Merge pull request #1853 from smallstep/dependabot/go_modules/google.…

…golang.org/grpc-1.64.0

Bump google.golang.org/grpc from 1.63.2 to 1.64.0

authority/linkedca.go

@@ -110,7 +110,7 @@ func newLinkedCAClient(token string) (*linkedCaClient, error) {
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
 
 	// Start mTLS client
-	conn, err := grpc.Dial(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
+	conn, err := grpc.NewClient(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error connecting %s", u.Host)
 	}
@@ -478,18 +478,15 @@ func getAuthority(sans []string) (string, error) {
 // getRootCertificate creates an insecure majordomo client and returns the
 // verified root certificate.
 func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+	conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		//nolint:gosec // used in bootstrap protocol
 		InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
 	})))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error connecting %s", endpoint)
 	}
 
-	ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
 	client := linkedca.NewMajordomoClient(conn)
@@ -531,11 +528,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
 // login creates a new majordomo client with just the root ca pool and returns
 // the signed certificate and tls configuration.
 func login(authority, token string, csr *x509.CertificateRequest, signer crypto.PrivateKey, endpoint string, rootCAs *x509.CertPool) (*tls.Certificate, *tls.Config, error) {
-	// Connect to majordomo
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+	conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		MinVersion: tls.VersionTLS12,
 		RootCAs:    rootCAs,
 	})))
@@ -544,7 +537,7 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto.
 	}
 
 	// Login to get the signed certificate
-	ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
 	client := linkedca.NewMajordomoClient(conn)

authority/provisioner/claims.go

@@ -234,24 +234,24 @@ func (c *Claimer) IsSSHCAEnabled() bool {
 // Validate validates and modifies the Claims with default values.
 func (c *Claimer) Validate() error {
 	var (
-		min = c.MinTLSCertDuration()
-		max = c.MaxTLSCertDuration()
-		def = c.DefaultTLSCertDuration()
+		minDur = c.MinTLSCertDuration()
+		maxDur = c.MaxTLSCertDuration()
+		defDur = c.DefaultTLSCertDuration()
 	)
 	switch {
-	case min <= 0:
+	case minDur <= 0:
 		return errors.Errorf("claims: MinTLSCertDuration must be greater than 0")
-	case max <= 0:
+	case maxDur <= 0:
 		return errors.Errorf("claims: MaxTLSCertDuration must be greater than 0")
-	case def <= 0:
+	case defDur <= 0:
 		return errors.Errorf("claims: DefaultTLSCertDuration must be greater than 0")
-	case max < min:
+	case maxDur < minDur:
 		return errors.Errorf("claims: MaxCertDuration cannot be less "+
-			"than MinCertDuration: MaxCertDuration - %v, MinCertDuration - %v", max, min)
-	case def < min:
-		return errors.Errorf("claims: DefaultCertDuration cannot be less than MinCertDuration: DefaultCertDuration - %v, MinCertDuration - %v", def, min)
-	case max < def:
-		return errors.Errorf("claims: MaxCertDuration cannot be less than DefaultCertDuration: MaxCertDuration - %v, DefaultCertDuration - %v", max, def)
+			"than MinCertDuration: MaxCertDuration - %v, MinCertDuration - %v", maxDur, minDur)
+	case defDur < minDur:
+		return errors.Errorf("claims: DefaultCertDuration cannot be less than MinCertDuration: DefaultCertDuration - %v, MinCertDuration - %v", defDur, minDur)
+	case maxDur < defDur:
+		return errors.Errorf("claims: MaxCertDuration cannot be less than DefaultCertDuration: MaxCertDuration - %v, DefaultCertDuration - %v", maxDur, defDur)
 	default:
 		return nil
 	}

authority/provisioner/sign_options.go

@@ -369,8 +369,8 @@ type validityValidator struct {
 }
 
 // newValidityValidator return a new validity validator.
-func newValidityValidator(min, max time.Duration) *validityValidator {
-	return &validityValidator{min: min, max: max}
+func newValidityValidator(minDur, maxDur time.Duration) *validityValidator {
+	return &validityValidator{min: minDur, max: maxDur}
 }
 
 // Valid validates the certificate validity settings (notBefore/notAfter) and

authority/provisioner/sign_ssh_options.go

@@ -276,14 +276,14 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
 		return errs.BadRequest("ssh certificate validBefore cannot be before validAfter")
 	}
 
-	var min, max time.Duration
+	var minDur, maxDur time.Duration
 	switch cert.CertType {
 	case ssh.UserCert:
-		min = v.MinUserSSHCertDuration()
-		max = v.MaxUserSSHCertDuration()
+		minDur = v.MinUserSSHCertDuration()
+		maxDur = v.MaxUserSSHCertDuration()
 	case ssh.HostCert:
-		min = v.MinHostSSHCertDuration()
-		max = v.MaxHostSSHCertDuration()
+		minDur = v.MinHostSSHCertDuration()
+		maxDur = v.MaxHostSSHCertDuration()
 	case 0:
 		return errs.BadRequest("ssh certificate type has not been set")
 	default:
@@ -295,10 +295,10 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
 	dur := time.Duration(cert.ValidBefore-cert.ValidAfter) * time.Second
 
 	switch {
-	case dur < min:
-		return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
-	case dur > max+opts.Backdate:
-		return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
+	case dur < minDur:
+		return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, minDur)
+	case dur > maxDur+opts.Backdate:
+		return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, maxDur+opts.Backdate)
 	default:
 		return nil
 	}

authority/provisioners.go

@@ -426,25 +426,25 @@ func ValidateClaims(c *linkedca.Claims) error {
 // ValidateDurations validates the Durations type.
 func ValidateDurations(d *linkedca.Durations) error {
 	var (
-		err           error
-		min, max, def *provisioner.Duration
+		err                 error
+		minDur, maxDur, def *provisioner.Duration
 	)
 
 	if d.Min != "" {
-		min, err = provisioner.NewDuration(d.Min)
+		minDur, err = provisioner.NewDuration(d.Min)
 		if err != nil {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' is invalid", d.Min)
 		}
-		if min.Value() < 0 {
+		if minDur.Value() < 0 {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' cannot be less than 0", d.Min)
 		}
 	}
 	if d.Max != "" {
-		max, err = provisioner.NewDuration(d.Max)
+		maxDur, err = provisioner.NewDuration(d.Max)
 		if err != nil {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' is invalid", d.Max)
 		}
-		if max.Value() < 0 {
+		if maxDur.Value() < 0 {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' cannot be less than 0", d.Max)
 		}
 	}
@@ -457,15 +457,15 @@ func ValidateDurations(d *linkedca.Durations) error {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "default duration '%s' cannot be less than 0", d.Default)
 		}
 	}
-	if d.Min != "" && d.Max != "" && min.Value() > max.Value() {
+	if d.Min != "" && d.Max != "" && minDur.Value() > maxDur.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"min duration '%s' cannot be greater than max duration '%s'", d.Min, d.Max)
 	}
-	if d.Min != "" && d.Default != "" && min.Value() > def.Value() {
+	if d.Min != "" && d.Default != "" && minDur.Value() > def.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"min duration '%s' cannot be greater than default duration '%s'", d.Min, d.Default)
 	}
-	if d.Default != "" && d.Max != "" && min.Value() > def.Value() {
+	if d.Default != "" && d.Max != "" && minDur.Value() > def.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"default duration '%s' cannot be greater than max duration '%s'", d.Default, d.Max)
 	}
@@ -608,15 +608,15 @@ func provisionerWebhookToLinkedca(pwh *provisioner.Webhook) *linkedca.Webhook {
 	return lwh
 }
 
-func durationsToCertificates(d *linkedca.Durations) (min, max, def *provisioner.Duration, err error) {
+func durationsToCertificates(d *linkedca.Durations) (minDur, maxDur, def *provisioner.Duration, err error) {
 	if d.Min != "" {
-		min, err = provisioner.NewDuration(d.Min)
+		minDur, err = provisioner.NewDuration(d.Min)
 		if err != nil {
 			return nil, nil, nil, admin.WrapErrorISE(err, "error parsing minimum duration '%s'", d.Min)
 		}
 	}
 	if d.Max != "" {
-		max, err = provisioner.NewDuration(d.Max)
+		maxDur, err = provisioner.NewDuration(d.Max)
 		if err != nil {
 			return nil, nil, nil, admin.WrapErrorISE(err, "error parsing maximum duration '%s'", d.Max)
 		}

cas/cloudcas/cloudcas_test.go

@@ -248,6 +248,7 @@ func mustParseECKey(t *testing.T, pemKey string) *ecdsa.PrivateKey {
 	block, _ := pem.Decode([]byte(pemKey))
 	if block == nil {
 		t.Fatal("failed to parse key")
+		return nil
 	}
 	key, err := x509.ParseECPrivateKey(block.Bytes)
 	if err != nil {
@@ -882,7 +883,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
 	defer srv.Stop()
 
 	// Create fake privateca client
-	conn, err := grpc.DialContext(context.Background(), "", grpc.WithTransportCredentials(insecure.NewCredentials()),
+	conn, err := grpc.NewClient("localhost", grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) {
 			return lis.Dial()
 		}))

go.mod

@@ -39,7 +39,7 @@ require (
 	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81
 	golang.org/x/net v0.25.0
 	google.golang.org/api v0.181.0
-	google.golang.org/grpc v1.63.2
+	google.golang.org/grpc v1.64.0
 	google.golang.org/protobuf v1.34.1
 )
 

go.sum

@@ -681,8 +681,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
-google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
+google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=