build(deps): bump github.com/jellydator/ttlcache/v2 from 2.11.1 to 3.…

…0.1 (#1099)

* build(deps): bump github.com/jellydator/ttlcache/v2 from 2.11.1 to 3.0.1

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

* Ignore a linting false-positive

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

* actually fix the linter error

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

---------

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Co-authored-by: Reinhard Tartler <siretart@tauware.de>

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/google/go-cmp v0.5.9
 	github.com/google/go-containerregistry v0.14.0
 	github.com/hashicorp/vault/api v1.9.1
-	github.com/jellydator/ttlcache/v2 v2.11.1
+	github.com/jellydator/ttlcache/v3 v3.0.1
 	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8

go.sum

@@ -200,8 +200,8 @@ github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXp
 github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/jellydator/ttlcache/v2 v2.11.1 h1:AZGME43Eh2Vv3giG6GeqeLeFXxwxn1/qHItqWZl6U64=
-github.com/jellydator/ttlcache/v2 v2.11.1/go.mod h1:RtE5Snf0/57e+2cLWFYWCCsLas2Hy3c5Z4n14XmSvTI=
+github.com/jellydator/ttlcache/v3 v3.0.1 h1:cHgCSMS7TdQcoprXnWUptJZzyFsqs18Lt8VVhRuZYVU=
+github.com/jellydator/ttlcache/v3 v3.0.1/go.mod h1:WwTaEmcXQ3MTjOm4bsZoDFiCu/hMvNWLO1w67RXz6h4=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -276,7 +276,6 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -310,7 +309,6 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
-go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -324,10 +322,7 @@ golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 h1:2M3HP5CCK1Si9FQhwnzYhXdG6DXeebvUHFpre8QvbyI=
-golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -422,11 +417,8 @@ golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210112230658-8b4aab62c064/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

pkg/oauth/oidc/interactive_e2e_test.go

@@ -50,7 +50,7 @@ func identityFromClaims(c claims) (string, error) {
 	return c.Subject, nil
 }
 
-// identityFromIDToken extracts the email or subject claim from an `IDToken``
+// identityFromIDToken extracts the email or subject claim from an `IDToken“
 func identityFromIDToken(tok *IDToken) (string, error) {
 	claims := claims{}
 	oidcTok := tok.IDToken

pkg/signature/kms/aws/client.go

@@ -35,7 +35,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/aws/aws-sdk-go-v2/service/kms/types"
-	"github.com/jellydator/ttlcache/v2"
+	"github.com/jellydator/ttlcache/v3"
 	"github.com/sigstore/sigstore/pkg/signature"
 	sigkms "github.com/sigstore/sigstore/pkg/signature/kms"
 )
@@ -57,7 +57,7 @@ type awsClient struct {
 	endpoint string
 	keyID    string
 	alias    string
-	keyCache *ttlcache.Cache
+	keyCache *ttlcache.Cache[string, cmk]
 }
 
 var (
@@ -125,9 +125,10 @@ func newAWSClient(ctx context.Context, keyResourceID string, opts ...func(*confi
 		return nil, err
 	}
 
-	a.keyCache = ttlcache.NewCache()
-	a.keyCache.SetLoaderFunction(a.keyCacheLoaderFunction)
-	a.keyCache.SkipTTLExtensionOnHit(true)
+	a.keyCache = ttlcache.New[string, cmk](
+		ttlcache.WithDisableTouchOnHit[string, cmk](),
+	)
+
 	return a, nil
 }
 
@@ -201,18 +202,6 @@ func (c *cmk) Verifier() (signature.Verifier, error) {
 	}
 }
 
-func (a *awsClient) keyCacheLoaderFunction(key string) (cmk interface{}, ttl time.Duration, err error) {
-	return a.keyCacheLoaderFunctionWithContext(context.Background())(key)
-}
-
-func (a *awsClient) keyCacheLoaderFunctionWithContext(ctx context.Context) ttlcache.LoaderFunction {
-	return func(key string) (cmk interface{}, ttl time.Duration, err error) {
-		cmk, err = a.fetchCMK(ctx)
-		ttl = time.Second * 300
-		return
-	}
-}
-
 func (a *awsClient) fetchCMK(ctx context.Context) (*cmk, error) {
 	var err error
 	cmk := &cmk{}
@@ -236,15 +225,24 @@ func (a *awsClient) getHashFunc(ctx context.Context) (crypto.Hash, error) {
 }
 
 func (a *awsClient) getCMK(ctx context.Context) (*cmk, error) {
-	c, err := a.keyCache.GetByLoader(cacheKey, a.keyCacheLoaderFunctionWithContext(ctx))
-	if err != nil {
-		return nil, err
-	}
-	cmk, ok := c.(*cmk)
-	if !ok {
-		return nil, fmt.Errorf("could not parse cache value as cmk")
+	var lerr error
+	loader := ttlcache.LoaderFunc[string, cmk](
+		func(c *ttlcache.Cache[string, cmk], key string) *ttlcache.Item[string, cmk] {
+			var k *cmk
+			k, lerr = a.fetchCMK(ctx)
+			if lerr == nil {
+				return c.Set(cacheKey, *k, time.Second*300)
+			}
+			return nil
+		},
+	)
+
+	item := a.keyCache.Get(cacheKey, ttlcache.WithLoader[string, cmk](loader))
+	if lerr == nil {
+		cmk := item.Value()
+		return &cmk, nil
 	}
-	return cmk, nil
+	return nil, lerr
 }
 
 func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.PublicKey, error) {
@@ -253,8 +251,9 @@ func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.Pub
 	}
 
 	// look for existing key first
-	out, err := a.public(ctx)
+	cmk, err := a.getCMK(ctx)
 	if err == nil {
+		out := cmk.PublicKey
 		return out, nil
 	}
 
@@ -283,7 +282,12 @@ func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.Pub
 		return nil, fmt.Errorf("creating alias %q: %w", a.alias, err)
 	}
 
-	return a.public(ctx)
+	cmk, err = a.getCMK(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("retrieving PublicKey from cache: %w", err)
+	}
+
+	return cmk.PublicKey, err
 }
 
 func (a *awsClient) verify(ctx context.Context, sig, message io.Reader, opts ...signature.VerifyOption) error {
@@ -317,18 +321,6 @@ func (a *awsClient) verifyRemotely(ctx context.Context, sig, digest []byte) erro
 	return nil
 }
 
-func (a *awsClient) public(ctx context.Context) (crypto.PublicKey, error) {
-	key, err := a.keyCache.GetByLoader(cacheKey, a.keyCacheLoaderFunctionWithContext(ctx))
-	if err != nil {
-		return nil, err
-	}
-	cmk, ok := key.(*cmk)
-	if !ok {
-		return nil, fmt.Errorf("could not parse key as cmk")
-	}
-	return cmk.PublicKey, nil
-}
-
 func (a *awsClient) sign(ctx context.Context, digest []byte, _ crypto.Hash) ([]byte, error) {
 	cmk, err := a.getCMK(ctx)
 	if err != nil {

pkg/signature/kms/aws/e2e_test.go

@@ -139,7 +139,7 @@ func (suite *AWSSuite) TestSHA384() {
 	require.NotNil(suite.T(), key)
 
 	pubKey, ok := k.(*ecdsa.PublicKey)
-	require.True(suite.T(), ok)
+	require.True(suite.T(), ok, fmt.Sprintf("expected type ecdsa, got type %T", k))
 
 	verifier, _ := signature.LoadECDSAVerifier(pubKey, crypto.SHA384)
 	err = verifier.VerifySignature(bytes.NewReader(sig), bytes.NewReader(data))
@@ -163,7 +163,7 @@ func (suite *AWSSuite) TestPublicKey() {
 	require.NotNil(suite.T(), key)
 
 	pubKey, ok := k.(*ecdsa.PublicKey)
-	require.True(suite.T(), ok)
+	require.True(suite.T(), ok, fmt.Sprintf("expected type ecdsa, got: %T", k))
 
 	verifier, _ := signature.LoadECDSAVerifier(pubKey, crypto.SHA256)
 	err = verifier.VerifySignature(bytes.NewReader(sig), bytes.NewReader(data))

pkg/signature/kms/aws/signer.go

@@ -117,7 +117,11 @@ func (a *SignerVerifier) PublicKey(opts ...signature.PublicKeyOption) (crypto.Pu
 		opt.ApplyContext(&ctx)
 	}
 
-	return a.client.public(ctx)
+	cmk, err := a.client.getCMK(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return cmk.PublicKey, nil
 }
 
 // VerifySignature verifies the signature for the given message. Unless provided

pkg/signature/kms/azure/client.go

@@ -30,7 +30,7 @@ import (
 	"time"
 
 	"github.com/go-jose/go-jose/v3"
-	"github.com/jellydator/ttlcache/v2"
+	"github.com/jellydator/ttlcache/v3"
 
 	kvauth "github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
@@ -55,7 +55,7 @@ type kvClient interface {
 
 type azureVaultClient struct {
 	client    kvClient
-	keyCache  *ttlcache.Cache
+	keyCache  *ttlcache.Cache[string, crypto.PublicKey]
 	vaultURL  string
 	vaultName string
 	keyName   string
@@ -112,12 +112,11 @@ func newAzureKMS(_ context.Context, keyResourceID string) (*azureVaultClient, er
 		vaultURL:  vaultURL,
 		vaultName: vaultName,
 		keyName:   keyName,
-		keyCache:  ttlcache.NewCache(),
+		keyCache: ttlcache.New[string, crypto.PublicKey](
+			ttlcache.WithDisableTouchOnHit[string, crypto.PublicKey](),
+		),
 	}
 
-	azClient.keyCache.SetLoaderFunction(azClient.keyCacheLoaderFunction)
-	azClient.keyCache.SkipTTLExtensionOnHit(true)
-
 	return azClient, nil
 }
 
@@ -202,20 +201,6 @@ func getKeysClient() (keyvault.BaseClient, error) {
 	return keyClient, nil
 }
 
-func (a *azureVaultClient) keyCacheLoaderFunction(_ string) (data interface{}, ttl time.Duration, err error) {
-	ttl = time.Second * 300
-	var pubKey crypto.PublicKey
-
-	pubKey, err = a.fetchPublicKey(context.Background())
-	if err != nil {
-		data = nil
-		return
-	}
-
-	data = pubKey
-	return data, ttl, err
-}
-
 func (a *azureVaultClient) fetchPublicKey(ctx context.Context) (crypto.PublicKey, error) {
 	keyBundle, err := a.getKey(ctx)
 	if err != nil {
@@ -268,14 +253,30 @@ func (a *azureVaultClient) getKey(ctx context.Context) (keyvault.KeyBundle, erro
 	return key, err
 }
 
-func (a *azureVaultClient) public() (crypto.PublicKey, error) {
-	return a.keyCache.Get(cacheKey)
+func (a *azureVaultClient) public(ctx context.Context) (crypto.PublicKey, error) {
+	var lerr error
+	loader := ttlcache.LoaderFunc[string, crypto.PublicKey](
+		func(c *ttlcache.Cache[string, crypto.PublicKey], key string) *ttlcache.Item[string, crypto.PublicKey] {
+			ttl := 300 * time.Second
+			var pubKey crypto.PublicKey
+			pubKey, lerr = a.fetchPublicKey(ctx)
+			if lerr == nil {
+				return c.Set(cacheKey, pubKey, ttl)
+			}
+			return nil
+		},
+	)
+	item := a.keyCache.Get(cacheKey, ttlcache.WithLoader[string, crypto.PublicKey](loader))
+	if lerr != nil {
+		return nil, lerr
+	}
+	return item.Value(), nil
 }
 
 func (a *azureVaultClient) createKey(ctx context.Context) (crypto.PublicKey, error) {
 	_, err := a.getKey(ctx)
 	if err == nil {
-		return a.public()
+		return a.public(ctx)
 	}
 
 	_, err = a.client.CreateKey(
@@ -300,7 +301,7 @@ func (a *azureVaultClient) createKey(ctx context.Context) (crypto.PublicKey, err
 		return nil, err
 	}
 
-	return a.public()
+	return a.public(ctx)
 }
 
 func getKeyVaultSignatureAlgo(algo crypto.Hash) (keyvault.JSONWebKeySignatureAlgorithm, error) {

pkg/signature/kms/azure/signer.go

@@ -182,7 +182,7 @@ func (a *SignerVerifier) VerifySignature(sig, message io.Reader, opts ...signatu
 // PublicKey returns the public key that can be used to verify signatures created by
 // this signer. All options provided in arguments to this method are ignored.
 func (a *SignerVerifier) PublicKey(_ ...signature.PublicKeyOption) (crypto.PublicKey, error) {
-	return a.client.public()
+	return a.client.public(context.Background())
 }
 
 // CreateKey attempts to create a new key in Vault with the specified algorithm.