nupdatedeps:\r\n\tgo get -u golang.org/x/tools/cmd/stringer\r\n\r\n.PHONY: default generate test updatedeps\r\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/README.md",
    "content": "# HCL\n\n[![GoDoc](https://godoc.org/github.com/hashicorp/hcl?status.png)](https://godoc.org/github.com/hashicorp/hcl) [![Build Status](https://travis-ci.org/hashicorp/hcl.svg?branch=master)](https://travis-ci.org/hashicorp/hcl)\n\nHCL (HashiCorp Configuration Language) is a configuration language built\nby HashiCorp. The goal of HCL is to build a structured configuration language\nthat is both human and machine friendly for use with command-line tools, but\nspecifically targeted towards DevOps tools, servers, etc.\n\nHCL is also fully JSON compatible. That is, JSON can be used as completely\nvalid input to a system expecting HCL. This helps make systems\ninteroperable with other systems.\n\nHCL is heavily inspired by\n[libucl](https://github.com/vstakhov/libucl),\nnginx configuration, and others similar.\n\n## Why?\n\nA common question when viewing HCL is to ask the question: why not\nJSON, YAML, etc.?\n\nPrior to HCL, the tools we built at [HashiCorp](http://www.hashicorp.com)\nused a variety of configuration languages from full programming languages\nsuch as Ruby to complete data structure languages such as JSON. What we\nlearned is that some people wanted human-friendly configuration languages\nand some people wanted machine-friendly languages.\n\nJSON fits a nice balance in this, but is fairly verbose and most\nimportantly doesn't support comments. With YAML, we found that beginners\nhad a really hard time determining what the actual structure was, and\nended up guessing more often than not whether to use a hyphen, colon, etc.\nin order to represent some configuration key.\n\nFull programming languages such as Ruby enable complex behavior\na configuration language shouldn't usually allow, and also force\npeople to learn some set of Ruby.\n\nBecause of this, we decided to create our own configuration language\nthat is JSON-compatible. Our configuration language (HCL) is designed\nto be written and modified by humans. 
The API for HCL allows JSON\nas an input so that it is also machine-friendly (machines can generate\nJSON instead of trying to generate HCL).\n\nOur goal with HCL is not to alienate other configuration languages.\nIt is instead to provide HCL as a specialized language for our tools,\nand JSON as the interoperability layer.\n\n## Syntax\n\nFor a complete grammar, please see the parser itself. A high-level overview\nof the syntax and grammar is listed here.\n\n  * Single line comments start with `#` or `//`\n\n  * Multi-line comments are wrapped in `/*` and `*/`. Nested block comments\n    are not allowed. A multi-line comment (also known as a block comment)\n    terminates at the first `*/` found.\n\n  * Values are assigned with the syntax `key = value` (whitespace doesn't\n    matter). The value can be any primitive: a string, number, boolean,\n    object, or list.\n\n  * Strings are double-quoted and can contain any UTF-8 characters.\n    Example: `\"Hello, World\"`\n\n  * Multi-line strings start with `<<EOF` at the end of a line, and end\n    with `EOF` on its own line ([here documents](https://en.wikipedia.org/wiki/Here_document)).\n    Any text may be used in place of `EOF`. Example:\n```\n<<FOO\nhello\nworld\nFOO\n```\n\n  * Numbers are assumed to be base 10. If you prefix a number with 0x,\n    it is treated as a hexadecimal. If it is prefixed with 0, it is\n    treated as an octal. Numbers can be in scientific notation: \"1e10\".\n\n  * Boolean values: `true`, `false`\n\n  * Arrays can be made by wrapping it in `[]`. Example:\n    `[\"foo\", \"bar\", 42]`. Arrays can contain primitives,\n    other arrays, and objects. 
As an alternative, lists\n    of objects can be created with repeated blocks, using\n    this structure:\n\n    ```hcl\n    service {\n        key = \"value\"\n    }\n\n    service {\n        key = \"value\"\n    }\n    ```\n\nObjects and nested objects are created using the structure shown below:\n\n```\nvariable \"ami\" {\n    description = \"the AMI to use\"\n}\n```\nThis would be equivalent to the following json:\n``` json\n{\n  \"variable\": {\n      \"ami\": {\n          \"description\": \"the AMI to use\"\n        }\n    }\n}\n```\n\n## Thanks\n\nThanks to:\n\n  * [@vstakhov](https://github.com/vstakhov) - The original libucl parser\n    and syntax that HCL was based off of.\n\n  * [@fatih](https://github.com/fatih) - The rewritten HCL parser\n    in pure Go (no goyacc) and support for a printer.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/appveyor.yml",
    "content": "version: \"build-{branch}-{build}\"\nimage: Visual Studio 2015\nclone_folder: c:\\gopath\\src\\github.com\\hashicorp\\hcl\nenvironment:\n  GOPATH: c:\\gopath\ninit:\n  - git config --global core.autocrlf false\ninstall:\n- cmd: >-\n    echo %Path%\n\n    go version\n\n    go env\n\n    go get -t ./...\n\nbuild_script:\n- cmd: go test -v ./...\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/decoder.go",
    "content": "package hcl\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"reflect\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/hashicorp/hcl/hcl/ast\"\n\t\"github.com/hashicorp/hcl/hcl/parser\"\n\t\"github.com/hashicorp/hcl/hcl/token\"\n)\n\n// This is the tag to use with structures to have settings for HCL\nconst tagName = \"hcl\"\n\nvar (\n\t// nodeType holds a reference to the type of ast.Node\n\tnodeType reflect.Type = findNodeType()\n)\n\n// Unmarshal accepts a byte slice as input and writes the\n// data to the value pointed to by v.\nfunc Unmarshal(bs []byte, v interface{}) error {\n\troot, err := parse(bs, false)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn DecodeObject(v, root)\n}\n\n// UnmarshalErrorOnDuplicates accepts a byte slice as input and writes the\n// data to the value pointed to by v but errors on duplicate attribute key.\nfunc UnmarshalErrorOnDuplicates(bs []byte, v interface{}) error {\n\troot, err := parse(bs, true)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn DecodeObject(v, root)\n}\n\n// Decode reads the given input and decodes it into the structure\n// given by `out`.\nfunc Decode(out interface{}, in string) error {\n\treturn decode(out, in, false)\n}\n\n// DecodeErrorOnDuplicates reads the given input and decodes it into the structure but errrors on duplicate attribute key\n// given by `out`.\nfunc DecodeErrorOnDuplicates(out interface{}, in string) error {\n\treturn decode(out, in, true)\n}\n\n// decode reads the given input and decodes it into the structure given by `out`.\n// takes in a boolean to determine if it should error on duplicate attribute\nfunc decode(out interface{}, in string, errorOnDuplicateAtributes bool) error {\n\tobj, err := parse([]byte(in), errorOnDuplicateAtributes)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn DecodeObject(out, obj)\n}\n\n// DecodeObject is a lower-level version of Decode. 
It decodes a\n// raw Object into the given output.\nfunc DecodeObject(out interface{}, n ast.Node) error {\n\tval := reflect.ValueOf(out)\n\tif val.Kind() != reflect.Ptr {\n\t\treturn errors.New(\"result must be a pointer\")\n\t}\n\n\t// If we have the file, we really decode the root node\n\tif f, ok := n.(*ast.File); ok {\n\t\tn = f.Node\n\t}\n\n\tvar d decoder\n\treturn d.decode(\"root\", n, val.Elem())\n}\n\ntype decoder struct {\n\tstack []reflect.Kind\n}\n\nfunc (d *decoder) decode(name string, node ast.Node, result reflect.Value) error {\n\tk := result\n\n\t// If we have an interface with a valid value, we use that\n\t// for the check.\n\tif result.Kind() == reflect.Interface {\n\t\telem := result.Elem()\n\t\tif elem.IsValid() {\n\t\t\tk = elem\n\t\t}\n\t}\n\n\t// Push current onto stack unless it is an interface.\n\tif k.Kind() != reflect.Interface {\n\t\td.stack = append(d.stack, k.Kind())\n\n\t\t// Schedule a pop\n\t\tdefer func() {\n\t\t\td.stack = d.stack[:len(d.stack)-1]\n\t\t}()\n\t}\n\n\tswitch k.Kind() {\n\tcase reflect.Bool:\n\t\treturn d.decodeBool(name, node, result)\n\tcase reflect.Float32, reflect.Float64:\n\t\treturn d.decodeFloat(name, node, result)\n\tcase reflect.Int, reflect.Int32, reflect.Int64:\n\t\treturn d.decodeInt(name, node, result)\n\tcase reflect.Interface:\n\t\t// When we see an interface, we make our own thing\n\t\treturn d.decodeInterface(name, node, result)\n\tcase reflect.Map:\n\t\treturn d.decodeMap(name, node, result)\n\tcase reflect.Ptr:\n\t\treturn d.decodePtr(name, node, result)\n\tcase reflect.Slice:\n\t\treturn d.decodeSlice(name, node, result)\n\tcase reflect.String:\n\t\treturn d.decodeString(name, node, result)\n\tcase reflect.Struct:\n\t\treturn d.decodeStruct(name, node, result)\n\tdefault:\n\t\treturn &parser.PosError{\n\t\t\tPos: node.Pos(),\n\t\t\tErr: fmt.Errorf(\"%s: unknown kind to decode into: %s\", name, k.Kind()),\n\t\t}\n\t}\n}\n\nfunc (d *decoder) decodeBool(name string, node ast.Node, result 
reflect.Value) error {\n\tswitch n := node.(type) {\n\tcase *ast.LiteralType:\n\t\tif n.Token.Type == token.BOOL {\n\t\t\tv, err := strconv.ParseBool(n.Token.Text)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\tresult.Set(reflect.ValueOf(v))\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn &parser.PosError{\n\t\tPos: node.Pos(),\n\t\tErr: fmt.Errorf(\"%s: unknown type %T\", name, node),\n\t}\n}\n\nfunc (d *decoder) decodeFloat(name string, node ast.Node, result reflect.Value) error {\n\tswitch n := node.(type) {\n\tcase *ast.LiteralType:\n\t\tif n.Token.Type == token.FLOAT || n.Token.Type == token.NUMBER {\n\t\t\tv, err := strconv.ParseFloat(n.Token.Text, 64)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\tresult.Set(reflect.ValueOf(v).Convert(result.Type()))\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn &parser.PosError{\n\t\tPos: node.Pos(),\n\t\tErr: fmt.Errorf(\"%s: unknown type %T\", name, node),\n\t}\n}\n\nfunc (d *decoder) decodeInt(name string, node ast.Node, result reflect.Value) error {\n\tswitch n := node.(type) {\n\tcase *ast.LiteralType:\n\t\tswitch n.Token.Type {\n\t\tcase token.NUMBER:\n\t\t\tv, err := strconv.ParseInt(n.Token.Text, 0, 0)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\tif result.Kind() == reflect.Interface {\n\t\t\t\tresult.Set(reflect.ValueOf(int(v)))\n\t\t\t} else {\n\t\t\t\tresult.SetInt(v)\n\t\t\t}\n\t\t\treturn nil\n\t\tcase token.STRING:\n\t\t\tv, err := strconv.ParseInt(n.Token.Value().(string), 0, 0)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\tif result.Kind() == reflect.Interface {\n\t\t\t\tresult.Set(reflect.ValueOf(int(v)))\n\t\t\t} else {\n\t\t\t\tresult.SetInt(v)\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn &parser.PosError{\n\t\tPos: node.Pos(),\n\t\tErr: fmt.Errorf(\"%s: unknown type %T\", name, node),\n\t}\n}\n\nfunc (d *decoder) decodeInterface(name string, node ast.Node, result reflect.Value) error {\n\t// When we see an ast.Node, we retain the value to enable 
deferred decoding.\n\t// Very useful in situations where we want to preserve ast.Node information\n\t// like Pos\n\tif result.Type() == nodeType && result.CanSet() {\n\t\tresult.Set(reflect.ValueOf(node))\n\t\treturn nil\n\t}\n\n\tvar set reflect.Value\n\tredecode := true\n\n\t// For testing types, ObjectType should just be treated as a list. We\n\t// set this to a temporary var because we want to pass in the real node.\n\ttestNode := node\n\tif ot, ok := node.(*ast.ObjectType); ok {\n\t\ttestNode = ot.List\n\t}\n\n\tswitch n := testNode.(type) {\n\tcase *ast.ObjectList:\n\t\t// If we're at the root or we're directly within a slice, then we\n\t\t// decode objects into map[string]interface{}, otherwise we decode\n\t\t// them into lists.\n\t\tif len(d.stack) == 0 || d.stack[len(d.stack)-1] == reflect.Slice {\n\t\t\tvar temp map[string]interface{}\n\t\t\ttempVal := reflect.ValueOf(temp)\n\t\t\tresult := reflect.MakeMap(\n\t\t\t\treflect.MapOf(\n\t\t\t\t\treflect.TypeOf(\"\"),\n\t\t\t\t\ttempVal.Type().Elem()))\n\n\t\t\tset = result\n\t\t} else {\n\t\t\tvar temp []map[string]interface{}\n\t\t\ttempVal := reflect.ValueOf(temp)\n\t\t\tresult := reflect.MakeSlice(\n\t\t\t\treflect.SliceOf(tempVal.Type().Elem()), 0, len(n.Items))\n\t\t\tset = result\n\t\t}\n\tcase *ast.ObjectType:\n\t\t// If we're at the root or we're directly within a slice, then we\n\t\t// decode objects into map[string]interface{}, otherwise we decode\n\t\t// them into lists.\n\t\tif len(d.stack) == 0 || d.stack[len(d.stack)-1] == reflect.Slice {\n\t\t\tvar temp map[string]interface{}\n\t\t\ttempVal := reflect.ValueOf(temp)\n\t\t\tresult := reflect.MakeMap(\n\t\t\t\treflect.MapOf(\n\t\t\t\t\treflect.TypeOf(\"\"),\n\t\t\t\t\ttempVal.Type().Elem()))\n\n\t\t\tset = result\n\t\t} else {\n\t\t\tvar temp []map[string]interface{}\n\t\t\ttempVal := reflect.ValueOf(temp)\n\t\t\tresult := reflect.MakeSlice(\n\t\t\t\treflect.SliceOf(tempVal.Type().Elem()), 0, 1)\n\t\t\tset = result\n\t\t}\n\tcase 
*ast.ListType:\n\t\tvar temp []interface{}\n\t\ttempVal := reflect.ValueOf(temp)\n\t\tresult := reflect.MakeSlice(\n\t\t\treflect.SliceOf(tempVal.Type().Elem()), 0, 0)\n\t\tset = result\n\tcase *ast.LiteralType:\n\t\tswitch n.Token.Type {\n\t\tcase token.BOOL:\n\t\t\tvar result bool\n\t\t\tset = reflect.Indirect(reflect.New(reflect.TypeOf(result)))\n\t\tcase token.FLOAT:\n\t\t\tvar result float64\n\t\t\tset = reflect.Indirect(reflect.New(reflect.TypeOf(result)))\n\t\tcase token.NUMBER:\n\t\t\tvar result int\n\t\t\tset = reflect.Indirect(reflect.New(reflect.TypeOf(result)))\n\t\tcase token.STRING, token.HEREDOC:\n\t\t\tset = reflect.Indirect(reflect.New(reflect.TypeOf(\"\")))\n\t\tdefault:\n\t\t\treturn &parser.PosError{\n\t\t\t\tPos: node.Pos(),\n\t\t\t\tErr: fmt.Errorf(\"%s: cannot decode into interface: %T\", name, node),\n\t\t\t}\n\t\t}\n\tdefault:\n\t\treturn fmt.Errorf(\n\t\t\t\"%s: cannot decode into interface: %T\",\n\t\t\tname, node)\n\t}\n\n\t// Set the result to what its supposed to be, then reset\n\t// result so we don't reflect into this method anymore.\n\tresult.Set(set)\n\n\tif redecode {\n\t\t// Revisit the node so that we can use the newly instantiated\n\t\t// thing and populate it.\n\t\tif err := d.decode(name, node, result); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (d *decoder) decodeMap(name string, node ast.Node, result reflect.Value) error {\n\tif item, ok := node.(*ast.ObjectItem); ok {\n\t\tnode = &ast.ObjectList{Items: []*ast.ObjectItem{item}}\n\t}\n\n\tif ot, ok := node.(*ast.ObjectType); ok {\n\t\tnode = ot.List\n\t}\n\n\tn, ok := node.(*ast.ObjectList)\n\tif !ok {\n\t\treturn &parser.PosError{\n\t\t\tPos: node.Pos(),\n\t\t\tErr: fmt.Errorf(\"%s: not an object type for map (%T)\", name, node),\n\t\t}\n\t}\n\n\t// If we have an interface, then we can address the interface,\n\t// but not the slice itself, so get the element but set the interface\n\tset := result\n\tif result.Kind() == reflect.Interface 
{\n\t\tresult = result.Elem()\n\t}\n\n\tresultType := result.Type()\n\tresultElemType := resultType.Elem()\n\tresultKeyType := resultType.Key()\n\tif resultKeyType.Kind() != reflect.String {\n\t\treturn &parser.PosError{\n\t\t\tPos: node.Pos(),\n\t\t\tErr: fmt.Errorf(\"%s: map must have string keys\", name),\n\t\t}\n\t}\n\n\t// Make a map if it is nil\n\tresultMap := result\n\tif result.IsNil() {\n\t\tresultMap = reflect.MakeMap(\n\t\t\treflect.MapOf(resultKeyType, resultElemType))\n\t}\n\n\t// Go through each element and decode it.\n\tdone := make(map[string]struct{})\n\tfor _, item := range n.Items {\n\t\tif item.Val == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\t// github.com/hashicorp/terraform/issue/5740\n\t\tif len(item.Keys) == 0 {\n\t\t\treturn &parser.PosError{\n\t\t\t\tPos: node.Pos(),\n\t\t\t\tErr: fmt.Errorf(\"%s: map must have string keys\", name),\n\t\t\t}\n\t\t}\n\n\t\t// Get the key we're dealing with, which is the first item\n\t\tkeyStr := item.Keys[0].Token.Value().(string)\n\n\t\t// If we've already processed this key, then ignore it\n\t\tif _, ok := done[keyStr]; ok {\n\t\t\tcontinue\n\t\t}\n\n\t\t// Determine the value. 
If we have more than one key, then we\n\t\t// get the objectlist of only these keys.\n\t\titemVal := item.Val\n\t\tif len(item.Keys) > 1 {\n\t\t\titemVal = n.Filter(keyStr)\n\t\t\tdone[keyStr] = struct{}{}\n\t\t}\n\n\t\t// Make the field name\n\t\tfieldName := fmt.Sprintf(\"%s.%s\", name, keyStr)\n\n\t\t// Get the key/value as reflection values\n\t\tkey := reflect.ValueOf(keyStr)\n\t\tval := reflect.Indirect(reflect.New(resultElemType))\n\n\t\t// If we have a pre-existing value in the map, use that\n\t\toldVal := resultMap.MapIndex(key)\n\t\tif oldVal.IsValid() {\n\t\t\tval.Set(oldVal)\n\t\t}\n\n\t\t// Decode!\n\t\tif err := d.decode(fieldName, itemVal, val); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\t// Set the value on the map\n\t\tresultMap.SetMapIndex(key, val)\n\t}\n\n\t// Set the final map if we can\n\tset.Set(resultMap)\n\n\treturn nil\n}\n\nfunc (d *decoder) decodePtr(name string, node ast.Node, result reflect.Value) error {\n\t// if pointer is not nil, decode into existing value\n\tif !result.IsNil() {\n\t\treturn d.decode(name, node, result.Elem())\n\t}\n\n\t// Create an element of the concrete (non pointer) type and decode\n\t// into that. 
Then set the value of the pointer to this type.\n\tresultType := result.Type()\n\tresultElemType := resultType.Elem()\n\tval := reflect.New(resultElemType)\n\tif err := d.decode(name, node, reflect.Indirect(val)); err != nil {\n\t\treturn err\n\t}\n\n\tresult.Set(val)\n\treturn nil\n}\n\nfunc (d *decoder) decodeSlice(name string, node ast.Node, result reflect.Value) error {\n\t// If we have an interface, then we can address the interface,\n\t// but not the slice itself, so get the element but set the interface\n\tset := result\n\tif result.Kind() == reflect.Interface {\n\t\tresult = result.Elem()\n\t}\n\t// Create the slice if it isn't nil\n\tresultType := result.Type()\n\tresultElemType := resultType.Elem()\n\tif result.IsNil() {\n\t\tresultSliceType := reflect.SliceOf(resultElemType)\n\t\tresult = reflect.MakeSlice(\n\t\t\tresultSliceType, 0, 0)\n\t}\n\n\t// Figure out the items we'll be copying into the slice\n\tvar items []ast.Node\n\tswitch n := node.(type) {\n\tcase *ast.ObjectList:\n\t\titems = make([]ast.Node, len(n.Items))\n\t\tfor i, item := range n.Items {\n\t\t\titems[i] = item\n\t\t}\n\tcase *ast.ObjectType:\n\t\titems = []ast.Node{n}\n\tcase *ast.ListType:\n\t\titems = n.List\n\tdefault:\n\t\treturn &parser.PosError{\n\t\t\tPos: node.Pos(),\n\t\t\tErr: fmt.Errorf(\"unknown slice type: %T\", node),\n\t\t}\n\t}\n\n\tfor i, item := range items {\n\t\tfieldName := fmt.Sprintf(\"%s[%d]\", name, i)\n\n\t\t// Decode\n\t\tval := reflect.Indirect(reflect.New(resultElemType))\n\n\t\t// if item is an object that was decoded from ambiguous JSON and\n\t\t// flattened, make sure it's expanded if it needs to decode into a\n\t\t// defined structure.\n\t\titem := expandObject(item, val)\n\n\t\tif err := d.decode(fieldName, item, val); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\t// Append it onto the slice\n\t\tresult = reflect.Append(result, val)\n\t}\n\n\tset.Set(result)\n\treturn nil\n}\n\n// expandObject detects if an ambiguous JSON object was flattened to a List 
which\n// should be decoded into a struct, and expands the ast to properly deocode.\nfunc expandObject(node ast.Node, result reflect.Value) ast.Node {\n\titem, ok := node.(*ast.ObjectItem)\n\tif !ok {\n\t\treturn node\n\t}\n\n\telemType := result.Type()\n\n\t// our target type must be a struct\n\tswitch elemType.Kind() {\n\tcase reflect.Ptr:\n\t\tswitch elemType.Elem().Kind() {\n\t\tcase reflect.Struct:\n\t\t\t//OK\n\t\tdefault:\n\t\t\treturn node\n\t\t}\n\tcase reflect.Struct:\n\t\t//OK\n\tdefault:\n\t\treturn node\n\t}\n\n\t// A list value will have a key and field name. If it had more fields,\n\t// it wouldn't have been flattened.\n\tif len(item.Keys) != 2 {\n\t\treturn node\n\t}\n\n\tkeyToken := item.Keys[0].Token\n\titem.Keys = item.Keys[1:]\n\n\t// we need to un-flatten the ast enough to decode\n\tnewNode := &ast.ObjectItem{\n\t\tKeys: []*ast.ObjectKey{\n\t\t\t{\n\t\t\t\tToken: keyToken,\n\t\t\t},\n\t\t},\n\t\tVal: &ast.ObjectType{\n\t\t\tList: &ast.ObjectList{\n\t\t\t\tItems: []*ast.ObjectItem{item},\n\t\t\t},\n\t\t},\n\t}\n\n\treturn newNode\n}\n\nfunc (d *decoder) decodeString(name string, node ast.Node, result reflect.Value) error {\n\tswitch n := node.(type) {\n\tcase *ast.LiteralType:\n\t\tswitch n.Token.Type {\n\t\tcase token.NUMBER:\n\t\t\tresult.Set(reflect.ValueOf(n.Token.Text).Convert(result.Type()))\n\t\t\treturn nil\n\t\tcase token.STRING, token.HEREDOC:\n\t\t\tresult.Set(reflect.ValueOf(n.Token.Value()).Convert(result.Type()))\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn &parser.PosError{\n\t\tPos: node.Pos(),\n\t\tErr: fmt.Errorf(\"%s: unknown type for string %T\", name, node),\n\t}\n}\n\nfunc (d *decoder) decodeStruct(name string, node ast.Node, result reflect.Value) error {\n\tvar item *ast.ObjectItem\n\tif it, ok := node.(*ast.ObjectItem); ok {\n\t\titem = it\n\t\tnode = it.Val\n\t}\n\n\tif ot, ok := node.(*ast.ObjectType); ok {\n\t\tnode = ot.List\n\t}\n\n\t// Handle the special case where the object itself is a literal. 
Previously\n\t// the yacc parser would always ensure top-level elements were arrays. The new\n\t// parser does not make the same guarantees, thus we need to convert any\n\t// top-level literal elements into a list.\n\tif _, ok := node.(*ast.LiteralType); ok && item != nil {\n\t\tnode = &ast.ObjectList{Items: []*ast.ObjectItem{item}}\n\t}\n\n\tlist, ok := node.(*ast.ObjectList)\n\tif !ok {\n\t\treturn &parser.PosError{\n\t\t\tPos: node.Pos(),\n\t\t\tErr: fmt.Errorf(\"%s: not an object type for struct (%T)\", name, node),\n\t\t}\n\t}\n\n\t// This slice will keep track of all the structs we'll be decoding.\n\t// There can be more than one struct if there are embedded structs\n\t// that are squashed.\n\tstructs := make([]reflect.Value, 1, 5)\n\tstructs[0] = result\n\n\t// Compile the list of all the fields that we're going to be decoding\n\t// from all the structs.\n\ttype field struct {\n\t\tfield reflect.StructField\n\t\tval   reflect.Value\n\t}\n\tfields := []field{}\n\tfor len(structs) > 0 {\n\t\tstructVal := structs[0]\n\t\tstructs = structs[1:]\n\n\t\tstructType := structVal.Type()\n\t\tfor i := 0; i < structType.NumField(); i++ {\n\t\t\tfieldType := structType.Field(i)\n\t\t\ttagParts := strings.Split(fieldType.Tag.Get(tagName), \",\")\n\n\t\t\t// Ignore fields with tag name \"-\"\n\t\t\tif tagParts[0] == \"-\" {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tif fieldType.Anonymous {\n\t\t\t\tfieldKind := fieldType.Type.Kind()\n\t\t\t\tif fieldKind != reflect.Struct {\n\t\t\t\t\treturn &parser.PosError{\n\t\t\t\t\t\tPos: node.Pos(),\n\t\t\t\t\t\tErr: fmt.Errorf(\"%s: unsupported type to struct: %s\",\n\t\t\t\t\t\t\tfieldType.Name, fieldKind),\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// We have an embedded field. 
We \"squash\" the fields down\n\t\t\t\t// if specified in the tag.\n\t\t\t\tsquash := false\n\t\t\t\tfor _, tag := range tagParts[1:] {\n\t\t\t\t\tif tag == \"squash\" {\n\t\t\t\t\t\tsquash = true\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif squash {\n\t\t\t\t\tstructs = append(\n\t\t\t\t\t\tstructs, result.FieldByName(fieldType.Name))\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Normal struct field, store it away\n\t\t\tfields = append(fields, field{fieldType, structVal.Field(i)})\n\t\t}\n\t}\n\n\tusedKeys := make(map[string]struct{})\n\tdecodedFields := make([]string, 0, len(fields))\n\tdecodedFieldsVal := make([]reflect.Value, 0)\n\tunusedKeysVal := make([]reflect.Value, 0)\n\n\t// fill unusedNodeKeys with keys from the AST\n\t// a slice because we have to do equals case fold to match Filter\n\tunusedNodeKeys := make(map[string][]token.Pos, 0)\n\tfor i, item := range list.Items {\n\t\tfor _, k := range item.Keys {\n\t\t\t// isNestedJSON returns true for e.g. bar in\n\t\t\t// { \"foo\": { \"bar\": {...} } }\n\t\t\t// This isn't an unused node key, so we want to skip it\n\t\t\tisNestedJSON := i > 0 && len(item.Keys) > 1\n\t\t\tif !isNestedJSON && (k.Token.JSON || k.Token.Type == token.IDENT) {\n\t\t\t\tfn := k.Token.Value().(string)\n\t\t\t\tsl := unusedNodeKeys[fn]\n\t\t\t\tunusedNodeKeys[fn] = append(sl, k.Token.Pos)\n\t\t\t}\n\t\t}\n\t}\n\n\tfor _, f := range fields {\n\t\tfield, fieldValue := f.field, f.val\n\t\tif !fieldValue.IsValid() {\n\t\t\t// This should never happen\n\t\t\tpanic(\"field is not valid\")\n\t\t}\n\n\t\t// If we can't set the field, then it is unexported or something,\n\t\t// and we just continue onwards.\n\t\tif !fieldValue.CanSet() {\n\t\t\tcontinue\n\t\t}\n\n\t\tfieldName := field.Name\n\n\t\ttagValue := field.Tag.Get(tagName)\n\t\ttagParts := strings.SplitN(tagValue, \",\", 2)\n\t\tif len(tagParts) >= 2 {\n\t\t\tswitch tagParts[1] {\n\t\t\tcase \"decodedFields\":\n\t\t\t\tdecodedFieldsVal = append(decodedFieldsVal, 
fieldValue)\n\t\t\t\tcontinue\n\t\t\tcase \"key\":\n\t\t\t\tif item == nil {\n\t\t\t\t\treturn &parser.PosError{\n\t\t\t\t\t\tPos: node.Pos(),\n\t\t\t\t\t\tErr: fmt.Errorf(\"%s: %s asked for 'key', impossible\",\n\t\t\t\t\t\t\tname, fieldName),\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tfieldValue.SetString(item.Keys[0].Token.Value().(string))\n\t\t\t\tcontinue\n\t\t\tcase \"unusedKeyPositions\":\n\t\t\t\tunusedKeysVal = append(unusedKeysVal, fieldValue)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\n\t\tif tagParts[0] != \"\" {\n\t\t\tfieldName = tagParts[0]\n\t\t}\n\n\t\t// Determine the element we'll use to decode. If it is a single\n\t\t// match (only object with the field), then we decode it exactly.\n\t\t// If it is a prefix match, then we decode the matches.\n\t\tfilter := list.Filter(fieldName)\n\n\t\tprefixMatches := filter.Children()\n\t\tmatches := filter.Elem()\n\t\tif len(matches.Items) == 0 && len(prefixMatches.Items) == 0 {\n\t\t\tcontinue\n\t\t}\n\n\t\t// Track the used keys\n\t\tusedKeys[fieldName] = struct{}{}\n\t\tunusedNodeKeys = removeCaseFold(unusedNodeKeys, fieldName)\n\n\t\t// Create the field name and decode. 
We range over the elements\n\t\t// because we actually want the value.\n\t\tfieldName = fmt.Sprintf(\"%s.%s\", name, fieldName)\n\t\tif len(prefixMatches.Items) > 0 {\n\t\t\tif err := d.decode(fieldName, prefixMatches, fieldValue); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tfor _, match := range matches.Items {\n\t\t\tvar decodeNode ast.Node = match.Val\n\t\t\tif ot, ok := decodeNode.(*ast.ObjectType); ok {\n\t\t\t\tdecodeNode = &ast.ObjectList{Items: ot.List.Items}\n\t\t\t}\n\n\t\t\tif err := d.decode(fieldName, decodeNode, fieldValue); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\tdecodedFields = append(decodedFields, field.Name)\n\t}\n\n\tif len(decodedFieldsVal) > 0 {\n\t\t// Sort it so that it is deterministic\n\t\tsort.Strings(decodedFields)\n\n\t\tfor _, v := range decodedFieldsVal {\n\t\t\tv.Set(reflect.ValueOf(decodedFields))\n\t\t}\n\t}\n\n\tif len(unusedNodeKeys) > 0 {\n\t\t// like decodedFields, populated the unusedKeys field(s)\n\t\tfor _, v := range unusedKeysVal {\n\t\t\tv.Set(reflect.ValueOf(unusedNodeKeys))\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// findNodeType returns the type of ast.Node\nfunc findNodeType() reflect.Type {\n\tvar nodeContainer struct {\n\t\tNode ast.Node\n\t}\n\tvalue := reflect.ValueOf(nodeContainer).FieldByName(\"Node\")\n\treturn value.Type()\n}\n\nfunc removeCaseFold(xs map[string][]token.Pos, y string) map[string][]token.Pos {\n\tvar toDel []string\n\n\tfor i := range xs {\n\t\tif strings.EqualFold(i, y) {\n\t\t\ttoDel = append(toDel, i)\n\t\t}\n\t}\n\tfor _, i := range toDel {\n\t\tdelete(xs, i)\n\t}\n\treturn xs\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/ast/ast.go",
    "content": "// Package ast declares the types used to represent syntax trees for HCL\n// (HashiCorp Configuration Language)\npackage ast\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/hashicorp/hcl/hcl/token\"\n)\n\n// Node is an element in the abstract syntax tree.\ntype Node interface {\n\tnode()\n\tPos() token.Pos\n}\n\nfunc (File) node()         {}\nfunc (ObjectList) node()   {}\nfunc (ObjectKey) node()    {}\nfunc (ObjectItem) node()   {}\nfunc (Comment) node()      {}\nfunc (CommentGroup) node() {}\nfunc (ObjectType) node()   {}\nfunc (LiteralType) node()  {}\nfunc (ListType) node()     {}\n\nvar unknownPos token.Pos\n\n// File represents a single HCL file\ntype File struct {\n\tNode     Node            // usually a *ObjectList\n\tComments []*CommentGroup // list of all comments in the source\n}\n\nfunc (f *File) Pos() token.Pos {\n\treturn f.Node.Pos()\n}\n\n// ObjectList represents a list of ObjectItems. An HCL file itself is an\n// ObjectList.\ntype ObjectList struct {\n\tItems []*ObjectItem\n}\n\nfunc (o *ObjectList) Add(item *ObjectItem) {\n\to.Items = append(o.Items, item)\n}\n\n// Filter filters out the objects with the given key list as a prefix.\n//\n// The returned list of objects contain ObjectItems where the keys have\n// this prefix already stripped off. 
This might result in objects with\n// zero-length key lists if they have no children.\n//\n// If no matches are found, an empty ObjectList (non-nil) is returned.\nfunc (o *ObjectList) Filter(keys ...string) *ObjectList {\n\tvar result ObjectList\n\tfor _, item := range o.Items {\n\t\t// If there aren't enough keys, then ignore this\n\t\tif len(item.Keys) < len(keys) {\n\t\t\tcontinue\n\t\t}\n\n\t\tmatch := true\n\t\tfor i, key := range item.Keys[:len(keys)] {\n\t\t\tkey := key.Token.Value().(string)\n\t\t\tif key != keys[i] && !strings.EqualFold(key, keys[i]) {\n\t\t\t\tmatch = false\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !match {\n\t\t\tcontinue\n\t\t}\n\n\t\t// Strip off the prefix from the children\n\t\tnewItem := *item\n\t\tnewItem.Keys = newItem.Keys[len(keys):]\n\t\tresult.Add(&newItem)\n\t}\n\n\treturn &result\n}\n\n// Children returns further nested objects (key length > 0) within this\n// ObjectList. This should be used with Filter to get at child items.\nfunc (o *ObjectList) Children() *ObjectList {\n\tvar result ObjectList\n\tfor _, item := range o.Items {\n\t\tif len(item.Keys) > 0 {\n\t\t\tresult.Add(item)\n\t\t}\n\t}\n\n\treturn &result\n}\n\n// Elem returns items in the list that are direct element assignments\n// (key length == 0). This should be used with Filter to get at elements.\nfunc (o *ObjectList) Elem() *ObjectList {\n\tvar result ObjectList\n\tfor _, item := range o.Items {\n\t\tif len(item.Keys) == 0 {\n\t\t\tresult.Add(item)\n\t\t}\n\t}\n\n\treturn &result\n}\n\nfunc (o *ObjectList) Pos() token.Pos {\n\t// If an Object has no members, it won't have a first item\n\t// to use as position\n\tif len(o.Items) == 0 {\n\t\treturn unknownPos\n\t}\n\t// Return the uninitialized position\n\treturn o.Items[0].Pos()\n}\n\n// ObjectItem represents a HCL Object Item. An item is represented with a key\n// (or keys). 
It can be an assignment or an object (both normal and nested)\ntype ObjectItem struct {\n\t// keys is only one length long if it's of type assignment. If it's a\n\t// nested object it can be larger than one. In that case \"assign\" is\n\t// invalid as there is no assignments for a nested object.\n\tKeys []*ObjectKey\n\n\t// assign contains the position of \"=\", if any\n\tAssign token.Pos\n\n\t// val is the item itself. It can be an object,list, number, bool or a\n\t// string. If key length is larger than one, val can be only of type\n\t// Object.\n\tVal Node\n\n\tLeadComment *CommentGroup // associated lead comment\n\tLineComment *CommentGroup // associated line comment\n}\n\nfunc (o *ObjectItem) Pos() token.Pos {\n\t// If a parsed object has no keys, there is no position\n\t// for its first element.\n\tif len(o.Keys) == 0 {\n\t\treturn unknownPos\n\t}\n\n\treturn o.Keys[0].Pos()\n}\n\n// ObjectKeys are either an identifier or of type string.\ntype ObjectKey struct {\n\tToken token.Token\n}\n\nfunc (o *ObjectKey) Pos() token.Pos {\n\treturn o.Token.Pos\n}\n\n// LiteralType represents a literal of basic type. 
Valid types are:\n// token.NUMBER, token.FLOAT, token.BOOL and token.STRING\ntype LiteralType struct {\n\tToken token.Token\n\n\t// comment types, only used when in a list\n\tLeadComment *CommentGroup\n\tLineComment *CommentGroup\n}\n\nfunc (l *LiteralType) Pos() token.Pos {\n\treturn l.Token.Pos\n}\n\n// ListStatement represents a HCL List type\ntype ListType struct {\n\tLbrack token.Pos // position of \"[\"\n\tRbrack token.Pos // position of \"]\"\n\tList   []Node    // the elements in lexical order\n}\n\nfunc (l *ListType) Pos() token.Pos {\n\treturn l.Lbrack\n}\n\nfunc (l *ListType) Add(node Node) {\n\tl.List = append(l.List, node)\n}\n\n// ObjectType represents a HCL Object Type\ntype ObjectType struct {\n\tLbrace token.Pos   // position of \"{\"\n\tRbrace token.Pos   // position of \"}\"\n\tList   *ObjectList // the nodes in lexical order\n}\n\nfunc (o *ObjectType) Pos() token.Pos {\n\treturn o.Lbrace\n}\n\n// Comment node represents a single //, # style or /*- style comment\ntype Comment struct {\n\tStart token.Pos // position of / or #\n\tText  string\n}\n\nfunc (c *Comment) Pos() token.Pos {\n\treturn c.Start\n}\n\n// CommentGroup node represents a sequence of comments with no other tokens and\n// no empty lines between.\ntype CommentGroup struct {\n\tList []*Comment // len(List) > 0\n}\n\nfunc (c *CommentGroup) Pos() token.Pos {\n\treturn c.List[0].Pos()\n}\n\n//-------------------------------------------------------------------\n// GoStringer\n//-------------------------------------------------------------------\n\nfunc (o *ObjectKey) GoString() string  { return fmt.Sprintf(\"*%#v\", *o) }\nfunc (o *ObjectList) GoString() string { return fmt.Sprintf(\"*%#v\", *o) }\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/ast/walk.go",
    "content": "package ast\n\nimport \"fmt\"\n\n// WalkFunc describes a function to be called for each node during a Walk. The\n// returned node can be used to rewrite the AST. Walking stops the returned\n// bool is false.\ntype WalkFunc func(Node) (Node, bool)\n\n// Walk traverses an AST in depth-first order: It starts by calling fn(node);\n// node must not be nil. If fn returns true, Walk invokes fn recursively for\n// each of the non-nil children of node, followed by a call of fn(nil). The\n// returned node of fn can be used to rewrite the passed node to fn.\nfunc Walk(node Node, fn WalkFunc) Node {\n\trewritten, ok := fn(node)\n\tif !ok {\n\t\treturn rewritten\n\t}\n\n\tswitch n := node.(type) {\n\tcase *File:\n\t\tn.Node = Walk(n.Node, fn)\n\tcase *ObjectList:\n\t\tfor i, item := range n.Items {\n\t\t\tn.Items[i] = Walk(item, fn).(*ObjectItem)\n\t\t}\n\tcase *ObjectKey:\n\t\t// nothing to do\n\tcase *ObjectItem:\n\t\tfor i, k := range n.Keys {\n\t\t\tn.Keys[i] = Walk(k, fn).(*ObjectKey)\n\t\t}\n\n\t\tif n.Val != nil {\n\t\t\tn.Val = Walk(n.Val, fn)\n\t\t}\n\tcase *LiteralType:\n\t\t// nothing to do\n\tcase *ListType:\n\t\tfor i, l := range n.List {\n\t\t\tn.List[i] = Walk(l, fn)\n\t\t}\n\tcase *ObjectType:\n\t\tn.List = Walk(n.List, fn).(*ObjectList)\n\tdefault:\n\t\t// should we panic here?\n\t\tfmt.Printf(\"unknown type: %T\\n\", n)\n\t}\n\n\tfn(nil)\n\treturn rewritten\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/parser/error.go",
    "content": "package parser\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/hashicorp/hcl/hcl/token\"\n)\n\n// PosError is a parse error that contains a position.\ntype PosError struct {\n\tPos token.Pos\n\tErr error\n}\n\nfunc (e *PosError) Error() string {\n\treturn fmt.Sprintf(\"At %s: %s\", e.Pos, e.Err)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/parser/parser.go",
    "content": "// Package parser implements a parser for HCL (HashiCorp Configuration\n// Language)\npackage parser\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/hashicorp/hcl/hcl/ast\"\n\t\"github.com/hashicorp/hcl/hcl/scanner\"\n\t\"github.com/hashicorp/hcl/hcl/token\"\n)\n\ntype Parser struct {\n\tsc *scanner.Scanner\n\n\t// Last read token\n\ttok       token.Token\n\tcommaPrev token.Token\n\n\tcomments    []*ast.CommentGroup\n\tleadComment *ast.CommentGroup // last lead comment\n\tlineComment *ast.CommentGroup // last line comment\n\n\tenableTrace bool\n\tindent      int\n\tn           int // buffer size (max = 1)\n\n\terrorOnDuplicateKeys bool\n}\n\nfunc newParser(src []byte, errorOnDuplicateKeys bool) *Parser {\n\treturn &Parser{\n\t\tsc:                   scanner.New(src),\n\t\terrorOnDuplicateKeys: errorOnDuplicateKeys,\n\t}\n}\n\n// Parse returns the fully parsed source and returns the abstract syntax tree.\nfunc Parse(src []byte) (*ast.File, error) {\n\treturn parse(src, true)\n}\n\n// Parse returns the fully parsed source and returns the abstract syntax tree.\nfunc ParseDontErrorOnDuplicateKeys(src []byte) (*ast.File, error) {\n\treturn parse(src, false)\n}\n\n// Parse returns the fully parsed source and returns the abstract syntax tree.\nfunc parse(src []byte, errorOnDuplicateKeys bool) (*ast.File, error) {\n\t// normalize all line endings\n\t// since the scanner and output only work with \"\\n\" line endings, we may\n\t// end up with dangling \"\\r\" characters in the parsed data.\n\tsrc = bytes.Replace(src, []byte(\"\\r\\n\"), []byte(\"\\n\"), -1)\n\n\tp := newParser(src, errorOnDuplicateKeys)\n\treturn p.Parse()\n}\n\nvar errEofToken = errors.New(\"EOF token found\")\n\n// Parse returns the fully parsed source and returns the abstract syntax tree.\nfunc (p *Parser) Parse() (*ast.File, error) {\n\tf := &ast.File{}\n\tvar err, scerr error\n\tp.sc.Error = func(pos token.Pos, msg string) {\n\t\tscerr = &PosError{Pos: 
pos, Err: errors.New(msg)}\n\t}\n\n\tf.Node, err = p.objectList(false)\n\tif scerr != nil {\n\t\treturn nil, scerr\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tf.Comments = p.comments\n\n\treturn f, nil\n}\n\n// objectList parses a list of items within an object (generally k/v pairs).\n// The parameter\" obj\" tells this whether to we are within an object (braces:\n// '{', '}') or just at the top level. If we're within an object, we end\n// at an RBRACE.\nfunc (p *Parser) objectList(obj bool) (*ast.ObjectList, error) {\n\tdefer un(trace(p, \"ParseObjectList\"))\n\tnode := &ast.ObjectList{}\n\n\tseenKeys := map[string]struct{}{}\n\tfor {\n\t\tif obj {\n\t\t\ttok := p.scan()\n\t\t\tp.unscan()\n\t\t\tif tok.Type == token.RBRACE {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t}\n\n\t\tn, err := p.objectItem()\n\n\t\tif err == errEofToken {\n\t\t\tbreak // we are finished\n\t\t} else if err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tif n.Assign.String() != \"-\" {\n\t\t\tfor _, key := range n.Keys {\n\t\t\t\tif !p.errorOnDuplicateKeys {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t\t_, ok := seenKeys[key.Token.Text]\n\t\t\t\tif ok {\n\t\t\t\t\treturn nil, errors.New(fmt.Sprintf(\"The argument %q at %s was already set. Each argument can only be defined once\", key.Token.Text, key.Token.Pos.String()))\n\n\t\t\t\t}\n\t\t\t\tseenKeys[key.Token.Text] = struct{}{}\n\t\t\t}\n\t\t}\n\n\t\t// we don't return a nil node, because might want to use already\n\t\t// collected items.\n\t\tif err != nil {\n\t\t\treturn node, err\n\t\t}\n\n\t\tnode.Add(n)\n\n\t\t// object lists can be optionally comma-delimited e.g. 
when a list of maps\n\t\t// is being expressed, so a comma is allowed here - it's simply consumed\n\t\ttok := p.scan()\n\t\tif tok.Type != token.COMMA {\n\t\t\tp.unscan()\n\t\t}\n\t}\n\treturn node, nil\n}\n\nfunc (p *Parser) consumeComment() (comment *ast.Comment, endline int) {\n\tendline = p.tok.Pos.Line\n\n\t// count the endline if it's multiline comment, ie starting with /*\n\tif len(p.tok.Text) > 1 && p.tok.Text[1] == '*' {\n\t\t// don't use range here - no need to decode Unicode code points\n\t\tfor i := 0; i < len(p.tok.Text); i++ {\n\t\t\tif p.tok.Text[i] == '\\n' {\n\t\t\t\tendline++\n\t\t\t}\n\t\t}\n\t}\n\n\tcomment = &ast.Comment{Start: p.tok.Pos, Text: p.tok.Text}\n\tp.tok = p.sc.Scan()\n\treturn\n}\n\nfunc (p *Parser) consumeCommentGroup(n int) (comments *ast.CommentGroup, endline int) {\n\tvar list []*ast.Comment\n\tendline = p.tok.Pos.Line\n\n\tfor p.tok.Type == token.COMMENT && p.tok.Pos.Line <= endline+n {\n\t\tvar comment *ast.Comment\n\t\tcomment, endline = p.consumeComment()\n\t\tlist = append(list, comment)\n\t}\n\n\t// add comment group to the comments list\n\tcomments = &ast.CommentGroup{List: list}\n\tp.comments = append(p.comments, comments)\n\n\treturn\n}\n\n// objectItem parses a single object item\nfunc (p *Parser) objectItem() (*ast.ObjectItem, error) {\n\tdefer un(trace(p, \"ParseObjectItem\"))\n\n\tkeys, err := p.objectKey()\n\tif len(keys) > 0 && err == errEofToken {\n\t\t// We ignore eof token here since it is an error if we didn't\n\t\t// receive a value (but we did receive a key) for the item.\n\t\terr = nil\n\t}\n\tif len(keys) > 0 && err != nil && p.tok.Type == token.RBRACE {\n\t\t// This is a strange boolean statement, but what it means is:\n\t\t// We have keys with no value, and we're likely in an object\n\t\t// (since RBrace ends an object). 
For this, we set err to nil so\n\t\t// we continue and get the error below of having the wrong value\n\t\t// type.\n\t\terr = nil\n\n\t\t// Reset the token type so we don't think it completed fine. See\n\t\t// objectType which uses p.tok.Type to check if we're done with\n\t\t// the object.\n\t\tp.tok.Type = token.EOF\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\to := &ast.ObjectItem{\n\t\tKeys: keys,\n\t}\n\n\tif p.leadComment != nil {\n\t\to.LeadComment = p.leadComment\n\t\tp.leadComment = nil\n\t}\n\n\tswitch p.tok.Type {\n\tcase token.ASSIGN:\n\t\to.Assign = p.tok.Pos\n\t\to.Val, err = p.object()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tcase token.LBRACE:\n\t\to.Val, err = p.objectType()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tdefault:\n\t\tkeyStr := make([]string, 0, len(keys))\n\t\tfor _, k := range keys {\n\t\t\tkeyStr = append(keyStr, k.Token.Text)\n\t\t}\n\n\t\treturn nil, &PosError{\n\t\t\tPos: p.tok.Pos,\n\t\t\tErr: fmt.Errorf(\n\t\t\t\t\"key '%s' expected start of object ('{') or assignment ('=')\",\n\t\t\t\tstrings.Join(keyStr, \" \")),\n\t\t}\n\t}\n\n\t// key=#comment\n\t// val\n\tif p.lineComment != nil {\n\t\to.LineComment, p.lineComment = p.lineComment, nil\n\t}\n\n\t// do a look-ahead for line comment\n\tp.scan()\n\tif len(keys) > 0 && o.Val.Pos().Line == keys[0].Pos().Line && p.lineComment != nil {\n\t\to.LineComment = p.lineComment\n\t\tp.lineComment = nil\n\t}\n\tp.unscan()\n\treturn o, nil\n}\n\n// objectKey parses an object key and returns a ObjectKey AST\nfunc (p *Parser) objectKey() ([]*ast.ObjectKey, error) {\n\tkeyCount := 0\n\tkeys := make([]*ast.ObjectKey, 0)\n\n\tfor {\n\t\ttok := p.scan()\n\t\tswitch tok.Type {\n\t\tcase token.EOF:\n\t\t\t// It is very important to also return the keys here as well as\n\t\t\t// the error. 
This is because we need to be able to tell if we\n\t\t\t// did parse keys prior to finding the EOF, or if we just found\n\t\t\t// a bare EOF.\n\t\t\treturn keys, errEofToken\n\t\tcase token.ASSIGN:\n\t\t\t// assignment or object only, but not nested objects. this is not\n\t\t\t// allowed: `foo bar = {}`\n\t\t\tif keyCount > 1 {\n\t\t\t\treturn nil, &PosError{\n\t\t\t\t\tPos: p.tok.Pos,\n\t\t\t\t\tErr: fmt.Errorf(\"nested object expected: LBRACE got: %s\", p.tok.Type),\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif keyCount == 0 {\n\t\t\t\treturn nil, &PosError{\n\t\t\t\t\tPos: p.tok.Pos,\n\t\t\t\t\tErr: errors.New(\"no object keys found!\"),\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn keys, nil\n\t\tcase token.LBRACE:\n\t\t\tvar err error\n\n\t\t\t// If we have no keys, then it is a syntax error. i.e. {{}} is not\n\t\t\t// allowed.\n\t\t\tif len(keys) == 0 {\n\t\t\t\terr = &PosError{\n\t\t\t\t\tPos: p.tok.Pos,\n\t\t\t\t\tErr: fmt.Errorf(\"expected: IDENT | STRING got: %s\", p.tok.Type),\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// object\n\t\t\treturn keys, err\n\t\tcase token.IDENT, token.STRING:\n\t\t\tkeyCount++\n\t\t\tkeys = append(keys, &ast.ObjectKey{Token: p.tok})\n\t\tcase token.ILLEGAL:\n\t\t\treturn keys, &PosError{\n\t\t\t\tPos: p.tok.Pos,\n\t\t\t\tErr: fmt.Errorf(\"illegal character\"),\n\t\t\t}\n\t\tdefault:\n\t\t\treturn keys, &PosError{\n\t\t\t\tPos: p.tok.Pos,\n\t\t\t\tErr: fmt.Errorf(\"expected: IDENT | STRING | ASSIGN | LBRACE got: %s\", p.tok.Type),\n\t\t\t}\n\t\t}\n\t}\n}\n\n// object parses any type of object, such as number, bool, string, object or\n// list.\nfunc (p *Parser) object() (ast.Node, error) {\n\tdefer un(trace(p, \"ParseType\"))\n\ttok := p.scan()\n\n\tswitch tok.Type {\n\tcase token.NUMBER, token.FLOAT, token.BOOL, token.STRING, token.HEREDOC:\n\t\treturn p.literalType()\n\tcase token.LBRACE:\n\t\treturn p.objectType()\n\tcase token.LBRACK:\n\t\treturn p.listType()\n\tcase token.COMMENT:\n\t\t// implement comment\n\tcase token.EOF:\n\t\treturn nil, 
errEofToken\n\t}\n\n\treturn nil, &PosError{\n\t\tPos: tok.Pos,\n\t\tErr: fmt.Errorf(\"Unknown token: %+v\", tok),\n\t}\n}\n\n// objectType parses an object type and returns a ObjectType AST\nfunc (p *Parser) objectType() (*ast.ObjectType, error) {\n\tdefer un(trace(p, \"ParseObjectType\"))\n\n\t// we assume that the currently scanned token is a LBRACE\n\to := &ast.ObjectType{\n\t\tLbrace: p.tok.Pos,\n\t}\n\n\tl, err := p.objectList(true)\n\n\t// if we hit RBRACE, we are good to go (means we parsed all Items), if it's\n\t// not a RBRACE, it's an syntax error and we just return it.\n\tif err != nil && p.tok.Type != token.RBRACE {\n\t\treturn nil, err\n\t} else if err != nil {\n\t\treturn nil, err\n\t}\n\n\t// No error, scan and expect the ending to be a brace\n\tif tok := p.scan(); tok.Type != token.RBRACE {\n\t\treturn nil, &PosError{\n\t\t\tPos: tok.Pos,\n\t\t\tErr: fmt.Errorf(\"object expected closing RBRACE got: %s\", tok.Type),\n\t\t}\n\t}\n\n\to.List = l\n\to.Rbrace = p.tok.Pos // advanced via parseObjectList\n\treturn o, nil\n}\n\n// listType parses a list type and returns a ListType AST\nfunc (p *Parser) listType() (*ast.ListType, error) {\n\tdefer un(trace(p, \"ParseListType\"))\n\n\t// we assume that the currently scanned token is a LBRACK\n\tl := &ast.ListType{\n\t\tLbrack: p.tok.Pos,\n\t}\n\n\tneedComma := false\n\tfor {\n\t\ttok := p.scan()\n\t\tif needComma {\n\t\t\tswitch tok.Type {\n\t\t\tcase token.COMMA, token.RBRACK:\n\t\t\tdefault:\n\t\t\t\treturn nil, &PosError{\n\t\t\t\t\tPos: tok.Pos,\n\t\t\t\t\tErr: fmt.Errorf(\n\t\t\t\t\t\t\"error parsing list, expected comma or list end, got: %s\",\n\t\t\t\t\t\ttok.Type),\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tswitch tok.Type {\n\t\tcase token.BOOL, token.NUMBER, token.FLOAT, token.STRING, token.HEREDOC:\n\n\t\t\tnode, err := p.literalType()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\t// If there is a lead comment, apply it\n\t\t\tif p.leadComment != nil {\n\t\t\t\tnode.LeadComment = 
p.leadComment\n\t\t\t\tp.leadComment = nil\n\t\t\t}\n\n\t\t\tl.Add(node)\n\t\t\tneedComma = true\n\t\tcase token.COMMA:\n\t\t\t// get next list item or we are at the end\n\t\t\t// do a look-ahead for line comment\n\t\t\tp.scan()\n\t\t\tif p.lineComment != nil && len(l.List) > 0 {\n\t\t\t\tlit, ok := l.List[len(l.List)-1].(*ast.LiteralType)\n\t\t\t\tif ok {\n\t\t\t\t\tlit.LineComment = p.lineComment\n\t\t\t\t\tl.List[len(l.List)-1] = lit\n\t\t\t\t\tp.lineComment = nil\n\t\t\t\t}\n\t\t\t}\n\t\t\tp.unscan()\n\n\t\t\tneedComma = false\n\t\t\tcontinue\n\t\tcase token.LBRACE:\n\t\t\t// Looks like a nested object, so parse it out\n\t\t\tnode, err := p.objectType()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, &PosError{\n\t\t\t\t\tPos: tok.Pos,\n\t\t\t\t\tErr: fmt.Errorf(\n\t\t\t\t\t\t\"error while trying to parse object within list: %s\", err),\n\t\t\t\t}\n\t\t\t}\n\t\t\tl.Add(node)\n\t\t\tneedComma = true\n\t\tcase token.LBRACK:\n\t\t\tnode, err := p.listType()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, &PosError{\n\t\t\t\t\tPos: tok.Pos,\n\t\t\t\t\tErr: fmt.Errorf(\n\t\t\t\t\t\t\"error while trying to parse list within list: %s\", err),\n\t\t\t\t}\n\t\t\t}\n\t\t\tl.Add(node)\n\t\tcase token.RBRACK:\n\t\t\t// finished\n\t\t\tl.Rbrack = p.tok.Pos\n\t\t\treturn l, nil\n\t\tdefault:\n\t\t\treturn nil, &PosError{\n\t\t\t\tPos: tok.Pos,\n\t\t\t\tErr: fmt.Errorf(\"unexpected token while parsing list: %s\", tok.Type),\n\t\t\t}\n\t\t}\n\t}\n}\n\n// literalType parses a literal type and returns a LiteralType AST\nfunc (p *Parser) literalType() (*ast.LiteralType, error) {\n\tdefer un(trace(p, \"ParseLiteral\"))\n\n\treturn &ast.LiteralType{\n\t\tToken: p.tok,\n\t}, nil\n}\n\n// scan returns the next token from the underlying scanner. If a token has\n// been unscanned then read that instead. 
In the process, it collects any\n// comment groups encountered, and remembers the last lead and line comments.\nfunc (p *Parser) scan() token.Token {\n\t// If we have a token on the buffer, then return it.\n\tif p.n != 0 {\n\t\tp.n = 0\n\t\treturn p.tok\n\t}\n\n\t// Otherwise read the next token from the scanner and Save it to the buffer\n\t// in case we unscan later.\n\tprev := p.tok\n\tp.tok = p.sc.Scan()\n\n\tif p.tok.Type == token.COMMENT {\n\t\tvar comment *ast.CommentGroup\n\t\tvar endline int\n\n\t\t// fmt.Printf(\"p.tok.Pos.Line = %+v prev: %d endline %d \\n\",\n\t\t// p.tok.Pos.Line, prev.Pos.Line, endline)\n\t\tif p.tok.Pos.Line == prev.Pos.Line {\n\t\t\t// The comment is on same line as the previous token; it\n\t\t\t// cannot be a lead comment but may be a line comment.\n\t\t\tcomment, endline = p.consumeCommentGroup(0)\n\t\t\tif p.tok.Pos.Line != endline {\n\t\t\t\t// The next token is on a different line, thus\n\t\t\t\t// the last comment group is a line comment.\n\t\t\t\tp.lineComment = comment\n\t\t\t}\n\t\t}\n\n\t\t// consume successor comments, if any\n\t\tendline = -1\n\t\tfor p.tok.Type == token.COMMENT {\n\t\t\tcomment, endline = p.consumeCommentGroup(1)\n\t\t}\n\n\t\tif endline+1 == p.tok.Pos.Line && p.tok.Type != token.RBRACE {\n\t\t\tswitch p.tok.Type {\n\t\t\tcase token.RBRACE, token.RBRACK:\n\t\t\t\t// Do not count for these cases\n\t\t\tdefault:\n\t\t\t\t// The next token is following on the line immediately after the\n\t\t\t\t// comment group, thus the last comment group is a lead comment.\n\t\t\t\tp.leadComment = comment\n\t\t\t}\n\t\t}\n\n\t}\n\n\treturn p.tok\n}\n\n// unscan pushes the previously read token back onto the buffer.\nfunc (p *Parser) unscan() {\n\tp.n = 1\n}\n\n// ----------------------------------------------------------------------------\n// Parsing support\n\nfunc (p *Parser) printTrace(a ...interface{}) {\n\tif !p.enableTrace {\n\t\treturn\n\t}\n\n\tconst dots = \". . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . \"\n\tconst n = len(dots)\n\tfmt.Printf(\"%5d:%3d: \", p.tok.Pos.Line, p.tok.Pos.Column)\n\n\ti := 2 * p.indent\n\tfor i > n {\n\t\tfmt.Print(dots)\n\t\ti -= n\n\t}\n\t// i <= n\n\tfmt.Print(dots[0:i])\n\tfmt.Println(a...)\n}\n\nfunc trace(p *Parser, msg string) *Parser {\n\tp.printTrace(msg, \"(\")\n\tp.indent++\n\treturn p\n}\n\n// Usage pattern: defer un(trace(p, \"...\"))\nfunc un(p *Parser) {\n\tp.indent--\n\tp.printTrace(\")\")\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/scanner/scanner.go",
    "content": "// Package scanner implements a scanner for HCL (HashiCorp Configuration\n// Language) source text.\npackage scanner\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"os\"\n\t\"regexp\"\n\t\"unicode\"\n\t\"unicode/utf8\"\n\n\t\"github.com/hashicorp/hcl/hcl/token\"\n)\n\n// eof represents a marker rune for the end of the reader.\nconst eof = rune(0)\n\n// Scanner defines a lexical scanner\ntype Scanner struct {\n\tbuf *bytes.Buffer // Source buffer for advancing and scanning\n\tsrc []byte        // Source buffer for immutable access\n\n\t// Source Position\n\tsrcPos  token.Pos // current position\n\tprevPos token.Pos // previous position, used for peek() method\n\n\tlastCharLen int // length of last character in bytes\n\tlastLineLen int // length of last line in characters (for correct column reporting)\n\n\ttokStart int // token text start position\n\ttokEnd   int // token text end  position\n\n\t// Error is called for each error encountered. If no Error\n\t// function is set, the error is reported to os.Stderr.\n\tError func(pos token.Pos, msg string)\n\n\t// ErrorCount is incremented by one for each error encountered.\n\tErrorCount int\n\n\t// tokPos is the start position of most recently scanned token; set by\n\t// Scan. The Filename field is always left untouched by the Scanner.  If\n\t// an error is reported (via Error) and Position is invalid, the scanner is\n\t// not inside a token.\n\ttokPos token.Pos\n}\n\n// New creates and initializes a new instance of Scanner using src as\n// its source content.\nfunc New(src []byte) *Scanner {\n\t// even though we accept a src, we read from a io.Reader compatible type\n\t// (*bytes.Buffer). So in the future we might easily change it to streaming\n\t// read.\n\tb := bytes.NewBuffer(src)\n\ts := &Scanner{\n\t\tbuf: b,\n\t\tsrc: src,\n\t}\n\n\t// srcPosition always starts with 1\n\ts.srcPos.Line = 1\n\treturn s\n}\n\n// next reads the next rune from the bufferred reader. 
Returns the rune(0) if\n// an error occurs (or io.EOF is returned).\nfunc (s *Scanner) next() rune {\n\tch, size, err := s.buf.ReadRune()\n\tif err != nil {\n\t\t// advance for error reporting\n\t\ts.srcPos.Column++\n\t\ts.srcPos.Offset += size\n\t\ts.lastCharLen = size\n\t\treturn eof\n\t}\n\n\t// remember last position\n\ts.prevPos = s.srcPos\n\n\ts.srcPos.Column++\n\ts.lastCharLen = size\n\ts.srcPos.Offset += size\n\n\tif ch == utf8.RuneError && size == 1 {\n\t\ts.err(\"illegal UTF-8 encoding\")\n\t\treturn ch\n\t}\n\n\tif ch == '\\n' {\n\t\ts.srcPos.Line++\n\t\ts.lastLineLen = s.srcPos.Column\n\t\ts.srcPos.Column = 0\n\t}\n\n\tif ch == '\\x00' {\n\t\ts.err(\"unexpected null character (0x00)\")\n\t\treturn eof\n\t}\n\n\tif ch == '\\uE123' {\n\t\ts.err(\"unicode code point U+E123 reserved for internal use\")\n\t\treturn utf8.RuneError\n\t}\n\n\t// debug\n\t// fmt.Printf(\"ch: %q, offset:column: %d:%d\\n\", ch, s.srcPos.Offset, s.srcPos.Column)\n\treturn ch\n}\n\n// unread unreads the previous read Rune and updates the source position\nfunc (s *Scanner) unread() {\n\tif err := s.buf.UnreadRune(); err != nil {\n\t\tpanic(err) // this is user fault, we should catch it\n\t}\n\ts.srcPos = s.prevPos // put back last position\n}\n\n// peek returns the next rune without advancing the reader.\nfunc (s *Scanner) peek() rune {\n\tpeek, _, err := s.buf.ReadRune()\n\tif err != nil {\n\t\treturn eof\n\t}\n\n\ts.buf.UnreadRune()\n\treturn peek\n}\n\n// Scan scans the next token and returns the token.\nfunc (s *Scanner) Scan() token.Token {\n\tch := s.next()\n\n\t// skip white space\n\tfor isWhitespace(ch) {\n\t\tch = s.next()\n\t}\n\n\tvar tok token.Type\n\n\t// token text markings\n\ts.tokStart = s.srcPos.Offset - s.lastCharLen\n\n\t// token position, initial next() is moving the offset by one(size of rune\n\t// actually), though we are interested with the starting point\n\ts.tokPos.Offset = s.srcPos.Offset - s.lastCharLen\n\tif s.srcPos.Column > 0 {\n\t\t// common case: last 
character was not a '\\n'\n\t\ts.tokPos.Line = s.srcPos.Line\n\t\ts.tokPos.Column = s.srcPos.Column\n\t} else {\n\t\t// last character was a '\\n'\n\t\t// (we cannot be at the beginning of the source\n\t\t// since we have called next() at least once)\n\t\ts.tokPos.Line = s.srcPos.Line - 1\n\t\ts.tokPos.Column = s.lastLineLen\n\t}\n\n\tswitch {\n\tcase isLetter(ch):\n\t\ttok = token.IDENT\n\t\tlit := s.scanIdentifier()\n\t\tif lit == \"true\" || lit == \"false\" {\n\t\t\ttok = token.BOOL\n\t\t}\n\tcase isDecimal(ch):\n\t\ttok = s.scanNumber(ch)\n\tdefault:\n\t\tswitch ch {\n\t\tcase eof:\n\t\t\ttok = token.EOF\n\t\tcase '\"':\n\t\t\ttok = token.STRING\n\t\t\ts.scanString()\n\t\tcase '#', '/':\n\t\t\ttok = token.COMMENT\n\t\t\ts.scanComment(ch)\n\t\tcase '.':\n\t\t\ttok = token.PERIOD\n\t\t\tch = s.peek()\n\t\t\tif isDecimal(ch) {\n\t\t\t\ttok = token.FLOAT\n\t\t\t\tch = s.scanMantissa(ch)\n\t\t\t\tch = s.scanExponent(ch)\n\t\t\t}\n\t\tcase '<':\n\t\t\ttok = token.HEREDOC\n\t\t\ts.scanHeredoc()\n\t\tcase '[':\n\t\t\ttok = token.LBRACK\n\t\tcase ']':\n\t\t\ttok = token.RBRACK\n\t\tcase '{':\n\t\t\ttok = token.LBRACE\n\t\tcase '}':\n\t\t\ttok = token.RBRACE\n\t\tcase ',':\n\t\t\ttok = token.COMMA\n\t\tcase '=':\n\t\t\ttok = token.ASSIGN\n\t\tcase '+':\n\t\t\ttok = token.ADD\n\t\tcase '-':\n\t\t\tif isDecimal(s.peek()) {\n\t\t\t\tch := s.next()\n\t\t\t\ttok = s.scanNumber(ch)\n\t\t\t} else {\n\t\t\t\ttok = token.SUB\n\t\t\t}\n\t\tdefault:\n\t\t\ts.err(\"illegal char\")\n\t\t}\n\t}\n\n\t// finish token ending\n\ts.tokEnd = s.srcPos.Offset\n\n\t// create token literal\n\tvar tokenText string\n\tif s.tokStart >= 0 {\n\t\ttokenText = string(s.src[s.tokStart:s.tokEnd])\n\t}\n\ts.tokStart = s.tokEnd // ensure idempotency of tokenText() call\n\n\treturn token.Token{\n\t\tType: tok,\n\t\tPos:  s.tokPos,\n\t\tText: tokenText,\n\t}\n}\n\nfunc (s *Scanner) scanComment(ch rune) {\n\t// single line comments\n\tif ch == '#' || (ch == '/' && s.peek() != '*') {\n\t\tif ch == '/' && 
s.peek() != '/' {\n\t\t\ts.err(\"expected '/' for comment\")\n\t\t\treturn\n\t\t}\n\n\t\tch = s.next()\n\t\tfor ch != '\\n' && ch >= 0 && ch != eof {\n\t\t\tch = s.next()\n\t\t}\n\t\tif ch != eof && ch >= 0 {\n\t\t\ts.unread()\n\t\t}\n\t\treturn\n\t}\n\n\t// be sure we get the character after /* This allows us to find comment's\n\t// that are not erminated\n\tif ch == '/' {\n\t\ts.next()\n\t\tch = s.next() // read character after \"/*\"\n\t}\n\n\t// look for /* - style comments\n\tfor {\n\t\tif ch < 0 || ch == eof {\n\t\t\ts.err(\"comment not terminated\")\n\t\t\tbreak\n\t\t}\n\n\t\tch0 := ch\n\t\tch = s.next()\n\t\tif ch0 == '*' && ch == '/' {\n\t\t\tbreak\n\t\t}\n\t}\n}\n\n// scanNumber scans a HCL number definition starting with the given rune\nfunc (s *Scanner) scanNumber(ch rune) token.Type {\n\tif ch == '0' {\n\t\t// check for hexadecimal, octal or float\n\t\tch = s.next()\n\t\tif ch == 'x' || ch == 'X' {\n\t\t\t// hexadecimal\n\t\t\tch = s.next()\n\t\t\tfound := false\n\t\t\tfor isHexadecimal(ch) {\n\t\t\t\tch = s.next()\n\t\t\t\tfound = true\n\t\t\t}\n\n\t\t\tif !found {\n\t\t\t\ts.err(\"illegal hexadecimal number\")\n\t\t\t}\n\n\t\t\tif ch != eof {\n\t\t\t\ts.unread()\n\t\t\t}\n\n\t\t\treturn token.NUMBER\n\t\t}\n\n\t\t// now it's either something like: 0421(octal) or 0.1231(float)\n\t\tillegalOctal := false\n\t\tfor isDecimal(ch) {\n\t\t\tch = s.next()\n\t\t\tif ch == '8' || ch == '9' {\n\t\t\t\t// this is just a possibility. For example 0159 is illegal, but\n\t\t\t\t// 0159.23 is valid. So we mark a possible illegal octal. If\n\t\t\t\t// the next character is not a period, we'll print the error.\n\t\t\t\tillegalOctal = true\n\t\t\t}\n\t\t}\n\n\t\tif ch == 'e' || ch == 'E' {\n\t\t\tch = s.scanExponent(ch)\n\t\t\treturn token.FLOAT\n\t\t}\n\n\t\tif ch == '.' 
{\n\t\t\tch = s.scanFraction(ch)\n\n\t\t\tif ch == 'e' || ch == 'E' {\n\t\t\t\tch = s.next()\n\t\t\t\tch = s.scanExponent(ch)\n\t\t\t}\n\t\t\treturn token.FLOAT\n\t\t}\n\n\t\tif illegalOctal {\n\t\t\ts.err(\"illegal octal number\")\n\t\t}\n\n\t\tif ch != eof {\n\t\t\ts.unread()\n\t\t}\n\t\treturn token.NUMBER\n\t}\n\n\ts.scanMantissa(ch)\n\tch = s.next() // seek forward\n\tif ch == 'e' || ch == 'E' {\n\t\tch = s.scanExponent(ch)\n\t\treturn token.FLOAT\n\t}\n\n\tif ch == '.' {\n\t\tch = s.scanFraction(ch)\n\t\tif ch == 'e' || ch == 'E' {\n\t\t\tch = s.next()\n\t\t\tch = s.scanExponent(ch)\n\t\t}\n\t\treturn token.FLOAT\n\t}\n\n\tif ch != eof {\n\t\ts.unread()\n\t}\n\treturn token.NUMBER\n}\n\n// scanMantissa scans the mantissa beginning from the rune. It returns the next\n// non decimal rune. It's used to determine wheter it's a fraction or exponent.\nfunc (s *Scanner) scanMantissa(ch rune) rune {\n\tscanned := false\n\tfor isDecimal(ch) {\n\t\tch = s.next()\n\t\tscanned = true\n\t}\n\n\tif scanned && ch != eof {\n\t\ts.unread()\n\t}\n\treturn ch\n}\n\n// scanFraction scans the fraction after the '.' rune\nfunc (s *Scanner) scanFraction(ch rune) rune {\n\tif ch == '.' 
{\n\t\tch = s.peek() // we peek just to see if we can move forward\n\t\tch = s.scanMantissa(ch)\n\t}\n\treturn ch\n}\n\n// scanExponent scans the remaining parts of an exponent after the 'e' or 'E'\n// rune.\nfunc (s *Scanner) scanExponent(ch rune) rune {\n\tif ch == 'e' || ch == 'E' {\n\t\tch = s.next()\n\t\tif ch == '-' || ch == '+' {\n\t\t\tch = s.next()\n\t\t}\n\t\tch = s.scanMantissa(ch)\n\t}\n\treturn ch\n}\n\n// scanHeredoc scans a heredoc string\nfunc (s *Scanner) scanHeredoc() {\n\t// Scan the second '<' in example: '<<EOF'\n\tif s.next() != '<' {\n\t\ts.err(\"heredoc expected second '<', didn't see it\")\n\t\treturn\n\t}\n\n\t// Get the original offset so we can read just the heredoc ident\n\toffs := s.srcPos.Offset\n\n\t// Scan the identifier\n\tch := s.next()\n\n\t// Indented heredoc syntax\n\tif ch == '-' {\n\t\tch = s.next()\n\t}\n\n\tfor isLetter(ch) || isDigit(ch) {\n\t\tch = s.next()\n\t}\n\n\t// If we reached an EOF then that is not good\n\tif ch == eof {\n\t\ts.err(\"heredoc not terminated\")\n\t\treturn\n\t}\n\n\t// Ignore the '\\r' in Windows line endings\n\tif ch == '\\r' {\n\t\tif s.peek() == '\\n' {\n\t\t\tch = s.next()\n\t\t}\n\t}\n\n\t// If we didn't reach a newline then that is also not good\n\tif ch != '\\n' {\n\t\ts.err(\"invalid characters in heredoc anchor\")\n\t\treturn\n\t}\n\n\t// Read the identifier\n\tidentBytes := s.src[offs : s.srcPos.Offset-s.lastCharLen]\n\tif len(identBytes) == 0 || (len(identBytes) == 1 && identBytes[0] == '-') {\n\t\ts.err(\"zero-length heredoc anchor\")\n\t\treturn\n\t}\n\n\tvar identRegexp *regexp.Regexp\n\tif identBytes[0] == '-' {\n\t\tidentRegexp = regexp.MustCompile(fmt.Sprintf(`^[[:space:]]*%s\\r*\\z`, identBytes[1:]))\n\t} else {\n\t\tidentRegexp = regexp.MustCompile(fmt.Sprintf(`^[[:space:]]*%s\\r*\\z`, identBytes))\n\t}\n\n\t// Read the actual string value\n\tlineStart := s.srcPos.Offset\n\tfor {\n\t\tch := s.next()\n\n\t\t// Special newline handling.\n\t\tif ch == '\\n' {\n\t\t\t// Math is fast, 
so we first compare the byte counts to see if we have a chance\n\t\t\t// of seeing the same identifier - if the length is less than the number of bytes\n\t\t\t// in the identifier, this cannot be a valid terminator.\n\t\t\tlineBytesLen := s.srcPos.Offset - s.lastCharLen - lineStart\n\t\t\tif lineBytesLen >= len(identBytes) && identRegexp.Match(s.src[lineStart:s.srcPos.Offset-s.lastCharLen]) {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\t// Not an anchor match, record the start of a new line\n\t\t\tlineStart = s.srcPos.Offset\n\t\t}\n\n\t\tif ch == eof {\n\t\t\ts.err(\"heredoc not terminated\")\n\t\t\treturn\n\t\t}\n\t}\n\n\treturn\n}\n\n// scanString scans a quoted string\nfunc (s *Scanner) scanString() {\n\tbraces := 0\n\tfor {\n\t\t// '\"' opening already consumed\n\t\t// read character after quote\n\t\tch := s.next()\n\n\t\tif (ch == '\\n' && braces == 0) || ch < 0 || ch == eof {\n\t\t\ts.err(\"literal not terminated\")\n\t\t\treturn\n\t\t}\n\n\t\tif ch == '\"' && braces == 0 {\n\t\t\tbreak\n\t\t}\n\n\t\t// If we're going into a ${} then we can ignore quotes for awhile\n\t\tif braces == 0 && ch == '$' && s.peek() == '{' {\n\t\t\tbraces++\n\t\t\ts.next()\n\t\t} else if braces > 0 && ch == '{' {\n\t\t\tbraces++\n\t\t}\n\t\tif braces > 0 && ch == '}' {\n\t\t\tbraces--\n\t\t}\n\n\t\tif ch == '\\\\' {\n\t\t\ts.scanEscape()\n\t\t}\n\t}\n\n\treturn\n}\n\n// scanEscape scans an escape sequence\nfunc (s *Scanner) scanEscape() rune {\n\t// http://en.cppreference.com/w/cpp/language/escape\n\tch := s.next() // read character after '/'\n\tswitch ch {\n\tcase 'a', 'b', 'f', 'n', 'r', 't', 'v', '\\\\', '\"':\n\t\t// nothing to do\n\tcase '0', '1', '2', '3', '4', '5', '6', '7':\n\t\t// octal notation\n\t\tch = s.scanDigits(ch, 8, 3)\n\tcase 'x':\n\t\t// hexademical notation\n\t\tch = s.scanDigits(s.next(), 16, 2)\n\tcase 'u':\n\t\t// universal character name\n\t\tch = s.scanDigits(s.next(), 16, 4)\n\tcase 'U':\n\t\t// universal character name\n\t\tch = s.scanDigits(s.next(), 16, 
8)\n\tdefault:\n\t\ts.err(\"illegal char escape\")\n\t}\n\treturn ch\n}\n\n// scanDigits scans a rune with the given base for n times. For example an\n// octal notation \\184 would yield in scanDigits(ch, 8, 3)\nfunc (s *Scanner) scanDigits(ch rune, base, n int) rune {\n\tstart := n\n\tfor n > 0 && digitVal(ch) < base {\n\t\tch = s.next()\n\t\tif ch == eof {\n\t\t\t// If we see an EOF, we halt any more scanning of digits\n\t\t\t// immediately.\n\t\t\tbreak\n\t\t}\n\n\t\tn--\n\t}\n\tif n > 0 {\n\t\ts.err(\"illegal char escape\")\n\t}\n\n\tif n != start && ch != eof {\n\t\t// we scanned all digits, put the last non digit char back,\n\t\t// only if we read anything at all\n\t\ts.unread()\n\t}\n\n\treturn ch\n}\n\n// scanIdentifier scans an identifier and returns the literal string\nfunc (s *Scanner) scanIdentifier() string {\n\toffs := s.srcPos.Offset - s.lastCharLen\n\tch := s.next()\n\tfor isLetter(ch) || isDigit(ch) || ch == '-' || ch == '.' {\n\t\tch = s.next()\n\t}\n\n\tif ch != eof {\n\t\ts.unread() // we got identifier, put back latest char\n\t}\n\n\treturn string(s.src[offs:s.srcPos.Offset])\n}\n\n// recentPosition returns the position of the character immediately after the\n// character or token returned by the last call to Scan.\nfunc (s *Scanner) recentPosition() (pos token.Pos) {\n\tpos.Offset = s.srcPos.Offset - s.lastCharLen\n\tswitch {\n\tcase s.srcPos.Column > 0:\n\t\t// common case: last character was not a '\\n'\n\t\tpos.Line = s.srcPos.Line\n\t\tpos.Column = s.srcPos.Column\n\tcase s.lastLineLen > 0:\n\t\t// last character was a '\\n'\n\t\t// (we cannot be at the beginning of the source\n\t\t// since we have called next() at least once)\n\t\tpos.Line = s.srcPos.Line - 1\n\t\tpos.Column = s.lastLineLen\n\tdefault:\n\t\t// at the beginning of the source\n\t\tpos.Line = 1\n\t\tpos.Column = 1\n\t}\n\treturn\n}\n\n// err prints the error of any scanning to s.Error function. 
If the function is\n// not defined, by default it prints them to os.Stderr\nfunc (s *Scanner) err(msg string) {\n\ts.ErrorCount++\n\tpos := s.recentPosition()\n\n\tif s.Error != nil {\n\t\ts.Error(pos, msg)\n\t\treturn\n\t}\n\n\tfmt.Fprintf(os.Stderr, \"%s: %s\\n\", pos, msg)\n}\n\n// isLetter returns true if the given rune is a letter\nfunc isLetter(ch rune) bool {\n\treturn 'a' <= ch && ch <= 'z' || 'A' <= ch && ch <= 'Z' || ch == '_' || ch >= 0x80 && unicode.IsLetter(ch)\n}\n\n// isDigit returns true if the given rune is a decimal digit\nfunc isDigit(ch rune) bool {\n\treturn '0' <= ch && ch <= '9' || ch >= 0x80 && unicode.IsDigit(ch)\n}\n\n// isDecimal returns true if the given rune is a decimal number\nfunc isDecimal(ch rune) bool {\n\treturn '0' <= ch && ch <= '9'\n}\n\n// isHexadecimal returns true if the given rune is a hexadecimal number\nfunc isHexadecimal(ch rune) bool {\n\treturn '0' <= ch && ch <= '9' || 'a' <= ch && ch <= 'f' || 'A' <= ch && ch <= 'F'\n}\n\n// isWhitespace returns true if the rune is a space, tab, newline or carriage return\nfunc isWhitespace(ch rune) bool {\n\treturn ch == ' ' || ch == '\\t' || ch == '\\n' || ch == '\\r'\n}\n\n// digitVal returns the integer value of a given octal, decimal or hexadecimal rune\nfunc digitVal(ch rune) int {\n\tswitch {\n\tcase '0' <= ch && ch <= '9':\n\t\treturn int(ch - '0')\n\tcase 'a' <= ch && ch <= 'f':\n\t\treturn int(ch - 'a' + 10)\n\tcase 'A' <= ch && ch <= 'F':\n\t\treturn int(ch - 'A' + 10)\n\t}\n\treturn 16 // larger than any legal digit val\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/strconv/quote.go",
    "content": "package strconv\n\nimport (\n\t\"errors\"\n\t\"unicode/utf8\"\n)\n\n// ErrSyntax indicates that a value does not have the right syntax for the target type.\nvar ErrSyntax = errors.New(\"invalid syntax\")\n\n// Unquote interprets s as a single-quoted, double-quoted,\n// or backquoted Go string literal, returning the string value\n// that s quotes.  (If s is single-quoted, it would be a Go\n// character literal; Unquote returns the corresponding\n// one-character string.)\nfunc Unquote(s string) (t string, err error) {\n\tn := len(s)\n\tif n < 2 {\n\t\treturn \"\", ErrSyntax\n\t}\n\tquote := s[0]\n\tif quote != s[n-1] {\n\t\treturn \"\", ErrSyntax\n\t}\n\ts = s[1 : n-1]\n\n\tif quote != '\"' {\n\t\treturn \"\", ErrSyntax\n\t}\n\tif !contains(s, '$') && !contains(s, '{') && contains(s, '\\n') {\n\t\treturn \"\", ErrSyntax\n\t}\n\n\t// Is it trivial?  Avoid allocation.\n\tif !contains(s, '\\\\') && !contains(s, quote) && !contains(s, '$') {\n\t\tswitch quote {\n\t\tcase '\"':\n\t\t\treturn s, nil\n\t\tcase '\\'':\n\t\t\tr, size := utf8.DecodeRuneInString(s)\n\t\t\tif size == len(s) && (r != utf8.RuneError || size != 1) {\n\t\t\t\treturn s, nil\n\t\t\t}\n\t\t}\n\t}\n\n\tvar runeTmp [utf8.UTFMax]byte\n\tbuf := make([]byte, 0, 3*len(s)/2) // Try to avoid more allocations.\n\tfor len(s) > 0 {\n\t\t// If we're starting a '${}' then let it through un-unquoted.\n\t\t// Specifically: we don't unquote any characters within the `${}`\n\t\t// section.\n\t\tif s[0] == '$' && len(s) > 1 && s[1] == '{' {\n\t\t\tbuf = append(buf, '$', '{')\n\t\t\ts = s[2:]\n\n\t\t\t// Continue reading until we find the closing brace, copying as-is\n\t\t\tbraces := 1\n\t\t\tfor len(s) > 0 && braces > 0 {\n\t\t\t\tr, size := utf8.DecodeRuneInString(s)\n\t\t\t\tif r == utf8.RuneError {\n\t\t\t\t\treturn \"\", ErrSyntax\n\t\t\t\t}\n\n\t\t\t\ts = s[size:]\n\n\t\t\t\tn := utf8.EncodeRune(runeTmp[:], r)\n\t\t\t\tbuf = append(buf, runeTmp[:n]...)\n\n\t\t\t\tswitch r {\n\t\t\t\tcase 
'{':\n\t\t\t\t\tbraces++\n\t\t\t\tcase '}':\n\t\t\t\t\tbraces--\n\t\t\t\t}\n\t\t\t}\n\t\t\tif braces != 0 {\n\t\t\t\treturn \"\", ErrSyntax\n\t\t\t}\n\t\t\tif len(s) == 0 {\n\t\t\t\t// If there's no string left, we're done!\n\t\t\t\tbreak\n\t\t\t} else {\n\t\t\t\t// If there's more left, we need to pop back up to the top of the loop\n\t\t\t\t// in case there's another interpolation in this string.\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\n\t\tif s[0] == '\\n' {\n\t\t\treturn \"\", ErrSyntax\n\t\t}\n\n\t\tc, multibyte, ss, err := unquoteChar(s, quote)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\ts = ss\n\t\tif c < utf8.RuneSelf || !multibyte {\n\t\t\tbuf = append(buf, byte(c))\n\t\t} else {\n\t\t\tn := utf8.EncodeRune(runeTmp[:], c)\n\t\t\tbuf = append(buf, runeTmp[:n]...)\n\t\t}\n\t\tif quote == '\\'' && len(s) != 0 {\n\t\t\t// single-quoted must be single character\n\t\t\treturn \"\", ErrSyntax\n\t\t}\n\t}\n\treturn string(buf), nil\n}\n\n// contains reports whether the string contains the byte c.\nfunc contains(s string, c byte) bool {\n\tfor i := 0; i < len(s); i++ {\n\t\tif s[i] == c {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc unhex(b byte) (v rune, ok bool) {\n\tc := rune(b)\n\tswitch {\n\tcase '0' <= c && c <= '9':\n\t\treturn c - '0', true\n\tcase 'a' <= c && c <= 'f':\n\t\treturn c - 'a' + 10, true\n\tcase 'A' <= c && c <= 'F':\n\t\treturn c - 'A' + 10, true\n\t}\n\treturn\n}\n\nfunc unquoteChar(s string, quote byte) (value rune, multibyte bool, tail string, err error) {\n\t// easy cases\n\tswitch c := s[0]; {\n\tcase c == quote && (quote == '\\'' || quote == '\"'):\n\t\terr = ErrSyntax\n\t\treturn\n\tcase c >= utf8.RuneSelf:\n\t\tr, size := utf8.DecodeRuneInString(s)\n\t\treturn r, true, s[size:], nil\n\tcase c != '\\\\':\n\t\treturn rune(s[0]), false, s[1:], nil\n\t}\n\n\t// hard case: c is backslash\n\tif len(s) <= 1 {\n\t\terr = ErrSyntax\n\t\treturn\n\t}\n\tc := s[1]\n\ts = s[2:]\n\n\tswitch c {\n\tcase 'a':\n\t\tvalue = 
'\\a'\n\tcase 'b':\n\t\tvalue = '\\b'\n\tcase 'f':\n\t\tvalue = '\\f'\n\tcase 'n':\n\t\tvalue = '\\n'\n\tcase 'r':\n\t\tvalue = '\\r'\n\tcase 't':\n\t\tvalue = '\\t'\n\tcase 'v':\n\t\tvalue = '\\v'\n\tcase 'x', 'u', 'U':\n\t\tn := 0\n\t\tswitch c {\n\t\tcase 'x':\n\t\t\tn = 2\n\t\tcase 'u':\n\t\t\tn = 4\n\t\tcase 'U':\n\t\t\tn = 8\n\t\t}\n\t\tvar v rune\n\t\tif len(s) < n {\n\t\t\terr = ErrSyntax\n\t\t\treturn\n\t\t}\n\t\tfor j := 0; j < n; j++ {\n\t\t\tx, ok := unhex(s[j])\n\t\t\tif !ok {\n\t\t\t\terr = ErrSyntax\n\t\t\t\treturn\n\t\t\t}\n\t\t\tv = v<<4 | x\n\t\t}\n\t\ts = s[n:]\n\t\tif c == 'x' {\n\t\t\t// single-byte string, possibly not UTF-8\n\t\t\tvalue = v\n\t\t\tbreak\n\t\t}\n\t\tif v > utf8.MaxRune {\n\t\t\terr = ErrSyntax\n\t\t\treturn\n\t\t}\n\t\tvalue = v\n\t\tmultibyte = true\n\tcase '0', '1', '2', '3', '4', '5', '6', '7':\n\t\tv := rune(c) - '0'\n\t\tif len(s) < 2 {\n\t\t\terr = ErrSyntax\n\t\t\treturn\n\t\t}\n\t\tfor j := 0; j < 2; j++ { // one digit already; two more\n\t\t\tx := rune(s[j]) - '0'\n\t\t\tif x < 0 || x > 7 {\n\t\t\t\terr = ErrSyntax\n\t\t\t\treturn\n\t\t\t}\n\t\t\tv = (v << 3) | x\n\t\t}\n\t\ts = s[2:]\n\t\tif v > 255 {\n\t\t\terr = ErrSyntax\n\t\t\treturn\n\t\t}\n\t\tvalue = v\n\tcase '\\\\':\n\t\tvalue = '\\\\'\n\tcase '\\'', '\"':\n\t\tif c != quote {\n\t\t\terr = ErrSyntax\n\t\t\treturn\n\t\t}\n\t\tvalue = rune(c)\n\tdefault:\n\t\terr = ErrSyntax\n\t\treturn\n\t}\n\ttail = s\n\treturn\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/token/position.go",
    "content": "package token\n\nimport \"fmt\"\n\n// Pos describes an arbitrary source position\n// including the file, line, and column location.\n// A Position is valid if the line number is > 0.\ntype Pos struct {\n\tFilename string // filename, if any\n\tOffset   int    // offset, starting at 0\n\tLine     int    // line number, starting at 1\n\tColumn   int    // column number, starting at 1 (character count)\n}\n\n// IsValid returns true if the position is valid.\nfunc (p *Pos) IsValid() bool { return p.Line > 0 }\n\n// String returns a string in one of several forms:\n//\n//\tfile:line:column    valid position with file name\n//\tline:column         valid position without file name\n//\tfile                invalid position with file name\n//\t-                   invalid position without file name\nfunc (p Pos) String() string {\n\ts := p.Filename\n\tif p.IsValid() {\n\t\tif s != \"\" {\n\t\t\ts += \":\"\n\t\t}\n\t\ts += fmt.Sprintf(\"%d:%d\", p.Line, p.Column)\n\t}\n\tif s == \"\" {\n\t\ts = \"-\"\n\t}\n\treturn s\n}\n\n// Before reports whether the position p is before u.\nfunc (p Pos) Before(u Pos) bool {\n\treturn u.Offset > p.Offset || u.Line > p.Line\n}\n\n// After reports whether the position p is after u.\nfunc (p Pos) After(u Pos) bool {\n\treturn u.Offset < p.Offset || u.Line < p.Line\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/token/token.go",
    "content": "// Package token defines constants representing the lexical tokens for HCL\n// (HashiCorp Configuration Language)\npackage token\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\thclstrconv \"github.com/hashicorp/hcl/hcl/strconv\"\n)\n\n// Token defines a single HCL token which can be obtained via the Scanner\ntype Token struct {\n\tType Type\n\tPos  Pos\n\tText string\n\tJSON bool\n}\n\n// Type is the set of lexical tokens of the HCL (HashiCorp Configuration Language)\ntype Type int\n\nconst (\n\t// Special tokens\n\tILLEGAL Type = iota\n\tEOF\n\tCOMMENT\n\n\tidentifier_beg\n\tIDENT // literals\n\tliteral_beg\n\tNUMBER  // 12345\n\tFLOAT   // 123.45\n\tBOOL    // true,false\n\tSTRING  // \"abc\"\n\tHEREDOC // <<FOO\\nbar\\nFOO\n\tliteral_end\n\tidentifier_end\n\n\toperator_beg\n\tLBRACK // [\n\tLBRACE // {\n\tCOMMA  // ,\n\tPERIOD // .\n\n\tRBRACK // ]\n\tRBRACE // }\n\n\tASSIGN // =\n\tADD    // +\n\tSUB    // -\n\toperator_end\n)\n\nvar tokens = [...]string{\n\tILLEGAL: \"ILLEGAL\",\n\n\tEOF:     \"EOF\",\n\tCOMMENT: \"COMMENT\",\n\n\tIDENT:  \"IDENT\",\n\tNUMBER: \"NUMBER\",\n\tFLOAT:  \"FLOAT\",\n\tBOOL:   \"BOOL\",\n\tSTRING: \"STRING\",\n\n\tLBRACK:  \"LBRACK\",\n\tLBRACE:  \"LBRACE\",\n\tCOMMA:   \"COMMA\",\n\tPERIOD:  \"PERIOD\",\n\tHEREDOC: \"HEREDOC\",\n\n\tRBRACK: \"RBRACK\",\n\tRBRACE: \"RBRACE\",\n\n\tASSIGN: \"ASSIGN\",\n\tADD:    \"ADD\",\n\tSUB:    \"SUB\",\n}\n\n// String returns the string corresponding to the token tok.\nfunc (t Type) String() string {\n\ts := \"\"\n\tif 0 <= t && t < Type(len(tokens)) {\n\t\ts = tokens[t]\n\t}\n\tif s == \"\" {\n\t\ts = \"token(\" + strconv.Itoa(int(t)) + \")\"\n\t}\n\treturn s\n}\n\n// IsIdentifier returns true for tokens corresponding to identifiers and basic\n// type literals; it returns false otherwise.\nfunc (t Type) IsIdentifier() bool { return identifier_beg < t && t < identifier_end }\n\n// IsLiteral returns true for tokens corresponding to basic type literals; it\n// returns 
false otherwise.\nfunc (t Type) IsLiteral() bool { return literal_beg < t && t < literal_end }\n\n// IsOperator returns true for tokens corresponding to operators and\n// delimiters; it returns false otherwise.\nfunc (t Type) IsOperator() bool { return operator_beg < t && t < operator_end }\n\n// String returns the token's literal text. Note that this is only\n// applicable for certain token types, such as token.IDENT,\n// token.STRING, etc..\nfunc (t Token) String() string {\n\treturn fmt.Sprintf(\"%s %s %s\", t.Pos.String(), t.Type.String(), t.Text)\n}\n\n// Value returns the properly typed value for this token. The type of\n// the returned interface{} is guaranteed based on the Type field.\n//\n// This can only be called for literal types. If it is called for any other\n// type, this will panic.\nfunc (t Token) Value() interface{} {\n\tswitch t.Type {\n\tcase BOOL:\n\t\tif t.Text == \"true\" {\n\t\t\treturn true\n\t\t} else if t.Text == \"false\" {\n\t\t\treturn false\n\t\t}\n\n\t\tpanic(\"unknown bool value: \" + t.Text)\n\tcase FLOAT:\n\t\tv, err := strconv.ParseFloat(t.Text, 64)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\n\t\treturn float64(v)\n\tcase NUMBER:\n\t\tv, err := strconv.ParseInt(t.Text, 0, 64)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\n\t\treturn int64(v)\n\tcase IDENT:\n\t\treturn t.Text\n\tcase HEREDOC:\n\t\treturn unindentHeredoc(t.Text)\n\tcase STRING:\n\t\t// Determine the Unquote method to use. 
If it came from JSON,\n\t\t// then we need to use the built-in unquote since we have to\n\t\t// escape interpolations there.\n\t\tf := hclstrconv.Unquote\n\t\tif t.JSON {\n\t\t\tf = strconv.Unquote\n\t\t}\n\n\t\t// This case occurs if json null is used\n\t\tif t.Text == \"\" {\n\t\t\treturn \"\"\n\t\t}\n\n\t\tv, err := f(t.Text)\n\t\tif err != nil {\n\t\t\tpanic(fmt.Sprintf(\"unquote %s err: %s\", t.Text, err))\n\t\t}\n\n\t\treturn v\n\tdefault:\n\t\tpanic(fmt.Sprintf(\"unimplemented Value for type: %s\", t.Type))\n\t}\n}\n\n// unindentHeredoc returns the string content of a HEREDOC if it is started with <<\n// and the content of a HEREDOC with the hanging indent removed if it is started with\n// a <<-, and the terminating line is at least as indented as the least indented line.\nfunc unindentHeredoc(heredoc string) string {\n\t// We need to find the end of the marker\n\tidx := strings.IndexByte(heredoc, '\\n')\n\tif idx == -1 {\n\t\tpanic(\"heredoc doesn't contain newline\")\n\t}\n\n\tunindent := heredoc[2] == '-'\n\n\t// We can optimize if the heredoc isn't marked for indentation\n\tif !unindent {\n\t\treturn string(heredoc[idx+1 : len(heredoc)-idx+1])\n\t}\n\n\t// We need to unindent each line based on the indentation level of the marker\n\tlines := strings.Split(string(heredoc[idx+1:len(heredoc)-idx+2]), \"\\n\")\n\twhitespacePrefix := lines[len(lines)-1]\n\n\tisIndented := true\n\tfor _, v := range lines {\n\t\tif strings.HasPrefix(v, whitespacePrefix) {\n\t\t\tcontinue\n\t\t}\n\n\t\tisIndented = false\n\t\tbreak\n\t}\n\n\t// If all lines are not at least as indented as the terminating mark, return the\n\t// heredoc as is, but trim the leading space from the marker on the final line.\n\tif !isIndented {\n\t\treturn strings.TrimRight(string(heredoc[idx+1:len(heredoc)-idx+1]), \" \\t\")\n\t}\n\n\tunindentedLines := make([]string, len(lines))\n\tfor k, v := range lines {\n\t\tif k == len(lines)-1 {\n\t\t\tunindentedLines[k] = 
\"\"\n\t\t\tbreak\n\t\t}\n\n\t\tunindentedLines[k] = strings.TrimPrefix(v, whitespacePrefix)\n\t}\n\n\treturn strings.Join(unindentedLines, \"\\n\")\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl.go",
    "content": "// Package hcl decodes HCL into usable Go structures.\n//\n// hcl input can come in either pure HCL format or JSON format.\n// It can be parsed into an AST, and then decoded into a structure,\n// or it can be decoded directly from a string into a structure.\n//\n// If you choose to parse HCL into a raw AST, the benefit is that you\n// can write custom visitor implementations to implement custom\n// semantic checks. By default, HCL does not perform any semantic\n// checks.\npackage hcl\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/parser/flatten.go",
    "content": "package parser\n\nimport \"github.com/hashicorp/hcl/hcl/ast\"\n\n// flattenObjects takes an AST node, walks it, and flattens\nfunc flattenObjects(node ast.Node) {\n\tast.Walk(node, func(n ast.Node) (ast.Node, bool) {\n\t\t// We only care about lists, because this is what we modify\n\t\tlist, ok := n.(*ast.ObjectList)\n\t\tif !ok {\n\t\t\treturn n, true\n\t\t}\n\n\t\t// Rebuild the item list\n\t\titems := make([]*ast.ObjectItem, 0, len(list.Items))\n\t\tfrontier := make([]*ast.ObjectItem, len(list.Items))\n\t\tcopy(frontier, list.Items)\n\t\tfor len(frontier) > 0 {\n\t\t\t// Pop the current item\n\t\t\tn := len(frontier)\n\t\t\titem := frontier[n-1]\n\t\t\tfrontier = frontier[:n-1]\n\n\t\t\tswitch v := item.Val.(type) {\n\t\t\tcase *ast.ObjectType:\n\t\t\t\titems, frontier = flattenObjectType(v, item, items, frontier)\n\t\t\tcase *ast.ListType:\n\t\t\t\titems, frontier = flattenListType(v, item, items, frontier)\n\t\t\tdefault:\n\t\t\t\titems = append(items, item)\n\t\t\t}\n\t\t}\n\n\t\t// Reverse the list since the frontier model runs things backwards\n\t\tfor i := len(items)/2 - 1; i >= 0; i-- {\n\t\t\topp := len(items) - 1 - i\n\t\t\titems[i], items[opp] = items[opp], items[i]\n\t\t}\n\n\t\t// Done! Set the original items\n\t\tlist.Items = items\n\t\treturn n, true\n\t})\n}\n\nfunc flattenListType(\n\tot *ast.ListType,\n\titem *ast.ObjectItem,\n\titems []*ast.ObjectItem,\n\tfrontier []*ast.ObjectItem) ([]*ast.ObjectItem, []*ast.ObjectItem) {\n\t// If the list is empty, keep the original list\n\tif len(ot.List) == 0 {\n\t\titems = append(items, item)\n\t\treturn items, frontier\n\t}\n\n\t// All the elements of this object must also be objects!\n\tfor _, subitem := range ot.List {\n\t\tif _, ok := subitem.(*ast.ObjectType); !ok {\n\t\t\titems = append(items, item)\n\t\t\treturn items, frontier\n\t\t}\n\t}\n\n\t// Great! 
We have a match go through all the items and flatten\n\tfor _, elem := range ot.List {\n\t\t// Add it to the frontier so that we can recurse\n\t\tfrontier = append(frontier, &ast.ObjectItem{\n\t\t\tKeys:        item.Keys,\n\t\t\tAssign:      item.Assign,\n\t\t\tVal:         elem,\n\t\t\tLeadComment: item.LeadComment,\n\t\t\tLineComment: item.LineComment,\n\t\t})\n\t}\n\n\treturn items, frontier\n}\n\nfunc flattenObjectType(\n\tot *ast.ObjectType,\n\titem *ast.ObjectItem,\n\titems []*ast.ObjectItem,\n\tfrontier []*ast.ObjectItem) ([]*ast.ObjectItem, []*ast.ObjectItem) {\n\t// If the list has no items we do not have to flatten anything\n\tif ot.List.Items == nil {\n\t\titems = append(items, item)\n\t\treturn items, frontier\n\t}\n\n\t// All the elements of this object must also be objects!\n\tfor _, subitem := range ot.List.Items {\n\t\tif _, ok := subitem.Val.(*ast.ObjectType); !ok {\n\t\t\titems = append(items, item)\n\t\t\treturn items, frontier\n\t\t}\n\t}\n\n\t// Great! We have a match go through all the items and flatten\n\tfor _, subitem := range ot.List.Items {\n\t\t// Copy the new key\n\t\tkeys := make([]*ast.ObjectKey, len(item.Keys)+len(subitem.Keys))\n\t\tcopy(keys, item.Keys)\n\t\tcopy(keys[len(item.Keys):], subitem.Keys)\n\n\t\t// Add it to the frontier so that we can recurse\n\t\tfrontier = append(frontier, &ast.ObjectItem{\n\t\t\tKeys:        keys,\n\t\t\tAssign:      item.Assign,\n\t\t\tVal:         subitem.Val,\n\t\t\tLeadComment: item.LeadComment,\n\t\t\tLineComment: item.LineComment,\n\t\t})\n\t}\n\n\treturn items, frontier\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/parser/parser.go",
    "content": "package parser\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\n\t\"github.com/hashicorp/hcl/hcl/ast\"\n\thcltoken \"github.com/hashicorp/hcl/hcl/token\"\n\t\"github.com/hashicorp/hcl/json/scanner\"\n\t\"github.com/hashicorp/hcl/json/token\"\n)\n\ntype Parser struct {\n\tsc *scanner.Scanner\n\n\t// Last read token\n\ttok       token.Token\n\tcommaPrev token.Token\n\n\tenableTrace bool\n\tindent      int\n\tn           int // buffer size (max = 1)\n}\n\nfunc newParser(src []byte) *Parser {\n\treturn &Parser{\n\t\tsc: scanner.New(src),\n\t}\n}\n\n// Parse returns the fully parsed source and returns the abstract syntax tree.\nfunc Parse(src []byte) (*ast.File, error) {\n\tp := newParser(src)\n\treturn p.Parse()\n}\n\nvar errEofToken = errors.New(\"EOF token found\")\n\n// Parse returns the fully parsed source and returns the abstract syntax tree.\nfunc (p *Parser) Parse() (*ast.File, error) {\n\tf := &ast.File{}\n\tvar err, scerr error\n\tp.sc.Error = func(pos token.Pos, msg string) {\n\t\tscerr = fmt.Errorf(\"%s: %s\", pos, msg)\n\t}\n\n\t// The root must be an object in JSON\n\tobject, err := p.object()\n\tif scerr != nil {\n\t\treturn nil, scerr\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// We make our final node an object list so it is more HCL compatible\n\tf.Node = object.List\n\n\t// Flatten it, which finds patterns and turns them into more HCL-like\n\t// AST trees.\n\tflattenObjects(f.Node)\n\n\treturn f, nil\n}\n\nfunc (p *Parser) objectList() (*ast.ObjectList, error) {\n\tdefer un(trace(p, \"ParseObjectList\"))\n\tnode := &ast.ObjectList{}\n\n\tfor {\n\t\tn, err := p.objectItem()\n\t\tif err == errEofToken {\n\t\t\tbreak // we are finished\n\t\t}\n\n\t\t// we don't return a nil node, because might want to use already\n\t\t// collected items.\n\t\tif err != nil {\n\t\t\treturn node, err\n\t\t}\n\n\t\tnode.Add(n)\n\n\t\t// Check for a followup comma. 
If it isn't a comma, then we're done\n\t\tif tok := p.scan(); tok.Type != token.COMMA {\n\t\t\tbreak\n\t\t}\n\t}\n\n\treturn node, nil\n}\n\n// objectItem parses a single object item\nfunc (p *Parser) objectItem() (*ast.ObjectItem, error) {\n\tdefer un(trace(p, \"ParseObjectItem\"))\n\n\tkeys, err := p.objectKey()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\to := &ast.ObjectItem{\n\t\tKeys: keys,\n\t}\n\n\tswitch p.tok.Type {\n\tcase token.COLON:\n\t\tpos := p.tok.Pos\n\t\to.Assign = hcltoken.Pos{\n\t\t\tFilename: pos.Filename,\n\t\t\tOffset:   pos.Offset,\n\t\t\tLine:     pos.Line,\n\t\t\tColumn:   pos.Column,\n\t\t}\n\n\t\to.Val, err = p.objectValue()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\treturn o, nil\n}\n\n// objectKey parses an object key and returns a ObjectKey AST\nfunc (p *Parser) objectKey() ([]*ast.ObjectKey, error) {\n\tkeyCount := 0\n\tkeys := make([]*ast.ObjectKey, 0)\n\n\tfor {\n\t\ttok := p.scan()\n\t\tswitch tok.Type {\n\t\tcase token.EOF:\n\t\t\treturn nil, errEofToken\n\t\tcase token.STRING:\n\t\t\tkeyCount++\n\t\t\tkeys = append(keys, &ast.ObjectKey{\n\t\t\t\tToken: p.tok.HCLToken(),\n\t\t\t})\n\t\tcase token.COLON:\n\t\t\t// If we have a zero keycount it means that we never got\n\t\t\t// an object key, i.e. `{ :`. 
This is a syntax error.\n\t\t\tif keyCount == 0 {\n\t\t\t\treturn nil, fmt.Errorf(\"expected: STRING got: %s\", p.tok.Type)\n\t\t\t}\n\n\t\t\t// Done\n\t\t\treturn keys, nil\n\t\tcase token.ILLEGAL:\n\t\t\treturn nil, errors.New(\"illegal\")\n\t\tdefault:\n\t\t\treturn nil, fmt.Errorf(\"expected: STRING got: %s\", p.tok.Type)\n\t\t}\n\t}\n}\n\n// object parses any type of object, such as number, bool, string, object or\n// list.\nfunc (p *Parser) objectValue() (ast.Node, error) {\n\tdefer un(trace(p, \"ParseObjectValue\"))\n\ttok := p.scan()\n\n\tswitch tok.Type {\n\tcase token.NUMBER, token.FLOAT, token.BOOL, token.NULL, token.STRING:\n\t\treturn p.literalType()\n\tcase token.LBRACE:\n\t\treturn p.objectType()\n\tcase token.LBRACK:\n\t\treturn p.listType()\n\tcase token.EOF:\n\t\treturn nil, errEofToken\n\t}\n\n\treturn nil, fmt.Errorf(\"Expected object value, got unknown token: %+v\", tok)\n}\n\n// object parses any type of object, such as number, bool, string, object or\n// list.\nfunc (p *Parser) object() (*ast.ObjectType, error) {\n\tdefer un(trace(p, \"ParseType\"))\n\ttok := p.scan()\n\n\tswitch tok.Type {\n\tcase token.LBRACE:\n\t\treturn p.objectType()\n\tcase token.EOF:\n\t\treturn nil, errEofToken\n\t}\n\n\treturn nil, fmt.Errorf(\"Expected object, got unknown token: %+v\", tok)\n}\n\n// objectType parses an object type and returns a ObjectType AST\nfunc (p *Parser) objectType() (*ast.ObjectType, error) {\n\tdefer un(trace(p, \"ParseObjectType\"))\n\n\t// we assume that the currently scanned token is a LBRACE\n\to := &ast.ObjectType{}\n\n\tl, err := p.objectList()\n\n\t// if we hit RBRACE, we are good to go (means we parsed all Items), if it's\n\t// not a RBRACE, it's an syntax error and we just return it.\n\tif err != nil && p.tok.Type != token.RBRACE {\n\t\treturn nil, err\n\t}\n\n\to.List = l\n\treturn o, nil\n}\n\n// listType parses a list type and returns a ListType AST\nfunc (p *Parser) listType() (*ast.ListType, error) {\n\tdefer un(trace(p, 
\"ParseListType\"))\n\n\t// we assume that the currently scanned token is a LBRACK\n\tl := &ast.ListType{}\n\n\tfor {\n\t\ttok := p.scan()\n\t\tswitch tok.Type {\n\t\tcase token.NUMBER, token.FLOAT, token.STRING:\n\t\t\tnode, err := p.literalType()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\tl.Add(node)\n\t\tcase token.COMMA:\n\t\t\tcontinue\n\t\tcase token.LBRACE:\n\t\t\tnode, err := p.objectType()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\tl.Add(node)\n\t\tcase token.BOOL:\n\t\t\t// TODO(arslan) should we support? not supported by HCL yet\n\t\tcase token.LBRACK:\n\t\t\t// TODO(arslan) should we support nested lists? Even though it's\n\t\t\t// written in README of HCL, it's not a part of the grammar\n\t\t\t// (not defined in parse.y)\n\t\tcase token.RBRACK:\n\t\t\t// finished\n\t\t\treturn l, nil\n\t\tdefault:\n\t\t\treturn nil, fmt.Errorf(\"unexpected token while parsing list: %s\", tok.Type)\n\t\t}\n\n\t}\n}\n\n// literalType parses a literal type and returns a LiteralType AST\nfunc (p *Parser) literalType() (*ast.LiteralType, error) {\n\tdefer un(trace(p, \"ParseLiteral\"))\n\n\treturn &ast.LiteralType{\n\t\tToken: p.tok.HCLToken(),\n\t}, nil\n}\n\n// scan returns the next token from the underlying scanner. If a token has\n// been unscanned then read that instead.\nfunc (p *Parser) scan() token.Token {\n\t// If we have a token on the buffer, then return it.\n\tif p.n != 0 {\n\t\tp.n = 0\n\t\treturn p.tok\n\t}\n\n\tp.tok = p.sc.Scan()\n\treturn p.tok\n}\n\n// unscan pushes the previously read token back onto the buffer.\nfunc (p *Parser) unscan() {\n\tp.n = 1\n}\n\n// ----------------------------------------------------------------------------\n// Parsing support\n\nfunc (p *Parser) printTrace(a ...interface{}) {\n\tif !p.enableTrace {\n\t\treturn\n\t}\n\n\tconst dots = \". . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
\"\n\tconst n = len(dots)\n\tfmt.Printf(\"%5d:%3d: \", p.tok.Pos.Line, p.tok.Pos.Column)\n\n\ti := 2 * p.indent\n\tfor i > n {\n\t\tfmt.Print(dots)\n\t\ti -= n\n\t}\n\t// i <= n\n\tfmt.Print(dots[0:i])\n\tfmt.Println(a...)\n}\n\nfunc trace(p *Parser, msg string) *Parser {\n\tp.printTrace(msg, \"(\")\n\tp.indent++\n\treturn p\n}\n\n// Usage pattern: defer un(trace(p, \"...\"))\nfunc un(p *Parser) {\n\tp.indent--\n\tp.printTrace(\")\")\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/scanner/scanner.go",
    "content": "package scanner\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"os\"\n\t\"unicode\"\n\t\"unicode/utf8\"\n\n\t\"github.com/hashicorp/hcl/json/token\"\n)\n\n// eof represents a marker rune for the end of the reader.\nconst eof = rune(0)\n\n// Scanner defines a lexical scanner\ntype Scanner struct {\n\tbuf *bytes.Buffer // Source buffer for advancing and scanning\n\tsrc []byte        // Source buffer for immutable access\n\n\t// Source Position\n\tsrcPos  token.Pos // current position\n\tprevPos token.Pos // previous position, used for peek() method\n\n\tlastCharLen int // length of last character in bytes\n\tlastLineLen int // length of last line in characters (for correct column reporting)\n\n\ttokStart int // token text start position\n\ttokEnd   int // token text end  position\n\n\t// Error is called for each error encountered. If no Error\n\t// function is set, the error is reported to os.Stderr.\n\tError func(pos token.Pos, msg string)\n\n\t// ErrorCount is incremented by one for each error encountered.\n\tErrorCount int\n\n\t// tokPos is the start position of most recently scanned token; set by\n\t// Scan. The Filename field is always left untouched by the Scanner.  If\n\t// an error is reported (via Error) and Position is invalid, the scanner is\n\t// not inside a token.\n\ttokPos token.Pos\n}\n\n// New creates and initializes a new instance of Scanner using src as\n// its source content.\nfunc New(src []byte) *Scanner {\n\t// even though we accept a src, we read from a io.Reader compatible type\n\t// (*bytes.Buffer). So in the future we might easily change it to streaming\n\t// read.\n\tb := bytes.NewBuffer(src)\n\ts := &Scanner{\n\t\tbuf: b,\n\t\tsrc: src,\n\t}\n\n\t// srcPosition always starts with 1\n\ts.srcPos.Line = 1\n\treturn s\n}\n\n// next reads the next rune from the bufferred reader. 
Returns the rune(0) if\n// an error occurs (or io.EOF is returned).\nfunc (s *Scanner) next() rune {\n\tch, size, err := s.buf.ReadRune()\n\tif err != nil {\n\t\t// advance for error reporting\n\t\ts.srcPos.Column++\n\t\ts.srcPos.Offset += size\n\t\ts.lastCharLen = size\n\t\treturn eof\n\t}\n\n\tif ch == utf8.RuneError && size == 1 {\n\t\ts.srcPos.Column++\n\t\ts.srcPos.Offset += size\n\t\ts.lastCharLen = size\n\t\ts.err(\"illegal UTF-8 encoding\")\n\t\treturn ch\n\t}\n\n\t// remember last position\n\ts.prevPos = s.srcPos\n\n\ts.srcPos.Column++\n\ts.lastCharLen = size\n\ts.srcPos.Offset += size\n\n\tif ch == '\\n' {\n\t\ts.srcPos.Line++\n\t\ts.lastLineLen = s.srcPos.Column\n\t\ts.srcPos.Column = 0\n\t}\n\n\t// debug\n\t// fmt.Printf(\"ch: %q, offset:column: %d:%d\\n\", ch, s.srcPos.Offset, s.srcPos.Column)\n\treturn ch\n}\n\n// unread unreads the previous read Rune and updates the source position\nfunc (s *Scanner) unread() {\n\tif err := s.buf.UnreadRune(); err != nil {\n\t\tpanic(err) // this is user fault, we should catch it\n\t}\n\ts.srcPos = s.prevPos // put back last position\n}\n\n// peek returns the next rune without advancing the reader.\nfunc (s *Scanner) peek() rune {\n\tpeek, _, err := s.buf.ReadRune()\n\tif err != nil {\n\t\treturn eof\n\t}\n\n\ts.buf.UnreadRune()\n\treturn peek\n}\n\n// Scan scans the next token and returns the token.\nfunc (s *Scanner) Scan() token.Token {\n\tch := s.next()\n\n\t// skip white space\n\tfor isWhitespace(ch) {\n\t\tch = s.next()\n\t}\n\n\tvar tok token.Type\n\n\t// token text markings\n\ts.tokStart = s.srcPos.Offset - s.lastCharLen\n\n\t// token position, initial next() is moving the offset by one(size of rune\n\t// actually), though we are interested with the starting point\n\ts.tokPos.Offset = s.srcPos.Offset - s.lastCharLen\n\tif s.srcPos.Column > 0 {\n\t\t// common case: last character was not a '\\n'\n\t\ts.tokPos.Line = s.srcPos.Line\n\t\ts.tokPos.Column = s.srcPos.Column\n\t} else {\n\t\t// last character was a 
'\\n'\n\t\t// (we cannot be at the beginning of the source\n\t\t// since we have called next() at least once)\n\t\ts.tokPos.Line = s.srcPos.Line - 1\n\t\ts.tokPos.Column = s.lastLineLen\n\t}\n\n\tswitch {\n\tcase isLetter(ch):\n\t\tlit := s.scanIdentifier()\n\t\tif lit == \"true\" || lit == \"false\" {\n\t\t\ttok = token.BOOL\n\t\t} else if lit == \"null\" {\n\t\t\ttok = token.NULL\n\t\t} else {\n\t\t\ts.err(\"illegal char\")\n\t\t}\n\tcase isDecimal(ch):\n\t\ttok = s.scanNumber(ch)\n\tdefault:\n\t\tswitch ch {\n\t\tcase eof:\n\t\t\ttok = token.EOF\n\t\tcase '\"':\n\t\t\ttok = token.STRING\n\t\t\ts.scanString()\n\t\tcase '.':\n\t\t\ttok = token.PERIOD\n\t\t\tch = s.peek()\n\t\t\tif isDecimal(ch) {\n\t\t\t\ttok = token.FLOAT\n\t\t\t\tch = s.scanMantissa(ch)\n\t\t\t\tch = s.scanExponent(ch)\n\t\t\t}\n\t\tcase '[':\n\t\t\ttok = token.LBRACK\n\t\tcase ']':\n\t\t\ttok = token.RBRACK\n\t\tcase '{':\n\t\t\ttok = token.LBRACE\n\t\tcase '}':\n\t\t\ttok = token.RBRACE\n\t\tcase ',':\n\t\t\ttok = token.COMMA\n\t\tcase ':':\n\t\t\ttok = token.COLON\n\t\tcase '-':\n\t\t\tif isDecimal(s.peek()) {\n\t\t\t\tch := s.next()\n\t\t\t\ttok = s.scanNumber(ch)\n\t\t\t} else {\n\t\t\t\ts.err(\"illegal char\")\n\t\t\t}\n\t\tdefault:\n\t\t\ts.err(\"illegal char: \" + string(ch))\n\t\t}\n\t}\n\n\t// finish token ending\n\ts.tokEnd = s.srcPos.Offset\n\n\t// create token literal\n\tvar tokenText string\n\tif s.tokStart >= 0 {\n\t\ttokenText = string(s.src[s.tokStart:s.tokEnd])\n\t}\n\ts.tokStart = s.tokEnd // ensure idempotency of tokenText() call\n\n\treturn token.Token{\n\t\tType: tok,\n\t\tPos:  s.tokPos,\n\t\tText: tokenText,\n\t}\n}\n\n// scanNumber scans a HCL number definition starting with the given rune\nfunc (s *Scanner) scanNumber(ch rune) token.Type {\n\tzero := ch == '0'\n\tpos := s.srcPos\n\n\ts.scanMantissa(ch)\n\tch = s.next() // seek forward\n\tif ch == 'e' || ch == 'E' {\n\t\tch = s.scanExponent(ch)\n\t\treturn token.FLOAT\n\t}\n\n\tif ch == '.' 
{\n\t\tch = s.scanFraction(ch)\n\t\tif ch == 'e' || ch == 'E' {\n\t\t\tch = s.next()\n\t\t\tch = s.scanExponent(ch)\n\t\t}\n\t\treturn token.FLOAT\n\t}\n\n\tif ch != eof {\n\t\ts.unread()\n\t}\n\n\t// If we have a larger number and this is zero, error\n\tif zero && pos != s.srcPos {\n\t\ts.err(\"numbers cannot start with 0\")\n\t}\n\n\treturn token.NUMBER\n}\n\n// scanMantissa scans the mantissa beginning from the rune. It returns the next\n// non decimal rune. It's used to determine wheter it's a fraction or exponent.\nfunc (s *Scanner) scanMantissa(ch rune) rune {\n\tscanned := false\n\tfor isDecimal(ch) {\n\t\tch = s.next()\n\t\tscanned = true\n\t}\n\n\tif scanned && ch != eof {\n\t\ts.unread()\n\t}\n\treturn ch\n}\n\n// scanFraction scans the fraction after the '.' rune\nfunc (s *Scanner) scanFraction(ch rune) rune {\n\tif ch == '.' {\n\t\tch = s.peek() // we peek just to see if we can move forward\n\t\tch = s.scanMantissa(ch)\n\t}\n\treturn ch\n}\n\n// scanExponent scans the remaining parts of an exponent after the 'e' or 'E'\n// rune.\nfunc (s *Scanner) scanExponent(ch rune) rune {\n\tif ch == 'e' || ch == 'E' {\n\t\tch = s.next()\n\t\tif ch == '-' || ch == '+' {\n\t\t\tch = s.next()\n\t\t}\n\t\tch = s.scanMantissa(ch)\n\t}\n\treturn ch\n}\n\n// scanString scans a quoted string\nfunc (s *Scanner) scanString() {\n\tbraces := 0\n\tfor {\n\t\t// '\"' opening already consumed\n\t\t// read character after quote\n\t\tch := s.next()\n\n\t\tif ch == '\\n' || ch < 0 || ch == eof {\n\t\t\ts.err(\"literal not terminated\")\n\t\t\treturn\n\t\t}\n\n\t\tif ch == '\"' {\n\t\t\tbreak\n\t\t}\n\n\t\t// If we're going into a ${} then we can ignore quotes for awhile\n\t\tif braces == 0 && ch == '$' && s.peek() == '{' {\n\t\t\tbraces++\n\t\t\ts.next()\n\t\t} else if braces > 0 && ch == '{' {\n\t\t\tbraces++\n\t\t}\n\t\tif braces > 0 && ch == '}' {\n\t\t\tbraces--\n\t\t}\n\n\t\tif ch == '\\\\' {\n\t\t\ts.scanEscape()\n\t\t}\n\t}\n\n\treturn\n}\n\n// scanEscape scans an escape 
sequence\nfunc (s *Scanner) scanEscape() rune {\n\t// http://en.cppreference.com/w/cpp/language/escape\n\tch := s.next() // read character after '/'\n\tswitch ch {\n\tcase 'a', 'b', 'f', 'n', 'r', 't', 'v', '\\\\', '\"':\n\t\t// nothing to do\n\tcase '0', '1', '2', '3', '4', '5', '6', '7':\n\t\t// octal notation\n\t\tch = s.scanDigits(ch, 8, 3)\n\tcase 'x':\n\t\t// hexademical notation\n\t\tch = s.scanDigits(s.next(), 16, 2)\n\tcase 'u':\n\t\t// universal character name\n\t\tch = s.scanDigits(s.next(), 16, 4)\n\tcase 'U':\n\t\t// universal character name\n\t\tch = s.scanDigits(s.next(), 16, 8)\n\tdefault:\n\t\ts.err(\"illegal char escape\")\n\t}\n\treturn ch\n}\n\n// scanDigits scans a rune with the given base for n times. For example an\n// octal notation \\184 would yield in scanDigits(ch, 8, 3)\nfunc (s *Scanner) scanDigits(ch rune, base, n int) rune {\n\tfor n > 0 && digitVal(ch) < base {\n\t\tch = s.next()\n\t\tn--\n\t}\n\tif n > 0 {\n\t\ts.err(\"illegal char escape\")\n\t}\n\n\t// we scanned all digits, put the last non digit char back\n\ts.unread()\n\treturn ch\n}\n\n// scanIdentifier scans an identifier and returns the literal string\nfunc (s *Scanner) scanIdentifier() string {\n\toffs := s.srcPos.Offset - s.lastCharLen\n\tch := s.next()\n\tfor isLetter(ch) || isDigit(ch) || ch == '-' {\n\t\tch = s.next()\n\t}\n\n\tif ch != eof {\n\t\ts.unread() // we got identifier, put back latest char\n\t}\n\n\treturn string(s.src[offs:s.srcPos.Offset])\n}\n\n// recentPosition returns the position of the character immediately after the\n// character or token returned by the last call to Scan.\nfunc (s *Scanner) recentPosition() (pos token.Pos) {\n\tpos.Offset = s.srcPos.Offset - s.lastCharLen\n\tswitch {\n\tcase s.srcPos.Column > 0:\n\t\t// common case: last character was not a '\\n'\n\t\tpos.Line = s.srcPos.Line\n\t\tpos.Column = s.srcPos.Column\n\tcase s.lastLineLen > 0:\n\t\t// last character was a '\\n'\n\t\t// (we cannot be at the beginning of the source\n\t\t// 
since we have called next() at least once)\n\t\tpos.Line = s.srcPos.Line - 1\n\t\tpos.Column = s.lastLineLen\n\tdefault:\n\t\t// at the beginning of the source\n\t\tpos.Line = 1\n\t\tpos.Column = 1\n\t}\n\treturn\n}\n\n// err prints the error of any scanning to s.Error function. If the function is\n// not defined, by default it prints them to os.Stderr\nfunc (s *Scanner) err(msg string) {\n\ts.ErrorCount++\n\tpos := s.recentPosition()\n\n\tif s.Error != nil {\n\t\ts.Error(pos, msg)\n\t\treturn\n\t}\n\n\tfmt.Fprintf(os.Stderr, \"%s: %s\\n\", pos, msg)\n}\n\n// isLetter returns true if the given rune is a letter\nfunc isLetter(ch rune) bool {\n\treturn 'a' <= ch && ch <= 'z' || 'A' <= ch && ch <= 'Z' || ch == '_' || ch >= 0x80 && unicode.IsLetter(ch)\n}\n\n// isDigit returns true if the given rune is a decimal digit\nfunc isDigit(ch rune) bool {\n\treturn '0' <= ch && ch <= '9' || ch >= 0x80 && unicode.IsDigit(ch)\n}\n\n// isDecimal returns true if the given rune is a decimal number\nfunc isDecimal(ch rune) bool {\n\treturn '0' <= ch && ch <= '9'\n}\n\n// isHexadecimal returns true if the given rune is a hexadecimal number\nfunc isHexadecimal(ch rune) bool {\n\treturn '0' <= ch && ch <= '9' || 'a' <= ch && ch <= 'f' || 'A' <= ch && ch <= 'F'\n}\n\n// isWhitespace returns true if the rune is a space, tab, newline or carriage return\nfunc isWhitespace(ch rune) bool {\n\treturn ch == ' ' || ch == '\\t' || ch == '\\n' || ch == '\\r'\n}\n\n// digitVal returns the integer value of a given octal, decimal or hexadecimal rune\nfunc digitVal(ch rune) int {\n\tswitch {\n\tcase '0' <= ch && ch <= '9':\n\t\treturn int(ch - '0')\n\tcase 'a' <= ch && ch <= 'f':\n\t\treturn int(ch - 'a' + 10)\n\tcase 'A' <= ch && ch <= 'F':\n\t\treturn int(ch - 'A' + 10)\n\t}\n\treturn 16 // larger than any legal digit val\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/token/position.go",
    "content": "package token\n\nimport \"fmt\"\n\n// Pos describes an arbitrary source position\n// including the file, line, and column location.\n// A Position is valid if the line number is > 0.\ntype Pos struct {\n\tFilename string // filename, if any\n\tOffset   int    // offset, starting at 0\n\tLine     int    // line number, starting at 1\n\tColumn   int    // column number, starting at 1 (character count)\n}\n\n// IsValid returns true if the position is valid.\nfunc (p *Pos) IsValid() bool { return p.Line > 0 }\n\n// String returns a string in one of several forms:\n//\n//\tfile:line:column    valid position with file name\n//\tline:column         valid position without file name\n//\tfile                invalid position with file name\n//\t-                   invalid position without file name\nfunc (p Pos) String() string {\n\ts := p.Filename\n\tif p.IsValid() {\n\t\tif s != \"\" {\n\t\t\ts += \":\"\n\t\t}\n\t\ts += fmt.Sprintf(\"%d:%d\", p.Line, p.Column)\n\t}\n\tif s == \"\" {\n\t\ts = \"-\"\n\t}\n\treturn s\n}\n\n// Before reports whether the position p is before u.\nfunc (p Pos) Before(u Pos) bool {\n\treturn u.Offset > p.Offset || u.Line > p.Line\n}\n\n// After reports whether the position p is after u.\nfunc (p Pos) After(u Pos) bool {\n\treturn u.Offset < p.Offset || u.Line < p.Line\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/token/token.go",
    "content": "package token\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\n\thcltoken \"github.com/hashicorp/hcl/hcl/token\"\n)\n\n// Token defines a single HCL token which can be obtained via the Scanner\ntype Token struct {\n\tType Type\n\tPos  Pos\n\tText string\n}\n\n// Type is the set of lexical tokens of the HCL (HashiCorp Configuration Language)\ntype Type int\n\nconst (\n\t// Special tokens\n\tILLEGAL Type = iota\n\tEOF\n\n\tidentifier_beg\n\tliteral_beg\n\tNUMBER // 12345\n\tFLOAT  // 123.45\n\tBOOL   // true,false\n\tSTRING // \"abc\"\n\tNULL   // null\n\tliteral_end\n\tidentifier_end\n\n\toperator_beg\n\tLBRACK // [\n\tLBRACE // {\n\tCOMMA  // ,\n\tPERIOD // .\n\tCOLON  // :\n\n\tRBRACK // ]\n\tRBRACE // }\n\n\toperator_end\n)\n\nvar tokens = [...]string{\n\tILLEGAL: \"ILLEGAL\",\n\n\tEOF: \"EOF\",\n\n\tNUMBER: \"NUMBER\",\n\tFLOAT:  \"FLOAT\",\n\tBOOL:   \"BOOL\",\n\tSTRING: \"STRING\",\n\tNULL:   \"NULL\",\n\n\tLBRACK: \"LBRACK\",\n\tLBRACE: \"LBRACE\",\n\tCOMMA:  \"COMMA\",\n\tPERIOD: \"PERIOD\",\n\tCOLON:  \"COLON\",\n\n\tRBRACK: \"RBRACK\",\n\tRBRACE: \"RBRACE\",\n}\n\n// String returns the string corresponding to the token tok.\nfunc (t Type) String() string {\n\ts := \"\"\n\tif 0 <= t && t < Type(len(tokens)) {\n\t\ts = tokens[t]\n\t}\n\tif s == \"\" {\n\t\ts = \"token(\" + strconv.Itoa(int(t)) + \")\"\n\t}\n\treturn s\n}\n\n// IsIdentifier returns true for tokens corresponding to identifiers and basic\n// type literals; it returns false otherwise.\nfunc (t Type) IsIdentifier() bool { return identifier_beg < t && t < identifier_end }\n\n// IsLiteral returns true for tokens corresponding to basic type literals; it\n// returns false otherwise.\nfunc (t Type) IsLiteral() bool { return literal_beg < t && t < literal_end }\n\n// IsOperator returns true for tokens corresponding to operators and\n// delimiters; it returns false otherwise.\nfunc (t Type) IsOperator() bool { return operator_beg < t && t < operator_end }\n\n// String returns the token's literal 
text. Note that this is only\n// applicable for certain token types, such as token.IDENT,\n// token.STRING, etc..\nfunc (t Token) String() string {\n\treturn fmt.Sprintf(\"%s %s %s\", t.Pos.String(), t.Type.String(), t.Text)\n}\n\n// HCLToken converts this token to an HCL token.\n//\n// The token type must be a literal type or this will panic.\nfunc (t Token) HCLToken() hcltoken.Token {\n\tswitch t.Type {\n\tcase BOOL:\n\t\treturn hcltoken.Token{Type: hcltoken.BOOL, Text: t.Text}\n\tcase FLOAT:\n\t\treturn hcltoken.Token{Type: hcltoken.FLOAT, Text: t.Text}\n\tcase NULL:\n\t\treturn hcltoken.Token{Type: hcltoken.STRING, Text: \"\"}\n\tcase NUMBER:\n\t\treturn hcltoken.Token{Type: hcltoken.NUMBER, Text: t.Text}\n\tcase STRING:\n\t\treturn hcltoken.Token{Type: hcltoken.STRING, Text: t.Text, JSON: true}\n\tdefault:\n\t\tpanic(fmt.Sprintf(\"unimplemented HCLToken for type: %s\", t.Type))\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/lex.go",
    "content": "package hcl\n\nimport (\n\t\"unicode\"\n\t\"unicode/utf8\"\n)\n\ntype lexModeValue byte\n\nconst (\n\tlexModeUnknown lexModeValue = iota\n\tlexModeHcl\n\tlexModeJson\n)\n\n// lexMode returns whether we're going to be parsing in JSON\n// mode or HCL mode.\nfunc lexMode(v []byte) lexModeValue {\n\tvar (\n\t\tr      rune\n\t\tw      int\n\t\toffset int\n\t)\n\n\tfor {\n\t\tr, w = utf8.DecodeRune(v[offset:])\n\t\toffset += w\n\t\tif unicode.IsSpace(r) {\n\t\t\tcontinue\n\t\t}\n\t\tif r == '{' {\n\t\t\treturn lexModeJson\n\t\t}\n\t\tbreak\n\t}\n\n\treturn lexModeHcl\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/parse.go",
    "content": "package hcl\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/hashicorp/hcl/hcl/ast\"\n\thclParser \"github.com/hashicorp/hcl/hcl/parser\"\n\tjsonParser \"github.com/hashicorp/hcl/json/parser\"\n)\n\n// ParseBytes accepts as input byte slice and returns ast tree.\n//\n// Input can be either JSON or HCL\nfunc ParseBytes(in []byte) (*ast.File, error) {\n\treturn parse(in, true)\n}\n\n// ParseString accepts input as a string and returns ast tree.\nfunc ParseString(input string) (*ast.File, error) {\n\treturn parse([]byte(input), true)\n}\n\nfunc parse(in []byte, errorOnDuplicateKeys bool) (*ast.File, error) {\n\tswitch lexMode(in) {\n\tcase lexModeHcl:\n\t\tif !errorOnDuplicateKeys {\n\t\t\treturn hclParser.ParseDontErrorOnDuplicateKeys(in)\n\t\t}\n\t\treturn hclParser.Parse(in)\n\tcase lexModeJson:\n\t\treturn jsonParser.Parse(in)\n\t}\n\n\treturn nil, fmt.Errorf(\"unknown config format\")\n}\n\n// Parse parses the given input and returns the root object.\n//\n// The input format can be either HCL or JSON.\nfunc Parse(input string) (*ast.File, error) {\n\treturn parse([]byte(input), true)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/.copywrite.hcl",
    "content": "schema_version = 1\n\nproject {\n  license        = \"MPL-2.0\"\n  copyright_year = 2024\n\n  header_ignore = []\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/LICENSE",
    "content": "Copyright (c) 2015 HashiCorp, Inc.\n\nMozilla Public License, version 2.0\n\n1. Definitions\n\n1.1. \"Contributor\"\n\n     means each individual or legal entity that creates, contributes to the\n     creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n\n     means the combination of the Contributions of others (if any) used by a\n     Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n\n     means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n\n     means Source Code Form to which the initial Contributor has attached the\n     notice in Exhibit A, the Executable Form of such Source Code Form, and\n     Modifications of such Source Code Form, in each case including portions\n     thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n     means\n\n     a. that the initial Contributor has attached the notice described in\n        Exhibit B to the Covered Software; or\n\n     b. that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the terms of\n        a Secondary License.\n\n1.6. \"Executable Form\"\n\n     means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n\n     means a work that combines Covered Software with other material, in a\n     separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n\n     means this document.\n\n1.9. \"Licensable\"\n\n     means having the right to grant, to the maximum extent possible, whether\n     at the time of the initial grant or subsequently, any and all of the\n     rights conveyed by this License.\n\n1.10. \"Modifications\"\n\n     means any of the following:\n\n     a. any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered Software; or\n\n     b. any new file in Source Code Form that contains any Covered Software.\n\n1.11. 
\"Patent Claims\" of a Contributor\n\n      means any patent claim(s), including without limitation, method,\n      process, and apparatus claims, in any patent Licensable by such\n      Contributor that would be infringed, but for the grant of the License,\n      by the making, using, selling, offering for sale, having made, import,\n      or transfer of either its Contributions or its Contributor Version.\n\n1.12. \"Secondary License\"\n\n      means either the GNU General Public License, Version 2.0, the GNU Lesser\n      General Public License, Version 2.1, the GNU Affero General Public\n      License, Version 3.0, or any later versions of those licenses.\n\n1.13. \"Source Code Form\"\n\n      means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n\n      means an individual or a legal entity exercising rights under this\n      License. For legal entities, \"You\" includes any entity that controls, is\n      controlled by, or is under common control with You. For purposes of this\n      definition, \"control\" means (a) the power, direct or indirect, to cause\n      the direction or management of such entity, whether by contract or\n      otherwise, or (b) ownership of more than fifty percent (50%) of the\n      outstanding shares or beneficial ownership of such entity.\n\n\n2. License Grants and Conditions\n\n2.1. Grants\n\n     Each Contributor hereby grants You a world-wide, royalty-free,\n     non-exclusive license:\n\n     a. under intellectual property rights (other than patent or trademark)\n        Licensable by such Contributor to use, reproduce, make available,\n        modify, display, perform, distribute, and otherwise exploit its\n        Contributions, either on an unmodified basis, with Modifications, or\n        as part of a Larger Work; and\n\n     b. 
under Patent Claims of such Contributor to make, use, sell, offer for\n        sale, have made, import, and otherwise transfer either its\n        Contributions or its Contributor Version.\n\n2.2. Effective Date\n\n     The licenses granted in Section 2.1 with respect to any Contribution\n     become effective for each Contribution on the date the Contributor first\n     distributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\n     The licenses granted in this Section 2 are the only rights granted under\n     this License. No additional rights or licenses will be implied from the\n     distribution or licensing of Covered Software under this License.\n     Notwithstanding Section 2.1(b) above, no patent license is granted by a\n     Contributor:\n\n     a. for any code that a Contributor has removed from Covered Software; or\n\n     b. for infringements caused by: (i) Your and any other third party's\n        modifications of Covered Software, or (ii) the combination of its\n        Contributions with other software (except as part of its Contributor\n        Version); or\n\n     c. under Patent Claims infringed by Covered Software in the absence of\n        its Contributions.\n\n     This License does not grant any rights in the trademarks, service marks,\n     or logos of any Contributor (except as may be necessary to comply with\n     the notice requirements in Section 3.4).\n\n2.4. Subsequent Licenses\n\n     No Contributor makes additional grants as a result of Your choice to\n     distribute the Covered Software under a subsequent version of this\n     License (see Section 10.2) or under the terms of a Secondary License (if\n     permitted under the terms of Section 3.3).\n\n2.5. Representation\n\n     Each Contributor represents that the Contributor believes its\n     Contributions are its original creation(s) or it has sufficient rights to\n     grant the rights to its Contributions conveyed by this License.\n\n2.6. 
Fair Use\n\n     This License is not intended to limit any rights You have under\n     applicable copyright doctrines of fair use, fair dealing, or other\n     equivalents.\n\n2.7. Conditions\n\n     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in\n     Section 2.1.\n\n\n3. Responsibilities\n\n3.1. Distribution of Source Form\n\n     All distribution of Covered Software in Source Code Form, including any\n     Modifications that You create or to which You contribute, must be under\n     the terms of this License. You must inform recipients that the Source\n     Code Form of the Covered Software is governed by the terms of this\n     License, and how they can obtain a copy of this License. You may not\n     attempt to alter or restrict the recipients' rights in the Source Code\n     Form.\n\n3.2. Distribution of Executable Form\n\n     If You distribute Covered Software in Executable Form then:\n\n     a. such Covered Software must also be made available in Source Code Form,\n        as described in Section 3.1, and You must inform recipients of the\n        Executable Form how they can obtain a copy of such Source Code Form by\n        reasonable means in a timely manner, at a charge no more than the cost\n        of distribution to the recipient; and\n\n     b. You may distribute such Executable Form under the terms of this\n        License, or sublicense it under different terms, provided that the\n        license for the Executable Form does not attempt to limit or alter the\n        recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\n     You may create and distribute a Larger Work under terms of Your choice,\n     provided that You also comply with the requirements of this License for\n     the Covered Software. 
If the Larger Work is a combination of Covered\n     Software with a work governed by one or more Secondary Licenses, and the\n     Covered Software is not Incompatible With Secondary Licenses, this\n     License permits You to additionally distribute such Covered Software\n     under the terms of such Secondary License(s), so that the recipient of\n     the Larger Work may, at their option, further distribute the Covered\n     Software under the terms of either this License or such Secondary\n     License(s).\n\n3.4. Notices\n\n     You may not remove or alter the substance of any license notices\n     (including copyright notices, patent notices, disclaimers of warranty, or\n     limitations of liability) contained within the Source Code Form of the\n     Covered Software, except that You may alter any license notices to the\n     extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\n     You may choose to offer, and to charge a fee for, warranty, support,\n     indemnity or liability obligations to one or more recipients of Covered\n     Software. However, You may do so only on Your own behalf, and not on\n     behalf of any Contributor. You must make it absolutely clear that any\n     such warranty, support, indemnity, or liability obligation is offered by\n     You alone, and You hereby agree to indemnify every Contributor for any\n     liability incurred by such Contributor as a result of warranty, support,\n     indemnity or liability terms You offer. You may include additional\n     disclaimers of warranty and limitations of liability specific to any\n     jurisdiction.\n\n4. 
Inability to Comply Due to Statute or Regulation\n\n   If it is impossible for You to comply with any of the terms of this License\n   with respect to some or all of the Covered Software due to statute,\n   judicial order, or regulation then You must: (a) comply with the terms of\n   this License to the maximum extent possible; and (b) describe the\n   limitations and the code they affect. Such description must be placed in a\n   text file included with all distributions of the Covered Software under\n   this License. Except to the extent prohibited by statute or regulation,\n   such description must be sufficiently detailed for a recipient of ordinary\n   skill to be able to understand it.\n\n5. Termination\n\n5.1. The rights granted under this License will terminate automatically if You\n     fail to comply with any of its terms. However, if You become compliant,\n     then the rights granted under this License from a particular Contributor\n     are reinstated (a) provisionally, unless and until such Contributor\n     explicitly and finally terminates Your grants, and (b) on an ongoing\n     basis, if such Contributor fails to notify You of the non-compliance by\n     some reasonable means prior to 60 days after You have come back into\n     compliance. Moreover, Your grants from a particular Contributor are\n     reinstated on an ongoing basis if such Contributor notifies You of the\n     non-compliance by some reasonable means, this is the first time You have\n     received notice of non-compliance with this License from such\n     Contributor, and You become compliant prior to 30 days after Your receipt\n     of the notice.\n\n5.2. 
If You initiate litigation against any entity by asserting a patent\n     infringement claim (excluding declaratory judgment actions,\n     counter-claims, and cross-claims) alleging that a Contributor Version\n     directly or indirectly infringes any patent, then the rights granted to\n     You by any and all Contributors for the Covered Software under Section\n     2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user\n     license agreements (excluding distributors and resellers) which have been\n     validly granted by You or Your distributors under this License prior to\n     termination shall survive termination.\n\n6. Disclaimer of Warranty\n\n   Covered Software is provided under this License on an \"as is\" basis,\n   without warranty of any kind, either expressed, implied, or statutory,\n   including, without limitation, warranties that the Covered Software is free\n   of defects, merchantable, fit for a particular purpose or non-infringing.\n   The entire risk as to the quality and performance of the Covered Software\n   is with You. Should any Covered Software prove defective in any respect,\n   You (not any Contributor) assume the cost of any necessary servicing,\n   repair, or correction. This disclaimer of warranty constitutes an essential\n   part of this License. No use of  any Covered Software is authorized under\n   this License except under this disclaimer.\n\n7. 
Limitation of Liability\n\n   Under no circumstances and under no legal theory, whether tort (including\n   negligence), contract, or otherwise, shall any Contributor, or anyone who\n   distributes Covered Software as permitted above, be liable to You for any\n   direct, indirect, special, incidental, or consequential damages of any\n   character including, without limitation, damages for lost profits, loss of\n   goodwill, work stoppage, computer failure or malfunction, or any and all\n   other commercial damages or losses, even if such party shall have been\n   informed of the possibility of such damages. This limitation of liability\n   shall not apply to liability for death or personal injury resulting from\n   such party's negligence to the extent applicable law prohibits such\n   limitation. Some jurisdictions do not allow the exclusion or limitation of\n   incidental or consequential damages, so this exclusion and limitation may\n   not apply to You.\n\n8. Litigation\n\n   Any litigation relating to this License may be brought only in the courts\n   of a jurisdiction where the defendant maintains its principal place of\n   business and such litigation shall be governed by laws of that\n   jurisdiction, without reference to its conflict-of-law provisions. Nothing\n   in this Section shall prevent a party's ability to bring cross-claims or\n   counter-claims.\n\n9. Miscellaneous\n\n   This License represents the complete agreement concerning the subject\n   matter hereof. If any provision of this License is held to be\n   unenforceable, such provision shall be reformed only to the extent\n   necessary to make it enforceable. Any law or regulation which provides that\n   the language of a contract shall be construed against the drafter shall not\n   be used to construe this License against a Contributor.\n\n\n10. Versions of the License\n\n10.1. New Versions\n\n      Mozilla Foundation is the license steward. 
Except as provided in Section\n      10.3, no one other than the license steward has the right to modify or\n      publish new versions of this License. Each version will be given a\n      distinguishing version number.\n\n10.2. Effect of New Versions\n\n      You may distribute the Covered Software under the terms of the version\n      of the License under which You originally received the Covered Software,\n      or under the terms of any subsequent version published by the license\n      steward.\n\n10.3. Modified Versions\n\n      If you create software not governed by this License, and you want to\n      create a new license for such software, you may create and use a\n      modified version of this License if you rename the license and remove\n      any references to the name of the license steward (except to note that\n      such modified license differs from this License).\n\n10.4. Distributing Source Code Form that is Incompatible With Secondary\n      Licenses If You choose to distribute Source Code Form that is\n      Incompatible With Secondary Licenses under the terms of this version of\n      the License, the notice described in Exhibit B of this License must be\n      attached.\n\nExhibit A - Source Code Form License Notice\n\n      This Source Code Form is subject to the\n      terms of the Mozilla Public License, v.\n      2.0. If a copy of the MPL was not\n      distributed with this file, You can\n      obtain one at\n      http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular file,\nthen You may include the notice in a location (such as a LICENSE file in a\nrelevant directory) where a recipient would be likely to look for such a\nnotice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n\n      This Source Code Form is \"Incompatible\n      With Secondary Licenses\", as defined by\n      the Mozilla Public License, v. 
2.0.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/README.md",
    "content": "Vault API\n=================\n\nThis provides the `github.com/hashicorp/vault/api` package which contains code useful for interacting with a Vault server.\n\nFor examples of how to use this module, see the [vault-examples](https://github.com/hashicorp/vault-examples) repo.\nFor a step-by-step walkthrough on using these client libraries, see the [developer quickstart](https://developer.hashicorp.com/vault/docs/get-started/developer-qs).\n\n[![GoDoc](https://godoc.org/github.com/hashicorp/vault/api?status.png)](https://godoc.org/github.com/hashicorp/vault/api)"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/auth.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"fmt\"\n)\n\n// Auth is used to perform credential backend related operations.\ntype Auth struct {\n\tc *Client\n}\n\ntype AuthMethod interface {\n\tLogin(ctx context.Context, client *Client) (*Secret, error)\n}\n\n// Auth is used to return the client for credential-backend API calls.\nfunc (c *Client) Auth() *Auth {\n\treturn &Auth{c: c}\n}\n\n// Login sets up the required request body for login requests to the given auth\n// method's /login API endpoint, and then performs a write to it. After a\n// successful login, this method will automatically set the client's token to\n// the login response's ClientToken as well.\n//\n// The Secret returned is the authentication secret, which if desired can be\n// passed as input to the NewLifetimeWatcher method in order to start\n// automatically renewing the token.\nfunc (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Secret, error) {\n\tif authMethod == nil {\n\t\treturn nil, fmt.Errorf(\"no auth method provided for login\")\n\t}\n\treturn a.login(ctx, authMethod)\n}\n\n// MFALogin is a wrapper that helps satisfy Vault's MFA implementation.\n// If optional credentials are provided a single-phase login will be attempted\n// and the resulting Secret will contain a ClientToken if the authentication is successful.\n// The client's token will also be set accordingly.\n//\n// If no credentials are provided a two-phase MFA login will be assumed and the resulting\n// Secret will have a MFARequirement containing the MFARequestID to be used in a follow-up\n// call to `sys/mfa/validate` or by passing it to the method (*Auth).MFAValidate.\nfunc (a *Auth) MFALogin(ctx context.Context, authMethod AuthMethod, creds ...string) (*Secret, error) {\n\tif len(creds) > 0 {\n\t\ta.c.SetMFACreds(creds)\n\t\treturn a.login(ctx, authMethod)\n\t}\n\n\treturn a.twoPhaseMFALogin(ctx, authMethod)\n}\n\n// 
MFAValidate validates an MFA request using the appropriate payload and a secret containing\n// Auth.MFARequirement, like the one returned by MFALogin when credentials are not provided.\n// Upon successful validation the client token will be set accordingly.\n//\n// The Secret returned is the authentication secret, which if desired can be\n// passed as input to the NewLifetimeWatcher method in order to start\n// automatically renewing the token.\nfunc (a *Auth) MFAValidate(ctx context.Context, mfaSecret *Secret, payload map[string]interface{}) (*Secret, error) {\n\tif mfaSecret == nil || mfaSecret.Auth == nil || mfaSecret.Auth.MFARequirement == nil {\n\t\treturn nil, fmt.Errorf(\"secret does not contain MFARequirements\")\n\t}\n\n\ts, err := a.c.Sys().MFAValidateWithContext(ctx, mfaSecret.Auth.MFARequirement.MFARequestID, payload)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn a.checkAndSetToken(s)\n}\n\n// login performs the (*AuthMethod).Login() with the configured client and checks that a ClientToken is returned\nfunc (a *Auth) login(ctx context.Context, authMethod AuthMethod) (*Secret, error) {\n\ts, err := authMethod.Login(ctx, a.c)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to log in to auth method: %w\", err)\n\t}\n\n\treturn a.checkAndSetToken(s)\n}\n\n// twoPhaseMFALogin performs the (*AuthMethod).Login() with the configured client\n// and checks that an MFARequirement is returned\nfunc (a *Auth) twoPhaseMFALogin(ctx context.Context, authMethod AuthMethod) (*Secret, error) {\n\ts, err := authMethod.Login(ctx, a.c)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to log in: %w\", err)\n\t}\n\tif s == nil || s.Auth == nil || s.Auth.MFARequirement == nil {\n\t\tif s != nil {\n\t\t\ts.Warnings = append(s.Warnings, \"expected secret to contain MFARequirements\")\n\t\t}\n\t\treturn s, fmt.Errorf(\"assumed two-phase MFA login, returned secret is missing MFARequirements\")\n\t}\n\n\treturn s, nil\n}\n\nfunc (a *Auth) checkAndSetToken(s 
*Secret) (*Secret, error) {\n\tif s == nil || s.Auth == nil || s.Auth.ClientToken == \"\" {\n\t\tif s != nil {\n\t\t\ts.Warnings = append(s.Warnings, \"expected secret to contain ClientToken\")\n\t\t}\n\t\treturn s, fmt.Errorf(\"response did not return ClientToken, client token not set\")\n\t}\n\n\ta.c.SetToken(s.Auth.ClientToken)\n\n\treturn s, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/auth_token.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"net/http\"\n)\n\n// TokenAuth is used to perform token backend operations on Vault\ntype TokenAuth struct {\n\tc *Client\n}\n\n// Token is used to return the client for token-backend API calls\nfunc (a *Auth) Token() *TokenAuth {\n\treturn &TokenAuth{c: a.c}\n}\n\nfunc (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error) {\n\treturn c.CreateWithContext(context.Background(), opts)\n}\n\nfunc (c *TokenAuth) CreateWithContext(ctx context.Context, opts *TokenCreateRequest) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/auth/token/create\")\n\tif err := r.SetJSONBody(opts); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error) {\n\treturn c.CreateOrphanWithContext(context.Background(), opts)\n}\n\nfunc (c *TokenAuth) CreateOrphanWithContext(ctx context.Context, opts *TokenCreateRequest) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/auth/token/create-orphan\")\n\tif err := r.SetJSONBody(opts); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error) {\n\treturn c.CreateWithRoleWithContext(context.Background(), opts, roleName)\n}\n\nfunc (c *TokenAuth) CreateWithRoleWithContext(ctx context.Context, opts *TokenCreateRequest, roleName string) (*Secret, error) {\n\tctx, cancelFunc := 
c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/auth/token/create/\"+roleName)\n\tif err := r.SetJSONBody(opts); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *TokenAuth) Lookup(token string) (*Secret, error) {\n\treturn c.LookupWithContext(context.Background(), token)\n}\n\nfunc (c *TokenAuth) LookupWithContext(ctx context.Context, token string) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/auth/token/lookup\")\n\tif err := r.SetJSONBody(map[string]interface{}{\n\t\t\"token\": token,\n\t}); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error) {\n\treturn c.LookupAccessorWithContext(context.Background(), accessor)\n}\n\nfunc (c *TokenAuth) LookupAccessorWithContext(ctx context.Context, accessor string) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/auth/token/lookup-accessor\")\n\tif err := r.SetJSONBody(map[string]interface{}{\n\t\t\"accessor\": accessor,\n\t}); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *TokenAuth) LookupSelf() (*Secret, error) {\n\treturn c.LookupSelfWithContext(context.Background())\n}\n\nfunc (c *TokenAuth) LookupSelfWithContext(ctx context.Context) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := 
c.c.NewRequest(http.MethodGet, \"/v1/auth/token/lookup-self\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *TokenAuth) RenewAccessor(accessor string, increment int) (*Secret, error) {\n\treturn c.RenewAccessorWithContext(context.Background(), accessor, increment)\n}\n\nfunc (c *TokenAuth) RenewAccessorWithContext(ctx context.Context, accessor string, increment int) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/auth/token/renew-accessor\")\n\tif err := r.SetJSONBody(map[string]interface{}{\n\t\t\"accessor\":  accessor,\n\t\t\"increment\": increment,\n\t}); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *TokenAuth) Renew(token string, increment int) (*Secret, error) {\n\treturn c.RenewWithContext(context.Background(), token, increment)\n}\n\nfunc (c *TokenAuth) RenewWithContext(ctx context.Context, token string, increment int) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/auth/token/renew\")\n\tif err := r.SetJSONBody(map[string]interface{}{\n\t\t\"token\":     token,\n\t\t\"increment\": increment,\n\t}); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {\n\treturn c.RenewSelfWithContext(context.Background(), increment)\n}\n\nfunc (c *TokenAuth) RenewSelfWithContext(ctx context.Context, increment int) (*Secret, error) {\n\tctx, cancelFunc := 
c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/auth/token/renew-self\")\n\n\tbody := map[string]interface{}{\"increment\": increment}\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\n// RenewTokenAsSelf wraps RenewTokenAsSelfWithContext using context.Background.\nfunc (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error) {\n\treturn c.RenewTokenAsSelfWithContext(context.Background(), token, increment)\n}\n\n// RenewTokenAsSelfWithContext behaves like renew-self, but authenticates using a provided\n// token instead of the token attached to the client.\nfunc (c *TokenAuth) RenewTokenAsSelfWithContext(ctx context.Context, token string, increment int) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/auth/token/renew-self\")\n\tr.ClientToken = token\n\n\tbody := map[string]interface{}{\"increment\": increment}\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\n// RevokeAccessor wraps RevokeAccessorWithContext using context.Background.\nfunc (c *TokenAuth) RevokeAccessor(accessor string) error {\n\treturn c.RevokeAccessorWithContext(context.Background(), accessor)\n}\n\n// RevokeAccessorWithContext revokes a token associated with the given accessor\n// along with all the child tokens.\nfunc (c *TokenAuth) RevokeAccessorWithContext(ctx context.Context, accessor string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/auth/token/revoke-accessor\")\n\tif err 
:= r.SetJSONBody(map[string]interface{}{\n\t\t\"accessor\": accessor,\n\t}); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\n// RevokeOrphan wraps RevokeOrphanWithContext using context.Background.\nfunc (c *TokenAuth) RevokeOrphan(token string) error {\n\treturn c.RevokeOrphanWithContext(context.Background(), token)\n}\n\n// RevokeOrphanWithContext revokes a token without revoking the tree underneath it (so\n// child tokens are orphaned rather than revoked)\nfunc (c *TokenAuth) RevokeOrphanWithContext(ctx context.Context, token string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/auth/token/revoke-orphan\")\n\tif err := r.SetJSONBody(map[string]interface{}{\n\t\t\"token\": token,\n\t}); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\n// RevokeSelf wraps RevokeSelfWithContext using context.Background.\nfunc (c *TokenAuth) RevokeSelf(token string) error {\n\treturn c.RevokeSelfWithContext(context.Background(), token)\n}\n\n// RevokeSelfWithContext revokes the token making the call. 
The `token` parameter is kept\n// for backwards compatibility but is ignored; only the client's set token has\n// an effect.\nfunc (c *TokenAuth) RevokeSelfWithContext(ctx context.Context, token string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/auth/token/revoke-self\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\n// RevokeTree wraps RevokeTreeWithContext using context.Background.\nfunc (c *TokenAuth) RevokeTree(token string) error {\n\treturn c.RevokeTreeWithContext(context.Background(), token)\n}\n\n// RevokeTreeWithContext is the \"normal\" revoke operation that revokes the given token and\n// the entire tree underneath -- all of its child tokens, their child tokens,\n// etc.\nfunc (c *TokenAuth) RevokeTreeWithContext(ctx context.Context, token string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/auth/token/revoke\")\n\tif err := r.SetJSONBody(map[string]interface{}{\n\t\t\"token\": token,\n\t}); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\n// TokenCreateRequest is the options structure for creating a token.\ntype TokenCreateRequest struct {\n\tID              string            `json:\"id,omitempty\"`\n\tPolicies        []string          `json:\"policies,omitempty\"`\n\tMetadata        map[string]string `json:\"meta,omitempty\"`\n\tLease           string            `json:\"lease,omitempty\"`\n\tTTL             string            `json:\"ttl,omitempty\"`\n\tExplicitMaxTTL  string            `json:\"explicit_max_ttl,omitempty\"`\n\tPeriod          string            `json:\"period,omitempty\"`\n\tNoParent        bool              
`json:\"no_parent,omitempty\"`\n\tNoDefaultPolicy bool              `json:\"no_default_policy,omitempty\"`\n\tDisplayName     string            `json:\"display_name\"`\n\tNumUses         int               `json:\"num_uses\"`\n\tRenewable       *bool             `json:\"renewable,omitempty\"`\n\tType            string            `json:\"type\"`\n\tEntityAlias     string            `json:\"entity_alias\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/cliconfig/config.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage cliconfig\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/hashicorp/go-multierror\"\n\t\"github.com/hashicorp/hcl\"\n\t\"github.com/hashicorp/hcl/hcl/ast\"\n\t\"github.com/mitchellh/go-homedir\"\n)\n\nconst (\n\t// defaultConfigPath is the default path to the configuration file\n\tdefaultConfigPath = \"~/.vault\"\n\n\t// configPathEnv is the environment variable that can be used to\n\t// override where the Vault configuration is.\n\tconfigPathEnv = \"VAULT_CONFIG_PATH\"\n)\n\n// Config is the CLI configuration for Vault that can be specified via\n// a `$HOME/.vault` file which is HCL-formatted (therefore HCL or JSON).\ntype defaultConfig struct {\n\t// TokenHelper is the executable/command that is executed for storing\n\t// and retrieving the authentication token for the Vault CLI. If this\n\t// is not specified, then vault's internal token store will be used, which\n\t// stores the token on disk unencrypted.\n\tTokenHelper string `hcl:\"token_helper\"`\n}\n\n// loadConfig reads the configuration from the given path. 
If path is\n// empty, then the default path will be used, or the environment variable\n// if set.\nfunc loadConfig(path string) (config *defaultConfig, duplicate bool, err error) {\n\tif path == \"\" {\n\t\tpath = defaultConfigPath\n\t}\n\tif v := os.Getenv(configPathEnv); v != \"\" {\n\t\tpath = v\n\t}\n\n\t// NOTE: requires HOME env var to be set\n\tpath, err = homedir.Expand(path)\n\tif err != nil {\n\t\treturn nil, false, fmt.Errorf(\"error expanding config path %q: %w\", path, err)\n\t}\n\n\tcontents, err := os.ReadFile(path)\n\tif err != nil && !os.IsNotExist(err) {\n\t\treturn nil, false, err\n\t}\n\n\tconf, duplicate, err := parseConfig(string(contents))\n\tif err != nil {\n\t\treturn nil, duplicate, fmt.Errorf(\"error parsing config file at %q: %w; ensure that the file is valid; Ansible Vault is known to conflict with it\", path, err)\n\t}\n\n\treturn conf, duplicate, nil\n}\n\n// parseConfig parses the given configuration as a string.\nfunc parseConfig(contents string) (config *defaultConfig, duplicate bool, err error) {\n\t// TODO (HCL_DUP_KEYS_DEPRECATION): on removal stage change this to a simple hcl.Parse, effectively treating\n\t// duplicate keys as an error. 
Also get rid of all of these \"duplicate\" named return values\n\troot, duplicate, err := parseAndCheckForDuplicateHclAttributes(contents)\n\tif err != nil {\n\t\treturn nil, duplicate, err\n\t}\n\n\t// Top-level item should be the object list\n\tlist, ok := root.Node.(*ast.ObjectList)\n\tif !ok {\n\t\treturn nil, duplicate, fmt.Errorf(\"failed to parse config; does not contain a root object\")\n\t}\n\n\tvalid := map[string]struct{}{\n\t\t\"token_helper\": {},\n\t}\n\n\tvar validationErrors error\n\tfor _, item := range list.Items {\n\t\tkey := item.Keys[0].Token.Value().(string)\n\t\tif _, ok := valid[key]; !ok {\n\t\t\tvalidationErrors = multierror.Append(validationErrors, fmt.Errorf(\"invalid key %q on line %d\", key, item.Assign.Line))\n\t\t}\n\t}\n\n\tif validationErrors != nil {\n\t\treturn nil, duplicate, validationErrors\n\t}\n\n\tvar c defaultConfig\n\tif err := hcl.DecodeObject(&c, list); err != nil {\n\t\treturn nil, duplicate, err\n\t}\n\treturn &c, duplicate, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/cliconfig/hcl_dup_attr_deprecation.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage cliconfig\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/hashicorp/hcl\"\n\t\"github.com/hashicorp/hcl/hcl/ast\"\n\thclParser \"github.com/hashicorp/hcl/hcl/parser\"\n)\n\n// allowHclDuplicatesEnvVar is an environment variable that allows Vault to revert back to accepting HCL files with\n// duplicate attributes. It's temporary until we finish the deprecation process, at which point this will be removed\nconst allowHclDuplicatesEnvVar = \"VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_ATTRIBUTES\"\n\n// parseAndCheckForDuplicateHclAttributes parses the input JSON/HCL file and if it is HCL it also checks\n// for duplicate keys in the HCL file, allowing callers to handle the issue accordingly. It now only accepts duplicate\n// keys if the environment variable VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_ATTRIBUTES is set to true. In a future\n// release we'll remove this function entirely and there will be no way to parse HCL files with duplicate keys.\n// TODO (HCL_DUP_KEYS_DEPRECATION): remove once not used anymore\nfunc parseAndCheckForDuplicateHclAttributes(input string) (res *ast.File, duplicate bool, err error) {\n\tres, err = hcl.Parse(input)\n\tif err != nil && strings.Contains(err.Error(), \"Each argument can only be defined once\") {\n\t\tallowHclDuplicatesRaw := os.Getenv(allowHclDuplicatesEnvVar)\n\t\tif allowHclDuplicatesRaw == \"\" {\n\t\t\t// default is to not allow duplicates\n\t\t\treturn nil, false, err\n\t\t}\n\t\tallowHclDuplicates, envParseErr := strconv.ParseBool(allowHclDuplicatesRaw)\n\t\tif envParseErr != nil {\n\t\t\treturn nil, false, fmt.Errorf(\"error parsing %q environment variable: %w\", allowHclDuplicatesEnvVar, err)\n\t\t}\n\t\tif !allowHclDuplicates {\n\t\t\treturn nil, false, err\n\t\t}\n\n\t\t// if allowed by the environment variable, parse again without failing on duplicate attributes\n\t\tduplicate = 
true\n\t\tres, err = hclParser.ParseDontErrorOnDuplicateKeys([]byte(input))\n\t}\n\treturn res, duplicate, err\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/cliconfig/util.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage cliconfig\n\nimport (\n\t\"github.com/hashicorp/vault/api/tokenhelper\"\n)\n\n// DefaultTokenHelper returns the token helper that is configured for Vault.\n// This helper should only be used for non-server CLI commands.\nfunc DefaultTokenHelper() (tokenhelper.TokenHelper, error) {\n\tconfig, _, err := DefaultTokenHelperCheckDuplicates()\n\treturn config, err\n}\n\n// TODO (HCL_DUP_KEYS_DEPRECATION): eventually make this consider duplicates an error. Ideally we should remove it but\n// maybe we can't since it's become part of the API pkg.\nfunc DefaultTokenHelperCheckDuplicates() (helper tokenhelper.TokenHelper, duplicate bool, err error) {\n\tconfig, duplicate, err := loadConfig(\"\")\n\tif err != nil {\n\t\treturn nil, duplicate, err\n\t}\n\n\tpath := config.TokenHelper\n\tif path == \"\" {\n\t\thelper, err = tokenhelper.NewInternalTokenHelper()\n\t\treturn helper, duplicate, err\n\t}\n\n\tpath, err = tokenhelper.ExternalTokenHelperPath(path)\n\tif err != nil {\n\t\treturn nil, duplicate, err\n\t}\n\treturn &tokenhelper.ExternalTokenHelper{BinaryPath: path}, duplicate, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/client.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"crypto/hmac\"\n\t\"crypto/sha256\"\n\t\"crypto/tls\"\n\t\"encoding/base64\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\t\"unicode\"\n\n\t\"github.com/hashicorp/errwrap\"\n\t\"github.com/hashicorp/go-cleanhttp\"\n\t\"github.com/hashicorp/go-retryablehttp\"\n\t\"github.com/hashicorp/go-rootcerts\"\n\t\"github.com/hashicorp/go-secure-stdlib/parseutil\"\n\t\"github.com/hashicorp/go-secure-stdlib/strutil\"\n\t\"golang.org/x/net/http2\"\n\t\"golang.org/x/time/rate\"\n)\n\nconst (\n\tEnvVaultAddress          = \"VAULT_ADDR\"\n\tEnvVaultAgentAddr        = \"VAULT_AGENT_ADDR\"\n\tEnvVaultCACert           = \"VAULT_CACERT\"\n\tEnvVaultCACertBytes      = \"VAULT_CACERT_BYTES\"\n\tEnvVaultCAPath           = \"VAULT_CAPATH\"\n\tEnvVaultClientCert       = \"VAULT_CLIENT_CERT\"\n\tEnvVaultClientKey        = \"VAULT_CLIENT_KEY\"\n\tEnvVaultClientTimeout    = \"VAULT_CLIENT_TIMEOUT\"\n\tEnvVaultHeaders          = \"VAULT_HEADERS\"\n\tEnvVaultSRVLookup        = \"VAULT_SRV_LOOKUP\"\n\tEnvVaultSkipVerify       = \"VAULT_SKIP_VERIFY\"\n\tEnvVaultNamespace        = \"VAULT_NAMESPACE\"\n\tEnvVaultTLSServerName    = \"VAULT_TLS_SERVER_NAME\"\n\tEnvVaultWrapTTL          = \"VAULT_WRAP_TTL\"\n\tEnvVaultMaxRetries       = \"VAULT_MAX_RETRIES\"\n\tEnvVaultToken            = \"VAULT_TOKEN\"\n\tEnvVaultMFA              = \"VAULT_MFA\"\n\tEnvRateLimit             = \"VAULT_RATE_LIMIT\"\n\tEnvHTTPProxy             = \"VAULT_HTTP_PROXY\"\n\tEnvVaultProxyAddr        = \"VAULT_PROXY_ADDR\"\n\tEnvVaultDisableRedirects = \"VAULT_DISABLE_REDIRECTS\"\n\tHeaderIndex              = \"X-Vault-Index\"\n\tHeaderForward            = \"X-Vault-Forward\"\n\tHeaderInconsistent       = \"X-Vault-Inconsistent\"\n\n\t// NamespaceHeaderName is the header set 
to specify which namespace the\n\t// request is intended for.\n\tNamespaceHeaderName = \"X-Vault-Namespace\"\n\n\t// AuthHeaderName is the name of the header containing the token.\n\tAuthHeaderName = \"X-Vault-Token\"\n\n\t// RequestHeaderName is the name of the header used by the Agent for\n\t// SSRF protection.\n\tRequestHeaderName = \"X-Vault-Request\"\n\n\tSnapshotHeaderName          = \"X-Vault-Recover-Snapshot-Id\"\n\tRecoverSourcePathHeaderName = \"X-Vault-Recover-Source-Path\"\n\n\tTLSErrorString = \"This error usually means that the server is running with TLS disabled\\n\" +\n\t\t\"but the client is configured to use TLS. Please either enable TLS\\n\" +\n\t\t\"on the server or run the client with -address set to an address\\n\" +\n\t\t\"that uses the http protocol:\\n\\n\" +\n\t\t\"    vault <command> -address http://<address>\\n\\n\" +\n\t\t\"You can also set the VAULT_ADDR environment variable:\\n\\n\\n\" +\n\t\t\"    VAULT_ADDR=http://<address> vault <command>\\n\\n\" +\n\t\t\"where <address> is replaced by the actual address to the server.\"\n)\n\n// Deprecated values\nconst (\n\tEnvVaultAgentAddress = \"VAULT_AGENT_ADDR\"\n\tEnvVaultInsecure     = \"VAULT_SKIP_VERIFY\"\n\n\tDefaultAddress = \"https://127.0.0.1:8200\"\n)\n\n// WrappingLookupFunc is a function that, given an HTTP verb and a path,\n// returns an optional string duration to be used for response wrapping (e.g.\n// \"15s\", or simply \"15\"). The path will not begin with \"/v1/\" or \"v1/\" or \"/\",\n// however, end-of-path forward slashes are not trimmed, so must match your\n// called path precisely. Response wrapping will only be used when the return\n// value is not the empty string.\ntype WrappingLookupFunc func(operation, path string) string\n\n// Config is used to configure the creation of the client.\ntype Config struct {\n\tmodifyLock sync.RWMutex\n\n\t// Address is the address of the Vault server. This should be a complete\n\t// URL such as \"http://vault.example.com\". 
If you need a custom SSL\n\t// cert or want to enable insecure mode, you need to specify a custom\n\t// HttpClient.\n\tAddress string\n\n\t// AgentAddress is the address of the local Vault agent. This should be a\n\t// complete URL such as \"http://vault.example.com\".\n\tAgentAddress string\n\n\t// HttpClient is the HTTP client to use. Vault sets sane defaults for the\n\t// http.Client and its associated http.Transport created in DefaultConfig.\n\t// If you must modify Vault's defaults, it is suggested that you start with\n\t// that client and modify as needed rather than start with an empty client\n\t// (or http.DefaultClient).\n\tHttpClient *http.Client\n\n\t// MinRetryWait controls the minimum time to wait before retrying when a 5xx\n\t// error occurs. Defaults to 1000 milliseconds.\n\tMinRetryWait time.Duration\n\n\t// MaxRetryWait controls the maximum time to wait before retrying when a 5xx\n\t// error occurs. Defaults to 1500 milliseconds.\n\tMaxRetryWait time.Duration\n\n\t// MaxRetries controls the maximum number of times to retry when a 5xx\n\t// error occurs. Set to 0 to disable retrying. Defaults to 2 (for a total\n\t// of three tries).\n\tMaxRetries int\n\n\t// Timeout, given a non-negative value, will apply the request timeout\n\t// to each request function unless an earlier deadline is passed to the\n\t// request function through context.Context. 
Note that this timeout is\n\t// not applicable to Logical().ReadRaw* (raw response) functions.\n\t// Defaults to 60 seconds.\n\tTimeout time.Duration\n\n\t// If there is an error when creating the configuration, this will be the\n\t// error\n\tError error\n\n\t// The Backoff function to use; a default is used if not provided\n\tBackoff retryablehttp.Backoff\n\n\t// The CheckRetry function to use; a default is used if not provided\n\tCheckRetry retryablehttp.CheckRetry\n\n\t// Logger is the leveled logger to provide to the retryable HTTP client.\n\tLogger retryablehttp.LeveledLogger\n\n\t// Limiter is the rate limiter used by the client.\n\t// If this pointer is nil, then there will be no limit set.\n\t// In contrast, if this pointer is set, even to an empty struct,\n\t// then that limiter will be used. Note that an empty Limiter\n\t// is equivalent to blocking all events.\n\tLimiter *rate.Limiter\n\n\t// OutputCurlString causes the actual request to return an error of type\n\t// *OutputStringError. Type asserting the error message will allow\n\t// fetching a cURL-compatible string for the operation.\n\t//\n\t// Note: It is not thread-safe to set this and make concurrent requests\n\t// with the same client. Cloning a client will not clone this value.\n\tOutputCurlString bool\n\n\t// OutputPolicy causes the actual request to return an error of type\n\t// *OutputPolicyError. Type asserting the error message will display\n\t// an example of the required policy HCL needed for the operation.\n\t//\n\t// Note: It is not thread-safe to set this and make concurrent requests\n\t// with the same client. 
Cloning a client will not clone this value.\n\tOutputPolicy bool\n\n\t// curlCACert, curlCAPath, curlClientCert and curlClientKey are used to keep\n\t// track of the name of the TLS certs and keys when OutputCurlString is set.\n\t// Cloning a client will also not clone those values.\n\tcurlCACert, curlCAPath        string\n\tcurlClientCert, curlClientKey string\n\n\t// SRVLookup enables the client to lookup the host through DNS SRV lookup\n\tSRVLookup bool\n\n\t// CloneHeaders ensures that the source client's headers are copied to\n\t// its clone.\n\tCloneHeaders bool\n\n\t// CloneToken from parent.\n\tCloneToken bool\n\n\t// CloneTLSConfig from parent (tls.Config).\n\tCloneTLSConfig bool\n\n\t// ReadYourWrites ensures isolated read-after-write semantics by\n\t// providing discovered cluster replication states in each request.\n\t// The shared state is automatically propagated to all Client clones.\n\t//\n\t// Note: Careful consideration should be made prior to enabling this setting\n\t// since there will be a performance penalty paid upon each request.\n\t// This feature requires Enterprise server-side.\n\tReadYourWrites bool\n\n\t// DisableRedirects when set to true, will prevent the client from\n\t// automatically following a (single) redirect response to its initial\n\t// request. This behavior may be desirable if using Vault CLI on the server\n\t// side.\n\t//\n\t// Note: Disabling redirect following behavior could cause issues with\n\t// commands such as 'vault operator raft snapshot' as this redirects to the\n\t// primary node.\n\tDisableRedirects bool\n\tclientTLSConfig  *tls.Config\n}\n\n// TLSConfig contains the parameters needed to configure TLS on the HTTP client\n// used to communicate with Vault.\ntype TLSConfig struct {\n\t// CACert is the path to a PEM-encoded CA cert file to use to verify the\n\t// Vault server SSL certificate. 
It takes precedence over CACertBytes\n\t// and CAPath.\n\tCACert string\n\n\t// CACertBytes is a PEM-encoded certificate or bundle. It takes precedence\n\t// over CAPath.\n\tCACertBytes []byte\n\n\t// CAPath is the path to a directory of PEM-encoded CA cert files to verify\n\t// the Vault server SSL certificate.\n\tCAPath string\n\n\t// ClientCert is the path to the certificate for Vault communication\n\tClientCert string\n\n\t// ClientKey is the path to the private key for Vault communication\n\tClientKey string\n\n\t// TLSServerName, if set, is used to set the SNI host when connecting via\n\t// TLS.\n\tTLSServerName string\n\n\t// Insecure enables or disables SSL verification\n\tInsecure bool\n}\n\n// DefaultConfig returns a default configuration for the client. It is\n// safe to modify the return value of this function.\n//\n// The default Address is https://127.0.0.1:8200, but this can be overridden by\n// setting the `VAULT_ADDR` environment variable.\n//\n// If an error is encountered, the Error field on the returned *Config will be populated with the specific error.\nfunc DefaultConfig() *Config {\n\tconfig := &Config{\n\t\tAddress:      DefaultAddress,\n\t\tHttpClient:   cleanhttp.DefaultPooledClient(),\n\t\tTimeout:      time.Second * 60,\n\t\tMinRetryWait: time.Millisecond * 1000,\n\t\tMaxRetryWait: time.Millisecond * 1500,\n\t\tMaxRetries:   2,\n\t\tBackoff:      retryablehttp.RateLimitLinearJitterBackoff,\n\t}\n\n\ttransport := config.HttpClient.Transport.(*http.Transport)\n\ttransport.TLSHandshakeTimeout = 10 * time.Second\n\ttransport.TLSClientConfig = &tls.Config{\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\tif err := http2.ConfigureTransport(transport); err != nil {\n\t\tconfig.Error = err\n\t\treturn config\n\t}\n\n\tif err := config.ReadEnvironment(); err != nil {\n\t\tconfig.Error = err\n\t\treturn config\n\t}\n\n\t// Ensure redirects are not automatically followed\n\t// Note that this is sane for the API client as it has its own\n\t// redirect 
handling logic (and thus also for command/meta),\n\t// but in e.g. http_test actual redirect handling is necessary\n\tconfig.HttpClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {\n\t\t// Returning this value causes the Go net library to not close the\n\t\t// response body and to nil out the error. Otherwise retry clients may\n\t\t// try three times on every redirect because it sees an error from this\n\t\t// function (to prevent redirects) passing through to it.\n\t\treturn http.ErrUseLastResponse\n\t}\n\n\treturn config\n}\n\n// configureTLS is a lock free version of ConfigureTLS that can be used in\n// ReadEnvironment where the lock is already held\nfunc (c *Config) configureTLS(t *TLSConfig) error {\n\tif c.HttpClient == nil {\n\t\tc.HttpClient = DefaultConfig().HttpClient\n\t}\n\n\ttransport, ok := c.HttpClient.Transport.(*http.Transport)\n\tif !ok {\n\t\treturn fmt.Errorf(\n\t\t\t\"unsupported HTTPClient transport type %T\", c.HttpClient.Transport)\n\t}\n\n\tclientTLSConfig := transport.TLSClientConfig\n\n\tvar clientCert tls.Certificate\n\tfoundClientCert := false\n\n\tswitch {\n\tcase t.ClientCert != \"\" && t.ClientKey != \"\":\n\t\tvar err error\n\t\tclientCert, err = tls.LoadX509KeyPair(t.ClientCert, t.ClientKey)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoundClientCert = true\n\t\tc.curlClientCert = t.ClientCert\n\t\tc.curlClientKey = t.ClientKey\n\tcase t.ClientCert != \"\" || t.ClientKey != \"\":\n\t\treturn fmt.Errorf(\"both client cert and client key must be provided\")\n\t}\n\n\tif t.CACert != \"\" || len(t.CACertBytes) != 0 || t.CAPath != \"\" {\n\t\tc.curlCACert = t.CACert\n\t\tc.curlCAPath = t.CAPath\n\t\trootConfig := &rootcerts.Config{\n\t\t\tCAFile:        t.CACert,\n\t\t\tCACertificate: t.CACertBytes,\n\t\t\tCAPath:        t.CAPath,\n\t\t}\n\t\tif err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tif t.Insecure {\n\t\tclientTLSConfig.InsecureSkipVerify 
= true\n\t}\n\n\tif foundClientCert {\n\t\t// We use this function to ignore the server's preferential list of\n\t\t// CAs, otherwise any CA used for the cert auth backend must be in the\n\t\t// server's CA pool\n\t\tclientTLSConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {\n\t\t\treturn &clientCert, nil\n\t\t}\n\t}\n\n\tif t.TLSServerName != \"\" {\n\t\tclientTLSConfig.ServerName = t.TLSServerName\n\t}\n\tc.clientTLSConfig = clientTLSConfig\n\n\treturn nil\n}\n\nfunc (c *Config) TLSConfig() *tls.Config {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\treturn c.clientTLSConfig.Clone()\n}\n\n// ConfigureTLS takes a set of TLS configurations and applies those to the\n// HTTP client.\nfunc (c *Config) ConfigureTLS(t *TLSConfig) error {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\n\treturn c.configureTLS(t)\n}\n\n// ReadEnvironment reads configuration information from the environment. If\n// there is an error, no configuration value is updated.\nfunc (c *Config) ReadEnvironment() error {\n\tvar envAddress string\n\tvar envAgentAddress string\n\tvar envCACert string\n\tvar envCACertBytes []byte\n\tvar envCAPath string\n\tvar envClientCert string\n\tvar envClientKey string\n\tvar envClientTimeout time.Duration\n\tvar envInsecure bool\n\tvar envTLSServerName string\n\tvar envMaxRetries *uint64\n\tvar envSRVLookup bool\n\tvar limit *rate.Limiter\n\tvar envVaultProxy string\n\tvar envVaultDisableRedirects bool\n\n\t// Parse the environment variables\n\tif v := os.Getenv(EnvVaultAddress); v != \"\" {\n\t\tenvAddress = v\n\t}\n\tif v := os.Getenv(EnvVaultAgentAddr); v != \"\" {\n\t\tenvAgentAddress = v\n\t}\n\tif v := os.Getenv(EnvVaultMaxRetries); v != \"\" {\n\t\tmaxRetries, err := strconv.ParseUint(v, 10, 32)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tenvMaxRetries = &maxRetries\n\t}\n\tif v := os.Getenv(EnvVaultCACert); v != \"\" {\n\t\tenvCACert = v\n\t}\n\tif v := os.Getenv(EnvVaultCACertBytes); v 
!= \"\" {\n\t\tenvCACertBytes = []byte(v)\n\t}\n\tif v := os.Getenv(EnvVaultCAPath); v != \"\" {\n\t\tenvCAPath = v\n\t}\n\tif v := os.Getenv(EnvVaultClientCert); v != \"\" {\n\t\tenvClientCert = v\n\t}\n\tif v := os.Getenv(EnvVaultClientKey); v != \"\" {\n\t\tenvClientKey = v\n\t}\n\tif v := os.Getenv(EnvRateLimit); v != \"\" {\n\t\trateLimit, burstLimit, err := parseRateLimit(v)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlimit = rate.NewLimiter(rate.Limit(rateLimit), burstLimit)\n\t}\n\tif t := os.Getenv(EnvVaultClientTimeout); t != \"\" {\n\t\tclientTimeout, err := parseutil.ParseDurationSecond(t)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"could not parse %q\", EnvVaultClientTimeout)\n\t\t}\n\t\tenvClientTimeout = clientTimeout\n\t}\n\tif v := os.Getenv(EnvVaultSkipVerify); v != \"\" {\n\t\tvar err error\n\t\tenvInsecure, err = strconv.ParseBool(v)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"could not parse %s\", EnvVaultSkipVerify)\n\t\t}\n\t}\n\tif v := os.Getenv(EnvVaultSRVLookup); v != \"\" {\n\t\tvar err error\n\t\tenvSRVLookup, err = strconv.ParseBool(v)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"could not parse %s\", EnvVaultSRVLookup)\n\t\t}\n\t}\n\n\tif v := os.Getenv(EnvVaultTLSServerName); v != \"\" {\n\t\tenvTLSServerName = v\n\t}\n\n\tif v := os.Getenv(EnvHTTPProxy); v != \"\" {\n\t\tenvVaultProxy = v\n\t}\n\n\t// VAULT_PROXY_ADDR supersedes VAULT_HTTP_PROXY\n\tif v := os.Getenv(EnvVaultProxyAddr); v != \"\" {\n\t\tenvVaultProxy = v\n\t}\n\n\tif v := os.Getenv(EnvVaultDisableRedirects); v != \"\" {\n\t\tvar err error\n\t\tenvVaultDisableRedirects, err = strconv.ParseBool(v)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"could not parse %s\", EnvVaultDisableRedirects)\n\t\t}\n\n\t\tc.DisableRedirects = envVaultDisableRedirects\n\t}\n\n\t// Configure the HTTP clients TLS configuration.\n\tt := &TLSConfig{\n\t\tCACert:        envCACert,\n\t\tCACertBytes:   envCACertBytes,\n\t\tCAPath:        envCAPath,\n\t\tClientCert:    
envClientCert,\n\t\tClientKey:     envClientKey,\n\t\tTLSServerName: envTLSServerName,\n\t\tInsecure:      envInsecure,\n\t}\n\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\n\tc.SRVLookup = envSRVLookup\n\tc.Limiter = limit\n\n\tif err := c.configureTLS(t); err != nil {\n\t\treturn err\n\t}\n\n\tif envAddress != \"\" {\n\t\tc.Address = envAddress\n\t}\n\n\tif envAgentAddress != \"\" {\n\t\tc.AgentAddress = envAgentAddress\n\t}\n\n\tif envMaxRetries != nil {\n\t\tc.MaxRetries = int(*envMaxRetries)\n\t}\n\n\tif envClientTimeout != 0 {\n\t\tc.Timeout = envClientTimeout\n\t}\n\n\tif envVaultProxy != \"\" {\n\t\tu, err := url.Parse(envVaultProxy)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\ttransport := c.HttpClient.Transport.(*http.Transport)\n\t\ttransport.Proxy = http.ProxyURL(u)\n\t}\n\n\treturn nil\n}\n\n// ParseAddress transforms the provided address into a url.URL and handles\n// the case of Unix domain sockets by setting the DialContext in the\n// configuration's HttpClient.Transport. This function must be called with\n// c.modifyLock held for write access.\nfunc (c *Config) ParseAddress(address string) (*url.URL, error) {\n\tu, err := url.Parse(address)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tpreviousAddress := c.Address\n\tc.Address = address\n\n\tif strings.HasPrefix(address, \"unix://\") {\n\t\t// When the address begins with unix://, always change the transport's\n\t\t// DialContext (to match previous behaviour)\n\t\tsocket := strings.TrimPrefix(address, \"unix://\")\n\n\t\tif transport, ok := c.HttpClient.Transport.(*http.Transport); ok {\n\t\t\ttransport.DialContext = func(context.Context, string, string) (net.Conn, error) {\n\t\t\t\treturn net.Dial(\"unix\", socket)\n\t\t\t}\n\n\t\t\t// Since the address points to a unix domain socket, the scheme in the\n\t\t\t// *URL would be set to `unix`. 
The *URL in the client is expected to\n\t\t\t// be pointing to the protocol used in the application layer and not to\n\t\t\t// the transport layer. Hence, setting the fields accordingly.\n\t\t\tu.Scheme = \"http\"\n\t\t\tu.Host = \"localhost\"\n\t\t\tu.Path = \"\"\n\t\t} else {\n\t\t\treturn nil, fmt.Errorf(\"attempting to specify unix:// address with non-transport transport\")\n\t\t}\n\t} else if strings.HasPrefix(previousAddress, \"unix://\") {\n\t\t// When the address being set does not begin with unix:// but the previous\n\t\t// address in the Config did, change the transport's DialContext back to\n\t\t// use the default configuration that cleanhttp uses.\n\n\t\tif transport, ok := c.HttpClient.Transport.(*http.Transport); ok {\n\t\t\ttransport.DialContext = cleanhttp.DefaultPooledTransport().DialContext\n\t\t}\n\t}\n\n\treturn u, nil\n}\n\nfunc parseRateLimit(val string) (rate float64, burst int, err error) {\n\t_, err = fmt.Sscanf(val, \"%f:%d\", &rate, &burst)\n\tif err != nil {\n\t\trate, err = strconv.ParseFloat(val, 64)\n\t\tif err != nil {\n\t\t\terr = fmt.Errorf(\"%v was provided but incorrectly formatted\", EnvRateLimit)\n\t\t}\n\t\tburst = int(rate)\n\t}\n\n\treturn rate, burst, err\n}\n\n// Client is the client to the Vault API. 
Create a client with NewClient.\ntype Client struct {\n\tmodifyLock            sync.RWMutex\n\taddr                  *url.URL\n\tconfig                *Config\n\ttoken                 string\n\theaders               http.Header\n\twrappingLookupFunc    WrappingLookupFunc\n\tmfaCreds              []string\n\tpolicyOverride        bool\n\trequestCallbacks      []RequestCallback\n\tresponseCallbacks     []ResponseCallback\n\treplicationStateStore *replicationStateStore\n\thcpCookie             *http.Cookie\n}\n\n// NewClient returns a new client for the given configuration.\n//\n// If the configuration is nil, Vault will use configuration from\n// DefaultConfig(), which is the recommended starting configuration.\n//\n// If the environment variable `VAULT_TOKEN` is present, the token will be\n// automatically added to the client. Otherwise, you must manually call\n// `SetToken()`.\nfunc NewClient(c *Config) (*Client, error) {\n\tdef := DefaultConfig()\n\tif def == nil {\n\t\treturn nil, fmt.Errorf(\"could not create/read default configuration\")\n\t}\n\tif def.Error != nil {\n\t\treturn nil, errwrap.Wrapf(\"error encountered setting up default configuration: {{err}}\", def.Error)\n\t}\n\n\tif c == nil {\n\t\tc = def\n\t}\n\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\n\tif c.MinRetryWait == 0 {\n\t\tc.MinRetryWait = def.MinRetryWait\n\t}\n\n\tif c.MaxRetryWait == 0 {\n\t\tc.MaxRetryWait = def.MaxRetryWait\n\t}\n\n\tif c.HttpClient == nil {\n\t\tc.HttpClient = def.HttpClient\n\t}\n\tif c.HttpClient.Transport == nil {\n\t\tc.HttpClient.Transport = def.HttpClient.Transport\n\t}\n\n\taddress := c.Address\n\tif c.AgentAddress != \"\" {\n\t\taddress = c.AgentAddress\n\t}\n\n\tu, err := c.ParseAddress(address)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tclient := &Client{\n\t\taddr:    u,\n\t\tconfig:  c,\n\t\theaders: make(http.Header),\n\t}\n\n\tif c.ReadYourWrites {\n\t\tclient.replicationStateStore = &replicationStateStore{}\n\t}\n\n\t// Add the 
VaultRequest SSRF protection header\n\tclient.headers[RequestHeaderName] = []string{\"true\"}\n\n\tif token := os.Getenv(EnvVaultToken); token != \"\" {\n\t\tclient.token = token\n\t}\n\n\tif namespace := os.Getenv(EnvVaultNamespace); namespace != \"\" {\n\t\tclient.setNamespace(namespace)\n\t}\n\n\tif envHeaders := os.Getenv(EnvVaultHeaders); envHeaders != \"\" {\n\t\tvar result map[string]any\n\t\terr := json.Unmarshal([]byte(envHeaders), &result)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"could not unmarshal environment-supplied headers\")\n\t\t}\n\t\tvar forbiddenHeaders []string\n\t\tfor key, value := range result {\n\t\t\tif strings.HasPrefix(key, \"X-Vault-\") {\n\t\t\t\tforbiddenHeaders = append(forbiddenHeaders, key)\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tvalue, ok := value.(string)\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"environment-supplied headers include non-string values\")\n\t\t\t}\n\t\t\tclient.AddHeader(key, value)\n\t\t}\n\t\tif len(forbiddenHeaders) > 0 {\n\t\t\treturn nil, fmt.Errorf(\"failed to setup Headers[%s]: Header starting by 'X-Vault-' are for internal usage only\", strings.Join(forbiddenHeaders, \", \"))\n\t\t}\n\t}\n\n\treturn client, nil\n}\n\nfunc (c *Client) CloneConfig() *Config {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\n\tnewConfig := DefaultConfig()\n\tnewConfig.Address = c.config.Address\n\tnewConfig.AgentAddress = c.config.AgentAddress\n\tnewConfig.MinRetryWait = c.config.MinRetryWait\n\tnewConfig.MaxRetryWait = c.config.MaxRetryWait\n\tnewConfig.MaxRetries = c.config.MaxRetries\n\tnewConfig.Timeout = c.config.Timeout\n\tnewConfig.Backoff = c.config.Backoff\n\tnewConfig.CheckRetry = c.config.CheckRetry\n\tnewConfig.Logger = c.config.Logger\n\tnewConfig.Limiter = c.config.Limiter\n\tnewConfig.SRVLookup = c.config.SRVLookup\n\tnewConfig.CloneHeaders = c.config.CloneHeaders\n\tnewConfig.CloneToken = c.config.CloneToken\n\tnewConfig.ReadYourWrites = 
c.config.ReadYourWrites\n\tnewConfig.clientTLSConfig = c.config.clientTLSConfig\n\n\t// we specifically want a _copy_ of the client here, not a pointer to the original one\n\tnewClient := *c.config.HttpClient\n\tnewConfig.HttpClient = &newClient\n\n\treturn newConfig\n}\n\n// SetAddress sets the address of Vault in the client. The format of address should be\n// \"<Scheme>://<Host>:<Port>\". Setting this on a client will override the\n// value of VAULT_ADDR environment variable.\nfunc (c *Client) SetAddress(addr string) error {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\n\tparsedAddr, err := c.config.ParseAddress(addr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to set address: %w\", err)\n\t}\n\n\tc.addr = parsedAddr\n\treturn nil\n}\n\n// Address returns the Vault URL the client is configured to connect to\nfunc (c *Client) Address() string {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\n\treturn c.addr.String()\n}\n\nfunc (c *Client) SetCheckRedirect(f func(*http.Request, []*http.Request) error) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.HttpClient.CheckRedirect = f\n}\n\n// SetLimiter will set the rate limiter for this client.\n// This method is thread-safe.\n// rateLimit and burst are specified according to https://godoc.org/golang.org/x/time/rate#NewLimiter\nfunc (c *Client) SetLimiter(rateLimit float64, burst int) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.Limiter = rate.NewLimiter(rate.Limit(rateLimit), burst)\n}\n\nfunc (c *Client) Limiter() *rate.Limiter {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.Limiter\n}\n\n// SetMinRetryWait sets the minimum time to wait before retrying in the case of certain errors.\nfunc (c *Client) 
SetMinRetryWait(retryWait time.Duration) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.MinRetryWait = retryWait\n}\n\nfunc (c *Client) MinRetryWait() time.Duration {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.MinRetryWait\n}\n\n// SetMaxRetryWait sets the maximum time to wait before retrying in the case of certain errors.\nfunc (c *Client) SetMaxRetryWait(retryWait time.Duration) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.MaxRetryWait = retryWait\n}\n\nfunc (c *Client) MaxRetryWait() time.Duration {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.MaxRetryWait\n}\n\n// SetMaxRetries sets the number of retries that will be used in the case of certain errors\nfunc (c *Client) SetMaxRetries(retries int) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.MaxRetries = retries\n}\n\nfunc (c *Client) SetMaxIdleConnections(idle int) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.HttpClient.Transport.(*http.Transport).MaxIdleConns = idle\n}\n\nfunc (c *Client) MaxIdleConnections() int {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\treturn c.config.HttpClient.Transport.(*http.Transport).MaxIdleConns\n}\n\nfunc (c *Client) SetDisableKeepAlives(disable bool) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer 
c.config.modifyLock.Unlock()\n\n\tc.config.HttpClient.Transport.(*http.Transport).DisableKeepAlives = disable\n}\n\nfunc (c *Client) DisableKeepAlives() bool {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.HttpClient.Transport.(*http.Transport).DisableKeepAlives\n}\n\nfunc (c *Client) MaxRetries() int {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.MaxRetries\n}\n\nfunc (c *Client) SetSRVLookup(srv bool) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.SRVLookup = srv\n}\n\nfunc (c *Client) SRVLookup() bool {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.SRVLookup\n}\n\n// SetCheckRetry sets the CheckRetry function to be used for future requests.\nfunc (c *Client) SetCheckRetry(checkRetry retryablehttp.CheckRetry) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.CheckRetry = checkRetry\n}\n\nfunc (c *Client) CheckRetry() retryablehttp.CheckRetry {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.CheckRetry\n}\n\n// SetClientTimeout sets the client request timeout\nfunc (c *Client) SetClientTimeout(timeout time.Duration) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.Timeout = timeout\n}\n\nfunc (c *Client) ClientTimeout() time.Duration {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.Timeout\n}\n\nfunc 
(c *Client) OutputCurlString() bool {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.OutputCurlString\n}\n\nfunc (c *Client) SetOutputCurlString(curl bool) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.OutputCurlString = curl\n}\n\nfunc (c *Client) OutputPolicy() bool {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.OutputPolicy\n}\n\nfunc (c *Client) SetOutputPolicy(isSet bool) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.OutputPolicy = isSet\n}\n\n// CurrentWrappingLookupFunc returns the lookup function currently set on the\n// client, which returns desired wrap TTLs for a given operation and path.\nfunc (c *Client) CurrentWrappingLookupFunc() WrappingLookupFunc {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\treturn c.wrappingLookupFunc\n}\n\n// SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs\n// for a given operation and path.\nfunc (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.wrappingLookupFunc = lookupFunc\n}\n\n// SetMFACreds sets the MFA credentials supplied either via the environment\n// variable or via the command line.\nfunc (c *Client) SetMFACreds(creds []string) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.mfaCreds = creds\n}\n\n// SetNamespace sets the namespace supplied either via the environment\n// variable or via the command line.\nfunc (c *Client) SetNamespace(namespace string) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.setNamespace(namespace)\n}\n\nfunc (c *Client) setNamespace(namespace string) {\n\tif c.headers == nil {\n\t\tc.headers = 
make(http.Header)\n\t}\n\n\tc.headers.Set(NamespaceHeaderName, namespace)\n}\n\n// ClearNamespace removes the namespace header if set.\nfunc (c *Client) ClearNamespace() {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tif c.headers != nil {\n\t\tc.headers.Del(NamespaceHeaderName)\n\t}\n}\n\n// Namespace returns the namespace currently set in this client. It will\n// return an empty string if there is no namespace set.\nfunc (c *Client) Namespace() string {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tif c.headers == nil {\n\t\treturn \"\"\n\t}\n\treturn c.headers.Get(NamespaceHeaderName)\n}\n\n// WithNamespace makes a shallow copy of Client, modifies it to use\n// the given namespace, and returns it. Passing an empty string will\n// temporarily unset the namespace.\nfunc (c *Client) WithNamespace(namespace string) *Client {\n\tc2 := *c\n\tc2.modifyLock = sync.RWMutex{}\n\tc.modifyLock.RLock()\n\tc2.headers = c.headersInternal()\n\tc.modifyLock.RUnlock()\n\tif namespace == \"\" {\n\t\tc2.ClearNamespace()\n\t} else {\n\t\tc2.SetNamespace(namespace)\n\t}\n\treturn &c2\n}\n\n// Token returns the access token being used by this client. It will\n// return the empty string if there is no token set.\nfunc (c *Client) Token() string {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\treturn c.token\n}\n\n// SetToken sets the token directly. This won't perform any auth\n// verification, it simply sets the token properly for future requests.\nfunc (c *Client) SetToken(v string) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.token = v\n}\n\n// HCPCookie returns the HCP cookie being used by this client, serialized as\n// a string. It will return an empty string when no cookie is set.\nfunc (c *Client) HCPCookie() string {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\n\tif c.hcpCookie == nil {\n\t\treturn \"\"\n\t}\n\treturn c.hcpCookie.String()\n}\n\n// SetHCPCookie sets the hcp cookie directly. 
This won't perform any auth\n// verification; it only checks the cookie with Valid() and stores it for future requests.\nfunc (c *Client) SetHCPCookie(v *http.Cookie) error {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\n\tif err := v.Valid(); err != nil {\n\t\treturn err\n\t}\n\n\tc.hcpCookie = v\n\n\treturn nil\n}\n\n// ClearToken deletes the token if it is set or does nothing otherwise.\nfunc (c *Client) ClearToken() {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.token = \"\"\n}\n\n// Headers gets the current set of headers used for requests. This returns a\n// copy; to modify it call AddHeader or SetHeaders.\nfunc (c *Client) Headers() http.Header {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\treturn c.headersInternal()\n}\n\n// headersInternal gets the current set of headers used for requests. Must be called\n// with the read modifyLock held.\nfunc (c *Client) headersInternal() http.Header {\n\tif c.headers == nil {\n\t\treturn nil\n\t}\n\n\tret := make(http.Header)\n\tfor k, v := range c.headers {\n\t\tfor _, val := range v {\n\t\t\tret[k] = append(ret[k], val)\n\t\t}\n\t}\n\n\treturn ret\n}\n\n// AddHeader allows a single header key/value pair to be added\n// in a race-safe fashion.\nfunc (c *Client) AddHeader(key, value string) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.headers.Add(key, value)\n}\n\n// SetHeaders clears all previous headers and uses only the given\n// ones going forward.\nfunc (c *Client) SetHeaders(headers http.Header) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.headers = headers\n}\n\n// SetBackoff sets the backoff function to be used for future requests.\nfunc (c *Client) SetBackoff(backoff retryablehttp.Backoff) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.Backoff = backoff\n}\n\nfunc (c *Client) SetLogger(logger retryablehttp.LeveledLogger) {\n\tc.modifyLock.RLock()\n\tdefer 
c.modifyLock.RUnlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.Logger = logger\n}\n\n// SetCloneHeaders to allow headers to be copied whenever the client is cloned.\nfunc (c *Client) SetCloneHeaders(cloneHeaders bool) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.CloneHeaders = cloneHeaders\n}\n\n// CloneHeaders gets the configured CloneHeaders value.\nfunc (c *Client) CloneHeaders() bool {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.CloneHeaders\n}\n\n// SetCloneToken from parent\nfunc (c *Client) SetCloneToken(cloneToken bool) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.CloneToken = cloneToken\n}\n\n// CloneToken gets the configured CloneToken value.\nfunc (c *Client) CloneToken() bool {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.CloneToken\n}\n\n// SetReadYourWrites to prevent reading stale cluster replication state.\nfunc (c *Client) SetReadYourWrites(preventStaleReads bool) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tif preventStaleReads {\n\t\tif c.replicationStateStore == nil {\n\t\t\tc.replicationStateStore = &replicationStateStore{}\n\t\t}\n\t} else {\n\t\tc.replicationStateStore = nil\n\t}\n\n\tc.config.ReadYourWrites = preventStaleReads\n}\n\n// ReadYourWrites gets the configured value of ReadYourWrites\nfunc (c *Client) ReadYourWrites() bool {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.ReadYourWrites\n}\n\n// SetCloneTLSConfig from 
parent.\nfunc (c *Client) SetCloneTLSConfig(clone bool) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.config.modifyLock.Lock()\n\tdefer c.config.modifyLock.Unlock()\n\n\tc.config.CloneTLSConfig = clone\n}\n\n// CloneTLSConfig gets the configured CloneTLSConfig value.\nfunc (c *Client) CloneTLSConfig() bool {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\n\treturn c.config.CloneTLSConfig\n}\n\n// Clone creates a new client with the same configuration. Note that the same\n// underlying http.Client is used; modifying the client from more than one\n// goroutine at once may not be safe, so modify the client as needed and then\n// clone. The headers are cloned based on the CloneHeaders property of the\n// source config\n//\n// Also, only the client's config is currently copied; this means items not in\n// the api.Config struct, such as policy override and wrapping function\n// behavior, must currently then be set as desired on the new client.\nfunc (c *Client) Clone() (*Client, error) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\treturn c.clone(c.config.CloneHeaders)\n}\n\n// CloneWithHeaders creates a new client similar to Clone, with the difference\n// being that the headers are always cloned\nfunc (c *Client) CloneWithHeaders() (*Client, error) {\n\tc.modifyLock.RLock()\n\tdefer c.modifyLock.RUnlock()\n\tc.config.modifyLock.RLock()\n\tdefer c.config.modifyLock.RUnlock()\n\treturn c.clone(true)\n}\n\n// clone creates a new client, with the headers being cloned based on the\n// passed in cloneheaders boolean.\n// Must be called with the read lock and config read lock held.\nfunc (c *Client) clone(cloneHeaders bool) (*Client, error) {\n\tconfig := c.config\n\n\tnewConfig := &Config{\n\t\tAddress:        config.Address,\n\t\tHttpClient:     config.HttpClient,\n\t\tMinRetryWait:   
config.MinRetryWait,\n\t\tMaxRetryWait:   config.MaxRetryWait,\n\t\tMaxRetries:     config.MaxRetries,\n\t\tTimeout:        config.Timeout,\n\t\tBackoff:        config.Backoff,\n\t\tCheckRetry:     config.CheckRetry,\n\t\tLogger:         config.Logger,\n\t\tLimiter:        config.Limiter,\n\t\tAgentAddress:   config.AgentAddress,\n\t\tSRVLookup:      config.SRVLookup,\n\t\tCloneHeaders:   config.CloneHeaders,\n\t\tCloneToken:     config.CloneToken,\n\t\tReadYourWrites: config.ReadYourWrites,\n\t}\n\n\tif config.CloneTLSConfig {\n\t\tnewConfig.clientTLSConfig = config.clientTLSConfig\n\t}\n\n\tclient, err := NewClient(newConfig)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif cloneHeaders {\n\t\tclient.SetHeaders(c.headersInternal().Clone())\n\t}\n\n\tif config.CloneToken {\n\t\tclient.SetToken(c.token)\n\t}\n\n\tclient.replicationStateStore = c.replicationStateStore\n\n\treturn client, nil\n}\n\n// SetPolicyOverride sets whether requests should be sent with the policy\n// override flag to request overriding soft-mandatory Sentinel policies (both\n// RGPs and EGPs)\nfunc (c *Client) SetPolicyOverride(override bool) {\n\tc.modifyLock.Lock()\n\tdefer c.modifyLock.Unlock()\n\tc.policyOverride = override\n}\n\n// NewRequest creates a new raw request object to query the Vault server\n// configured for this client. 
This is an advanced method and generally\n// doesn't need to be called externally.\nfunc (c *Client) NewRequest(method, requestPath string) *Request {\n\tc.modifyLock.RLock()\n\taddr := c.addr\n\ttoken := c.token\n\tmfaCreds := c.mfaCreds\n\twrappingLookupFunc := c.wrappingLookupFunc\n\tpolicyOverride := c.policyOverride\n\theaders := c.headersInternal()\n\tc.modifyLock.RUnlock()\n\n\thost := addr.Host\n\t// if SRV records exist (see https://tools.ietf.org/html/draft-andrews-http-srv-02), lookup the SRV\n\t// record and take the highest match; this is not designed for high-availability, just discovery\n\t// Internet Draft specifies that the SRV record is ignored if a port is given\n\tif addr.Port() == \"\" && c.config.SRVLookup {\n\t\t_, addrs, err := net.LookupSRV(\"http\", \"tcp\", addr.Hostname())\n\t\tif err == nil && len(addrs) > 0 {\n\t\t\thost = fmt.Sprintf(\"%s:%d\", addrs[0].Target, addrs[0].Port)\n\t\t}\n\t}\n\n\treq := &Request{\n\t\tMethod: method,\n\t\tURL: &url.URL{\n\t\t\tUser:   addr.User,\n\t\t\tScheme: addr.Scheme,\n\t\t\tHost:   host,\n\t\t\tPath:   path.Join(addr.Path, requestPath),\n\t\t},\n\t\tHost:        addr.Host,\n\t\tClientToken: token,\n\t\tParams:      make(map[string][]string),\n\t}\n\n\treq.HCPCookie = c.hcpCookie\n\n\tvar lookupPath string\n\tswitch {\n\tcase strings.HasPrefix(requestPath, \"/v1/\"):\n\t\tlookupPath = strings.TrimPrefix(requestPath, \"/v1/\")\n\tcase strings.HasPrefix(requestPath, \"v1/\"):\n\t\tlookupPath = strings.TrimPrefix(requestPath, \"v1/\")\n\tdefault:\n\t\tlookupPath = requestPath\n\t}\n\n\treq.MFAHeaderVals = mfaCreds\n\n\tif wrappingLookupFunc != nil {\n\t\treq.WrapTTL = wrappingLookupFunc(method, lookupPath)\n\t} else {\n\t\treq.WrapTTL = DefaultWrappingLookupFunc(method, lookupPath)\n\t}\n\n\treq.Headers = headers\n\treq.PolicyOverride = policyOverride\n\n\treturn req\n}\n\n// RawRequest performs the raw request given. This request may be against\n// a Vault server not configured with this client. 
This is an advanced operation\n// that generally won't need to be called externally.\n//\n// Deprecated: RawRequest exists for historical compatibility and should not be\n// used directly. Use client.Logical().ReadRaw(...) or higher level methods\n// instead.\nfunc (c *Client) RawRequest(r *Request) (*Response, error) {\n\treturn c.RawRequestWithContext(context.Background(), r)\n}\n\n// RawRequestWithContext performs the raw request given. This request may be against\n// a Vault server not configured with this client. This is an advanced operation\n// that generally won't need to be called externally.\n//\n// Deprecated: RawRequestWithContext exists for historical compatibility and\n// should not be used directly. Use client.Logical().ReadRawWithContext(...)\n// or higher level methods instead.\nfunc (c *Client) RawRequestWithContext(ctx context.Context, r *Request) (*Response, error) {\n\t// Note: we purposefully do not call cancel manually. The reason is\n\t// when canceled, the request.Body will EOF when reading due to the way\n\t// it streams data in. 
Cancel will still be run when the timeout is\n\t// hit, so this doesn't really harm anything.\n\tctx, _ = c.withConfiguredTimeout(ctx)\n\treturn c.rawRequestWithContext(ctx, r)\n}\n\nfunc (c *Client) rawRequestWithContext(ctx context.Context, r *Request) (*Response, error) {\n\tc.modifyLock.RLock()\n\ttoken := c.token\n\n\tc.config.modifyLock.RLock()\n\tlimiter := c.config.Limiter\n\tminRetryWait := c.config.MinRetryWait\n\tmaxRetryWait := c.config.MaxRetryWait\n\tmaxRetries := c.config.MaxRetries\n\tcheckRetry := c.config.CheckRetry\n\tbackoff := c.config.Backoff\n\thttpClient := c.config.HttpClient\n\tns := c.headers.Get(NamespaceHeaderName)\n\toutputCurlString := c.config.OutputCurlString\n\toutputPolicy := c.config.OutputPolicy\n\tlogger := c.config.Logger\n\tdisableRedirects := c.config.DisableRedirects\n\tc.config.modifyLock.RUnlock()\n\n\tc.modifyLock.RUnlock()\n\n\t// ensure that the most current namespace setting is used at the time of the call\n\t// e.g. calls using (*Client).WithNamespace\n\tswitch ns {\n\tcase \"\":\n\t\tr.Headers.Del(NamespaceHeaderName)\n\tdefault:\n\t\tr.Headers.Set(NamespaceHeaderName, ns)\n\t}\n\n\tfor _, cb := range c.requestCallbacks {\n\t\tcb(r)\n\t}\n\n\tif c.config.ReadYourWrites {\n\t\tc.replicationStateStore.requireState(r)\n\t}\n\n\tif limiter != nil {\n\t\tlimiter.Wait(ctx)\n\t}\n\n\t// check the token before potentially erroring from the API\n\tif err := validateToken(token); err != nil {\n\t\treturn nil, err\n\t}\n\n\tredirectCount := 0\nSTART:\n\treq, err := r.toRetryableHTTP()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif req == nil {\n\t\treturn nil, fmt.Errorf(\"nil request created\")\n\t}\n\n\tif outputCurlString {\n\t\t// Note that although we're building this up here and returning it as an error object, the Error()\n\t\t// interface method on it only gets called in a context where the actual string returned from that\n\t\t// method is irrelevant, because it gets swallowed by an error buffer that's never 
output to the user.\n\t\t// That's on purpose, not a bug, because in this case, OutputStringError is not really an _error_, per se.\n\t\t// It's just a way of aborting the control flow so that requests don't actually execute, and instead,\n\t\t// we can detect what's happened back in the CLI machinery and show the actual curl string to the user.\n\t\tLastOutputStringError = &OutputStringError{\n\t\t\tRequest:       req,\n\t\t\tTLSSkipVerify: c.config.HttpClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify,\n\t\t\tClientCert:    c.config.curlClientCert,\n\t\t\tClientKey:     c.config.curlClientKey,\n\t\t\tClientCACert:  c.config.curlCACert,\n\t\t\tClientCAPath:  c.config.curlCAPath,\n\t\t}\n\t\treturn nil, LastOutputStringError\n\t}\n\n\tif outputPolicy {\n\t\tLastOutputPolicyError = &OutputPolicyError{\n\t\t\tmethod: req.Method,\n\t\t\tpath:   strings.TrimPrefix(req.URL.Path, \"/v1\"),\n\t\t\tparams: req.URL.Query(),\n\t\t}\n\t\treturn nil, LastOutputPolicyError\n\t}\n\n\treq.Request = req.Request.WithContext(ctx)\n\n\tif backoff == nil {\n\t\tbackoff = retryablehttp.LinearJitterBackoff\n\t}\n\n\tif checkRetry == nil {\n\t\tcheckRetry = DefaultRetryPolicy\n\t}\n\n\tclient := &retryablehttp.Client{\n\t\tHTTPClient:   httpClient,\n\t\tRetryWaitMin: minRetryWait,\n\t\tRetryWaitMax: maxRetryWait,\n\t\tRetryMax:     maxRetries,\n\t\tBackoff:      backoff,\n\t\tCheckRetry:   checkRetry,\n\t\tLogger:       logger,\n\t\tErrorHandler: retryablehttp.PassthroughErrorHandler,\n\t}\n\n\tvar result *Response\n\tresp, err := client.Do(req)\n\tif resp != nil {\n\t\tresult = &Response{Response: resp}\n\t}\n\tif err != nil {\n\t\tif strings.Contains(err.Error(), \"tls: oversized\") {\n\t\t\terr = errwrap.Wrapf(\"{{err}}\\n\\n\"+TLSErrorString, err)\n\t\t}\n\t\treturn result, err\n\t}\n\n\t// Check for a redirect, only allowing for a single redirect (if redirects aren't disabled)\n\tif (resp.StatusCode == 301 || resp.StatusCode == 302 || resp.StatusCode == 307) && 
redirectCount == 0 && !disableRedirects {\n\t\t// Parse the updated location\n\t\trespLoc, err := resp.Location()\n\t\tif err != nil {\n\t\t\treturn result, err\n\t\t}\n\n\t\t// Ensure a protocol downgrade doesn't happen\n\t\tif req.URL.Scheme == \"https\" && respLoc.Scheme != \"https\" {\n\t\t\treturn result, fmt.Errorf(\"redirect would cause protocol downgrade\")\n\t\t}\n\n\t\t// Update the request\n\t\tr.URL = respLoc\n\n\t\t// Reset the request body if any\n\t\tif err := r.ResetJSONBody(); err != nil {\n\t\t\treturn result, err\n\t\t}\n\n\t\t// Retry the request\n\t\tredirectCount++\n\t\tgoto START\n\t}\n\n\tif result != nil {\n\t\tfor _, cb := range c.responseCallbacks {\n\t\t\tcb(result)\n\t\t}\n\n\t\tif c.config.ReadYourWrites {\n\t\t\tc.replicationStateStore.recordState(result)\n\t\t}\n\t}\n\tif err := result.Error(); err != nil {\n\t\treturn result, err\n\t}\n\n\treturn result, nil\n}\n\n// httpRequestWithContext avoids the use of the go-retryable library found in RawRequestWithContext and is\n// useful when making calls where a net/http client is desirable. 
A single redirect (status code 301, 302,\n// or 307) will be followed but all retry and timeout logic is the responsibility of the caller as is\n// closing the Response body.\nfunc (c *Client) httpRequestWithContext(ctx context.Context, r *Request) (*Response, error) {\n\treq, err := http.NewRequestWithContext(ctx, r.Method, r.URL.RequestURI(), r.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tc.modifyLock.RLock()\n\ttoken := c.token\n\n\tc.config.modifyLock.RLock()\n\tlimiter := c.config.Limiter\n\thttpClient := c.config.HttpClient\n\toutputCurlString := c.config.OutputCurlString\n\toutputPolicy := c.config.OutputPolicy\n\tdisableRedirects := c.config.DisableRedirects\n\n\t// add headers\n\tif c.headers != nil {\n\t\tfor header, vals := range c.headers {\n\t\t\tfor _, val := range vals {\n\t\t\t\treq.Header.Add(header, val)\n\t\t\t}\n\t\t}\n\t\t// explicitly set the namespace header to current client\n\t\tif ns := c.headers.Get(NamespaceHeaderName); ns != \"\" {\n\t\t\tr.Headers.Set(NamespaceHeaderName, ns)\n\t\t}\n\t}\n\n\tc.config.modifyLock.RUnlock()\n\tc.modifyLock.RUnlock()\n\n\t// OutputCurlString and OutputPolicy logic rely on the request type to be retryable.Request\n\tif outputCurlString {\n\t\treturn nil, fmt.Errorf(\"output-curl-string is not implemented for this request\")\n\t}\n\tif outputPolicy {\n\t\treturn nil, fmt.Errorf(\"output-policy is not implemented for this request\")\n\t}\n\n\treq.URL.User = r.URL.User\n\treq.URL.Scheme = r.URL.Scheme\n\treq.URL.Host = r.URL.Host\n\treq.Host = r.URL.Host\n\n\tif len(r.ClientToken) != 0 {\n\t\treq.Header.Set(AuthHeaderName, r.ClientToken)\n\t}\n\n\tif len(r.WrapTTL) != 0 {\n\t\treq.Header.Set(\"X-Vault-Wrap-TTL\", r.WrapTTL)\n\t}\n\n\tif len(r.MFAHeaderVals) != 0 {\n\t\tfor _, mfaHeaderVal := range r.MFAHeaderVals {\n\t\t\treq.Header.Add(\"X-Vault-MFA\", mfaHeaderVal)\n\t\t}\n\t}\n\n\tif r.PolicyOverride {\n\t\treq.Header.Set(\"X-Vault-Policy-Override\", \"true\")\n\t}\n\n\tif limiter != nil 
{\n\t\tlimiter.Wait(ctx)\n\t}\n\n\t// check the token before potentially erroring from the API\n\tif err := validateToken(token); err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar result *Response\n\n\tresp, err := httpClient.Do(req)\n\n\tif resp != nil {\n\t\tresult = &Response{Response: resp}\n\t}\n\n\tif err != nil {\n\t\tif strings.Contains(err.Error(), \"tls: oversized\") {\n\t\t\terr = errwrap.Wrapf(\"{{err}}\\n\\n\"+TLSErrorString, err)\n\t\t}\n\t\treturn result, err\n\t}\n\n\t// Check for a redirect, only allowing for a single redirect, if redirects aren't disabled\n\tif (resp.StatusCode == 301 || resp.StatusCode == 302 || resp.StatusCode == 307) && !disableRedirects {\n\t\t// Parse the updated location\n\t\trespLoc, err := resp.Location()\n\t\tif err != nil {\n\t\t\treturn result, fmt.Errorf(\"redirect failed: %s\", err)\n\t\t}\n\n\t\t// Ensure a protocol downgrade doesn't happen\n\t\tif req.URL.Scheme == \"https\" && respLoc.Scheme != \"https\" {\n\t\t\treturn result, fmt.Errorf(\"redirect would cause protocol downgrade\")\n\t\t}\n\n\t\t// Update the request\n\t\treq.URL = respLoc\n\n\t\t// Reset the request body if any\n\t\tif err := r.ResetJSONBody(); err != nil {\n\t\t\treturn result, fmt.Errorf(\"redirect failed: %s\", err)\n\t\t}\n\n\t\t// Retry the request\n\t\tresp, err = httpClient.Do(req)\n\t\tif err != nil {\n\t\t\treturn result, fmt.Errorf(\"redirect failed: %s\", err)\n\t\t}\n\t}\n\n\tif err := result.Error(); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn result, nil\n}\n\ntype (\n\tRequestCallback  func(*Request)\n\tResponseCallback func(*Response)\n)\n\n// WithRequestCallbacks makes a shallow clone of Client, modifies it to use\n// the given callbacks, and returns it.  Each of the callbacks will be invoked\n// on every outgoing request.  
A client may be used to issue requests\n// concurrently; any locking needed by callbacks invoked concurrently is the\n// callback's responsibility.\nfunc (c *Client) WithRequestCallbacks(callbacks ...RequestCallback) *Client {\n\tc2 := *c\n\tc2.modifyLock = sync.RWMutex{}\n\tc2.requestCallbacks = callbacks\n\treturn &c2\n}\n\n// WithResponseCallbacks makes a shallow clone of Client, modifies it to use\n// the given callbacks, and returns it.  Each of the callbacks will be invoked\n// on every received response.  A client may be used to issue requests\n// concurrently; any locking needed by callbacks invoked concurrently is the\n// callback's responsibility.\nfunc (c *Client) WithResponseCallbacks(callbacks ...ResponseCallback) *Client {\n\tc2 := *c\n\tc2.modifyLock = sync.RWMutex{}\n\tc2.responseCallbacks = callbacks\n\treturn &c2\n}\n\n// withConfiguredTimeout wraps the context with a timeout from the client configuration.\nfunc (c *Client) withConfiguredTimeout(ctx context.Context) (context.Context, context.CancelFunc) {\n\ttimeout := c.ClientTimeout()\n\n\tif timeout > 0 {\n\t\treturn context.WithTimeout(ctx, timeout)\n\t}\n\n\treturn ctx, func() {}\n}\n\n// RecordState returns a response callback that will record the state returned\n// by Vault in a response header.\nfunc RecordState(state *string) ResponseCallback {\n\treturn func(resp *Response) {\n\t\t*state = resp.Header.Get(HeaderIndex)\n\t}\n}\n\n// RequireState returns a request callback that will add a request header to\n// specify the state we require of Vault. This state was obtained from a\n// response header seen previous, probably captured with RecordState.\nfunc RequireState(states ...string) RequestCallback {\n\treturn func(req *Request) {\n\t\tfor _, s := range states {\n\t\t\treq.Headers.Add(HeaderIndex, s)\n\t\t}\n\t}\n}\n\n// compareReplicationStates returns 1 if s1 is newer or identical, -1 if s1 is older, and 0\n// if neither s1 or s2 is strictly greater. 
An error is returned if s1 or s2\n// are invalid or from different clusters.\nfunc compareReplicationStates(s1, s2 string) (int, error) {\n\tw1, err := ParseReplicationState(s1, nil)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\tw2, err := ParseReplicationState(s2, nil)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\tif w1.ClusterID != w2.ClusterID {\n\t\treturn 0, fmt.Errorf(\"can't compare replication states with different ClusterIDs\")\n\t}\n\n\tswitch {\n\tcase w1.LocalIndex >= w2.LocalIndex && w1.ReplicatedIndex >= w2.ReplicatedIndex:\n\t\treturn 1, nil\n\t// We've already handled the case where both are equal above, so really we're\n\t// asking here if one or both are lesser.\n\tcase w1.LocalIndex <= w2.LocalIndex && w1.ReplicatedIndex <= w2.ReplicatedIndex:\n\t\treturn -1, nil\n\t}\n\n\treturn 0, nil\n}\n\n// MergeReplicationStates returns a merged array of replication states by iterating\n// through all states in `old`. An iterated state is merged to the result before `new`\n// based on the result of compareReplicationStates\nfunc MergeReplicationStates(old []string, new string) []string {\n\tif len(old) == 0 || len(old) > 2 {\n\t\treturn []string{new}\n\t}\n\n\tvar ret []string\n\tfor _, o := range old {\n\t\tc, err := compareReplicationStates(o, new)\n\t\tif err != nil {\n\t\t\treturn []string{new}\n\t\t}\n\t\tswitch c {\n\t\tcase 1:\n\t\t\tret = append(ret, o)\n\t\tcase -1:\n\t\t\tret = append(ret, new)\n\t\tcase 0:\n\t\t\tret = append(ret, o, new)\n\t\t}\n\t}\n\treturn strutil.RemoveDuplicates(ret, false)\n}\n\ntype WALState struct {\n\tClusterID       string\n\tLocalIndex      uint64\n\tReplicatedIndex uint64\n}\n\nfunc ParseReplicationState(raw string, hmacKey []byte) (*WALState, error) {\n\tcooked, err := base64.StdEncoding.DecodeString(raw)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\ts := string(cooked)\n\n\tlastIndex := strings.LastIndexByte(s, ':')\n\tif lastIndex == -1 {\n\t\treturn nil, fmt.Errorf(\"invalid full state header 
format\")\n\t}\n\tstate, stateHMACRaw := s[:lastIndex], s[lastIndex+1:]\n\tstateHMAC, err := hex.DecodeString(stateHMACRaw)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid state header HMAC: %v, %w\", stateHMACRaw, err)\n\t}\n\n\tif len(hmacKey) != 0 {\n\t\thm := hmac.New(sha256.New, hmacKey)\n\t\thm.Write([]byte(state))\n\t\tif !hmac.Equal(hm.Sum(nil), stateHMAC) {\n\t\t\treturn nil, fmt.Errorf(\"invalid state header HMAC (mismatch)\")\n\t\t}\n\t}\n\n\tpieces := strings.Split(state, \":\")\n\tif len(pieces) != 4 || pieces[0] != \"v1\" || pieces[1] == \"\" {\n\t\treturn nil, fmt.Errorf(\"invalid state header format\")\n\t}\n\tlocalIndex, err := strconv.ParseUint(pieces[2], 10, 64)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid local index in state header: %w\", err)\n\t}\n\treplicatedIndex, err := strconv.ParseUint(pieces[3], 10, 64)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid replicated index in state header: %w\", err)\n\t}\n\n\treturn &WALState{\n\t\tClusterID:       pieces[1],\n\t\tLocalIndex:      localIndex,\n\t\tReplicatedIndex: replicatedIndex,\n\t}, nil\n}\n\n// ForwardInconsistent returns a request callback that will add a request\n// header which says: if the state required isn't present on the node receiving\n// this request, forward it to the active node.  
This should be used in\n// conjunction with RequireState.\nfunc ForwardInconsistent() RequestCallback {\n\treturn func(req *Request) {\n\t\treq.Headers.Set(HeaderInconsistent, \"forward-active-node\")\n\t}\n}\n\n// ForwardAlways returns a request callback which adds a header telling any\n// performance standbys handling the request to forward it to the active node.\n// This feature must be enabled in Vault's configuration.\nfunc ForwardAlways() RequestCallback {\n\treturn func(req *Request) {\n\t\treq.Headers.Set(HeaderForward, \"active-node\")\n\t}\n}\n\n// DefaultRetryPolicy is the default retry policy used by new Client objects.\n// It is the same as retryablehttp.DefaultRetryPolicy except that it also retries\n// 412 requests, which are returned by Vault when a X-Vault-Index header isn't\n// satisfied.\nfunc DefaultRetryPolicy(ctx context.Context, resp *http.Response, err error) (bool, error) {\n\tretry, err := retryablehttp.DefaultRetryPolicy(ctx, resp, err)\n\tif err != nil || retry {\n\t\treturn retry, err\n\t}\n\tif resp != nil && resp.StatusCode == 412 {\n\t\treturn true, nil\n\t}\n\treturn false, nil\n}\n\n// replicationStateStore is used to track cluster replication states\n// in order to ensure proper read-after-write semantics for a Client.\ntype replicationStateStore struct {\n\tm     sync.RWMutex\n\tstore []string\n}\n\n// recordState updates the store's replication states with the merger of all\n// states.\nfunc (w *replicationStateStore) recordState(resp *Response) {\n\tw.m.Lock()\n\tdefer w.m.Unlock()\n\tnewState := resp.Header.Get(HeaderIndex)\n\tif newState != \"\" {\n\t\tw.store = MergeReplicationStates(w.store, newState)\n\t}\n}\n\n// requireState updates the Request with the store's current replication states.\nfunc (w *replicationStateStore) requireState(req *Request) {\n\tw.m.RLock()\n\tdefer w.m.RUnlock()\n\tfor _, s := range w.store {\n\t\treq.Headers.Add(HeaderIndex, s)\n\t}\n}\n\n// states currently stored.\nfunc (w 
*replicationStateStore) states() []string {\n\tw.m.RLock()\n\tdefer w.m.RUnlock()\n\tc := make([]string, len(w.store))\n\tcopy(c, w.store)\n\treturn c\n}\n\n// validateToken rejects a token that contains non-printable characters, so that a call that would fail at the API is never attempted\nfunc validateToken(t string) error {\n\tidx := strings.IndexFunc(t, func(c rune) bool {\n\t\treturn !unicode.IsPrint(c)\n\t})\n\tif idx != -1 {\n\t\treturn fmt.Errorf(\"configured Vault token contains non-printable characters and cannot be used\")\n\t}\n\treturn nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/hcl_dup_attr_deprecation.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/hashicorp/hcl\"\n\t\"github.com/hashicorp/hcl/hcl/ast\"\n\thclParser \"github.com/hashicorp/hcl/hcl/parser\"\n)\n\n// allowHclDuplicatesEnvVar is an environment variable that allows Vault to revert back to accepting HCL files with\n// duplicate attributes. It's temporary until we finish the deprecation process, at which point this will be removed\nconst allowHclDuplicatesEnvVar = \"VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_ATTRIBUTES\"\n\n// parseAndCheckForDuplicateHclAttributes parses the input JSON/HCL file and if it is HCL it also checks\n// for duplicate keys in the HCL file, allowing callers to handle the issue accordingly. It now only accepts duplicate\n// keys if the environment variable VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_ATTRIBUTES is set to true. In a future\n// release we'll remove this function entirely and there will be no way to parse HCL files with duplicate keys.\n// TODO (HCL_DUP_KEYS_DEPRECATION): remove once not used anymore\nfunc parseAndCheckForDuplicateHclAttributes(input string) (res *ast.File, duplicate bool, err error) {\n\tres, err = hcl.Parse(input)\n\tif err != nil && strings.Contains(err.Error(), \"Each argument can only be defined once\") {\n\t\tallowHclDuplicatesRaw := os.Getenv(allowHclDuplicatesEnvVar)\n\t\tif allowHclDuplicatesRaw == \"\" {\n\t\t\t// default is to not allow duplicates\n\t\t\treturn nil, false, err\n\t\t}\n\t\tallowHclDuplicates, envParseErr := strconv.ParseBool(allowHclDuplicatesRaw)\n\t\tif envParseErr != nil {\n\t\t\treturn nil, false, fmt.Errorf(\"error parsing %q environment variable: %w\", allowHclDuplicatesEnvVar, err)\n\t\t}\n\t\tif !allowHclDuplicates {\n\t\t\treturn nil, false, err\n\t\t}\n\n\t\t// if allowed by the environment variable, parse again without failing on duplicate attributes\n\t\tduplicate = true\n\t\tres, 
err = hclParser.ParseDontErrorOnDuplicateKeys([]byte(input))\n\t}\n\treturn res, duplicate, err\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/help.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n)\n\n// Help wraps HelpWithContext using context.Background.\nfunc (c *Client) Help(path string) (*Help, error) {\n\treturn c.HelpWithContext(context.Background(), path)\n}\n\n// HelpWithContext reads the help information for the given path.\nfunc (c *Client) HelpWithContext(ctx context.Context, path string) (*Help, error) {\n\tctx, cancelFunc := c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.NewRequest(http.MethodGet, fmt.Sprintf(\"/v1/%s\", path))\n\tr.Params.Add(\"help\", \"1\")\n\n\tresp, err := c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result Help\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\ntype Help struct {\n\tHelp    string                 `json:\"help\"`\n\tSeeAlso []string               `json:\"see_also\"`\n\tOpenAPI map[string]interface{} `json:\"openapi\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/kv.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport \"errors\"\n\n// ErrSecretNotFound is returned by KVv1 and KVv2 wrappers to indicate that the\n// secret is missing at the given location.\nvar ErrSecretNotFound = errors.New(\"secret not found\")\n\n// A KVSecret is a key-value secret returned by Vault's KV secrets engine,\n// and is the most basic type of secret stored in Vault.\n//\n// Data contains the key-value pairs of the secret itself,\n// while Metadata contains a subset of metadata describing\n// this particular version of the secret.\n// The Metadata field for a KV v1 secret will always be nil, as\n// metadata is only supported starting in KV v2.\n//\n// The Raw field can be inspected for information about the lease,\n// and passed to a LifetimeWatcher object for periodic renewal.\ntype KVSecret struct {\n\tData            map[string]interface{}\n\tVersionMetadata *KVVersionMetadata\n\tCustomMetadata  map[string]interface{}\n\tRaw             *Secret\n}\n\n// KVv1 is used to return a client for reads and writes against\n// a KV v1 secrets engine in Vault.\n//\n// The mount path is the location where the target KV secrets engine resides\n// in Vault.\n//\n// While v1 is not necessarily deprecated, Vault development servers tend to\n// use v2 as the version of the KV secrets engine, as this is what's mounted\n// by default when a server is started in -dev mode. 
See the KVv2 struct.\n//\n// Learn more about the KV secrets engine here:\n// https://developer.hashicorp.com/vault/docs/secrets/kv\nfunc (c *Client) KVv1(mountPath string) *KVv1 {\n\treturn &KVv1{c: c, mountPath: mountPath}\n}\n\n// KVv2 is used to return a client for reads and writes against\n// a KV v2 secrets engine in Vault.\n//\n// The mount path is the location where the target KV secrets engine resides\n// in Vault.\n//\n// Vault development servers tend to have \"secret\" as the mount path,\n// as these are the default settings when a server is started in -dev mode.\n//\n// Learn more about the KV secrets engine here:\n// https://developer.hashicorp.com/vault/docs/secrets/kv\nfunc (c *Client) KVv2(mountPath string) *KVv2 {\n\treturn &KVv2{c: c, mountPath: mountPath}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/kv_v1.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"fmt\"\n)\n\ntype KVv1 struct {\n\tc         *Client\n\tmountPath string\n}\n\n// Get returns a secret from the KV v1 secrets engine.\nfunc (kv *KVv1) Get(ctx context.Context, secretPath string) (*KVSecret, error) {\n\tpathToRead := fmt.Sprintf(\"%s/%s\", kv.mountPath, secretPath)\n\n\tsecret, err := kv.c.Logical().ReadWithContext(ctx, pathToRead)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error encountered while reading secret at %s: %w\", pathToRead, err)\n\t}\n\tif secret == nil {\n\t\treturn nil, fmt.Errorf(\"%w: at %s\", ErrSecretNotFound, pathToRead)\n\t}\n\n\treturn &KVSecret{\n\t\tData:            secret.Data,\n\t\tVersionMetadata: nil,\n\t\tRaw:             secret,\n\t}, nil\n}\n\n// Put inserts a key-value secret (e.g. {\"password\": \"Hashi123\"}) into the\n// KV v1 secrets engine.\n//\n// If the secret already exists, it will be overwritten.\nfunc (kv *KVv1) Put(ctx context.Context, secretPath string, data map[string]interface{}) error {\n\tpathToWriteTo := fmt.Sprintf(\"%s/%s\", kv.mountPath, secretPath)\n\n\t_, err := kv.c.Logical().WriteWithContext(ctx, pathToWriteTo, data)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error writing secret to %s: %w\", pathToWriteTo, err)\n\t}\n\n\treturn nil\n}\n\n// Delete deletes a secret from the KV v1 secrets engine.\nfunc (kv *KVv1) Delete(ctx context.Context, secretPath string) error {\n\tpathToDelete := fmt.Sprintf(\"%s/%s\", kv.mountPath, secretPath)\n\n\t_, err := kv.c.Logical().DeleteWithContext(ctx, pathToDelete)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error deleting secret at %s: %w\", pathToDelete, err)\n\t}\n\n\treturn nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/kv_v2.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"sort\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\ntype KVv2 struct {\n\tc         *Client\n\tmountPath string\n}\n\n// KVMetadata is the full metadata for a given KV v2 secret.\ntype KVMetadata struct {\n\tCASRequired        bool                   `mapstructure:\"cas_required\"`\n\tCreatedTime        time.Time              `mapstructure:\"created_time\"`\n\tCurrentVersion     int                    `mapstructure:\"current_version\"`\n\tCustomMetadata     map[string]interface{} `mapstructure:\"custom_metadata\"`\n\tDeleteVersionAfter time.Duration          `mapstructure:\"delete_version_after\"`\n\tMaxVersions        int                    `mapstructure:\"max_versions\"`\n\tOldestVersion      int                    `mapstructure:\"oldest_version\"`\n\tUpdatedTime        time.Time              `mapstructure:\"updated_time\"`\n\t// Keys are stringified ints, e.g. \"3\". To get a sorted slice of version metadata, use GetVersionsAsList.\n\tVersions map[string]KVVersionMetadata `mapstructure:\"versions\"`\n\tRaw      *Secret\n}\n\n// KVMetadataPutInput is the subset of metadata that can be replaced for a\n// KV v2 secret using the PutMetadata method.\n//\n// All fields should be explicitly provided, as any fields left unset in the\n// struct will be reset to their zero value.\ntype KVMetadataPutInput struct {\n\tCASRequired        bool\n\tCustomMetadata     map[string]interface{}\n\tDeleteVersionAfter time.Duration\n\tMaxVersions        int\n}\n\n// KVMetadataPatchInput is the subset of metadata that can be manually modified for\n// a KV v2 secret using the PatchMetadata method.\n//\n// The struct's fields are all pointers. A pointer to a field's zero\n// value (e.g. 
false for *bool) implies that field should be reset to its\n// zero value after update, whereas a field left as a nil pointer\n// (e.g. nil for *bool) implies the field should remain unchanged.\n//\n// Since maps are already pointers, use an empty map to remove all\n// custom metadata.\ntype KVMetadataPatchInput struct {\n\tCASRequired        *bool\n\tCustomMetadata     map[string]interface{}\n\tDeleteVersionAfter *time.Duration\n\tMaxVersions        *int\n}\n\n// KVVersionMetadata is a subset of metadata for a given version of a KV v2 secret.\ntype KVVersionMetadata struct {\n\tVersion      int       `mapstructure:\"version\"`\n\tCreatedTime  time.Time `mapstructure:\"created_time\"`\n\tDeletionTime time.Time `mapstructure:\"deletion_time\"`\n\tDestroyed    bool      `mapstructure:\"destroyed\"`\n}\n\n// Currently supported options: WithOption, WithCheckAndSet, WithMethod\ntype KVOption func() (key string, value interface{})\n\nconst (\n\tKVOptionCheckAndSet    = \"cas\"\n\tKVOptionMethod         = \"method\"\n\tKVMergeMethodPatch     = \"patch\"\n\tKVMergeMethodReadWrite = \"rw\"\n)\n\n// WithOption can optionally be passed to provide generic options for a\n// KV request. Valid keys and values depend on the type of request.\nfunc WithOption(key string, value interface{}) KVOption {\n\treturn func() (string, interface{}) {\n\t\treturn key, value\n\t}\n}\n\n// WithCheckAndSet can optionally be passed to perform a check-and-set\n// operation on a KV request. If not set, the write will be allowed.\n// If cas is set to 0, a write will only be allowed if the key doesn't exist.\n// If set to non-zero, the write will only be allowed if the key’s current\n// version matches the version specified in the cas parameter.\nfunc WithCheckAndSet(cas int) KVOption {\n\treturn WithOption(KVOptionCheckAndSet, cas)\n}\n\n// WithMergeMethod can optionally be passed to dictate which type of\n// patch to perform in a Patch request. 
If set to \"patch\", then an HTTP PATCH\n// request will be issued. If set to \"rw\", then a read will be performed,\n// then a local update, followed by a remote update. Defaults to \"patch\".\nfunc WithMergeMethod(method string) KVOption {\n\treturn WithOption(KVOptionMethod, method)\n}\n\n// Get returns the latest version of a secret from the KV v2 secrets engine.\n//\n// If the latest version has been deleted, an error will not be thrown, but\n// the Data field on the returned secret will be nil, and the Metadata field\n// will contain the deletion time.\nfunc (kv *KVv2) Get(ctx context.Context, secretPath string) (*KVSecret, error) {\n\tpathToRead := fmt.Sprintf(\"%s/data/%s\", kv.mountPath, secretPath)\n\n\tsecret, err := kv.c.Logical().ReadWithContext(ctx, pathToRead)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error encountered while reading secret at %s: %w\", pathToRead, err)\n\t}\n\tif secret == nil {\n\t\treturn nil, fmt.Errorf(\"%w: at %s\", ErrSecretNotFound, pathToRead)\n\t}\n\n\tkvSecret, err := extractDataAndVersionMetadata(secret)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error parsing secret at %s: %w\", pathToRead, err)\n\t}\n\n\tkvSecret.CustomMetadata = extractCustomMetadata(secret)\n\n\treturn kvSecret, nil\n}\n\n// GetVersion returns the data and metadata for a specific version of the\n// given secret.\n//\n// If that version has been deleted, the Data field on the\n// returned secret will be nil, and the Metadata field will contain the deletion time.\n//\n// GetVersionsAsList can provide a list of available versions sorted by\n// version number, while the response from GetMetadata contains them as a map.\nfunc (kv *KVv2) GetVersion(ctx context.Context, secretPath string, version int) (*KVSecret, error) {\n\tpathToRead := fmt.Sprintf(\"%s/data/%s\", kv.mountPath, secretPath)\n\n\tqueryParams := map[string][]string{\"version\": {strconv.Itoa(version)}}\n\tsecret, err := kv.c.Logical().ReadWithDataWithContext(ctx, pathToRead, 
queryParams)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil {\n\t\treturn nil, fmt.Errorf(\"%w: for version %d at %s\", ErrSecretNotFound, version, pathToRead)\n\t}\n\n\tkvSecret, err := extractDataAndVersionMetadata(secret)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error parsing secret at %s: %w\", pathToRead, err)\n\t}\n\n\tkvSecret.CustomMetadata = extractCustomMetadata(secret)\n\n\treturn kvSecret, nil\n}\n\n// GetVersionsAsList returns a subset of the metadata for each version of the secret, sorted by version number.\nfunc (kv *KVv2) GetVersionsAsList(ctx context.Context, secretPath string) ([]KVVersionMetadata, error) {\n\tpathToRead := fmt.Sprintf(\"%s/metadata/%s\", kv.mountPath, secretPath)\n\n\tsecret, err := kv.c.Logical().ReadWithContext(ctx, pathToRead)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, fmt.Errorf(\"%w: no metadata at %s\", ErrSecretNotFound, pathToRead)\n\t}\n\n\tmd, err := extractFullMetadata(secret)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to extract metadata from secret to determine versions: %w\", err)\n\t}\n\n\tversionsList := make([]KVVersionMetadata, 0, len(md.Versions))\n\tfor _, versionMetadata := range md.Versions {\n\t\tversionsList = append(versionsList, versionMetadata)\n\t}\n\n\tsort.Slice(versionsList, func(i, j int) bool { return versionsList[i].Version < versionsList[j].Version })\n\treturn versionsList, nil\n}\n\n// GetMetadata returns the full metadata for a given secret, including a map of\n// its existing versions and their respective creation/deletion times, etc.\nfunc (kv *KVv2) GetMetadata(ctx context.Context, secretPath string) (*KVMetadata, error) {\n\tpathToRead := fmt.Sprintf(\"%s/metadata/%s\", kv.mountPath, secretPath)\n\n\tsecret, err := kv.c.Logical().ReadWithContext(ctx, pathToRead)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, fmt.Errorf(\"%w: no 
metadata at %s\", ErrSecretNotFound, pathToRead)\n\t}\n\n\tmd, err := extractFullMetadata(secret)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to extract metadata from secret: %w\", err)\n\t}\n\n\treturn md, nil\n}\n\n// Put inserts a key-value secret (e.g. {\"password\": \"Hashi123\"})\n// into the KV v2 secrets engine.\n//\n// If the secret already exists, a new version will be created\n// and the previous version can be accessed with the GetVersion method.\n// GetMetadata can provide a list of available versions.\nfunc (kv *KVv2) Put(ctx context.Context, secretPath string, data map[string]interface{}, opts ...KVOption) (*KVSecret, error) {\n\tpathToWriteTo := fmt.Sprintf(\"%s/data/%s\", kv.mountPath, secretPath)\n\n\twrappedData := map[string]interface{}{\n\t\t\"data\": data,\n\t}\n\n\t// Add options such as check-and-set, etc.\n\t// We leave this as an optional arg so that most users\n\t// can just pass plain key-value secret data without\n\t// having to remember to put the extra layer \"data\" in there.\n\toptions := make(map[string]interface{})\n\tfor _, opt := range opts {\n\t\tk, v := opt()\n\t\toptions[k] = v\n\t}\n\tif len(opts) > 0 {\n\t\twrappedData[\"options\"] = options\n\t}\n\n\tsecret, err := kv.c.Logical().WriteWithContext(ctx, pathToWriteTo, wrappedData)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error writing secret to %s: %w\", pathToWriteTo, err)\n\t}\n\tif secret == nil {\n\t\treturn nil, fmt.Errorf(\"%w: after writing to %s\", ErrSecretNotFound, pathToWriteTo)\n\t}\n\n\tmetadata, err := extractVersionMetadata(secret)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"secret was written successfully, but unable to view version metadata from response: %w\", err)\n\t}\n\n\tkvSecret := &KVSecret{\n\t\tData:            nil, // secret.Data in this case is the metadata\n\t\tVersionMetadata: metadata,\n\t\tRaw:             secret,\n\t}\n\n\tkvSecret.CustomMetadata = extractCustomMetadata(secret)\n\n\treturn kvSecret, nil\n}\n\n// 
PutMetadata can be used to fully replace a subset of metadata fields for a\n// given KV v2 secret. All fields will replace the corresponding values on the Vault server.\n// Any fields left as nil will reset the field on the Vault server back to its zero value.\n//\n// To only partially replace the values of these metadata fields, use PatchMetadata.\n//\n// This method can also be used to create a new secret with just metadata and no secret data yet.\nfunc (kv *KVv2) PutMetadata(ctx context.Context, secretPath string, metadata KVMetadataPutInput) error {\n\tpathToWriteTo := fmt.Sprintf(\"%s/metadata/%s\", kv.mountPath, secretPath)\n\n\tconst (\n\t\tcasRequiredKey        = \"cas_required\"\n\t\tdeleteVersionAfterKey = \"delete_version_after\"\n\t\tmaxVersionsKey        = \"max_versions\"\n\t\tcustomMetadataKey     = \"custom_metadata\"\n\t)\n\n\t// convert values to a map we can pass to Logical\n\tmetadataMap := make(map[string]interface{})\n\tmetadataMap[maxVersionsKey] = metadata.MaxVersions\n\tmetadataMap[deleteVersionAfterKey] = metadata.DeleteVersionAfter.String()\n\tmetadataMap[casRequiredKey] = metadata.CASRequired\n\tmetadataMap[customMetadataKey] = metadata.CustomMetadata\n\n\t_, err := kv.c.Logical().WriteWithContext(ctx, pathToWriteTo, metadataMap)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error writing secret metadata to %s: %w\", pathToWriteTo, err)\n\t}\n\n\treturn nil\n}\n\n// Patch additively updates the most recent version of a key-value secret,\n// differentiating it from Put which will fully overwrite the previous data.\n// Only the key-value pairs that are new or changing need to be provided.\n//\n// The WithMethod KVOption function can optionally be passed to dictate which\n// kind of patch to perform, as older Vault server versions (pre-1.9.0) may\n// only be able to use the old \"rw\" (read-then-write) style of partial update,\n// whereas newer Vault servers can use the default value of \"patch\" if the\n// client token's policy has the 
\"patch\" capability.\nfunc (kv *KVv2) Patch(ctx context.Context, secretPath string, newData map[string]interface{}, opts ...KVOption) (*KVSecret, error) {\n\t// determine patch method\n\tvar patchMethod string\n\tvar ok bool\n\tfor _, opt := range opts {\n\t\tk, v := opt()\n\t\tif k == \"method\" {\n\t\t\tpatchMethod, ok = v.(string)\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"unsupported type provided for option value; value for patch method should be string \\\"rw\\\" or \\\"patch\\\"\")\n\t\t\t}\n\t\t}\n\t}\n\n\t// Determine which kind of patch to use,\n\t// the newer HTTP Patch style or the older read-then-write style\n\tvar kvs *KVSecret\n\tvar err error\n\tswitch patchMethod {\n\tcase \"rw\":\n\t\tkvs, err = readThenWrite(ctx, kv.c, kv.mountPath, secretPath, newData)\n\tcase \"patch\":\n\t\tkvs, err = mergePatch(ctx, kv.c, kv.mountPath, secretPath, newData, opts...)\n\tcase \"\":\n\t\tkvs, err = mergePatch(ctx, kv.c, kv.mountPath, secretPath, newData, opts...)\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unsupported patch method provided; value for patch method should be string \\\"rw\\\" or \\\"patch\\\"\")\n\t}\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to perform patch: %w\", err)\n\t}\n\tif kvs == nil {\n\t\treturn nil, fmt.Errorf(\"no secret was written to %s\", secretPath)\n\t}\n\n\treturn kvs, nil\n}\n\n// PatchMetadata can be used to replace just a subset of a secret's\n// metadata fields at a time, as opposed to PutMetadata which is used to\n// completely replace all fields on the previous metadata.\nfunc (kv *KVv2) PatchMetadata(ctx context.Context, secretPath string, metadata KVMetadataPatchInput) error {\n\tpathToWriteTo := fmt.Sprintf(\"%s/metadata/%s\", kv.mountPath, secretPath)\n\n\tmd, err := toMetadataMap(metadata)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to create map for JSON merge patch request: %w\", err)\n\t}\n\n\t_, err = kv.c.Logical().JSONMergePatch(ctx, pathToWriteTo, md)\n\tif err != nil {\n\t\treturn 
fmt.Errorf(\"error patching metadata at %s: %w\", pathToWriteTo, err)\n\t}\n\n\treturn nil\n}\n\n// Delete deletes the most recent version of a secret from the KV v2\n// secrets engine. To delete an older version, use DeleteVersions.\nfunc (kv *KVv2) Delete(ctx context.Context, secretPath string) error {\n\tpathToDelete := fmt.Sprintf(\"%s/data/%s\", kv.mountPath, secretPath)\n\n\t_, err := kv.c.Logical().DeleteWithContext(ctx, pathToDelete)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error deleting secret at %s: %w\", pathToDelete, err)\n\t}\n\n\treturn nil\n}\n\n// DeleteVersions deletes the specified versions of a secret from the KV v2\n// secrets engine. To delete the latest version of a secret, just use Delete.\nfunc (kv *KVv2) DeleteVersions(ctx context.Context, secretPath string, versions []int) error {\n\t// verb and path are different when trying to delete past versions\n\tpathToDelete := fmt.Sprintf(\"%s/delete/%s\", kv.mountPath, secretPath)\n\n\tif len(versions) == 0 {\n\t\treturn nil\n\t}\n\n\tvar versionsToDelete []string\n\tfor _, version := range versions {\n\t\tversionsToDelete = append(versionsToDelete, strconv.Itoa(version))\n\t}\n\tversionsMap := map[string]interface{}{\n\t\t\"versions\": versionsToDelete,\n\t}\n\t_, err := kv.c.Logical().WriteWithContext(ctx, pathToDelete, versionsMap)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error deleting secret at %s: %w\", pathToDelete, err)\n\t}\n\n\treturn nil\n}\n\n// DeleteMetadata deletes all versions and metadata of the secret at the\n// given path.\nfunc (kv *KVv2) DeleteMetadata(ctx context.Context, secretPath string) error {\n\tpathToDelete := fmt.Sprintf(\"%s/metadata/%s\", kv.mountPath, secretPath)\n\n\t_, err := kv.c.Logical().DeleteWithContext(ctx, pathToDelete)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error deleting secret metadata at %s: %w\", pathToDelete, err)\n\t}\n\n\treturn nil\n}\n\n// Undelete undeletes the given versions of a secret, restoring the data\n// so that it can be 
fetched again with Get requests.\n//\n// A list of existing versions can be retrieved using the GetVersionsAsList method.\nfunc (kv *KVv2) Undelete(ctx context.Context, secretPath string, versions []int) error {\n\tpathToUndelete := fmt.Sprintf(\"%s/undelete/%s\", kv.mountPath, secretPath)\n\n\tdata := map[string]interface{}{\n\t\t\"versions\": versions,\n\t}\n\n\t_, err := kv.c.Logical().WriteWithContext(ctx, pathToUndelete, data)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error undeleting secret metadata at %s: %w\", pathToUndelete, err)\n\t}\n\n\treturn nil\n}\n\n// Destroy permanently removes the specified secret versions' data\n// from the Vault server. If no secret exists at the given path, no\n// action will be taken.\n//\n// A list of existing versions can be retrieved using the GetVersionsAsList method.\nfunc (kv *KVv2) Destroy(ctx context.Context, secretPath string, versions []int) error {\n\tpathToDestroy := fmt.Sprintf(\"%s/destroy/%s\", kv.mountPath, secretPath)\n\n\tdata := map[string]interface{}{\n\t\t\"versions\": versions,\n\t}\n\n\t_, err := kv.c.Logical().WriteWithContext(ctx, pathToDestroy, data)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error destroying secret metadata at %s: %w\", pathToDestroy, err)\n\t}\n\n\treturn nil\n}\n\n// Rollback can be used to roll a secret back to a previous\n// non-deleted/non-destroyed version. 
That previous version becomes the\n// next/newest version for the path.\nfunc (kv *KVv2) Rollback(ctx context.Context, secretPath string, toVersion int) (*KVSecret, error) {\n\t// First, do a read to get the current version for check-and-set\n\tlatest, err := kv.Get(ctx, secretPath)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to get latest version of secret: %w\", err)\n\t}\n\n\t// Make sure a value already exists\n\tif latest == nil {\n\t\treturn nil, fmt.Errorf(\"no secret was found: %w\", err)\n\t}\n\n\t// Verify metadata found\n\tif latest.VersionMetadata == nil {\n\t\treturn nil, fmt.Errorf(\"no metadata found; rollback can only be used on existing data\")\n\t}\n\n\t// Now run it again and read the version we want to roll back to\n\trollbackVersion, err := kv.GetVersion(ctx, secretPath, toVersion)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to get previous version %d of secret: %w\", toVersion, err)\n\t}\n\n\terr = validateRollbackVersion(rollbackVersion)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid rollback version %d: %w\", toVersion, err)\n\t}\n\n\tcasVersion := latest.VersionMetadata.Version\n\tkvs, err := kv.Put(ctx, secretPath, rollbackVersion.Data, WithCheckAndSet(casVersion))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to roll back to previous secret version: %w\", err)\n\t}\n\n\treturn kvs, nil\n}\n\nfunc extractCustomMetadata(secret *Secret) map[string]interface{} {\n\t// Logical Writes return the metadata directly, Reads return it nested inside the \"metadata\" key\n\tcustomMetadataInterface, ok := secret.Data[\"custom_metadata\"]\n\tif !ok {\n\t\tmetadataInterface := secret.Data[\"metadata\"]\n\t\tmetadataMap, ok := metadataInterface.(map[string]interface{})\n\t\tif !ok {\n\t\t\treturn nil\n\t\t}\n\t\tcustomMetadataInterface = metadataMap[\"custom_metadata\"]\n\t}\n\n\tcm, ok := customMetadataInterface.(map[string]interface{})\n\tif !ok {\n\t\treturn nil\n\t}\n\n\treturn cm\n}\n\nfunc 
extractDataAndVersionMetadata(secret *Secret) (*KVSecret, error) {\n\t// A nil map is a valid value for data: secret.Data will be nil when this\n\t// version of the secret has been deleted, but the metadata is still\n\t// available.\n\tvar data map[string]interface{}\n\tif secret.Data != nil {\n\t\tdataInterface, ok := secret.Data[\"data\"]\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"missing expected 'data' element\")\n\t\t}\n\n\t\tif dataInterface != nil {\n\t\t\tdata, ok = dataInterface.(map[string]interface{})\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"unexpected type for 'data' element: %T (%#v)\", data, data)\n\t\t\t}\n\t\t}\n\t}\n\n\tmetadata, err := extractVersionMetadata(secret)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to get version metadata: %w\", err)\n\t}\n\n\treturn &KVSecret{\n\t\tData:            data,\n\t\tVersionMetadata: metadata,\n\t\tRaw:             secret,\n\t}, nil\n}\n\nfunc extractVersionMetadata(secret *Secret) (*KVVersionMetadata, error) {\n\tvar metadata *KVVersionMetadata\n\n\tif secret.Data == nil {\n\t\treturn nil, nil\n\t}\n\n\t// Logical Writes return the metadata directly, Reads return it nested inside the \"metadata\" key\n\tvar metadataMap map[string]interface{}\n\tmetadataInterface, ok := secret.Data[\"metadata\"]\n\tif ok {\n\t\tmetadataMap, ok = metadataInterface.(map[string]interface{})\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"unexpected type for 'metadata' element: %T (%#v)\", metadataInterface, metadataInterface)\n\t\t}\n\t} else {\n\t\tmetadataMap = secret.Data\n\t}\n\n\t// deletion_time usually comes in as an empty string which can't be\n\t// processed as time.RFC3339, so we reset it to a convertible value\n\tif metadataMap[\"deletion_time\"] == \"\" {\n\t\tmetadataMap[\"deletion_time\"] = time.Time{}\n\t}\n\n\td, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{\n\t\tDecodeHook: mapstructure.StringToTimeHookFunc(time.RFC3339),\n\t\tResult:     &metadata,\n\t})\n\tif err != nil 
{\n\t\treturn nil, fmt.Errorf(\"error setting up decoder for API response: %w\", err)\n\t}\n\n\terr = d.Decode(metadataMap)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error decoding metadata from API response into VersionMetadata: %w\", err)\n\t}\n\n\treturn metadata, nil\n}\n\nfunc extractFullMetadata(secret *Secret) (*KVMetadata, error) {\n\tvar metadata *KVMetadata\n\n\tif secret.Data == nil {\n\t\treturn nil, nil\n\t}\n\n\tif versions, ok := secret.Data[\"versions\"]; ok {\n\t\tversionsMap := versions.(map[string]interface{})\n\t\tif len(versionsMap) > 0 {\n\t\t\tfor version, metadata := range versionsMap {\n\t\t\t\tmetadataMap := metadata.(map[string]interface{})\n\t\t\t\t// deletion_time usually comes in as an empty string which can't be\n\t\t\t\t// processed as time.RFC3339, so we reset it to a convertible value\n\t\t\t\tif metadataMap[\"deletion_time\"] == \"\" {\n\t\t\t\t\tmetadataMap[\"deletion_time\"] = time.Time{}\n\t\t\t\t}\n\t\t\t\tversionInt, err := strconv.Atoi(version)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn nil, fmt.Errorf(\"error converting version %s to integer: %w\", version, err)\n\t\t\t\t}\n\t\t\t\tmetadataMap[\"version\"] = versionInt\n\t\t\t\tversionsMap[version] = metadataMap // save the updated copy of the metadata map\n\t\t\t}\n\t\t}\n\t\tsecret.Data[\"versions\"] = versionsMap // save the updated copy of the versions map\n\t}\n\n\td, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{\n\t\tDecodeHook: mapstructure.ComposeDecodeHookFunc(\n\t\t\tmapstructure.StringToTimeHookFunc(time.RFC3339),\n\t\t\tmapstructure.StringToTimeDurationHookFunc(),\n\t\t),\n\t\tResult: &metadata,\n\t})\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error setting up decoder for API response: %w\", err)\n\t}\n\n\terr = d.Decode(secret.Data)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error decoding metadata from API response into KVMetadata: %w\", err)\n\t}\n\n\treturn metadata, nil\n}\n\nfunc validateRollbackVersion(rollbackVersion 
*KVSecret) error {\n\t// Make sure a value already exists\n\tif rollbackVersion == nil || rollbackVersion.Data == nil {\n\t\treturn fmt.Errorf(\"no secret found\")\n\t}\n\n\t// Verify metadata found\n\tif rollbackVersion.VersionMetadata == nil {\n\t\treturn fmt.Errorf(\"no version metadata found; rollback only works on existing data\")\n\t}\n\n\t// Verify it hasn't been deleted\n\tif !rollbackVersion.VersionMetadata.DeletionTime.IsZero() {\n\t\treturn fmt.Errorf(\"cannot roll back to a version that has been deleted\")\n\t}\n\n\tif rollbackVersion.VersionMetadata.Destroyed {\n\t\treturn fmt.Errorf(\"cannot roll back to a version that has been destroyed\")\n\t}\n\n\t// Verify old data found\n\tif rollbackVersion.Data == nil {\n\t\treturn fmt.Errorf(\"no data found; rollback only works on existing data\")\n\t}\n\n\treturn nil\n}\n\nfunc mergePatch(ctx context.Context, client *Client, mountPath string, secretPath string, newData map[string]interface{}, opts ...KVOption) (*KVSecret, error) {\n\tpathToMergePatch := fmt.Sprintf(\"%s/data/%s\", mountPath, secretPath)\n\n\t// take any other additional options provided\n\t// and pass them along to the patch request\n\twrappedData := map[string]interface{}{\n\t\t\"data\": newData,\n\t}\n\toptions := make(map[string]interface{})\n\tfor _, opt := range opts {\n\t\tk, v := opt()\n\t\toptions[k] = v\n\t}\n\tif len(opts) > 0 {\n\t\twrappedData[\"options\"] = options\n\t}\n\n\tsecret, err := client.Logical().JSONMergePatch(ctx, pathToMergePatch, wrappedData)\n\tif err != nil {\n\t\tvar re *ResponseError\n\n\t\tif errors.As(err, &re) {\n\t\t\tswitch re.StatusCode {\n\t\t\t// 403\n\t\t\tcase http.StatusForbidden:\n\t\t\t\treturn nil, fmt.Errorf(\"received 403 from Vault server; please ensure that token's policy has \\\"patch\\\" capability: %w\", err)\n\n\t\t\t// 404\n\t\t\tcase http.StatusNotFound:\n\t\t\t\treturn nil, fmt.Errorf(\"%w: performing merge patch to %s\", ErrSecretNotFound, pathToMergePatch)\n\n\t\t\t// 405\n\t\t\tcase 
http.StatusMethodNotAllowed:\n\t\t\t\t// If it's a 405, that probably means the server is running a pre-1.9\n\t\t\t\t// Vault version that doesn't support the HTTP PATCH method.\n\t\t\t\t// Fall back to the old way of doing it.\n\t\t\t\treturn readThenWrite(ctx, client, mountPath, secretPath, newData)\n\t\t\t}\n\t\t}\n\n\t\treturn nil, fmt.Errorf(\"error performing merge patch to %s: %w\", pathToMergePatch, err)\n\t}\n\n\tmetadata, err := extractVersionMetadata(secret)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"secret was written successfully, but unable to view version metadata from response: %w\", err)\n\t}\n\n\tkvSecret := &KVSecret{\n\t\tData:            nil, // secret.Data in this case is the metadata\n\t\tVersionMetadata: metadata,\n\t\tRaw:             secret,\n\t}\n\n\tkvSecret.CustomMetadata = extractCustomMetadata(secret)\n\n\treturn kvSecret, nil\n}\n\nfunc readThenWrite(ctx context.Context, client *Client, mountPath string, secretPath string, newData map[string]interface{}) (*KVSecret, error) {\n\t// First, read the secret.\n\texistingVersion, err := client.KVv2(mountPath).Get(ctx, secretPath)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error reading secret as part of read-then-write patch operation: %w\", err)\n\t}\n\n\t// Make sure the secret already exists\n\tif existingVersion == nil || existingVersion.Data == nil {\n\t\treturn nil, fmt.Errorf(\"%w: at %s as part of read-then-write patch operation\", ErrSecretNotFound, secretPath)\n\t}\n\n\t// Verify existing secret has metadata\n\tif existingVersion.VersionMetadata == nil {\n\t\treturn nil, fmt.Errorf(\"no metadata found at %s; patch can only be used on existing data\", secretPath)\n\t}\n\n\t// Copy new data over with existing data\n\tcombinedData := existingVersion.Data\n\tfor k, v := range newData {\n\t\tcombinedData[k] = v\n\t}\n\n\tupdatedSecret, err := client.KVv2(mountPath).Put(ctx, secretPath, combinedData, WithCheckAndSet(existingVersion.VersionMetadata.Version))\n\tif err != nil 
{\n\t\treturn nil, fmt.Errorf(\"error writing secret to %s: %w\", secretPath, err)\n\t}\n\n\treturn updatedSecret, nil\n}\n\nfunc toMetadataMap(patchInput KVMetadataPatchInput) (map[string]interface{}, error) {\n\tmetadataMap := make(map[string]interface{})\n\n\tconst (\n\t\tcasRequiredKey        = \"cas_required\"\n\t\tdeleteVersionAfterKey = \"delete_version_after\"\n\t\tmaxVersionsKey        = \"max_versions\"\n\t\tcustomMetadataKey     = \"custom_metadata\"\n\t)\n\n\t// The KVMetadataPatchInput struct is designed to have pointer fields so that\n\t// the user can easily express the difference between explicitly setting a\n\t// field back to its zero value (e.g. false), as opposed to just having\n\t// the field remain unchanged (e.g. nil). This way, they only need to pass\n\t// the fields they want to change.\n\tif patchInput.MaxVersions != nil {\n\t\tmetadataMap[maxVersionsKey] = *(patchInput.MaxVersions)\n\t}\n\tif patchInput.CASRequired != nil {\n\t\tmetadataMap[casRequiredKey] = *(patchInput.CASRequired)\n\t}\n\tif patchInput.CustomMetadata != nil {\n\t\tif len(patchInput.CustomMetadata) == 0 { // empty non-nil map means delete all the keys\n\t\t\tmetadataMap[customMetadataKey] = nil\n\t\t} else {\n\t\t\tmetadataMap[customMetadataKey] = patchInput.CustomMetadata\n\t\t}\n\t}\n\tif patchInput.DeleteVersionAfter != nil {\n\t\tmetadataMap[deleteVersionAfterKey] = patchInput.DeleteVersionAfter.String()\n\t}\n\n\treturn metadataMap, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"errors\"\n\t\"math/rand\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/cenkalti/backoff/v4\"\n)\n\nvar (\n\tErrLifetimeWatcherMissingInput  = errors.New(\"missing input\")\n\tErrLifetimeWatcherMissingSecret = errors.New(\"missing secret\")\n\tErrLifetimeWatcherNotRenewable  = errors.New(\"secret is not renewable\")\n\tErrLifetimeWatcherNoSecretData  = errors.New(\"returned empty secret data\")\n\n\t// Deprecated; kept for compatibility\n\tErrRenewerMissingInput  = errors.New(\"missing input to renewer\")\n\tErrRenewerMissingSecret = errors.New(\"missing secret to renew\")\n\tErrRenewerNotRenewable  = errors.New(\"secret is not renewable\")\n\tErrRenewerNoSecretData  = errors.New(\"returned empty secret data\")\n\n\t// DefaultLifetimeWatcherRenewBuffer is the default size of the buffer for renew\n\t// messages on the channel.\n\tDefaultLifetimeWatcherRenewBuffer = 5\n\t// Deprecated: kept for backwards compatibility\n\tDefaultRenewerRenewBuffer = 5\n)\n\n//go:generate enumer -type=RenewBehavior -trimprefix=RenewBehavior\ntype RenewBehavior uint\n\nconst (\n\t// RenewBehaviorIgnoreErrors means we will attempt to keep renewing until\n\t// we hit the lifetime threshold. It also ignores errors stemming from\n\t// passing a non-renewable lease in. In practice, this means you simply\n\t// reauthenticate/refetch credentials when the watcher exits. This is the\n\t// default.\n\tRenewBehaviorIgnoreErrors RenewBehavior = iota\n\n\t// RenewBehaviorRenewDisabled turns off renewal attempts entirely. 
This\n\t// allows you to simply watch lifetime and have the watcher return at a\n\t// reasonable threshold without actually making Vault calls.\n\tRenewBehaviorRenewDisabled\n\n\t// RenewBehaviorErrorOnErrors is the \"legacy\" behavior which always exits\n\t// on some kind of error\n\tRenewBehaviorErrorOnErrors\n)\n\n// LifetimeWatcher is a process for watching lifetime of a secret.\n//\n//\twatcher, err := client.NewLifetimeWatcher(&LifetimeWatcherInput{\n//\t\tSecret: mySecret,\n//\t})\n//\tgo watcher.Start()\n//\tdefer watcher.Stop()\n//\n//\tfor {\n//\t\tselect {\n//\t\tcase err := <-watcher.DoneCh():\n//\t\t\tif err != nil {\n//\t\t\t\tlog.Fatal(err)\n//\t\t\t}\n//\n//\t\t\t// Renewal is now over\n//\t\tcase renewal := <-watcher.RenewCh():\n//\t\t\tlog.Printf(\"Successfully renewed: %#v\", renewal)\n//\t\t}\n//\t}\n//\n// `DoneCh` will return if renewal fails, or if the remaining lease duration is\n// under a built-in threshold and either renewing is not extending it or\n// renewing is disabled.  In both cases, the caller should attempt a re-read of\n// the secret. Clients should check the return value of the channel to see if\n// renewal was successful.\ntype LifetimeWatcher struct {\n\tl sync.Mutex\n\n\tclient        *Client\n\tsecret        *Secret\n\tgrace         time.Duration\n\trandom        *rand.Rand\n\tincrement     int\n\tdoneCh        chan error\n\trenewCh       chan *RenewOutput\n\trenewBehavior RenewBehavior\n\n\tstopped bool\n\tstopCh  chan struct{}\n\n\terrLifetimeWatcherNotRenewable error\n\terrLifetimeWatcherNoSecretData error\n}\n\n// LifetimeWatcherInput is used as input to the renew function.\ntype LifetimeWatcherInput struct {\n\t// Secret is the secret to renew\n\tSecret *Secret\n\n\t// DEPRECATED: this does not do anything.\n\tGrace time.Duration\n\n\t// Rand is the randomizer to use for underlying randomization. If not\n\t// provided, one will be generated and seeded automatically. 
If provided, it\n\t// is assumed to have already been seeded.\n\tRand *rand.Rand\n\n\t// RenewBuffer is the size of the buffered channel where renew messages are\n\t// dispatched.\n\tRenewBuffer int\n\n\t// The new TTL, in seconds, that should be set on the lease. The TTL set\n\t// here may or may not be honored by the vault server, based on Vault\n\t// configuration or any associated max TTL values. If specified, the\n\t// minimum of this value and the remaining lease duration will be used\n\t// for grace period calculations.\n\tIncrement int\n\n\t// RenewBehavior controls what happens when a renewal errors or the\n\t// passed-in secret is not renewable.\n\tRenewBehavior RenewBehavior\n}\n\n// RenewOutput is the metadata returned to the client (if it's listening) to\n// renew messages.\ntype RenewOutput struct {\n\t// RenewedAt is the timestamp when the renewal took place (UTC).\n\tRenewedAt time.Time\n\n\t// Secret is the underlying renewal data. It's the same struct as all data\n\t// that is returned from Vault, but since this is renewal data, it will not\n\t// usually include the secret itself.\n\tSecret *Secret\n}\n\n// NewLifetimeWatcher creates a new renewer from the given input.\nfunc (c *Client) NewLifetimeWatcher(i *LifetimeWatcherInput) (*LifetimeWatcher, error) {\n\tif i == nil {\n\t\treturn nil, ErrLifetimeWatcherMissingInput\n\t}\n\n\tsecret := i.Secret\n\tif secret == nil {\n\t\treturn nil, ErrLifetimeWatcherMissingSecret\n\t}\n\n\trandom := i.Rand\n\tif random == nil {\n\t\t// NOTE:\n\t\t// Rather than a cryptographically secure random number generator (RNG),\n\t\t// the default behavior uses the math/rand package. The random number is\n\t\t// used to introduce a slight jitter when calculating the grace period\n\t\t// for a monitored secret. 
This is intended to stagger renewal\n\t\t// requests to the Vault server, but in a semi-predictable way, so there\n\t\t// is no need to use a cryptographically secure RNG.\n\t\trandom = rand.New(rand.NewSource(int64(time.Now().Nanosecond())))\n\t}\n\n\trenewBuffer := i.RenewBuffer\n\tif renewBuffer == 0 {\n\t\trenewBuffer = DefaultLifetimeWatcherRenewBuffer\n\t}\n\n\treturn &LifetimeWatcher{\n\t\tclient:        c,\n\t\tsecret:        secret,\n\t\tincrement:     i.Increment,\n\t\trandom:        random,\n\t\tdoneCh:        make(chan error, 1),\n\t\trenewCh:       make(chan *RenewOutput, renewBuffer),\n\t\trenewBehavior: i.RenewBehavior,\n\n\t\tstopped: false,\n\t\tstopCh:  make(chan struct{}),\n\n\t\terrLifetimeWatcherNotRenewable: ErrLifetimeWatcherNotRenewable,\n\t\terrLifetimeWatcherNoSecretData: ErrLifetimeWatcherNoSecretData,\n\t}, nil\n}\n\n// Deprecated: exists only for backwards compatibility. Calls\n// NewLifetimeWatcher, and sets compatibility flags.\nfunc (c *Client) NewRenewer(i *LifetimeWatcherInput) (*LifetimeWatcher, error) {\n\tif i == nil {\n\t\treturn nil, ErrRenewerMissingInput\n\t}\n\n\tsecret := i.Secret\n\tif secret == nil {\n\t\treturn nil, ErrRenewerMissingSecret\n\t}\n\n\trenewer, err := c.NewLifetimeWatcher(i)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\trenewer.renewBehavior = RenewBehaviorErrorOnErrors\n\trenewer.errLifetimeWatcherNotRenewable = ErrRenewerNotRenewable\n\trenewer.errLifetimeWatcherNoSecretData = ErrRenewerNoSecretData\n\treturn renewer, err\n}\n\n// DoneCh returns the channel where the renewer will publish when renewal stops.\n// If there is an error, this will be an error.\nfunc (r *LifetimeWatcher) DoneCh() <-chan error {\n\treturn r.doneCh\n}\n\n// RenewCh is a channel that receives a message when a successful renewal takes\n// place and includes metadata about the renewal.\nfunc (r *LifetimeWatcher) RenewCh() <-chan *RenewOutput {\n\treturn r.renewCh\n}\n\n// Stop stops the renewer.\nfunc (r *LifetimeWatcher) 
Stop() {\n\tr.l.Lock()\n\tdefer r.l.Unlock()\n\n\tif !r.stopped {\n\t\tclose(r.stopCh)\n\t\tr.stopped = true\n\t}\n}\n\n// Start starts a background process for watching the lifetime of this secret.\n// If renewal is enabled, when the secret has auth data, this attempts to renew\n// the auth (token); When the secret has a lease, this attempts to renew the\n// lease.\nfunc (r *LifetimeWatcher) Start() {\n\tr.doneCh <- r.doRenew()\n}\n\n// Renew is for compatibility with the legacy api.Renewer. Calling Renew\n// simply chains to Start.\nfunc (r *LifetimeWatcher) Renew() {\n\tr.Start()\n}\n\ntype renewFunc func(string, int) (*Secret, error)\n\n// doRenew is a helper for renewing authentication.\nfunc (r *LifetimeWatcher) doRenew() error {\n\tdefaultInitialRetryInterval := 10 * time.Second\n\tswitch {\n\tcase r.secret.Auth != nil:\n\t\treturn r.doRenewWithOptions(true, !r.secret.Auth.Renewable,\n\t\t\tr.secret.Auth.LeaseDuration, r.secret.Auth.ClientToken,\n\t\t\tr.client.Auth().Token().RenewTokenAsSelf, defaultInitialRetryInterval)\n\tdefault:\n\t\treturn r.doRenewWithOptions(false, !r.secret.Renewable,\n\t\t\tr.secret.LeaseDuration, r.secret.LeaseID,\n\t\t\tr.client.Sys().Renew, defaultInitialRetryInterval)\n\t}\n}\n\nfunc (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool, initLeaseDuration int, credString string,\n\trenew renewFunc, initialRetryInterval time.Duration,\n) error {\n\tif credString == \"\" ||\n\t\t(nonRenewable && r.renewBehavior == RenewBehaviorErrorOnErrors) {\n\t\treturn r.errLifetimeWatcherNotRenewable\n\t}\n\n\tinitialTime := time.Now()\n\tpriorDuration := time.Duration(initLeaseDuration) * time.Second\n\tr.calculateGrace(priorDuration, time.Duration(r.increment)*time.Second)\n\tvar errorBackoff backoff.BackOff\n\n\tfor {\n\t\t// Check if we are stopped.\n\t\tselect {\n\t\tcase <-r.stopCh:\n\t\t\treturn nil\n\t\tdefault:\n\t\t}\n\n\t\tvar remainingLeaseDuration time.Duration\n\t\tfallbackLeaseDuration := 
initialTime.Add(priorDuration).Sub(time.Now())\n\t\tvar renewal *Secret\n\t\tvar err error\n\n\t\tswitch {\n\t\tcase nonRenewable || r.renewBehavior == RenewBehaviorRenewDisabled:\n\t\t\t// Can't or won't renew, just keep the same expiration so we exit\n\t\t\t// when it's re-authentication time\n\t\t\tremainingLeaseDuration = fallbackLeaseDuration\n\n\t\tdefault:\n\t\t\t// Renew the token\n\t\t\trenewal, err = renew(credString, r.increment)\n\t\t\tif err != nil && strings.Contains(err.Error(), \"permission denied\") {\n\t\t\t\t// We can't renew since the token doesn't have permission to. Fall back\n\t\t\t\t// to the code path for non-renewable tokens.\n\t\t\t\tnonRenewable = true\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif err != nil || renewal == nil || (tokenMode && renewal.Auth == nil) {\n\t\t\t\tif r.renewBehavior == RenewBehaviorErrorOnErrors {\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\tif renewal == nil || (tokenMode && renewal.Auth == nil) {\n\t\t\t\t\t\treturn r.errLifetimeWatcherNoSecretData\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Calculate remaining duration until initial token lease expires\n\t\t\t\tremainingLeaseDuration = initialTime.Add(time.Duration(initLeaseDuration) * time.Second).Sub(time.Now())\n\t\t\t\tif errorBackoff == nil {\n\t\t\t\t\terrorBackoff = &backoff.ExponentialBackOff{\n\t\t\t\t\t\tMaxElapsedTime:      remainingLeaseDuration,\n\t\t\t\t\t\tRandomizationFactor: backoff.DefaultRandomizationFactor,\n\t\t\t\t\t\tInitialInterval:     initialRetryInterval,\n\t\t\t\t\t\tMaxInterval:         5 * time.Minute,\n\t\t\t\t\t\tMultiplier:          2,\n\t\t\t\t\t\tClock:               backoff.SystemClock,\n\t\t\t\t\t}\n\t\t\t\t\terrorBackoff.Reset()\n\t\t\t\t}\n\t\t\t\tbreak\n\t\t\t}\n\t\t\terrorBackoff = nil\n\n\t\t\t// Push a message that a renewal took place.\n\t\t\tselect {\n\t\t\tcase r.renewCh <- &RenewOutput{time.Now().UTC(), renewal}:\n\t\t\tdefault:\n\t\t\t}\n\n\t\t\t// Possibly error if we are not renewable\n\t\t\tif 
((tokenMode && !renewal.Auth.Renewable) || (!tokenMode && !renewal.Renewable)) &&\n\t\t\t\tr.renewBehavior == RenewBehaviorErrorOnErrors {\n\t\t\t\treturn r.errLifetimeWatcherNotRenewable\n\t\t\t}\n\n\t\t\t// Reset initial time\n\t\t\tinitialTime = time.Now()\n\n\t\t\t// Grab the lease duration\n\t\t\tinitLeaseDuration = renewal.LeaseDuration\n\t\t\tif tokenMode {\n\t\t\t\tinitLeaseDuration = renewal.Auth.LeaseDuration\n\t\t\t}\n\n\t\t\tremainingLeaseDuration = time.Duration(initLeaseDuration) * time.Second\n\t\t}\n\n\t\tvar sleepDuration time.Duration\n\n\t\tif errorBackoff == nil {\n\t\t\tsleepDuration = r.calculateSleepDuration(remainingLeaseDuration, priorDuration)\n\t\t} else {\n\t\t\tsleepDuration = errorBackoff.NextBackOff()\n\t\t\tif sleepDuration == backoff.Stop {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\t// remainingLeaseDuration becomes the priorDuration for the next loop\n\t\tpriorDuration = remainingLeaseDuration\n\n\t\t// If we are within grace, return now; or, if the amount of time we\n\t\t// would sleep would land us in the grace period. This helps with short\n\t\t// tokens; for example, you don't want a current lease duration of 4\n\t\t// seconds, a grace period of 3 seconds, and end up sleeping for more\n\t\t// than three of those seconds and having a very small budget of time\n\t\t// to renew.\n\t\tif remainingLeaseDuration <= r.grace || remainingLeaseDuration-sleepDuration <= r.grace {\n\t\t\treturn nil\n\t\t}\n\n\t\ttimer := time.NewTimer(sleepDuration)\n\t\tselect {\n\t\tcase <-r.stopCh:\n\t\t\ttimer.Stop()\n\t\t\treturn nil\n\t\tcase <-timer.C:\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\n// calculateSleepDuration calculates the amount of time the LifeTimeWatcher should sleep\n// before re-entering its loop.\nfunc (r *LifetimeWatcher) calculateSleepDuration(remainingLeaseDuration, priorDuration time.Duration) time.Duration {\n\t// We keep evaluating a new grace period so long as the lease is\n\t// extending. 
Once it stops extending, we've hit the max and need to\n\t// rely on the grace duration.\n\tif remainingLeaseDuration > priorDuration {\n\t\tr.calculateGrace(remainingLeaseDuration, time.Duration(r.increment)*time.Second)\n\t}\n\n\t// The sleep duration is set to 2/3 of the current lease duration plus\n\t// 1/3 of the current grace period, which adds jitter.\n\treturn time.Duration(float64(remainingLeaseDuration.Nanoseconds())*2/3 + float64(r.grace.Nanoseconds())/3)\n}\n\n// calculateGrace calculates the grace period based on the minimum of the\n// remaining lease duration and the token increment value; it also adds some\n// jitter to not have clients be in sync.\nfunc (r *LifetimeWatcher) calculateGrace(leaseDuration, increment time.Duration) {\n\tminDuration := leaseDuration\n\tif minDuration > increment && increment > 0 {\n\t\tminDuration = increment\n\t}\n\n\tif minDuration <= 0 {\n\t\tr.grace = 0\n\t\treturn\n\t}\n\n\tleaseNanos := float64(minDuration.Nanoseconds())\n\tjitterMax := 0.1 * leaseNanos\n\n\t// For a given lease duration, we want to allow 80-90% of that to elapse,\n\t// so the remaining amount is the grace period\n\tr.grace = time.Duration(jitterMax) + time.Duration(uint64(r.random.Int63())%uint64(jitterMax))\n}\n\ntype (\n\tRenewer      = LifetimeWatcher\n\tRenewerInput = LifetimeWatcherInput\n)\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/logical.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"maps\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/hashicorp/errwrap\"\n)\n\nconst (\n\twrappedResponseLocation = \"cubbyhole/response\"\n)\n\nvar (\n\t// The default TTL that will be used with `sys/wrapping/wrap`, can be\n\t// changed\n\tDefaultWrappingTTL = \"5m\"\n\n\t// The default function used if no other function is set. It honors the env\n\t// var to set the wrap TTL. The default wrap TTL will apply when writing\n\t// to `sys/wrapping/wrap` when the env var is not set.\n\tDefaultWrappingLookupFunc = func(operation, path string) string {\n\t\tif os.Getenv(EnvVaultWrapTTL) != \"\" {\n\t\t\treturn os.Getenv(EnvVaultWrapTTL)\n\t\t}\n\n\t\tif (operation == http.MethodPut || operation == http.MethodPost) && path == \"sys/wrapping/wrap\" {\n\t\t\treturn DefaultWrappingTTL\n\t\t}\n\n\t\treturn \"\"\n\t}\n)\n\n// Logical is used to perform logical backend operations on Vault.\ntype Logical struct {\n\tc *Client\n}\n\n// Logical is used to return the client for logical-backend API calls.\nfunc (c *Client) Logical() *Logical {\n\treturn &Logical{c: c}\n}\n\nfunc (c *Logical) Read(path string) (*Secret, error) {\n\treturn c.ReadWithDataWithContext(context.Background(), path, nil)\n}\n\nfunc (c *Logical) ReadWithContext(ctx context.Context, path string) (*Secret, error) {\n\treturn c.ReadWithDataWithContext(ctx, path, nil)\n}\n\nfunc (c *Logical) ReadWithData(path string, data map[string][]string) (*Secret, error) {\n\treturn c.ReadWithDataWithContext(context.Background(), path, data)\n}\n\n// ReadFromSnapshot reads the data at the given Vault path from a previously\n// loaded snapshot. 
The snapshotID parameter is the ID of the loaded snapshot\nfunc (c *Logical) ReadFromSnapshot(path string, snapshotID string) (*Secret, error) {\n\treturn c.ReadWithData(path, map[string][]string{\"read_snapshot_id\": {snapshotID}})\n}\n\nfunc (c *Logical) ReadWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tresp, err := c.readRawWithDataWithContext(ctx, path, data, nil)\n\treturn c.ParseRawResponseAndCloseBody(resp, err)\n}\n\n// ReadWithRequest returns a Secret for the given LogicalReadRequest. This is a\n// more flexible version of ReadWithContext, which allows for passing extra\n// headers to the Vault server.\nfunc (c *Logical) ReadWithRequest(ctx context.Context, req LogicalReadRequest) (*Secret, error) {\n\tresp, err := c.readRawWithDataWithContext(ctx, req.Path(), req.Values(), req.Headers())\n\treturn c.ParseRawResponseAndCloseBody(resp, err)\n}\n\n// ReadRaw attempts to read the value stored at the given Vault path\n// (without '/v1/' prefix) and returns a raw *http.Response.\n//\n// Note: the raw-response functions do not respect the client-configured\n// request timeout; if a timeout is desired, please use ReadRawWithContext\n// instead and set the timeout through context.WithTimeout or context.WithDeadline.\nfunc (c *Logical) ReadRaw(path string) (*Response, error) {\n\treturn c.ReadRawWithDataWithContext(context.Background(), path, nil)\n}\n\n// ReadRawWithContext attempts to read the value stored at the given Vault path\n// (without '/v1/' prefix) and returns a raw *http.Response.\n//\n// Note: the raw-response functions do not respect the client-configured\n// request timeout; if a timeout is desired, please set it through\n// context.WithTimeout or context.WithDeadline.\nfunc (c *Logical) ReadRawWithContext(ctx context.Context, path string) (*Response, error) {\n\treturn c.ReadRawWithDataWithContext(ctx, path, 
nil)\n}\n\n// ReadRawWithData attempts to read the value stored at the given Vault\n// path (without '/v1/' prefix) and returns a raw *http.Response. The 'data' map\n// is added as query parameters to the request.\n//\n// Note: the raw-response functions do not respect the client-configured\n// request timeout; if a timeout is desired, please use\n// ReadRawWithDataWithContext instead and set the timeout through\n// context.WithTimeout or context.WithDeadline.\nfunc (c *Logical) ReadRawWithData(path string, data map[string][]string) (*Response, error) {\n\treturn c.ReadRawWithDataWithContext(context.Background(), path, data)\n}\n\nfunc (c *Logical) ReadRawFromSnapshot(path string, snapshotID string) (*Response, error) {\n\treturn c.ReadRawWithDataWithContext(context.Background(), path, map[string][]string{\"read_snapshot_id\": {snapshotID}})\n}\n\n// ReadRawWithDataWithContext attempts to read the value stored at the given\n// Vault path (without '/v1/' prefix) and returns a raw *http.Response. 
The 'data'\n// map is added as query parameters to the request.\n//\n// Note: the raw-response functions do not respect the client-configured\n// request timeout; if a timeout is desired, please set it through\n// context.WithTimeout or context.WithDeadline.\nfunc (c *Logical) ReadRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error) {\n\treturn c.readRawWithDataWithContext(ctx, path, data, nil)\n}\n\nfunc (c *Logical) ParseRawResponseAndCloseBody(resp *Response, err error) (*Secret, error) {\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t}\n\tif resp != nil && resp.StatusCode == 404 {\n\t\tsecret, parseErr := ParseSecret(resp.Body)\n\t\tswitch parseErr {\n\t\tcase nil:\n\t\tcase io.EOF:\n\t\t\treturn nil, nil\n\t\tdefault:\n\t\t\treturn nil, parseErr\n\t\t}\n\t\tif secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {\n\t\t\treturn secret, nil\n\t\t}\n\t\treturn nil, nil\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *Logical) readRawWithDataWithContext(ctx context.Context, path string, values url.Values, extraHeaders http.Header) (*Response, error) {\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/\"+path)\n\n\tif err := c.addExtraHeaders(r, extraHeaders); err != nil {\n\t\treturn nil, err\n\t}\n\n\tif values != nil {\n\t\tr.Params = maps.Clone(values)\n\t}\n\n\treturn c.c.RawRequestWithContext(ctx, r)\n}\n\n// ListFromSnapshot lists from the Vault path using a previously loaded\n// snapshot. 
The snapshotID parameter is the ID of the loaded snapshot\nfunc (c *Logical) ListFromSnapshot(path string, snapshotID string) (*Secret, error) {\n\tr := c.c.NewRequest(\"LIST\", \"/v1/\"+path)\n\tr.Params.Set(\"read_snapshot_id\", snapshotID)\n\treturn c.list(context.Background(), r)\n}\n\nfunc (c *Logical) List(path string) (*Secret, error) {\n\treturn c.ListWithContext(context.Background(), path)\n}\n\nfunc (c *Logical) ListWithContext(ctx context.Context, path string) (*Secret, error) {\n\treturn c.list(ctx, c.c.NewRequest(\"LIST\", \"/v1/\"+path))\n}\n\nfunc (c *Logical) list(ctx context.Context, r *Request) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\t// Set this for broader compatibility, but we use LIST above to be able to\n\t// handle the wrapping lookup function\n\tr.Method = http.MethodGet\n\tr.Params.Set(\"list\", \"true\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t}\n\tif resp != nil && resp.StatusCode == 404 {\n\t\tsecret, parseErr := ParseSecret(resp.Body)\n\t\tswitch parseErr {\n\t\tcase nil:\n\t\tcase io.EOF:\n\t\t\treturn nil, nil\n\t\tdefault:\n\t\t\treturn nil, parseErr\n\t\t}\n\t\tif secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {\n\t\t\treturn secret, nil\n\t\t}\n\t\treturn nil, nil\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error) {\n\treturn c.WriteWithContext(context.Background(), path, data)\n}\n\nfunc (c *Logical) WriteWithContext(ctx context.Context, path string, data map[string]interface{}) (*Secret, error) {\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/\"+path)\n\tif err := r.SetJSONBody(data); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn c.write(ctx, path, r)\n}\n\nfunc (c *Logical) WriteRaw(path string, data []byte) (*Response, error) {\n\treturn 
c.WriteRawWithContext(context.Background(), path, data)\n}\n\nfunc (c *Logical) WriteRawWithContext(ctx context.Context, path string, data []byte) (*Response, error) {\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/\"+path)\n\tr.BodyBytes = data\n\n\treturn c.writeRaw(ctx, r)\n}\n\n// WriteWithRequest returns a Secret for the given LogicalRequest. This is a\n// more flexible version of WriteWithContext, which allows for passing extra\n// headers to the Vault server.\nfunc (c *Logical) WriteWithRequest(ctx context.Context, req LogicalWriteRequest) (*Secret, error) {\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/\"+req.Path())\n\tif err := c.addExtraHeaders(r, req.Headers()); err != nil {\n\t\treturn nil, err\n\t}\n\n\tif err := r.SetJSONBody(req.Data()); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn c.write(ctx, req.Path(), r)\n}\n\n// addExtraHeaders adds the given headers to the request, but only if they are\n// not already set in the request. If a header is already set in the request, it\n// returns an error for each header that is already set.\nfunc (c *Logical) addExtraHeaders(r *Request, headers http.Header) error {\n\tvar errs error\n\n\tif r == nil {\n\t\treturn fmt.Errorf(\"cannot add extra headers to nil request\")\n\t}\n\n\tif len(headers) == 0 {\n\t\treturn nil\n\t}\n\n\tif r.Headers == nil {\n\t\tr.Headers = headers\n\t\treturn nil\n\t}\n\n\tcurHeaders := r.Headers.Clone()\n\tfor k, v := range headers {\n\t\tck := http.CanonicalHeaderKey(k)\n\t\tif curVal := curHeaders.Get(ck); curVal != \"\" {\n\t\t\terrs = errors.Join(errs, fmt.Errorf(\"cannot set extra header %q, it is reserved\", ck))\n\t\t\tcontinue\n\t\t}\n\t\tcurHeaders[ck] = v\n\t}\n\tif errs != nil {\n\t\treturn fmt.Errorf(\"cannot add extra headers: %w\", errs)\n\t}\n\n\tr.Headers = curHeaders\n\treturn nil\n}\n\n// Recover recovers the data at the given Vault path from a loaded snapshot.\n// The snapshotID parameter is the ID of the loaded snapshot\nfunc (c *Logical) Recover(ctx 
context.Context, path string, snapshotID string) (*Secret, error) {\n\treturn c.RecoverFromPath(ctx, path, snapshotID, \"\")\n}\n\nfunc (c *Logical) RecoverFromPath(ctx context.Context, newPath string, snapshotID string, originalPath string) (*Secret, error) {\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/\"+newPath)\n\tr.Params.Set(\"recover_snapshot_id\", snapshotID)\n\tr.Headers.Set(SnapshotHeaderName, snapshotID)\n\tif originalPath != \"\" && originalPath != newPath {\n\t\tr.Headers.Set(RecoverSourcePathHeaderName, originalPath)\n\t}\n\treturn c.write(ctx, originalPath, r)\n}\n\nfunc (c *Logical) JSONMergePatch(ctx context.Context, path string, data map[string]interface{}) (*Secret, error) {\n\tr := c.c.NewRequest(http.MethodPatch, \"/v1/\"+path)\n\tr.Headers.Set(\"Content-Type\", \"application/merge-patch+json\")\n\tif err := r.SetJSONBody(data); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn c.write(ctx, path, r)\n}\n\nfunc (c *Logical) WriteBytes(path string, data []byte) (*Secret, error) {\n\treturn c.WriteBytesWithContext(context.Background(), path, data)\n}\n\nfunc (c *Logical) WriteBytesWithContext(ctx context.Context, path string, data []byte) (*Secret, error) {\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/\"+path)\n\tr.BodyBytes = data\n\n\treturn c.write(ctx, path, r)\n}\n\nfunc (c *Logical) write(ctx context.Context, path string, request *Request) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tresp, err := c.c.rawRequestWithContext(ctx, request)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t}\n\tif resp != nil && resp.StatusCode == 404 {\n\t\tsecret, parseErr := ParseSecret(resp.Body)\n\t\tswitch parseErr {\n\t\tcase nil:\n\t\tcase io.EOF:\n\t\t\treturn nil, nil\n\t\tdefault:\n\t\t\treturn nil, parseErr\n\t\t}\n\t\tif secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {\n\t\t\treturn secret, err\n\t\t}\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn 
ParseSecret(resp.Body)\n}\n\nfunc (c *Logical) writeRaw(ctx context.Context, request *Request) (*Response, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tresp, err := c.c.rawRequestWithContext(ctx, request)\n\treturn resp, err\n}\n\nfunc (c *Logical) Delete(path string) (*Secret, error) {\n\treturn c.DeleteWithContext(context.Background(), path)\n}\n\nfunc (c *Logical) DeleteWithContext(ctx context.Context, path string) (*Secret, error) {\n\treturn c.DeleteWithDataWithContext(ctx, path, nil)\n}\n\nfunc (c *Logical) DeleteWithData(path string, data map[string][]string) (*Secret, error) {\n\treturn c.DeleteWithDataWithContext(context.Background(), path, data)\n}\n\n// DeleteWithRequest returns a Secret for the given LogicalDeleteRequest. This is a\n// more flexible version of DeleteWithContext, which allows for passing extra\n// headers to the Vault server.\nfunc (c *Logical) DeleteWithRequest(ctx context.Context, req LogicalDeleteRequest) (*Secret, error) {\n\treturn c.DeleteWithDataWithContext(ctx, req.Path(), req.Values())\n}\n\nfunc (c *Logical) DeleteWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error) {\n\treturn c.deleteWithDataWithContext(ctx, path, data)\n}\n\nfunc (c *Logical) deleteWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error) {\n\treturn c.delete(ctx, NewDeleteRequest(path, data, nil))\n}\n\nfunc (c *Logical) delete(ctx context.Context, req LogicalDeleteRequest) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/\"+req.Path())\n\n\tif values := req.Values(); values != nil {\n\t\tr.Params = values\n\t}\n\n\tif err := c.addExtraHeaders(r, req.Headers()); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t}\n\tif resp != nil && 
resp.StatusCode == 404 {\n\t\tsecret, parseErr := ParseSecret(resp.Body)\n\t\tswitch parseErr {\n\t\tcase nil:\n\t\tcase io.EOF:\n\t\t\treturn nil, nil\n\t\tdefault:\n\t\t\treturn nil, parseErr\n\t\t}\n\t\tif secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {\n\t\t\treturn secret, err\n\t\t}\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {\n\treturn c.UnwrapWithContext(context.Background(), wrappingToken)\n}\n\nfunc (c *Logical) UnwrapWithContext(ctx context.Context, wrappingToken string) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tvar data map[string]interface{}\n\twt := strings.TrimSpace(wrappingToken)\n\tif wrappingToken != \"\" {\n\t\tif c.c.Token() == \"\" {\n\t\t\tc.c.SetToken(wt)\n\t\t} else if wrappingToken != c.c.Token() {\n\t\t\tdata = map[string]interface{}{\n\t\t\t\t\"token\": wt,\n\t\t\t}\n\t\t}\n\t}\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/wrapping/unwrap\")\n\tif err := r.SetJSONBody(data); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t}\n\tif resp == nil || resp.StatusCode != 404 {\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tif resp == nil {\n\t\t\treturn nil, nil\n\t\t}\n\t\treturn ParseSecret(resp.Body)\n\t}\n\n\t// In the 404 case this may actually be a wrapped 404 error\n\tsecret, parseErr := ParseSecret(resp.Body)\n\tswitch parseErr {\n\tcase nil:\n\tcase io.EOF:\n\t\treturn nil, nil\n\tdefault:\n\t\treturn nil, parseErr\n\t}\n\tif secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {\n\t\treturn secret, nil\n\t}\n\n\t// Otherwise this might be an old-style wrapping token so attempt the old\n\t// method\n\tif wrappingToken != \"\" {\n\t\torigToken := c.c.Token()\n\t\tdefer 
c.c.SetToken(origToken)\n\t\tc.c.SetToken(wrappingToken)\n\t}\n\n\tsecret, err = c.ReadWithContext(ctx, wrappedResponseLocation)\n\tif err != nil {\n\t\treturn nil, errwrap.Wrapf(fmt.Sprintf(\"error reading %q: {{err}}\", wrappedResponseLocation), err)\n\t}\n\tif secret == nil {\n\t\treturn nil, fmt.Errorf(\"no value found at %q\", wrappedResponseLocation)\n\t}\n\tif secret.Data == nil {\n\t\treturn nil, fmt.Errorf(\"\\\"data\\\" not found in wrapping response\")\n\t}\n\tif _, ok := secret.Data[\"response\"]; !ok {\n\t\treturn nil, fmt.Errorf(\"\\\"response\\\" not found in wrapping response \\\"data\\\" map\")\n\t}\n\n\twrappedSecret := new(Secret)\n\tbuf := bytes.NewBufferString(secret.Data[\"response\"].(string))\n\tdec := json.NewDecoder(buf)\n\tdec.UseNumber()\n\tif err := dec.Decode(wrappedSecret); err != nil {\n\t\treturn nil, errwrap.Wrapf(\"error unmarshalling wrapped secret: {{err}}\", err)\n\t}\n\n\treturn wrappedSecret, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/logical_requests.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"maps\"\n\t\"net/http\"\n\t\"net/url\"\n)\n\nvar _ LogicalRequest = (*defaultLogicalRequest)(nil)\n\n// NewLogicalReadRequest creates a new LogicalReadRequest with the given path,\n// values, and headers.\nfunc NewLogicalReadRequest(path string, values url.Values, headers http.Header) LogicalReadRequest {\n\treturn newLogicalRequest(path, values, nil, headers)\n}\n\n// NewLogicalWriteRequest creates a new LogicalWriteRequest with the given path,\n// data, and headers.\nfunc NewLogicalWriteRequest(path string, data map[string]interface{}, headers http.Header) LogicalWriteRequest {\n\treturn newLogicalRequest(path, nil, data, headers)\n}\n\n// NewDeleteRequest creates a new LogicalDeleteRequest with the given path and values.\nfunc NewDeleteRequest(path string, values url.Values, headers http.Header) LogicalDeleteRequest {\n\treturn newLogicalRequest(path, values, nil, headers)\n}\n\n// newLogicalRequest creates a new LogicalRequest with the given path, values,\n// data, and headers.\nfunc newLogicalRequest(path string, values url.Values, data map[string]interface{}, headers http.Header) LogicalRequest {\n\treturn &defaultLogicalRequest{\n\t\tpath:    path,\n\t\tvalues:  values,\n\t\tdata:    data,\n\t\theaders: headers,\n\t}\n}\n\n// BaseLogicalRequest is the interface for requests to Vault's logical backend\n// that do not include data or values.\ntype BaseLogicalRequest interface {\n\t// Path returns the path to write to in Vault, without the \"/v1/\" prefix.\n\tPath() string\n\t// Headers returns the headers to be included in the request to Vault. 
All\n\t// headers are additive, and must not collide with any of the reserved headers.\n\tHeaders() http.Header\n}\n\n// LogicalRequest is the interface for requests to Vault's logical backend.\ntype LogicalRequest interface {\n\tBaseLogicalRequest\n\t// Values returns the query parameters to be used in the request.\n\t// Values are only used in read and delete requests.\n\tValues() url.Values\n\t// Data returns the data to be written to the path. It is marshaled to JSON.\n\t// Data is only used in write requests.\n\tData() map[string]interface{}\n}\n\n// LogicalWriteRequest is the interface for requests that write data to Vault's\n// logical backend.\ntype LogicalWriteRequest interface {\n\tBaseLogicalRequest\n\tData() map[string]interface{}\n}\n\n// LogicalReadRequest is the interface for requests that read data from Vault's\n// logical backend.\ntype LogicalReadRequest interface {\n\tBaseLogicalRequest\n\tValues() url.Values\n}\n\n// LogicalDeleteRequest is the interface for requests that delete data from Vault's\n// logical backend. 
It is semantically similar to a read request.\ntype LogicalDeleteRequest interface {\n\tBaseLogicalRequest\n\tValues() url.Values\n}\n\n// defaultLogicalRequest is the default implementation of LogicalRequest.\ntype defaultLogicalRequest struct {\n\tpath    string\n\tvalues  url.Values\n\theaders http.Header\n\tdata    map[string]interface{}\n}\n\n// Path returns the path to write to in Vault, without the \"/v1/\" prefix.\nfunc (r *defaultLogicalRequest) Path() string {\n\treturn r.path\n}\n\n// Headers returns a copy of the headers to be included in the request to Vault.\nfunc (r *defaultLogicalRequest) Headers() http.Header {\n\tif r.headers == nil {\n\t\treturn nil\n\t}\n\treturn maps.Clone(r.headers)\n}\n\n// Data returns a copy of the data to be written to the path.\nfunc (r *defaultLogicalRequest) Data() map[string]interface{} {\n\tif r.data == nil {\n\t\treturn nil\n\t}\n\treturn maps.Clone(r.data)\n}\n\n// Values returns a copy of the query parameters to be used in the request.\nfunc (r *defaultLogicalRequest) Values() url.Values {\n\tif r.values == nil {\n\t\treturn nil\n\t}\n\treturn maps.Clone(r.values)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/output_policy.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nconst (\n\tErrOutputPolicyRequest = \"output a policy, please\"\n)\n\nvar LastOutputPolicyError *OutputPolicyError\n\ntype OutputPolicyError struct {\n\tmethod         string\n\tpath           string\n\tparams         url.Values\n\tfinalHCLString string\n}\n\nfunc (d *OutputPolicyError) Error() string {\n\tif d.finalHCLString == \"\" {\n\t\tp, err := d.buildSamplePolicy()\n\t\tif err != nil {\n\t\t\treturn err.Error()\n\t\t}\n\t\td.finalHCLString = p\n\t}\n\n\treturn ErrOutputPolicyRequest\n}\n\nfunc (d *OutputPolicyError) HCLString() (string, error) {\n\tif d.finalHCLString == \"\" {\n\t\tp, err := d.buildSamplePolicy()\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\td.finalHCLString = p\n\t}\n\treturn d.finalHCLString, nil\n}\n\n// Builds a sample policy document from the request\nfunc (d *OutputPolicyError) buildSamplePolicy() (string, error) {\n\toperation := d.method\n\t// List is often defined as a URL param instead of as an http.Method\n\t// this will check for the header and properly switch off of the intended functionality\n\tif d.params.Has(\"list\") {\n\t\tisList, err := strconv.ParseBool(d.params.Get(\"list\"))\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"the value of the list url param is not a bool: %v\", err)\n\t\t}\n\n\t\tif isList {\n\t\t\toperation = \"LIST\"\n\t\t}\n\t}\n\n\tvar capabilities []string\n\tswitch operation {\n\tcase http.MethodGet, \"\":\n\t\tcapabilities = append(capabilities, \"read\")\n\tcase http.MethodPost, http.MethodPut:\n\t\tcapabilities = append(capabilities, \"create\")\n\t\tcapabilities = append(capabilities, \"update\")\n\tcase http.MethodPatch:\n\t\tcapabilities = append(capabilities, \"patch\")\n\tcase http.MethodDelete:\n\t\tcapabilities = append(capabilities, \"delete\")\n\tcase \"LIST\":\n\t\tcapabilities = 
append(capabilities, \"list\")\n\t}\n\n\t// determine whether to add sudo capability\n\tif IsSudoPath(d.path) {\n\t\tcapabilities = append(capabilities, \"sudo\")\n\t}\n\n\treturn formatOutputPolicy(d.path, capabilities), nil\n}\n\nfunc formatOutputPolicy(path string, capabilities []string) string {\n\t// the OpenAPI response has a / in front of each path,\n\t// but policies need the path without that leading slash\n\tpath = strings.TrimLeft(path, \"/\")\n\n\tcapStr := strings.Join(capabilities, `\", \"`)\n\treturn fmt.Sprintf(\n\t\t`path \"%s\" {\n  capabilities = [\"%s\"]\n}`, path, capStr)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/output_string.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"strings\"\n\n\t\"github.com/hashicorp/go-retryablehttp\"\n)\n\nconst (\n\tErrOutputStringRequest = \"output a string, please\"\n)\n\nvar LastOutputStringError *OutputStringError\n\ntype OutputStringError struct {\n\t*retryablehttp.Request\n\tTLSSkipVerify              bool\n\tClientCACert, ClientCAPath string\n\tClientCert, ClientKey      string\n\tfinalCurlString            string\n}\n\n// Error is here so that we can return this struct as an error from client.rawRequestWithContext(). Note that\n// the ErrOutputStringRequest constant is never actually used and is completely irrelevant to how this all functions.\n// We could've just as easily returned an empty string. What matters is the machinery that happens before then where\n// the curl string is built. So yes, this is confusing, but yes, this is also on purpose, and it is not incorrect.\nfunc (d *OutputStringError) Error() string {\n\tif d.finalCurlString == \"\" {\n\t\tcs, err := d.buildCurlString()\n\t\tif err != nil {\n\t\t\treturn err.Error()\n\t\t}\n\t\td.finalCurlString = cs\n\t}\n\n\treturn ErrOutputStringRequest\n}\n\nfunc (d *OutputStringError) CurlString() (string, error) {\n\tif d.finalCurlString == \"\" {\n\t\tcs, err := d.buildCurlString()\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\td.finalCurlString = cs\n\t}\n\treturn d.finalCurlString, nil\n}\n\nfunc (d *OutputStringError) buildCurlString() (string, error) {\n\tbody, err := d.Request.BodyBytes()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\t// Build cURL string\n\tfinalCurlString := \"curl \"\n\tif d.TLSSkipVerify {\n\t\tfinalCurlString += \"--insecure \"\n\t}\n\tif d.Request.Method != http.MethodGet {\n\t\tfinalCurlString = fmt.Sprintf(\"%s-X %s \", finalCurlString, d.Request.Method)\n\t}\n\tif d.ClientCACert != \"\" {\n\t\tclientCACert := strings.ReplaceAll(d.ClientCACert, \"'\", 
\"'\\\"'\\\"'\")\n\t\tfinalCurlString = fmt.Sprintf(\"%s--cacert '%s' \", finalCurlString, clientCACert)\n\t}\n\tif d.ClientCAPath != \"\" {\n\t\tclientCAPath := strings.ReplaceAll(d.ClientCAPath, \"'\", \"'\\\"'\\\"'\")\n\t\tfinalCurlString = fmt.Sprintf(\"%s--capath '%s' \", finalCurlString, clientCAPath)\n\t}\n\tif d.ClientCert != \"\" {\n\t\tclientCert := strings.ReplaceAll(d.ClientCert, \"'\", \"'\\\"'\\\"'\")\n\t\tfinalCurlString = fmt.Sprintf(\"%s--cert '%s' \", finalCurlString, clientCert)\n\t}\n\tif d.ClientKey != \"\" {\n\t\tclientKey := strings.ReplaceAll(d.ClientKey, \"'\", \"'\\\"'\\\"'\")\n\t\tfinalCurlString = fmt.Sprintf(\"%s--key '%s' \", finalCurlString, clientKey)\n\t}\n\tfor k, v := range d.Request.Header {\n\t\tfor _, h := range v {\n\t\t\tif strings.ToLower(k) == \"x-vault-token\" {\n\t\t\t\th = `$(vault print token)`\n\t\t\t}\n\t\t\tfinalCurlString = fmt.Sprintf(\"%s-H \\\"%s: %s\\\" \", finalCurlString, k, h)\n\t\t}\n\t}\n\n\tif len(body) > 0 {\n\t\t// We need to escape single quotes since that's what we're using to\n\t\t// quote the body\n\t\tescapedBody := strings.ReplaceAll(string(body), \"'\", \"'\\\"'\\\"'\")\n\t\tfinalCurlString = fmt.Sprintf(\"%s-d '%s' \", finalCurlString, escapedBody)\n\t}\n\n\treturn fmt.Sprintf(\"%s%s\", finalCurlString, d.Request.URL.String()), nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_helpers.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"flag\"\n\t\"net/url\"\n\t\"os\"\n\n\tjose \"github.com/go-jose/go-jose/v4\"\n\t\"github.com/go-jose/go-jose/v4/jwt\"\n\t\"github.com/hashicorp/errwrap\"\n)\n\n// This file contains helper code used when writing Vault auth method or secrets engine plugins.\n//\n// As such, it would be better located in the sdk module with the rest of the code which is only to support plugins,\n// rather than api, but is here for historical reasons. (The api module used to depend on the sdk module, this code\n// calls NewClient within the api package, so placing it in the sdk would have created a dependency cycle. This reason\n// is now historical, as the dependency between sdk and api has since been reversed in direction.)\n// Moving this code to the sdk would be appropriate if an api v2.0.0 release is ever planned.\n//\n// This helper code is used when a plugin is hosted by Vault 1.11 and earlier. Vault 1.12 and sdk v0.6.0 introduced\n// version 5 of the backend plugin interface, which uses go-plugin's AutoMTLS feature instead of this code.\n\nconst (\n\t// PluginAutoMTLSEnv is used to ensure AutoMTLS is used. 
This will override\n\t// setting a TLSProviderFunc for a plugin.\n\tPluginAutoMTLSEnv = \"VAULT_PLUGIN_AUTOMTLS_ENABLED\"\n\n\t// PluginMetadataModeEnv is an ENV name used to disable TLS communication\n\t// to bootstrap mounting plugins.\n\tPluginMetadataModeEnv = \"VAULT_PLUGIN_METADATA_MODE\"\n\n\t// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the\n\t// plugin.\n\tPluginUnwrapTokenEnv = \"VAULT_UNWRAP_TOKEN\"\n\n\t// CubbyHoleJWTSignatureAlgorithm is the signature algorithm used for\n\t// the unwrap token that Vault passes to a plugin when auto-mTLS is\n\t// not enabled.\n\tCubbyHoleJWTSignatureAlgorithm = jose.ES512\n)\n\n// PluginAPIClientMeta is a helper that plugins can use to configure TLS connections\n// back to Vault.\ntype PluginAPIClientMeta struct {\n\t// These are set by the command line flags.\n\tflagCACert     string\n\tflagCAPath     string\n\tflagClientCert string\n\tflagClientKey  string\n\tflagServerName string\n\tflagInsecure   bool\n}\n\n// FlagSet returns the flag set for configuring the TLS connection\nfunc (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet {\n\tfs := flag.NewFlagSet(\"vault plugin settings\", flag.ContinueOnError)\n\n\tfs.StringVar(&f.flagCACert, \"ca-cert\", \"\", \"\")\n\tfs.StringVar(&f.flagCAPath, \"ca-path\", \"\", \"\")\n\tfs.StringVar(&f.flagClientCert, \"client-cert\", \"\", \"\")\n\tfs.StringVar(&f.flagClientKey, \"client-key\", \"\", \"\")\n\tfs.StringVar(&f.flagServerName, \"tls-server-name\", \"\", \"\")\n\tfs.BoolVar(&f.flagInsecure, \"tls-skip-verify\", false, \"\")\n\n\treturn fs\n}\n\n// GetTLSConfig will return a TLSConfig based off the values from the flags\nfunc (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig {\n\t// If we need custom TLS configuration, then set it\n\tif f.flagCACert != \"\" || f.flagCAPath != \"\" || f.flagClientCert != \"\" || f.flagClientKey != \"\" || f.flagInsecure || f.flagServerName != \"\" {\n\t\tt := &TLSConfig{\n\t\t\tCACert:        
f.flagCACert,\n\t\t\tCAPath:        f.flagCAPath,\n\t\t\tClientCert:    f.flagClientCert,\n\t\t\tClientKey:     f.flagClientKey,\n\t\t\tTLSServerName: f.flagServerName,\n\t\t\tInsecure:      f.flagInsecure,\n\t\t}\n\n\t\treturn t\n\t}\n\n\treturn nil\n}\n\n// VaultPluginTLSProvider wraps VaultPluginTLSProviderContext using context.Background.\nfunc VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error) {\n\treturn VaultPluginTLSProviderContext(context.Background(), apiTLSConfig)\n}\n\n// VaultPluginTLSProviderContext is run inside a plugin and retrieves the response\n// wrapped TLS certificate from vault. It returns a configured TLS Config.\nfunc VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error) {\n\tif os.Getenv(PluginAutoMTLSEnv) == \"true\" || os.Getenv(PluginMetadataModeEnv) == \"true\" {\n\t\treturn nil\n\t}\n\n\treturn func() (*tls.Config, error) {\n\t\tunwrapToken := os.Getenv(PluginUnwrapTokenEnv)\n\n\t\tparsedJWT, err := jwt.ParseSigned(unwrapToken, []jose.SignatureAlgorithm{CubbyHoleJWTSignatureAlgorithm})\n\t\tif err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error parsing wrapping token: {{err}}\", err)\n\t\t}\n\n\t\tallClaims := make(map[string]interface{})\n\t\tif err = parsedJWT.UnsafeClaimsWithoutVerification(&allClaims); err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error parsing claims from wrapping token: {{err}}\", err)\n\t\t}\n\n\t\taddrClaimRaw, ok := allClaims[\"addr\"]\n\t\tif !ok {\n\t\t\treturn nil, errors.New(\"could not validate addr claim\")\n\t\t}\n\t\tvaultAddr, ok := addrClaimRaw.(string)\n\t\tif !ok {\n\t\t\treturn nil, errors.New(\"could not parse addr claim\")\n\t\t}\n\t\tif vaultAddr == \"\" {\n\t\t\treturn nil, errors.New(`no vault api_addr found`)\n\t\t}\n\n\t\t// Sanity check the value\n\t\tif _, err := url.Parse(vaultAddr); err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error parsing the vault api_addr: {{err}}\", err)\n\t\t}\n\n\t\t// Unwrap the 
token\n\t\tclientConf := DefaultConfig()\n\t\tclientConf.Address = vaultAddr\n\t\tif apiTLSConfig != nil {\n\t\t\terr := clientConf.ConfigureTLS(apiTLSConfig)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, errwrap.Wrapf(\"error configuring api client {{err}}\", err)\n\t\t\t}\n\t\t}\n\t\tclient, err := NewClient(clientConf)\n\t\tif err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error during api client creation: {{err}}\", err)\n\t\t}\n\n\t\t// Reset token value to make sure nothing has been set by default\n\t\tclient.ClearToken()\n\n\t\tsecret, err := client.Logical().UnwrapWithContext(ctx, unwrapToken)\n\t\tif err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error during token unwrap request: {{err}}\", err)\n\t\t}\n\t\tif secret == nil {\n\t\t\treturn nil, errors.New(\"error during token unwrap request: secret is nil\")\n\t\t}\n\n\t\t// Retrieve and parse the server's certificate\n\t\tserverCertBytesRaw, ok := secret.Data[\"ServerCert\"].(string)\n\t\tif !ok {\n\t\t\treturn nil, errors.New(\"error unmarshalling certificate\")\n\t\t}\n\n\t\tserverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw)\n\t\tif err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error parsing certificate: {{err}}\", err)\n\t\t}\n\n\t\tserverCert, err := x509.ParseCertificate(serverCertBytes)\n\t\tif err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error parsing certificate: {{err}}\", err)\n\t\t}\n\n\t\t// Retrieve and parse the server's private key\n\t\tserverKeyB64, ok := secret.Data[\"ServerKey\"].(string)\n\t\tif !ok {\n\t\t\treturn nil, errors.New(\"error unmarshalling certificate\")\n\t\t}\n\n\t\tserverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64)\n\t\tif err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error parsing certificate: {{err}}\", err)\n\t\t}\n\n\t\tserverKey, err := x509.ParseECPrivateKey(serverKeyRaw)\n\t\tif err != nil {\n\t\t\treturn nil, errwrap.Wrapf(\"error parsing certificate: {{err}}\", err)\n\t\t}\n\n\t\t// Add CA cert to the cert 
pool\n\t\tcaCertPool := x509.NewCertPool()\n\t\tcaCertPool.AddCert(serverCert)\n\n\t\t// Build a certificate object out of the server's cert and private key.\n\t\tcert := tls.Certificate{\n\t\t\tCertificate: [][]byte{serverCertBytes},\n\t\t\tPrivateKey:  serverKey,\n\t\t\tLeaf:        serverCert,\n\t\t}\n\n\t\t// Setup TLS config\n\t\ttlsConfig := &tls.Config{\n\t\t\tClientCAs:  caCertPool,\n\t\t\tRootCAs:    caCertPool,\n\t\t\tClientAuth: tls.RequireAndVerifyClientCert,\n\t\t\t// TLS 1.2 minimum\n\t\t\tMinVersion:   tls.VersionTLS12,\n\t\t\tCertificates: []tls.Certificate{cert},\n\t\t\tServerName:   serverCert.Subject.CommonName,\n\t\t}\n\n\t\treturn tlsConfig, nil\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_runtime_types.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\n// NOTE: this file was copied from\n// https://github.com/hashicorp/vault/blob/main/sdk/helper/consts/plugin_runtime_types.go\n// Any changes made should be made to both files at the same time.\n\nimport \"fmt\"\n\nvar PluginRuntimeTypes = _PluginRuntimeTypeValues\n\n//go:generate enumer -type=PluginRuntimeType -trimprefix=PluginRuntimeType -transform=snake\ntype PluginRuntimeType uint32\n\n// This is a list of PluginRuntimeTypes used by Vault.\nconst (\n\tPluginRuntimeTypeUnsupported PluginRuntimeType = iota\n\tPluginRuntimeTypeContainer\n)\n\n// ParsePluginRuntimeType is a wrapper around PluginRuntimeTypeString kept for backwards compatibility.\nfunc ParsePluginRuntimeType(PluginRuntimeType string) (PluginRuntimeType, error) {\n\tt, err := PluginRuntimeTypeString(PluginRuntimeType)\n\tif err != nil {\n\t\treturn PluginRuntimeTypeUnsupported, fmt.Errorf(\"%q is not a supported plugin runtime type\", PluginRuntimeType)\n\t}\n\treturn t, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_types.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\n// NOTE: this file was copied from\n// https://github.com/hashicorp/vault/blob/main/sdk/helper/consts/plugin_types.go\n// Any changes made should be made to both files at the same time.\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n)\n\nvar PluginTypes = []PluginType{\n\tPluginTypeUnknown,\n\tPluginTypeCredential,\n\tPluginTypeDatabase,\n\tPluginTypeSecrets,\n}\n\ntype PluginType uint32\n\n// This is a list of PluginTypes used by Vault.\n// If we need to add any in the future, it would\n// be best to add them to the _end_ of the list below\n// because they resolve to incrementing numbers,\n// which may be saved in state somewhere. Thus if\n// the name for one of those numbers changed because\n// a value were added to the middle, that could cause\n// the wrong plugin types to be read from storage\n// for a given underlying number. Example of the problem\n// here: https://play.golang.org/p/YAaPw5ww3er\nconst (\n\tPluginTypeUnknown PluginType = iota\n\tPluginTypeCredential\n\tPluginTypeDatabase\n\tPluginTypeSecrets\n)\n\nfunc (p PluginType) String() string {\n\tswitch p {\n\tcase PluginTypeUnknown:\n\t\treturn \"unknown\"\n\tcase PluginTypeCredential:\n\t\treturn \"auth\"\n\tcase PluginTypeDatabase:\n\t\treturn \"database\"\n\tcase PluginTypeSecrets:\n\t\treturn \"secret\"\n\tdefault:\n\t\treturn \"unsupported\"\n\t}\n}\n\nfunc ParsePluginType(pluginType string) (PluginType, error) {\n\tswitch pluginType {\n\tcase \"unknown\":\n\t\treturn PluginTypeUnknown, nil\n\tcase \"auth\":\n\t\treturn PluginTypeCredential, nil\n\tcase \"database\":\n\t\treturn PluginTypeDatabase, nil\n\tcase \"secret\":\n\t\treturn PluginTypeSecrets, nil\n\tdefault:\n\t\treturn PluginTypeUnknown, fmt.Errorf(\"%q is not a supported plugin type\", pluginType)\n\t}\n}\n\n// UnmarshalJSON implements json.Unmarshaler. It supports unmarshaling either a\n// string or a uint32. 
All new serialization will be as a string, but we\n// previously serialized as a uint32 so we need to support that for backwards\n// compatibility.\nfunc (p *PluginType) UnmarshalJSON(data []byte) error {\n\tvar asString string\n\terr := json.Unmarshal(data, &asString)\n\tif err == nil {\n\t\t*p, err = ParsePluginType(asString)\n\t\treturn err\n\t}\n\n\tvar asUint32 uint32\n\terr = json.Unmarshal(data, &asUint32)\n\tif err != nil {\n\t\treturn err\n\t}\n\t*p = PluginType(asUint32)\n\tswitch *p {\n\tcase PluginTypeUnknown, PluginTypeCredential, PluginTypeDatabase, PluginTypeSecrets:\n\t\treturn nil\n\tdefault:\n\t\treturn fmt.Errorf(\"%d is not a supported plugin type\", asUint32)\n\t}\n}\n\n// MarshalJSON implements json.Marshaler.\nfunc (p PluginType) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(p.String())\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/pluginruntimetype_enumer.go",
    "content": "// Code generated by \"enumer -type=PluginRuntimeType -trimprefix=PluginRuntimeType -transform=snake\"; DO NOT EDIT.\n\npackage api\n\nimport (\n\t\"fmt\"\n)\n\nconst _PluginRuntimeTypeName = \"unsupportedcontainer\"\n\nvar _PluginRuntimeTypeIndex = [...]uint8{0, 11, 20}\n\nfunc (i PluginRuntimeType) String() string {\n\tif i >= PluginRuntimeType(len(_PluginRuntimeTypeIndex)-1) {\n\t\treturn fmt.Sprintf(\"PluginRuntimeType(%d)\", i)\n\t}\n\treturn _PluginRuntimeTypeName[_PluginRuntimeTypeIndex[i]:_PluginRuntimeTypeIndex[i+1]]\n}\n\nvar _PluginRuntimeTypeValues = []PluginRuntimeType{0, 1}\n\nvar _PluginRuntimeTypeNameToValueMap = map[string]PluginRuntimeType{\n\t_PluginRuntimeTypeName[0:11]:  0,\n\t_PluginRuntimeTypeName[11:20]: 1,\n}\n\n// PluginRuntimeTypeString retrieves an enum value from the enum constants string name.\n// Throws an error if the param is not part of the enum.\nfunc PluginRuntimeTypeString(s string) (PluginRuntimeType, error) {\n\tif val, ok := _PluginRuntimeTypeNameToValueMap[s]; ok {\n\t\treturn val, nil\n\t}\n\treturn 0, fmt.Errorf(\"%s does not belong to PluginRuntimeType values\", s)\n}\n\n// PluginRuntimeTypeValues returns all values of the enum\nfunc PluginRuntimeTypeValues() []PluginRuntimeType {\n\treturn _PluginRuntimeTypeValues\n}\n\n// IsAPluginRuntimeType returns \"true\" if the value is listed in the enum definition. \"false\" otherwise\nfunc (i PluginRuntimeType) IsAPluginRuntimeType() bool {\n\tfor _, v := range _PluginRuntimeTypeValues {\n\t\tif i == v {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/renewbehavior_enumer.go",
    "content": "// Code generated by \"enumer -type=RenewBehavior -trimprefix=RenewBehavior\"; DO NOT EDIT.\n\npackage api\n\nimport (\n\t\"fmt\"\n)\n\nconst _RenewBehaviorName = \"IgnoreErrorsRenewDisabledErrorOnErrors\"\n\nvar _RenewBehaviorIndex = [...]uint8{0, 12, 25, 38}\n\nfunc (i RenewBehavior) String() string {\n\tif i >= RenewBehavior(len(_RenewBehaviorIndex)-1) {\n\t\treturn fmt.Sprintf(\"RenewBehavior(%d)\", i)\n\t}\n\treturn _RenewBehaviorName[_RenewBehaviorIndex[i]:_RenewBehaviorIndex[i+1]]\n}\n\nvar _RenewBehaviorValues = []RenewBehavior{0, 1, 2}\n\nvar _RenewBehaviorNameToValueMap = map[string]RenewBehavior{\n\t_RenewBehaviorName[0:12]:  0,\n\t_RenewBehaviorName[12:25]: 1,\n\t_RenewBehaviorName[25:38]: 2,\n}\n\n// RenewBehaviorString retrieves an enum value from the enum constants string name.\n// Throws an error if the param is not part of the enum.\nfunc RenewBehaviorString(s string) (RenewBehavior, error) {\n\tif val, ok := _RenewBehaviorNameToValueMap[s]; ok {\n\t\treturn val, nil\n\t}\n\treturn 0, fmt.Errorf(\"%s does not belong to RenewBehavior values\", s)\n}\n\n// RenewBehaviorValues returns all values of the enum\nfunc RenewBehaviorValues() []RenewBehavior {\n\treturn _RenewBehaviorValues\n}\n\n// IsARenewBehavior returns \"true\" if the value is listed in the enum definition. \"false\" otherwise\nfunc (i RenewBehavior) IsARenewBehavior() bool {\n\tfor _, v := range _RenewBehaviorValues {\n\t\tif i == v {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/replication_status.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nconst (\n\tapiRepPerformanceStatusPath = \"/v1/sys/replication/performance/status\"\n\tapiRepDRStatusPath          = \"/v1/sys/replication/dr/status\"\n\tapiRepStatusPath            = \"/v1/sys/replication/status\"\n)\n\ntype ClusterInfo struct {\n\tAPIAddr                           string `json:\"api_address,omitempty\" mapstructure:\"api_address\"`\n\tClusterAddress                    string `json:\"cluster_address,omitempty\" mapstructure:\"cluster_address\"`\n\tConnectionStatus                  string `json:\"connection_status,omitempty\" mapstructure:\"connection_status\"`\n\tLastHeartBeat                     string `json:\"last_heartbeat,omitempty\" mapstructure:\"last_heartbeat\"`\n\tLastHeartBeatDurationMillis       string `json:\"last_heartbeat_duration_ms,omitempty\" mapstructure:\"last_heartbeat_duration_ms\"`\n\tClockSkewMillis                   string `json:\"clock_skew_ms,omitempty\" mapstructure:\"clock_skew_ms\"`\n\tNodeID                            string `json:\"node_id,omitempty\" mapstructure:\"node_id\"`\n\tReplicationPrimaryCanaryAgeMillis string `json:\"replication_primary_canary_age_ms,omitempty\" mapstructure:\"replication_primary_canary_age_ms\"`\n}\n\ntype ReplicationStatusGenericResponse struct {\n\tLastDRWAL             uint64 `json:\"last_dr_wal,omitempty\" mapstructure:\"last_dr_wal\"`\n\tLastReindexEpoch      string `json:\"last_reindex_epoch,omitempty\" mapstructure:\"last_reindex_epoch\"`\n\tClusterID             string `json:\"cluster_id,omitempty\" mapstructure:\"cluster_id\"`\n\tLastWAL               uint64 `json:\"last_wal,omitempty\" mapstructure:\"last_wal\"`\n\tMerkleRoot            string `json:\"merkle_root,omitempty\" mapstructure:\"merkle_root\"`\n\tMode                  string 
`json:\"mode,omitempty\" mapstructure:\"mode\"`\n\tPrimaryClusterAddr    string `json:\"primary_cluster_addr,omitempty\" mapstructure:\"primary_cluster_addr\"`\n\tLastPerformanceWAL    uint64 `json:\"last_performance_wal,omitempty\" mapstructure:\"last_performance_wal\"`\n\tState                 string `json:\"state,omitempty\" mapstructure:\"state\"`\n\tLastRemoteWAL         uint64 `json:\"last_remote_wal,omitempty\" mapstructure:\"last_remote_wal\"`\n\tSecondaryID           string `json:\"secondary_id,omitempty\" mapstructure:\"secondary_id\"`\n\tSSCTGenerationCounter uint64 `json:\"ssct_generation_counter,omitempty\" mapstructure:\"ssct_generation_counter\"`\n\n\tKnownSecondaries         []string      `json:\"known_secondaries,omitempty\" mapstructure:\"known_secondaries\"`\n\tKnownPrimaryClusterAddrs []string      `json:\"known_primary_cluster_addrs,omitempty\" mapstructure:\"known_primary_cluster_addrs\"`\n\tPrimaries                []ClusterInfo `json:\"primaries,omitempty\" mapstructure:\"primaries\"`\n\tSecondaries              []ClusterInfo `json:\"secondaries,omitempty\" mapstructure:\"secondaries\"`\n}\n\ntype ReplicationStatusResponse struct {\n\tDR          ReplicationStatusGenericResponse `json:\"dr,omitempty\" mapstructure:\"dr\"`\n\tPerformance ReplicationStatusGenericResponse `json:\"performance,omitempty\" mapstructure:\"performance\"`\n}\n\nfunc (c *Sys) ReplicationStatus() (*ReplicationStatusResponse, error) {\n\treturn c.ReplicationStatusWithContext(context.Background(), apiRepStatusPath)\n}\n\nfunc (c *Sys) ReplicationPerformanceStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error) {\n\ts, err := c.ReplicationStatusWithContext(ctx, apiRepPerformanceStatusPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &s.Performance, nil\n}\n\nfunc (c *Sys) ReplicationDRStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error) {\n\ts, err := c.ReplicationStatusWithContext(ctx, 
apiRepDRStatusPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &s.DR, nil\n}\n\nfunc (c *Sys) ReplicationStatusWithContext(ctx context.Context, path string) (*ReplicationStatusResponse, error) {\n\t// default to replication/status\n\tif path == \"\" {\n\t\tpath = apiRepStatusPath\n\t}\n\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, path)\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer func() { _ = resp.Body.Close() }()\n\n\t// First decode response into a map[string]interface{}\n\tdata := make(map[string]interface{})\n\tdec := json.NewDecoder(resp.Body)\n\tdec.UseNumber()\n\tif err := dec.Decode(&data); err != nil {\n\t\treturn nil, err\n\t}\n\n\trawData, ok := data[\"data\"]\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"empty data in replication status response\")\n\t}\n\n\ts := &ReplicationStatusResponse{}\n\tg := &ReplicationStatusGenericResponse{}\n\tswitch {\n\tcase path == apiRepPerformanceStatusPath:\n\t\terr = mapstructure.Decode(rawData, g)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\ts.Performance = *g\n\tcase path == apiRepDRStatusPath:\n\t\terr = mapstructure.Decode(rawData, g)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\ts.DR = *g\n\tdefault:\n\t\terr = mapstructure.Decode(rawData, s)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\treturn s, err\n\t}\n\n\treturn s, err\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/request.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\n\tretryablehttp \"github.com/hashicorp/go-retryablehttp\"\n)\n\n// Request is a raw request configuration structure used to initiate\n// API requests to the Vault server.\ntype Request struct {\n\tMethod        string\n\tURL           *url.URL\n\tHost          string\n\tParams        url.Values\n\tHeaders       http.Header\n\tClientToken   string\n\tMFAHeaderVals []string\n\tWrapTTL       string\n\tObj           interface{}\n\n\t// When possible, use BodyBytes as it is more efficient due to how the\n\t// retry logic works\n\tBodyBytes []byte\n\n\t// Fallback\n\tBody     io.Reader\n\tBodySize int64\n\n\t// Whether to request overriding soft-mandatory Sentinel policies (RGPs and\n\t// EGPs). If set, the override flag will take effect for all policies\n\t// evaluated during the request.\n\tPolicyOverride bool\n\n\t// HCPCookie is used to set a http cookie when client is connected to HCP\n\tHCPCookie *http.Cookie\n}\n\n// SetJSONBody is used to set a request body that is a JSON-encoded value.\nfunc (r *Request) SetJSONBody(val interface{}) error {\n\tbuf, err := json.Marshal(val)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tr.Obj = val\n\tr.BodyBytes = buf\n\treturn nil\n}\n\n// ResetJSONBody is used to reset the body for a redirect\nfunc (r *Request) ResetJSONBody() error {\n\tif r.BodyBytes == nil {\n\t\treturn nil\n\t}\n\treturn r.SetJSONBody(r.Obj)\n}\n\n// DEPRECATED: ToHTTP turns this request into a valid *http.Request for use\n// with the net/http package.\nfunc (r *Request) ToHTTP() (*http.Request, error) {\n\treq, err := r.toRetryableHTTP()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tswitch {\n\tcase r.BodyBytes == nil && r.Body == nil:\n\t\t// No body\n\n\tcase r.BodyBytes != nil:\n\t\treq.Request.Body = 
io.NopCloser(bytes.NewReader(r.BodyBytes))\n\n\tdefault:\n\t\tif c, ok := r.Body.(io.ReadCloser); ok {\n\t\t\treq.Request.Body = c\n\t\t} else {\n\t\t\treq.Request.Body = io.NopCloser(r.Body)\n\t\t}\n\t}\n\n\treturn req.Request, nil\n}\n\nfunc (r *Request) toRetryableHTTP() (*retryablehttp.Request, error) {\n\t// Encode the query parameters\n\tr.URL.RawQuery = r.Params.Encode()\n\n\t// Create the HTTP request, defaulting to retryable\n\tvar req *retryablehttp.Request\n\n\tvar err error\n\tvar body interface{}\n\n\tswitch {\n\tcase r.BodyBytes == nil && r.Body == nil:\n\t\t// No body\n\n\tcase r.BodyBytes != nil:\n\t\t// Use bytes, it's more efficient\n\t\tbody = r.BodyBytes\n\n\tdefault:\n\t\tbody = r.Body\n\t}\n\n\treq, err = retryablehttp.NewRequest(r.Method, r.URL.RequestURI(), body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treq.URL.User = r.URL.User\n\treq.URL.Scheme = r.URL.Scheme\n\treq.URL.Host = r.URL.Host\n\treq.Host = r.Host\n\n\tif r.Headers != nil {\n\t\tfor header, vals := range r.Headers {\n\t\t\tfor _, val := range vals {\n\t\t\t\treq.Header.Add(header, val)\n\t\t\t}\n\t\t}\n\t}\n\n\tif len(r.ClientToken) != 0 {\n\t\treq.Header.Set(AuthHeaderName, r.ClientToken)\n\t}\n\n\tif len(r.WrapTTL) != 0 {\n\t\treq.Header.Set(\"X-Vault-Wrap-TTL\", r.WrapTTL)\n\t}\n\n\tif len(r.MFAHeaderVals) != 0 {\n\t\tfor _, mfaHeaderVal := range r.MFAHeaderVals {\n\t\t\treq.Header.Add(\"X-Vault-MFA\", mfaHeaderVal)\n\t\t}\n\t}\n\n\tif r.PolicyOverride {\n\t\treq.Header.Set(\"X-Vault-Policy-Override\", \"true\")\n\t}\n\n\tif r.HCPCookie != nil {\n\t\treq.AddCookie(r.HCPCookie)\n\t}\n\n\treturn req, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/response.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n)\n\n// Response is a raw response that wraps an HTTP response.\ntype Response struct {\n\t*http.Response\n}\n\n// DecodeJSON will decode the response body to a JSON structure. This\n// will consume the response body, but will not close it. Close must\n// still be called.\nfunc (r *Response) DecodeJSON(out interface{}) error {\n\tdec := json.NewDecoder(r.Body)\n\tdec.UseNumber()\n\treturn dec.Decode(out)\n}\n\n// Error returns an error response if there is one. If there is an error,\n// this will fully consume the response body, but will not close it. The\n// body must still be closed manually.\nfunc (r *Response) Error() error {\n\t// 200 to 399 are okay status codes. 429 is the code for health status of\n\t// standby nodes, otherwise, 429 is treated as quota limit reached.\n\tif (r.StatusCode >= 200 && r.StatusCode < 400) || (r.StatusCode == 429 && r.Request.URL.Path == \"/v1/sys/health\") {\n\t\treturn nil\n\t}\n\n\t// We have an error. Let's copy the body into our own buffer first,\n\t// so that if we can't decode JSON, we can at least copy it raw.\n\tbodyBuf := &bytes.Buffer{}\n\tif _, err := io.Copy(bodyBuf, r.Body); err != nil {\n\t\treturn err\n\t}\n\n\tr.Body.Close()\n\tr.Body = io.NopCloser(bodyBuf)\n\tns := r.Header.Get(NamespaceHeaderName)\n\n\t// Build up the error object\n\trespErr := &ResponseError{\n\t\tHTTPMethod:    r.Request.Method,\n\t\tURL:           r.Request.URL.String(),\n\t\tStatusCode:    r.StatusCode,\n\t\tNamespacePath: ns,\n\t}\n\n\t// Decode the error response if we can. 
Note that we wrap the bodyBuf\n\t// in a bytes.Reader here so that the JSON decoder doesn't move the\n\t// read pointer for the original buffer.\n\tvar resp ErrorResponse\n\tdec := json.NewDecoder(bytes.NewReader(bodyBuf.Bytes()))\n\tdec.UseNumber()\n\tif err := dec.Decode(&resp); err != nil {\n\t\t// Store the fact that we couldn't decode the errors\n\t\trespErr.RawError = true\n\t\trespErr.Errors = []string{bodyBuf.String()}\n\t} else {\n\t\t// Store the decoded errors\n\t\trespErr.Errors = resp.Errors\n\t}\n\n\treturn respErr\n}\n\n// ErrorResponse is the raw structure of errors when they're returned by the\n// HTTP API.\ntype ErrorResponse struct {\n\tErrors []string\n}\n\n// ResponseError is the error returned when Vault responds with an error or\n// non-success HTTP status code. If a request to Vault fails because of a\n// network error a different error message will be returned. ResponseError gives\n// access to the underlying errors and status code.\ntype ResponseError struct {\n\t// HTTPMethod is the HTTP method for the request (PUT, GET, etc).\n\tHTTPMethod string\n\n\t// URL is the URL of the request.\n\tURL string\n\n\t// StatusCode is the HTTP status code.\n\tStatusCode int\n\n\t// RawError marks that the underlying error messages returned by Vault were\n\t// not parsable. 
The Errors slice will contain the raw response body as the\n\t// first and only error string if this value is set to true.\n\tRawError bool\n\n\t// Errors are the underlying errors returned by Vault.\n\tErrors []string\n\n\t// Namespace path to be reported to the client if it is set to anything other\n\t// than root\n\tNamespacePath string\n}\n\n// Error returns a human-readable error string for the response error.\nfunc (r *ResponseError) Error() string {\n\terrString := \"Errors\"\n\tif r.RawError {\n\t\terrString = \"Raw Message\"\n\t}\n\n\tvar ns string\n\tif r.NamespacePath != \"\" && r.NamespacePath != \"root/\" {\n\t\tns = \"Namespace: \" + r.NamespacePath + \"\\n\"\n\t}\n\n\tvar errBody bytes.Buffer\n\terrBody.WriteString(fmt.Sprintf(\n\t\t\"Error making API request.\\n\\n\"+\n\t\t\tns+\n\t\t\t\"URL: %s %s\\n\"+\n\t\t\t\"Code: %d. %s:\\n\\n\",\n\t\tr.HTTPMethod, r.URL, r.StatusCode, errString))\n\n\tif r.RawError && len(r.Errors) == 1 {\n\t\terrBody.WriteString(r.Errors[0])\n\t} else {\n\t\tfor _, err := range r.Errors {\n\t\t\terrBody.WriteString(fmt.Sprintf(\"* %s\", err))\n\t\t}\n\t}\n\n\treturn errBody.String()\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/secret.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"reflect\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/hashicorp/errwrap\"\n\t\"github.com/hashicorp/go-secure-stdlib/parseutil\"\n)\n\n// Secret is the structure returned for every secret within Vault.\ntype Secret struct {\n\t// The request ID that generated this response\n\tRequestID string `json:\"request_id\"`\n\n\tLeaseID       string `json:\"lease_id\"`\n\tLeaseDuration int    `json:\"lease_duration\"`\n\tRenewable     bool   `json:\"renewable\"`\n\n\t// Data is the actual contents of the secret. The format of the data\n\t// is arbitrary and up to the secret backend.\n\tData map[string]interface{} `json:\"data\"`\n\n\t// Warnings contains any warnings related to the operation. These\n\t// are not issues that caused the command to fail, but that the\n\t// client should be aware of.\n\tWarnings []string `json:\"warnings\"`\n\n\t// Auth, if non-nil, means that there was authentication information\n\t// attached to this response.\n\tAuth *SecretAuth `json:\"auth,omitempty\"`\n\n\t// WrapInfo, if non-nil, means that the initial response was wrapped in the\n\t// cubbyhole of the given token (which has a TTL of the given number of\n\t// seconds)\n\tWrapInfo *SecretWrapInfo `json:\"wrap_info,omitempty\"`\n\n\t// MountType, if non-empty, provides some information about what kind\n\t// of mount this secret came from.\n\tMountType string `json:\"mount_type,omitempty\"`\n}\n\n// TokenID returns the standardized token ID (token) for the given secret.\nfunc (s *Secret) TokenID() (string, error) {\n\tif s == nil {\n\t\treturn \"\", nil\n\t}\n\n\tif s.Auth != nil && len(s.Auth.ClientToken) > 0 {\n\t\treturn s.Auth.ClientToken, nil\n\t}\n\n\tif s.Data == nil || s.Data[\"id\"] == nil {\n\t\treturn \"\", nil\n\t}\n\n\tid, ok := s.Data[\"id\"].(string)\n\tif !ok {\n\t\treturn \"\", 
fmt.Errorf(\"token found but in the wrong format\")\n\t}\n\n\treturn id, nil\n}\n\n// TokenAccessor returns the standardized token accessor for the given secret.\n// If the secret is nil or does not contain an accessor, this returns the empty\n// string.\nfunc (s *Secret) TokenAccessor() (string, error) {\n\tif s == nil {\n\t\treturn \"\", nil\n\t}\n\n\tif s.Auth != nil && len(s.Auth.Accessor) > 0 {\n\t\treturn s.Auth.Accessor, nil\n\t}\n\n\tif s.Data == nil || s.Data[\"accessor\"] == nil {\n\t\treturn \"\", nil\n\t}\n\n\taccessor, ok := s.Data[\"accessor\"].(string)\n\tif !ok {\n\t\treturn \"\", fmt.Errorf(\"token found but in the wrong format\")\n\t}\n\n\treturn accessor, nil\n}\n\n// TokenRemainingUses returns the standardized remaining uses for the given\n// secret. If the secret is nil or does not contain the \"num_uses\", this\n// returns -1. On error, this will return -1 and a non-nil error.\nfunc (s *Secret) TokenRemainingUses() (int, error) {\n\tif s == nil || s.Data == nil || s.Data[\"num_uses\"] == nil {\n\t\treturn -1, nil\n\t}\n\n\treturn parseutil.SafeParseInt(s.Data[\"num_uses\"])\n}\n\n// TokenPolicies returns the standardized list of policies for the given secret.\n// If the secret is nil or does not contain any policies, this returns nil. 
It\n// also populates the secret's Auth info with identity/token policy info.\nfunc (s *Secret) TokenPolicies() ([]string, error) {\n\tif s == nil {\n\t\treturn nil, nil\n\t}\n\n\tif s.Auth != nil && len(s.Auth.Policies) > 0 {\n\t\treturn s.Auth.Policies, nil\n\t}\n\n\tif s.Data == nil || s.Data[\"policies\"] == nil {\n\t\treturn nil, nil\n\t}\n\n\tvar tokenPolicies []string\n\n\t// Token policies\n\t{\n\t\t_, ok := s.Data[\"policies\"]\n\t\tif !ok {\n\t\t\tgoto TOKEN_DONE\n\t\t}\n\n\t\tsList, ok := s.Data[\"policies\"].([]string)\n\t\tif ok {\n\t\t\ttokenPolicies = sList\n\t\t\tgoto TOKEN_DONE\n\t\t}\n\n\t\tlist, ok := s.Data[\"policies\"].([]interface{})\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"unable to convert token policies to expected format\")\n\t\t}\n\t\tfor _, v := range list {\n\t\t\tp, ok := v.(string)\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"unable to convert policy %v to string\", v)\n\t\t\t}\n\t\t\ttokenPolicies = append(tokenPolicies, p)\n\t\t}\n\t}\n\nTOKEN_DONE:\n\tvar identityPolicies []string\n\n\t// Identity policies\n\t{\n\t\tv, ok := s.Data[\"identity_policies\"]\n\t\tif !ok || v == nil {\n\t\t\tgoto DONE\n\t\t}\n\n\t\tif s.Data[\"identity_policies\"] == nil {\n\t\t\tgoto DONE\n\t\t}\n\n\t\tsList, ok := s.Data[\"identity_policies\"].([]string)\n\t\tif ok {\n\t\t\tidentityPolicies = sList\n\t\t\tgoto DONE\n\t\t}\n\n\t\tlist, ok := s.Data[\"identity_policies\"].([]interface{})\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"unable to convert identity policies to expected format\")\n\t\t}\n\t\tfor _, v := range list {\n\t\t\tp, ok := v.(string)\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"unable to convert policy %v to string\", v)\n\t\t\t}\n\t\t\tidentityPolicies = append(identityPolicies, p)\n\t\t}\n\t}\n\nDONE:\n\n\tif s.Auth == nil {\n\t\ts.Auth = &SecretAuth{}\n\t}\n\n\tpolicies := append(tokenPolicies, identityPolicies...)\n\n\ts.Auth.TokenPolicies = tokenPolicies\n\ts.Auth.IdentityPolicies = 
identityPolicies\n\ts.Auth.Policies = policies\n\n\treturn policies, nil\n}\n\n// TokenMetadata returns the map of metadata associated with this token, if any\n// exists. If the secret is nil or does not contain the \"metadata\" key, this\n// returns nil.\nfunc (s *Secret) TokenMetadata() (map[string]string, error) {\n\tif s == nil {\n\t\treturn nil, nil\n\t}\n\n\tif s.Auth != nil && len(s.Auth.Metadata) > 0 {\n\t\treturn s.Auth.Metadata, nil\n\t}\n\n\tif s.Data == nil || (s.Data[\"metadata\"] == nil && s.Data[\"meta\"] == nil) {\n\t\treturn nil, nil\n\t}\n\n\tdata, ok := s.Data[\"metadata\"].(map[string]interface{})\n\tif !ok {\n\t\tdata, ok = s.Data[\"meta\"].(map[string]interface{})\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"unable to convert metadata field to expected format\")\n\t\t}\n\t}\n\n\tmetadata := make(map[string]string, len(data))\n\tfor k, v := range data {\n\t\ttyped, ok := v.(string)\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"unable to convert metadata value %v to string\", v)\n\t\t}\n\t\tmetadata[k] = typed\n\t}\n\n\treturn metadata, nil\n}\n\n// TokenIsRenewable returns the standardized token renewability for the given\n// secret. 
If the secret is nil or does not contain the \"renewable\" key, this\n// returns false.\nfunc (s *Secret) TokenIsRenewable() (bool, error) {\n\tif s == nil {\n\t\treturn false, nil\n\t}\n\n\tif s.Auth != nil && s.Auth.Renewable {\n\t\treturn s.Auth.Renewable, nil\n\t}\n\n\tif s.Data == nil || s.Data[\"renewable\"] == nil {\n\t\treturn false, nil\n\t}\n\n\trenewable, err := parseutil.ParseBool(s.Data[\"renewable\"])\n\tif err != nil {\n\t\treturn false, errwrap.Wrapf(\"could not convert renewable value to a boolean: {{err}}\", err)\n\t}\n\n\treturn renewable, nil\n}\n\n// TokenTTL returns the standardized remaining token TTL for the given secret.\n// If the secret is nil or does not contain a TTL, this returns 0.\nfunc (s *Secret) TokenTTL() (time.Duration, error) {\n\tif s == nil {\n\t\treturn 0, nil\n\t}\n\n\tif s.Auth != nil && s.Auth.LeaseDuration > 0 {\n\t\treturn time.Duration(s.Auth.LeaseDuration) * time.Second, nil\n\t}\n\n\tif s.Data == nil || s.Data[\"ttl\"] == nil {\n\t\treturn 0, nil\n\t}\n\n\tttl, err := parseutil.ParseDurationSecond(s.Data[\"ttl\"])\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\treturn ttl, nil\n}\n\n// SecretWrapInfo contains wrapping information if we have it. 
If what is\n// contained is an authentication token, the accessor for the token will be\n// available in WrappedAccessor.\ntype SecretWrapInfo struct {\n\tToken           string    `json:\"token\"`\n\tAccessor        string    `json:\"accessor\"`\n\tTTL             int       `json:\"ttl\"`\n\tCreationTime    time.Time `json:\"creation_time\"`\n\tCreationPath    string    `json:\"creation_path\"`\n\tWrappedAccessor string    `json:\"wrapped_accessor\"`\n}\n\ntype MFAMethodID struct {\n\tType         string `json:\"type,omitempty\"`\n\tID           string `json:\"id,omitempty\"`\n\tUsesPasscode bool   `json:\"uses_passcode,omitempty\"`\n\tName         string `json:\"name,omitempty\"`\n\t// SelfEnrollmentEnabled indicates whether the user does not yet have an MFA\n\t// secret for this method and self-enrollment is enabled for it. Clients (like the UI) can use\n\t// this to determine whether to offer the user a way to generate an MFA secret\n\t// for this method.\n\tSelfEnrollmentEnabled bool `json:\"self_enrollment_enabled,omitempty\"`\n}\n\ntype MFAConstraintAny struct {\n\tAny []*MFAMethodID `json:\"any,omitempty\"`\n}\n\ntype MFARequirement struct {\n\tMFARequestID   string                       `json:\"mfa_request_id,omitempty\"`\n\tMFAConstraints map[string]*MFAConstraintAny `json:\"mfa_constraints,omitempty\"`\n}\n\n// SecretAuth is the structure containing auth information if we have it.\ntype SecretAuth struct {\n\tClientToken      string            `json:\"client_token\"`\n\tAccessor         string            `json:\"accessor\"`\n\tPolicies         []string          `json:\"policies\"`\n\tTokenPolicies    []string          `json:\"token_policies\"`\n\tIdentityPolicies []string          `json:\"identity_policies\"`\n\tMetadata         map[string]string `json:\"metadata\"`\n\tOrphan           bool              `json:\"orphan\"`\n\tEntityID         string            `json:\"entity_id\"`\n\n\tLeaseDuration int  `json:\"lease_duration\"`\n\tRenewable     bool 
`json:\"renewable\"`\n\n\tMFARequirement *MFARequirement `json:\"mfa_requirement\"`\n}\n\n// ParseSecret is used to parse a secret value from JSON from an io.Reader.\nfunc ParseSecret(r io.Reader) (*Secret, error) {\n\t// First read the data into a buffer. Not super efficient but we want to\n\t// know if we actually have a body or not.\n\tvar buf bytes.Buffer\n\n\t// io.Reader is treated like a stream and cannot be read\n\t// multiple times. Duplicating this stream using TeeReader\n\t// to use this data in case there is no top-level data from\n\t// api response\n\tvar teebuf bytes.Buffer\n\ttee := io.TeeReader(r, &teebuf)\n\n\t_, err := buf.ReadFrom(tee)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif buf.Len() == 0 {\n\t\treturn nil, nil\n\t}\n\n\t// First decode the JSON into a map[string]interface{}\n\tvar secret Secret\n\tdec := json.NewDecoder(&buf)\n\tdec.UseNumber()\n\tif err := dec.Decode(&secret); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// If the secret is null, add raw data to secret data if present\n\tif reflect.DeepEqual(secret, Secret{}) {\n\t\tdata := make(map[string]interface{})\n\t\tdec := json.NewDecoder(&teebuf)\n\t\tdec.UseNumber()\n\t\tif err := dec.Decode(&data); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\terrRaw, errPresent := data[\"errors\"]\n\n\t\t// if only errors are present in the resp.Body return nil\n\t\t// to return value not found as it does not have any raw data\n\t\tif len(data) == 1 && errPresent {\n\t\t\treturn nil, nil\n\t\t}\n\n\t\t// if errors are present along with raw data return the error\n\t\tif errPresent {\n\t\t\tvar errStrArray []string\n\t\t\terrBytes, err := json.Marshal(errRaw)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tif err := json.Unmarshal(errBytes, &errStrArray); err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\treturn nil, errors.New(strings.Join(errStrArray, \" \"))\n\t\t}\n\n\t\t// if any raw data is present in resp.Body, add it to secret\n\t\tif len(data) > 0 
{\n\t\t\tsecret.Data = data\n\t\t}\n\t}\n\n\treturn &secret, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/ssh.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n)\n\n// SSH is used to return a client to invoke operations on SSH backend.\ntype SSH struct {\n\tc          *Client\n\tMountPoint string\n}\n\n// SSH returns the client for logical-backend API calls.\nfunc (c *Client) SSH() *SSH {\n\treturn c.SSHWithMountPoint(SSHHelperDefaultMountPoint)\n}\n\n// SSHWithMountPoint returns the client with specific SSH mount point.\nfunc (c *Client) SSHWithMountPoint(mountPoint string) *SSH {\n\treturn &SSH{\n\t\tc:          c,\n\t\tMountPoint: mountPoint,\n\t}\n}\n\n// Credential wraps CredentialWithContext using context.Background.\nfunc (c *SSH) Credential(role string, data map[string]interface{}) (*Secret, error) {\n\treturn c.CredentialWithContext(context.Background(), role, data)\n}\n\n// CredentialWithContext invokes the SSH backend API to create a credential to establish an SSH session.\nfunc (c *SSH) CredentialWithContext(ctx context.Context, role string, data map[string]interface{}) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, fmt.Sprintf(\"/v1/%s/creds/%s\", c.MountPoint, role))\n\tif err := r.SetJSONBody(data); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\n// SignKey wraps SignKeyWithContext using context.Background.\nfunc (c *SSH) SignKey(role string, data map[string]interface{}) (*Secret, error) {\n\treturn c.SignKeyWithContext(context.Background(), role, data)\n}\n\n// SignKeyWithContext signs the given public key and returns a signed public key to pass\n// along with the SSH request.\nfunc (c *SSH) SignKeyWithContext(ctx context.Context, role string, data map[string]interface{}) (*Secret, error) {\n\tctx, cancelFunc := 
c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, fmt.Sprintf(\"/v1/%s/sign/%s\", c.MountPoint, role))\n\tif err := r.SetJSONBody(data); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/ssh_agent.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"net/http\"\n\t\"os\"\n\n\t\"github.com/hashicorp/errwrap\"\n\tcleanhttp \"github.com/hashicorp/go-cleanhttp\"\n\tmultierror \"github.com/hashicorp/go-multierror\"\n\trootcerts \"github.com/hashicorp/go-rootcerts\"\n\t\"github.com/hashicorp/hcl\"\n\t\"github.com/hashicorp/hcl/hcl/ast\"\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nconst (\n\t// SSHHelperDefaultMountPoint is the default path at which SSH backend will be\n\t// mounted in the Vault server.\n\tSSHHelperDefaultMountPoint = \"ssh\"\n\n\t// VerifyEchoRequest is the echo request message sent as OTP by the helper.\n\tVerifyEchoRequest = \"verify-echo-request\"\n\n\t// VerifyEchoResponse is the echo response message sent as a response to OTP\n\t// matching echo request.\n\tVerifyEchoResponse = \"verify-echo-response\"\n)\n\n// SSHHelper is a structure representing a vault-ssh-helper which can talk to vault server\n// in order to verify the OTP entered by the user. It contains the path at which\n// SSH backend is mounted at the server.\ntype SSHHelper struct {\n\tc          *Client\n\tMountPoint string\n}\n\n// SSHVerifyResponse is a structure representing the fields in Vault server's\n// response.\ntype SSHVerifyResponse struct {\n\t// Usually empty. 
If the request OTP is echo request message, this will\n\t// be set to the corresponding echo response message.\n\tMessage string `json:\"message\" mapstructure:\"message\"`\n\n\t// Username associated with the OTP\n\tUsername string `json:\"username\" mapstructure:\"username\"`\n\n\t// IP associated with the OTP\n\tIP string `json:\"ip\" mapstructure:\"ip\"`\n\n\t// Name of the role against which the OTP was issued\n\tRoleName string `json:\"role_name\" mapstructure:\"role_name\"`\n}\n\n// SSHHelperConfig is a structure which represents the entries from the vault-ssh-helper's configuration file.\ntype SSHHelperConfig struct {\n\tVaultAddr       string `hcl:\"vault_addr\"`\n\tSSHMountPoint   string `hcl:\"ssh_mount_point\"`\n\tNamespace       string `hcl:\"namespace\"`\n\tCACert          string `hcl:\"ca_cert\"`\n\tCAPath          string `hcl:\"ca_path\"`\n\tAllowedCidrList string `hcl:\"allowed_cidr_list\"`\n\tAllowedRoles    string `hcl:\"allowed_roles\"`\n\tTLSSkipVerify   bool   `hcl:\"tls_skip_verify\"`\n\tTLSServerName   string `hcl:\"tls_server_name\"`\n}\n\n// SetTLSParameters sets the TLS parameters for this SSH agent.\nfunc (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) {\n\ttlsConfig := &tls.Config{\n\t\tInsecureSkipVerify: c.TLSSkipVerify,\n\t\tMinVersion:         tls.VersionTLS12,\n\t\tRootCAs:            certPool,\n\t\tServerName:         c.TLSServerName,\n\t}\n\n\ttransport := cleanhttp.DefaultTransport()\n\ttransport.TLSClientConfig = tlsConfig\n\tclientConfig.HttpClient.Transport = transport\n}\n\n// Returns true if any of the following conditions are true:\n//   - CA cert is configured\n//   - CA path is configured\n//   - configured to skip certificate verification\n//   - TLS server name is configured\nfunc (c *SSHHelperConfig) shouldSetTLSParameters() bool {\n\treturn c.CACert != \"\" || c.CAPath != \"\" || c.TLSServerName != \"\" || c.TLSSkipVerify\n}\n\n// NewClient returns a new client for the 
configuration. This client will be used by the\n// vault-ssh-helper to communicate with Vault server and verify the OTP entered by user.\n// If the configuration supplies Vault SSL certificates, then the client will\n// have TLS configured in its transport.\nfunc (c *SSHHelperConfig) NewClient() (*Client, error) {\n\t// Creating a default client configuration for communicating with vault server.\n\tclientConfig := DefaultConfig()\n\n\t// Pointing the client to the actual address of vault server.\n\tclientConfig.Address = c.VaultAddr\n\n\t// Check if certificates are provided via config file.\n\tif c.shouldSetTLSParameters() {\n\t\trootConfig := &rootcerts.Config{\n\t\t\tCAFile: c.CACert,\n\t\t\tCAPath: c.CAPath,\n\t\t}\n\t\tcertPool, err := rootcerts.LoadCACerts(rootConfig)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\t// Enable TLS on the HTTP client information\n\t\tc.SetTLSParameters(clientConfig, certPool)\n\t}\n\n\t// Creating the client object for the given configuration\n\tclient, err := NewClient(clientConfig)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Configure namespace\n\tif c.Namespace != \"\" {\n\t\tclient.SetNamespace(c.Namespace)\n\t}\n\n\treturn client, nil\n}\n\n// LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding\n// in-memory structure.\n//\n// Vault address is a required parameter.\n// Mount point defaults to \"ssh\".\nfunc LoadSSHHelperConfig(path string) (*SSHHelperConfig, error) {\n\tcontents, err := ioutil.ReadFile(path)\n\tif err != nil && !os.IsNotExist(err) {\n\t\treturn nil, multierror.Prefix(err, \"ssh_helper:\")\n\t}\n\treturn ParseSSHHelperConfig(string(contents))\n}\n\n// ParseSSHHelperConfig parses the given contents as a string for the SSHHelper\n// configuration.\nfunc ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) {\n\t// TODO (HCL_DUP_KEYS_DEPRECATION): replace with simple call to hcl.Parse once deprecation of duplicate attributes\n\t// is 
over, for now just ignore duplicates\n\troot, _, err := parseAndCheckForDuplicateHclAttributes(contents)\n\tif err != nil {\n\t\treturn nil, errwrap.Wrapf(\"error parsing config: {{err}}\", err)\n\t}\n\n\tlist, ok := root.Node.(*ast.ObjectList)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"error parsing config: file doesn't contain a root object\")\n\t}\n\n\tvalid := []string{\n\t\t\"vault_addr\",\n\t\t\"ssh_mount_point\",\n\t\t\"namespace\",\n\t\t\"ca_cert\",\n\t\t\"ca_path\",\n\t\t\"allowed_cidr_list\",\n\t\t\"allowed_roles\",\n\t\t\"tls_skip_verify\",\n\t\t\"tls_server_name\",\n\t}\n\tif err := CheckHCLKeys(list, valid); err != nil {\n\t\treturn nil, multierror.Prefix(err, \"ssh_helper:\")\n\t}\n\n\tvar c SSHHelperConfig\n\tc.SSHMountPoint = SSHHelperDefaultMountPoint\n\tif err := hcl.DecodeObject(&c, list); err != nil {\n\t\treturn nil, multierror.Prefix(err, \"ssh_helper:\")\n\t}\n\n\tif c.VaultAddr == \"\" {\n\t\treturn nil, fmt.Errorf(`missing config \"vault_addr\"`)\n\t}\n\treturn &c, nil\n}\n\nfunc CheckHCLKeys(node ast.Node, valid []string) error {\n\tvar list *ast.ObjectList\n\tswitch n := node.(type) {\n\tcase *ast.ObjectList:\n\t\tlist = n\n\tcase *ast.ObjectType:\n\t\tlist = n.List\n\tdefault:\n\t\treturn fmt.Errorf(\"cannot check HCL keys of type %T\", n)\n\t}\n\n\tvalidMap := make(map[string]struct{}, len(valid))\n\tfor _, v := range valid {\n\t\tvalidMap[v] = struct{}{}\n\t}\n\n\tvar result error\n\tfor _, item := range list.Items {\n\t\tkey := item.Keys[0].Token.Value().(string)\n\t\tif _, ok := validMap[key]; !ok {\n\t\t\tresult = multierror.Append(result, fmt.Errorf(\"invalid key %q on line %d\", key, item.Assign.Line))\n\t\t}\n\t}\n\n\treturn result\n}\n\n// SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend\n// mounted at default path (\"ssh\").\nfunc (c *Client) SSHHelper() *SSHHelper {\n\treturn c.SSHHelperWithMountPoint(SSHHelperDefaultMountPoint)\n}\n\n// SSHHelperWithMountPoint creates an SSHHelper object 
which can talk to Vault server with SSH backend\n// mounted at a specific mount point.\nfunc (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper {\n\treturn &SSHHelper{\n\t\tc:          c,\n\t\tMountPoint: mountPoint,\n\t}\n}\n\n// Verify verifies if the key provided by user is present in Vault server. The response\n// will contain the IP address and username associated with the OTP. In case the\n// OTP matches the echo request message, instead of searching an entry for the OTP,\n// an echo response message is returned. This feature is used by ssh-helper to verify if\n// it is configured correctly.\nfunc (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error) {\n\treturn c.VerifyWithContext(context.Background(), otp)\n}\n\n// VerifyWithContext is the same as Verify but with a custom context.\n// It returns (nil, nil) when the response carries no data, so a nil error alone\n// does not mean the OTP was verified; callers must also check the response for nil.\n// NOTE(review): secret is dereferenced without a nil check here, unlike the\n// `secret == nil || secret.Data == nil` guard used by the Sys methods in this\n// package; confirm ParseSecret cannot return a nil secret on this path.\nfunc (c *SSHHelper) VerifyWithContext(ctx context.Context, otp string) (*SSHVerifyResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tdata := map[string]interface{}{\n\t\t\"otp\": otp,\n\t}\n\tverifyPath := fmt.Sprintf(\"/v1/%s/verify\", c.MountPoint)\n\tr := c.c.NewRequest(http.MethodPut, verifyPath)\n\tif err := r.SetJSONBody(data); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif secret.Data == nil {\n\t\treturn nil, nil\n\t}\n\n\tvar verifyResp SSHVerifyResponse\n\terr = mapstructure.Decode(secret.Data, &verifyResp)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &verifyResp, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sudo_paths.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"regexp\"\n)\n\n// sudoPaths is a map containing the paths that require a token's policy\n// to have the \"sudo\" capability. The keys are the paths as strings, in\n// the same format as they are returned by the OpenAPI spec. The values\n// are the regular expressions that can be used to test whether a given\n// path matches that path or not (useful specifically for the paths that\n// contain templated fields.)\nvar sudoPaths = map[string]*regexp.Regexp{\n\t\"/auth/token/accessors\":                         regexp.MustCompile(`^/auth/token/accessors/?$`),\n\t\"/auth/token/revoke-orphan\":                     regexp.MustCompile(`^/auth/token/revoke-orphan$`),\n\t\"/pki/root\":                                     regexp.MustCompile(`^/pki/root$`),\n\t\"/pki/root/sign-self-issued\":                    regexp.MustCompile(`^/pki/root/sign-self-issued$`),\n\t\"/sys/audit\":                                    regexp.MustCompile(`^/sys/audit$`),\n\t\"/sys/audit/{path}\":                             regexp.MustCompile(`^/sys/audit/.+$`),\n\t\"/sys/auth/{path}\":                              regexp.MustCompile(`^/sys/auth/.+$`),\n\t\"/sys/auth/{path}/tune\":                         regexp.MustCompile(`^/sys/auth/.+/tune$`),\n\t\"/sys/config/auditing/request-headers\":          regexp.MustCompile(`^/sys/config/auditing/request-headers$`),\n\t\"/sys/config/auditing/request-headers/{header}\": regexp.MustCompile(`^/sys/config/auditing/request-headers/.+$`),\n\t\"/sys/config/cors\":                              regexp.MustCompile(`^/sys/config/cors$`),\n\t\"/sys/config/ui/headers\":                        regexp.MustCompile(`^/sys/config/ui/headers/?$`),\n\t\"/sys/config/ui/headers/{header}\":               regexp.MustCompile(`^/sys/config/ui/headers/.+$`),\n\t\"/sys/internal/inspect/router/{tag}\":            
regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),\n\t\"/sys/internal/counters/activity/export\":        regexp.MustCompile(`^/sys/internal/counters/activity/export$`),\n\t\"/sys/leases\":                                   regexp.MustCompile(`^/sys/leases$`),\n\t// This entry is a bit wrong... sys/leases/lookup does NOT require sudo. But sys/leases/lookup/ with a trailing\n\t// slash DOES require sudo. But the part of the Vault CLI that uses this logic doesn't pass operation-appropriate\n\t// trailing slashes, it always strips them off, so we end up giving the wrong answer for one of these.\n\t\"/sys/leases/lookup/{prefix}\":                 regexp.MustCompile(`^/sys/leases/lookup(?:/.+)?$`),\n\t\"/sys/leases/revoke-force/{prefix}\":           regexp.MustCompile(`^/sys/leases/revoke-force/.+$`),\n\t\"/sys/leases/revoke-prefix/{prefix}\":          regexp.MustCompile(`^/sys/leases/revoke-prefix/.+$`),\n\t\"/sys/plugins/catalog/{name}\":                 regexp.MustCompile(`^/sys/plugins/catalog/[^/]+$`),\n\t\"/sys/plugins/catalog/{type}\":                 regexp.MustCompile(`^/sys/plugins/catalog/[\\w-]+$`),\n\t\"/sys/plugins/catalog/{type}/{name}\":          regexp.MustCompile(`^/sys/plugins/catalog/[\\w-]+/[^/]+$`),\n\t\"/sys/plugins/runtimes/catalog\":               regexp.MustCompile(`^/sys/plugins/runtimes/catalog/?$`),\n\t\"/sys/plugins/runtimes/catalog/{type}/{name}\": regexp.MustCompile(`^/sys/plugins/runtimes/catalog/[\\w-]+/[^/]+$`),\n\t\"/sys/raw/{path}\":                             regexp.MustCompile(`^/sys/raw(?:/.+)?$`),\n\t\"/sys/remount\":                                regexp.MustCompile(`^/sys/remount$`),\n\t\"/sys/revoke-force/{prefix}\":                  regexp.MustCompile(`^/sys/revoke-force/.+$`),\n\t\"/sys/revoke-prefix/{prefix}\":                 regexp.MustCompile(`^/sys/revoke-prefix/.+$`),\n\t\"/sys/rotate\":                                 regexp.MustCompile(`^/sys/rotate$`),\n\t\"/sys/seal\":                                   
regexp.MustCompile(`^/sys/seal$`),\n\t\"/sys/step-down\":                              regexp.MustCompile(`^/sys/step-down$`),\n\n\t// enterprise-only paths\n\t\"/sys/replication/dr/primary/secondary-token\":          regexp.MustCompile(`^/sys/replication/dr/primary/secondary-token$`),\n\t\"/sys/replication/performance/primary/secondary-token\": regexp.MustCompile(`^/sys/replication/performance/primary/secondary-token$`),\n\t\"/sys/replication/primary/secondary-token\":             regexp.MustCompile(`^/sys/replication/primary/secondary-token$`),\n\t\"/sys/replication/reindex\":                             regexp.MustCompile(`^/sys/replication/reindex$`),\n\t\"/sys/storage/raft/snapshot-auto/config\":               regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/?$`),\n\t\"/sys/storage/raft/snapshot-auto/config/{name}\":        regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/[^/]+$`),\n}\n\nfunc SudoPaths() map[string]*regexp.Regexp {\n\treturn sudoPaths\n}\n\n// Determine whether the given path requires the sudo capability.\n// Note that this uses hardcoded static path information, so will return incorrect results for paths in namespaces,\n// or for secret engines mounted at non-default paths.\n// Expects to receive a path with an initial slash, but no trailing slashes, as the Vault CLI (the only known and\n// expected user of this function) sanitizes its paths that way.\nfunc IsSudoPath(path string) bool {\n\t// Return early if the path is any of the non-templated sudo paths.\n\tif _, ok := sudoPaths[path]; ok {\n\t\treturn true\n\t}\n\n\t// Some sudo paths have templated fields in them.\n\t// (e.g. /sys/revoke-prefix/{prefix})\n\t// The values in the sudoPaths map are actually regular expressions,\n\t// so we can check if our path matches against them.\n\tfor _, sudoPathRegexp := range sudoPaths {\n\t\tmatch := sudoPathRegexp.MatchString(path)\n\t\tif match {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\n// Sys is used to perform system-related operations on Vault.\ntype Sys struct {\n\tc *Client\n}\n\n// Sys is used to return the client for sys-related API calls.\nfunc (c *Client) Sys() *Sys {\n\treturn &Sys{c: c}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_audit.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nfunc (c *Sys) AuditHash(path string, input string) (string, error) {\n\treturn c.AuditHashWithContext(context.Background(), path, input)\n}\n\nfunc (c *Sys) AuditHashWithContext(ctx context.Context, path string, input string) (string, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"input\": input,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPut, fmt.Sprintf(\"/v1/sys/audit-hash/%s\", path))\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn \"\", err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn \"\", errors.New(\"data from server response is empty\")\n\t}\n\n\thash, ok := secret.Data[\"hash\"]\n\tif !ok {\n\t\treturn \"\", errors.New(\"hash not found in response data\")\n\t}\n\thashStr, ok := hash.(string)\n\tif !ok {\n\t\treturn \"\", errors.New(\"could not parse hash in response data\")\n\t}\n\n\treturn hashStr, nil\n}\n\nfunc (c *Sys) ListAudit() (map[string]*Audit, error) {\n\treturn c.ListAuditWithContext(context.Background())\n}\n\nfunc (c *Sys) ListAuditWithContext(ctx context.Context) (map[string]*Audit, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/audit\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data 
from server response is empty\")\n\t}\n\n\tmounts := map[string]*Audit{}\n\terr = mapstructure.Decode(secret.Data, &mounts)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn mounts, nil\n}\n\n// DEPRECATED: Use EnableAuditWithOptions instead\nfunc (c *Sys) EnableAudit(\n\tpath string, auditType string, desc string, opts map[string]string,\n) error {\n\treturn c.EnableAuditWithOptions(path, &EnableAuditOptions{\n\t\tType:        auditType,\n\t\tDescription: desc,\n\t\tOptions:     opts,\n\t})\n}\n\nfunc (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) error {\n\treturn c.EnableAuditWithOptionsWithContext(context.Background(), path, options)\n}\n\nfunc (c *Sys) EnableAuditWithOptionsWithContext(ctx context.Context, path string, options *EnableAuditOptions) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, fmt.Sprintf(\"/v1/sys/audit/%s\", path))\n\tif err := r.SetJSONBody(options); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\nfunc (c *Sys) DisableAudit(path string) error {\n\treturn c.DisableAuditWithContext(context.Background(), path)\n}\n\nfunc (c *Sys) DisableAuditWithContext(ctx context.Context, path string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, fmt.Sprintf(\"/v1/sys/audit/%s\", path))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\n// Structures for the requests/response are all down here. They aren't\n// individually documented because they map almost directly to the raw HTTP API\n// documentation. 
Please refer to that documentation for more details.\n\ntype EnableAuditOptions struct {\n\tType        string            `json:\"type\" mapstructure:\"type\"`\n\tDescription string            `json:\"description\" mapstructure:\"description\"`\n\tOptions     map[string]string `json:\"options\" mapstructure:\"options\"`\n\tLocal       bool              `json:\"local\" mapstructure:\"local\"`\n}\n\ntype Audit struct {\n\tType        string            `json:\"type\" mapstructure:\"type\"`\n\tDescription string            `json:\"description\" mapstructure:\"description\"`\n\tOptions     map[string]string `json:\"options\" mapstructure:\"options\"`\n\tLocal       bool              `json:\"local\" mapstructure:\"local\"`\n\tPath        string            `json:\"path\" mapstructure:\"path\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_auth.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nfunc (c *Sys) GetAuth(path string) (*AuthMount, error) {\n\treturn c.GetAuthWithContext(context.Background(), path)\n}\n\nfunc (c *Sys) GetAuthWithContext(ctx context.Context, path string) (*AuthMount, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\t// use `sys/mounts/auth/:path` so we don't require sudo permissions\n\t// historically, `sys/auth` doesn't require sudo, so we don't require it here either\n\tr := c.c.NewRequest(http.MethodGet, fmt.Sprintf(\"/v1/sys/mounts/auth/%s\", path))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tmount := AuthMount{}\n\terr = mapstructure.Decode(secret.Data, &mount)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &mount, nil\n}\n\nfunc (c *Sys) ListAuth() (map[string]*AuthMount, error) {\n\treturn c.ListAuthWithContext(context.Background())\n}\n\nfunc (c *Sys) ListAuthWithContext(ctx context.Context) (map[string]*AuthMount, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/auth\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tmounts := map[string]*AuthMount{}\n\terr = mapstructure.Decode(secret.Data, &mounts)\n\tif err 
!= nil {\n\t\treturn nil, err\n\t}\n\n\treturn mounts, nil\n}\n\n// DEPRECATED: Use EnableAuthWithOptions instead\nfunc (c *Sys) EnableAuth(path, authType, desc string) error {\n\treturn c.EnableAuthWithOptions(path, &EnableAuthOptions{\n\t\tType:        authType,\n\t\tDescription: desc,\n\t})\n}\n\nfunc (c *Sys) EnableAuthWithOptions(path string, options *EnableAuthOptions) error {\n\treturn c.EnableAuthWithOptionsWithContext(context.Background(), path, options)\n}\n\nfunc (c *Sys) EnableAuthWithOptionsWithContext(ctx context.Context, path string, options *EnableAuthOptions) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, fmt.Sprintf(\"/v1/sys/auth/%s\", path))\n\tif err := r.SetJSONBody(options); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\nfunc (c *Sys) DisableAuth(path string) error {\n\treturn c.DisableAuthWithContext(context.Background(), path)\n}\n\nfunc (c *Sys) DisableAuthWithContext(ctx context.Context, path string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, fmt.Sprintf(\"/v1/sys/auth/%s\", path))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\n// Rather than duplicate, we can use modern Go's type aliasing\ntype (\n\tEnableAuthOptions = MountInput\n\tAuthConfigInput   = MountConfigInput\n\tAuthMount         = MountOutput\n\tAuthConfigOutput  = MountConfigOutput\n)\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_capabilities.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nfunc (c *Sys) CapabilitiesSelf(path string) ([]string, error) {\n\treturn c.CapabilitiesSelfWithContext(context.Background(), path)\n}\n\nfunc (c *Sys) CapabilitiesSelfWithContext(ctx context.Context, path string) ([]string, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\treturn c.CapabilitiesWithContext(ctx, c.c.Token(), path)\n}\n\nfunc (c *Sys) Capabilities(token, path string) ([]string, error) {\n\treturn c.CapabilitiesWithContext(context.Background(), token, path)\n}\n\nfunc (c *Sys) CapabilitiesWithContext(ctx context.Context, token, path string) ([]string, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]string{\n\t\t\"token\": token,\n\t\t\"path\":  path,\n\t}\n\n\treqPath := \"/v1/sys/capabilities\"\n\tif token == c.c.Token() {\n\t\treqPath = fmt.Sprintf(\"%s-self\", reqPath)\n\t}\n\n\tr := c.c.NewRequest(http.MethodPost, reqPath)\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar res []string\n\terr = mapstructure.Decode(secret.Data[path], &res)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif len(res) == 0 {\n\t\t_, ok := secret.Data[\"capabilities\"]\n\t\tif ok {\n\t\t\terr = mapstructure.Decode(secret.Data[\"capabilities\"], &res)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t}\n\n\treturn res, nil\n}\n\nfunc (c *Sys) CapabilitiesAccessor(accessor, path string) 
([]string, error) {\n\treturn c.CapabilitiesAccessorWithContext(context.Background(), accessor, path)\n}\n\nfunc (c *Sys) CapabilitiesAccessorWithContext(ctx context.Context, accessor, path string) ([]string, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]string{\n\t\t\"accessor\": accessor,\n\t\t\"path\":     path,\n\t}\n\n\treqPath := \"/v1/sys/capabilities-accessor\"\n\n\tr := c.c.NewRequest(http.MethodPost, reqPath)\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar res []string\n\terr = mapstructure.Decode(secret.Data[path], &res)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif len(res) == 0 {\n\t\t_, ok := secret.Data[\"capabilities\"]\n\t\tif ok {\n\t\t\terr = mapstructure.Decode(secret.Data[\"capabilities\"], &res)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t}\n\n\treturn res, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_config_cors.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nfunc (c *Sys) CORSStatus() (*CORSResponse, error) {\n\treturn c.CORSStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) CORSStatusWithContext(ctx context.Context) (*CORSResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/config/cors\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result CORSResponse\n\terr = mapstructure.Decode(secret.Data, &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\nfunc (c *Sys) ConfigureCORS(req *CORSRequest) error {\n\treturn c.ConfigureCORSWithContext(context.Background(), req)\n}\n\nfunc (c *Sys) ConfigureCORSWithContext(ctx context.Context, req *CORSRequest) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/config/cors\")\n\tif err := r.SetJSONBody(req); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) DisableCORS() error {\n\treturn c.DisableCORSWithContext(context.Background())\n}\n\nfunc (c *Sys) DisableCORSWithContext(ctx context.Context) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/sys/config/cors\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn 
err\n}\n\ntype CORSRequest struct {\n\tAllowedOrigins []string `json:\"allowed_origins\" mapstructure:\"allowed_origins\"`\n\tAllowedHeaders []string `json:\"allowed_headers\" mapstructure:\"allowed_headers\"`\n\tEnabled        bool     `json:\"enabled\" mapstructure:\"enabled\"`\n}\n\ntype CORSResponse struct {\n\tAllowedOrigins []string `json:\"allowed_origins\" mapstructure:\"allowed_origins\"`\n\tAllowedHeaders []string `json:\"allowed_headers\" mapstructure:\"allowed_headers\"`\n\tEnabled        bool     `json:\"enabled\" mapstructure:\"enabled\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_generate_root.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"net/http\"\n)\n\nfunc (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateRootStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) GenerateDROperationTokenStatus() (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateDROperationTokenStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) GenerateRecoveryOperationTokenStatus() (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateRecoveryOperationTokenStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) GenerateRootStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootStatusCommonWithContext(ctx, \"/v1/sys/generate-root/attempt\")\n}\n\nfunc (c *Sys) GenerateDROperationTokenStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootStatusCommonWithContext(ctx, \"/v1/sys/replication/dr/secondary/generate-operation-token/attempt\")\n}\n\nfunc (c *Sys) GenerateRecoveryOperationTokenStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootStatusCommonWithContext(ctx, \"/v1/sys/generate-recovery-token/attempt\")\n}\n\nfunc (c *Sys) generateRootStatusCommonWithContext(ctx context.Context, path string) (*GenerateRootStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, path)\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result GenerateRootStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateRootInitWithContext(context.Background(), otp, pgpKey)\n}\n\nfunc (c *Sys) 
GenerateDROperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateDROperationTokenInitWithContext(context.Background(), otp, pgpKey)\n}\n\nfunc (c *Sys) GenerateRecoveryOperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateRecoveryOperationTokenInitWithContext(context.Background(), otp, pgpKey)\n}\n\nfunc (c *Sys) GenerateRootInitWithContext(ctx context.Context, otp, pgpKey string) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootInitCommonWithContext(ctx, \"/v1/sys/generate-root/attempt\", otp, pgpKey)\n}\n\nfunc (c *Sys) GenerateDROperationTokenInitWithContext(ctx context.Context, otp, pgpKey string) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootInitCommonWithContext(ctx, \"/v1/sys/replication/dr/secondary/generate-operation-token/attempt\", otp, pgpKey)\n}\n\nfunc (c *Sys) GenerateRecoveryOperationTokenInitWithContext(ctx context.Context, otp, pgpKey string) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootInitCommonWithContext(ctx, \"/v1/sys/generate-recovery-token/attempt\", otp, pgpKey)\n}\n\nfunc (c *Sys) generateRootInitCommonWithContext(ctx context.Context, path, otp, pgpKey string) (*GenerateRootStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"otp\":     otp,\n\t\t\"pgp_key\": pgpKey,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPut, path)\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result GenerateRootStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) GenerateRootCancel() error {\n\treturn c.GenerateRootCancelWithContext(context.Background())\n}\n\nfunc (c *Sys) GenerateDROperationTokenCancel() error {\n\treturn 
c.GenerateDROperationTokenCancelWithContext(context.Background())\n}\n\nfunc (c *Sys) GenerateRecoveryOperationTokenCancel() error {\n\treturn c.GenerateRecoveryOperationTokenCancelWithContext(context.Background())\n}\n\nfunc (c *Sys) GenerateRootCancelWithContext(ctx context.Context) error {\n\treturn c.generateRootCancelCommonWithContext(ctx, \"/v1/sys/generate-root/attempt\")\n}\n\nfunc (c *Sys) GenerateDROperationTokenCancelWithContext(ctx context.Context) error {\n\treturn c.generateRootCancelCommonWithContext(ctx, \"/v1/sys/replication/dr/secondary/generate-operation-token/attempt\")\n}\n\nfunc (c *Sys) GenerateRecoveryOperationTokenCancelWithContext(ctx context.Context) error {\n\treturn c.generateRootCancelCommonWithContext(ctx, \"/v1/sys/generate-recovery-token/attempt\")\n}\n\nfunc (c *Sys) generateRootCancelCommonWithContext(ctx context.Context, path string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, path)\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateRootUpdateWithContext(context.Background(), shard, nonce)\n}\n\nfunc (c *Sys) GenerateDROperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateDROperationTokenUpdateWithContext(context.Background(), shard, nonce)\n}\n\nfunc (c *Sys) GenerateRecoveryOperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error) {\n\treturn c.GenerateRecoveryOperationTokenUpdateWithContext(context.Background(), shard, nonce)\n}\n\nfunc (c *Sys) GenerateRootUpdateWithContext(ctx context.Context, shard, nonce string) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootUpdateCommonWithContext(ctx, \"/v1/sys/generate-root/update\", shard, nonce)\n}\n\nfunc (c *Sys) 
GenerateDROperationTokenUpdateWithContext(ctx context.Context, shard, nonce string) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootUpdateCommonWithContext(ctx, \"/v1/sys/replication/dr/secondary/generate-operation-token/update\", shard, nonce)\n}\n\nfunc (c *Sys) GenerateRecoveryOperationTokenUpdateWithContext(ctx context.Context, shard, nonce string) (*GenerateRootStatusResponse, error) {\n\treturn c.generateRootUpdateCommonWithContext(ctx, \"/v1/sys/generate-recovery-token/update\", shard, nonce)\n}\n\nfunc (c *Sys) generateRootUpdateCommonWithContext(ctx context.Context, path, shard, nonce string) (*GenerateRootStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"key\":   shard,\n\t\t\"nonce\": nonce,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPut, path)\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result GenerateRootStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\ntype GenerateRootStatusResponse struct {\n\tNonce            string `json:\"nonce\"`\n\tStarted          bool   `json:\"started\"`\n\tProgress         int    `json:\"progress\"`\n\tRequired         int    `json:\"required\"`\n\tComplete         bool   `json:\"complete\"`\n\tEncodedToken     string `json:\"encoded_token\"`\n\tEncodedRootToken string `json:\"encoded_root_token\"`\n\tPGPFingerprint   string `json:\"pgp_fingerprint\"`\n\tOTP              string `json:\"otp\"`\n\tOTPLength        int    `json:\"otp_length\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_hastatus.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"time\"\n)\n\nfunc (c *Sys) HAStatus() (*HAStatusResponse, error) {\n\treturn c.HAStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) HAStatusWithContext(ctx context.Context) (*HAStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/ha-status\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result HAStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\ntype HAStatusResponse struct {\n\tNodes []HANode\n}\n\ntype HANode struct {\n\tHostname                          string     `json:\"hostname\"`\n\tAPIAddress                        string     `json:\"api_address\"`\n\tClusterAddress                    string     `json:\"cluster_address\"`\n\tActiveNode                        bool       `json:\"active_node\"`\n\tLastEcho                          *time.Time `json:\"last_echo\"`\n\tEchoDurationMillis                int64      `json:\"echo_duration_ms\"`\n\tClockSkewMillis                   int64      `json:\"clock_skew_ms\"`\n\tVersion                           string     `json:\"version\"`\n\tUpgradeVersion                    string     `json:\"upgrade_version,omitempty\"`\n\tRedundancyZone                    string     `json:\"redundancy_zone,omitempty\"`\n\tReplicationPrimaryCanaryAgeMillis int64      `json:\"replication_primary_canary_age_ms\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_health.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"net/http\"\n)\n\nfunc (c *Sys) Health() (*HealthResponse, error) {\n\treturn c.HealthWithContext(context.Background())\n}\n\nfunc (c *Sys) HealthWithContext(ctx context.Context) (*HealthResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/health\")\n\t// If the code is 400 or above it will automatically turn into an error,\n\t// but the sys/health API defaults to returning 5xx when sealed or not\n\t// initialized, so we force these codes to be something else so we parse correctly\n\tr.Params.Add(\"uninitcode\", \"299\")\n\tr.Params.Add(\"sealedcode\", \"299\")\n\tr.Params.Add(\"standbycode\", \"299\")\n\tr.Params.Add(\"drsecondarycode\", \"299\")\n\tr.Params.Add(\"performancestandbycode\", \"299\")\n\tr.Params.Add(\"removedcode\", \"299\")\n\tr.Params.Add(\"haunhealthycode\", \"299\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result HealthResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\ntype HealthResponse struct {\n\tInitialized                          bool   `json:\"initialized\"`\n\tSealed                               bool   `json:\"sealed\"`\n\tStandby                              bool   `json:\"standby\"`\n\tPerformanceStandby                   bool   `json:\"performance_standby\"`\n\tReplicationPerformanceMode           string `json:\"replication_performance_mode\"`\n\tReplicationDRMode                    string `json:\"replication_dr_mode\"`\n\tServerTimeUTC                        int64  `json:\"server_time_utc\"`\n\tVersion                              string `json:\"version\"`\n\tClusterName                          string `json:\"cluster_name,omitempty\"`\n\tClusterID                            string 
`json:\"cluster_id,omitempty\"`\n\tLastWAL                              uint64 `json:\"last_wal,omitempty\"`\n\tEnterprise                           bool   `json:\"enterprise\"`\n\tEchoDurationMillis                   int64  `json:\"echo_duration_ms\"`\n\tClockSkewMillis                      int64  `json:\"clock_skew_ms\"`\n\tReplicationPrimaryCanaryAgeMillis    int64  `json:\"replication_primary_canary_age_ms\"`\n\tRemovedFromCluster                   *bool  `json:\"removed_from_cluster,omitempty\"`\n\tHAConnectionHealthy                  *bool  `json:\"ha_connection_healthy,omitempty\"`\n\tLastRequestForwardingHeartbeatMillis int64  `json:\"last_request_forwarding_heartbeat_ms,omitempty\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_init.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"net/http\"\n)\n\nfunc (c *Sys) InitStatus() (bool, error) {\n\treturn c.InitStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) InitStatusWithContext(ctx context.Context) (bool, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/init\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn false, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result InitStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn result.Initialized, err\n}\n\nfunc (c *Sys) Init(opts *InitRequest) (*InitResponse, error) {\n\treturn c.InitWithContext(context.Background(), opts)\n}\n\nfunc (c *Sys) InitWithContext(ctx context.Context, opts *InitRequest) (*InitResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/init\")\n\tif err := r.SetJSONBody(opts); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result InitResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\ntype InitRequest struct {\n\tSecretShares      int      `json:\"secret_shares\"`\n\tSecretThreshold   int      `json:\"secret_threshold\"`\n\tStoredShares      int      `json:\"stored_shares\"`\n\tPGPKeys           []string `json:\"pgp_keys\"`\n\tRecoveryShares    int      `json:\"recovery_shares\"`\n\tRecoveryThreshold int      `json:\"recovery_threshold\"`\n\tRecoveryPGPKeys   []string `json:\"recovery_pgp_keys\"`\n\tRootTokenPGPKey   string   `json:\"root_token_pgp_key\"`\n}\n\ntype InitStatusResponse struct {\n\tInitialized bool\n}\n\ntype InitResponse struct {\n\tKeys            []string `json:\"keys\"`\n\tKeysB64         []string 
`json:\"keys_base64\"`\n\tRecoveryKeys    []string `json:\"recovery_keys\"`\n\tRecoveryKeysB64 []string `json:\"recovery_keys_base64\"`\n\tRootToken       string   `json:\"root_token\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_leader.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"time\"\n)\n\nfunc (c *Sys) Leader() (*LeaderResponse, error) {\n\treturn c.LeaderWithContext(context.Background())\n}\n\nfunc (c *Sys) LeaderWithContext(ctx context.Context) (*LeaderResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/leader\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result LeaderResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\ntype LeaderResponse struct {\n\tHAEnabled                bool      `json:\"ha_enabled\"`\n\tIsSelf                   bool      `json:\"is_self\"`\n\tActiveTime               time.Time `json:\"active_time\"`\n\tLeaderAddress            string    `json:\"leader_address\"`\n\tLeaderClusterAddress     string    `json:\"leader_cluster_address\"`\n\tPerfStandby              bool      `json:\"performance_standby\"`\n\tPerfStandbyLastRemoteWAL uint64    `json:\"performance_standby_last_remote_wal\"`\n\tLastWAL                  uint64    `json:\"last_wal\"`\n\tRaftCommittedIndex       uint64    `json:\"raft_committed_index,omitempty\"`\n\tRaftAppliedIndex         uint64    `json:\"raft_applied_index,omitempty\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_leases.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net/http\"\n)\n\nfunc (c *Sys) Renew(id string, increment int) (*Secret, error) {\n\treturn c.RenewWithContext(context.Background(), id, increment)\n}\n\nfunc (c *Sys) RenewWithContext(ctx context.Context, id string, increment int) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/leases/renew\")\n\n\tbody := map[string]interface{}{\n\t\t\"increment\": increment,\n\t\t\"lease_id\":  id,\n\t}\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *Sys) Lookup(id string) (*Secret, error) {\n\treturn c.LookupWithContext(context.Background(), id)\n}\n\nfunc (c *Sys) LookupWithContext(ctx context.Context, id string) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/leases/lookup\")\n\n\tbody := map[string]interface{}{\n\t\t\"lease_id\": id,\n\t}\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\nfunc (c *Sys) Revoke(id string) error {\n\treturn c.RevokeWithContext(context.Background(), id)\n}\n\nfunc (c *Sys) RevokeWithContext(ctx context.Context, id string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/leases/revoke\")\n\tbody := map[string]interface{}{\n\t\t\"lease_id\": id,\n\t}\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := 
c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) RevokePrefix(id string) error {\n\treturn c.RevokePrefixWithContext(context.Background(), id)\n}\n\nfunc (c *Sys) RevokePrefixWithContext(ctx context.Context, id string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/leases/revoke-prefix/\"+id)\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) RevokeForce(id string) error {\n\treturn c.RevokeForceWithContext(context.Background(), id)\n}\n\nfunc (c *Sys) RevokeForceWithContext(ctx context.Context, id string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/leases/revoke-force/\"+id)\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) RevokeWithOptions(opts *RevokeOptions) error {\n\treturn c.RevokeWithOptionsWithContext(context.Background(), opts)\n}\n\nfunc (c *Sys) RevokeWithOptionsWithContext(ctx context.Context, opts *RevokeOptions) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tif opts == nil {\n\t\treturn errors.New(\"nil options provided\")\n\t}\n\n\t// Construct path\n\tpath := \"/v1/sys/leases/revoke/\"\n\tswitch {\n\tcase opts.Force:\n\t\tpath = \"/v1/sys/leases/revoke-force/\"\n\tcase opts.Prefix:\n\t\tpath = \"/v1/sys/leases/revoke-prefix/\"\n\t}\n\tpath += opts.LeaseID\n\n\tr := c.c.NewRequest(http.MethodPut, path)\n\tif !opts.Force {\n\t\tbody := map[string]interface{}{\n\t\t\t\"sync\": opts.Sync,\n\t\t}\n\t\tif err := r.SetJSONBody(body); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn 
err\n}\n\ntype RevokeOptions struct {\n\tLeaseID string\n\tForce   bool\n\tPrefix  bool\n\tSync    bool\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_mfa.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n)\n\nfunc (c *Sys) MFAValidate(requestID string, payload map[string]interface{}) (*Secret, error) {\n\treturn c.MFAValidateWithContext(context.Background(), requestID, payload)\n}\n\nfunc (c *Sys) MFAValidateWithContext(ctx context.Context, requestID string, payload map[string]interface{}) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"mfa_request_id\": requestID,\n\t\t\"mfa_payload\":    payload,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPost, fmt.Sprintf(\"/v1/sys/mfa/validate\"))\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to set request body: %w\", err)\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse secret from response: %w\", err)\n\t}\n\n\tif secret == nil {\n\t\treturn nil, fmt.Errorf(\"data from server response is empty\")\n\t}\n\n\treturn secret, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_monitor.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n)\n\n// Monitor returns a channel that outputs strings containing the log messages\n// coming from the server.\nfunc (c *Sys) Monitor(ctx context.Context, logLevel string, logFormat string) (chan string, error) {\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/monitor\")\n\n\tif logLevel == \"\" {\n\t\tr.Params.Add(\"log_level\", \"info\")\n\t} else {\n\t\tr.Params.Add(\"log_level\", logLevel)\n\t}\n\n\tif logFormat == \"\" {\n\t\tr.Params.Add(\"log_format\", \"standard\")\n\t} else {\n\t\tr.Params.Add(\"log_format\", logFormat)\n\t}\n\n\tresp, err := c.c.RawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tlogCh := make(chan string, 64)\n\n\tgo func() {\n\t\tscanner := bufio.NewScanner(resp.Body)\n\t\tdroppedCount := 0\n\n\t\tdefer close(logCh)\n\t\tdefer resp.Body.Close()\n\n\t\tfor {\n\t\t\tif ctx.Err() != nil {\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif !scanner.Scan() {\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tlogMessage := scanner.Text()\n\n\t\t\tif droppedCount > 0 {\n\t\t\t\tselect {\n\t\t\t\tcase logCh <- fmt.Sprintf(\"Monitor dropped %d logs during monitor request\\n\", droppedCount):\n\t\t\t\t\tdroppedCount = 0\n\t\t\t\tdefault:\n\t\t\t\t\tdroppedCount++\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tselect {\n\t\t\tcase logCh <- logMessage:\n\t\t\tdefault:\n\t\t\t\tdroppedCount++\n\t\t\t}\n\t\t}\n\t}()\n\n\treturn logCh, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_mounts.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nfunc (c *Sys) GetMount(path string) (*MountOutput, error) {\n\treturn c.GetMountWithContext(context.Background(), path)\n}\n\nfunc (c *Sys) GetMountWithContext(ctx context.Context, path string) (*MountOutput, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, fmt.Sprintf(\"/v1/sys/mounts/%s\", path))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tmount := MountOutput{}\n\terr = mapstructure.Decode(secret.Data, &mount)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &mount, nil\n}\n\nfunc (c *Sys) ListMounts() (map[string]*MountOutput, error) {\n\treturn c.ListMountsWithContext(context.Background())\n}\n\nfunc (c *Sys) ListMountsWithContext(ctx context.Context) (map[string]*MountOutput, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/mounts\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tmounts := map[string]*MountOutput{}\n\terr = mapstructure.Decode(secret.Data, &mounts)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn mounts, nil\n}\n\nfunc (c *Sys) Mount(path string, mountInfo *MountInput) error 
{\n\treturn c.MountWithContext(context.Background(), path, mountInfo)\n}\n\nfunc (c *Sys) MountWithContext(ctx context.Context, path string, mountInfo *MountInput) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, fmt.Sprintf(\"/v1/sys/mounts/%s\", path))\n\tif err := r.SetJSONBody(mountInfo); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\nfunc (c *Sys) Unmount(path string) error {\n\treturn c.UnmountWithContext(context.Background(), path)\n}\n\nfunc (c *Sys) UnmountWithContext(ctx context.Context, path string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, fmt.Sprintf(\"/v1/sys/mounts/%s\", path))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\n// Remount wraps RemountWithContext using context.Background.\nfunc (c *Sys) Remount(from, to string) error {\n\treturn c.RemountWithContext(context.Background(), from, to)\n}\n\n// RemountWithContext kicks off a remount operation, polls the status endpoint using\n// the migration ID till either success or failure state is observed\nfunc (c *Sys) RemountWithContext(ctx context.Context, from, to string) error {\n\tremountResp, err := c.StartRemountWithContext(ctx, from, to)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfor {\n\t\tremountStatusResp, err := c.RemountStatusWithContext(ctx, remountResp.MigrationID)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif remountStatusResp.MigrationInfo.MigrationStatus == \"success\" {\n\t\t\treturn nil\n\t\t}\n\t\tif remountStatusResp.MigrationInfo.MigrationStatus == \"failure\" {\n\t\t\treturn fmt.Errorf(\"Failure! 
Error encountered moving mount %s to %s, with migration ID %s\", from, to, remountResp.MigrationID)\n\t\t}\n\t\ttime.Sleep(1 * time.Second)\n\t}\n}\n\n// StartRemount wraps StartRemountWithContext using context.Background.\nfunc (c *Sys) StartRemount(from, to string) (*MountMigrationOutput, error) {\n\treturn c.StartRemountWithContext(context.Background(), from, to)\n}\n\n// StartRemountWithContext kicks off a mount migration and returns a response with the migration ID\nfunc (c *Sys) StartRemountWithContext(ctx context.Context, from, to string) (*MountMigrationOutput, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"from\": from,\n\t\t\"to\":   to,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/sys/remount\")\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result MountMigrationOutput\n\terr = mapstructure.Decode(secret.Data, &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\n// RemountStatus wraps RemountStatusWithContext using context.Background.\nfunc (c *Sys) RemountStatus(migrationID string) (*MountMigrationStatusOutput, error) {\n\treturn c.RemountStatusWithContext(context.Background(), migrationID)\n}\n\n// RemountStatusWithContext checks the status of a mount migration operation with the provided ID\nfunc (c *Sys) RemountStatusWithContext(ctx context.Context, migrationID string) (*MountMigrationStatusOutput, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, fmt.Sprintf(\"/v1/sys/remount/status/%s\", 
migrationID))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result MountMigrationStatusOutput\n\terr = mapstructure.Decode(secret.Data, &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\n// TuneMountConfigInput is a pointer-only version of MountConfigInput.  This allows proper update calls where only\n// Values provided by the user are changed, but values can be changed to an empty (but non-nil) value.\ntype TuneMountConfigInput struct {\n\tOptions                    *map[string]string          `json:\"options,omitempty\" mapstructure:\"options\"`\n\tDefaultLeaseTTL            *string                     `json:\"default_lease_ttl,omitempty\" mapstructure:\"default_lease_ttl\"`\n\tDescription                *string                     `json:\"description,omitempty\" mapstructure:\"description\"`\n\tMaxLeaseTTL                *string                     `json:\"max_lease_ttl,omitempty\" mapstructure:\"max_lease_ttl\"`\n\tForceNoCache               *bool                       `json:\"force_no_cache,omitempty\" mapstructure:\"force_no_cache\"`\n\tAuditNonHMACRequestKeys    *[]string                   `json:\"audit_non_hmac_request_keys,omitempty\" mapstructure:\"audit_non_hmac_request_keys\"`\n\tAuditNonHMACResponseKeys   *[]string                   `json:\"audit_non_hmac_response_keys,omitempty\" mapstructure:\"audit_non_hmac_response_keys\"`\n\tListingVisibility          *string                     `json:\"listing_visibility,omitempty\" mapstructure:\"listing_visibility\"`\n\tPassthroughRequestHeaders  *[]string                   `json:\"passthrough_request_headers,omitempty\" mapstructure:\"passthrough_request_headers\"`\n\tAllowedResponseHeaders   
  *[]string                   `json:\"allowed_response_headers,omitempty\" mapstructure:\"allowed_response_headers\"`\n\tTokenType                  *string                     `json:\"token_type,omitempty\" mapstructure:\"token_type\"`\n\tAllowedManagedKeys         *[]string                   `json:\"allowed_managed_keys,omitempty\" mapstructure:\"allowed_managed_keys\"`\n\tPluginVersion              *string                     `json:\"plugin_version,omitempty\"`\n\tUserLockoutConfig          *TuneUserLockoutConfigInput `json:\"user_lockout_config,omitempty\"`\n\tDelegatedAuthAccessors     *[]string                   `json:\"delegated_auth_accessors,omitempty\" mapstructure:\"delegated_auth_accessors\"`\n\tIdentityTokenKey           *string                     `json:\"identity_token_key,omitempty\" mapstructure:\"identity_token_key\"`\n\tTrimRequestTrailingSlashes *bool                       `json:\"trim_request_trailing_slashes,omitempty\" mapstructure:\"trim_request_trailing_slashes\"`\n\t// Deprecated: This field will always be blank for newer server responses.\n\tPluginName *string `json:\"plugin_name,omitempty\" mapstructure:\"plugin_name\"`\n}\n\ntype TuneUserLockoutConfigInput struct {\n\tLockoutThreshold            *string `json:\"lockout_threshold,omitempty\" structs:\"lockout_threshold\" mapstructure:\"lockout_threshold\"`\n\tLockoutDuration             *string `json:\"lockout_duration,omitempty\" structs:\"lockout_duration\" mapstructure:\"lockout_duration\"`\n\tLockoutCounterResetDuration *string `json:\"lockout_counter_reset_duration,omitempty\" structs:\"lockout_counter_reset_duration\" mapstructure:\"lockout_counter_reset_duration\"`\n\tDisableLockout              *bool   `json:\"lockout_disable,omitempty\" structs:\"lockout_disable\" mapstructure:\"lockout_disable\"`\n}\n\nfunc (c *Sys) TuneMountAllowNil(path string, config TuneMountConfigInput) error {\n\treturn c.TuneMountAllowNilWithContext(context.Background(), path, config)\n}\n\n// Deprecated: 
newer functionality should use TuneMountAllowNil instead so that parameters can be set to the nil value\nfunc (c *Sys) TuneMount(path string, config MountConfigInput) error {\n\treturn c.TuneMountWithContext(context.Background(), path, config)\n}\n\nfunc (c *Sys) TuneMountAllowNilWithContext(ctx context.Context, path string, config TuneMountConfigInput) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, fmt.Sprintf(\"/v1/sys/mounts/%s/tune\", path))\n\tif err := r.SetJSONBody(config); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\n// Deprecated: newer functionality should use TuneMountAllowNilWithContext instead, so that configuration can be set to\n// a nil value.\nfunc (c *Sys) TuneMountWithContext(ctx context.Context, path string, config MountConfigInput) error {\n\ttuneConfig := TuneMountConfigInput{}\n\n\ttuneConfig.Options = &config.Options                 // Not omitted if empty\n\ttuneConfig.DefaultLeaseTTL = &config.DefaultLeaseTTL // Not omitted if empty\n\ttuneConfig.Description = config.Description          // Already a pointer value\n\ttuneConfig.MaxLeaseTTL = &config.MaxLeaseTTL         // Not omitted if empty\n\ttuneConfig.ForceNoCache = &config.ForceNoCache       // Not omitted if empty\n\n\tif len(config.AuditNonHMACRequestKeys) != 0 { // Because omitempty in the JSON\n\t\ttuneConfig.AuditNonHMACRequestKeys = &config.AuditNonHMACRequestKeys\n\t}\n\n\tif len(config.AuditNonHMACResponseKeys) != 0 { // Because omitempty in the JSON\n\t\ttuneConfig.AuditNonHMACResponseKeys = &config.AuditNonHMACResponseKeys\n\t}\n\n\tif config.ListingVisibility != \"\" { // Because omitempty in the JSON\n\t\ttuneConfig.ListingVisibility = &config.ListingVisibility\n\t}\n\n\tif len(config.PassthroughRequestHeaders) != 0 { // Because omitempty in the 
JSON\n\t\ttuneConfig.PassthroughRequestHeaders = &config.PassthroughRequestHeaders\n\t}\n\n\tif len(config.AllowedResponseHeaders) != 0 { // Because omitempty in the JSON\n\t\ttuneConfig.AllowedResponseHeaders = &config.AllowedResponseHeaders\n\t}\n\n\tif config.TokenType != \"\" { // Because omitempty in the JSON\n\t\ttuneConfig.TokenType = &config.TokenType\n\t}\n\n\tif len(config.AllowedManagedKeys) != 0 { // Because omitempty in the JSON\n\t\ttuneConfig.AllowedManagedKeys = &config.AllowedManagedKeys\n\t}\n\n\tif config.PluginVersion != \"\" { // Because omitempty in the JSON\n\t\ttuneConfig.PluginVersion = &config.PluginVersion\n\t}\n\n\tif config.UserLockoutConfig != nil {\n\t\tuserLockoutConfig := TuneUserLockoutConfigInput{}\n\t\tif config.UserLockoutConfig.LockoutDuration != \"\" {\n\t\t\tuserLockoutConfig.LockoutDuration = &config.UserLockoutConfig.LockoutDuration\n\t\t}\n\t\tif config.UserLockoutConfig.LockoutCounterResetDuration != \"\" {\n\t\t\tuserLockoutConfig.LockoutCounterResetDuration = &config.UserLockoutConfig.LockoutCounterResetDuration\n\t\t}\n\t\tif config.UserLockoutConfig.LockoutThreshold != \"\" {\n\t\t\tuserLockoutConfig.LockoutThreshold = &config.UserLockoutConfig.LockoutThreshold\n\t\t}\n\t\tif config.UserLockoutConfig.DisableLockout != nil {\n\t\t\tuserLockoutConfig.DisableLockout = config.UserLockoutConfig.DisableLockout\n\t\t}\n\t\ttuneConfig.UserLockoutConfig = &userLockoutConfig\n\t}\n\n\tif len(config.DelegatedAuthAccessors) != 0 { // Because omitempty in the JSON\n\t\ttuneConfig.DelegatedAuthAccessors = &config.DelegatedAuthAccessors\n\t}\n\n\tif config.IdentityTokenKey != \"\" { // Because omitempty in the JSON\n\t\ttuneConfig.IdentityTokenKey = &config.IdentityTokenKey\n\t}\n\n\ttuneConfig.TrimRequestTrailingSlashes = config.TrimRequestTrailingSlashes // Already a pointer despite being omitempty\n\n\tif config.PluginName != \"\" { // Because omitempty in the JSON\n\t\ttuneConfig.PluginName = &config.PluginName\n\t}\n\n\treturn 
c.TuneMountAllowNilWithContext(ctx, path, tuneConfig)\n}\n\nfunc (c *Sys) MountConfig(path string) (*MountConfigOutput, error) {\n\treturn c.MountConfigWithContext(context.Background(), path)\n}\n\nfunc (c *Sys) MountConfigWithContext(ctx context.Context, path string) (*MountConfigOutput, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, fmt.Sprintf(\"/v1/sys/mounts/%s/tune\", path))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result MountConfigOutput\n\terr = mapstructure.Decode(secret.Data, &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\ntype MountInput struct {\n\tType                  string            `json:\"type\"`\n\tDescription           string            `json:\"description\"`\n\tConfig                MountConfigInput  `json:\"config\"`\n\tLocal                 bool              `json:\"local\"`\n\tSealWrap              bool              `json:\"seal_wrap\" mapstructure:\"seal_wrap\"`\n\tExternalEntropyAccess bool              `json:\"external_entropy_access\" mapstructure:\"external_entropy_access\"`\n\tOptions               map[string]string `json:\"options\"`\n\n\t// Deprecated: Newer server responses should be returning this information in the\n\t// Type field (json: \"type\") instead.\n\tPluginName string `json:\"plugin_name,omitempty\"`\n}\n\ntype MountConfigInput struct {\n\tOptions                    map[string]string       `json:\"options\" mapstructure:\"options\"`\n\tDefaultLeaseTTL            string                  `json:\"default_lease_ttl\" mapstructure:\"default_lease_ttl\"`\n\tDescription                *string                 
`json:\"description,omitempty\" mapstructure:\"description\"`\n\tMaxLeaseTTL                string                  `json:\"max_lease_ttl\" mapstructure:\"max_lease_ttl\"`\n\tForceNoCache               bool                    `json:\"force_no_cache\" mapstructure:\"force_no_cache\"`\n\tAuditNonHMACRequestKeys    []string                `json:\"audit_non_hmac_request_keys,omitempty\" mapstructure:\"audit_non_hmac_request_keys\"`\n\tAuditNonHMACResponseKeys   []string                `json:\"audit_non_hmac_response_keys,omitempty\" mapstructure:\"audit_non_hmac_response_keys\"`\n\tListingVisibility          string                  `json:\"listing_visibility,omitempty\" mapstructure:\"listing_visibility\"`\n\tPassthroughRequestHeaders  []string                `json:\"passthrough_request_headers,omitempty\" mapstructure:\"passthrough_request_headers\"`\n\tAllowedResponseHeaders     []string                `json:\"allowed_response_headers,omitempty\" mapstructure:\"allowed_response_headers\"`\n\tTokenType                  string                  `json:\"token_type,omitempty\" mapstructure:\"token_type\"`\n\tAllowedManagedKeys         []string                `json:\"allowed_managed_keys,omitempty\" mapstructure:\"allowed_managed_keys\"`\n\tPluginVersion              string                  `json:\"plugin_version,omitempty\"`\n\tUserLockoutConfig          *UserLockoutConfigInput `json:\"user_lockout_config,omitempty\"`\n\tDelegatedAuthAccessors     []string                `json:\"delegated_auth_accessors,omitempty\" mapstructure:\"delegated_auth_accessors\"`\n\tIdentityTokenKey           string                  `json:\"identity_token_key,omitempty\" mapstructure:\"identity_token_key\"`\n\tTrimRequestTrailingSlashes *bool                   `json:\"trim_request_trailing_slashes,omitempty\" mapstructure:\"trim_request_trailing_slashes\"`\n\t// Deprecated: This field will always be blank for newer server responses.\n\tPluginName string `json:\"plugin_name,omitempty\" 
mapstructure:\"plugin_name\"`\n}\n\ntype MountOutput struct {\n\tUUID                  string            `json:\"uuid\"`\n\tType                  string            `json:\"type\"`\n\tDescription           string            `json:\"description\"`\n\tAccessor              string            `json:\"accessor\"`\n\tConfig                MountConfigOutput `json:\"config\"`\n\tOptions               map[string]string `json:\"options\"`\n\tLocal                 bool              `json:\"local\"`\n\tSealWrap              bool              `json:\"seal_wrap\" mapstructure:\"seal_wrap\"`\n\tExternalEntropyAccess bool              `json:\"external_entropy_access\" mapstructure:\"external_entropy_access\"`\n\tPluginVersion         string            `json:\"plugin_version\" mapstructure:\"plugin_version\"`\n\tRunningVersion        string            `json:\"running_plugin_version\" mapstructure:\"running_plugin_version\"`\n\tRunningSha256         string            `json:\"running_sha256\" mapstructure:\"running_sha256\"`\n\tDeprecationStatus     string            `json:\"deprecation_status\" mapstructure:\"deprecation_status\"`\n}\n\ntype MountConfigOutput struct {\n\tDefaultLeaseTTL            int                      `json:\"default_lease_ttl\" mapstructure:\"default_lease_ttl\"`\n\tMaxLeaseTTL                int                      `json:\"max_lease_ttl\" mapstructure:\"max_lease_ttl\"`\n\tForceNoCache               bool                     `json:\"force_no_cache\" mapstructure:\"force_no_cache\"`\n\tAuditNonHMACRequestKeys    []string                 `json:\"audit_non_hmac_request_keys,omitempty\" mapstructure:\"audit_non_hmac_request_keys\"`\n\tAuditNonHMACResponseKeys   []string                 `json:\"audit_non_hmac_response_keys,omitempty\" mapstructure:\"audit_non_hmac_response_keys\"`\n\tListingVisibility          string                   `json:\"listing_visibility,omitempty\" mapstructure:\"listing_visibility\"`\n\tPassthroughRequestHeaders  []string                 
`json:\"passthrough_request_headers,omitempty\" mapstructure:\"passthrough_request_headers\"`\n\tAllowedResponseHeaders     []string                 `json:\"allowed_response_headers,omitempty\" mapstructure:\"allowed_response_headers\"`\n\tTokenType                  string                   `json:\"token_type,omitempty\" mapstructure:\"token_type\"`\n\tAllowedManagedKeys         []string                 `json:\"allowed_managed_keys,omitempty\" mapstructure:\"allowed_managed_keys\"`\n\tUserLockoutConfig          *UserLockoutConfigOutput `json:\"user_lockout_config,omitempty\"`\n\tDelegatedAuthAccessors     []string                 `json:\"delegated_auth_accessors,omitempty\" mapstructure:\"delegated_auth_accessors\"`\n\tIdentityTokenKey           string                   `json:\"identity_token_key,omitempty\" mapstructure:\"identity_token_key\"`\n\tTrimRequestTrailingSlashes bool                     `json:\"trim_request_trailing_slashes,omitempty\" mapstructure:\"trim_request_trailing_slashes\"`\n\n\t// Deprecated: This field will always be blank for newer server responses.\n\tPluginName string `json:\"plugin_name,omitempty\" mapstructure:\"plugin_name\"`\n}\n\ntype UserLockoutConfigInput struct {\n\tLockoutThreshold            string `json:\"lockout_threshold,omitempty\" structs:\"lockout_threshold\" mapstructure:\"lockout_threshold\"`\n\tLockoutDuration             string `json:\"lockout_duration,omitempty\" structs:\"lockout_duration\" mapstructure:\"lockout_duration\"`\n\tLockoutCounterResetDuration string `json:\"lockout_counter_reset_duration,omitempty\" structs:\"lockout_counter_reset_duration\" mapstructure:\"lockout_counter_reset_duration\"`\n\tDisableLockout              *bool  `json:\"lockout_disable,omitempty\" structs:\"lockout_disable\" mapstructure:\"lockout_disable\"`\n}\n\ntype UserLockoutConfigOutput struct {\n\tLockoutThreshold    uint  `json:\"lockout_threshold,omitempty\" structs:\"lockout_threshold\" 
mapstructure:\"lockout_threshold\"`\n\tLockoutDuration     int   `json:\"lockout_duration,omitempty\" structs:\"lockout_duration\" mapstructure:\"lockout_duration\"`\n\tLockoutCounterReset int   `json:\"lockout_counter_reset,omitempty\" structs:\"lockout_counter_reset\" mapstructure:\"lockout_counter_reset\"`\n\tDisableLockout      *bool `json:\"disable_lockout,omitempty\" structs:\"disable_lockout\" mapstructure:\"disable_lockout\"`\n}\n\ntype MountMigrationOutput struct {\n\tMigrationID string `mapstructure:\"migration_id\"`\n}\n\ntype MountMigrationStatusOutput struct {\n\tMigrationID   string                    `mapstructure:\"migration_id\"`\n\tMigrationInfo *MountMigrationStatusInfo `mapstructure:\"migration_info\"`\n}\n\ntype MountMigrationStatusInfo struct {\n\tSourceMount     string `mapstructure:\"source_mount\"`\n\tTargetMount     string `mapstructure:\"target_mount\"`\n\tMigrationStatus string `mapstructure:\"status\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_plugins.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\n// ListPluginsInput is used as input to the ListPlugins function.\ntype ListPluginsInput struct {\n\t// Type of the plugin. Required.\n\tType PluginType `json:\"type\"`\n}\n\n// ListPluginsResponse is the response from the ListPlugins call.\ntype ListPluginsResponse struct {\n\t// PluginsByType is the list of plugins by type.\n\tPluginsByType map[PluginType][]string `json:\"types\"`\n\n\tDetails []PluginDetails `json:\"details,omitempty\"`\n\n\t// Names is the list of names of the plugins.\n\t//\n\t// Deprecated: Newer server responses should be returning PluginsByType (json:\n\t// \"types\") instead.\n\tNames []string `json:\"names\"`\n}\n\ntype PluginDetails struct {\n\tType              string `json:\"type\"`\n\tName              string `json:\"name\"`\n\tOCIImage          string `json:\"oci_image,omitempty\" mapstructure:\"oci_image\"`\n\tRuntime           string `json:\"runtime,omitempty\"`\n\tVersion           string `json:\"version,omitempty\"`\n\tBuiltin           bool   `json:\"builtin\"`\n\tDeprecationStatus string `json:\"deprecation_status,omitempty\" mapstructure:\"deprecation_status\"`\n}\n\n// ListPlugins wraps ListPluginsWithContext using context.Background.\nfunc (c *Sys) ListPlugins(i *ListPluginsInput) (*ListPluginsResponse, error) {\n\treturn c.ListPluginsWithContext(context.Background(), i)\n}\n\n// ListPluginsWithContext lists all plugins in the catalog and returns their names as a\n// list of strings.\nfunc (c *Sys) ListPluginsWithContext(ctx context.Context, i *ListPluginsInput) (*ListPluginsResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tresp, err := c.c.rawRequestWithContext(ctx, c.c.NewRequest(http.MethodGet, \"/v1/sys/plugins/catalog\"))\n\tif err 
!= nil && resp == nil {\n\t\treturn nil, err\n\t}\n\tif resp == nil {\n\t\treturn nil, nil\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tresult := &ListPluginsResponse{\n\t\tPluginsByType: make(map[PluginType][]string),\n\t}\n\tswitch i.Type {\n\tcase PluginTypeUnknown:\n\t\tfor _, pluginType := range PluginTypes {\n\t\t\tpluginsRaw, ok := secret.Data[pluginType.String()]\n\t\t\tif !ok {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tpluginsIfc, ok := pluginsRaw.([]interface{})\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"unable to parse plugins for %q type\", pluginType.String())\n\t\t\t}\n\n\t\t\tplugins := make([]string, 0, len(pluginsIfc))\n\t\t\tfor _, nameIfc := range pluginsIfc {\n\t\t\t\tname, ok := nameIfc.(string)\n\t\t\t\tif !ok {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tplugins = append(plugins, name)\n\t\t\t}\n\t\t\tresult.PluginsByType[pluginType] = plugins\n\t\t}\n\tdefault:\n\t\tpluginsRaw, ok := secret.Data[i.Type.String()]\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"no %s entry in returned data\", i.Type.String())\n\t\t}\n\n\t\tvar respKeys []string\n\t\tif err := mapstructure.Decode(pluginsRaw, &respKeys); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tresult.PluginsByType[i.Type] = respKeys\n\t}\n\n\tif detailed, ok := secret.Data[\"detailed\"]; ok {\n\t\tvar details []PluginDetails\n\t\tif err := mapstructure.Decode(detailed, &details); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tswitch i.Type {\n\t\tcase PluginTypeUnknown:\n\t\t\tresult.Details = details\n\t\tdefault:\n\t\t\t// Filter for just the queried type.\n\t\t\tfor _, entry := range details {\n\t\t\t\tif entry.Type == i.Type.String() {\n\t\t\t\t\tresult.Details = append(result.Details, entry)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn result, nil\n}\n\n// GetPluginInput is used as input to 
the GetPlugin function.\ntype GetPluginInput struct {\n\tName string `json:\"-\"`\n\n\t// Type of the plugin. Required.\n\tType    PluginType `json:\"type\"`\n\tVersion string     `json:\"version\"`\n}\n\n// GetPluginResponse is the response from the GetPlugin call.\ntype GetPluginResponse struct {\n\tArgs              []string `json:\"args\"`\n\tBuiltin           bool     `json:\"builtin\"`\n\tCommand           string   `json:\"command\"`\n\tName              string   `json:\"name\"`\n\tSHA256            string   `json:\"sha256\"`\n\tOCIImage          string   `json:\"oci_image,omitempty\"`\n\tRuntime           string   `json:\"runtime,omitempty\"`\n\tDeprecationStatus string   `json:\"deprecation_status,omitempty\"`\n\tVersion           string   `json:\"version,omitempty\"`\n}\n\n// GetPlugin wraps GetPluginWithContext using context.Background.\nfunc (c *Sys) GetPlugin(i *GetPluginInput) (*GetPluginResponse, error) {\n\treturn c.GetPluginWithContext(context.Background(), i)\n}\n\n// GetPluginWithContext retrieves information about the plugin.\nfunc (c *Sys) GetPluginWithContext(ctx context.Context, i *GetPluginInput) (*GetPluginResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tpath := catalogPathByType(i.Type, i.Name)\n\treq := c.c.NewRequest(http.MethodGet, path)\n\tif i.Version != \"\" {\n\t\treq.Params.Set(\"version\", i.Version)\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result struct {\n\t\tData *GetPluginResponse\n\t}\n\terr = resp.DecodeJSON(&result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn result.Data, err\n}\n\n// RegisterPluginInput is used as input to the RegisterPlugin function.\ntype RegisterPluginInput struct {\n\t// Name is the name of the plugin. Required.\n\tName string `json:\"-\"`\n\n\t// Type of the plugin. 
Required.\n\tType PluginType `json:\"type\"`\n\n\t// Args is the list of args to spawn the process with.\n\tArgs []string `json:\"args,omitempty\"`\n\n\t// Command is the command to run.\n\tCommand string `json:\"command,omitempty\"`\n\n\t// SHA256 is the shasum of the plugin.\n\tSHA256 string `json:\"sha256,omitempty\"`\n\n\t// Version is the optional version of the plugin being registered\n\tVersion string `json:\"version,omitempty\"`\n\n\t// OCIImage specifies the container image to run as a plugin.\n\tOCIImage string `json:\"oci_image,omitempty\"`\n\n\t// Runtime is the Vault plugin runtime to use when running the plugin.\n\tRuntime string `json:\"runtime,omitempty\"`\n\n\t// Env specifies a list of key=value pairs to add to the plugin's environment\n\t// variables.\n\tEnv []string `json:\"env,omitempty\"`\n\n\t// Download the plugin when set to true. This is only applicable for external plugins.\n\tDownload bool `json:\"download,omitempty\"`\n}\n\n// RegisterPluginResponse is the response from the RegisterPluginDetailed call.\ntype RegisterPluginResponse struct {\n\tWarnings []string `json:\"warnings\"`\n}\n\n// RegisterPlugin wraps RegisterPluginWithContext using context.Background.\n// Deprecated: Use RegisterPluginDetailed instead.\nfunc (c *Sys) RegisterPlugin(i *RegisterPluginInput) error {\n\treturn c.RegisterPluginWithContext(context.Background(), i)\n}\n\n// RegisterPluginWithContext registers the plugin with the given information.\n// Deprecated: Use RegisterPluginWithContextDetailed instead.\nfunc (c *Sys) RegisterPluginWithContext(ctx context.Context, i *RegisterPluginInput) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tpath := catalogPathByType(i.Type, i.Name)\n\treq := c.c.NewRequest(http.MethodPut, path)\n\n\tif err := req.SetJSONBody(i); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\n// 
RegisterPluginDetailed wraps RegisterPluginWithContextDetailed using context.Background.\nfunc (c *Sys) RegisterPluginDetailed(i *RegisterPluginInput) (*RegisterPluginResponse, error) {\n\treturn c.RegisterPluginWithContextDetailed(context.Background(), i)\n}\n\n// RegisterPluginWithContextDetailed registers the plugin with the given information.\nfunc (c *Sys) RegisterPluginWithContextDetailed(ctx context.Context, i *RegisterPluginInput) (*RegisterPluginResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tpath := catalogPathByType(i.Type, i.Name)\n\treq := c.c.NewRequest(http.MethodPut, path)\n\n\tif err := req.SetJSONBody(i); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar registerResp RegisterPluginResponse\n\tif resp != nil && resp.StatusCode != http.StatusNoContent {\n\t\tif err := resp.DecodeJSON(&registerResp); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\t// Filter out the `Endpoint replaced the value of these parameters with the values captured from the endpoint's path: [type]`\n\t// warning because it is expected behavior from this function, as we set the type parameter in both the path and request body,\n\t// and the warning informs us the path parameter takes precedence. 
However, this warning is not relevant for an end user so we\n\t// omit it before returning to any client.\n\t// TODO: This can likely be removed once https://hashicorp.atlassian.net/browse/VAULT-36722 is addressed.\n\tvar filteredWarnings []string\n\tif len(registerResp.Warnings) > 0 {\n\t\tfilteredWarnings = make([]string, 0, len(registerResp.Warnings))\n\t}\n\n\tfor _, warning := range registerResp.Warnings {\n\t\tif !strings.Contains(warning, \"Endpoint replaced the value of these parameters with the values captured from the endpoint's path\") {\n\t\t\tfilteredWarnings = append(filteredWarnings, warning)\n\t\t}\n\t}\n\tregisterResp.Warnings = filteredWarnings\n\n\treturn &registerResp, err\n}\n\n// DeregisterPluginInput is used as input to the DeregisterPlugin function.\ntype DeregisterPluginInput struct {\n\t// Name is the name of the plugin. Required.\n\tName string `json:\"-\"`\n\n\t// Type of the plugin. Required.\n\tType PluginType `json:\"type\"`\n\n\t// Version of the plugin. Optional.\n\tVersion string `json:\"version,omitempty\"`\n}\n\n// DeregisterPlugin wraps DeregisterPluginWithContext using context.Background.\nfunc (c *Sys) DeregisterPlugin(i *DeregisterPluginInput) error {\n\treturn c.DeregisterPluginWithContext(context.Background(), i)\n}\n\n// DeregisterPluginWithContext removes the plugin with the given name from the plugin\n// catalog.\nfunc (c *Sys) DeregisterPluginWithContext(ctx context.Context, i *DeregisterPluginInput) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tpath := catalogPathByType(i.Type, i.Name)\n\treq := c.c.NewRequest(http.MethodDelete, path)\n\treq.Params.Set(\"version\", i.Version)\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\n// RootReloadPluginInput is used as input to the RootReloadPlugin function.\ntype RootReloadPluginInput struct {\n\tPlugin string     `json:\"-\"`               // Plugin name, as 
registered in the plugin catalog.\n\tType   PluginType `json:\"-\"`               // Plugin type: auth, secret, or database.\n\tScope  string     `json:\"scope,omitempty\"` // Empty to reload on current node, \"global\" for all nodes.\n}\n\n// RootReloadPlugin reloads plugins, possibly returning reloadID for a global\n// scoped reload. This is only available in the root namespace, and reloads\n// plugins across all namespaces, whereas ReloadPlugin is available in all\n// namespaces but only reloads plugins in use in the request's namespace.\nfunc (c *Sys) RootReloadPlugin(ctx context.Context, i *RootReloadPluginInput) (string, error) {\n\tpath := fmt.Sprintf(\"/v1/sys/plugins/reload/%s/%s\", i.Type.String(), i.Plugin)\n\treturn c.reloadPluginInternal(ctx, path, i, i.Scope == \"global\")\n}\n\n// ReloadPluginInput is used as input to the ReloadPlugin function.\ntype ReloadPluginInput struct {\n\t// Plugin is the name of the plugin to reload, as registered in the plugin catalog\n\tPlugin string `json:\"plugin\"`\n\n\t// Mounts is the array of string mount paths of the plugin backends to reload\n\tMounts []string `json:\"mounts\"`\n\n\t// Scope is the scope of the plugin reload\n\tScope string `json:\"scope\"`\n}\n\n// ReloadPlugin wraps ReloadPluginWithContext using context.Background.\nfunc (c *Sys) ReloadPlugin(i *ReloadPluginInput) (string, error) {\n\treturn c.ReloadPluginWithContext(context.Background(), i)\n}\n\n// ReloadPluginWithContext reloads mounted plugin backends, possibly returning\n// reloadID for a cluster scoped reload. It is limited to reloading plugins that\n// are in use in the request's namespace. 
See RootReloadPlugin for an API that\n// can reload plugins across all namespaces.\nfunc (c *Sys) ReloadPluginWithContext(ctx context.Context, i *ReloadPluginInput) (string, error) {\n\treturn c.reloadPluginInternal(ctx, \"/v1/sys/plugins/reload/backend\", i, i.Scope == \"global\")\n}\n\nfunc (c *Sys) reloadPluginInternal(ctx context.Context, path string, body any, global bool) (string, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\treq := c.c.NewRequest(http.MethodPut, path)\n\n\tif err := req.SetJSONBody(body); err != nil {\n\t\treturn \"\", err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer resp.Body.Close()\n\n\tif global {\n\t\t// Get the reload id\n\t\tsecret, parseErr := ParseSecret(resp.Body)\n\t\tif parseErr != nil {\n\t\t\treturn \"\", parseErr\n\t\t}\n\t\tif _, ok := secret.Data[\"reload_id\"]; ok {\n\t\t\treturn secret.Data[\"reload_id\"].(string), nil\n\t\t}\n\t}\n\treturn \"\", err\n}\n\n// ReloadStatus is the status of an individual node's plugin reload\ntype ReloadStatus struct {\n\tTimestamp time.Time `json:\"timestamp\" mapstructure:\"timestamp\"`\n\tError     string    `json:\"error\" mapstructure:\"error\"`\n}\n\n// ReloadStatusResponse is the combined response of all known completed plugin reloads\ntype ReloadStatusResponse struct {\n\tReloadID string                   `mapstructure:\"reload_id\"`\n\tResults  map[string]*ReloadStatus `mapstructure:\"results\"`\n}\n\n// ReloadPluginStatusInput is used as input to the ReloadStatusPlugin function.\ntype ReloadPluginStatusInput struct {\n\t// ReloadID is the ID of the reload operation\n\tReloadID string `json:\"reload_id\"`\n}\n\n// ReloadPluginStatus wraps ReloadPluginStatusWithContext using context.Background.\nfunc (c *Sys) ReloadPluginStatus(reloadStatusInput *ReloadPluginStatusInput) (*ReloadStatusResponse, error) {\n\treturn c.ReloadPluginStatusWithContext(context.Background(), 
reloadStatusInput)\n}\n\n// ReloadPluginStatusWithContext retrieves the status of a reload operation\nfunc (c *Sys) ReloadPluginStatusWithContext(ctx context.Context, reloadStatusInput *ReloadPluginStatusInput) (*ReloadStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tpath := \"/v1/sys/plugins/reload/backend/status\"\n\treq := c.c.NewRequest(http.MethodGet, path)\n\treq.Params.Add(\"reload_id\", reloadStatusInput.ReloadID)\n\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\tif resp != nil {\n\t\tsecret, parseErr := ParseSecret(resp.Body)\n\t\tif parseErr != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tvar r ReloadStatusResponse\n\t\td, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{\n\t\t\tDecodeHook: mapstructure.StringToTimeHookFunc(time.RFC3339),\n\t\t\tResult:     &r,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\terr = d.Decode(secret.Data)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\treturn &r, nil\n\t}\n\treturn nil, nil\n}\n\n// catalogPathByType is a helper to construct the proper API path by plugin type\nfunc catalogPathByType(pluginType PluginType, name string) string {\n\tpath := fmt.Sprintf(\"/v1/sys/plugins/catalog/%s/%s\", pluginType, name)\n\n\t// Backwards compat, if type is not provided then use old path\n\tif pluginType == PluginTypeUnknown {\n\t\tpath = fmt.Sprintf(\"/v1/sys/plugins/catalog/%s\", name)\n\t}\n\n\treturn path\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_plugins_runtimes.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\n// GetPluginRuntimeInput is used as input to the GetPluginRuntime function.\ntype GetPluginRuntimeInput struct {\n\tName string `json:\"-\"`\n\n\t// Type of the plugin runtime. Required.\n\tType PluginRuntimeType `json:\"type\"`\n}\n\n// GetPluginRuntimeResponse is the response from the GetPluginRuntime call.\ntype GetPluginRuntimeResponse struct {\n\tType         string `json:\"type\"`\n\tName         string `json:\"name\"`\n\tOCIRuntime   string `json:\"oci_runtime\"`\n\tCgroupParent string `json:\"cgroup_parent\"`\n\tCPU          int64  `json:\"cpu_nanos\"`\n\tMemory       int64  `json:\"memory_bytes\"`\n}\n\n// GetPluginRuntime retrieves information about the plugin.\nfunc (c *Sys) GetPluginRuntime(ctx context.Context, i *GetPluginRuntimeInput) (*GetPluginRuntimeResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tpath := pluginRuntimeCatalogPathByType(i.Type, i.Name)\n\treq := c.c.NewRequest(http.MethodGet, path)\n\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result struct {\n\t\tData *GetPluginRuntimeResponse\n\t}\n\terr = resp.DecodeJSON(&result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn result.Data, err\n}\n\n// RegisterPluginRuntimeInput is used as input to the RegisterPluginRuntime function.\ntype RegisterPluginRuntimeInput struct {\n\t// Name is the name of the plugin. Required.\n\tName string `json:\"-\"`\n\n\t// Type of the plugin. 
Required.\n\tType PluginRuntimeType `json:\"type\"`\n\n\tOCIRuntime   string `json:\"oci_runtime,omitempty\"`\n\tCgroupParent string `json:\"cgroup_parent,omitempty\"`\n\tCPU          int64  `json:\"cpu_nanos,omitempty\"`\n\tMemory       int64  `json:\"memory_bytes,omitempty\"`\n\tRootless     bool   `json:\"rootless,omitempty\"`\n}\n\n// RegisterPluginRuntime registers the plugin with the given information.\nfunc (c *Sys) RegisterPluginRuntime(ctx context.Context, i *RegisterPluginRuntimeInput) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tpath := pluginRuntimeCatalogPathByType(i.Type, i.Name)\n\treq := c.c.NewRequest(http.MethodPut, path)\n\n\tif err := req.SetJSONBody(i); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\n// DeregisterPluginRuntimeInput is used as input to the DeregisterPluginRuntime function.\ntype DeregisterPluginRuntimeInput struct {\n\t// Name is the name of the plugin runtime. Required.\n\tName string `json:\"-\"`\n\n\t// Type of the plugin. 
Required.\n\tType PluginRuntimeType `json:\"type\"`\n}\n\n// DeregisterPluginRuntime removes the plugin with the given name from the plugin\n// catalog.\nfunc (c *Sys) DeregisterPluginRuntime(ctx context.Context, i *DeregisterPluginRuntimeInput) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tpath := pluginRuntimeCatalogPathByType(i.Type, i.Name)\n\treq := c.c.NewRequest(http.MethodDelete, path)\n\tresp, err := c.c.rawRequestWithContext(ctx, req)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\ntype PluginRuntimeDetails struct {\n\tType         string `json:\"type\" mapstructure:\"type\"`\n\tName         string `json:\"name\" mapstructure:\"name\"`\n\tOCIRuntime   string `json:\"oci_runtime\" mapstructure:\"oci_runtime\"`\n\tCgroupParent string `json:\"cgroup_parent\" mapstructure:\"cgroup_parent\"`\n\tCPU          int64  `json:\"cpu_nanos\" mapstructure:\"cpu_nanos\"`\n\tMemory       int64  `json:\"memory_bytes\" mapstructure:\"memory_bytes\"`\n}\n\n// ListPluginRuntimesInput is used as input to the ListPluginRuntimes function.\ntype ListPluginRuntimesInput struct {\n\t// Type of the plugin. 
Required.\n\tType PluginRuntimeType `json:\"type\"`\n}\n\n// ListPluginRuntimesResponse is the response from the ListPluginRuntimes call.\ntype ListPluginRuntimesResponse struct {\n\t// RuntimesByType is the list of plugin runtimes by type.\n\tRuntimes []PluginRuntimeDetails `json:\"runtimes\"`\n}\n\n// ListPluginRuntimes lists all plugin runtimes in the catalog and returns their names as a\n// list of strings.\nfunc (c *Sys) ListPluginRuntimes(ctx context.Context, input *ListPluginRuntimesInput) (*ListPluginRuntimesResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tif input != nil && input.Type == PluginRuntimeTypeUnsupported {\n\t\treturn nil, fmt.Errorf(\"%q is not a supported runtime type\", input.Type.String())\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, c.c.NewRequest(http.MethodGet, \"/v1/sys/plugins/runtimes/catalog\"))\n\tif err != nil && resp == nil {\n\t\treturn nil, err\n\t}\n\tif resp == nil {\n\t\treturn nil, nil\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\tif _, ok := secret.Data[\"runtimes\"]; !ok {\n\t\treturn nil, fmt.Errorf(\"data from server response does not contain runtimes\")\n\t}\n\n\tvar runtimes []PluginRuntimeDetails\n\tif err = mapstructure.Decode(secret.Data[\"runtimes\"], &runtimes); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// return all runtimes in the catalog\n\tif input == nil {\n\t\treturn &ListPluginRuntimesResponse{Runtimes: runtimes}, nil\n\t}\n\n\tresult := &ListPluginRuntimesResponse{\n\t\tRuntimes: []PluginRuntimeDetails{},\n\t}\n\tfor _, runtime := range runtimes {\n\t\tif runtime.Type == input.Type.String() {\n\t\t\tresult.Runtimes = append(result.Runtimes, runtime)\n\t\t}\n\t}\n\treturn result, nil\n}\n\n// pluginRuntimeCatalogPathByType is a helper to construct the 
proper API path by plugin type\nfunc pluginRuntimeCatalogPathByType(runtimeType PluginRuntimeType, name string) string {\n\treturn fmt.Sprintf(\"/v1/sys/plugins/runtimes/catalog/%s/%s\", runtimeType, name)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_policy.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nfunc (c *Sys) ListPolicies() ([]string, error) {\n\treturn c.ListPoliciesWithContext(context.Background())\n}\n\nfunc (c *Sys) ListPoliciesWithContext(ctx context.Context) ([]string, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(\"LIST\", \"/v1/sys/policies/acl\")\n\t// Set this for broader compatibility, but we use LIST above to be able to\n\t// handle the wrapping lookup function\n\tr.Method = http.MethodGet\n\tr.Params.Set(\"list\", \"true\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result []string\n\terr = mapstructure.Decode(secret.Data[\"keys\"], &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn result, err\n}\n\nfunc (c *Sys) GetPolicy(name string) (string, error) {\n\treturn c.GetPolicyWithContext(context.Background(), name)\n}\n\nfunc (c *Sys) GetPolicyWithContext(ctx context.Context, name string) (string, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, fmt.Sprintf(\"/v1/sys/policies/acl/%s\", name))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t\tif resp.StatusCode == 404 {\n\t\t\treturn \"\", nil\n\t\t}\n\t}\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn \"\", errors.New(\"data from server response 
is empty\")\n\t}\n\n\tif policyRaw, ok := secret.Data[\"policy\"]; ok {\n\t\treturn policyRaw.(string), nil\n\t}\n\n\treturn \"\", fmt.Errorf(\"no policy found in response\")\n}\n\nfunc (c *Sys) PutPolicy(name, rules string) error {\n\treturn c.PutPolicyWithContext(context.Background(), name, rules)\n}\n\nfunc (c *Sys) PutPolicyWithContext(ctx context.Context, name, rules string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]string{\n\t\t\"policy\": rules,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPut, fmt.Sprintf(\"/v1/sys/policies/acl/%s\", name))\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\nfunc (c *Sys) DeletePolicy(name string) error {\n\treturn c.DeletePolicyWithContext(context.Background(), name)\n}\n\nfunc (c *Sys) DeletePolicyWithContext(ctx context.Context, name string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, fmt.Sprintf(\"/v1/sys/policies/acl/%s\", name))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\ntype getPoliciesResp struct {\n\tRules string `json:\"rules\"`\n}\n\ntype listPoliciesResp struct {\n\tPolicies []string `json:\"policies\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"archive/tar\"\n\t\"compress/gzip\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/ioutil\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/hashicorp/go-secure-stdlib/parseutil\"\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nvar ErrIncompleteSnapshot = errors.New(\"incomplete snapshot, unable to read SHA256SUMS.sealed file\")\n\n// RaftJoinResponse represents the response of the raft join API\ntype RaftJoinResponse struct {\n\tJoined bool `json:\"joined\"`\n}\n\n// RaftJoinRequest represents the parameters consumed by the raft join API\ntype RaftJoinRequest struct {\n\tAutoJoin         string `json:\"auto_join\"`\n\tAutoJoinScheme   string `json:\"auto_join_scheme\"`\n\tAutoJoinPort     uint   `json:\"auto_join_port\"`\n\tLeaderAPIAddr    string `json:\"leader_api_addr\"`\n\tLeaderCACert     string `json:\"leader_ca_cert\"`\n\tLeaderClientCert string `json:\"leader_client_cert\"`\n\tLeaderClientKey  string `json:\"leader_client_key\"`\n\tRetry            bool   `json:\"retry\"`\n\tNonVoter         bool   `json:\"non_voter\"`\n}\n\n// AutopilotConfig is used for querying/setting the Autopilot configuration.\ntype AutopilotConfig struct {\n\tCleanupDeadServers             bool          `json:\"cleanup_dead_servers\" mapstructure:\"cleanup_dead_servers\"`\n\tLastContactThreshold           time.Duration `json:\"last_contact_threshold\" mapstructure:\"-\"`\n\tDeadServerLastContactThreshold time.Duration `json:\"dead_server_last_contact_threshold\" mapstructure:\"-\"`\n\tMaxTrailingLogs                uint64        `json:\"max_trailing_logs\" mapstructure:\"max_trailing_logs\"`\n\tMinQuorum                      uint          `json:\"min_quorum\" mapstructure:\"min_quorum\"`\n\tServerStabilizationTime        time.Duration `json:\"server_stabilization_time\" 
mapstructure:\"-\"`\n\tDisableUpgradeMigration        bool          `json:\"disable_upgrade_migration\" mapstructure:\"disable_upgrade_migration\"`\n}\n\n// MarshalJSON makes the autopilot config fields JSON compatible\nfunc (ac *AutopilotConfig) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(map[string]interface{}{\n\t\t\"cleanup_dead_servers\":               ac.CleanupDeadServers,\n\t\t\"last_contact_threshold\":             ac.LastContactThreshold.String(),\n\t\t\"dead_server_last_contact_threshold\": ac.DeadServerLastContactThreshold.String(),\n\t\t\"max_trailing_logs\":                  ac.MaxTrailingLogs,\n\t\t\"min_quorum\":                         ac.MinQuorum,\n\t\t\"server_stabilization_time\":          ac.ServerStabilizationTime.String(),\n\t\t\"disable_upgrade_migration\":          ac.DisableUpgradeMigration,\n\t})\n}\n\n// UnmarshalJSON parses the autopilot config JSON blob\nfunc (ac *AutopilotConfig) UnmarshalJSON(b []byte) error {\n\tvar data interface{}\n\terr := json.Unmarshal(b, &data)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tconf := data.(map[string]interface{})\n\tif err = mapstructure.WeakDecode(conf, ac); err != nil {\n\t\treturn err\n\t}\n\tif ac.LastContactThreshold, err = parseutil.ParseDurationSecond(conf[\"last_contact_threshold\"]); err != nil {\n\t\treturn err\n\t}\n\tif ac.DeadServerLastContactThreshold, err = parseutil.ParseDurationSecond(conf[\"dead_server_last_contact_threshold\"]); err != nil {\n\t\treturn err\n\t}\n\tif ac.ServerStabilizationTime, err = parseutil.ParseDurationSecond(conf[\"server_stabilization_time\"]); err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\n// AutopilotState represents the response of the raft autopilot state API\ntype AutopilotState struct {\n\tHealthy                    bool                        `mapstructure:\"healthy\"`\n\tFailureTolerance           int                         `mapstructure:\"failure_tolerance\"`\n\tServers                    map[string]*AutopilotServer 
`mapstructure:\"servers\"`\n\tLeader                     string                      `mapstructure:\"leader\"`\n\tVoters                     []string                    `mapstructure:\"voters\"`\n\tNonVoters                  []string                    `mapstructure:\"non_voters\"`\n\tRedundancyZones            map[string]AutopilotZone    `mapstructure:\"redundancy_zones,omitempty\"`\n\tUpgrade                    *AutopilotUpgrade           `mapstructure:\"upgrade_info,omitempty\"`\n\tOptimisticFailureTolerance int                         `mapstructure:\"optimistic_failure_tolerance,omitempty\"`\n}\n\nfunc (a *AutopilotState) String() string {\n\tvar result string\n\tresult += fmt.Sprintf(\"Healthy: %t. FailureTolerance: %d. Leader: %s. OptimisticFailureTolerance: %d\\n\", a.Healthy, a.FailureTolerance, a.Leader, a.OptimisticFailureTolerance)\n\tfor _, s := range a.Servers {\n\t\tresult += fmt.Sprintf(\"Server: %s\\n\", s)\n\t}\n\tresult += fmt.Sprintf(\"Voters: %v\\n\", a.Voters)\n\tresult += fmt.Sprintf(\"NonVoters: %v\\n\", a.NonVoters)\n\n\tfor name, zone := range a.RedundancyZones {\n\t\tresult += fmt.Sprintf(\"RedundancyZone %s: %s\\n\", name, &zone)\n\t}\n\n\tresult += fmt.Sprintf(\"Upgrade: %s\", a.Upgrade)\n\treturn result\n}\n\n// AutopilotServer represents the server blocks in the response of the raft\n// autopilot state API.\ntype AutopilotServer struct {\n\tID             string `mapstructure:\"id\"`\n\tName           string `mapstructure:\"name\"`\n\tAddress        string `mapstructure:\"address\"`\n\tNodeStatus     string `mapstructure:\"node_status\"`\n\tLastContact    string `mapstructure:\"last_contact\"`\n\tLastTerm       uint64 `mapstructure:\"last_term\"`\n\tLastIndex      uint64 `mapstructure:\"last_index\"`\n\tHealthy        bool   `mapstructure:\"healthy\"`\n\tStableSince    string `mapstructure:\"stable_since\"`\n\tStatus         string `mapstructure:\"status\"`\n\tVersion        string `mapstructure:\"version\"`\n\tUpgradeVersion string 
`mapstructure:\"upgrade_version,omitempty\"`\n\tRedundancyZone string `mapstructure:\"redundancy_zone,omitempty\"`\n\tNodeType       string `mapstructure:\"node_type,omitempty\"`\n}\n\nfunc (a *AutopilotServer) String() string {\n\treturn fmt.Sprintf(\"ID: %s. Name: %s. Address: %s. NodeStatus: %s. LastContact: %s. LastTerm: %d. LastIndex: %d. Healthy: %t. StableSince: %s. Status: %s. Version: %s. UpgradeVersion: %s. RedundancyZone: %s. NodeType: %s\",\n\t\ta.ID, a.Name, a.Address, a.NodeStatus, a.LastContact, a.LastTerm, a.LastIndex, a.Healthy, a.StableSince, a.Status, a.Version, a.UpgradeVersion, a.RedundancyZone, a.NodeType)\n}\n\ntype AutopilotZone struct {\n\tServers          []string `mapstructure:\"servers,omitempty\"`\n\tVoters           []string `mapstructure:\"voters,omitempty\"`\n\tFailureTolerance int      `mapstructure:\"failure_tolerance,omitempty\"`\n}\n\nfunc (a *AutopilotZone) String() string {\n\treturn fmt.Sprintf(\"Servers: %v. Voters: %v. FailureTolerance: %d\", a.Servers, a.Voters, a.FailureTolerance)\n}\n\ntype AutopilotUpgrade struct {\n\tStatus                    string                                  `mapstructure:\"status\"`\n\tTargetVersion             string                                  `mapstructure:\"target_version,omitempty\"`\n\tTargetVersionVoters       []string                                `mapstructure:\"target_version_voters,omitempty\"`\n\tTargetVersionNonVoters    []string                                `mapstructure:\"target_version_non_voters,omitempty\"`\n\tTargetVersionReadReplicas []string                                `mapstructure:\"target_version_read_replicas,omitempty\"`\n\tOtherVersionVoters        []string                                `mapstructure:\"other_version_voters,omitempty\"`\n\tOtherVersionNonVoters     []string                                `mapstructure:\"other_version_non_voters,omitempty\"`\n\tOtherVersionReadReplicas  []string                                
`mapstructure:\"other_version_read_replicas,omitempty\"`\n\tRedundancyZones           map[string]AutopilotZoneUpgradeVersions `mapstructure:\"redundancy_zones,omitempty\"`\n}\n\nfunc (a *AutopilotUpgrade) String() string {\n\tresult := fmt.Sprintf(\"Status: %s. TargetVersion: %s. TargetVersionVoters: %v. TargetVersionNonVoters: %v. TargetVersionReadReplicas: %v. OtherVersionVoters: %v. OtherVersionNonVoters: %v. OtherVersionReadReplicas: %v\",\n\t\ta.Status, a.TargetVersion, a.TargetVersionVoters, a.TargetVersionNonVoters, a.TargetVersionReadReplicas, a.OtherVersionVoters, a.OtherVersionNonVoters, a.OtherVersionReadReplicas)\n\n\tfor name, zone := range a.RedundancyZones {\n\t\tresult += fmt.Sprintf(\"Redundancy Zone %s: %s\", name, zone)\n\t}\n\n\treturn result\n}\n\ntype AutopilotZoneUpgradeVersions struct {\n\tTargetVersionVoters    []string `mapstructure:\"target_version_voters,omitempty\"`\n\tTargetVersionNonVoters []string `mapstructure:\"target_version_non_voters,omitempty\"`\n\tOtherVersionVoters     []string `mapstructure:\"other_version_voters,omitempty\"`\n\tOtherVersionNonVoters  []string `mapstructure:\"other_version_non_voters,omitempty\"`\n}\n\nfunc (a *AutopilotZoneUpgradeVersions) String() string {\n\treturn fmt.Sprintf(\"TargetVersionVoters: %v. TargetVersionNonVoters: %v. OtherVersionVoters: %v. 
OtherVersionNonVoters: %v\",\n\t\ta.TargetVersionVoters, a.TargetVersionNonVoters, a.OtherVersionVoters, a.OtherVersionNonVoters)\n}\n\n// RaftJoin wraps RaftJoinWithContext using context.Background.\nfunc (c *Sys) RaftJoin(opts *RaftJoinRequest) (*RaftJoinResponse, error) {\n\treturn c.RaftJoinWithContext(context.Background(), opts)\n}\n\n// RaftJoinWithContext adds the node from which this call is invoked to the raft\n// cluster represented by the leader address in the parameter.\nfunc (c *Sys) RaftJoinWithContext(ctx context.Context, opts *RaftJoinRequest) (*RaftJoinResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/sys/storage/raft/join\")\n\n\tif err := r.SetJSONBody(opts); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RaftJoinResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\n// RaftSnapshot wraps RaftSnapshotWithContext using context.Background.\nfunc (c *Sys) RaftSnapshot(snapWriter io.Writer) error {\n\treturn c.RaftSnapshotWithContext(context.Background(), snapWriter)\n}\n\n// RaftSnapshotWithContext invokes the API that takes the snapshot of the raft cluster and\n// writes it to the supplied io.Writer.\nfunc (c *Sys) RaftSnapshotWithContext(ctx context.Context, snapWriter io.Writer) error {\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/storage/raft/snapshot\")\n\tr.URL.RawQuery = r.Params.Encode()\n\n\tresp, err := c.c.httpRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\t// Make sure that the last file in the archive, SHA256SUMS.sealed, is present\n\t// and non-empty.  This is to catch cases where the snapshot failed midstream,\n\t// e.g. 
due to a problem with the seal that prevented encryption of that file.\n\t// Only presence and non-emptiness of that file are checked here; its checksums\n\t// are not compared against the archive contents.\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tvar verified bool\n\n\trPipe, wPipe := io.Pipe()\n\tdup := io.TeeReader(resp.Body, wPipe)\n\tgo func() {\n\t\tdefer func() {\n\t\t\tio.Copy(ioutil.Discard, rPipe)\n\t\t\trPipe.Close()\n\t\t\twg.Done()\n\t\t}()\n\n\t\tuncompressed, err := gzip.NewReader(rPipe)\n\t\tif err != nil {\n\t\t\treturn\n\t\t}\n\n\t\tt := tar.NewReader(uncompressed)\n\t\tvar h *tar.Header\n\t\tfor {\n\t\t\th, err = t.Next()\n\t\t\tif err != nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif h.Name != \"SHA256SUMS.sealed\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tvar b []byte\n\t\t\tb, err = io.ReadAll(t)\n\t\t\tif err != nil || len(b) == 0 {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tverified = true\n\t\t\treturn\n\t\t}\n\t}()\n\n\t// Copy bytes from dup to snapWriter.  This will have a side effect that\n\t// everything read from dup will be written to wPipe.\n\t_, err = io.Copy(snapWriter, dup)\n\twPipe.Close()\n\tif err != nil {\n\t\trPipe.CloseWithError(err)\n\t\treturn err\n\t}\n\twg.Wait()\n\n\tif !verified {\n\t\treturn ErrIncompleteSnapshot\n\t}\n\treturn nil\n}\n\n// RaftSnapshotRestore wraps RaftSnapshotRestoreWithContext using context.Background.\nfunc (c *Sys) RaftSnapshotRestore(snapReader io.Reader, force bool) error {\n\treturn c.RaftSnapshotRestoreWithContext(context.Background(), snapReader, force)\n}\n\n// RaftSnapshotRestoreWithContext reads the snapshot from the io.Reader and installs that\n// snapshot, returning the cluster to the state defined by it.\nfunc (c *Sys) RaftSnapshotRestoreWithContext(ctx context.Context, snapReader io.Reader, force bool) error {\n\tpath := \"/v1/sys/storage/raft/snapshot\"\n\tif force {\n\t\tpath = \"/v1/sys/storage/raft/snapshot-force\"\n\t}\n\n\tr := c.c.NewRequest(http.MethodPost, path)\n\tr.Body = snapReader\n\n\tresp, err := c.c.httpRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\n// 
RaftAutopilotState wraps RaftAutopilotStateWithContext using context.Background.\nfunc (c *Sys) RaftAutopilotState() (*AutopilotState, error) {\n\treturn c.RaftAutopilotStateWithContext(context.Background())\n}\n\n// RaftAutopilotStateWithDRToken wraps RaftAutopilotStateWithContext using the given DR token.\nfunc (c *Sys) RaftAutopilotStateWithDRToken(drToken string) (*AutopilotState, error) {\n\treturn c.RaftAutopilotStateWithContext(context.WithValue(context.Background(), \"dr-token\", drToken))\n}\n\n// RaftAutopilotStateWithContext returns the state of the raft cluster as seen by autopilot.\n// If ctx carries a \"dr-token\" value, it is passed to c.c.SetToken before the request is built.\nfunc (c *Sys) RaftAutopilotStateWithContext(ctx context.Context) (*AutopilotState, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tif ctx.Value(\"dr-token\") != nil {\n\t\tc.c.SetToken(ctx.Value(\"dr-token\").(string))\n\t}\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/storage/raft/autopilot/state\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t\tif resp.StatusCode == 404 {\n\t\t\treturn nil, nil\n\t\t}\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result AutopilotState\n\terr = mapstructure.Decode(secret.Data, &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\n// RaftAutopilotConfiguration wraps RaftAutopilotConfigurationWithContext using context.Background.\nfunc (c *Sys) RaftAutopilotConfiguration() (*AutopilotConfig, error) {\n\treturn c.RaftAutopilotConfigurationWithContext(context.Background())\n}\n\n// RaftAutopilotConfigurationWithDRToken wraps RaftAutopilotConfigurationWithContext using the given token.\nfunc (c *Sys) RaftAutopilotConfigurationWithDRToken(drToken string) (*AutopilotConfig, error) {\n\treturn 
c.RaftAutopilotConfigurationWithContext(context.WithValue(context.Background(), \"dr-token\", drToken))\n}\n\n// RaftAutopilotConfigurationWithContext fetches the autopilot config.\nfunc (c *Sys) RaftAutopilotConfigurationWithContext(ctx context.Context) (*AutopilotConfig, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tif ctx.Value(\"dr-token\") != nil {\n\t\tc.c.SetToken(ctx.Value(\"dr-token\").(string))\n\t}\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/storage/raft/autopilot/configuration\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif resp != nil {\n\t\tdefer resp.Body.Close()\n\t\tif resp.StatusCode == 404 {\n\t\t\treturn nil, nil\n\t\t}\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result AutopilotConfig\n\tif err = mapstructure.Decode(secret.Data, &result); err != nil {\n\t\treturn nil, err\n\t}\n\tif result.LastContactThreshold, err = parseutil.ParseDurationSecond(secret.Data[\"last_contact_threshold\"]); err != nil {\n\t\treturn nil, err\n\t}\n\tif result.DeadServerLastContactThreshold, err = parseutil.ParseDurationSecond(secret.Data[\"dead_server_last_contact_threshold\"]); err != nil {\n\t\treturn nil, err\n\t}\n\tif result.ServerStabilizationTime, err = parseutil.ParseDurationSecond(secret.Data[\"server_stabilization_time\"]); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\n// PutRaftAutopilotConfiguration wraps PutRaftAutopilotConfigurationWithContext using context.Background.\nfunc (c *Sys) PutRaftAutopilotConfiguration(opts *AutopilotConfig) error {\n\treturn c.PutRaftAutopilotConfigurationWithContext(context.Background(), opts)\n}\n\n// PutRaftAutopilotConfigurationWithContext allows modifying the raft autopilot configuration\nfunc (c *Sys) 
PutRaftAutopilotConfigurationWithContext(ctx context.Context, opts *AutopilotConfig) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/sys/storage/raft/autopilot/configuration\")\n\n\tif err := r.SetJSONBody(opts); err != nil {\n\t\treturn err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\n// RaftLoadLocalSnapshot wraps RaftLoadLocalSnapshotWithContext using context.Background.\nfunc (c *Sys) RaftLoadLocalSnapshot(snapReader io.Reader) (*Secret, error) {\n\treturn c.RaftLoadLocalSnapshotWithContext(context.Background(), snapReader)\n}\n\n// RaftLoadLocalSnapshotWithContext loads a snapshot into the raft cluster.\n// It accepts a reader that reads the snapshot file data.\nfunc (c *Sys) RaftLoadLocalSnapshotWithContext(ctx context.Context, snapReader io.Reader) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/sys/storage/raft/snapshot-load\")\n\tr.Body = snapReader\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\n// RaftLoadCloudSnapshot wraps RaftLoadCloudSnapshotWithContext using context.Background.\nfunc (c *Sys) RaftLoadCloudSnapshot(name string, url *url.URL) (*Secret, error) {\n\treturn c.RaftLoadCloudSnapshotWithContext(context.Background(), name, url)\n}\n\n// RaftLoadCloudSnapshotWithContext loads a snapshot from cloud storage into the raft cluster.\n// It accepts a name for the cloud auto snapshot configuration and a URL to the snapshot location in cloud storage.\nfunc (c *Sys) RaftLoadCloudSnapshotWithContext(ctx context.Context, name string, url *url.URL) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := 
c.c.NewRequest(http.MethodPost, \"/v1/sys/storage/raft/snapshot-auto/snapshot-load/\"+name)\n\tif err := r.SetJSONBody(map[string]interface{}{\n\t\t\"url\": url.String(),\n\t}); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n\n// RaftUnloadSnapshot wraps RaftUnloadSnapshotWithContext using context.Background.\nfunc (c *Sys) RaftUnloadSnapshot(snapID string) (*Secret, error) {\n\treturn c.RaftUnloadSnapshotWithContext(context.Background(), snapID)\n}\n\n// RaftUnloadSnapshotWithContext unloads a snapshot from the raft cluster.\n// It accepts a snapshot ID to identify the snapshot to be unloaded.\nfunc (c *Sys) RaftUnloadSnapshotWithContext(ctx context.Context, snapID string) (*Secret, error) {\n\treturn c.raftUnloadSnapshotWithContext(ctx, snapID, false)\n}\n\n// RaftForceUnloadSnapshot wraps RaftForceUnloadSnapshotWithContext using context.Background.\nfunc (c *Sys) RaftForceUnloadSnapshot(snapID string) (*Secret, error) {\n\treturn c.RaftForceUnloadSnapshotWithContext(context.Background(), snapID)\n}\n\n// RaftForceUnloadSnapshotWithContext forcefully unloads the given snapshot\nfunc (c *Sys) RaftForceUnloadSnapshotWithContext(ctx context.Context, snapID string) (*Secret, error) {\n\treturn c.raftUnloadSnapshotWithContext(ctx, snapID, true)\n}\n\nfunc (c *Sys) raftUnloadSnapshotWithContext(ctx context.Context, snapID string, force bool) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/sys/storage/raft/snapshot-load/\"+snapID)\n\tif force {\n\t\tr.Params.Set(\"force\", \"true\")\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn ParseSecret(resp.Body)\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_rekey.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nfunc (c *Sys) RekeyStatus() (*RekeyStatusResponse, error) {\n\treturn c.RekeyStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyStatusWithContext(ctx context.Context) (*RekeyStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/rekey/init\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyRecoveryKeyStatus() (*RekeyStatusResponse, error) {\n\treturn c.RekeyRecoveryKeyStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyRecoveryKeyStatusWithContext(ctx context.Context) (*RekeyStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/rekey-recovery-key/init\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyVerificationStatus() (*RekeyVerificationStatusResponse, error) {\n\treturn c.RekeyVerificationStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyVerificationStatusWithContext(ctx context.Context) (*RekeyVerificationStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/rekey/verify\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyVerificationStatusResponse\n\terr 
= resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyRecoveryKeyVerificationStatus() (*RekeyVerificationStatusResponse, error) {\n\treturn c.RekeyRecoveryKeyVerificationStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyRecoveryKeyVerificationStatusWithContext(ctx context.Context) (*RekeyVerificationStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/rekey-recovery-key/verify\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyVerificationStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error) {\n\treturn c.RekeyInitWithContext(context.Background(), config)\n}\n\nfunc (c *Sys) RekeyInitWithContext(ctx context.Context, config *RekeyInitRequest) (*RekeyStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/rekey/init\")\n\tif err := r.SetJSONBody(config); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyRecoveryKeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error) {\n\treturn c.RekeyRecoveryKeyInitWithContext(context.Background(), config)\n}\n\nfunc (c *Sys) RekeyRecoveryKeyInitWithContext(ctx context.Context, config *RekeyInitRequest) (*RekeyStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/rekey-recovery-key/init\")\n\tif err := r.SetJSONBody(config); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := 
c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyCancel() error {\n\treturn c.RekeyCancelWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyCancelWithNonce(nonce string) error {\n\treturn c.RekeyCancelWithContextWithNonce(context.Background(), nonce)\n}\n\nfunc (c *Sys) RekeyCancelWithContext(ctx context.Context) error {\n\treturn c.RekeyCancelWithContextWithNonce(ctx, \"\")\n}\n\nfunc (c *Sys) RekeyCancelWithContextWithNonce(ctx context.Context, nonce string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/sys/rekey/init\")\n\tif nonce != \"\" {\n\t\tbody := map[string]interface{}{\n\t\t\t\"nonce\": nonce,\n\t\t}\n\n\t\tif err := r.SetJSONBody(body); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) RekeyRecoveryKeyCancel() error {\n\treturn c.RekeyRecoveryKeyCancelWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyRecoveryKeyCancelWithNonce(nonce string) error {\n\treturn c.RekeyRecoveryKeyCancelWithContextWithNonce(context.Background(), nonce)\n}\n\nfunc (c *Sys) RekeyRecoveryKeyCancelWithContext(ctx context.Context) error {\n\treturn c.RekeyCancelWithContextWithNonce(ctx, \"\")\n}\n\nfunc (c *Sys) RekeyRecoveryKeyCancelWithContextWithNonce(ctx context.Context, nonce string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/sys/rekey-recovery-key/init\")\n\n\tif nonce != \"\" {\n\t\tbody := map[string]interface{}{\n\t\t\t\"nonce\": nonce,\n\t\t}\n\n\t\tif err := r.SetJSONBody(body); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif 
err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) RekeyVerificationCancel() error {\n\treturn c.RekeyVerificationCancelWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyVerificationCancelWithContext(ctx context.Context) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/sys/rekey/verify\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) RekeyRecoveryKeyVerificationCancel() error {\n\treturn c.RekeyRecoveryKeyVerificationCancelWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyRecoveryKeyVerificationCancelWithContext(ctx context.Context) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/sys/rekey-recovery-key/verify\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error) {\n\treturn c.RekeyUpdateWithContext(context.Background(), shard, nonce)\n}\n\nfunc (c *Sys) RekeyUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyUpdateResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"key\":   shard,\n\t\t\"nonce\": nonce,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/rekey/update\")\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyUpdateResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyRecoveryKeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error) {\n\treturn 
c.RekeyRecoveryKeyUpdateWithContext(context.Background(), shard, nonce)\n}\n\nfunc (c *Sys) RekeyRecoveryKeyUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyUpdateResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"key\":   shard,\n\t\t\"nonce\": nonce,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/rekey-recovery-key/update\")\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyUpdateResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error) {\n\treturn c.RekeyRetrieveBackupWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyRetrieveBackupWithContext(ctx context.Context) (*RekeyRetrieveResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/rekey/backup\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result RekeyRetrieveResponse\n\terr = mapstructure.Decode(secret.Data, &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyRetrieveRecoveryBackup() (*RekeyRetrieveResponse, error) {\n\treturn c.RekeyRetrieveRecoveryBackupWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyRetrieveRecoveryBackupWithContext(ctx context.Context) (*RekeyRetrieveResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, 
\"/v1/sys/rekey/recovery-key-backup\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result RekeyRetrieveResponse\n\terr = mapstructure.Decode(secret.Data, &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyDeleteBackup() error {\n\treturn c.RekeyDeleteBackupWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyDeleteBackupWithContext(ctx context.Context) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/sys/rekey/backup\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\n\treturn err\n}\n\nfunc (c *Sys) RekeyDeleteRecoveryBackup() error {\n\treturn c.RekeyDeleteRecoveryBackupWithContext(context.Background())\n}\n\nfunc (c *Sys) RekeyDeleteRecoveryBackupWithContext(ctx context.Context) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, \"/v1/sys/rekey/recovery-key-backup\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\n\treturn err\n}\n\nfunc (c *Sys) RekeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error) {\n\treturn c.RekeyVerificationUpdateWithContext(context.Background(), shard, nonce)\n}\n\nfunc (c *Sys) RekeyVerificationUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyVerificationUpdateResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"key\":   shard,\n\t\t\"nonce\": nonce,\n\t}\n\n\tr := 
c.c.NewRequest(http.MethodPut, \"/v1/sys/rekey/verify\")\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyVerificationUpdateResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\nfunc (c *Sys) RekeyRecoveryKeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error) {\n\treturn c.RekeyRecoveryKeyVerificationUpdateWithContext(context.Background(), shard, nonce)\n}\n\nfunc (c *Sys) RekeyRecoveryKeyVerificationUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyVerificationUpdateResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tbody := map[string]interface{}{\n\t\t\"key\":   shard,\n\t\t\"nonce\": nonce,\n\t}\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/rekey-recovery-key/verify\")\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result RekeyVerificationUpdateResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\ntype RekeyInitRequest struct {\n\tSecretShares        int      `json:\"secret_shares\"`\n\tSecretThreshold     int      `json:\"secret_threshold\"`\n\tStoredShares        int      `json:\"stored_shares\"`\n\tPGPKeys             []string `json:\"pgp_keys\"`\n\tBackup              bool\n\tRequireVerification bool `json:\"require_verification\"`\n}\n\ntype RekeyStatusResponse struct {\n\tNonce                string   `json:\"nonce\"`\n\tStarted              bool     `json:\"started\"`\n\tT                    int      `json:\"t\"`\n\tN                    int      `json:\"n\"`\n\tProgress             int      `json:\"progress\"`\n\tRequired             int      `json:\"required\"`\n\tPGPFingerprints      []string 
`json:\"pgp_fingerprints\"`\n\tBackup               bool     `json:\"backup\"`\n\tVerificationRequired bool     `json:\"verification_required\"`\n\tVerificationNonce    string   `json:\"verification_nonce\"`\n}\n\ntype RekeyUpdateResponse struct {\n\tNonce                string   `json:\"nonce\"`\n\tComplete             bool     `json:\"complete\"`\n\tKeys                 []string `json:\"keys\"`\n\tKeysB64              []string `json:\"keys_base64\"`\n\tPGPFingerprints      []string `json:\"pgp_fingerprints\"`\n\tBackup               bool     `json:\"backup\"`\n\tVerificationRequired bool     `json:\"verification_required\"`\n\tVerificationNonce    string   `json:\"verification_nonce,omitempty\"`\n}\n\ntype RekeyRetrieveResponse struct {\n\tNonce   string              `json:\"nonce\" mapstructure:\"nonce\"`\n\tKeys    map[string][]string `json:\"keys\" mapstructure:\"keys\"`\n\tKeysB64 map[string][]string `json:\"keys_base64\" mapstructure:\"keys_base64\"`\n}\n\ntype RekeyVerificationStatusResponse struct {\n\tNonce    string `json:\"nonce\"`\n\tStarted  bool   `json:\"started\"`\n\tT        int    `json:\"t\"`\n\tN        int    `json:\"n\"`\n\tProgress int    `json:\"progress\"`\n}\n\ntype RekeyVerificationUpdateResponse struct {\n\tNonce    string `json:\"nonce\"`\n\tComplete bool   `json:\"complete\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_rotate.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"net/http\"\n\t\"time\"\n)\n\nfunc (c *Sys) Rotate() error {\n\treturn c.RotateWithContext(context.Background())\n}\n\nfunc (c *Sys) RotateWithContext(ctx context.Context) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, \"/v1/sys/rotate\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err == nil {\n\t\tdefer resp.Body.Close()\n\t}\n\treturn err\n}\n\nfunc (c *Sys) KeyStatus() (*KeyStatus, error) {\n\treturn c.KeyStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) KeyStatusWithContext(ctx context.Context) (*KeyStatus, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/key-status\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result KeyStatus\n\n\ttermRaw, ok := secret.Data[\"term\"]\n\tif !ok {\n\t\treturn nil, errors.New(\"term not found in response\")\n\t}\n\tterm, ok := termRaw.(json.Number)\n\tif !ok {\n\t\treturn nil, errors.New(\"could not convert term to a number\")\n\t}\n\tterm64, err := term.Int64()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tresult.Term = int(term64)\n\n\tinstallTimeRaw, ok := secret.Data[\"install_time\"]\n\tif !ok {\n\t\treturn nil, errors.New(\"install_time not found in response\")\n\t}\n\tinstallTimeStr, ok := installTimeRaw.(string)\n\tif !ok {\n\t\treturn nil, errors.New(\"could not convert install_time to a string\")\n\t}\n\tinstallTime, err := time.Parse(time.RFC3339Nano, installTimeStr)\n\tif err 
!= nil {\n\t\treturn nil, err\n\t}\n\tresult.InstallTime = installTime\n\n\tencryptionsRaw, ok := secret.Data[\"encryptions\"]\n\tif ok {\n\t\tencryptions, ok := encryptionsRaw.(json.Number)\n\t\tif !ok {\n\t\t\treturn nil, errors.New(\"could not convert encryptions to a number\")\n\t\t}\n\t\tencryptions64, err := encryptions.Int64()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tresult.Encryptions = int(encryptions64)\n\t}\n\n\treturn &result, err\n}\n\ntype KeyStatus struct {\n\tTerm        int       `json:\"term\"`\n\tInstallTime time.Time `json:\"install_time\"`\n\tEncryptions int       `json:\"encryptions\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_seal.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"net/http\"\n)\n\nfunc (c *Sys) SealStatus() (*SealStatusResponse, error) {\n\treturn c.SealStatusWithContext(context.Background())\n}\n\nfunc (c *Sys) SealStatusWithContext(ctx context.Context) (*SealStatusResponse, error) {\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/seal-status\")\n\treturn sealStatusRequestWithContext(ctx, c, r)\n}\n\nfunc (c *Sys) Seal() error {\n\treturn c.SealWithContext(context.Background())\n}\n\nfunc (c *Sys) SealWithContext(ctx context.Context) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/seal\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\nfunc (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error) {\n\treturn c.ResetUnsealProcessWithContext(context.Background())\n}\n\nfunc (c *Sys) ResetUnsealProcessWithContext(ctx context.Context) (*SealStatusResponse, error) {\n\tbody := map[string]interface{}{\"reset\": true}\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/unseal\")\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn sealStatusRequestWithContext(ctx, c, r)\n}\n\nfunc (c *Sys) Unseal(shard string) (*SealStatusResponse, error) {\n\treturn c.UnsealWithContext(context.Background(), shard)\n}\n\nfunc (c *Sys) UnsealWithContext(ctx context.Context, shard string) (*SealStatusResponse, error) {\n\tbody := map[string]interface{}{\"key\": shard}\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/unseal\")\n\tif err := r.SetJSONBody(body); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn sealStatusRequestWithContext(ctx, c, r)\n}\n\nfunc (c *Sys) UnsealWithOptions(opts *UnsealOpts) (*SealStatusResponse, error) {\n\treturn c.UnsealWithOptionsWithContext(context.Background(), 
opts)\n}\n\nfunc (c *Sys) UnsealWithOptionsWithContext(ctx context.Context, opts *UnsealOpts) (*SealStatusResponse, error) {\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/unseal\")\n\n\tif err := r.SetJSONBody(opts); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn sealStatusRequestWithContext(ctx, c, r)\n}\n\nfunc sealStatusRequestWithContext(ctx context.Context, c *Sys, r *Request) (*SealStatusResponse, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar result SealStatusResponse\n\terr = resp.DecodeJSON(&result)\n\treturn &result, err\n}\n\ntype SealStatusResponse struct {\n\tType               string   `json:\"type\"`\n\tInitialized        bool     `json:\"initialized\"`\n\tSealed             bool     `json:\"sealed\"`\n\tT                  int      `json:\"t\"`\n\tN                  int      `json:\"n\"`\n\tProgress           int      `json:\"progress\"`\n\tNonce              string   `json:\"nonce\"`\n\tVersion            string   `json:\"version\"`\n\tBuildDate          string   `json:\"build_date\"`\n\tMigration          bool     `json:\"migration\"`\n\tClusterName        string   `json:\"cluster_name,omitempty\"`\n\tClusterID          string   `json:\"cluster_id,omitempty\"`\n\tRecoverySeal       bool     `json:\"recovery_seal\"`\n\tRecoverySealType   string   `json:\"recovery_seal_type,omitempty\"`\n\tStorageType        string   `json:\"storage_type,omitempty\"`\n\tHCPLinkStatus      string   `json:\"hcp_link_status,omitempty\"`\n\tHCPLinkResourceID  string   `json:\"hcp_link_resource_ID,omitempty\"`\n\tRemovedFromCluster *bool    `json:\"removed_from_cluster,omitempty\"`\n\tWarnings           []string `json:\"warnings,omitempty\"`\n}\n\ntype UnsealOpts struct {\n\tKey     string `json:\"key\"`\n\tReset   bool   `json:\"reset\"`\n\tMigrate bool   `json:\"migrate\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_stepdown.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"net/http\"\n)\n\nfunc (c *Sys) StepDown() error {\n\treturn c.StepDownWithContext(context.Background())\n}\n\nfunc (c *Sys) StepDownWithContext(ctx context.Context) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPut, \"/v1/sys/step-down\")\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif resp != nil && resp.Body != nil {\n\t\tresp.Body.Close()\n\t}\n\treturn err\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_ui_custom_message.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"strconv\"\n)\n\nconst (\n\t// baseEndpoint is the common base URL path for all endpoints used in this\n\t// module.\n\tbaseEndpoint string = \"/v1/sys/config/ui/custom-messages\"\n)\n\n// ListUICustomMessages calls ListUICustomMessagesWithContext using a background\n// Context.\nfunc (c *Sys) ListUICustomMessages(req UICustomMessageListRequest) (*Secret, error) {\n\treturn c.ListUICustomMessagesWithContext(context.Background(), req)\n}\n\n// ListUICustomMessagesWithContext sends a request to the List custom messages\n// endpoint using the provided Context and UICustomMessageListRequest value as\n// the inputs. It returns a pointer to a Secret if a response was obtained from\n// the server, including error responses; or an error if a response could not be\n// obtained due to an error.\nfunc (c *Sys) ListUICustomMessagesWithContext(ctx context.Context, req UICustomMessageListRequest) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(\"LIST\", fmt.Sprintf(\"%s/\", baseEndpoint))\n\tif req.Active != nil {\n\t\tr.Params.Add(\"active\", strconv.FormatBool(*req.Active))\n\t}\n\tif req.Authenticated != nil {\n\t\tr.Params.Add(\"authenticated\", strconv.FormatBool(*req.Authenticated))\n\t}\n\tif req.Type != nil {\n\t\tr.Params.Add(\"type\", *req.Type)\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\treturn secret, nil\n}\n\n// CreateUICustomMessage calls CreateUICustomMessageWithContext using a\n// background Context.\nfunc (c 
*Sys) CreateUICustomMessage(req UICustomMessageRequest) (*Secret, error) {\n\treturn c.CreateUICustomMessageWithContext(context.Background(), req)\n}\n\n// CreateUICustomMessageWithContext sends a request to the Create custom\n// messages endpoint using the provided Context and UICustomMessageRequest\n// values as the inputs. It returns a pointer to a Secret if a response was\n// obtained from the server, including error responses; or an error if a\n// response could not be obtained due to an error.\nfunc (c *Sys) CreateUICustomMessageWithContext(ctx context.Context, req UICustomMessageRequest) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, baseEndpoint)\n\tif err := r.SetJSONBody(&req); err != nil {\n\t\treturn nil, fmt.Errorf(\"error encoding request body to json: %w\", err)\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error sending request to server: %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"could not parse secret from server response: %w\", err)\n\t}\n\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\treturn secret, nil\n}\n\n// ReadUICustomMessage calls ReadUICustomMessageWithContext using a background\n// Context.\nfunc (c *Sys) ReadUICustomMessage(id string) (*Secret, error) {\n\treturn c.ReadUICustomMessageWithContext(context.Background(), id)\n}\n\n// ReadUICustomMessageWithContext sends a request to the Read custom message\n// endpoint using the provided Context and id values. 
It returns a pointer to a\n// Secret if a response was obtained from the server, including error responses;\n// or an error if a response could not be obtained due to an error.\nfunc (c *Sys) ReadUICustomMessageWithContext(ctx context.Context, id string) (*Secret, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, fmt.Sprintf(\"%s/%s\", baseEndpoint, id))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error sending request to server: %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"could not parse secret from server response: %w\", err)\n\t}\n\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\treturn secret, nil\n}\n\n// UpdateUICustomMessage calls UpdateUICustomMessageWithContext using a\n// background Context.\nfunc (c *Sys) UpdateUICustomMessage(id string, req UICustomMessageRequest) error {\n\treturn c.UpdateUICustomMessageWithContext(context.Background(), id, req)\n}\n\n// UpdateUICustomMessageWithContext sends a request to the Update custom message\n// endpoint using the provided Context, id, and UICustomMessageRequest values.\n// It returns an error if the request body could not be encoded or if\n// rawRequestWithContext reports one, and nil otherwise.\nfunc (c *Sys) UpdateUICustomMessageWithContext(ctx context.Context, id string, req UICustomMessageRequest) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodPost, fmt.Sprintf(\"%s/%s\", baseEndpoint, id))\n\tif err := r.SetJSONBody(&req); err != nil {\n\t\treturn fmt.Errorf(\"error encoding request body to json: %w\", err)\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn
fmt.Errorf(\"error sending request to server: %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\n// DeleteUICustomMessage is meant to call DeleteUICustomMessageWithContext using\n// a background Context.\n// NOTE(review): the body calls DeletePolicyWithContext with the id instead, so\n// it does not reach the function documented below; confirm against upstream.\nfunc (c *Sys) DeleteUICustomMessage(id string) error {\n\treturn c.DeletePolicyWithContext(context.Background(), id)\n}\n\n// DeleteUICustomMessageWithContext sends a request to the Delete custom message\n// endpoint using the provided Context and id values. It returns an error if\n// rawRequestWithContext reports one, and nil otherwise.\nfunc (c *Sys) DeleteUICustomMessageWithContext(ctx context.Context, id string) error {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodDelete, fmt.Sprintf(\"%s/%s\", baseEndpoint, id))\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error sending request to server: %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\treturn nil\n}\n\n// UICustomMessageListRequest is a struct used to contain inputs for the List\n// custom messages request. Each field is optional, so their types are pointers.\n// The With...
methods can be used to easily set the fields with pointers to\n// values.\ntype UICustomMessageListRequest struct {\n\tAuthenticated *bool\n\tType          *string\n\tActive        *bool\n}\n\n// WithAuthenticated sets the Authenticated field to a pointer referencing the\n// provided bool value.\nfunc (r *UICustomMessageListRequest) WithAuthenticated(value bool) *UICustomMessageListRequest {\n\tr.Authenticated = &value\n\n\treturn r\n}\n\n// WithType sets the Type field to a pointer referencing the provided string\n// value.\nfunc (r *UICustomMessageListRequest) WithType(value string) *UICustomMessageListRequest {\n\tr.Type = &value\n\n\treturn r\n}\n\n// WithActive sets the Active field to a pointer referencing the provided bool\n// value.\nfunc (r *UICustomMessageListRequest) WithActive(value bool) *UICustomMessageListRequest {\n\tr.Active = &value\n\n\treturn r\n}\n\n// UICustomMessageRequest is a struct containing the properties of a custom\n// message. The Link field can be set using the WithLink method.\ntype UICustomMessageRequest struct {\n\tTitle         string               `json:\"title\"`\n\tMessage       string               `json:\"message\"`\n\tAuthenticated bool                 `json:\"authenticated\"`\n\tType          string               `json:\"type\"`\n\tStartTime     string               `json:\"start_time\"`\n\tEndTime       string               `json:\"end_time,omitempty\"`\n\tLink          *uiCustomMessageLink `json:\"link,omitempty\"`\n\tOptions       map[string]any       `json:\"options,omitempty\"`\n}\n\n// WithLink sets the Link field to the address of a new uiCustomMessageLink\n// struct constructed from the provided title and href values.\nfunc (r *UICustomMessageRequest) WithLink(title, href string) *UICustomMessageRequest {\n\tr.Link = &uiCustomMessageLink{\n\t\tTitle: title,\n\t\tHref:  href,\n\t}\n\n\treturn r\n}\n\n// uiCustomMessageLink is a utility struct used to represent a link associated\n// with a custom message.\ntype 
uiCustomMessageLink struct {\n\tTitle string\n\tHref  string\n}\n\n// MarshalJSON encodes the state of the receiver uiCustomMessageLink as JSON and\n// returns those encoded bytes or an error.\nfunc (l uiCustomMessageLink) MarshalJSON() ([]byte, error) {\n\tm := make(map[string]string)\n\n\tm[l.Title] = l.Href\n\n\treturn json.Marshal(m)\n}\n\n// UnmarshalJSON updates the state of the receiver uiCustomMessageLink from the\n// provided JSON encoded bytes. It returns an error if there was a failure.\nfunc (l *uiCustomMessageLink) UnmarshalJSON(b []byte) error {\n\tm := make(map[string]string)\n\n\tif err := json.Unmarshal(b, &m); err != nil {\n\t\treturn err\n\t}\n\n\tfor k, v := range m {\n\t\tl.Title = k\n\t\tl.Href = v\n\t\tbreak\n\t}\n\n\treturn nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_utilization_report.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage api\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net/http\"\n\n\t\"github.com/mitchellh/mapstructure\"\n)\n\nfunc (c *Sys) UtilizationReport() (*UtilizationReportOutput, error) {\n\treturn c.UtilizationReportWithContext(context.Background(), \"\")\n}\n\nfunc (c *Sys) UtilizationReportWithNamespace(nsPath string) (*UtilizationReportOutput, error) {\n\treturn c.UtilizationReportWithContext(context.Background(), nsPath)\n}\n\nfunc (c *Sys) UtilizationReportWithContext(ctx context.Context, nsPath string) (*UtilizationReportOutput, error) {\n\tctx, cancelFunc := c.c.withConfiguredTimeout(ctx)\n\tdefer cancelFunc()\n\n\tr := c.c.NewRequest(http.MethodGet, \"/v1/sys/utilization-report\")\n\n\tif nsPath != \"\" {\n\t\tr.Params.Add(\"namespace\", nsPath)\n\t}\n\n\tresp, err := c.c.rawRequestWithContext(ctx, r)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tsecret, err := ParseSecret(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif secret == nil || secret.Data == nil {\n\t\treturn nil, errors.New(\"data from server response is empty\")\n\t}\n\n\tvar result UtilizationReportOutput\n\terr = mapstructure.Decode(secret.Data, &result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &result, err\n}\n\ntype UtilizationReportOutput struct {\n\tNamespaces int `json:\"namespaces,omitempty\" structs:\"namespaces\" mapstructure:\"namespaces\"`\n\n\tKVV1Secrets int `json:\"kvv1_secrets,omitempty\" structs:\"kvv1_secrets\" mapstructure:\"kvv1_secrets\"`\n\tKVV2Secrets int `json:\"kvv2_secrets,omitempty\" structs:\"kvv2_secrets\" mapstructure:\"kvv2_secrets\"`\n\n\tAuthMethods   map[string]int `json:\"auth_methods,omitempty\" structs:\"auth_methods\" mapstructure:\"auth_methods\"`\n\tSecretEngines map[string]int `json:\"secret_engines,omitempty\" structs:\"secret_engines\" mapstructure:\"secret_engines\"`\n\n\tLeasesByAuthMethod 
map[string]int `json:\"leases_by_auth_method,omitempty\" structs:\"leases_by_auth_method\" mapstructure:\"leases_by_auth_method\"`\n\n\tReplicationStatus *UtilizationReportReplicationStatusInformation `json:\"replication_status,omitempty\" structs:\"replication_status\" mapstructure:\"replication_status\"`\n\n\tPKI *UtilizationReportPKIInformation `json:\"pki,omitempty\" structs:\"pki\" mapstructure:\"pki\"`\n\n\tSecretSync *UtilizationReportSecretSyncInformation `json:\"secret_sync,omitempty\" structs:\"secret_sync\" mapstructure:\"secret_sync\"`\n\n\tLeaseCountQuotas *UtilizationReportLeaseCountQuotaInformation `json:\"lease_count_quotas,omitempty\" structs:\"lease_count_quotas\" mapstructure:\"lease_count_quotas\"`\n}\n\ntype UtilizationReportReplicationStatusInformation struct {\n\tDRPrimary bool   `json:\"dr_primary,omitempty\" structs:\"dr_primary\" mapstructure:\"dr_primary\"`\n\tDRState   string `json:\"dr_state,omitempty\" structs:\"dr_state\" mapstructure:\"dr_state\"`\n\tPRPrimary bool   `json:\"pr_primary,omitempty\" structs:\"pr_primary\" mapstructure:\"pr_primary\"`\n\tPRState   string `json:\"pr_state,omitempty\" structs:\"pr_state\" mapstructure:\"pr_state\"`\n}\n\ntype UtilizationReportPKIInformation struct {\n\tTotalRoles   int `json:\"total_roles,omitempty\" structs:\"total_roles\" mapstructure:\"total_roles\"`\n\tTotalIssuers int `json:\"total_issuers,omitempty\" structs:\"total_issuers\" mapstructure:\"total_issuers\"`\n}\n\ntype UtilizationReportSecretSyncInformation struct {\n\tTotalSources      int `json:\"total_sources,omitempty\" structs:\"total_sources\" mapstructure:\"total_sources\"`\n\tTotalDestinations int `json:\"total_destinations,omitempty\" structs:\"total_destinations\" mapstructure:\"total_destinations\"`\n}\n\ntype UtilizationReportLeaseCountQuotaInformation struct {\n\tTotalLeaseCountQuotas            int                                                `json:\"total_lease_count_quotas,omitempty\" 
structs:\"total_lease_count_quotas\" mapstructure:\"total_lease_count_quotas\"`\n\tGlobalLeaseCountQuotaInformation *UtilizationReportGlobalLeaseCountQuotaInformation `json:\"global_lease_count_quota,omitempty\" structs:\"global_lease_count_quota\" mapstructure:\"global_lease_count_quota\"`\n}\n\ntype UtilizationReportGlobalLeaseCountQuotaInformation struct {\n\tName     string `json:\"name,omitempty\" structs:\"name\" mapstructure:\"name\"`\n\tCapacity int    `json:\"capacity,omitempty\" structs:\"capacity\" mapstructure:\"capacity\"`\n\tCount    int    `json:\"count,omitempty\" structs:\"count\" mapstructure:\"count\"`\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/tokenhelper/helper.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage tokenhelper\n\n// TokenHelper is an interface that contains basic operations that must be\n// implemented by a token helper\ntype TokenHelper interface {\n\t// Path displays a method-specific path; for the internal helper this\n\t// is the location of the token stored on disk; for the external helper\n\t// this is the location of the binary being invoked\n\tPath() string\n\tErase() error\n\tGet() (string, error)\n\tStore(string) error\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/tokenhelper/helper_external.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage tokenhelper\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"strings\"\n)\n\n// ExternalTokenHelperPath should only be used in dev mode.\n// ExternalTokenHelperPath takes the configured path to a helper and expands it to\n// a full absolute path that can be executed. As of 0.5, the default token\n// helper is internal, to avoid problems running in dev mode (see GH-850 and\n// GH-783), so special assumptions of prepending \"vault token-\" no longer\n// apply.\n//\n// As an additional result, only absolute paths are now allowed. Looking in the\n// path or a current directory for an arbitrary executable could allow someone\n// to switch the expected binary for one further up the path (or in the current\n// directory), potentially opening up execution of an arbitrary binary.\nfunc ExternalTokenHelperPath(path string) (string, error) {\n\tif !filepath.IsAbs(path) {\n\t\tvar err error\n\t\tpath, err = filepath.Abs(path)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t}\n\n\tif _, err := os.Stat(path); err != nil {\n\t\treturn \"\", fmt.Errorf(\"unknown error getting the external helper path\")\n\t}\n\n\treturn path, nil\n}\n\nvar _ TokenHelper = new(ExternalTokenHelper)\n\n// ExternalTokenHelper should only be used in a dev mode. For all other cases,\n// InternalTokenHelper should be used.\n// ExternalTokenHelper is the struct that has all the logic for storing and retrieving\n// tokens from the token helper. The API for the helpers is simple: the\n// BinaryPath is executed directly with arguments Args and environment Env.\n// The last argument appended to Args will be the operation, which is:\n//\n//   - \"get\" - Read the value of the token and write it to stdout.\n//   - \"store\" - Store the value of the token which is on stdin. Output\n//     nothing.\n//   - \"erase\" - Erase the contents stored. 
Output nothing.\n//\n// Any errors can be written on stdout. If the helper exits with a non-zero\n// exit code then the stderr will be made part of the error value.\ntype ExternalTokenHelper struct {\n\tBinaryPath string\n\tArgs       []string\n\tEnv        []string\n}\n\n// Erase deletes the contents from the helper.\nfunc (h *ExternalTokenHelper) Erase() error {\n\tcmd, err := h.cmd(\"erase\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif output, err := cmd.CombinedOutput(); err != nil {\n\t\treturn fmt.Errorf(\"%q: %w\", string(output), err)\n\t}\n\treturn nil\n}\n\n// Get gets the token value from the helper.\nfunc (h *ExternalTokenHelper) Get() (string, error) {\n\tvar buf, stderr bytes.Buffer\n\tcmd, err := h.cmd(\"get\")\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tcmd.Stdout = &buf\n\tcmd.Stderr = &stderr\n\tif err := cmd.Run(); err != nil {\n\t\treturn \"\", fmt.Errorf(\"%q: %w\", stderr.String(), err)\n\t}\n\n\treturn buf.String(), nil\n}\n\n// Store stores the token value into the helper.\nfunc (h *ExternalTokenHelper) Store(v string) error {\n\tbuf := bytes.NewBufferString(v)\n\tcmd, err := h.cmd(\"store\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tcmd.Stdin = buf\n\tif output, err := cmd.CombinedOutput(); err != nil {\n\t\treturn fmt.Errorf(\"%q: %w\", string(output), err)\n\t}\n\n\treturn nil\n}\n\nfunc (h *ExternalTokenHelper) Path() string {\n\treturn h.BinaryPath\n}\n\nfunc (h *ExternalTokenHelper) cmd(op string) (*exec.Cmd, error) {\n\tbinPath := strings.ReplaceAll(h.BinaryPath, \"\\\\\", \"\\\\\\\\\")\n\n\targs := make([]string, len(h.Args))\n\tcopy(args, h.Args)\n\targs = append(args, op)\n\n\tcmd := exec.Command(binPath, args...)\n\tcmd.Env = h.Env\n\treturn cmd, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/tokenhelper/helper_internal.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage tokenhelper\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\thomedir \"github.com/mitchellh/go-homedir\"\n\t\"github.com/natefinch/atomic\"\n)\n\nvar _ TokenHelper = (*InternalTokenHelper)(nil)\n\n// InternalTokenHelper fulfills the TokenHelper interface when no external\n// token-helper is configured, and avoids shelling out\ntype InternalTokenHelper struct {\n\ttokenPath string\n\thomeDir   string\n}\n\nfunc NewInternalTokenHelper() (*InternalTokenHelper, error) {\n\thomeDir, err := homedir.Dir()\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"error getting user's home directory: %v\", err))\n\t}\n\treturn &InternalTokenHelper{homeDir: homeDir}, err\n}\n\n// populateTokenPath figures out the token path using homedir to get the user's\n// home directory\nfunc (i *InternalTokenHelper) populateTokenPath() {\n\ti.tokenPath = filepath.Join(i.homeDir, \".vault-token\")\n}\n\nfunc (i *InternalTokenHelper) Path() string {\n\treturn i.tokenPath\n}\n\n// Get gets the value of the stored token, if any\nfunc (i *InternalTokenHelper) Get() (string, error) {\n\ti.populateTokenPath()\n\tf, err := os.Open(i.tokenPath)\n\tif os.IsNotExist(err) {\n\t\treturn \"\", nil\n\t}\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer f.Close()\n\n\tbuf := bytes.NewBuffer(nil)\n\tif _, err := io.Copy(buf, f); err != nil {\n\t\treturn \"\", err\n\t}\n\n\treturn strings.TrimSpace(buf.String()), nil\n}\n\n// Store stores the value of the token to the file.  
We always overwrite any\n// existing file atomically to ensure that ownership and permissions are set\n// appropriately.\nfunc (i *InternalTokenHelper) Store(input string) error {\n\ti.populateTokenPath()\n\ttmpFile := i.tokenPath + \".tmp\"\n\tf, err := os.OpenFile(tmpFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o600)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\tdefer os.Remove(tmpFile)\n\n\t_, err = io.WriteString(f, input)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = f.Close()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// We don't care so much about atomic writes here.  We're using this package\n\t// because we don't have a portable way of verifying that the target file\n\t// is owned by the correct user.  The simplest way of ensuring that is\n\t// to simply re-write it, and the simplest way to ensure that we don't\n\t// damage an existing working file due to error is the write-rename pattern.\n\t// os.Rename on Windows will return an error if the target already exists.\n\treturn atomic.ReplaceFile(tmpFile, i.tokenPath)\n}\n\n// Erase erases the value of the token\nfunc (i *InternalTokenHelper) Erase() error {\n\ti.populateTokenPath()\n\tif err := os.Remove(i.tokenPath); err != nil && !os.IsNotExist(err) {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/tokenhelper/testing.go",
    "content": "// Copyright (c) HashiCorp, Inc.\n// SPDX-License-Identifier: MPL-2.0\n\npackage tokenhelper\n\nimport (\n\t\"testing\"\n)\n\n// test is a public function that can be used in other tests to\n// test that a helper is functioning properly.\nfunc test(t *testing.T, h TokenHelper) {\n\tif err := h.Store(\"foo\"); err != nil {\n\t\tt.Fatalf(\"err: %s\", err)\n\t}\n\n\tv, err := h.Get()\n\tif err != nil {\n\t\tt.Fatalf(\"err: %s\", err)\n\t}\n\n\tif v != \"foo\" {\n\t\tt.Fatalf(\"bad: %#v\", v)\n\t}\n\n\tif err := h.Erase(); err != nil {\n\t\tt.Fatalf(\"err: %s\", err)\n\t}\n\n\tv, err = h.Get()\n\tif err != nil {\n\t\tt.Fatalf(\"err: %s\", err)\n\t}\n\n\tif v != \"\" {\n\t\tt.Fatalf(\"bad: %#v\", v)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/in-toto/attestation/go/v1/LICENSE",
    "content": "Copyright 2021 in-toto Developers\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/in-toto/in-toto-golang/in_toto/LICENSE",
    "content": "Copyright 2018 New York University\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/jedisct1/go-minisign/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2018-2023 Frank Denis\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/jellydator/ttlcache/v3/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2022 Jellydator\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/json-iterator/go/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2016 json-iterator\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/kelseyhightower/envconfig/LICENSE",
    "content": "Copyright (c) 2013 Kelsey Hightower\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies\nof the Software, and to permit persons to whom the Software is furnished to do\nso, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/klauspost/compress/LICENSE",
    "content": "Copyright (c) 2012 The Go Authors. All rights reserved.\nCopyright (c) 2019 Klaus Post. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n------------------\n\nFiles: gzhttp/*\n\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. 
Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. 
For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright 2016-2017 The New York Times Company\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n------------------\n\nFiles: s2/cmd/internal/readahead/*\n\nThe MIT License (MIT)\n\nCopyright (c) 2015 Klaus Post\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n---------------------\nFiles: snappy/*\nFiles: internal/snapref/*\n\nCopyright (c) 2011 The Snappy-Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n-----------------\n\nFiles: s2/cmd/internal/filepathx/*\n\nCopyright 2016 The filepathx Authors\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/klauspost/compress/internal/snapref/LICENSE",
    "content": "Copyright (c) 2011 The Snappy-Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/klauspost/compress/zstd/internal/xxhash/LICENSE.txt",
    "content": "Copyright (c) 2016 Caleb Spare\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/kylelemons/godebug/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/lestrrat-go/blackmagic/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2021 lestrrat-go\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/lestrrat-go/dsig/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2025 lestrrat-go\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/lestrrat-go/httpcc/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2020 lestrrat-go\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/lestrrat-go/httprc/v3/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2022 lestrrat\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/lestrrat-go/jwx/v3/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2015 lestrrat\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/lestrrat-go/option/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2021 lestrrat-go\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/lestrrat-go/option/v2/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2021 lestrrat-go\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/LICENSE.txt",
    "content": "Copyright 2016 ISRG.  All rights reserved.\n\nMozilla Public License Version 2.0\n==================================\n\n1. Definitions\n--------------\n\n1.1. \"Contributor\"\n    means each individual or legal entity that creates, contributes to\n    the creation of, or owns Covered Software.\n\n1.2. \"Contributor Version\"\n    means the combination of the Contributions of others (if any) used\n    by a Contributor and that particular Contributor's Contribution.\n\n1.3. \"Contribution\"\n    means Covered Software of a particular Contributor.\n\n1.4. \"Covered Software\"\n    means Source Code Form to which the initial Contributor has attached\n    the notice in Exhibit A, the Executable Form of such Source Code\n    Form, and Modifications of such Source Code Form, in each case\n    including portions thereof.\n\n1.5. \"Incompatible With Secondary Licenses\"\n    means\n\n    (a) that the initial Contributor has attached the notice described\n        in Exhibit B to the Covered Software; or\n\n    (b) that the Covered Software was made available under the terms of\n        version 1.1 or earlier of the License, but not also under the\n        terms of a Secondary License.\n\n1.6. \"Executable Form\"\n    means any form of the work other than Source Code Form.\n\n1.7. \"Larger Work\"\n    means a work that combines Covered Software with other material, in \n    a separate file or files, that is not Covered Software.\n\n1.8. \"License\"\n    means this document.\n\n1.9. \"Licensable\"\n    means having the right to grant, to the maximum extent possible,\n    whether at the time of the initial grant or subsequently, any and\n    all of the rights conveyed by this License.\n\n1.10. 
\"Modifications\"\n    means any of the following:\n\n    (a) any file in Source Code Form that results from an addition to,\n        deletion from, or modification of the contents of Covered\n        Software; or\n\n    (b) any new file in Source Code Form that contains any Covered\n        Software.\n\n1.11. \"Patent Claims\" of a Contributor\n    means any patent claim(s), including without limitation, method,\n    process, and apparatus claims, in any patent Licensable by such\n    Contributor that would be infringed, but for the grant of the\n    License, by the making, using, selling, offering for sale, having\n    made, import, or transfer of either its Contributions or its\n    Contributor Version.\n\n1.12. \"Secondary License\"\n    means either the GNU General Public License, Version 2.0, the GNU\n    Lesser General Public License, Version 2.1, the GNU Affero General\n    Public License, Version 3.0, or any later versions of those\n    licenses.\n\n1.13. \"Source Code Form\"\n    means the form of the work preferred for making modifications.\n\n1.14. \"You\" (or \"Your\")\n    means an individual or a legal entity exercising rights under this\n    License. For legal entities, \"You\" includes any entity that\n    controls, is controlled by, or is under common control with You. For\n    purposes of this definition, \"control\" means (a) the power, direct\n    or indirect, to cause the direction or management of such entity,\n    whether by contract or otherwise, or (b) ownership of more than\n    fifty percent (50%) of the outstanding shares or beneficial\n    ownership of such entity.\n\n2. License Grants and Conditions\n--------------------------------\n\n2.1. 
Grants\n\nEach Contributor hereby grants You a world-wide, royalty-free,\nnon-exclusive license:\n\n(a) under intellectual property rights (other than patent or trademark)\n    Licensable by such Contributor to use, reproduce, make available,\n    modify, display, perform, distribute, and otherwise exploit its\n    Contributions, either on an unmodified basis, with Modifications, or\n    as part of a Larger Work; and\n\n(b) under Patent Claims of such Contributor to make, use, sell, offer\n    for sale, have made, import, and otherwise transfer either its\n    Contributions or its Contributor Version.\n\n2.2. Effective Date\n\nThe licenses granted in Section 2.1 with respect to any Contribution\nbecome effective for each Contribution on the date the Contributor first\ndistributes such Contribution.\n\n2.3. Limitations on Grant Scope\n\nThe licenses granted in this Section 2 are the only rights granted under\nthis License. No additional rights or licenses will be implied from the\ndistribution or licensing of Covered Software under this License.\nNotwithstanding Section 2.1(b) above, no patent license is granted by a\nContributor:\n\n(a) for any code that a Contributor has removed from Covered Software;\n    or\n\n(b) for infringements caused by: (i) Your and any other third party's\n    modifications of Covered Software, or (ii) the combination of its\n    Contributions with other software (except as part of its Contributor\n    Version); or\n\n(c) under Patent Claims infringed by Covered Software in the absence of\n    its Contributions.\n\nThis License does not grant any rights in the trademarks, service marks,\nor logos of any Contributor (except as may be necessary to comply with\nthe notice requirements in Section 3.4).\n\n2.4. 
Subsequent Licenses\n\nNo Contributor makes additional grants as a result of Your choice to\ndistribute the Covered Software under a subsequent version of this\nLicense (see Section 10.2) or under the terms of a Secondary License (if\npermitted under the terms of Section 3.3).\n\n2.5. Representation\n\nEach Contributor represents that the Contributor believes its\nContributions are its original creation(s) or it has sufficient rights\nto grant the rights to its Contributions conveyed by this License.\n\n2.6. Fair Use\n\nThis License is not intended to limit any rights You have under\napplicable copyright doctrines of fair use, fair dealing, or other\nequivalents.\n\n2.7. Conditions\n\nSections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted\nin Section 2.1.\n\n3. Responsibilities\n-------------------\n\n3.1. Distribution of Source Form\n\nAll distribution of Covered Software in Source Code Form, including any\nModifications that You create or to which You contribute, must be under\nthe terms of this License. You must inform recipients that the Source\nCode Form of the Covered Software is governed by the terms of this\nLicense, and how they can obtain a copy of this License. You may not\nattempt to alter or restrict the recipients' rights in the Source Code\nForm.\n\n3.2. 
Distribution of Executable Form\n\nIf You distribute Covered Software in Executable Form then:\n\n(a) such Covered Software must also be made available in Source Code\n    Form, as described in Section 3.1, and You must inform recipients of\n    the Executable Form how they can obtain a copy of such Source Code\n    Form by reasonable means in a timely manner, at a charge no more\n    than the cost of distribution to the recipient; and\n\n(b) You may distribute such Executable Form under the terms of this\n    License, or sublicense it under different terms, provided that the\n    license for the Executable Form does not attempt to limit or alter\n    the recipients' rights in the Source Code Form under this License.\n\n3.3. Distribution of a Larger Work\n\nYou may create and distribute a Larger Work under terms of Your choice,\nprovided that You also comply with the requirements of this License for\nthe Covered Software. If the Larger Work is a combination of Covered\nSoftware with a work governed by one or more Secondary Licenses, and the\nCovered Software is not Incompatible With Secondary Licenses, this\nLicense permits You to additionally distribute such Covered Software\nunder the terms of such Secondary License(s), so that the recipient of\nthe Larger Work may, at their option, further distribute the Covered\nSoftware under the terms of either this License or such Secondary\nLicense(s).\n\n3.4. Notices\n\nYou may not remove or alter the substance of any license notices\n(including copyright notices, patent notices, disclaimers of warranty,\nor limitations of liability) contained within the Source Code Form of\nthe Covered Software, except that You may alter any license notices to\nthe extent required to remedy known factual inaccuracies.\n\n3.5. Application of Additional Terms\n\nYou may choose to offer, and to charge a fee for, warranty, support,\nindemnity or liability obligations to one or more recipients of Covered\nSoftware. 
However, You may do so only on Your own behalf, and not on\nbehalf of any Contributor. You must make it absolutely clear that any\nsuch warranty, support, indemnity, or liability obligation is offered by\nYou alone, and You hereby agree to indemnify every Contributor for any\nliability incurred by such Contributor as a result of warranty, support,\nindemnity or liability terms You offer. You may include additional\ndisclaimers of warranty and limitations of liability specific to any\njurisdiction.\n\n4. Inability to Comply Due to Statute or Regulation\n---------------------------------------------------\n\nIf it is impossible for You to comply with any of the terms of this\nLicense with respect to some or all of the Covered Software due to\nstatute, judicial order, or regulation then You must: (a) comply with\nthe terms of this License to the maximum extent possible; and (b)\ndescribe the limitations and the code they affect. Such description must\nbe placed in a text file included with all distributions of the Covered\nSoftware under this License. Except to the extent prohibited by statute\nor regulation, such description must be sufficiently detailed for a\nrecipient of ordinary skill to be able to understand it.\n\n5. Termination\n--------------\n\n5.1. The rights granted under this License will terminate automatically\nif You fail to comply with any of its terms. However, if You become\ncompliant, then the rights granted under this License from a particular\nContributor are reinstated (a) provisionally, unless and until such\nContributor explicitly and finally terminates Your grants, and (b) on an\nongoing basis, if such Contributor fails to notify You of the\nnon-compliance by some reasonable means prior to 60 days after You have\ncome back into compliance. 
Moreover, Your grants from a particular\nContributor are reinstated on an ongoing basis if such Contributor\nnotifies You of the non-compliance by some reasonable means, this is the\nfirst time You have received notice of non-compliance with this License\nfrom such Contributor, and You become compliant prior to 30 days after\nYour receipt of the notice.\n\n5.2. If You initiate litigation against any entity by asserting a patent\ninfringement claim (excluding declaratory judgment actions,\ncounter-claims, and cross-claims) alleging that a Contributor Version\ndirectly or indirectly infringes any patent, then the rights granted to\nYou by any and all Contributors for the Covered Software under Section\n2.1 of this License shall terminate.\n\n5.3. In the event of termination under Sections 5.1 or 5.2 above, all\nend user license agreements (excluding distributors and resellers) which\nhave been validly granted by You or Your distributors under this License\nprior to termination shall survive termination.\n\n************************************************************************\n*                                                                      *\n*  6. Disclaimer of Warranty                                           *\n*  -------------------------                                           *\n*                                                                      *\n*  Covered Software is provided under this License on an \"as is\"       *\n*  basis, without warranty of any kind, either expressed, implied, or  *\n*  statutory, including, without limitation, warranties that the       *\n*  Covered Software is free of defects, merchantable, fit for a        *\n*  particular purpose or non-infringing. The entire risk as to the     *\n*  quality and performance of the Covered Software is with You.        
*\n*  Should any Covered Software prove defective in any respect, You     *\n*  (not any Contributor) assume the cost of any necessary servicing,   *\n*  repair, or correction. This disclaimer of warranty constitutes an   *\n*  essential part of this License. No use of any Covered Software is   *\n*  authorized under this License except under this disclaimer.         *\n*                                                                      *\n************************************************************************\n\n************************************************************************\n*                                                                      *\n*  7. Limitation of Liability                                          *\n*  --------------------------                                          *\n*                                                                      *\n*  Under no circumstances and under no legal theory, whether tort      *\n*  (including negligence), contract, or otherwise, shall any           *\n*  Contributor, or anyone who distributes Covered Software as          *\n*  permitted above, be liable to You for any direct, indirect,         *\n*  special, incidental, or consequential damages of any character      *\n*  including, without limitation, damages for lost profits, loss of    *\n*  goodwill, work stoppage, computer failure or malfunction, or any    *\n*  and all other commercial damages or losses, even if such party      *\n*  shall have been informed of the possibility of such damages. This   *\n*  limitation of liability shall not apply to liability for death or   *\n*  personal injury resulting from such party's negligence to the       *\n*  extent applicable law prohibits such limitation. Some               *\n*  jurisdictions do not allow the exclusion or limitation of           *\n*  incidental or consequential damages, so this exclusion and          *\n*  limitation may not apply to You.                                    
*\n*                                                                      *\n************************************************************************\n\n8. Litigation\n-------------\n\nAny litigation relating to this License may be brought only in the\ncourts of a jurisdiction where the defendant maintains its principal\nplace of business and such litigation shall be governed by laws of that\njurisdiction, without reference to its conflict-of-law provisions.\nNothing in this Section shall prevent a party's ability to bring\ncross-claims or counter-claims.\n\n9. Miscellaneous\n----------------\n\nThis License represents the complete agreement concerning the subject\nmatter hereof. If any provision of this License is held to be\nunenforceable, such provision shall be reformed only to the extent\nnecessary to make it enforceable. Any law or regulation which provides\nthat the language of a contract shall be construed against the drafter\nshall not be used to construe this License against a Contributor.\n\n10. Versions of the License\n---------------------------\n\n10.1. New Versions\n\nMozilla Foundation is the license steward. Except as provided in Section\n10.3, no one other than the license steward has the right to modify or\npublish new versions of this License. Each version will be given a\ndistinguishing version number.\n\n10.2. Effect of New Versions\n\nYou may distribute the Covered Software under the terms of the version\nof the License under which You originally received the Covered Software,\nor under the terms of any subsequent version published by the license\nsteward.\n\n10.3. Modified Versions\n\nIf you create software not governed by this License, and you want to\ncreate a new license for such software, you may create and use a\nmodified version of this License if you rename the license and remove\nany references to the name of the license steward (except to note that\nsuch modified license differs from this License).\n\n10.4. 
Distributing Source Code Form that is Incompatible With Secondary\nLicenses\n\nIf You choose to distribute Source Code Form that is Incompatible With\nSecondary Licenses under the terms of this version of the License, the\nnotice described in Exhibit B of this License must be attached.\n\nExhibit A - Source Code Form License Notice\n-------------------------------------------\n\n  This Source Code Form is subject to the terms of the Mozilla Public\n  License, v. 2.0. If a copy of the MPL was not distributed with this\n  file, You can obtain one at http://mozilla.org/MPL/2.0/.\n\nIf it is not possible or desirable to put the notice in a particular\nfile, then You may include the notice in a location (such as a LICENSE\nfile in a relevant directory) where a recipient would be likely to look\nfor such a notice.\n\nYou may add additional accurate notices of copyright ownership.\n\nExhibit B - \"Incompatible With Secondary Licenses\" Notice\n---------------------------------------------------------\n\n  This Source Code Form is \"Incompatible With Secondary Licenses\", as\n  defined by the Mozilla Public License, v. 2.0.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/core/challenges.go",
    "content": "package core\n\nimport \"fmt\"\n\nfunc newChallenge(challengeType AcmeChallenge, token string) Challenge {\n\treturn Challenge{\n\t\tType:   challengeType,\n\t\tStatus: StatusPending,\n\t\tToken:  token,\n\t}\n}\n\n// HTTPChallenge01 constructs a http-01 challenge.\nfunc HTTPChallenge01(token string) Challenge {\n\treturn newChallenge(ChallengeTypeHTTP01, token)\n}\n\n// DNSChallenge01 constructs a dns-01 challenge.\nfunc DNSChallenge01(token string) Challenge {\n\treturn newChallenge(ChallengeTypeDNS01, token)\n}\n\n// TLSALPNChallenge01 constructs a tls-alpn-01 challenge.\nfunc TLSALPNChallenge01(token string) Challenge {\n\treturn newChallenge(ChallengeTypeTLSALPN01, token)\n}\n\n// DNSAccountChallenge01 constructs a dns-account-01 challenge.\nfunc DNSAccountChallenge01(token string) Challenge {\n\treturn newChallenge(ChallengeTypeDNSAccount01, token)\n}\n\n// NewChallenge constructs a challenge of the given kind. It returns an\n// error if the challenge type is unrecognized.\nfunc NewChallenge(kind AcmeChallenge, token string) (Challenge, error) {\n\tswitch kind {\n\tcase ChallengeTypeHTTP01:\n\t\treturn HTTPChallenge01(token), nil\n\tcase ChallengeTypeDNS01:\n\t\treturn DNSChallenge01(token), nil\n\tcase ChallengeTypeTLSALPN01:\n\t\treturn TLSALPNChallenge01(token), nil\n\tcase ChallengeTypeDNSAccount01:\n\t\treturn DNSAccountChallenge01(token), nil\n\tdefault:\n\t\treturn Challenge{}, fmt.Errorf(\"unrecognized challenge type %q\", kind)\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/core/interfaces.go",
    "content": "package core\n\nimport (\n\t\"github.com/letsencrypt/boulder/identifier\"\n)\n\n// PolicyAuthority defines the public interface for the Boulder PA\n// TODO(#5891): Move this interface to a more appropriate location.\ntype PolicyAuthority interface {\n\tWillingToIssue(identifier.ACMEIdentifiers) error\n\tChallengeTypesFor(identifier.ACMEIdentifier) ([]AcmeChallenge, error)\n\tChallengeTypeEnabled(AcmeChallenge) bool\n\tCheckAuthzChallenges(*Authorization) error\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/core/objects.go",
    "content": "package core\n\nimport (\n\t\"crypto\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"hash/fnv\"\n\t\"net/netip\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"golang.org/x/crypto/ocsp\"\n\n\t\"github.com/letsencrypt/boulder/identifier\"\n\t\"github.com/letsencrypt/boulder/probs\"\n\t\"github.com/letsencrypt/boulder/revocation\"\n)\n\n// AcmeStatus defines the state of a given authorization\ntype AcmeStatus string\n\n// These statuses are the states of authorizations, challenges, and registrations\nconst (\n\tStatusUnknown     = AcmeStatus(\"unknown\")     // Unknown status; the default\n\tStatusPending     = AcmeStatus(\"pending\")     // In process; client has next action\n\tStatusProcessing  = AcmeStatus(\"processing\")  // In process; server has next action\n\tStatusReady       = AcmeStatus(\"ready\")       // Order is ready for finalization\n\tStatusValid       = AcmeStatus(\"valid\")       // Object is valid\n\tStatusInvalid     = AcmeStatus(\"invalid\")     // Validation failed\n\tStatusRevoked     = AcmeStatus(\"revoked\")     // Object no longer valid\n\tStatusDeactivated = AcmeStatus(\"deactivated\") // Object has been deactivated\n)\n\n// AcmeResource values identify different types of ACME resources\ntype AcmeResource string\n\n// The types of ACME resources\nconst (\n\tResourceNewReg       = AcmeResource(\"new-reg\")\n\tResourceNewAuthz     = AcmeResource(\"new-authz\")\n\tResourceNewCert      = AcmeResource(\"new-cert\")\n\tResourceRevokeCert   = AcmeResource(\"revoke-cert\")\n\tResourceRegistration = AcmeResource(\"reg\")\n\tResourceChallenge    = AcmeResource(\"challenge\")\n\tResourceAuthz        = AcmeResource(\"authz\")\n\tResourceKeyChange    = AcmeResource(\"key-change\")\n)\n\n// AcmeChallenge values identify different types of ACME challenges\ntype AcmeChallenge string\n\n// These types are the available challenges\nconst (\n\tChallengeTypeHTTP01       = 
AcmeChallenge(\"http-01\")\n\tChallengeTypeDNS01        = AcmeChallenge(\"dns-01\")\n\tChallengeTypeTLSALPN01    = AcmeChallenge(\"tls-alpn-01\")\n\tChallengeTypeDNSAccount01 = AcmeChallenge(\"dns-account-01\")\n)\n\n// IsValid tests whether the challenge is a known challenge\nfunc (c AcmeChallenge) IsValid() bool {\n\tswitch c {\n\tcase ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\n// OCSPStatus defines the state of OCSP for a certificate\ntype OCSPStatus string\n\n// These status are the states of OCSP\nconst (\n\tOCSPStatusGood    = OCSPStatus(\"good\")\n\tOCSPStatusRevoked = OCSPStatus(\"revoked\")\n)\n\nvar OCSPStatusToInt = map[OCSPStatus]int{\n\tOCSPStatusGood:    ocsp.Good,\n\tOCSPStatusRevoked: ocsp.Revoked,\n}\n\n// DNSPrefix is attached to DNS names in DNS challenges\nconst DNSPrefix = \"_acme-challenge\"\n\ntype RawCertificateRequest struct {\n\tCSR JSONBuffer `json:\"csr\"` // The encoded CSR\n}\n\n// Registration objects represent non-public metadata attached\n// to account keys.\ntype Registration struct {\n\t// Unique identifier\n\tID int64 `json:\"-\"`\n\n\t// Account key to which the details are attached\n\tKey *jose.JSONWebKey `json:\"key\"`\n\n\t// Contact URIs\n\tContact *[]string `json:\"contact,omitempty\"`\n\n\t// Agreement with terms of service\n\tAgreement string `json:\"-\"`\n\n\t// CreatedAt is the time the registration was created.\n\tCreatedAt *time.Time `json:\"createdAt,omitempty\"`\n\n\tStatus AcmeStatus `json:\"status\"`\n}\n\n// ValidationRecord represents a validation attempt against a specific URL/hostname\n// and the IP addresses that were resolved and used.\ntype ValidationRecord struct {\n\t// SimpleHTTP only\n\tURL string `json:\"url,omitempty\"`\n\n\t// Shared\n\t//\n\t// Hostname can hold either a DNS name or an IP address.\n\tHostname          string       `json:\"hostname,omitempty\"`\n\tPort              string       
`json:\"port,omitempty\"`\n\tAddressesResolved []netip.Addr `json:\"addressesResolved,omitempty\"`\n\tAddressUsed       netip.Addr   `json:\"addressUsed\"`\n\n\t// AddressesTried contains a list of addresses tried before the `AddressUsed`.\n\t// Presently this will only ever be one IP from `AddressesResolved` since the\n\t// only retry is in the case of a v6 failure with one v4 fallback. E.g. if\n\t// a record with `AddressesResolved: { 127.0.0.1, ::1 }` were processed for\n\t// a challenge validation with the IPv6 first flag on and the ::1 address\n\t// failed but the 127.0.0.1 retry succeeded then the record would end up\n\t// being:\n\t// {\n\t//   ...\n\t//   AddressesResolved: [ 127.0.0.1, ::1 ],\n\t//   AddressUsed: 127.0.0.1\n\t//   AddressesTried: [ ::1 ],\n\t//   ...\n\t// }\n\tAddressesTried []netip.Addr `json:\"addressesTried,omitempty\"`\n\n\t// ResolverAddrs is the host:port of the DNS resolver(s) that fulfilled the\n\t// lookup for AddressUsed. During recursive A and AAAA lookups, a record may\n\t// instead look like A:host:port or AAAA:host:port\n\tResolverAddrs []string `json:\"resolverAddrs,omitempty\"`\n}\n\n// Challenge is an aggregate of all data needed for any challenges.\n//\n// Rather than define individual types for different types of\n// challenge, we just throw all the elements into one bucket,\n// together with the common metadata elements.\ntype Challenge struct {\n\t// Type is the type of challenge encoded in this object.\n\tType AcmeChallenge `json:\"type\"`\n\n\t// URL is the URL to which a response can be posted. Required for all types.\n\tURL string `json:\"url,omitempty\"`\n\n\t// Status is the status of this challenge. Required for all types.\n\tStatus AcmeStatus `json:\"status,omitempty\"`\n\n\t// Validated is the time at which the server validated the challenge. 
Required\n\t// if status is valid.\n\tValidated *time.Time `json:\"validated,omitempty\"`\n\n\t// Error contains the error that occurred during challenge validation, if any.\n\t// If set, the Status must be \"invalid\".\n\tError *probs.ProblemDetails `json:\"error,omitempty\"`\n\n\t// Token is a random value that uniquely identifies the challenge. It is used\n\t// by all current challenges (http-01, tls-alpn-01, and dns-01).\n\tToken string `json:\"token,omitempty\"`\n\n\t// Contains information about URLs used or redirected to and IPs resolved and\n\t// used\n\tValidationRecord []ValidationRecord `json:\"validationRecord,omitempty\"`\n}\n\n// ExpectedKeyAuthorization computes the expected KeyAuthorization value for\n// the challenge.\nfunc (ch Challenge) ExpectedKeyAuthorization(key *jose.JSONWebKey) (string, error) {\n\tif key == nil {\n\t\treturn \"\", fmt.Errorf(\"Cannot authorize a nil key\")\n\t}\n\n\tthumbprint, err := key.Thumbprint(crypto.SHA256)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\treturn ch.Token + \".\" + base64.RawURLEncoding.EncodeToString(thumbprint), nil\n}\n\n// RecordsSane checks the sanity of a ValidationRecord object before sending it\n// back to the RA to be stored.\nfunc (ch Challenge) RecordsSane() bool {\n\tif len(ch.ValidationRecord) == 0 {\n\t\treturn false\n\t}\n\n\tswitch ch.Type {\n\tcase ChallengeTypeHTTP01:\n\t\tfor _, rec := range ch.ValidationRecord {\n\t\t\t// TODO(#7140): Add a check for ResolverAddress == \"\" only after the\n\t\t\t// core.proto change has been deployed.\n\t\t\tif rec.URL == \"\" || rec.Hostname == \"\" || rec.Port == \"\" || (rec.AddressUsed == netip.Addr{}) ||\n\t\t\t\tlen(rec.AddressesResolved) == 0 {\n\t\t\t\treturn false\n\t\t\t}\n\t\t}\n\tcase ChallengeTypeTLSALPN01:\n\t\tif len(ch.ValidationRecord) > 1 {\n\t\t\treturn false\n\t\t}\n\t\tif ch.ValidationRecord[0].URL != \"\" {\n\t\t\treturn false\n\t\t}\n\t\t// TODO(#7140): Add a check for ResolverAddress == \"\" only after the\n\t\t// 
core.proto change has been deployed.\n\t\tif ch.ValidationRecord[0].Hostname == \"\" || ch.ValidationRecord[0].Port == \"\" ||\n\t\t\t(ch.ValidationRecord[0].AddressUsed == netip.Addr{}) || len(ch.ValidationRecord[0].AddressesResolved) == 0 {\n\t\t\treturn false\n\t\t}\n\tcase ChallengeTypeDNS01, ChallengeTypeDNSAccount01:\n\t\tif len(ch.ValidationRecord) > 1 {\n\t\t\treturn false\n\t\t}\n\t\t// TODO(#7140): Add a check for ResolverAddress == \"\" only after the\n\t\t// core.proto change has been deployed.\n\t\tif ch.ValidationRecord[0].Hostname == \"\" {\n\t\t\treturn false\n\t\t}\n\t\treturn true\n\tdefault: // Unsupported challenge type\n\t\treturn false\n\t}\n\n\treturn true\n}\n\n// CheckPending ensures that a challenge object is pending and has a token.\n// This is used before offering the challenge to the client, and before actually\n// validating a challenge.\nfunc (ch Challenge) CheckPending() error {\n\tif ch.Status != StatusPending {\n\t\treturn fmt.Errorf(\"challenge is not pending\")\n\t}\n\n\tif !looksLikeAToken(ch.Token) {\n\t\treturn fmt.Errorf(\"token is missing or malformed\")\n\t}\n\n\treturn nil\n}\n\n// StringID is used to generate a ID for challenges associated with new style authorizations.\n// This is necessary as these challenges no longer have a unique non-sequential identifier\n// in the new storage scheme. This identifier is generated by constructing a fnv hash over the\n// challenge token and type and encoding the first 4 bytes of it using the base64 URL encoding.\nfunc (ch Challenge) StringID() string {\n\th := fnv.New128a()\n\th.Write([]byte(ch.Token))\n\th.Write([]byte(ch.Type))\n\treturn base64.RawURLEncoding.EncodeToString(h.Sum(nil)[0:4])\n}\n\n// Authorization represents the authorization of an account key holder to act on\n// behalf of an identifier. This struct is intended to be used both internally\n// and for JSON marshaling on the wire. 
Any fields that should be suppressed on\n// the wire (e.g., ID, regID) must be made empty before marshaling.\ntype Authorization struct {\n\t// An identifier for this authorization, unique across\n\t// authorizations and certificates within this instance.\n\tID string `json:\"-\"`\n\n\t// The identifier for which authorization is being given\n\tIdentifier identifier.ACMEIdentifier `json:\"identifier\"`\n\n\t// The registration ID associated with the authorization\n\tRegistrationID int64 `json:\"-\"`\n\n\t// The status of the validation of this authorization\n\tStatus AcmeStatus `json:\"status,omitempty\"`\n\n\t// The date after which this authorization will be no\n\t// longer be considered valid. Note: a certificate may be issued even on the\n\t// last day of an authorization's lifetime. The last day for which someone can\n\t// hold a valid certificate based on an authorization is authorization\n\t// lifetime + certificate lifetime.\n\tExpires *time.Time `json:\"expires,omitempty\"`\n\n\t// An array of challenges objects used to validate the\n\t// applicant's control of the identifier.  For authorizations\n\t// in process, these are challenges to be fulfilled; for\n\t// final authorizations, they describe the evidence that\n\t// the server used in support of granting the authorization.\n\t//\n\t// There should only ever be one challenge of each type in this\n\t// slice and the order of these challenges may not be predictable.\n\tChallenges []Challenge `json:\"challenges,omitempty\"`\n\n\t// https://datatracker.ietf.org/doc/html/rfc8555#page-29\n\t//\n\t// wildcard (optional, boolean):  This field MUST be present and true\n\t//   for authorizations created as a result of a newOrder request\n\t//   containing a DNS identifier with a value that was a wildcard\n\t//   domain name.  
For other authorizations, it MUST be absent.\n\t//   Wildcard domain names are described in Section 7.1.3.\n\t//\n\t// This is not represented in the database because we calculate it from\n\t// the identifier stored in the database. Unlike the identifier returned\n\t// as part of the authorization, the identifier we store in the database\n\t// can contain an asterisk.\n\tWildcard bool `json:\"wildcard,omitempty\"`\n\n\t// CertificateProfileName is the name of the profile associated with the\n\t// order that first resulted in the creation of this authorization. Omitted\n\t// from API responses.\n\tCertificateProfileName string `json:\"-\"`\n}\n\n// FindChallengeByStringID will look for a challenge matching the given ID inside\n// this authorization. If found, it will return the index of that challenge within\n// the Authorization's Challenges array. Otherwise it will return -1.\nfunc (authz *Authorization) FindChallengeByStringID(id string) int {\n\tfor i, c := range authz.Challenges {\n\t\tif c.StringID() == id {\n\t\t\treturn i\n\t\t}\n\t}\n\treturn -1\n}\n\n// SolvedBy will look through the Authorizations challenges, returning the type\n// of the *first* challenge it finds with Status: valid, or an error if no\n// challenge is valid.\nfunc (authz *Authorization) SolvedBy() (AcmeChallenge, error) {\n\tif len(authz.Challenges) == 0 {\n\t\treturn \"\", fmt.Errorf(\"authorization has no challenges\")\n\t}\n\tfor _, chal := range authz.Challenges {\n\t\tif chal.Status == StatusValid {\n\t\t\treturn chal.Type, nil\n\t\t}\n\t}\n\treturn \"\", fmt.Errorf(\"authorization not solved by any challenge\")\n}\n\n// JSONBuffer fields get encoded and decoded JOSE-style, in base64url encoding\n// with stripped padding.\ntype JSONBuffer []byte\n\n// MarshalJSON encodes a JSONBuffer for transmission.\nfunc (jb JSONBuffer) MarshalJSON() (result []byte, err error) {\n\treturn json.Marshal(base64.RawURLEncoding.EncodeToString(jb))\n}\n\n// UnmarshalJSON decodes a JSONBuffer to an 
object.\nfunc (jb *JSONBuffer) UnmarshalJSON(data []byte) (err error) {\n\tvar str string\n\terr = json.Unmarshal(data, &str)\n\tif err != nil {\n\t\treturn err\n\t}\n\t*jb, err = base64.RawURLEncoding.DecodeString(strings.TrimRight(str, \"=\"))\n\treturn\n}\n\n// Certificate objects are entirely internal to the server.  The only\n// thing exposed on the wire is the certificate itself.\ntype Certificate struct {\n\tID             int64 `db:\"id\"`\n\tRegistrationID int64 `db:\"registrationID\"`\n\n\tSerial  string    `db:\"serial\"`\n\tDigest  string    `db:\"digest\"`\n\tDER     []byte    `db:\"der\"`\n\tIssued  time.Time `db:\"issued\"`\n\tExpires time.Time `db:\"expires\"`\n}\n\n// CertificateStatus structs are internal to the server. They represent the\n// latest data about the status of the certificate, required for generating new\n// OCSP responses and determining if a certificate has been revoked.\ntype CertificateStatus struct {\n\tID int64 `db:\"id\"`\n\n\tSerial string `db:\"serial\"`\n\n\t// status: 'good' or 'revoked'. Note that good, expired certificates remain\n\t// with status 'good' but don't necessarily get fresh OCSP responses.\n\tStatus OCSPStatus `db:\"status\"`\n\n\t// ocspLastUpdated: The date and time of the last time we generated an OCSP\n\t// response. If we have never generated one, this has the zero value of\n\t// time.Time, i.e. Jan 1 1970.\n\tOCSPLastUpdated time.Time `db:\"ocspLastUpdated\"`\n\n\t// revokedDate: If status is 'revoked', this is the date and time it was\n\t// revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970.\n\tRevokedDate time.Time `db:\"revokedDate\"`\n\n\t// revokedReason: If status is 'revoked', this is the reason code for the\n\t// revocation. 
Otherwise it is zero (which happens to be the reason\n\t// code for 'unspecified').\n\tRevokedReason revocation.Reason `db:\"revokedReason\"`\n\n\tLastExpirationNagSent time.Time `db:\"lastExpirationNagSent\"`\n\n\t// NotAfter and IsExpired are convenience columns which allow expensive\n\t// queries to quickly filter out certificates that we don't need to care\n\t// about anymore. These are particularly useful for the CRL updater. See\n\t// https://github.com/letsencrypt/boulder/issues/1864.\n\tNotAfter  time.Time `db:\"notAfter\"`\n\tIsExpired bool      `db:\"isExpired\"`\n\n\t// Note: this is not an issuance.IssuerNameID because that would create an\n\t// import cycle between core and issuance.\n\t// Note2: This field used to be called `issuerID`. We keep the old name in\n\t// the DB, but update the Go field name to be clear which type of ID this\n\t// is.\n\tIssuerNameID int64 `db:\"issuerID\"`\n}\n\n// SCTDERs is a convenience type\ntype SCTDERs [][]byte\n\n// CertDER is a convenience type that helps differentiate what the\n// underlying byte slice contains\ntype CertDER []byte\n\n// SuggestedWindow is a type exposed inside the RenewalInfo resource.\ntype SuggestedWindow struct {\n\tStart time.Time `json:\"start\"`\n\tEnd   time.Time `json:\"end\"`\n}\n\n// IsWithin returns true if the given time is within the suggested window,\n// inclusive of the start time and exclusive of the end time.\nfunc (window SuggestedWindow) IsWithin(now time.Time) bool {\n\treturn !now.Before(window.Start) && now.Before(window.End)\n}\n\n// RenewalInfo is a type which is exposed to clients which query the renewalInfo\n// endpoint specified in draft-aaron-ari.\ntype RenewalInfo struct {\n\tSuggestedWindow SuggestedWindow `json:\"suggestedWindow\"`\n\tExplanationURL  string          `json:\"explanationURL,omitempty\"`\n}\n\n// RenewalInfoSimple constructs a `RenewalInfo` object and suggested window\n// using a very simple renewal calculation: calculate a point 2/3rds of the way\n// 
through the validity period (or halfway through, for short-lived certs), then\n// give a 2%-of-validity wide window around that. Both the `issued` and\n// `expires` timestamps are expected to be UTC.\nfunc RenewalInfoSimple(issued time.Time, expires time.Time) RenewalInfo {\n\tvalidity := expires.Add(time.Second).Sub(issued)\n\trenewalOffset := validity / time.Duration(3)\n\tif validity < 10*24*time.Hour {\n\t\trenewalOffset = validity / time.Duration(2)\n\t}\n\tidealRenewal := expires.Add(-renewalOffset)\n\tmargin := validity / time.Duration(100)\n\treturn RenewalInfo{\n\t\tSuggestedWindow: SuggestedWindow{\n\t\t\tStart: idealRenewal.Add(-1 * margin).Truncate(time.Second),\n\t\t\tEnd:   idealRenewal.Add(margin).Truncate(time.Second),\n\t\t},\n\t}\n}\n\n// RenewalInfoImmediate constructs a `RenewalInfo` object with a suggested\n// window in the past. Per the draft-ietf-acme-ari-01 spec, clients should\n// attempt to renew immediately if the suggested window is in the past. The\n// passed `now` is assumed to be a timestamp representing the current moment in\n// time. The `explanationURL` is an optional URL that the subscriber can use to\n// learn more about why the renewal is suggested.\nfunc RenewalInfoImmediate(now time.Time, explanationURL string) RenewalInfo {\n\toneHourAgo := now.Add(-1 * time.Hour)\n\treturn RenewalInfo{\n\t\tSuggestedWindow: SuggestedWindow{\n\t\t\tStart: oneHourAgo.Truncate(time.Second),\n\t\t\tEnd:   oneHourAgo.Add(time.Minute * 30).Truncate(time.Second),\n\t\t},\n\t\tExplanationURL: explanationURL,\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/core/proto/core.pb.go",
    "content": "// Code generated by protoc-gen-go. DO NOT EDIT.\n// versions:\n// \tprotoc-gen-go v1.36.5\n// \tprotoc        v3.20.1\n// source: core.proto\n\npackage proto\n\nimport (\n\tprotoreflect \"google.golang.org/protobuf/reflect/protoreflect\"\n\tprotoimpl \"google.golang.org/protobuf/runtime/protoimpl\"\n\ttimestamppb \"google.golang.org/protobuf/types/known/timestamppb\"\n\treflect \"reflect\"\n\tsync \"sync\"\n\tunsafe \"unsafe\"\n)\n\nconst (\n\t// Verify that this generated code is sufficiently up-to-date.\n\t_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)\n\t// Verify that runtime/protoimpl is sufficiently up-to-date.\n\t_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)\n)\n\ntype Identifier struct {\n\tstate         protoimpl.MessageState `protogen:\"open.v1\"`\n\tType          string                 `protobuf:\"bytes,1,opt,name=type,proto3\" json:\"type,omitempty\"`\n\tValue         string                 `protobuf:\"bytes,2,opt,name=value,proto3\" json:\"value,omitempty\"`\n\tunknownFields protoimpl.UnknownFields\n\tsizeCache     protoimpl.SizeCache\n}\n\nfunc (x *Identifier) Reset() {\n\t*x = Identifier{}\n\tmi := &file_core_proto_msgTypes[0]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *Identifier) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*Identifier) ProtoMessage() {}\n\nfunc (x *Identifier) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[0]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use Identifier.ProtoReflect.Descriptor instead.\nfunc (*Identifier) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{0}\n}\n\nfunc (x *Identifier) GetType() string {\n\tif x != nil {\n\t\treturn x.Type\n\t}\n\treturn \"\"\n}\n\nfunc (x 
*Identifier) GetValue() string {\n\tif x != nil {\n\t\treturn x.Value\n\t}\n\treturn \"\"\n}\n\ntype Challenge struct {\n\tstate protoimpl.MessageState `protogen:\"open.v1\"`\n\tId    int64                  `protobuf:\"varint,1,opt,name=id,proto3\" json:\"id,omitempty\"`\n\t// Fields specified by RFC 8555, Section 8.\n\tType      string                 `protobuf:\"bytes,2,opt,name=type,proto3\" json:\"type,omitempty\"`\n\tUrl       string                 `protobuf:\"bytes,9,opt,name=url,proto3\" json:\"url,omitempty\"`\n\tStatus    string                 `protobuf:\"bytes,6,opt,name=status,proto3\" json:\"status,omitempty\"`\n\tValidated *timestamppb.Timestamp `protobuf:\"bytes,12,opt,name=validated,proto3\" json:\"validated,omitempty\"`\n\tError     *ProblemDetails        `protobuf:\"bytes,7,opt,name=error,proto3\" json:\"error,omitempty\"`\n\t// Fields specified by individual validation methods.\n\tToken string `protobuf:\"bytes,3,opt,name=token,proto3\" json:\"token,omitempty\"`\n\t// Additional fields for our own record keeping.\n\tValidationrecords []*ValidationRecord `protobuf:\"bytes,10,rep,name=validationrecords,proto3\" json:\"validationrecords,omitempty\"`\n\tunknownFields     protoimpl.UnknownFields\n\tsizeCache         protoimpl.SizeCache\n}\n\nfunc (x *Challenge) Reset() {\n\t*x = Challenge{}\n\tmi := &file_core_proto_msgTypes[1]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *Challenge) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*Challenge) ProtoMessage() {}\n\nfunc (x *Challenge) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[1]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use Challenge.ProtoReflect.Descriptor instead.\nfunc (*Challenge) Descriptor() ([]byte, []int) 
{\n\treturn file_core_proto_rawDescGZIP(), []int{1}\n}\n\nfunc (x *Challenge) GetId() int64 {\n\tif x != nil {\n\t\treturn x.Id\n\t}\n\treturn 0\n}\n\nfunc (x *Challenge) GetType() string {\n\tif x != nil {\n\t\treturn x.Type\n\t}\n\treturn \"\"\n}\n\nfunc (x *Challenge) GetUrl() string {\n\tif x != nil {\n\t\treturn x.Url\n\t}\n\treturn \"\"\n}\n\nfunc (x *Challenge) GetStatus() string {\n\tif x != nil {\n\t\treturn x.Status\n\t}\n\treturn \"\"\n}\n\nfunc (x *Challenge) GetValidated() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.Validated\n\t}\n\treturn nil\n}\n\nfunc (x *Challenge) GetError() *ProblemDetails {\n\tif x != nil {\n\t\treturn x.Error\n\t}\n\treturn nil\n}\n\nfunc (x *Challenge) GetToken() string {\n\tif x != nil {\n\t\treturn x.Token\n\t}\n\treturn \"\"\n}\n\nfunc (x *Challenge) GetValidationrecords() []*ValidationRecord {\n\tif x != nil {\n\t\treturn x.Validationrecords\n\t}\n\treturn nil\n}\n\ntype ValidationRecord struct {\n\tstate protoimpl.MessageState `protogen:\"open.v1\"`\n\t// Next unused field number: 9\n\tHostname          string   `protobuf:\"bytes,1,opt,name=hostname,proto3\" json:\"hostname,omitempty\"`\n\tPort              string   `protobuf:\"bytes,2,opt,name=port,proto3\" json:\"port,omitempty\"`\n\tAddressesResolved [][]byte `protobuf:\"bytes,3,rep,name=addressesResolved,proto3\" json:\"addressesResolved,omitempty\"` // netip.Addr.MarshalText()\n\tAddressUsed       []byte   `protobuf:\"bytes,4,opt,name=addressUsed,proto3\" json:\"addressUsed,omitempty\"`             // netip.Addr.MarshalText()\n\tAuthorities       []string `protobuf:\"bytes,5,rep,name=authorities,proto3\" json:\"authorities,omitempty\"`\n\tUrl               string   `protobuf:\"bytes,6,opt,name=url,proto3\" json:\"url,omitempty\"`\n\t// A list of addresses tried before the address used (see\n\t// core/objects.go and the comment on the ValidationRecord structure\n\t// definition for more information.\n\tAddressesTried [][]byte 
`protobuf:\"bytes,7,rep,name=addressesTried,proto3\" json:\"addressesTried,omitempty\"` // netip.Addr.MarshalText()\n\tResolverAddrs  []string `protobuf:\"bytes,8,rep,name=resolverAddrs,proto3\" json:\"resolverAddrs,omitempty\"`\n\tunknownFields  protoimpl.UnknownFields\n\tsizeCache      protoimpl.SizeCache\n}\n\nfunc (x *ValidationRecord) Reset() {\n\t*x = ValidationRecord{}\n\tmi := &file_core_proto_msgTypes[2]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *ValidationRecord) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*ValidationRecord) ProtoMessage() {}\n\nfunc (x *ValidationRecord) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[2]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use ValidationRecord.ProtoReflect.Descriptor instead.\nfunc (*ValidationRecord) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{2}\n}\n\nfunc (x *ValidationRecord) GetHostname() string {\n\tif x != nil {\n\t\treturn x.Hostname\n\t}\n\treturn \"\"\n}\n\nfunc (x *ValidationRecord) GetPort() string {\n\tif x != nil {\n\t\treturn x.Port\n\t}\n\treturn \"\"\n}\n\nfunc (x *ValidationRecord) GetAddressesResolved() [][]byte {\n\tif x != nil {\n\t\treturn x.AddressesResolved\n\t}\n\treturn nil\n}\n\nfunc (x *ValidationRecord) GetAddressUsed() []byte {\n\tif x != nil {\n\t\treturn x.AddressUsed\n\t}\n\treturn nil\n}\n\nfunc (x *ValidationRecord) GetAuthorities() []string {\n\tif x != nil {\n\t\treturn x.Authorities\n\t}\n\treturn nil\n}\n\nfunc (x *ValidationRecord) GetUrl() string {\n\tif x != nil {\n\t\treturn x.Url\n\t}\n\treturn \"\"\n}\n\nfunc (x *ValidationRecord) GetAddressesTried() [][]byte {\n\tif x != nil {\n\t\treturn x.AddressesTried\n\t}\n\treturn nil\n}\n\nfunc (x 
*ValidationRecord) GetResolverAddrs() []string {\n\tif x != nil {\n\t\treturn x.ResolverAddrs\n\t}\n\treturn nil\n}\n\ntype ProblemDetails struct {\n\tstate         protoimpl.MessageState `protogen:\"open.v1\"`\n\tProblemType   string                 `protobuf:\"bytes,1,opt,name=problemType,proto3\" json:\"problemType,omitempty\"`\n\tDetail        string                 `protobuf:\"bytes,2,opt,name=detail,proto3\" json:\"detail,omitempty\"`\n\tHttpStatus    int32                  `protobuf:\"varint,3,opt,name=httpStatus,proto3\" json:\"httpStatus,omitempty\"`\n\tunknownFields protoimpl.UnknownFields\n\tsizeCache     protoimpl.SizeCache\n}\n\nfunc (x *ProblemDetails) Reset() {\n\t*x = ProblemDetails{}\n\tmi := &file_core_proto_msgTypes[3]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *ProblemDetails) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*ProblemDetails) ProtoMessage() {}\n\nfunc (x *ProblemDetails) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[3]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use ProblemDetails.ProtoReflect.Descriptor instead.\nfunc (*ProblemDetails) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{3}\n}\n\nfunc (x *ProblemDetails) GetProblemType() string {\n\tif x != nil {\n\t\treturn x.ProblemType\n\t}\n\treturn \"\"\n}\n\nfunc (x *ProblemDetails) GetDetail() string {\n\tif x != nil {\n\t\treturn x.Detail\n\t}\n\treturn \"\"\n}\n\nfunc (x *ProblemDetails) GetHttpStatus() int32 {\n\tif x != nil {\n\t\treturn x.HttpStatus\n\t}\n\treturn 0\n}\n\ntype Certificate struct {\n\tstate protoimpl.MessageState `protogen:\"open.v1\"`\n\t// Next unused field number: 9\n\tRegistrationID int64                  
`protobuf:\"varint,1,opt,name=registrationID,proto3\" json:\"registrationID,omitempty\"`\n\tSerial         string                 `protobuf:\"bytes,2,opt,name=serial,proto3\" json:\"serial,omitempty\"`\n\tDigest         string                 `protobuf:\"bytes,3,opt,name=digest,proto3\" json:\"digest,omitempty\"`\n\tDer            []byte                 `protobuf:\"bytes,4,opt,name=der,proto3\" json:\"der,omitempty\"`\n\tIssued         *timestamppb.Timestamp `protobuf:\"bytes,7,opt,name=issued,proto3\" json:\"issued,omitempty\"`\n\tExpires        *timestamppb.Timestamp `protobuf:\"bytes,8,opt,name=expires,proto3\" json:\"expires,omitempty\"`\n\tunknownFields  protoimpl.UnknownFields\n\tsizeCache      protoimpl.SizeCache\n}\n\nfunc (x *Certificate) Reset() {\n\t*x = Certificate{}\n\tmi := &file_core_proto_msgTypes[4]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *Certificate) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*Certificate) ProtoMessage() {}\n\nfunc (x *Certificate) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[4]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use Certificate.ProtoReflect.Descriptor instead.\nfunc (*Certificate) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{4}\n}\n\nfunc (x *Certificate) GetRegistrationID() int64 {\n\tif x != nil {\n\t\treturn x.RegistrationID\n\t}\n\treturn 0\n}\n\nfunc (x *Certificate) GetSerial() string {\n\tif x != nil {\n\t\treturn x.Serial\n\t}\n\treturn \"\"\n}\n\nfunc (x *Certificate) GetDigest() string {\n\tif x != nil {\n\t\treturn x.Digest\n\t}\n\treturn \"\"\n}\n\nfunc (x *Certificate) GetDer() []byte {\n\tif x != nil {\n\t\treturn x.Der\n\t}\n\treturn nil\n}\n\nfunc (x *Certificate) GetIssued() 
*timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.Issued\n\t}\n\treturn nil\n}\n\nfunc (x *Certificate) GetExpires() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.Expires\n\t}\n\treturn nil\n}\n\ntype CertificateStatus struct {\n\tstate protoimpl.MessageState `protogen:\"open.v1\"`\n\t// Next unused field number: 16\n\tSerial                string                 `protobuf:\"bytes,1,opt,name=serial,proto3\" json:\"serial,omitempty\"`\n\tStatus                string                 `protobuf:\"bytes,3,opt,name=status,proto3\" json:\"status,omitempty\"`\n\tOcspLastUpdated       *timestamppb.Timestamp `protobuf:\"bytes,15,opt,name=ocspLastUpdated,proto3\" json:\"ocspLastUpdated,omitempty\"`\n\tRevokedDate           *timestamppb.Timestamp `protobuf:\"bytes,12,opt,name=revokedDate,proto3\" json:\"revokedDate,omitempty\"`\n\tRevokedReason         int64                  `protobuf:\"varint,6,opt,name=revokedReason,proto3\" json:\"revokedReason,omitempty\"`\n\tLastExpirationNagSent *timestamppb.Timestamp `protobuf:\"bytes,13,opt,name=lastExpirationNagSent,proto3\" json:\"lastExpirationNagSent,omitempty\"`\n\tNotAfter              *timestamppb.Timestamp `protobuf:\"bytes,14,opt,name=notAfter,proto3\" json:\"notAfter,omitempty\"`\n\tIsExpired             bool                   `protobuf:\"varint,10,opt,name=isExpired,proto3\" json:\"isExpired,omitempty\"`\n\tIssuerID              int64                  `protobuf:\"varint,11,opt,name=issuerID,proto3\" json:\"issuerID,omitempty\"`\n\tunknownFields         protoimpl.UnknownFields\n\tsizeCache             protoimpl.SizeCache\n}\n\nfunc (x *CertificateStatus) Reset() {\n\t*x = CertificateStatus{}\n\tmi := &file_core_proto_msgTypes[5]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *CertificateStatus) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*CertificateStatus) ProtoMessage() {}\n\nfunc (x *CertificateStatus) ProtoReflect() 
protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[5]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use CertificateStatus.ProtoReflect.Descriptor instead.\nfunc (*CertificateStatus) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{5}\n}\n\nfunc (x *CertificateStatus) GetSerial() string {\n\tif x != nil {\n\t\treturn x.Serial\n\t}\n\treturn \"\"\n}\n\nfunc (x *CertificateStatus) GetStatus() string {\n\tif x != nil {\n\t\treturn x.Status\n\t}\n\treturn \"\"\n}\n\nfunc (x *CertificateStatus) GetOcspLastUpdated() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.OcspLastUpdated\n\t}\n\treturn nil\n}\n\nfunc (x *CertificateStatus) GetRevokedDate() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.RevokedDate\n\t}\n\treturn nil\n}\n\nfunc (x *CertificateStatus) GetRevokedReason() int64 {\n\tif x != nil {\n\t\treturn x.RevokedReason\n\t}\n\treturn 0\n}\n\nfunc (x *CertificateStatus) GetLastExpirationNagSent() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.LastExpirationNagSent\n\t}\n\treturn nil\n}\n\nfunc (x *CertificateStatus) GetNotAfter() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.NotAfter\n\t}\n\treturn nil\n}\n\nfunc (x *CertificateStatus) GetIsExpired() bool {\n\tif x != nil {\n\t\treturn x.IsExpired\n\t}\n\treturn false\n}\n\nfunc (x *CertificateStatus) GetIssuerID() int64 {\n\tif x != nil {\n\t\treturn x.IssuerID\n\t}\n\treturn 0\n}\n\ntype Registration struct {\n\tstate protoimpl.MessageState `protogen:\"open.v1\"`\n\t// Next unused field number: 10\n\tId            int64                  `protobuf:\"varint,1,opt,name=id,proto3\" json:\"id,omitempty\"`\n\tKey           []byte                 `protobuf:\"bytes,2,opt,name=key,proto3\" json:\"key,omitempty\"`\n\tAgreement     string                 
`protobuf:\"bytes,5,opt,name=agreement,proto3\" json:\"agreement,omitempty\"`\n\tCreatedAt     *timestamppb.Timestamp `protobuf:\"bytes,9,opt,name=createdAt,proto3\" json:\"createdAt,omitempty\"`\n\tStatus        string                 `protobuf:\"bytes,8,opt,name=status,proto3\" json:\"status,omitempty\"`\n\tunknownFields protoimpl.UnknownFields\n\tsizeCache     protoimpl.SizeCache\n}\n\nfunc (x *Registration) Reset() {\n\t*x = Registration{}\n\tmi := &file_core_proto_msgTypes[6]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *Registration) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*Registration) ProtoMessage() {}\n\nfunc (x *Registration) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[6]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use Registration.ProtoReflect.Descriptor instead.\nfunc (*Registration) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{6}\n}\n\nfunc (x *Registration) GetId() int64 {\n\tif x != nil {\n\t\treturn x.Id\n\t}\n\treturn 0\n}\n\nfunc (x *Registration) GetKey() []byte {\n\tif x != nil {\n\t\treturn x.Key\n\t}\n\treturn nil\n}\n\nfunc (x *Registration) GetAgreement() string {\n\tif x != nil {\n\t\treturn x.Agreement\n\t}\n\treturn \"\"\n}\n\nfunc (x *Registration) GetCreatedAt() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.CreatedAt\n\t}\n\treturn nil\n}\n\nfunc (x *Registration) GetStatus() string {\n\tif x != nil {\n\t\treturn x.Status\n\t}\n\treturn \"\"\n}\n\ntype Authorization struct {\n\tstate                  protoimpl.MessageState `protogen:\"open.v1\"`\n\tId                     string                 `protobuf:\"bytes,1,opt,name=id,proto3\" json:\"id,omitempty\"`\n\tRegistrationID         int64                  
`protobuf:\"varint,3,opt,name=registrationID,proto3\" json:\"registrationID,omitempty\"`\n\tIdentifier             *Identifier            `protobuf:\"bytes,11,opt,name=identifier,proto3\" json:\"identifier,omitempty\"`\n\tStatus                 string                 `protobuf:\"bytes,4,opt,name=status,proto3\" json:\"status,omitempty\"`\n\tExpires                *timestamppb.Timestamp `protobuf:\"bytes,9,opt,name=expires,proto3\" json:\"expires,omitempty\"`\n\tChallenges             []*Challenge           `protobuf:\"bytes,6,rep,name=challenges,proto3\" json:\"challenges,omitempty\"`\n\tCertificateProfileName string                 `protobuf:\"bytes,10,opt,name=certificateProfileName,proto3\" json:\"certificateProfileName,omitempty\"`\n\tunknownFields          protoimpl.UnknownFields\n\tsizeCache              protoimpl.SizeCache\n}\n\nfunc (x *Authorization) Reset() {\n\t*x = Authorization{}\n\tmi := &file_core_proto_msgTypes[7]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *Authorization) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*Authorization) ProtoMessage() {}\n\nfunc (x *Authorization) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[7]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use Authorization.ProtoReflect.Descriptor instead.\nfunc (*Authorization) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{7}\n}\n\nfunc (x *Authorization) GetId() string {\n\tif x != nil {\n\t\treturn x.Id\n\t}\n\treturn \"\"\n}\n\nfunc (x *Authorization) GetRegistrationID() int64 {\n\tif x != nil {\n\t\treturn x.RegistrationID\n\t}\n\treturn 0\n}\n\nfunc (x *Authorization) GetIdentifier() *Identifier {\n\tif x != nil {\n\t\treturn x.Identifier\n\t}\n\treturn nil\n}\n\nfunc (x 
*Authorization) GetStatus() string {\n\tif x != nil {\n\t\treturn x.Status\n\t}\n\treturn \"\"\n}\n\nfunc (x *Authorization) GetExpires() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.Expires\n\t}\n\treturn nil\n}\n\nfunc (x *Authorization) GetChallenges() []*Challenge {\n\tif x != nil {\n\t\treturn x.Challenges\n\t}\n\treturn nil\n}\n\nfunc (x *Authorization) GetCertificateProfileName() string {\n\tif x != nil {\n\t\treturn x.CertificateProfileName\n\t}\n\treturn \"\"\n}\n\ntype Order struct {\n\tstate          protoimpl.MessageState `protogen:\"open.v1\"`\n\tId             int64                  `protobuf:\"varint,1,opt,name=id,proto3\" json:\"id,omitempty\"`\n\tRegistrationID int64                  `protobuf:\"varint,2,opt,name=registrationID,proto3\" json:\"registrationID,omitempty\"`\n\t// Fields specified by RFC 8555, Section 7.1.3\n\t// Note that we do not respect notBefore and notAfter, and we infer the\n\t// finalize and certificate URLs from the id and certificateSerial fields.\n\tStatus            string                 `protobuf:\"bytes,7,opt,name=status,proto3\" json:\"status,omitempty\"`\n\tExpires           *timestamppb.Timestamp `protobuf:\"bytes,12,opt,name=expires,proto3\" json:\"expires,omitempty\"`\n\tIdentifiers       []*Identifier          `protobuf:\"bytes,16,rep,name=identifiers,proto3\" json:\"identifiers,omitempty\"`\n\tError             *ProblemDetails        `protobuf:\"bytes,4,opt,name=error,proto3\" json:\"error,omitempty\"`\n\tV2Authorizations  []int64                `protobuf:\"varint,11,rep,packed,name=v2Authorizations,proto3\" json:\"v2Authorizations,omitempty\"`\n\tCertificateSerial string                 `protobuf:\"bytes,5,opt,name=certificateSerial,proto3\" json:\"certificateSerial,omitempty\"`\n\t// Additional fields for our own record-keeping.\n\tCreated                *timestamppb.Timestamp `protobuf:\"bytes,13,opt,name=created,proto3\" json:\"created,omitempty\"`\n\tCertificateProfileName string                 
`protobuf:\"bytes,14,opt,name=certificateProfileName,proto3\" json:\"certificateProfileName,omitempty\"`\n\tReplaces               string                 `protobuf:\"bytes,15,opt,name=replaces,proto3\" json:\"replaces,omitempty\"`\n\tBeganProcessing        bool                   `protobuf:\"varint,9,opt,name=beganProcessing,proto3\" json:\"beganProcessing,omitempty\"`\n\tunknownFields          protoimpl.UnknownFields\n\tsizeCache              protoimpl.SizeCache\n}\n\nfunc (x *Order) Reset() {\n\t*x = Order{}\n\tmi := &file_core_proto_msgTypes[8]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *Order) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*Order) ProtoMessage() {}\n\nfunc (x *Order) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[8]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use Order.ProtoReflect.Descriptor instead.\nfunc (*Order) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{8}\n}\n\nfunc (x *Order) GetId() int64 {\n\tif x != nil {\n\t\treturn x.Id\n\t}\n\treturn 0\n}\n\nfunc (x *Order) GetRegistrationID() int64 {\n\tif x != nil {\n\t\treturn x.RegistrationID\n\t}\n\treturn 0\n}\n\nfunc (x *Order) GetStatus() string {\n\tif x != nil {\n\t\treturn x.Status\n\t}\n\treturn \"\"\n}\n\nfunc (x *Order) GetExpires() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.Expires\n\t}\n\treturn nil\n}\n\nfunc (x *Order) GetIdentifiers() []*Identifier {\n\tif x != nil {\n\t\treturn x.Identifiers\n\t}\n\treturn nil\n}\n\nfunc (x *Order) GetError() *ProblemDetails {\n\tif x != nil {\n\t\treturn x.Error\n\t}\n\treturn nil\n}\n\nfunc (x *Order) GetV2Authorizations() []int64 {\n\tif x != nil {\n\t\treturn x.V2Authorizations\n\t}\n\treturn nil\n}\n\nfunc (x *Order) 
GetCertificateSerial() string {\n\tif x != nil {\n\t\treturn x.CertificateSerial\n\t}\n\treturn \"\"\n}\n\nfunc (x *Order) GetCreated() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.Created\n\t}\n\treturn nil\n}\n\nfunc (x *Order) GetCertificateProfileName() string {\n\tif x != nil {\n\t\treturn x.CertificateProfileName\n\t}\n\treturn \"\"\n}\n\nfunc (x *Order) GetReplaces() string {\n\tif x != nil {\n\t\treturn x.Replaces\n\t}\n\treturn \"\"\n}\n\nfunc (x *Order) GetBeganProcessing() bool {\n\tif x != nil {\n\t\treturn x.BeganProcessing\n\t}\n\treturn false\n}\n\ntype CRLEntry struct {\n\tstate protoimpl.MessageState `protogen:\"open.v1\"`\n\t// Next unused field number: 5\n\tSerial        string                 `protobuf:\"bytes,1,opt,name=serial,proto3\" json:\"serial,omitempty\"`\n\tReason        int32                  `protobuf:\"varint,2,opt,name=reason,proto3\" json:\"reason,omitempty\"`\n\tRevokedAt     *timestamppb.Timestamp `protobuf:\"bytes,4,opt,name=revokedAt,proto3\" json:\"revokedAt,omitempty\"`\n\tunknownFields protoimpl.UnknownFields\n\tsizeCache     protoimpl.SizeCache\n}\n\nfunc (x *CRLEntry) Reset() {\n\t*x = CRLEntry{}\n\tmi := &file_core_proto_msgTypes[9]\n\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\tms.StoreMessageInfo(mi)\n}\n\nfunc (x *CRLEntry) String() string {\n\treturn protoimpl.X.MessageStringOf(x)\n}\n\nfunc (*CRLEntry) ProtoMessage() {}\n\nfunc (x *CRLEntry) ProtoReflect() protoreflect.Message {\n\tmi := &file_core_proto_msgTypes[9]\n\tif x != nil {\n\t\tms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))\n\t\tif ms.LoadMessageInfo() == nil {\n\t\t\tms.StoreMessageInfo(mi)\n\t\t}\n\t\treturn ms\n\t}\n\treturn mi.MessageOf(x)\n}\n\n// Deprecated: Use CRLEntry.ProtoReflect.Descriptor instead.\nfunc (*CRLEntry) Descriptor() ([]byte, []int) {\n\treturn file_core_proto_rawDescGZIP(), []int{9}\n}\n\nfunc (x *CRLEntry) GetSerial() string {\n\tif x != nil {\n\t\treturn x.Serial\n\t}\n\treturn \"\"\n}\n\nfunc (x 
*CRLEntry) GetReason() int32 {\n\tif x != nil {\n\t\treturn x.Reason\n\t}\n\treturn 0\n}\n\nfunc (x *CRLEntry) GetRevokedAt() *timestamppb.Timestamp {\n\tif x != nil {\n\t\treturn x.RevokedAt\n\t}\n\treturn nil\n}\n\nvar File_core_proto protoreflect.FileDescriptor\n\nvar file_core_proto_rawDesc = string([]byte{\n\t0x0a, 0x0a, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x63, 0x6f,\n\t0x72, 0x65, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,\n\t0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72,\n\t0x6f, 0x74, 0x6f, 0x22, 0x36, 0x0a, 0x0a, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65,\n\t0x72, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,\n\t0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,\n\t0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xb3, 0x02, 0x0a, 0x09,\n\t0x43, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18,\n\t0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70,\n\t0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a,\n\t0x03, 0x75, 0x72, 0x6c, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12,\n\t0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52,\n\t0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x38, 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64,\n\t0x61, 0x74, 0x65, 0x64, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f,\n\t0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d,\n\t0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65,\n\t0x64, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x07, 0x20, 0x01, 0x28, 
0x0b,\n\t0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x44,\n\t0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x14, 0x0a,\n\t0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f,\n\t0x6b, 0x65, 0x6e, 0x12, 0x44, 0x0a, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f,\n\t0x6e, 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16,\n\t0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e,\n\t0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x52, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69,\n\t0x6f, 0x6e, 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a,\n\t0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x4a, 0x04, 0x08, 0x0b, 0x10,\n\t0x0c, 0x22, 0x94, 0x02, 0x0a, 0x10, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e,\n\t0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61,\n\t0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61,\n\t0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,\n\t0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73,\n\t0x73, 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x18, 0x03, 0x20, 0x03, 0x28,\n\t0x0c, 0x52, 0x11, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f,\n\t0x6c, 0x76, 0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x55,\n\t0x73, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x61, 0x64, 0x64, 0x72, 0x65,\n\t0x73, 0x73, 0x55, 0x73, 0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,\n\t0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x75, 0x74,\n\t0x68, 
0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18,\n\t0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x26, 0x0a, 0x0e, 0x61, 0x64,\n\t0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x54, 0x72, 0x69, 0x65, 0x64, 0x18, 0x07, 0x20, 0x03,\n\t0x28, 0x0c, 0x52, 0x0e, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x54, 0x72, 0x69,\n\t0x65, 0x64, 0x12, 0x24, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x41, 0x64,\n\t0x64, 0x72, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x72, 0x65, 0x73, 0x6f, 0x6c,\n\t0x76, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x73, 0x22, 0x6a, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x62,\n\t0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x20, 0x0a, 0x0b, 0x70, 0x72,\n\t0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,\n\t0x0b, 0x70, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06,\n\t0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x65,\n\t0x74, 0x61, 0x69, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x53, 0x74, 0x61, 0x74,\n\t0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x53, 0x74,\n\t0x61, 0x74, 0x75, 0x73, 0x22, 0xed, 0x01, 0x0a, 0x0b, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,\n\t0x63, 0x61, 0x74, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61,\n\t0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65,\n\t0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06,\n\t0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65,\n\t0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x03,\n\t0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03,\n\t0x64, 0x65, 0x72, 0x18, 
0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x64, 0x65, 0x72, 0x12, 0x32,\n\t0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,\n\t0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,\n\t0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75,\n\t0x65, 0x64, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x08, 0x20,\n\t0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,\n\t0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52,\n\t0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04,\n\t0x08, 0x06, 0x10, 0x07, 0x22, 0xd5, 0x03, 0x0a, 0x11, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,\n\t0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65,\n\t0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69,\n\t0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01,\n\t0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x44, 0x0a, 0x0f, 0x6f, 0x63,\n\t0x73, 0x70, 0x4c, 0x61, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x18, 0x0f, 0x20,\n\t0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,\n\t0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52,\n\t0x0f, 0x6f, 0x63, 0x73, 0x70, 0x4c, 0x61, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,\n\t0x12, 0x3c, 0x0a, 0x0b, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x18,\n\t0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,\n\t0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d,\n\t0x70, 0x52, 0x0b, 0x72, 0x65, 0x76, 0x6f, 
0x6b, 0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x12, 0x24,\n\t0x0a, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18,\n\t0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x52, 0x65,\n\t0x61, 0x73, 0x6f, 0x6e, 0x12, 0x50, 0x0a, 0x15, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x78, 0x70, 0x69,\n\t0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x67, 0x53, 0x65, 0x6e, 0x74, 0x18, 0x0d, 0x20,\n\t0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,\n\t0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52,\n\t0x15, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4e,\n\t0x61, 0x67, 0x53, 0x65, 0x6e, 0x74, 0x12, 0x36, 0x0a, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74,\n\t0x65, 0x72, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,\n\t0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,\n\t0x74, 0x61, 0x6d, 0x70, 0x52, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x1c,\n\t0x0a, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28,\n\t0x08, 0x52, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x12, 0x1a, 0x0a, 0x08,\n\t0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08,\n\t0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04,\n\t0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08,\n\t0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x4a, 0x04, 0x08, 0x09, 0x10, 0x0a, 0x22, 0xb8, 0x01, 0x0a,\n\t0x0c, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a,\n\t0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x10, 0x0a,\n\t0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 
0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,\n\t0x1c, 0x0a, 0x09, 0x61, 0x67, 0x72, 0x65, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01,\n\t0x28, 0x09, 0x52, 0x09, 0x61, 0x67, 0x72, 0x65, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x38, 0x0a,\n\t0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b,\n\t0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,\n\t0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72,\n\t0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75,\n\t0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x4a,\n\t0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x06, 0x10,\n\t0x07, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x22, 0xc8, 0x02, 0x0a, 0x0d, 0x41, 0x75, 0x74, 0x68,\n\t0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18,\n\t0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67,\n\t0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x03, 0x20, 0x01, 0x28,\n\t0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49,\n\t0x44, 0x12, 0x30, 0x0a, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x18,\n\t0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x49, 0x64, 0x65,\n\t0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x52, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66,\n\t0x69, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, 0x20,\n\t0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x65,\n\t0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,\n\t0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 
0x66, 0x2e, 0x54,\n\t0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65,\n\t0x73, 0x12, 0x2f, 0x0a, 0x0a, 0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x73, 0x18,\n\t0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x68, 0x61,\n\t0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x52, 0x0a, 0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67,\n\t0x65, 0x73, 0x12, 0x36, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,\n\t0x65, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x0a, 0x20, 0x01,\n\t0x28, 0x09, 0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x50,\n\t0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06,\n\t0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x4a, 0x04, 0x08, 0x02,\n\t0x10, 0x03, 0x22, 0x93, 0x04, 0x0a, 0x05, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02,\n\t0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0e,\n\t0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x02,\n\t0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69,\n\t0x6f, 0x6e, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x07,\n\t0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x34, 0x0a, 0x07,\n\t0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,\n\t0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,\n\t0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72,\n\t0x65, 0x73, 0x12, 0x32, 0x0a, 0x0b, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72,\n\t0x73, 0x18, 0x10, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 
0x49,\n\t0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x52, 0x0b, 0x69, 0x64, 0x65, 0x6e, 0x74,\n\t0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18,\n\t0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f,\n\t0x62, 0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, 0x72, 0x72,\n\t0x6f, 0x72, 0x12, 0x2a, 0x0a, 0x10, 0x76, 0x32, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,\n\t0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x03, 0x52, 0x10, 0x76, 0x32,\n\t0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x2c,\n\t0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72,\n\t0x69, 0x61, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69,\n\t0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x34, 0x0a, 0x07,\n\t0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,\n\t0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,\n\t0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74,\n\t0x65, 0x64, 0x12, 0x36, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,\n\t0x65, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x0e, 0x20, 0x01,\n\t0x28, 0x09, 0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x50,\n\t0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65,\n\t0x70, 0x6c, 0x61, 0x63, 0x65, 0x73, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65,\n\t0x70, 0x6c, 0x61, 0x63, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x62, 0x65, 0x67, 0x61, 0x6e, 0x50,\n\t0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52,\n\t0x0f, 
0x62, 0x65, 0x67, 0x61, 0x6e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67,\n\t0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x4a, 0x04, 0x08, 0x0a,\n\t0x10, 0x0b, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x22, 0x7a, 0x0a, 0x08, 0x43, 0x52, 0x4c, 0x45,\n\t0x6e, 0x74, 0x72, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01,\n\t0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06,\n\t0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x72, 0x65,\n\t0x61, 0x73, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41,\n\t0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,\n\t0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74,\n\t0x61, 0x6d, 0x70, 0x52, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x4a, 0x04,\n\t0x08, 0x03, 0x10, 0x04, 0x42, 0x2b, 0x5a, 0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,\n\t0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62,\n\t0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,\n\t0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,\n})\n\nvar (\n\tfile_core_proto_rawDescOnce sync.Once\n\tfile_core_proto_rawDescData []byte\n)\n\nfunc file_core_proto_rawDescGZIP() []byte {\n\tfile_core_proto_rawDescOnce.Do(func() {\n\t\tfile_core_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_core_proto_rawDesc), len(file_core_proto_rawDesc)))\n\t})\n\treturn file_core_proto_rawDescData\n}\n\nvar file_core_proto_msgTypes = make([]protoimpl.MessageInfo, 10)\nvar file_core_proto_goTypes = []any{\n\t(*Identifier)(nil),            // 0: core.Identifier\n\t(*Challenge)(nil),             // 1: core.Challenge\n\t(*ValidationRecord)(nil),      // 2: 
core.ValidationRecord\n\t(*ProblemDetails)(nil),        // 3: core.ProblemDetails\n\t(*Certificate)(nil),           // 4: core.Certificate\n\t(*CertificateStatus)(nil),     // 5: core.CertificateStatus\n\t(*Registration)(nil),          // 6: core.Registration\n\t(*Authorization)(nil),         // 7: core.Authorization\n\t(*Order)(nil),                 // 8: core.Order\n\t(*CRLEntry)(nil),              // 9: core.CRLEntry\n\t(*timestamppb.Timestamp)(nil), // 10: google.protobuf.Timestamp\n}\nvar file_core_proto_depIdxs = []int32{\n\t10, // 0: core.Challenge.validated:type_name -> google.protobuf.Timestamp\n\t3,  // 1: core.Challenge.error:type_name -> core.ProblemDetails\n\t2,  // 2: core.Challenge.validationrecords:type_name -> core.ValidationRecord\n\t10, // 3: core.Certificate.issued:type_name -> google.protobuf.Timestamp\n\t10, // 4: core.Certificate.expires:type_name -> google.protobuf.Timestamp\n\t10, // 5: core.CertificateStatus.ocspLastUpdated:type_name -> google.protobuf.Timestamp\n\t10, // 6: core.CertificateStatus.revokedDate:type_name -> google.protobuf.Timestamp\n\t10, // 7: core.CertificateStatus.lastExpirationNagSent:type_name -> google.protobuf.Timestamp\n\t10, // 8: core.CertificateStatus.notAfter:type_name -> google.protobuf.Timestamp\n\t10, // 9: core.Registration.createdAt:type_name -> google.protobuf.Timestamp\n\t0,  // 10: core.Authorization.identifier:type_name -> core.Identifier\n\t10, // 11: core.Authorization.expires:type_name -> google.protobuf.Timestamp\n\t1,  // 12: core.Authorization.challenges:type_name -> core.Challenge\n\t10, // 13: core.Order.expires:type_name -> google.protobuf.Timestamp\n\t0,  // 14: core.Order.identifiers:type_name -> core.Identifier\n\t3,  // 15: core.Order.error:type_name -> core.ProblemDetails\n\t10, // 16: core.Order.created:type_name -> google.protobuf.Timestamp\n\t10, // 17: core.CRLEntry.revokedAt:type_name -> google.protobuf.Timestamp\n\t18, // [18:18] is the sub-list for method output_type\n\t18, // 
[18:18] is the sub-list for method input_type\n\t18, // [18:18] is the sub-list for extension type_name\n\t18, // [18:18] is the sub-list for extension extendee\n\t0,  // [0:18] is the sub-list for field type_name\n}\n\nfunc init() { file_core_proto_init() }\nfunc file_core_proto_init() {\n\tif File_core_proto != nil {\n\t\treturn\n\t}\n\ttype x struct{}\n\tout := protoimpl.TypeBuilder{\n\t\tFile: protoimpl.DescBuilder{\n\t\t\tGoPackagePath: reflect.TypeOf(x{}).PkgPath(),\n\t\t\tRawDescriptor: unsafe.Slice(unsafe.StringData(file_core_proto_rawDesc), len(file_core_proto_rawDesc)),\n\t\t\tNumEnums:      0,\n\t\t\tNumMessages:   10,\n\t\t\tNumExtensions: 0,\n\t\t\tNumServices:   0,\n\t\t},\n\t\tGoTypes:           file_core_proto_goTypes,\n\t\tDependencyIndexes: file_core_proto_depIdxs,\n\t\tMessageInfos:      file_core_proto_msgTypes,\n\t}.Build()\n\tFile_core_proto = out.File\n\tfile_core_proto_goTypes = nil\n\tfile_core_proto_depIdxs = nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/core/proto/core.proto",
    "content": "syntax = \"proto3\";\n\npackage core;\noption go_package = \"github.com/letsencrypt/boulder/core/proto\";\n\nimport \"google/protobuf/timestamp.proto\";\n\nmessage Identifier {\n  string type = 1;\n  string value = 2;\n}\n\nmessage Challenge {\n  // Next unused field number: 13\n  reserved 4, 5, 8, 11;\n  int64 id = 1;\n  // Fields specified by RFC 8555, Section 8.\n  string type = 2;\n  string url = 9;\n  string status = 6;\n  google.protobuf.Timestamp validated = 12;\n  ProblemDetails error = 7;\n  // Fields specified by individual validation methods.\n  string token = 3;\n  // Additional fields for our own record keeping.\n  repeated ValidationRecord validationrecords = 10;\n}\n\nmessage ValidationRecord {\n  // Next unused field number: 9\n  string hostname = 1;\n  string port = 2;\n  repeated bytes addressesResolved = 3; // netip.Addr.MarshalText()\n  bytes addressUsed = 4; // netip.Addr.MarshalText()\n\n  repeated string authorities = 5;\n  string url = 6;\n  // A list of addresses tried before the address used (see\n  // core/objects.go and the comment on the ValidationRecord structure\n  // definition for more information.\n  repeated bytes addressesTried = 7; // netip.Addr.MarshalText()\n  repeated string resolverAddrs = 8;\n}\n\nmessage ProblemDetails {\n  string problemType = 1;\n  string detail = 2;\n  int32 httpStatus = 3;\n}\n\nmessage Certificate {\n  // Next unused field number: 9\n  int64 registrationID = 1;\n  string serial = 2;\n  string digest = 3;\n  bytes der = 4;\n  reserved 5;  // Previously issuedNS\n  google.protobuf.Timestamp issued = 7;\n  reserved 6; // Previously expiresNS\n  google.protobuf.Timestamp expires = 8;\n}\n\nmessage CertificateStatus {\n  // Next unused field number: 16\n  string serial = 1;\n  reserved 2; // previously subscriberApproved\n  string status = 3;\n  reserved 4; // Previously ocspLastUpdatedNS\n  google.protobuf.Timestamp ocspLastUpdated = 15;\n  reserved 5; // Previously revokedDateNS\n  
google.protobuf.Timestamp revokedDate = 12;\n  int64 revokedReason = 6;\n  reserved 7; // Previously lastExpirationNagSentNS\n  reserved 8; // previously ocspResponse\n  google.protobuf.Timestamp lastExpirationNagSent = 13;\n  reserved 9; // Previously notAfterNS\n  google.protobuf.Timestamp notAfter = 14;\n  bool isExpired = 10;\n  int64 issuerID = 11;\n}\n\nmessage Registration {\n  // Next unused field number: 10\n  int64 id = 1;\n  bytes key = 2;\n  reserved 3; // Previously contact\n  reserved 4; // Previously contactsPresent\n  string agreement = 5;\n  reserved 6; // Previously initialIP\n  reserved 7; // Previously createdAtNS\n  google.protobuf.Timestamp createdAt = 9;\n  string status = 8;\n}\n\nmessage Authorization {\n  // Next unused field number: 12\n  reserved 5, 7, 8;\n  string id = 1;\n  int64 registrationID = 3;\n  // Fields specified by RFC 8555, Section 7.1.4\n  reserved 2; // Previously dnsName\n  Identifier identifier = 11;\n  string status = 4;\n  google.protobuf.Timestamp expires = 9;\n  repeated core.Challenge challenges = 6;\n  string certificateProfileName = 10;\n  // We do not directly represent the \"wildcard\" field, instead inferring it\n  // from the identifier value.\n}\n\nmessage Order {\n  // Next unused field number: 17\n  reserved 3, 6, 10;\n  int64 id = 1;\n  int64 registrationID = 2;\n  // Fields specified by RFC 8555, Section 7.1.3\n  // Note that we do not respect notBefore and notAfter, and we infer the\n  // finalize and certificate URLs from the id and certificateSerial fields.\n  string status = 7;\n  google.protobuf.Timestamp expires = 12;\n  reserved 8; // Previously dnsNames\n  repeated Identifier identifiers = 16;\n  ProblemDetails error = 4;\n  repeated int64 v2Authorizations = 11;\n  string certificateSerial = 5;\n  // Additional fields for our own record-keeping.\n  google.protobuf.Timestamp created = 13;\n  string certificateProfileName = 14;\n  string replaces = 15;\n  bool beganProcessing = 9;\n}\n\nmessage 
CRLEntry {\n  // Next unused field number: 5\n  string serial = 1;\n  int32 reason = 2;\n  reserved 3; // Previously revokedAtNS\n  google.protobuf.Timestamp revokedAt = 4;\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/core/util.go",
    "content": "package core\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/sha256\"\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"encoding/hex\"\n\t\"encoding/pem\"\n\t\"errors\"\n\t\"expvar\"\n\t\"fmt\"\n\t\"io\"\n\t\"math/big\"\n\tmrand \"math/rand/v2\"\n\t\"os\"\n\t\"path\"\n\t\"reflect\"\n\t\"regexp\"\n\t\"sort\"\n\t\"strings\"\n\t\"time\"\n\t\"unicode\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"google.golang.org/grpc/codes\"\n\t\"google.golang.org/grpc/status\"\n\t\"google.golang.org/protobuf/types/known/durationpb\"\n\t\"google.golang.org/protobuf/types/known/timestamppb\"\n\n\t\"github.com/letsencrypt/boulder/identifier\"\n)\n\nconst Unspecified = \"Unspecified\"\n\n// Package Variables Variables\n\n// BuildID is set by the compiler (using -ldflags \"-X core.BuildID $(git rev-parse --short HEAD)\")\n// and is used by GetBuildID\nvar BuildID string\n\n// BuildHost is set by the compiler and is used by GetBuildHost\nvar BuildHost string\n\n// BuildTime is set by the compiler and is used by GetBuildTime\nvar BuildTime string\n\nfunc init() {\n\texpvar.NewString(\"BuildID\").Set(BuildID)\n\texpvar.NewString(\"BuildTime\").Set(BuildTime)\n}\n\n// Random stuff\n\ntype randSource interface {\n\tRead(p []byte) (n int, err error)\n}\n\n// RandReader is used so that it can be replaced in tests that require\n// deterministic output\nvar RandReader randSource = rand.Reader\n\n// RandomString returns a randomly generated string of the requested length.\nfunc RandomString(byteLength int) string {\n\tb := make([]byte, byteLength)\n\t_, err := io.ReadFull(RandReader, b)\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"Error reading random bytes: %s\", err))\n\t}\n\treturn base64.RawURLEncoding.EncodeToString(b)\n}\n\n// NewToken produces a random string for Challenges, etc.\nfunc NewToken() string {\n\treturn RandomString(32)\n}\n\nvar tokenFormat = regexp.MustCompile(`^[\\w-]{43}$`)\n\n// looksLikeAToken checks 
whether a string represents a 32-octet value in\n// the URL-safe base64 alphabet.\nfunc looksLikeAToken(token string) bool {\n\treturn tokenFormat.MatchString(token)\n}\n\n// Fingerprints\n\n// Fingerprint256 produces an unpadded, URL-safe Base64-encoded SHA256 digest\n// of the data.\nfunc Fingerprint256(data []byte) string {\n\td := sha256.New()\n\t_, _ = d.Write(data) // Never returns an error\n\treturn base64.RawURLEncoding.EncodeToString(d.Sum(nil))\n}\n\ntype Sha256Digest [sha256.Size]byte\n\n// KeyDigest produces the SHA256 digest of a provided public key.\nfunc KeyDigest(key crypto.PublicKey) (Sha256Digest, error) {\n\tswitch t := key.(type) {\n\tcase *jose.JSONWebKey:\n\t\tif t == nil {\n\t\t\treturn Sha256Digest{}, errors.New(\"cannot compute digest of nil key\")\n\t\t}\n\t\treturn KeyDigest(t.Key)\n\tcase jose.JSONWebKey:\n\t\treturn KeyDigest(t.Key)\n\tdefault:\n\t\tkeyDER, err := x509.MarshalPKIXPublicKey(key)\n\t\tif err != nil {\n\t\t\treturn Sha256Digest{}, err\n\t\t}\n\t\treturn sha256.Sum256(keyDER), nil\n\t}\n}\n\n// KeyDigestB64 produces a padded, standard Base64-encoded SHA256 digest of a\n// provided public key.\nfunc KeyDigestB64(key crypto.PublicKey) (string, error) {\n\tdigest, err := KeyDigest(key)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn base64.StdEncoding.EncodeToString(digest[:]), nil\n}\n\n// KeyDigestEquals determines whether two public keys have the same digest.\nfunc KeyDigestEquals(j, k crypto.PublicKey) bool {\n\tdigestJ, errJ := KeyDigestB64(j)\n\tdigestK, errK := KeyDigestB64(k)\n\t// Keys that don't have a valid digest (due to marshalling problems)\n\t// are never equal. So, e.g. 
nil keys are not equal.\n\tif errJ != nil || errK != nil {\n\t\treturn false\n\t}\n\treturn digestJ == digestK\n}\n\n// PublicKeysEqual determines whether two public keys are identical.\nfunc PublicKeysEqual(a, b crypto.PublicKey) (bool, error) {\n\tswitch ak := a.(type) {\n\tcase *rsa.PublicKey:\n\t\treturn ak.Equal(b), nil\n\tcase *ecdsa.PublicKey:\n\t\treturn ak.Equal(b), nil\n\tdefault:\n\t\treturn false, fmt.Errorf(\"unsupported public key type %T\", ak)\n\t}\n}\n\n// SerialToString converts a certificate serial number (big.Int) to a String\n// consistently.\nfunc SerialToString(serial *big.Int) string {\n\treturn fmt.Sprintf(\"%036x\", serial)\n}\n\n// StringToSerial converts a string into a certificate serial number (big.Int)\n// consistently.\nfunc StringToSerial(serial string) (*big.Int, error) {\n\tvar serialNum big.Int\n\tif !ValidSerial(serial) {\n\t\treturn &serialNum, fmt.Errorf(\"invalid serial number %q\", serial)\n\t}\n\t_, err := fmt.Sscanf(serial, \"%036x\", &serialNum)\n\treturn &serialNum, err\n}\n\n// ValidSerial tests whether the input string represents a syntactically\n// valid serial number, i.e., that it is a valid hex string of exactly 32\n// or exactly 36 characters.\nfunc ValidSerial(serial string) bool {\n\t// Originally, serial numbers were 32 hex characters long. 
We later increased\n\t// them to 36, but we allow the shorter ones because they exist in some\n\t// production databases.\n\tif len(serial) != 32 && len(serial) != 36 {\n\t\treturn false\n\t}\n\t_, err := hex.DecodeString(serial)\n\treturn err == nil\n}\n\n// GetBuildID identifies what build is running.\nfunc GetBuildID() (retID string) {\n\tretID = BuildID\n\tif retID == \"\" {\n\t\tretID = Unspecified\n\t}\n\treturn\n}\n\n// GetBuildTime identifies when this build was made\nfunc GetBuildTime() (retID string) {\n\tretID = BuildTime\n\tif retID == \"\" {\n\t\tretID = Unspecified\n\t}\n\treturn\n}\n\n// GetBuildHost identifies the building host\nfunc GetBuildHost() (retID string) {\n\tretID = BuildHost\n\tif retID == \"\" {\n\t\tretID = Unspecified\n\t}\n\treturn\n}\n\n// IsAnyNilOrZero returns whether any of the supplied values are nil, or (if not)\n// if any of them is its type's zero-value. This is useful for validating that\n// all required fields on a proto message are present.\nfunc IsAnyNilOrZero(vals ...any) bool {\n\tfor _, val := range vals {\n\t\tswitch v := val.(type) {\n\t\tcase nil:\n\t\t\treturn true\n\t\tcase bool:\n\t\t\tif !v {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase string:\n\t\t\tif v == \"\" {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase []string:\n\t\t\tif len(v) == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase byte:\n\t\t\t// Byte is an alias for uint8 and will cover that case.\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase []byte:\n\t\t\tif len(v) == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase int:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase int8:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase int16:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase int32:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase int64:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase uint:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase uint16:\n\t\t\tif v == 0 {\n\t\t\t\treturn 
true\n\t\t\t}\n\t\tcase uint32:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase uint64:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase float32:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase float64:\n\t\t\tif v == 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase time.Time:\n\t\t\tif v.IsZero() {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase *timestamppb.Timestamp:\n\t\t\tif v == nil || v.AsTime().IsZero() {\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase *durationpb.Duration:\n\t\t\tif v == nil || v.AsDuration() == time.Duration(0) {\n\t\t\t\treturn true\n\t\t\t}\n\t\tdefault:\n\t\t\tif reflect.ValueOf(v).IsZero() {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// UniqueLowerNames returns the set of all unique names in the input after all\n// of them are lowercased. The returned names will be in their lowercased form\n// and sorted alphabetically.\nfunc UniqueLowerNames(names []string) (unique []string) {\n\tnameMap := make(map[string]int, len(names))\n\tfor _, name := range names {\n\t\tnameMap[strings.ToLower(name)] = 1\n\t}\n\n\tunique = make([]string, 0, len(nameMap))\n\tfor name := range nameMap {\n\t\tunique = append(unique, name)\n\t}\n\tsort.Strings(unique)\n\treturn\n}\n\n// HashIdentifiers returns a hash of the identifiers requested. 
This is intended\n// for use when interacting with the orderFqdnSets table and rate limiting.\nfunc HashIdentifiers(idents identifier.ACMEIdentifiers) []byte {\n\tvar values []string\n\tfor _, ident := range identifier.Normalize(idents) {\n\t\tvalues = append(values, ident.Value)\n\t}\n\n\thash := sha256.Sum256([]byte(strings.Join(values, \",\")))\n\treturn hash[:]\n}\n\n// LoadCert loads a PEM certificate specified by filename or returns an error\nfunc LoadCert(filename string) (*x509.Certificate, error) {\n\tcertPEM, err := os.ReadFile(filename)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tblock, _ := pem.Decode(certPEM)\n\tif block == nil {\n\t\treturn nil, fmt.Errorf(\"no data in cert PEM file %q\", filename)\n\t}\n\tcert, err := x509.ParseCertificate(block.Bytes)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn cert, nil\n}\n\n// retryJitter is used to prevent bunched retried queries from falling into lockstep\nconst retryJitter = 0.2\n\n// RetryBackoff calculates a backoff time based on number of retries, will always\n// add jitter so requests that start in unison won't fall into lockstep. Because of\n// this the returned duration can always be larger than the maximum by a factor of\n// retryJitter. 
Adapted from\n// https://github.com/grpc/grpc-go/blob/v1.11.3/backoff.go#L77-L96\nfunc RetryBackoff(retries int, base, max time.Duration, factor float64) time.Duration {\n\tif retries == 0 {\n\t\treturn 0\n\t}\n\tbackoff, fMax := float64(base), float64(max)\n\tfor backoff < fMax && retries > 1 {\n\t\tbackoff *= factor\n\t\tretries--\n\t}\n\tif backoff > fMax {\n\t\tbackoff = fMax\n\t}\n\t// Randomize backoff delays so that if a cluster of requests start at\n\t// the same time, they won't operate in lockstep.\n\tbackoff *= (1 - retryJitter) + 2*retryJitter*mrand.Float64()\n\treturn time.Duration(backoff)\n}\n\n// IsASCII determines if every character in a string is encoded in\n// the ASCII character set.\nfunc IsASCII(str string) bool {\n\tfor _, r := range str {\n\t\tif r > unicode.MaxASCII {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// IsCanceled returns true if err is non-nil and is either context.Canceled, or\n// has a grpc code of Canceled. This is useful because cancellations propagate\n// through gRPC boundaries, and if we choose to treat in-process cancellations a\n// certain way, we usually want to treat cross-process cancellations the same way.\nfunc IsCanceled(err error) bool {\n\treturn errors.Is(err, context.Canceled) || status.Code(err) == codes.Canceled\n}\n\nfunc Command() string {\n\treturn path.Base(os.Args[0])\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/goodkey/good_key.go",
    "content": "package goodkey\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rsa\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math/big\"\n\t\"sync\"\n\n\t\"github.com/letsencrypt/boulder/core\"\n\n\t\"github.com/titanous/rocacheck\"\n)\n\n// To generate, run: primes 2 752 | tr '\\n' ,\nvar smallPrimeInts = []int64{\n\t2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,\n\t53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107,\n\t109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167,\n\t173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229,\n\t233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283,\n\t293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359,\n\t367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431,\n\t433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491,\n\t499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571,\n\t577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641,\n\t643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709,\n\t719, 727, 733, 739, 743, 751,\n}\n\n// singleton defines the object of a Singleton pattern\nvar (\n\tsmallPrimesSingleton sync.Once\n\tsmallPrimesProduct   *big.Int\n)\n\ntype Config struct {\n\t// AllowedKeys enables or disables specific key algorithms and sizes. 
If\n\t// nil, defaults to just those keys allowed by the Let's Encrypt CPS.\n\tAllowedKeys *AllowedKeys\n\t// FermatRounds is an integer number of rounds of Fermat's factorization\n\t// method that should be performed to attempt to detect keys whose modulus can\n\t// be trivially factored because the two factors are very close to each other.\n\t// If this config value is empty or 0, it will default to 110 rounds.\n\tFermatRounds int\n}\n\n// AllowedKeys is a map of six specific key algorithm and size combinations to\n// booleans indicating whether keys of that type are considered good.\ntype AllowedKeys struct {\n\t// Baseline Requirements, Section 6.1.5 requires key size >= 2048 and a multiple\n\t// of 8 bits: https://github.com/cabforum/servercert/blob/main/docs/BR.md#615-key-sizes\n\t// Baseline Requirements, Section 6.1.1.3 requires that we reject any keys which\n\t// have a known method to easily compute their private key, such as Debian Weak\n\t// Keys. Our enforcement mechanism relies on enumerating all Debian Weak Keys at\n\t// common key sizes, so we restrict all issuance to those common key sizes.\n\tRSA2048 bool\n\tRSA3072 bool\n\tRSA4096 bool\n\t// Baseline Requirements, Section 6.1.5 requires that ECDSA keys be valid\n\t// points on the NIST P-256, P-384, or P-521 elliptic curves.\n\tECDSAP256 bool\n\tECDSAP384 bool\n\tECDSAP521 bool\n}\n\n// LetsEncryptCPS encodes the five key algorithms and sizes allowed by the Let's\n// Encrypt CPS DV-SSL Subscriber Certificate Profile: RSA 2048, RSA 3072, RSA\n// 4096, ECDSA P-256 and ECDSA P-384.\n// https://github.com/letsencrypt/cp-cps/blob/main/CP-CPS.md#dv-ssl-subscriber-certificate\n// If this is ever changed, the CP/CPS MUST be changed first.\nfunc LetsEncryptCPS() AllowedKeys {\n\treturn AllowedKeys{\n\t\tRSA2048:   true,\n\t\tRSA3072:   true,\n\t\tRSA4096:   true,\n\t\tECDSAP256: true,\n\t\tECDSAP384: true,\n\t}\n}\n\n// ErrBadKey represents an error with a key. 
It is distinct from the various\n// ways in which an ACME request can have an erroneous key (BadPublicKeyError,\n// BadCSRError) because this library is used to check both JWS signing keys and\n// keys in CSRs.\nvar ErrBadKey = errors.New(\"\")\n\nfunc badKey(msg string, args ...any) error {\n\treturn fmt.Errorf(\"%w%s\", ErrBadKey, fmt.Errorf(msg, args...))\n}\n\n// BlockedKeyCheckFunc is used to pass in the sa.BlockedKey functionality to KeyPolicy,\n// rather than storing a full sa.SQLStorageAuthority. This allows external\n// users who don’t want to import all of boulder/sa, and makes testing\n// significantly simpler.\n// On success, the function returns a boolean which is true if the key is blocked.\ntype BlockedKeyCheckFunc func(ctx context.Context, keyHash []byte) (bool, error)\n\n// KeyPolicy determines which types of key may be used with various boulder\n// operations.\ntype KeyPolicy struct {\n\tallowedKeys  AllowedKeys\n\tfermatRounds int\n\tblockedCheck BlockedKeyCheckFunc\n}\n\n// NewPolicy returns a key policy based on the given configuration, with sane\n// defaults. If the config's AllowedKeys is nil, the LetsEncryptCPS AllowedKeys\n// is used. 
If the configured FermatRounds is 0, Fermat Factorization defaults to\n// attempting 110 rounds.\nfunc NewPolicy(config *Config, bkc BlockedKeyCheckFunc) (KeyPolicy, error) {\n\tif config == nil {\n\t\tconfig = &Config{}\n\t}\n\tkp := KeyPolicy{\n\t\tblockedCheck: bkc,\n\t}\n\tif config.AllowedKeys == nil {\n\t\tkp.allowedKeys = LetsEncryptCPS()\n\t} else {\n\t\tkp.allowedKeys = *config.AllowedKeys\n\t}\n\tif config.FermatRounds == 0 {\n\t\t// The BRs require 100 rounds, so give ourselves a margin above that.\n\t\tkp.fermatRounds = 110\n\t} else if config.FermatRounds < 100 {\n\t\treturn KeyPolicy{}, fmt.Errorf(\"Fermat factorization rounds must be at least 100: %d\", config.FermatRounds)\n\t} else {\n\t\tkp.fermatRounds = config.FermatRounds\n\t}\n\treturn kp, nil\n}\n\n// GoodKey returns true if the key is acceptable for both TLS use and account\n// key use (our requirements are the same for either one), according to basic\n// strength and algorithm checking. GoodKey only supports pointers: *rsa.PublicKey\n// and *ecdsa.PublicKey. 
It will reject non-pointer types.\n// TODO: Support JSONWebKeys once go-jose migration is done.\nfunc (policy *KeyPolicy) GoodKey(ctx context.Context, key crypto.PublicKey) error {\n\t// Early rejection of unacceptable key types to guard subsequent checks.\n\tswitch t := key.(type) {\n\tcase *rsa.PublicKey, *ecdsa.PublicKey:\n\t\tbreak\n\tdefault:\n\t\treturn badKey(\"unsupported key type %T\", t)\n\t}\n\tif policy.blockedCheck != nil {\n\t\tdigest, err := core.KeyDigest(key)\n\t\tif err != nil {\n\t\t\treturn badKey(\"%w\", err)\n\t\t}\n\t\texists, err := policy.blockedCheck(ctx, digest[:])\n\t\tif err != nil {\n\t\t\treturn err\n\t\t} else if exists {\n\t\t\treturn badKey(\"public key is forbidden\")\n\t\t}\n\t}\n\tswitch t := key.(type) {\n\tcase *rsa.PublicKey:\n\t\treturn policy.goodKeyRSA(t)\n\tcase *ecdsa.PublicKey:\n\t\treturn policy.goodKeyECDSA(t)\n\tdefault:\n\t\treturn badKey(\"unsupported key type %T\", key)\n\t}\n}\n\n// GoodKeyECDSA determines if an ECDSA pubkey meets our requirements\nfunc (policy *KeyPolicy) goodKeyECDSA(key *ecdsa.PublicKey) (err error) {\n\t// Check the curve.\n\t//\n\t// The validity of the curve is an assumption for all following tests.\n\terr = policy.goodCurve(key.Curve)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Key validation routine adapted from NIST SP800-56A § 5.6.2.3.2.\n\t// <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf>\n\t//\n\t// Assuming a prime field since a) we are only allowing such curves and b)\n\t// crypto/elliptic only supports prime curves. Where this assumption\n\t// simplifies the code below, it is explicitly stated and explained. 
If ever\n\t// adapting this code to support non-prime curves, refer to NIST SP800-56A §\n\t// 5.6.2.3.2 and adapt this code appropriately.\n\tparams := key.Params()\n\n\t// SP800-56A § 5.6.2.3.2 Step 1.\n\t// Partial check of the public key for an invalid range in the EC group:\n\t// Verify that key is not the point at infinity O.\n\t// This code assumes that the point at infinity is (0,0), which is the\n\t// case for all supported curves.\n\tif isPointAtInfinityNISTP(key.X, key.Y) {\n\t\treturn badKey(\"key x, y must not be the point at infinity\")\n\t}\n\n\t// SP800-56A § 5.6.2.3.2 Step 2.\n\t//   \"Verify that x_Q and y_Q are integers in the interval [0,p-1] in the\n\t//    case that q is an odd prime p, or that x_Q and y_Q are bit strings\n\t//    of length m bits in the case that q = 2**m.\"\n\t//\n\t// Prove prime field: ASSUMED.\n\t// Prove q != 2: ASSUMED. (Curve parameter. No supported curve has q == 2.)\n\t// Prime field && q != 2  => q is an odd prime p\n\t// Therefore \"verify that x, y are in [0, p-1]\" satisfies step 2.\n\t//\n\t// Therefore verify that both x and y of the public key point have the unique\n\t// correct representation of an element in the underlying field by verifying\n\t// that x and y are integers in [0, p-1].\n\tif key.X.Sign() < 0 || key.Y.Sign() < 0 {\n\t\treturn badKey(\"key x, y must not be negative\")\n\t}\n\n\tif key.X.Cmp(params.P) >= 0 || key.Y.Cmp(params.P) >= 0 {\n\t\treturn badKey(\"key x, y must not exceed P-1\")\n\t}\n\n\t// SP800-56A § 5.6.2.3.2 Step 3.\n\t//   \"If q is an odd prime p, verify that (y_Q)**2 === (x_Q)**3 + a*x_Q + b (mod p).\n\t//    If q = 2**m, verify that (y_Q)**2 + (x_Q)*(y_Q) == (x_Q)**3 + a*(x_Q)**2 + b in\n\t//    the finite field of size 2**m.\n\t//    (Ensures that the public key is on the correct elliptic curve.)\"\n\t//\n\t// q is an odd prime p: proven/assumed above.\n\t// a = -3 for all supported curves.\n\t//\n\t// Therefore step 3 is satisfied simply by showing that\n\t//   y**2 === x**3 
- 3*x + B (mod P).\n\t//\n\t// This proves that the public key is on the correct elliptic curve.\n\t// But in practice, this test is provided by crypto/elliptic, so use that.\n\tif !key.Curve.IsOnCurve(key.X, key.Y) {\n\t\treturn badKey(\"key point is not on the curve\")\n\t}\n\n\t// SP800-56A § 5.6.2.3.2 Step 4.\n\t//   \"Verify that n*Q == Ø.\n\t//    (Ensures that the public key has the correct order. Along with check 1,\n\t//     ensures that the public key is in the correct range in the correct EC\n\t//     subgroup, that is, it is in the correct EC subgroup and is not the\n\t//     identity element.)\"\n\t//\n\t// Ensure that public key has the correct order:\n\t// verify that n*Q = Ø.\n\t//\n\t// n*Q = Ø iff n*Q is the point at infinity (see step 1).\n\tox, oy := key.Curve.ScalarMult(key.X, key.Y, params.N.Bytes())\n\tif !isPointAtInfinityNISTP(ox, oy) {\n\t\treturn badKey(\"public key does not have correct order\")\n\t}\n\n\t// End of SP800-56A § 5.6.2.3.2 Public Key Validation Routine.\n\t// Key is valid.\n\treturn nil\n}\n\n// Returns true iff the point (x,y) on NIST P-256, NIST P-384 or NIST P-521 is\n// the point at infinity. These curves all have the same point at infinity\n// (0,0). 
This function must ONLY be used on points on curves verified to have\n// (0,0) as their point at infinity.\nfunc isPointAtInfinityNISTP(x, y *big.Int) bool {\n\treturn x.Sign() == 0 && y.Sign() == 0\n}\n\n// GoodCurve determines if an elliptic curve meets our requirements.\nfunc (policy *KeyPolicy) goodCurve(c elliptic.Curve) (err error) {\n\t// Simply use a whitelist for now.\n\tparams := c.Params()\n\tswitch {\n\tcase policy.allowedKeys.ECDSAP256 && params == elliptic.P256().Params():\n\t\treturn nil\n\tcase policy.allowedKeys.ECDSAP384 && params == elliptic.P384().Params():\n\t\treturn nil\n\tcase policy.allowedKeys.ECDSAP521 && params == elliptic.P521().Params():\n\t\treturn nil\n\tdefault:\n\t\treturn badKey(\"ECDSA curve %v not allowed\", params.Name)\n\t}\n}\n\n// GoodKeyRSA determines if a RSA pubkey meets our requirements\nfunc (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) error {\n\tmodulus := key.N\n\n\terr := policy.goodRSABitLen(key)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Rather than support arbitrary exponents, which significantly increases\n\t// the size of the key space we allow, we restrict E to the defacto standard\n\t// RSA exponent 65537. There is no specific standards document that specifies\n\t// 65537 as the 'best' exponent, but ITU X.509 Annex C suggests there are\n\t// notable merits for using it if using a fixed exponent.\n\t//\n\t// The CABF Baseline Requirements state:\n\t//   The CA SHALL confirm that the value of the public exponent is an\n\t//   odd number equal to 3 or more. 
Additionally, the public exponent\n\t//   SHOULD be in the range between 2^16 + 1 and 2^256-1.\n\t//\n\t// By only allowing one exponent, which fits these constraints, we satisfy\n\t// these requirements.\n\tif key.E != 65537 {\n\t\treturn badKey(\"key exponent must be 65537\")\n\t}\n\n\t// The modulus SHOULD also have the following characteristics: an odd\n\t// number, not the power of a prime, and have no factors smaller than 752.\n\t// TODO: We don't yet check for \"power of a prime.\"\n\tif checkSmallPrimes(modulus) {\n\t\treturn badKey(\"key divisible by small prime\")\n\t}\n\t// Check for weak keys generated by Infineon hardware\n\t// (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)\n\tif rocacheck.IsWeak(key) {\n\t\treturn badKey(\"key generated by vulnerable Infineon-based hardware\")\n\t}\n\n\t// Check if the key can be easily factored via Fermat's factorization method.\n\terr = checkPrimeFactorsTooClose(modulus, policy.fermatRounds)\n\tif err != nil {\n\t\treturn badKey(\"key generated with factors too close together: %w\", err)\n\t}\n\n\treturn nil\n}\n\nfunc (policy *KeyPolicy) goodRSABitLen(key *rsa.PublicKey) error {\n\t// See comment on AllowedKeys above.\n\tmodulusBitLen := key.N.BitLen()\n\tswitch {\n\tcase modulusBitLen == 2048 && policy.allowedKeys.RSA2048:\n\t\treturn nil\n\tcase modulusBitLen == 3072 && policy.allowedKeys.RSA3072:\n\t\treturn nil\n\tcase modulusBitLen == 4096 && policy.allowedKeys.RSA4096:\n\t\treturn nil\n\tdefault:\n\t\treturn badKey(\"key size not supported: %d\", modulusBitLen)\n\t}\n}\n\n// Returns true iff integer i is divisible by any of the primes in smallPrimes.\n//\n// Short circuits; execution time is dependent on i. Do not use this on secret\n// values.\n//\n// Rather than checking each prime individually (invoking Mod on each),\n// multiply the primes together and let GCD do our work for us: if the\n// GCD between <key> and <product of primes> is not one, we know we have\n// a bad key. 
This is substantially faster than checking each prime\n// individually.\nfunc checkSmallPrimes(i *big.Int) bool {\n\tsmallPrimesSingleton.Do(func() {\n\t\tsmallPrimesProduct = big.NewInt(1)\n\t\tfor _, prime := range smallPrimeInts {\n\t\t\tsmallPrimesProduct.Mul(smallPrimesProduct, big.NewInt(prime))\n\t\t}\n\t})\n\n\t// When the GCD is 1, i and smallPrimesProduct are coprime, meaning they\n\t// share no common factors. When the GCD is not one, it is the product of\n\t// all common factors, meaning we've identified at least one small prime\n\t// which invalidates i as a valid key.\n\n\tvar result big.Int\n\tresult.GCD(nil, nil, i, smallPrimesProduct)\n\treturn result.Cmp(big.NewInt(1)) != 0\n}\n\n// Returns an error if the modulus n is able to be factored into primes p and q\n// via Fermat's factorization method. This method relies on the two primes being\n// very close together, which means that they were almost certainly not picked\n// independently from a uniform random distribution. Basically, if we can factor\n// the key this easily, so can anyone else.\nfunc checkPrimeFactorsTooClose(n *big.Int, rounds int) error {\n\t// Pre-allocate some big numbers that we'll use a lot down below.\n\tone := big.NewInt(1)\n\tbb := new(big.Int)\n\n\t// Any odd integer is equal to a difference of squares of integers:\n\t//   n = a^2 - b^2 = (a + b)(a - b)\n\t// Any RSA public key modulus is equal to a product of two primes:\n\t//   n = pq\n\t// Here we try to find values for a and b, since doing so also gives us the\n\t// prime factors p = (a + b) and q = (a - b).\n\n\t// We start with a close to the square root of the modulus n, to start with\n\t// two candidate prime factors that are as close together as possible and\n\t// work our way out from there. Specifically, we set a = ceil(sqrt(n)), the\n\t// first integer greater than the square root of n. 
Unfortunately, big.Int's\n\t// built-in square root function takes the floor, so we have to add one to get\n\t// the ceil.\n\ta := new(big.Int)\n\ta.Sqrt(n).Add(a, one)\n\n\t// We calculate b2 to see if it is a perfect square (i.e. b^2), and therefore\n\t// b is an integer. Specifically, b2 = a^2 - n.\n\tb2 := new(big.Int)\n\tb2.Mul(a, a).Sub(b2, n)\n\n\tfor round := range rounds {\n\t\t// To see if b2 is a perfect square, we take its square root, square that,\n\t\t// and check to see if we got the same result back.\n\t\tbb.Sqrt(b2).Mul(bb, bb)\n\t\tif b2.Cmp(bb) == 0 {\n\t\t\t// b2 is a perfect square, so we've found integer values of a and b,\n\t\t\t// and can easily compute p and q as their sum and difference.\n\t\t\tbb.Sqrt(bb)\n\t\t\tp := new(big.Int).Add(a, bb)\n\t\t\tq := new(big.Int).Sub(a, bb)\n\t\t\treturn fmt.Errorf(\"public modulus n = pq factored in %d rounds into p: %s and q: %s\", round+1, p, q)\n\t\t}\n\n\t\t// Set up the next iteration by incrementing a by one and recalculating b2.\n\t\ta.Add(a, one)\n\t\tb2.Mul(a, a).Sub(b2, n)\n\t}\n\treturn nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/identifier/identifier.go",
    "content": "// The identifier package defines types for RFC 8555 ACME identifiers.\n//\n// It exists as a separate package to prevent an import loop between the core\n// and probs packages.\n//\n// Function naming conventions:\n// - \"New\" creates a new instance from one or more simple base type inputs.\n// - \"From\" and \"To\" extract information from, or compose, a more complex object.\npackage identifier\n\nimport (\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"slices\"\n\t\"strings\"\n\n\tcorepb \"github.com/letsencrypt/boulder/core/proto\"\n)\n\n// IdentifierType is a named string type for registered ACME identifier types.\n// See https://tools.ietf.org/html/rfc8555#section-9.7.7\ntype IdentifierType string\n\nconst (\n\t// TypeDNS is specified in RFC 8555 for TypeDNS type identifiers.\n\tTypeDNS = IdentifierType(\"dns\")\n\t// TypeIP is specified in RFC 8738\n\tTypeIP = IdentifierType(\"ip\")\n)\n\n// IsValid tests whether the identifier type is known\nfunc (i IdentifierType) IsValid() bool {\n\tswitch i {\n\tcase TypeDNS, TypeIP:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\n// ACMEIdentifier is a struct encoding an identifier that can be validated. The\n// protocol allows for different types of identifier to be supported (DNS\n// names, IP addresses, etc.), but currently we only support RFC 8555 DNS type\n// identifiers for domain names.\ntype ACMEIdentifier struct {\n\t// Type is the registered IdentifierType of the identifier.\n\tType IdentifierType `json:\"type\"`\n\t// Value is the value of the identifier. 
For a DNS type identifier it is\n\t// a domain name.\n\tValue string `json:\"value\"`\n}\n\n// ACMEIdentifiers is a named type for a slice of ACME identifiers, so that\n// methods can be applied to these slices.\ntype ACMEIdentifiers []ACMEIdentifier\n\nfunc (i ACMEIdentifier) ToProto() *corepb.Identifier {\n\treturn &corepb.Identifier{\n\t\tType:  string(i.Type),\n\t\tValue: i.Value,\n\t}\n}\n\nfunc FromProto(ident *corepb.Identifier) ACMEIdentifier {\n\treturn ACMEIdentifier{\n\t\tType:  IdentifierType(ident.Type),\n\t\tValue: ident.Value,\n\t}\n}\n\n// ToProtoSlice is a convenience function for converting a slice of\n// ACMEIdentifier into a slice of *corepb.Identifier, to use for RPCs.\nfunc (idents ACMEIdentifiers) ToProtoSlice() []*corepb.Identifier {\n\tvar pbIdents []*corepb.Identifier\n\tfor _, ident := range idents {\n\t\tpbIdents = append(pbIdents, ident.ToProto())\n\t}\n\treturn pbIdents\n}\n\n// FromProtoSlice is a convenience function for converting a slice of\n// *corepb.Identifier from RPCs into a slice of ACMEIdentifier.\nfunc FromProtoSlice(pbIdents []*corepb.Identifier) ACMEIdentifiers {\n\tvar idents ACMEIdentifiers\n\n\tfor _, pbIdent := range pbIdents {\n\t\tidents = append(idents, FromProto(pbIdent))\n\t}\n\treturn idents\n}\n\n// NewDNS is a convenience function for creating an ACMEIdentifier with Type\n// \"dns\" for a given domain name.\nfunc NewDNS(domain string) ACMEIdentifier {\n\treturn ACMEIdentifier{\n\t\tType:  TypeDNS,\n\t\tValue: domain,\n\t}\n}\n\n// NewDNSSlice is a convenience function for creating a slice of ACMEIdentifier\n// with Type \"dns\" for a given slice of domain names.\nfunc NewDNSSlice(input []string) ACMEIdentifiers {\n\tvar out ACMEIdentifiers\n\tfor _, in := range input {\n\t\tout = append(out, NewDNS(in))\n\t}\n\treturn out\n}\n\n// NewIP is a convenience function for creating an ACMEIdentifier with Type \"ip\"\n// for a given IP address.\nfunc NewIP(ip netip.Addr) ACMEIdentifier {\n\treturn 
ACMEIdentifier{\n\t\tType: TypeIP,\n\t\t// RFC 8738, Sec. 3: The identifier value MUST contain the textual form\n\t\t// of the address as defined in RFC 1123, Sec. 2.1 for IPv4 and in RFC\n\t\t// 5952, Sec. 4 for IPv6.\n\t\tValue: ip.WithZone(\"\").String(),\n\t}\n}\n\n// FromString converts a string to an ACMEIdentifier.\nfunc FromString(identStr string) ACMEIdentifier {\n\tip, err := netip.ParseAddr(identStr)\n\tif err == nil {\n\t\treturn NewIP(ip)\n\t}\n\treturn NewDNS(identStr)\n}\n\n// FromStringSlice converts a slice of strings to a slice of ACMEIdentifier.\nfunc FromStringSlice(identStrs []string) ACMEIdentifiers {\n\tvar idents ACMEIdentifiers\n\tfor _, identStr := range identStrs {\n\t\tidents = append(idents, FromString(identStr))\n\t}\n\treturn idents\n}\n\n// fromX509 extracts the Subject Alternative Names from a certificate or CSR's fields, and\n// returns a slice of ACMEIdentifiers.\nfunc fromX509(commonName string, dnsNames []string, ipAddresses []net.IP) ACMEIdentifiers {\n\tvar sans ACMEIdentifiers\n\tfor _, name := range dnsNames {\n\t\tsans = append(sans, NewDNS(name))\n\t}\n\tif commonName != \"\" {\n\t\t// Boulder won't generate certificates with a CN that's not also present\n\t\t// in the SANs, but such a certificate is possible. If appended, this is\n\t\t// deduplicated later with Normalize(). 
We assume the CN is a DNSName,\n\t\t// because CNs are untyped strings without metadata, and we will never\n\t\t// configure a Boulder profile to issue a certificate that contains both\n\t\t// an IP address identifier and a CN.\n\t\tsans = append(sans, NewDNS(commonName))\n\t}\n\n\tfor _, ip := range ipAddresses {\n\t\tsans = append(sans, ACMEIdentifier{\n\t\t\tType:  TypeIP,\n\t\t\tValue: ip.String(),\n\t\t})\n\t}\n\n\treturn Normalize(sans)\n}\n\n// FromCert extracts the Subject Common Name and Subject Alternative Names from\n// a certificate, and returns a slice of ACMEIdentifiers.\nfunc FromCert(cert *x509.Certificate) ACMEIdentifiers {\n\treturn fromX509(cert.Subject.CommonName, cert.DNSNames, cert.IPAddresses)\n}\n\n// FromCSR extracts the Subject Common Name and Subject Alternative Names from a\n// CSR, and returns a slice of ACMEIdentifiers.\nfunc FromCSR(csr *x509.CertificateRequest) ACMEIdentifiers {\n\treturn fromX509(csr.Subject.CommonName, csr.DNSNames, csr.IPAddresses)\n}\n\n// Normalize returns the set of all unique ACME identifiers in the input after\n// all of them are lowercased. The returned identifier values will be in their\n// lowercased form and sorted alphabetically by value. DNS identifiers will\n// precede IP address identifiers.\nfunc Normalize(idents ACMEIdentifiers) ACMEIdentifiers {\n\tfor i := range idents {\n\t\tidents[i].Value = strings.ToLower(idents[i].Value)\n\t}\n\n\tslices.SortFunc(idents, func(a, b ACMEIdentifier) int {\n\t\tif a.Type == b.Type {\n\t\t\tif a.Value == b.Value {\n\t\t\t\treturn 0\n\t\t\t}\n\t\t\tif a.Value < b.Value {\n\t\t\t\treturn -1\n\t\t\t}\n\t\t\treturn 1\n\t\t}\n\t\tif a.Type == \"dns\" && b.Type == \"ip\" {\n\t\t\treturn -1\n\t\t}\n\t\treturn 1\n\t})\n\n\treturn slices.Compact(idents)\n}\n\n// ToValues returns a slice of DNS names and a slice of IP addresses in the\n// input. 
If an identifier type or IP address is invalid, it returns an error.\nfunc (idents ACMEIdentifiers) ToValues() ([]string, []net.IP, error) {\n\tvar dnsNames []string\n\tvar ipAddresses []net.IP\n\n\tfor _, ident := range idents {\n\t\tswitch ident.Type {\n\t\tcase TypeDNS:\n\t\t\tdnsNames = append(dnsNames, ident.Value)\n\t\tcase TypeIP:\n\t\t\tip := net.ParseIP(ident.Value)\n\t\t\tif ip == nil {\n\t\t\t\treturn nil, nil, fmt.Errorf(\"parsing IP address: %s\", ident.Value)\n\t\t\t}\n\t\t\tipAddresses = append(ipAddresses, ip)\n\t\tdefault:\n\t\t\treturn nil, nil, fmt.Errorf(\"evaluating identifier type: %s for %s\", ident.Type, ident.Value)\n\t\t}\n\t}\n\n\treturn dnsNames, ipAddresses, nil\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/probs/probs.go",
    "content": "package probs\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\n\t\"github.com/letsencrypt/boulder/identifier\"\n)\n\nconst (\n\t// Error types that can be used in ACME payloads. These are sorted in the\n\t// same order as they are defined in RFC8555 Section 6.7. We do not implement\n\t// the `compound`, `externalAccountRequired`, or `userActionRequired` errors,\n\t// because we have no path that would return them.\n\tAccountDoesNotExistProblem = ProblemType(\"accountDoesNotExist\")\n\t// AlreadyReplacedProblem is a problem type that is defined in Section 7.4\n\t// of draft-ietf-acme-ari-08, for more information see:\n\t// https://datatracker.ietf.org/doc/html/draft-ietf-acme-ari-08#section-7.4\n\tAlreadyReplacedProblem       = ProblemType(\"alreadyReplaced\")\n\tAlreadyRevokedProblem        = ProblemType(\"alreadyRevoked\")\n\tBadCSRProblem                = ProblemType(\"badCSR\")\n\tBadNonceProblem              = ProblemType(\"badNonce\")\n\tBadPublicKeyProblem          = ProblemType(\"badPublicKey\")\n\tBadRevocationReasonProblem   = ProblemType(\"badRevocationReason\")\n\tBadSignatureAlgorithmProblem = ProblemType(\"badSignatureAlgorithm\")\n\tCAAProblem                   = ProblemType(\"caa\")\n\t// ConflictProblem is a problem type that is not defined in RFC8555.\n\tConflictProblem              = ProblemType(\"conflict\")\n\tConnectionProblem            = ProblemType(\"connection\")\n\tDNSProblem                   = ProblemType(\"dns\")\n\tInvalidContactProblem        = ProblemType(\"invalidContact\")\n\tMalformedProblem             = ProblemType(\"malformed\")\n\tOrderNotReadyProblem         = ProblemType(\"orderNotReady\")\n\tPausedProblem                = ProblemType(\"rateLimited\")\n\tRateLimitedProblem           = ProblemType(\"rateLimited\")\n\tRejectedIdentifierProblem    = ProblemType(\"rejectedIdentifier\")\n\tServerInternalProblem        = ProblemType(\"serverInternal\")\n\tTLSProblem                   
= ProblemType(\"tls\")\n\tUnauthorizedProblem          = ProblemType(\"unauthorized\")\n\tUnsupportedContactProblem    = ProblemType(\"unsupportedContact\")\n\tUnsupportedIdentifierProblem = ProblemType(\"unsupportedIdentifier\")\n\n\t// Defined in https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/\n\tInvalidProfileProblem = ProblemType(\"invalidProfile\")\n\n\tErrorNS = \"urn:ietf:params:acme:error:\"\n)\n\n// ProblemType defines the error types in the ACME protocol\ntype ProblemType string\n\n// ProblemDetails objects represent problem documents\n// https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00\ntype ProblemDetails struct {\n\tType   ProblemType `json:\"type,omitempty\"`\n\tDetail string      `json:\"detail,omitempty\"`\n\t// HTTPStatus is the HTTP status code the ProblemDetails should probably be sent\n\t// as.\n\tHTTPStatus int `json:\"status,omitempty\"`\n\t// SubProblems are optional additional per-identifier problems. See\n\t// RFC 8555 Section 6.7.1: https://tools.ietf.org/html/rfc8555#section-6.7.1\n\tSubProblems []SubProblemDetails `json:\"subproblems,omitempty\"`\n\t// Algorithms is an extension field defined only for problem documents of type\n\t// badSignatureAlgorithm. 
See RFC 8555, Section 6.2:\n\t// https://datatracker.ietf.org/doc/html/rfc8555#section-6.2\n\tAlgorithms []jose.SignatureAlgorithm `json:\"algorithms,omitempty\"`\n}\n\n// SubProblemDetails represents sub-problems specific to an identifier that are\n// related to a top-level ProblemDetails.\n// See RFC 8555 Section 6.7.1: https://tools.ietf.org/html/rfc8555#section-6.7.1\ntype SubProblemDetails struct {\n\tProblemDetails\n\tIdentifier identifier.ACMEIdentifier `json:\"identifier\"`\n}\n\nfunc (pd *ProblemDetails) String() string {\n\treturn fmt.Sprintf(\"%s :: %s\", pd.Type, pd.Detail)\n}\n\n// WithSubProblems returns a new ProblemDetails instance created by adding the\n// provided subProbs to the existing ProblemDetails.\nfunc (pd *ProblemDetails) WithSubProblems(subProbs []SubProblemDetails) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:        pd.Type,\n\t\tDetail:      pd.Detail,\n\t\tHTTPStatus:  pd.HTTPStatus,\n\t\tSubProblems: append(pd.SubProblems, subProbs...),\n\t}\n}\n\n// Helper functions which construct the basic RFC8555 Problem Documents, with\n// the Type already set and the Details supplied by the caller.\n\n// AccountDoesNotExist returns a ProblemDetails representing an\n// AccountDoesNotExistProblem error\nfunc AccountDoesNotExist(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       AccountDoesNotExistProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// AlreadyReplaced returns a ProblemDetails with an AlreadyReplacedProblem and a\n// 409 Conflict status code.\nfunc AlreadyReplaced(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       AlreadyReplacedProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusConflict,\n\t}\n}\n\n// AlreadyRevoked returns a ProblemDetails with an AlreadyRevokedProblem and a 400 Bad\n// Request status code.\nfunc AlreadyRevoked(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       
AlreadyRevokedProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// BadCSR returns a ProblemDetails representing a BadCSRProblem.\nfunc BadCSR(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       BadCSRProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// BadNonce returns a ProblemDetails with a BadNonceProblem and a 400 Bad\n// Request status code.\nfunc BadNonce(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       BadNonceProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// BadPublicKey returns a ProblemDetails with a BadPublicKeyProblem and a 400 Bad\n// Request status code.\nfunc BadPublicKey(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       BadPublicKeyProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// BadRevocationReason returns a ProblemDetails representing\n// a BadRevocationReasonProblem\nfunc BadRevocationReason(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       BadRevocationReasonProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// BadSignatureAlgorithm returns a ProblemDetails with a BadSignatureAlgorithmProblem\n// and a 400 Bad Request status code.\nfunc BadSignatureAlgorithm(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       BadSignatureAlgorithmProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// CAA returns a ProblemDetails representing a CAAProblem\nfunc CAA(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       CAAProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusForbidden,\n\t}\n}\n\n// Connection returns a ProblemDetails representing a ConnectionProblem\n// error\nfunc Connection(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       
ConnectionProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// DNS returns a ProblemDetails representing a DNSProblem\nfunc DNS(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       DNSProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// InvalidContact returns a ProblemDetails representing an InvalidContactProblem.\nfunc InvalidContact(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       InvalidContactProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// Malformed returns a ProblemDetails with a MalformedProblem and a 400 Bad\n// Request status code.\nfunc Malformed(detail string, a ...any) *ProblemDetails {\n\tif len(a) > 0 {\n\t\tdetail = fmt.Sprintf(detail, a...)\n\t}\n\treturn &ProblemDetails{\n\t\tType:       MalformedProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// OrderNotReady returns a ProblemDetails representing a OrderNotReadyProblem\nfunc OrderNotReady(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       OrderNotReadyProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusForbidden,\n\t}\n}\n\n// RateLimited returns a ProblemDetails representing a RateLimitedProblem error\nfunc RateLimited(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       RateLimitedProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusTooManyRequests,\n\t}\n}\n\n// Paused returns a ProblemDetails representing a RateLimitedProblem error\nfunc Paused(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       PausedProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusTooManyRequests,\n\t}\n}\n\n// RejectedIdentifier returns a ProblemDetails with a RejectedIdentifierProblem and a 400 Bad\n// Request status code.\nfunc RejectedIdentifier(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       
RejectedIdentifierProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// ServerInternal returns a ProblemDetails with a ServerInternalProblem and a\n// 500 Internal Server Error status code.\nfunc ServerInternal(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       ServerInternalProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusInternalServerError,\n\t}\n}\n\n// TLS returns a ProblemDetails representing a TLSProblem error\nfunc TLS(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       TLSProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// Unauthorized returns a ProblemDetails with an UnauthorizedProblem and a 403\n// Forbidden status code.\nfunc Unauthorized(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       UnauthorizedProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusForbidden,\n\t}\n}\n\n// UnsupportedContact returns a ProblemDetails representing an\n// UnsupportedContactProblem\nfunc UnsupportedContact(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       UnsupportedContactProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// UnsupportedIdentifier returns a ProblemDetails representing an\n// UnsupportedIdentifierProblem\nfunc UnsupportedIdentifier(detail string, a ...any) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       UnsupportedIdentifierProblem,\n\t\tDetail:     fmt.Sprintf(detail, a...),\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n\n// Additional helper functions that return variations on MalformedProblem with\n// different HTTP status codes set.\n\n// Canceled returns a ProblemDetails with a MalformedProblem and a 408 Request\n// Timeout status code.\nfunc Canceled(detail string, a ...any) *ProblemDetails {\n\tif len(a) > 0 {\n\t\tdetail = fmt.Sprintf(detail, a...)\n\t}\n\treturn &ProblemDetails{\n\t\tType:       
MalformedProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusRequestTimeout,\n\t}\n}\n\n// Conflict returns a ProblemDetails with a ConflictProblem and a 409 Conflict\n// status code.\nfunc Conflict(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       ConflictProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusConflict,\n\t}\n}\n\n// MethodNotAllowed returns a ProblemDetails representing a disallowed HTTP\n// method error.\nfunc MethodNotAllowed() *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       MalformedProblem,\n\t\tDetail:     \"Method not allowed\",\n\t\tHTTPStatus: http.StatusMethodNotAllowed,\n\t}\n}\n\n// NotFound returns a ProblemDetails with a MalformedProblem and a 404 Not Found\n// status code.\nfunc NotFound(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       MalformedProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusNotFound,\n\t}\n}\n\n// InvalidProfile returns a ProblemDetails with type InvalidProfile, specified\n// in https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/.\nfunc InvalidProfile(detail string) *ProblemDetails {\n\treturn &ProblemDetails{\n\t\tType:       InvalidProfileProblem,\n\t\tDetail:     detail,\n\t\tHTTPStatus: http.StatusBadRequest,\n\t}\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/letsencrypt/boulder/revocation/reasons.go",
    "content": "package revocation\n\nimport (\n\t\"fmt\"\n)\n\n// Reason is used to specify a certificate revocation reason\ntype Reason int64\n\n// The enumerated reasons for revoking a certificate. See RFC 5280:\n// https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1.\nconst (\n\tUnspecified          Reason = 0\n\tKeyCompromise        Reason = 1\n\tCACompromise         Reason = 2\n\tAffiliationChanged   Reason = 3\n\tSuperseded           Reason = 4\n\tCessationOfOperation Reason = 5\n\tCertificateHold      Reason = 6\n\t// 7 is unused\n\tRemoveFromCRL      Reason = 8\n\tPrivilegeWithdrawn Reason = 9\n\tAACompromise       Reason = 10\n)\n\n// reasonToString provides a map from reason code to string. It is unexported\n// to make it immutable.\nvar reasonToString = map[Reason]string{\n\tUnspecified:          \"unspecified\",\n\tKeyCompromise:        \"keyCompromise\",\n\tCACompromise:         \"cACompromise\",\n\tAffiliationChanged:   \"affiliationChanged\",\n\tSuperseded:           \"superseded\",\n\tCessationOfOperation: \"cessationOfOperation\",\n\tCertificateHold:      \"certificateHold\",\n\tRemoveFromCRL:        \"removeFromCRL\",\n\tPrivilegeWithdrawn:   \"privilegeWithdrawn\",\n\tAACompromise:         \"aAcompromise\",\n}\n\n// String converts a revocation reason code (such as 0) into its corresponding\n// reason string (e.g. \"unspecified\").\n//\n// The receiver *must* be one of the valid reason code constants defined in this\n// package: this method will panic if called on an invalid Reason. It is\n// expected that this method is only called on const Reasons, or after a call to\n// UserAllowedReason or AdminAllowedReason.\nfunc (r Reason) String() string {\n\tres, ok := reasonToString[r]\n\tif !ok {\n\t\tpanic(fmt.Errorf(\"unrecognized revocation code %d\", r))\n\t}\n\treturn res\n}\n\n// StringToReason converts a revocation reason string (such as \"keyCompromise\")\n// into the corresponding integer reason code (e.g. 
1).\nfunc StringToReason(s string) (Reason, error) {\n\tfor code, str := range reasonToString {\n\t\tif s == str {\n\t\t\treturn code, nil\n\t\t}\n\t}\n\treturn 0, fmt.Errorf(\"unrecognized revocation reason %q\", s)\n}\n\n// UserAllowedReason returns true if the given Reason is in the subset of\n// Reasons which users are allowed to request.\nfunc UserAllowedReason(r Reason) bool {\n\tswitch r {\n\tcase Unspecified,\n\t\tKeyCompromise,\n\t\tSuperseded,\n\t\tCessationOfOperation:\n\t\treturn true\n\t}\n\treturn false\n}\n\n// AdminAllowedReason returns true if the given Reason is in the subset of\n// Reasons which admins (i.e. people acting in CA Trusted Roles) are allowed\n// to request. Reasons which do *not* appear here are those which are defined\n// by RFC 5280 but are disallowed by the Baseline Requirements.\nfunc AdminAllowedReason(r Reason) bool {\n\tswitch r {\n\tcase Unspecified,\n\t\tKeyCompromise,\n\t\tSuperseded,\n\t\tCessationOfOperation,\n\t\tPrivilegeWithdrawn:\n\t\treturn true\n\t}\n\treturn false\n}\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/mitchellh/go-homedir/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2013 Mitchell Hashimoto\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/mitchellh/go-wordwrap/LICENSE.md",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Mitchell Hashimoto\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/mitchellh/mapstructure/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2013 Mitchell Hashimoto\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/moby/docker-image-spec/specs-go/v1/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/moby/term/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        https://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2013-2018 Docker, Inc.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       https://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/modern-go/concurrent/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/modern-go/reflect2/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/mozillazg/docker-credential-acr-helper/pkg/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2022 mozillazg\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/munnerz/goautoneg/LICENSE",
    "content": "Copyright (c) 2011, Open Knowledge Foundation Ltd.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n    Redistributions of source code must retain the above copyright\n    notice, this list of conditions and the following disclaimer.\n\n    Redistributions in binary form must reproduce the above copyright\n    notice, this list of conditions and the following disclaimer in\n    the documentation and/or other materials provided with the\n    distribution.\n\n    Neither the name of the Open Knowledge Foundation Ltd. nor the\n    names of its contributors may be used to endorse or promote\n    products derived from this software without specific prior written\n    permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/natefinch/atomic/LICENSE",
    "content": "The MIT License (MIT) \n\nCopyright (c) 2015 Nate Finch\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/nozzle/throttler/LICENSE",
    "content": "Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived 
from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/oklog/ulid/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/open-policy-agent/opa/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/open-policy-agent/opa/internal/edittree/bitvector/license.txt",
    "content": "Copyright (c) 2014 Dropbox, Inc.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n1. Redistributions of source code must retain the above copyright notice, this\nlist of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright notice,\nthis list of conditions and the following disclaimer in the documentation\nand/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its contributors\nmay be used to endorse or promote products derived from this software without\nspecific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/open-policy-agent/opa/internal/gojsonschema/LICENSE-APACHE-2.0.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright 2015 xeipuuv\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/open-policy-agent/opa/internal/semver/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/opencontainers/go-digest/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        https://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2019, 2020 OCI Contributors\n   Copyright 2016 Docker, Inc.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       https://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/opencontainers/image-spec/specs-go/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. 
However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   Copyright 2016 The Linux Foundation.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/pelletier/go-toml/v2/LICENSE",
    "content": "The MIT License (MIT)\n\ngo-toml v2\nCopyright (c) 2021 - 2023 Thomas Pelletier\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/pkg/browser/LICENSE",
    "content": "Copyright (c) 2014, Dave Cheney <dave@cheney.net>\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/pkg/errors/LICENSE",
    "content": "Copyright (c) 2015, Dave Cheney <dave@cheney.net>\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/pmezard/go-difflib/difflib/LICENSE",
    "content": "Copyright (c) 2013, Patrick Mezard\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n    Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n    Redistributions in binary form must reproduce the above copyright\nnotice, this list of conditions and the following disclaimer in the\ndocumentation and/or other materials provided with the distribution.\n    The names of its contributors may not be used to endorse or promote\nproducts derived from this software without specific prior written\npermission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS\nIS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED\nTO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A\nPARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED\nTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\nLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/client_golang/internal/github.com/golang/gddo/httputil/LICENSE",
    "content": "Copyright (c) 2013 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/client_golang/prometheus/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/client_golang/prometheus/NOTICE",
    "content": "Prometheus instrumentation library for Go applications\nCopyright 2012-2015 The Prometheus Authors\n\nThis product includes software developed at\nSoundCloud Ltd. (http://soundcloud.com/).\n\n\nThe following components are included in this product:\n\nperks - a fork of https://github.com/bmizerany/perks\nhttps://github.com/beorn7/perks\nCopyright 2013-2015 Blake Mizerany, Björn Rabenstein\nSee https://github.com/beorn7/perks/blob/master/README.md for license details.\n\nGo support for Protocol Buffers - Google's data interchange format\nhttp://github.com/golang/protobuf/\nCopyright 2010 The Go Authors\nSee source code for license details.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/client_model/go/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/client_model/go/NOTICE",
    "content": "Data model artifacts for Prometheus.\nCopyright 2012-2015 The Prometheus Authors\n\nThis product includes software developed at\nSoundCloud Ltd. (http://soundcloud.com/).\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/common/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/common/NOTICE",
    "content": "Common libraries shared by Prometheus Go components.\nCopyright 2015 The Prometheus Authors\n\nThis product includes software developed at\nSoundCloud Ltd. (http://soundcloud.com/).\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/procfs/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/procfs/NOTICE",
    "content": "procfs provides functions to retrieve system, kernel and process\nmetrics from the pseudo-filesystem proc.\n\nCopyright 2014-2015 The Prometheus Authors\n\nThis product includes software developed at\nSoundCloud Ltd. (http://soundcloud.com/).\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/statsd_exporter/pkg/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/prometheus/statsd_exporter/pkg/NOTICE",
    "content": "StatsD-to-Prometheus exporter\nCopyright 2013-2015 The Prometheus Authors\n\nThis product includes software developed at\nSoundCloud Ltd. (http://soundcloud.com/).\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/protocolbuffers/txtpbfmt/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/rcrowley/go-metrics/LICENSE",
    "content": "Copyright 2012 Richard Crowley. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n    1.  Redistributions of source code must retain the above copyright\n        notice, this list of conditions and the following disclaimer.\n\n    2.  Redistributions in binary form must reproduce the above\n        copyright notice, this list of conditions and the following\n        disclaimer in the documentation and/or other materials provided\n        with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY RICHARD CROWLEY ``AS IS'' AND ANY EXPRESS\nOR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL RICHARD CROWLEY OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR\nCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\nSUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\nINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN\nCONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\nARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF\nTHE POSSIBILITY OF SUCH DAMAGE.\n\nThe views and conclusions contained in the software and documentation\nare those of the authors and should not be interpreted as representing\nofficial policies, either expressed or implied, of Richard Crowley.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/ryanuber/go-glob/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Ryan Uber\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sagikazarmark/locafero/LICENSE",
    "content": "Copyright (c) 2023 Márk Sági-Kazár <mark.sagikazar@gmail.com>\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is furnished\nto do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sassoftware/relic/lib/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/secure-systems-lab/go-securesystemslib/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2021 NYU Secure Systems Lab\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/shibumi/go-pathspec/LICENSE",
    "content": "Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived 
from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/cosign/v3/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/protobuf-specs/gen/pb-go/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/rekor/pkg/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/rekor-tiles/v2/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/scaffolding/pkg/repo/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/sigstore/pkg/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/sigstore/pkg/signature/kms/aws/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/sigstore/pkg/signature/kms/azure/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/sigstore/pkg/signature/kms/gcp/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/sigstore/pkg/signature/kms/hashivault/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/sigstore-go/pkg/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sigstore/timestamp-authority/v2/pkg/verification/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sirupsen/logrus/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Simon Eskildsen\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/sourcegraph/conc/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2023 Sourcegraph\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/spf13/afero/LICENSE.txt",
    "content": "                                Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, 
that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/spf13/cast/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Steve Francia\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/spf13/cobra/LICENSE.txt",
    "content": "                                Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, 
that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/spf13/pflag/LICENSE",
    "content": "Copyright (c) 2012 Alex Ogier. All rights reserved.\nCopyright (c) 2012 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/spf13/viper/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Steve Francia\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/subosito/gotenv/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2013 Alif Rachmawadi\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/syndtr/goleveldb/leveldb/LICENSE",
    "content": "Copyright 2012 Suryandaru Triandana <syndtr@gmail.com>\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n    * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n    * Redistributions in binary form must reproduce the above copyright\nnotice, this list of conditions and the following disclaimer in the\ndocumentation and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/tchap/go-patricia/v2/patricia/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 The AUTHORS\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/LICENSE",
    "content": "Copyright (c) 2014-2020 Prime Directive, Inc. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Prime Directive, Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/LICENSE",
    "content": "                                 Apache License\r\n                           Version 2.0, January 2004\r\n                        http://www.apache.org/licenses/\r\n\r\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\r\n\r\n   1. Definitions.\r\n\r\n      \"License\" shall mean the terms and conditions for use, reproduction,\r\n      and distribution as defined by Sections 1 through 9 of this document.\r\n\r\n      \"Licensor\" shall mean the copyright owner or entity authorized by\r\n      the copyright owner that is granting the License.\r\n\r\n      \"Legal Entity\" shall mean the union of the acting entity and all\r\n      other entities that control, are controlled by, or are under common\r\n      control with that entity. For the purposes of this definition,\r\n      \"control\" means (i) the power, direct or indirect, to cause the\r\n      direction or management of such entity, whether by contract or\r\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\r\n      outstanding shares, or (iii) beneficial ownership of such entity.\r\n\r\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\r\n      exercising permissions granted by this License.\r\n\r\n      \"Source\" form shall mean the preferred form for making modifications,\r\n      including but not limited to software source code, documentation\r\n      source, and configuration files.\r\n\r\n      \"Object\" form shall mean any form resulting from mechanical\r\n      transformation or translation of a Source form, including but\r\n      not limited to compiled object code, generated documentation,\r\n      and conversions to other media types.\r\n\r\n      \"Work\" shall mean the work of authorship, whether in Source or\r\n      Object form, made available under the License, as indicated by a\r\n      copyright notice that is included in or attached to the work\r\n      (an example is provided in the Appendix below).\r\n\r\n      
\"Derivative Works\" shall mean any work, whether in Source or Object\r\n      form, that is based on (or derived from) the Work and for which the\r\n      editorial revisions, annotations, elaborations, or other modifications\r\n      represent, as a whole, an original work of authorship. For the purposes\r\n      of this License, Derivative Works shall not include works that remain\r\n      separable from, or merely link (or bind by name) to the interfaces of,\r\n      the Work and Derivative Works thereof.\r\n\r\n      \"Contribution\" shall mean any work of authorship, including\r\n      the original version of the Work and any modifications or additions\r\n      to that Work or Derivative Works thereof, that is intentionally\r\n      submitted to Licensor for inclusion in the Work by the copyright owner\r\n      or by an individual or Legal Entity authorized to submit on behalf of\r\n      the copyright owner. For the purposes of this definition, \"submitted\"\r\n      means any form of electronic, verbal, or written communication sent\r\n      to the Licensor or its representatives, including but not limited to\r\n      communication on electronic mailing lists, source code control systems,\r\n      and issue tracking systems that are managed by, or on behalf of, the\r\n      Licensor for the purpose of discussing and improving the Work, but\r\n      excluding communication that is conspicuously marked or otherwise\r\n      designated in writing by the copyright owner as \"Not a Contribution.\"\r\n\r\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\r\n      on behalf of whom a Contribution has been received by Licensor and\r\n      subsequently incorporated within the Work.\r\n\r\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\r\n      this License, each Contributor hereby grants to You a perpetual,\r\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\r\n      copyright license to reproduce, prepare Derivative Works of,\r\n      publicly display, publicly perform, sublicense, and distribute the\r\n      Work and such Derivative Works in Source or Object form.\r\n\r\n   3. Grant of Patent License. Subject to the terms and conditions of\r\n      this License, each Contributor hereby grants to You a perpetual,\r\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\r\n      (except as stated in this section) patent license to make, have made,\r\n      use, offer to sell, sell, import, and otherwise transfer the Work,\r\n      where such license applies only to those patent claims licensable\r\n      by such Contributor that are necessarily infringed by their\r\n      Contribution(s) alone or by combination of their Contribution(s)\r\n      with the Work to which such Contribution(s) was submitted. If You\r\n      institute patent litigation against any entity (including a\r\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\r\n      or a Contribution incorporated within the Work constitutes direct\r\n      or contributory patent infringement, then any patent licenses\r\n      granted to You under this License for that Work shall terminate\r\n      as of the date such litigation is filed.\r\n\r\n   4. Redistribution. 
You may reproduce and distribute copies of the\r\n      Work or Derivative Works thereof in any medium, with or without\r\n      modifications, and in Source or Object form, provided that You\r\n      meet the following conditions:\r\n\r\n      (a) You must give any other recipients of the Work or\r\n          Derivative Works a copy of this License; and\r\n\r\n      (b) You must cause any modified files to carry prominent notices\r\n          stating that You changed the files; and\r\n\r\n      (c) You must retain, in the Source form of any Derivative Works\r\n          that You distribute, all copyright, patent, trademark, and\r\n          attribution notices from the Source form of the Work,\r\n          excluding those notices that do not pertain to any part of\r\n          the Derivative Works; and\r\n\r\n      (d) If the Work includes a \"NOTICE\" text file as part of its\r\n          distribution, then any Derivative Works that You distribute must\r\n          include a readable copy of the attribution notices contained\r\n          within such NOTICE file, excluding those notices that do not\r\n          pertain to any part of the Derivative Works, in at least one\r\n          of the following places: within a NOTICE text file distributed\r\n          as part of the Derivative Works; within the Source form or\r\n          documentation, if provided along with the Derivative Works; or,\r\n          within a display generated by the Derivative Works, if and\r\n          wherever such third-party notices normally appear. The contents\r\n          of the NOTICE file are for informational purposes only and\r\n          do not modify the License. 
You may add Your own attribution\r\n          notices within Derivative Works that You distribute, alongside\r\n          or as an addendum to the NOTICE text from the Work, provided\r\n          that such additional attribution notices cannot be construed\r\n          as modifying the License.\r\n\r\n      You may add Your own copyright statement to Your modifications and\r\n      may provide additional or different license terms and conditions\r\n      for use, reproduction, or distribution of Your modifications, or\r\n      for any such Derivative Works as a whole, provided Your use,\r\n      reproduction, and distribution of the Work otherwise complies with\r\n      the conditions stated in this License.\r\n\r\n   5. Submission of Contributions. Unless You explicitly state otherwise,\r\n      any Contribution intentionally submitted for inclusion in the Work\r\n      by You to the Licensor shall be under the terms and conditions of\r\n      this License, without any additional terms or conditions.\r\n      Notwithstanding the above, nothing herein shall supersede or modify\r\n      the terms of any separate license agreement you may have executed\r\n      with Licensor regarding such Contributions.\r\n\r\n   6. Trademarks. This License does not grant permission to use the trade\r\n      names, trademarks, service marks, or product names of the Licensor,\r\n      except as required for reasonable and customary use in describing the\r\n      origin of the Work and reproducing the content of the NOTICE file.\r\n\r\n   7. Disclaimer of Warranty. Unless required by applicable law or\r\n      agreed to in writing, Licensor provides the Work (and each\r\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\r\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\r\n      implied, including, without limitation, any warranties or conditions\r\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\r\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\r\n      appropriateness of using or redistributing the Work and assume any\r\n      risks associated with Your exercise of permissions under this License.\r\n\r\n   8. Limitation of Liability. In no event and under no legal theory,\r\n      whether in tort (including negligence), contract, or otherwise,\r\n      unless required by applicable law (such as deliberate and grossly\r\n      negligent acts) or agreed to in writing, shall any Contributor be\r\n      liable to You for damages, including any direct, indirect, special,\r\n      incidental, or consequential damages of any character arising as a\r\n      result of this License or out of the use or inability to use the\r\n      Work (including but not limited to damages for loss of goodwill,\r\n      work stoppage, computer failure or malfunction, or any and all\r\n      other commercial damages or losses), even if such Contributor\r\n      has been advised of the possibility of such damages.\r\n\r\n   9. Accepting Warranty or Additional Liability. While redistributing\r\n      the Work or Derivative Works thereof, You may choose to offer,\r\n      and charge a fee for, acceptance of support, warranty, indemnity,\r\n      or other liability obligations and/or rights consistent with this\r\n      License. 
However, in accepting such obligations, You may act only\r\n      on Your own behalf and on Your sole responsibility, not on behalf\r\n      of any other Contributor, and only if You agree to indemnify,\r\n      defend, and hold each Contributor harmless for any liability\r\n      incurred by, or claims asserted against, such Contributor by reason\r\n      of your accepting any such warranty or additional liability.\r\n\r\n   END OF TERMS AND CONDITIONS\r\n\r\n   APPENDIX: How to apply the Apache License to your work.\r\n\r\n      To apply the Apache License to your work, attach the following\r\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\r\n      replaced with your own identifying information. (Don't include\r\n      the brackets!)  The text should be enclosed in the appropriate\r\n      comment syntax for the file format. We also recommend that a\r\n      file or class name and description of purpose be included on the\r\n      same \"printed page\" as the copyright notice for easier\r\n      identification within third-party archives.\r\n\r\n   Copyright 2024 The Update Framework Authors\r\n\r\n   Licensed under the Apache License, Version 2.0 (the \"License\");\r\n   you may not use this file except in compliance with the License.\r\n   You may obtain a copy of the License at\r\n\r\n       http://www.apache.org/licenses/LICENSE-2.0\r\n\r\n   Unless required by applicable law or agreed to in writing, software\r\n   distributed under the License is distributed on an \"AS IS\" BASIS,\r\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r\n   See the License for the specific language governing permissions and\r\n   limitations under the License."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/NOTICE",
    "content": "Copyright 2024 The Update Framework Authors\n\nApache 2.0 License\nCopyright 2024 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (/).\n\nSPDX-License-Identifier: Apache-2.0\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/titanous/rocacheck/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2017, Jonathan Rudenberg\nCopyright (c) 2017, CRoCS, EnigmaBridge Ltd.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/tjfoc/gmsm/sm3/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/transparency-dev/formats/log/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/transparency-dev/merkle/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/valyala/fastjson/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2018 Aliaksandr Valialkin\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/vbatts/tar-split/archive/tar/LICENSE",
    "content": "Copyright (c) 2015 Vincent Batts, Raleigh, NC, USA\n\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n1. Redistributions of source code must retain the above copyright notice, this\nlist of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright notice,\nthis list of conditions and the following disclaimer in the documentation\nand/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its contributors\nmay be used to endorse or promote products derived from this software without\nspecific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/vektah/gqlparser/v2/LICENSE",
    "content": "Copyright (c) 2018 Adam Scarr\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/x448/float16/LICENSE",
    "content": "MIT License\n\nCopyright (c) 2019 Montgomery Edwards⁴⁴⁸ and Faye Amacker\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/xeipuuv/gojsonpointer/LICENSE-APACHE-2.0.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright 2015 xeipuuv\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/xeipuuv/gojsonreference/LICENSE-APACHE-2.0.txt",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright 2015 xeipuuv\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/github.com/yashtewari/glob-intersection/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gitlab.com/gitlab-org/api/client-go/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.mongodb.org/mongo-driver/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.opencensus.io/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.opentelemetry.io/auto/sdk/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n--------------------------------------------------------------------------------\n\nCopyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n--------------------------------------------------------------------------------\n\nCopyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.opentelemetry.io/otel/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n--------------------------------------------------------------------------------\n\nCopyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.opentelemetry.io/otel/metric/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n--------------------------------------------------------------------------------\n\nCopyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.opentelemetry.io/otel/sdk/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n--------------------------------------------------------------------------------\n\nCopyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.opentelemetry.io/otel/trace/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n--------------------------------------------------------------------------------\n\nCopyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.uber.org/atomic/LICENSE.txt",
    "content": "Copyright (c) 2016 Uber Technologies, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.uber.org/automaxprocs/LICENSE",
    "content": "Copyright (c) 2017 Uber Technologies, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE."
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.uber.org/multierr/LICENSE.txt",
    "content": "Copyright (c) 2017-2021 Uber Technologies, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.uber.org/zap/LICENSE",
    "content": "Copyright (c) 2016-2024 Uber Technologies, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.yaml.in/yaml/v2/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.yaml.in/yaml/v2/NOTICE",
    "content": "Copyright 2011-2016 Canonical Ltd.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.yaml.in/yaml/v3/LICENSE",
    "content": "\nThis project is covered by two different licenses: MIT and Apache.\n\n#### MIT License ####\n\nThe following files were ported to Go from C files of libyaml, and thus\nare still covered by their original MIT license, with the additional\ncopyright staring in 2011 when the project was ported over:\n\n    apic.go emitterc.go parserc.go readerc.go scannerc.go\n    writerc.go yamlh.go yamlprivateh.go\n\nCopyright (c) 2006-2010 Kirill Simonov\nCopyright (c) 2006-2011 Kirill Simonov\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies\nof the Software, and to permit persons to whom the Software is furnished to do\nso, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n### Apache License ###\n\nAll the remaining project files are covered by the Apache license:\n\nCopyright (c) 2011-2019 Canonical Ltd\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/go.yaml.in/yaml/v3/NOTICE",
    "content": "Copyright 2011-2016 Canonical Ltd.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/crypto/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/mod/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/net/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/oauth2/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/sync/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/sys/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/term/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/text/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/golang.org/x/time/rate/LICENSE",
    "content": "Copyright 2009 The Go Authors.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google LLC nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gomodules.xyz/jsonpatch/v2/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/google.golang.org/api/LICENSE",
    "content": "Copyright (c) 2011 Google Inc. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/google.golang.org/api/internal/third_party/uritemplates/LICENSE",
    "content": "Copyright (c) 2013 Joshua Tacoma. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/google.golang.org/genproto/googleapis/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/google.golang.org/genproto/googleapis/api/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/google.golang.org/genproto/googleapis/rpc/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/google.golang.org/grpc/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/google.golang.org/grpc/NOTICE.txt",
    "content": "Copyright 2014 gRPC authors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/google.golang.org/protobuf/LICENSE",
    "content": "Copyright (c) 2018 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gopkg.in/evanphx/json-patch.v4/LICENSE",
    "content": "Copyright (c) 2014, Evan Phoenix\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without \nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n* Neither the name of the Evan Phoenix nor the names of its contributors \n  may be used to endorse or promote products derived from this software \n  without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" \nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE \nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE \nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE \nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL \nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER \nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, \nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gopkg.in/inf.v0/LICENSE",
    "content": "Copyright (c) 2012 Péter Surányi. Portions Copyright (c) 2009 The Go\nAuthors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gopkg.in/ini.v1/LICENSE",
    "content": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n1. Definitions.\n\n\"License\" shall mean the terms and conditions for use, reproduction, and\ndistribution as defined by Sections 1 through 9 of this document.\n\n\"Licensor\" shall mean the copyright owner or entity authorized by the copyright\nowner that is granting the License.\n\n\"Legal Entity\" shall mean the union of the acting entity and all other entities\nthat control, are controlled by, or are under common control with that entity.\nFor the purposes of this definition, \"control\" means (i) the power, direct or\nindirect, to cause the direction or management of such entity, whether by\ncontract or otherwise, or (ii) ownership of fifty percent (50%) or more of the\noutstanding shares, or (iii) beneficial ownership of such entity.\n\n\"You\" (or \"Your\") shall mean an individual or Legal Entity exercising\npermissions granted by this License.\n\n\"Source\" form shall mean the preferred form for making modifications, including\nbut not limited to software source code, documentation source, and configuration\nfiles.\n\n\"Object\" form shall mean any form resulting from mechanical transformation or\ntranslation of a Source form, including but not limited to compiled object code,\ngenerated documentation, and conversions to other media types.\n\n\"Work\" shall mean the work of authorship, whether in Source or Object form, made\navailable under the License, as indicated by a copyright notice that is included\nin or attached to the work (an example is provided in the Appendix below).\n\n\"Derivative Works\" shall mean any work, whether in Source or Object form, that\nis based on (or derived from) the Work and for which the editorial revisions,\nannotations, elaborations, or other modifications represent, as a whole, an\noriginal work of authorship. 
For the purposes of this License, Derivative Works\nshall not include works that remain separable from, or merely link (or bind by\nname) to the interfaces of, the Work and Derivative Works thereof.\n\n\"Contribution\" shall mean any work of authorship, including the original version\nof the Work and any modifications or additions to that Work or Derivative Works\nthereof, that is intentionally submitted to Licensor for inclusion in the Work\nby the copyright owner or by an individual or Legal Entity authorized to submit\non behalf of the copyright owner. For the purposes of this definition,\n\"submitted\" means any form of electronic, verbal, or written communication sent\nto the Licensor or its representatives, including but not limited to\ncommunication on electronic mailing lists, source code control systems, and\nissue tracking systems that are managed by, or on behalf of, the Licensor for\nthe purpose of discussing and improving the Work, but excluding communication\nthat is conspicuously marked or otherwise designated in writing by the copyright\nowner as \"Not a Contribution.\"\n\n\"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf\nof whom a Contribution has been received by Licensor and subsequently\nincorporated within the Work.\n\n2. Grant of Copyright License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable copyright license to reproduce, prepare Derivative Works of,\npublicly display, publicly perform, sublicense, and distribute the Work and such\nDerivative Works in Source or Object form.\n\n3. 
Grant of Patent License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable (except as stated in this section) patent license to make, have\nmade, use, offer to sell, sell, import, and otherwise transfer the Work, where\nsuch license applies only to those patent claims licensable by such Contributor\nthat are necessarily infringed by their Contribution(s) alone or by combination\nof their Contribution(s) with the Work to which such Contribution(s) was\nsubmitted. If You institute patent litigation against any entity (including a\ncross-claim or counterclaim in a lawsuit) alleging that the Work or a\nContribution incorporated within the Work constitutes direct or contributory\npatent infringement, then any patent licenses granted to You under this License\nfor that Work shall terminate as of the date such litigation is filed.\n\n4. Redistribution.\n\nYou may reproduce and distribute copies of the Work or Derivative Works thereof\nin any medium, with or without modifications, and in Source or Object form,\nprovided that You meet the following conditions:\n\nYou must give any other recipients of the Work or Derivative Works a copy of\nthis License; and\nYou must cause any modified files to carry prominent notices stating that You\nchanged the files; and\nYou must retain, in the Source form of any Derivative Works that You distribute,\nall copyright, patent, trademark, and attribution notices from the Source form\nof the Work, excluding those notices that do not pertain to any part of the\nDerivative Works; and\nIf the Work includes a \"NOTICE\" text file as part of its distribution, then any\nDerivative Works that You distribute must include a readable copy of the\nattribution notices contained within such NOTICE file, excluding those notices\nthat do not pertain to any part of the Derivative Works, in at least one of the\nfollowing places: within a 
NOTICE text file distributed as part of the\nDerivative Works; within the Source form or documentation, if provided along\nwith the Derivative Works; or, within a display generated by the Derivative\nWorks, if and wherever such third-party notices normally appear. The contents of\nthe NOTICE file are for informational purposes only and do not modify the\nLicense. You may add Your own attribution notices within Derivative Works that\nYou distribute, alongside or as an addendum to the NOTICE text from the Work,\nprovided that such additional attribution notices cannot be construed as\nmodifying the License.\nYou may add Your own copyright statement to Your modifications and may provide\nadditional or different license terms and conditions for use, reproduction, or\ndistribution of Your modifications, or for any such Derivative Works as a whole,\nprovided Your use, reproduction, and distribution of the Work otherwise complies\nwith the conditions stated in this License.\n\n5. Submission of Contributions.\n\nUnless You explicitly state otherwise, any Contribution intentionally submitted\nfor inclusion in the Work by You to the Licensor shall be under the terms and\nconditions of this License, without any additional terms or conditions.\nNotwithstanding the above, nothing herein shall supersede or modify the terms of\nany separate license agreement you may have executed with Licensor regarding\nsuch Contributions.\n\n6. Trademarks.\n\nThis License does not grant permission to use the trade names, trademarks,\nservice marks, or product names of the Licensor, except as required for\nreasonable and customary use in describing the origin of the Work and\nreproducing the content of the NOTICE file.\n\n7. 
Disclaimer of Warranty.\n\nUnless required by applicable law or agreed to in writing, Licensor provides the\nWork (and each Contributor provides its Contributions) on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,\nincluding, without limitation, any warranties or conditions of TITLE,\nNON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are\nsolely responsible for determining the appropriateness of using or\nredistributing the Work and assume any risks associated with Your exercise of\npermissions under this License.\n\n8. Limitation of Liability.\n\nIn no event and under no legal theory, whether in tort (including negligence),\ncontract, or otherwise, unless required by applicable law (such as deliberate\nand grossly negligent acts) or agreed to in writing, shall any Contributor be\nliable to You for damages, including any direct, indirect, special, incidental,\nor consequential damages of any character arising as a result of this License or\nout of the use or inability to use the Work (including but not limited to\ndamages for loss of goodwill, work stoppage, computer failure or malfunction, or\nany and all other commercial damages or losses), even if such Contributor has\nbeen advised of the possibility of such damages.\n\n9. Accepting Warranty or Additional Liability.\n\nWhile redistributing the Work or Derivative Works thereof, You may choose to\noffer, and charge a fee for, acceptance of support, warranty, indemnity, or\nother liability obligations and/or rights consistent with this License. 
However,\nin accepting such obligations, You may act only on Your own behalf and on Your\nsole responsibility, not on behalf of any other Contributor, and only if You\nagree to indemnify, defend, and hold each Contributor harmless for any liability\nincurred by, or claims asserted against, such Contributor by reason of your\naccepting any such warranty or additional liability.\n\nEND OF TERMS AND CONDITIONS\n\nAPPENDIX: How to apply the Apache License to your work\n\nTo apply the Apache License to your work, attach the following boilerplate\nnotice, with the fields enclosed by brackets \"[]\" replaced with your own\nidentifying information. (Don't include the brackets!) The text should be\nenclosed in the appropriate comment syntax for the file format. We also\nrecommend that a file or class name and description of purpose be included on\nthe same \"printed page\" as the copyright notice for easier identification within\nthird-party archives.\n\n   Copyright 2014 Unknwon\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n     http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gopkg.in/yaml.v2/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gopkg.in/yaml.v2/NOTICE",
    "content": "Copyright 2011-2016 Canonical Ltd.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gopkg.in/yaml.v3/LICENSE",
    "content": "\nThis project is covered by two different licenses: MIT and Apache.\n\n#### MIT License ####\n\nThe following files were ported to Go from C files of libyaml, and thus\nare still covered by their original MIT license, with the additional\ncopyright staring in 2011 when the project was ported over:\n\n    apic.go emitterc.go parserc.go readerc.go scannerc.go\n    writerc.go yamlh.go yamlprivateh.go\n\nCopyright (c) 2006-2010 Kirill Simonov\nCopyright (c) 2006-2011 Kirill Simonov\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies\nof the Software, and to permit persons to whom the Software is furnished to do\nso, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n### Apache License ###\n\nAll the remaining project files are covered by the Apache license:\n\nCopyright (c) 2011-2019 Canonical Ltd\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/gopkg.in/yaml.v3/NOTICE",
    "content": "Copyright 2011-2016 Canonical Ltd.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/api/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/apiextensions-apiserver/pkg/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/apimachinery/pkg/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/apimachinery/third_party/forked/golang/LICENSE",
    "content": "Copyright (c) 2009 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/client-go/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/klog/v2/LICENSE",
    "content": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n1. Definitions.\n\n\"License\" shall mean the terms and conditions for use, reproduction, and\ndistribution as defined by Sections 1 through 9 of this document.\n\n\"Licensor\" shall mean the copyright owner or entity authorized by the copyright\nowner that is granting the License.\n\n\"Legal Entity\" shall mean the union of the acting entity and all other entities\nthat control, are controlled by, or are under common control with that entity.\nFor the purposes of this definition, \"control\" means (i) the power, direct or\nindirect, to cause the direction or management of such entity, whether by\ncontract or otherwise, or (ii) ownership of fifty percent (50%) or more of the\noutstanding shares, or (iii) beneficial ownership of such entity.\n\n\"You\" (or \"Your\") shall mean an individual or Legal Entity exercising\npermissions granted by this License.\n\n\"Source\" form shall mean the preferred form for making modifications, including\nbut not limited to software source code, documentation source, and configuration\nfiles.\n\n\"Object\" form shall mean any form resulting from mechanical transformation or\ntranslation of a Source form, including but not limited to compiled object code,\ngenerated documentation, and conversions to other media types.\n\n\"Work\" shall mean the work of authorship, whether in Source or Object form, made\navailable under the License, as indicated by a copyright notice that is included\nin or attached to the work (an example is provided in the Appendix below).\n\n\"Derivative Works\" shall mean any work, whether in Source or Object form, that\nis based on (or derived from) the Work and for which the editorial revisions,\nannotations, elaborations, or other modifications represent, as a whole, an\noriginal work of authorship. 
For the purposes of this License, Derivative Works\nshall not include works that remain separable from, or merely link (or bind by\nname) to the interfaces of, the Work and Derivative Works thereof.\n\n\"Contribution\" shall mean any work of authorship, including the original version\nof the Work and any modifications or additions to that Work or Derivative Works\nthereof, that is intentionally submitted to Licensor for inclusion in the Work\nby the copyright owner or by an individual or Legal Entity authorized to submit\non behalf of the copyright owner. For the purposes of this definition,\n\"submitted\" means any form of electronic, verbal, or written communication sent\nto the Licensor or its representatives, including but not limited to\ncommunication on electronic mailing lists, source code control systems, and\nissue tracking systems that are managed by, or on behalf of, the Licensor for\nthe purpose of discussing and improving the Work, but excluding communication\nthat is conspicuously marked or otherwise designated in writing by the copyright\nowner as \"Not a Contribution.\"\n\n\"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf\nof whom a Contribution has been received by Licensor and subsequently\nincorporated within the Work.\n\n2. Grant of Copyright License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable copyright license to reproduce, prepare Derivative Works of,\npublicly display, publicly perform, sublicense, and distribute the Work and such\nDerivative Works in Source or Object form.\n\n3. 
Grant of Patent License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable (except as stated in this section) patent license to make, have\nmade, use, offer to sell, sell, import, and otherwise transfer the Work, where\nsuch license applies only to those patent claims licensable by such Contributor\nthat are necessarily infringed by their Contribution(s) alone or by combination\nof their Contribution(s) with the Work to which such Contribution(s) was\nsubmitted. If You institute patent litigation against any entity (including a\ncross-claim or counterclaim in a lawsuit) alleging that the Work or a\nContribution incorporated within the Work constitutes direct or contributory\npatent infringement, then any patent licenses granted to You under this License\nfor that Work shall terminate as of the date such litigation is filed.\n\n4. Redistribution.\n\nYou may reproduce and distribute copies of the Work or Derivative Works thereof\nin any medium, with or without modifications, and in Source or Object form,\nprovided that You meet the following conditions:\n\nYou must give any other recipients of the Work or Derivative Works a copy of\nthis License; and\nYou must cause any modified files to carry prominent notices stating that You\nchanged the files; and\nYou must retain, in the Source form of any Derivative Works that You distribute,\nall copyright, patent, trademark, and attribution notices from the Source form\nof the Work, excluding those notices that do not pertain to any part of the\nDerivative Works; and\nIf the Work includes a \"NOTICE\" text file as part of its distribution, then any\nDerivative Works that You distribute must include a readable copy of the\nattribution notices contained within such NOTICE file, excluding those notices\nthat do not pertain to any part of the Derivative Works, in at least one of the\nfollowing places: within a 
NOTICE text file distributed as part of the\nDerivative Works; within the Source form or documentation, if provided along\nwith the Derivative Works; or, within a display generated by the Derivative\nWorks, if and wherever such third-party notices normally appear. The contents of\nthe NOTICE file are for informational purposes only and do not modify the\nLicense. You may add Your own attribution notices within Derivative Works that\nYou distribute, alongside or as an addendum to the NOTICE text from the Work,\nprovided that such additional attribution notices cannot be construed as\nmodifying the License.\nYou may add Your own copyright statement to Your modifications and may provide\nadditional or different license terms and conditions for use, reproduction, or\ndistribution of Your modifications, or for any such Derivative Works as a whole,\nprovided Your use, reproduction, and distribution of the Work otherwise complies\nwith the conditions stated in this License.\n\n5. Submission of Contributions.\n\nUnless You explicitly state otherwise, any Contribution intentionally submitted\nfor inclusion in the Work by You to the Licensor shall be under the terms and\nconditions of this License, without any additional terms or conditions.\nNotwithstanding the above, nothing herein shall supersede or modify the terms of\nany separate license agreement you may have executed with Licensor regarding\nsuch Contributions.\n\n6. Trademarks.\n\nThis License does not grant permission to use the trade names, trademarks,\nservice marks, or product names of the Licensor, except as required for\nreasonable and customary use in describing the origin of the Work and\nreproducing the content of the NOTICE file.\n\n7. 
Disclaimer of Warranty.\n\nUnless required by applicable law or agreed to in writing, Licensor provides the\nWork (and each Contributor provides its Contributions) on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,\nincluding, without limitation, any warranties or conditions of TITLE,\nNON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are\nsolely responsible for determining the appropriateness of using or\nredistributing the Work and assume any risks associated with Your exercise of\npermissions under this License.\n\n8. Limitation of Liability.\n\nIn no event and under no legal theory, whether in tort (including negligence),\ncontract, or otherwise, unless required by applicable law (such as deliberate\nand grossly negligent acts) or agreed to in writing, shall any Contributor be\nliable to You for damages, including any direct, indirect, special, incidental,\nor consequential damages of any character arising as a result of this License or\nout of the use or inability to use the Work (including but not limited to\ndamages for loss of goodwill, work stoppage, computer failure or malfunction, or\nany and all other commercial damages or losses), even if such Contributor has\nbeen advised of the possibility of such damages.\n\n9. Accepting Warranty or Additional Liability.\n\nWhile redistributing the Work or Derivative Works thereof, You may choose to\noffer, and charge a fee for, acceptance of support, warranty, indemnity, or\nother liability obligations and/or rights consistent with this License. 
However,\nin accepting such obligations, You may act only on Your own behalf and on Your\nsole responsibility, not on behalf of any other Contributor, and only if You\nagree to indemnify, defend, and hold each Contributor harmless for any liability\nincurred by, or claims asserted against, such Contributor by reason of your\naccepting any such warranty or additional liability.\n\nEND OF TERMS AND CONDITIONS\n\nAPPENDIX: How to apply the Apache License to your work\n\nTo apply the Apache License to your work, attach the following boilerplate\nnotice, with the fields enclosed by brackets \"[]\" replaced with your own\nidentifying information. (Don't include the brackets!) The text should be\nenclosed in the appropriate comment syntax for the file format. We also\nrecommend that a file or class name and description of purpose be included on\nthe same \"printed page\" as the copyright notice for easier identification within\nthird-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n     http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/kube-openapi/pkg/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/LICENSE",
    "content": "Copyright (c) 2020 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/kube-openapi/pkg/validation/spec/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/utils/LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/k8s.io/utils/internal/third_party/forked/golang/LICENSE",
    "content": "Copyright (c) 2012 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/knative.dev/hack/schema/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/knative.dev/pkg/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/sigs.k8s.io/json/LICENSE",
    "content": "Files other than internal/golang/* licensed under:\n\n\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" 
shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n\n\n------------------\n\ninternal/golang/* files licensed under:\n\n\nCopyright (c) 2009 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. 
nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/sigs.k8s.io/randfill/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright 2014 The gofuzz Authors\n   Copyright 2025 The Kubernetes Authors\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/sigs.k8s.io/randfill/NOTICE",
    "content": "When donating the randfill project to the CNCF, we could not reach all the\ngofuzz contributors to sign the CNCF CLA. As such, according to the CNCF rules\nto donate a repository, we must add a NOTICE referencing section 7 of the CLA\nwith a list of developers who could not be reached.\n\n`7. Should You wish to submit work that is not Your original creation, You may\nsubmit it to the Foundation separately from any Contribution, identifying the\ncomplete details of its source and of any license or other restriction\n(including, but not limited to, related patents, trademarks, and license\nagreements) of which you are personally aware, and conspicuously marking the\nwork as \"Submitted on behalf of a third-party: [named here]\".`\n\nSubmitted on behalf of a third-party: @dnephin (Daniel Nephin)\nSubmitted on behalf of a third-party: @AlekSi (Alexey Palazhchenko)\nSubmitted on behalf of a third-party: @bbigras (Bruno Bigras)\nSubmitted on behalf of a third-party: @samirkut (Samir)\nSubmitted on behalf of a third-party: @posener (Eyal Posener)\nSubmitted on behalf of a third-party: @Ashikpaul (Ashik Paul)\nSubmitted on behalf of a third-party: @kwongtailau (Kwongtai)\nSubmitted on behalf of a third-party: @ericcornelissen (Eric Cornelissen)\nSubmitted on behalf of a third-party: @eclipseo (Robert-André Mauchin)\nSubmitted on behalf of a third-party: @yanzhoupan (Andrew Pan)\nSubmitted on behalf of a third-party: @STRRL (Zhiqiang ZHOU)\nSubmitted on behalf of a third-party: @disconnect3d (Disconnect3d)\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/sigs.k8s.io/release-utils/version/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/sigs.k8s.io/structured-merge-diff/v6/LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "third_party/VENDOR-LICENSE/sigs.k8s.io/yaml/LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Sam Ghods\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n\nCopyright (c) 2012 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. 
nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n# The forked go-yaml.v3 library under this project is covered by two\ndifferent licenses (MIT and Apache):\n\n#### MIT License ####\n\nThe following files were ported to Go from C files of libyaml, and thus\nare still covered by their original MIT license, with the additional\ncopyright staring in 2011 when the project was ported over:\n\n    apic.go emitterc.go parserc.go readerc.go scannerc.go\n    writerc.go yamlh.go yamlprivateh.go\n\nCopyright (c) 2006-2010 Kirill Simonov\nCopyright (c) 2006-2011 Kirill Simonov\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies\nof the Software, and to permit persons to whom the Software is furnished to do\nso, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial 
portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n### Apache License ###\n\nAll the remaining project files are covered by the Apache license:\n\nCopyright (c) 2011-2019 Canonical Ltd\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\n# The forked go-yaml.v2 library under the project is covered by an\nApache license:\n\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. 
For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. 
For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  }
]