upgrade to golang-lru v2

authorize/evaluator/functions.go

@@ -6,12 +6,12 @@ import (
 	"encoding/pem"
 	"fmt"
 
-	lru "github.com/hashicorp/golang-lru"
+	lru "github.com/hashicorp/golang-lru/v2"
 
 	"github.com/pomerium/pomerium/internal/log"
 )
 
-var isValidClientCertificateCache, _ = lru.New2Q(100)
+var isValidClientCertificateCache, _ = lru.New2Q[[2]string, bool](100)
 
 func isValidClientCertificate(ca, cert string) (bool, error) {
 	// when ca is the empty string, client certificates are always accepted
@@ -28,7 +28,7 @@ func isValidClientCertificate(ca, cert string) (bool, error) {
 
 	value, ok := isValidClientCertificateCache.Get(cacheKey)
 	if ok {
-		return value.(bool), nil
+		return value, nil
 	}
 
 	roots := x509.NewCertPool()

go.mod

@@ -33,7 +33,7 @@ require (
 	github.com/gorilla/websocket v1.5.0
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/golang-lru v0.5.4
+	github.com/hashicorp/golang-lru/v2 v2.0.1
 	github.com/jackc/pgconn v1.13.0
 	github.com/jackc/pgtype v1.12.0
 	github.com/jackc/pgx/v4 v4.17.2

go.sum

@@ -524,8 +524,8 @@ github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mO
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
-github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/hashicorp/golang-lru/v2 v2.0.1 h1:5pv5N1lT1fjLg2VQ5KWc7kmucp2x/kvFOnxuVTqZ6x4=
+github.com/hashicorp/golang-lru/v2 v2.0.1/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=

internal/autocert/ocsp.go

@@ -3,15 +3,15 @@ package autocert
 import (
 	"bytes"
 
-	lru "github.com/hashicorp/golang-lru"
+	lru "github.com/hashicorp/golang-lru/v2"
 )
 
 type ocspCache struct {
-	*lru.Cache
+	*lru.Cache[string, []byte]
 }
 
 func newOCSPCache(size int) (*ocspCache, error) {
-	c, err := lru.New(size)
+	c, err := lru.New[string, []byte](size)
 	if err != nil {
 		return nil, err
 	}
@@ -25,7 +25,7 @@ func (c ocspCache) updated(key string, ocspResp []byte) bool {
 		_ = c.Add(key, ocspResp)
 		return false // to avoid triggering reload first time we see this response
 	}
-	if bytes.Equal(current.([]byte), ocspResp) {
+	if bytes.Equal(current, ocspResp) {
 		return false
 	}
 	_ = c.Add(key, ocspResp)

internal/controlplane/xdsmgr/xdsmgr.go

@@ -10,7 +10,7 @@ import (
 
 	envoy_service_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
 	"github.com/google/uuid"
-	lru "github.com/hashicorp/golang-lru"
+	lru "github.com/hashicorp/golang-lru/v2"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -42,7 +42,7 @@ type Manager struct {
 	nonce     string
 	resources map[string][]*envoy_service_discovery_v3.Resource
 
-	nonceToConfig *lru.Cache
+	nonceToConfig *lru.Cache[string, uint64]
 
 	hostname string
 
@@ -51,7 +51,7 @@ type Manager struct {
 
 // NewManager creates a new Manager.
 func NewManager(resources map[string][]*envoy_service_discovery_v3.Resource, evt *events.Manager) *Manager {
-	nonceToConfig, _ := lru.New(maxNonceCacheSize) // the only error they return is when size is negative, which never happens
+	nonceToConfig, _ := lru.New[string, uint64](maxNonceCacheSize) // the only error they return is when size is negative, which never happens
 
 	return &Manager{
 		signal: signal.New(),
@@ -256,19 +256,16 @@ func (mgr *Manager) Update(ctx context.Context, resources map[string][]*envoy_se
 	mgr.mu.Lock()
 	mgr.nonce = nonce
 	mgr.resources = resources
-	mgr.nonceToConfig.Add(nonce, ctx.Value(contextkeys.UpdateRecordsVersion))
+	v, _ := ctx.Value(contextkeys.UpdateRecordsVersion).(uint64)
+	mgr.nonceToConfig.Add(nonce, v)
 	mgr.mu.Unlock()
 
 	mgr.signal.Broadcast(ctx)
 }
 
 func (mgr *Manager) nonceToConfigVersion(nonce string) (ver uint64) {
-	val, ok := mgr.nonceToConfig.Get(nonce)
-	if !ok {
-		return 0
-	}
-	ver, _ = val.(uint64)
-	return ver
+	v, _ := mgr.nonceToConfig.Get(nonce)
+	return v
 }
 
 func (mgr *Manager) nackEvent(ctx context.Context, req *envoy_service_discovery_v3.DeltaDiscoveryRequest) {

pkg/cryptutil/dek.go

@@ -5,7 +5,7 @@ import (
 	"encoding/base64"
 	"fmt"
 
-	lru "github.com/hashicorp/golang-lru"
+	lru "github.com/hashicorp/golang-lru/v2"
 	"golang.org/x/crypto/chacha20poly1305"
 )
 
@@ -83,22 +83,18 @@ func (dek *DataEncryptionKey) KeyBytes() []byte {
 // Internally an LRU cache is used and the encrypted DEK bytes are converted to strings
 // to allow usage as hash map keys.
 type DataEncryptionKeyCache struct {
-	lru *lru.Cache
+	lru *lru.Cache[string, *DataEncryptionKey]
 }
 
 // NewDataEncryptionKeyCache creates a new DataEncryptionKeyCache.
 func NewDataEncryptionKeyCache() *DataEncryptionKeyCache {
-	c, _ := lru.New(DataEncryptionKeyCacheSize) // only errors if size <= 0
+	c, _ := lru.New[string, *DataEncryptionKey](DataEncryptionKeyCacheSize) // only errors if size <= 0
 	return &DataEncryptionKeyCache{lru: c}
 }
 
 // Get returns a data encryption key if available.
 func (cache *DataEncryptionKeyCache) Get(encryptedDEK []byte) (*DataEncryptionKey, bool) {
-	obj, ok := cache.lru.Get(string(encryptedDEK))
-	if ok {
-		return obj.(*DataEncryptionKey), true
-	}
-	return nil, false
+	return cache.lru.Get(string(encryptedDEK))
 }
 
 // Put stores a data encryption key by its encrypted representation.