diff --git a/go.mod b/go.mod
index 1344d074a..b831fa9e8 100644
--- a/go.mod
+++ b/go.mod
@@ -178,7 +178,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.36.0 // indirect
 	golang.org/x/net v0.55.0 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sync v0.21.0 // indirect
 	golang.org/x/sys v0.46.0 // indirect
 	golang.org/x/term v0.44.0 // indirect
@@ -186,8 +186,8 @@ require (
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.45.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/grpc v1.79.3 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/grpc v1.81.1 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
index b18af8e7c..26be56a02 100644
--- a/go.sum
+++ b/go.sum
@@ -546,8 +546,8 @@ golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
 golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -630,12 +630,12 @@ gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk=
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
-google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4=
+google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
+google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
diff --git a/vendor/golang.org/x/oauth2/google/default.go b/vendor/golang.org/x/oauth2/google/default.go
index 0260935ba..6e5720699 100644
--- a/vendor/golang.org/x/oauth2/google/default.go
+++ b/vendor/golang.org/x/oauth2/google/default.go
@@ -153,6 +153,43 @@ func (params CredentialsParams) deepCopy() CredentialsParams {
 	return paramsCopy
 }
 
+// CredentialsType specifies the type of JSON credentials being provided
+// to a loading function.
+type CredentialsType string
+
+const (
+	// ServiceAccount represents a service account file type.
+	ServiceAccount CredentialsType = "service_account"
+	// AuthorizedUser represents a user credentials file type.
+	AuthorizedUser CredentialsType = "authorized_user"
+	// ExternalAccount represents an external account file type.
+	//
+	// IMPORTANT:
+	// This credential type does not validate the credential configuration. A security
+	// risk occurs when a credential configuration configured with malicious urls
+	// is used.
+	// You should validate credential configurations provided by untrusted sources.
+	// See [Security requirements when using credential configurations from an external
+	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+	// for more details.
+	ExternalAccount CredentialsType = "external_account"
+	// ExternalAccountAuthorizedUser represents an external account authorized user file type.
+	ExternalAccountAuthorizedUser CredentialsType = "external_account_authorized_user"
+	// ImpersonatedServiceAccount represents an impersonated service account file type.
+	//
+	// IMPORTANT:
+	// This credential type does not validate the credential configuration. A security
+	// risk occurs when a credential configuration configured with malicious urls
+	// is used.
+	// You should validate credential configurations provided by untrusted sources.
+	// See [Security requirements when using credential configurations from an external
+	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+	// for more details.
+	ImpersonatedServiceAccount CredentialsType = "impersonated_service_account"
+	// GDCHServiceAccount represents a GDCH service account credentials.
+	GDCHServiceAccount CredentialsType = "gdch_service_account"
+)
+
 // DefaultClient returns an HTTP Client that uses the
 // DefaultTokenSource to obtain authentication credentials.
 func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
@@ -246,17 +283,71 @@ func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials
 	return FindDefaultCredentialsWithParams(ctx, params)
 }
 
-// CredentialsFromJSONWithParams obtains Google credentials from a JSON value. The JSON can
-// represent either a Google Developers Console client_credentials.json file (as in ConfigFromJSON),
-// a Google Developers service account key file, a gcloud user credentials file (a.k.a. refresh
-// token JSON), or the JSON configuration file for workload identity federation in non-Google cloud
-// platforms (see https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation).
+// CredentialsFromJSONWithType invokes CredentialsFromJSONWithTypeAndParams with the specified scopes.
 //
 // Important: If you accept a credential configuration (credential JSON/File/Stream) from an
 // external source for authentication to Google Cloud Platform, you must validate it before
 // providing it to any Google API or library. Providing an unvalidated credential configuration to
 // Google APIs can compromise the security of your systems and data. For more information, refer to
 // [Validate credential configurations from external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+func CredentialsFromJSONWithType(ctx context.Context, jsonData []byte, credType CredentialsType, scopes ...string) (*Credentials, error) {
+	var params CredentialsParams
+	params.Scopes = scopes
+	return CredentialsFromJSONWithTypeAndParams(ctx, jsonData, credType, params)
+}
+
+// CredentialsFromJSONWithTypeAndParams obtains Google credentials from a JSON value and
+// validates that the credentials match the specified type.
+//
+// Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+// external source for authentication to Google Cloud Platform, you must validate it before
+// providing it to any Google API or library. Providing an unvalidated credential configuration to
+// Google APIs can compromise the security of your systems and data. For more information, refer to
+// [Validate credential configurations from external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+func CredentialsFromJSONWithTypeAndParams(ctx context.Context, jsonData []byte, credType CredentialsType, params CredentialsParams) (*Credentials, error) {
+	var f struct {
+		Type string `json:"type"`
+	}
+	if err := json.Unmarshal(jsonData, &f); err != nil {
+		return nil, err
+	}
+	if CredentialsType(f.Type) != credType {
+		return nil, fmt.Errorf("google: expected credential type %q, found %q", credType, f.Type)
+	}
+	return CredentialsFromJSONWithParams(ctx, jsonData, params)
+}
+
+// CredentialsFromJSONWithParams obtains Google credentials from a JSON value. The JSON can
+// represent either a Google Developers Console client_credentials.json file (as in ConfigFromJSON),
+// a Google Developers service account key file, a gcloud user credentials file (a.k.a. refresh
+// token JSON), or the JSON configuration file for workload identity federation in non-Google cloud
+// platforms (see https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation).
+//
+// Deprecated: This function is deprecated because of a potential security risk.
+// It does not validate the credential configuration. The security risk occurs
+// when a credential configuration is accepted from a source that is not
+// under your control and used without validation on your side.
+//
+// If you know that you will be loading credential configurations of a
+// specific type, it is recommended to use a credential-type-specific
+// CredentialsFromJSONWithTypeAndParams method. This will ensure that an unexpected
+// credential type with potential for malicious intent is not loaded
+// unintentionally. You might still have to do validation for certain
+// credential types. Please follow the recommendation for that method. For
+// example, if you want to load only service accounts, you can use
+//
+//	creds, err := google.CredentialsFromJSONWithTypeAndParams(ctx, jsonData, google.ServiceAccount, params)
+//
+// If you are loading your credential configuration from an untrusted source
+// and have not mitigated the risks (e.g. by validating the configuration
+// yourself), make these changes as soon as possible to prevent security
+// risks to your environment.
+//
+// Regardless of the method used, it is always your responsibility to
+// validate configurations received from external sources.
+//
+// For more details see:
+// https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
 func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params CredentialsParams) (*Credentials, error) {
 	// Make defensive copy of the slices in params.
 	params = params.deepCopy()
@@ -301,11 +392,31 @@ func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params
 
 // CredentialsFromJSON invokes CredentialsFromJSONWithParams with the specified scopes.
 //
-// Important: If you accept a credential configuration (credential JSON/File/Stream) from an
-// external source for authentication to Google Cloud Platform, you must validate it before
-// providing it to any Google API or library. Providing an unvalidated credential configuration to
-// Google APIs can compromise the security of your systems and data. For more information, refer to
-// [Validate credential configurations from external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+// Deprecated: This function is deprecated because of a potential security risk.
+// It does not validate the credential configuration. The security risk occurs
+// when a credential configuration is accepted from a source that is not
+// under your control and used without validation on your side.
+//
+// If you know that you will be loading credential configurations of a
+// specific type, it is recommended to use a credential-type-specific
+// CredentialsFromJSONWithType method. This will ensure that an unexpected
+// credential type with potential for malicious intent is not loaded
+// unintentionally. You might still have to do validation for certain
+// credential types. Please follow the recommendation for that method. For
+// example, if you want to load only service accounts, you can use
+//
+//	creds, err := google.CredentialsFromJSONWithType(ctx, jsonData, google.ServiceAccount, scopes...)
+//
+// If you are loading your credential configuration from an untrusted source
+// and have not mitigated the risks (e.g. by validating the configuration
+// yourself), make these changes as soon as possible to prevent security
+// risks to your environment.
+//
+// Regardless of the method used, it is always your responsibility to
+// validate configurations received from external sources.
+//
+// For more details see:
+// https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
 func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) {
 	var params CredentialsParams
 	params.Scopes = scopes
diff --git a/vendor/golang.org/x/oauth2/google/google.go b/vendor/golang.org/x/oauth2/google/google.go
index 7d1fdd31d..14c98eb69 100644
--- a/vendor/golang.org/x/oauth2/google/google.go
+++ b/vendor/golang.org/x/oauth2/google/google.go
@@ -103,6 +103,7 @@ const (
 	externalAccountKey = "external_account"
 	externalAccountAuthorizedUserKey = "external_account_authorized_user"
 	impersonatedServiceAccount = "impersonated_service_account"
+	gdchServiceAccountKey = "gdch_service_account"
 )
 
 // credentialsFile is the unmarshalled representation of a credentials file.
@@ -165,7 +166,7 @@ func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config
 
 func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsParams) (oauth2.TokenSource, error) {
 	switch f.Type {
-	case serviceAccountKey:
+	case serviceAccountKey, gdchServiceAccountKey:
 		cfg := f.jwtConfig(params.Scopes, params.Subject)
 		return cfg.TokenSource(ctx), nil
 	case userCredentialsKey:
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b07434453..7cdba7247 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -888,8 +888,8 @@ golang.org/x/net/internal/httpsfv
 golang.org/x/net/internal/socks
 golang.org/x/net/proxy
 golang.org/x/net/websocket
-# golang.org/x/oauth2 v0.34.0
-## explicit; go 1.24.0
+# golang.org/x/oauth2 v0.36.0
+## explicit; go 1.25.0
 golang.org/x/oauth2
 golang.org/x/oauth2/authhandler
 golang.org/x/oauth2/google
@@ -974,11 +974,11 @@ golang.org/x/tools/internal/versions
 # gomodules.xyz/jsonpatch/v2 v2.4.0
 ## explicit; go 1.20
 gomodules.xyz/jsonpatch/v2
-# google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217
-## explicit; go 1.24.0
+# google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171
+## explicit; go 1.25.0
 google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.79.3
-## explicit; go 1.24.0
+# google.golang.org/grpc v1.81.1
+## explicit; go 1.25.0
 google.golang.org/grpc/codes
 google.golang.org/grpc/connectivity
 google.golang.org/grpc/grpclog