diff --git a/go.mod b/go.mod
index ccac7752ca..b8407f362a 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/spf13/cobra v1.8.0
 github.com/spf13/viper v1.17.0
 github.com/stretchr/testify v1.8.4
- github.com/tektoncd/pipeline v0.53.2
+ github.com/tektoncd/pipeline v0.54.0
 github.com/tektoncd/plumbing v0.0.0-20231109154454-9ef46b417293
 github.com/tektoncd/triggers v0.25.3
 go.opencensus.io v0.24.0
@@ -29,7 +29,7 @@ require (
 gotest.tools/v3 v3.5.1
 k8s.io/api v0.28.2
 k8s.io/apiextensions-apiserver v0.28.2
- k8s.io/apimachinery v0.28.2
+ k8s.io/apimachinery v0.28.3
 k8s.io/client-go v1.5.2
 k8s.io/code-generator v0.27.6
 knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f
@@ -85,7 +85,7 @@ require (
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230321174746-8dcc6526cfb1 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/aws/aws-sdk-go-v2 v1.21.2 // indirect
- github.com/aws/aws-sdk-go-v2/config v1.18.45 // indirect
+ github.com/aws/aws-sdk-go-v2/config v1.19.1 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
@@ -114,7 +114,7 @@ require (
 github.com/cockroachdb/apd/v2 v2.0.2 // indirect
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
- github.com/coreos/go-oidc/v3 v3.6.0 // indirect
+ github.com/coreos/go-oidc/v3 v3.7.0 // indirect
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3 // indirect
@@ -238,7 +238,7 @@ require (
 github.com/shibumi/go-pathspec v1.3.0 // indirect
 github.com/sigstore/fulcio v1.3.1 // indirect
 github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23 // indirect
- github.com/sigstore/sigstore v1.7.4 // indirect
+ github.com/sigstore/sigstore v1.7.5 // indirect
 github.com/sigstore/timestamp-authority v1.1.1 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
@@ -252,7 +252,7 @@ require (
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/thales-e-security/pool v0.0.2 // indirect
- github.com/theupdateframework/go-tuf v0.5.2 // indirect
+ github.com/theupdateframework/go-tuf v0.6.1 // indirect
 github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 github.com/tjfoc/gmsm v1.3.2 // indirect
@@ -280,7 +280,7 @@ require (
 golang.org/x/text v0.13.0 // indirect
 golang.org/x/time v0.3.0 // indirect
 golang.org/x/tools v0.14.0 // indirect
- google.golang.org/api v0.147.0 // indirect
+ google.golang.org/api v0.148.0 // indirect
 google.golang.org/appengine v1.6.8 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a // indirect
diff --git a/go.sum b/go.sum
index f77c1bb4aa..7ccd994fff 100644
--- a/go.sum
+++ b/go.sum
@@ -333,7 +333,7 @@ cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4 cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w= cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24= cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI= -cloud.google.com/go/kms v1.15.2 h1:lh6qra6oC4AyWe5fUUUBe/S27k12OHAleOOOw6KakdE= +cloud.google.com/go/kms v1.15.3 h1:RYsbxTRmk91ydKCzekI2YjryO4c5Y2M80Zwcs9/D/cI= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE= @@ -743,8 +743,8 @@ github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3eP github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= github.com/aws/aws-sdk-go-v2/config v1.18.25/go.mod h1:dZnYpD5wTW/dQF0rRNLVypB396zWCcPiBIvdvSWHEg4= -github.com/aws/aws-sdk-go-v2/config v1.18.45 h1:Aka9bI7n8ysuwPeFdm77nfbyHCAKQ3z9ghB3S/38zes= -github.com/aws/aws-sdk-go-v2/config v1.18.45/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= +github.com/aws/aws-sdk-go-v2/config v1.19.1 h1:oe3vqcGftyk40icfLymhhhNysAwk0NfiwkDi2GTPMXs= +github.com/aws/aws-sdk-go-v2/config v1.19.1/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= github.com/aws/aws-sdk-go-v2/credentials v1.13.24/go.mod h1:jYPYi99wUOPIFi0rhiOvXeSEReVOzBqFNOX5bXYoG2o= github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= 
@@ -767,7 +767,7 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.16.2/go.mod h1:uHtRE7aqXNmpeYL github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27/go.mod h1:EOwBD4J4S5qYszS5/3DpkejfuK+Z5/1uzICfPaZLtqw= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.6 h1:rp9DrFG3na9nuqsBZWb5KwvZrODhjayqFVJe8jmeVY8= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 h1:uRGw0UKo5hc7M2T7uGsK/Yg2qwecq/dnVjQbbq9RCzY= github.com/aws/aws-sdk-go-v2/service/sso v1.12.10/go.mod h1:ouy2P4z6sJN70fR3ka3wD3Ro3KezSxU6eKGQI2+2fjI= github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= 
@@ -860,8 +860,8 @@ github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNA github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-oidc/v3 v3.6.0 h1:AKVxfYw1Gmkn/w96z0DbT/B/xFnzTd3MkZvWLjF4n/o= -github.com/coreos/go-oidc/v3 v3.6.0/go.mod h1:ZpHUsHBucTUj6WOkrP4E20UPynbLZzhTQ1XKCXkxyPc= +github.com/coreos/go-oidc/v3 v3.7.0 h1:FTdj0uexT4diYIPlF4yoFVI5MRO1r5+SEcIpEw9vC0o= +github.com/coreos/go-oidc/v3 v3.7.0/go.mod h1:yQzSCqBnK3e6Fs5l+f5i0F8Kwf0zpH9bPEsbY00KanM= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= 
@@ -1630,12 +1630,12 @@ github.com/sigstore/fulcio v1.3.1 h1:0ntW9VbQbt2JytoSs8BOGB84A65eeyvGSavWteYp29Y github.com/sigstore/fulcio v1.3.1/go.mod h1:/XfqazOec45ulJZpyL9sq+OsVQ8g2UOVoNVi7abFgqU= github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23 h1:eZY7mQFcc0VvNr0fiAK3/n7kh73+T06KzBEIUYzFSDQ= github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23/go.mod h1:h1tOLhldpfILtziWpUDgGBu0vulWk9Kh72t6XzBGJok= -github.com/sigstore/sigstore v1.7.4 h1:Fyqn6OKOVsYnV0Vs6JhG5t+q0u7Gj6R5dJ52kUVteLs= -github.com/sigstore/sigstore v1.7.4/go.mod h1:5MxR9PrWYGk5I3sXgdnrMUOLbwFPuAUNtWPm3VwOjkc= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.4 h1:zIqB/IB8qVJBjazd+fjI6XZlE9f8s5HxnOllHAeTTew= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.4 h1:2xI6GX+tQMF0L+DlQq09U4fH8PlFhuz0wSYkiHY8fgo= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.4 h1:1xpfNzVhTKOlyfcR618l7Ew1GmnUcMHMQ/fxW1IG/Yw= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.4 h1:g+iL3HbRnxKtc/w/J4AJTht/AEiexX/A8XxRyqYw81M= +github.com/sigstore/sigstore v1.7.5 h1:ij55dBhLwjICmLTBJZm7SqoQLdsu/oowDanACcJNs48= +github.com/sigstore/sigstore v1.7.5/go.mod h1:9OCmYWhzuq/G4e1cy9m297tuMRJ1LExyrXY3ZC3Zt/s= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.5 h1:ilufPp36exfpivctI3ElU4ZTckP3eVu6RxYebBb6u+M= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.5 h1:gLdNJJo+xMf7+IeFRlyA/Pjavndo9rivmf5ioYeuPmM= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.5 h1:Ku3MD55VXR7+uezCS4LOY0+y2EZFlGCGFyzl+ZSoPyo= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.5 h1:yWNBuL52Je3ukUGry1qwg00ujJF2UFWShzXFIAtmxZU= github.com/sigstore/timestamp-authority v1.1.1 h1:EldrdeBED0edNzDMvYZDf5CyWgtSchtR9DKYyksNR8M= github.com/sigstore/timestamp-authority v1.1.1/go.mod h1:cEDLEHl/L3ppqKDaiZ3Cg4ikcaYleuq90I/BFNePzF0= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 
@@ -1712,16 +1712,16 @@ github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDd github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= -github.com/tektoncd/pipeline v0.53.2 h1:NEULiwVKlCQVNNMLE7MJ5csb13dWfkkObtSiVJwMPzc= -github.com/tektoncd/pipeline v0.53.2/go.mod h1:tO7iI+L4+kO+CrAYiM9FlXQYveyjyMDCYmy+7VLiwjk= +github.com/tektoncd/pipeline v0.54.0 h1:l15X3BIc15Sqbsjai8SaNo0Dm8BipASZWkyJ4VF2c6w= +github.com/tektoncd/pipeline v0.54.0/go.mod h1:oUD9mW6JUSsEDUuAvWMpr+36DXL8twvAOszMr+rsPV8= github.com/tektoncd/plumbing v0.0.0-20231109154454-9ef46b417293 h1:kNmGaAtPS9LnfNZG/JrF4Y0Qx5Ju+384aqKJNtk4PU0= github.com/tektoncd/plumbing v0.0.0-20231109154454-9ef46b417293/go.mod h1:7eWs1XNkmReggow7ggRbRyRuHi7646B8b2XipCZ3VOw= github.com/tektoncd/triggers v0.25.3 h1:SEZhHAjSqAUKvDg8YNbamDv+3IcXce6XQDsBm7Mzs5U= github.com/tektoncd/triggers v0.25.3/go.mod h1:N6VmwgAn8i2l8w2kNZ+dKt6BGlPrqFE1kkYOkmNz8rA= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= -github.com/theupdateframework/go-tuf v0.5.2 h1:habfDzTmpbzBLIFGWa2ZpVhYvFBoK0C1onC3a4zuPRA= -github.com/theupdateframework/go-tuf v0.5.2/go.mod h1:SyMV5kg5n4uEclsyxXJZI2UxPFJNDc4Y+r7wv+MlvTA= +github.com/theupdateframework/go-tuf v0.6.1 h1:6J89fGjQf7s0mLmTG7p7pO/MbKOg+bIXhaLyQdmbKuE= +github.com/theupdateframework/go-tuf v0.6.1/go.mod h1:LAFusuQsFNBnEyYoTuA5zZrF7iaQ4TEgBXm8lb6Vj18= github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e h1:BuzhfgfWQbX0dWzYzT1zsORLnHRv3bcRcsaUk0VmXA8= github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e/go.mod h1:/Tnicc6m/lsJE0irFMA0LfIwTBo4QP7A8IfyIv4zZKI= 
github.com/tidwall/gjson v1.12.1 h1:ikuZsLdhr8Ws0IdROXUS1Gi4v9Z4pGqpX/CvJkxvfpo= @@ -2379,8 +2379,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.147.0 h1:Can3FaQo9LlVqxJCodNmeZW/ib3/qKAY3rFeXiHo5gc= -google.golang.org/api v0.147.0/go.mod h1:pQ/9j83DcmPd/5C9e2nFOdjjNkDZ1G+zkbK2uvdkJMs= +google.golang.org/api v0.148.0 h1:HBq4TZlN4/1pNcu0geJZ/Q50vIwIXT532UIMYoo0vOs= +google.golang.org/api v0.148.0/go.mod h1:8/TBgwaKjfqTdacOJrOv2+2Q6fBDU1uHKK06oGSkxzU= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md index e1ddd4cd17..a1ecda86f6 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md +++ b/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md @@ -1,3 +1,11 @@ +# v1.19.1 (2023-10-24) + +* No change notes available for this release. + +# v1.19.0 (2023-10-16) + +* **Feature**: Modify logic of retrieving user agent appID from env config + # v1.18.45 (2023-10-12) * **Bug Fix**: Fail to load config if an explicitly provided profile doesn't exist. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/env_config.go b/vendor/github.com/aws/aws-sdk-go-v2/config/env_config.go index 63ecd02b38..a142a45c54 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/config/env_config.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/config/env_config.go 
@@ -69,6 +69,7 @@ const (
 awsRetryMaxAttempts = "AWS_MAX_ATTEMPTS"
 awsRetryMode = "AWS_RETRY_MODE"
+ awsSdkAppID = "AWS_SDK_UA_APP_ID"
 )
 var (
@@ -248,6 +249,9 @@ type EnvConfig struct {
 //
 // aws_retry_mode=standard
 RetryMode aws.RetryMode
+
+ // aws sdk app ID that can be added to user agent header string
+ AppID string
 }
 // loadEnvConfig reads configuration values from the OS's environment variables.
@@ -288,6 +292,8 @@ func NewEnvConfig() (EnvConfig, error) {
 cfg.RoleARN = os.Getenv(awsRoleARNEnvVar)
 cfg.RoleSessionName = os.Getenv(awsRoleSessionNameEnvVar)
+ cfg.AppID = os.Getenv(awsSdkAppID)
+
 if err := setEndpointDiscoveryTypeFromEnvVal(&cfg.EnableEndpointDiscovery, []string{awsEnableEndpointDiscoveryEnvVar}); err != nil {
 return cfg, err
 }
@@ -335,6 +341,10 @@ func (c EnvConfig) getDefaultsMode(ctx context.Context) (aws.DefaultsMode, bool,
 return c.DefaultsMode, true, nil
 }
+func (c EnvConfig) getAppID(context.Context) (string, bool, error) {
+ return c.AppID, len(c.AppID) > 0, nil
+}
+
 // GetRetryMaxAttempts returns the value of AWS_MAX_ATTEMPTS if was specified,
 // and not 0.
 func (c EnvConfig) GetRetryMaxAttempts(ctx context.Context) (int, bool, error) {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
index 22c98ac014..887131d086 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
@@ -3,4 +3,4 @@
 package config
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.18.45"
+const goModuleVersion = "1.19.1"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/provider.go b/vendor/github.com/aws/aws-sdk-go-v2/config/provider.go
index 69e54b77fb..b056235152 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/provider.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/provider.go
@@ -122,6 +122,26 @@ func getRegion(ctx context.Context, configs configs) (value string, found bool,
 return
 }
+// IgnoreConfiguredEndpointsProvider is needed to search for all providers
+// that provide a flag to disable configured endpoints.
+type IgnoreConfiguredEndpointsProvider interface {
+ GetIgnoreConfiguredEndpoints(ctx context.Context) (bool, bool, error)
+}
+
+// GetIgnoreConfiguredEndpoints is used in knowing when to disable configured
+// endpoints feature.
+func GetIgnoreConfiguredEndpoints(ctx context.Context, configs []Config) (value bool, found bool, err error) {
+ for _, cfg := range configs {
+ if p, ok := cfg.(IgnoreConfiguredEndpointsProvider); ok {
+ value, found, err = p.GetIgnoreConfiguredEndpoints(ctx)
+ if err != nil || found {
+ break
+ }
+ }
+ }
+ return
+}
+
 // appIDProvider provides access to the sdk app ID value
 type appIDProvider interface {
 getAppID(ctx context.Context) (string, bool, error)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go b/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go
index b037053503..1187e8c480 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go
@@ -113,10 +113,6 @@ func resolveAppID(ctx context.Context, cfg *aws.Config, configs configs) error {
 return err
 }
- // if app ID is set in env var, it should precedence shared config value
- if appID := os.Getenv(`AWS_SDK_UA_APP_ID`); len(appID) > 0 {
- ID = appID
- }
 cfg.AppID = ID
 return nil
 }
diff --git a/vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go b/vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go
index 539933b3d9..b1e3f7e3ff 100644
--- a/vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go
+++ b/vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go
@@ -8,7 +8,7 @@ import (
 "crypto/rsa"
 "errors"
 "fmt"
- "io/ioutil"
+ "io"
 "net/http"
 "sync"
 "time"
@@ -159,7 +159,7 @@ func (r *RemoteKeySet) verify(ctx context.Context, jws *jose.JSONWebSignature) (
 // https://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys
 keys, err := r.keysFromRemote(ctx)
 if err != nil {
- return nil, fmt.Errorf("fetching keys %v", err)
+ return nil, fmt.Errorf("fetching keys %w", err)
 }
 for _, key := range keys {
@@ -228,11 +228,11 @@ func (r *RemoteKeySet) updateKeys() ([]jose.JSONWebKey, error) {
 resp, err := doRequest(r.ctx, req)
 if err != nil {
- return nil, fmt.Errorf("oidc: get keys failed %v", err)
+ return nil, fmt.Errorf("oidc: get keys failed %w", err)
 }
 defer resp.Body.Close()
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
 if err != nil {
 return nil, fmt.Errorf("unable to read response body: %v", err)
 }
diff --git a/vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go b/vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go
index b159d1ccd7..6e2b0e567b 100644
--- a/vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go
+++ b/vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go
@@ -10,7 +10,7 @@ import (
 "errors"
 "fmt"
 "hash"
- "io/ioutil"
+ "io"
 "mime"
 "net/http"
 "strings"
@@ -211,7 +211,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 }
 defer resp.Body.Close()
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
 if err != nil {
 return nil, fmt.Errorf("unable to read response body: %v", err)
 }
@@ -332,7 +332,7 @@ func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource)
 return nil, err
 }
 defer resp.Body.Close()
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
 if err != nil {
 return nil, err
 }
diff --git a/vendor/github.com/coreos/go-oidc/v3/oidc/verify.go b/vendor/github.com/coreos/go-oidc/v3/oidc/verify.go
index 3e5ffbc76e..0bca49a899 100644
--- a/vendor/github.com/coreos/go-oidc/v3/oidc/verify.go
+++ b/vendor/github.com/coreos/go-oidc/v3/oidc/verify.go
@@ -7,7 +7,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
- "io/ioutil"
+ "io"
 "net/http"
 "strings"
 "time"
@@ -182,7 +182,7 @@ func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src
 }
 defer resp.Body.Close()
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
 if err != nil {
 return nil, fmt.Errorf("unable to read response body: %v", err)
 }
diff --git a/vendor/github.com/secure-systems-lab/go-securesystemslib/encrypted/encrypted.go b/vendor/github.com/secure-systems-lab/go-securesystemslib/encrypted/encrypted.go
new file mode 100644
index 0000000000..037a718abe
--- /dev/null
+++ b/vendor/github.com/secure-systems-lab/go-securesystemslib/encrypted/encrypted.go
@@ -0,0 +1,290 @@
+// Package encrypted provides a simple, secure system for encrypting data
+// symmetrically with a passphrase.
+//
+// It uses scrypt derive a key from the passphrase and the NaCl secret box
+// cipher for authenticated encryption.
+package encrypted
+
+import (
+ "crypto/rand"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io"
+
+ "golang.org/x/crypto/nacl/secretbox"
+ "golang.org/x/crypto/scrypt"
+)
+
+const saltSize = 32
+
+const (
+ boxKeySize = 32
+ boxNonceSize = 24
+)
+
+// KDFParameterStrength defines the KDF parameter strength level to be used for
+// encryption key derivation.
+type KDFParameterStrength uint8
+
+const (
+ // Legacy defines legacy scrypt parameters (N:2^15, r:8, p:1)
+ Legacy KDFParameterStrength = iota + 1
+ // Standard defines standard scrypt parameters which is focusing 100ms of computation (N:2^16, r:8, p:1)
+ Standard
+ // OWASP defines OWASP recommended scrypt parameters (N:2^17, r:8, p:1)
+ OWASP
+)
+
+var (
+ // legacyParams represents old scrypt derivation parameters for backward
+ // compatibility.
+ legacyParams = scryptParams{
+ N: 32768, // 2^15
+ R: 8,
+ P: 1,
+ }
+
+ // standardParams defines scrypt parameters based on the scrypt creator
+ // recommendation to limit key derivation in time boxed to 100ms.
+ standardParams = scryptParams{
+ N: 65536, // 2^16
+ R: 8,
+ P: 1,
+ }
+
+ // owaspParams defines scrypt parameters recommended by OWASP
+ owaspParams = scryptParams{
+ N: 131072, // 2^17
+ R: 8,
+ P: 1,
+ }
+
+ // defaultParams defines scrypt parameters which will be used to generate a
+ // new key.
+ defaultParams = standardParams
+)
+
+const (
+ nameScrypt = "scrypt"
+ nameSecretBox = "nacl/secretbox"
+)
+
+type data struct {
+ KDF scryptKDF `json:"kdf"`
+ Cipher secretBoxCipher `json:"cipher"`
+ Ciphertext []byte `json:"ciphertext"`
+}
+
+type scryptParams struct {
+ N int `json:"N"`
+ R int `json:"r"`
+ P int `json:"p"`
+}
+
+func (sp *scryptParams) Equal(in *scryptParams) bool {
+ return in != nil && sp.N == in.N && sp.P == in.P && sp.R == in.R
+}
+
+func newScryptKDF(level KDFParameterStrength) (scryptKDF, error) {
+ salt := make([]byte, saltSize)
+ if err := fillRandom(salt); err != nil {
+ return scryptKDF{}, fmt.Errorf("unable to generate a random salt: %w", err)
+ }
+
+ var params scryptParams
+ switch level {
+ case Legacy:
+ params = legacyParams
+ case Standard:
+ params = standardParams
+ case OWASP:
+ params = owaspParams
+ default:
+ // Fallback to default parameters
+ params = defaultParams
+ }
+
+ return scryptKDF{
+ Name: nameScrypt,
+ Params: params,
+ Salt: salt,
+ }, nil
+}
+
+type scryptKDF struct {
+ Name string `json:"name"`
+ Params scryptParams `json:"params"`
+ Salt []byte `json:"salt"`
+}
+
+func (s *scryptKDF) Key(passphrase []byte) ([]byte, error) {
+ return scrypt.Key(passphrase, s.Salt, s.Params.N, s.Params.R, s.Params.P, boxKeySize)
+}
+
+// CheckParams checks that the encoded KDF parameters are what we expect them to
+// be. If we do not do this, an attacker could cause a DoS by tampering with
+// them.
+func (s *scryptKDF) CheckParams() error {
+ switch {
+ case legacyParams.Equal(&s.Params):
+ case standardParams.Equal(&s.Params):
+ case owaspParams.Equal(&s.Params):
+ default:
+ return errors.New("unsupported scrypt parameters")
+ }
+
+ return nil
+}
+
+func newSecretBoxCipher() (secretBoxCipher, error) {
+ nonce := make([]byte, boxNonceSize)
+ if err := fillRandom(nonce); err != nil {
+ return secretBoxCipher{}, err
+ }
+ return secretBoxCipher{
+ Name: nameSecretBox,
+ Nonce: nonce,
+ }, nil
+}
+
+type secretBoxCipher struct {
+ Name string `json:"name"`
+ Nonce []byte `json:"nonce"`
+
+ encrypted bool
+}
+
+func (s *secretBoxCipher) Encrypt(plaintext, key []byte) []byte {
+ var keyBytes [boxKeySize]byte
+ var nonceBytes [boxNonceSize]byte
+
+ if len(key) != len(keyBytes) {
+ panic("incorrect key size")
+ }
+ if len(s.Nonce) != len(nonceBytes) {
+ panic("incorrect nonce size")
+ }
+
+ copy(keyBytes[:], key)
+ copy(nonceBytes[:], s.Nonce)
+
+ // ensure that we don't re-use nonces
+ if s.encrypted {
+ panic("Encrypt must only be called once for each cipher instance")
+ }
+ s.encrypted = true
+
+ return secretbox.Seal(nil, plaintext, &nonceBytes, &keyBytes)
+}
+
+func (s *secretBoxCipher) Decrypt(ciphertext, key []byte) ([]byte, error) {
+ var keyBytes [boxKeySize]byte
+ var nonceBytes [boxNonceSize]byte
+
+ if len(key) != len(keyBytes) {
+ panic("incorrect key size")
+ }
+ if len(s.Nonce) != len(nonceBytes) {
+ // return an error instead of panicking since the nonce is user input
+ return nil, errors.New("encrypted: incorrect nonce size")
+ }
+
+ copy(keyBytes[:], key)
+ copy(nonceBytes[:], s.Nonce)
+
+ res, ok := secretbox.Open(nil, ciphertext, &nonceBytes, &keyBytes)
+ if !ok {
+ return nil, errors.New("encrypted: decryption failed")
+ }
+ return res, nil
+}
+
+// Encrypt takes a passphrase and plaintext, and returns a JSON object
+// containing ciphertext and the details necessary to decrypt it.
+func Encrypt(plaintext, passphrase []byte) ([]byte, error) {
+ return EncryptWithCustomKDFParameters(plaintext, passphrase, Standard)
+}
+
+// EncryptWithCustomKDFParameters takes a passphrase, the plaintext and a KDF
+// parameter level (Legacy, Standard, or OWASP), and returns a JSON object
+// containing ciphertext and the details necessary to decrypt it.
+func EncryptWithCustomKDFParameters(plaintext, passphrase []byte, kdfLevel KDFParameterStrength) ([]byte, error) {
+ k, err := newScryptKDF(kdfLevel)
+ if err != nil {
+ return nil, err
+ }
+ key, err := k.Key(passphrase)
+ if err != nil {
+ return nil, err
+ }
+
+ c, err := newSecretBoxCipher()
+ if err != nil {
+ return nil, err
+ }
+
+ data := &data{
+ KDF: k,
+ Cipher: c,
+ }
+ data.Ciphertext = c.Encrypt(plaintext, key)
+
+ return json.Marshal(data)
+}
+
+// Marshal encrypts the JSON encoding of v using passphrase.
+func Marshal(v interface{}, passphrase []byte) ([]byte, error) {
+ return MarshalWithCustomKDFParameters(v, passphrase, Standard)
+}
+
+// MarshalWithCustomKDFParameters encrypts the JSON encoding of v using passphrase.
+func MarshalWithCustomKDFParameters(v interface{}, passphrase []byte, kdfLevel KDFParameterStrength) ([]byte, error) {
+ data, err := json.MarshalIndent(v, "", "\t")
+ if err != nil {
+ return nil, err
+ }
+ return EncryptWithCustomKDFParameters(data, passphrase, kdfLevel)
+}
+
+// Decrypt takes a JSON-encoded ciphertext object encrypted using Encrypt and
+// tries to decrypt it using passphrase. If successful, it returns the
+// plaintext.
+func Decrypt(ciphertext, passphrase []byte) ([]byte, error) {
+ data := &data{}
+ if err := json.Unmarshal(ciphertext, data); err != nil {
+ return nil, err
+ }
+
+ if data.KDF.Name != nameScrypt {
+ return nil, fmt.Errorf("encrypted: unknown kdf name %q", data.KDF.Name)
+ }
+ if data.Cipher.Name != nameSecretBox {
+ return nil, fmt.Errorf("encrypted: unknown cipher name %q", data.Cipher.Name)
+ }
+ if err := data.KDF.CheckParams(); err != nil {
+ return nil, err
+ }
+
+ key, err := data.KDF.Key(passphrase)
+ if err != nil {
+ return nil, err
+ }
+
+ return data.Cipher.Decrypt(data.Ciphertext, key)
+}
+
+// Unmarshal decrypts the data using passphrase and unmarshals the resulting
+// plaintext into the value pointed to by v.
+func Unmarshal(data []byte, v interface{}, passphrase []byte) error {
+ decrypted, err := Decrypt(data, passphrase)
+ if err != nil {
+ return err
+ }
+ return json.Unmarshal(decrypted, v)
+}
+
+func fillRandom(b []byte) error {
+ _, err := io.ReadFull(rand.Reader, b)
+ return err
+}
diff --git a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/privatekey.go b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/privatekey.go
index b1a0dad05e..325813d692 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/privatekey.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/privatekey.go
@@ -26,7 +26,7 @@ import (
 "errors"
 "fmt"
- "github.com/theupdateframework/go-tuf/encrypted"
+ "github.com/secure-systems-lab/go-securesystemslib/encrypted"
 )
 const (
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/config/feature_flags.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/config/feature_flags.go
index 98529ede33..03e67b57cb 100644
--- a/vendor/github.com/tektoncd/pipeline/pkg/apis/config/feature_flags.go
+++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/config/feature_flags.go
@@ -106,6 +106,10 @@ const (
 EnableStepActions = "enable-step-actions"
 // DefaultEnableStepActions is the default value for EnableStepActions
 DefaultEnableStepActions = false
+ // EnableParamEnum is the flag to enabled enum in params
+ EnableParamEnum = "enable-param-enum"
+ // DefaultEnableParamEnum is the default value for EnableParamEnum
+ DefaultEnableParamEnum = false
 disableAffinityAssistantKey = "disable-affinity-assistant"
 disableCredsInitKey = "disable-creds-init"
@@ -156,6 +160,7 @@ type FeatureFlags struct {
 Coschedule string
 EnableCELInWhenExpression bool
 EnableStepActions bool
+ EnableParamEnum bool
 }
 // GetFeatureFlagsConfigName returns the name of the configmap containing all
@@ -234,6 +239,9 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
 if err := setFeature(EnableStepActions, DefaultEnableStepActions, &tc.EnableStepActions); err != nil {
 return nil, err
 }
+ if err := setFeature(EnableParamEnum, DefaultEnableParamEnum, &tc.EnableParamEnum); err != nil {
+ return nil, err
+ }
 // Given that they are alpha features, Tekton Bundles and Custom Tasks should be switched on if
 // enable-api-fields is "alpha". If enable-api-fields is not "alpha" then fall back to the value of
 // each feature's individual flag.
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_types.go
index ccef95cf76..a15655521f 100644
--- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_types.go
+++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_types.go
@@ -135,6 +135,33 @@ type Step struct {
 // Stores configuration for the stderr stream of the step.
 // +optional
 StderrConfig *StepOutputConfig `json:"stderrConfig,omitempty"`
+ // Contains the reference to an existing StepAction.
+ //+optional
+ Ref *Ref `json:"ref,omitempty"`
+ // Params declares parameters passed to this step action.
+ // +optional
+ // +listType=atomic
+ Params Params `json:"params,omitempty"`
+ // Results declares StepResults produced by the Step.
+ //
+ // This is field is at an ALPHA stability level and gated by "enable-step-actions" feature flag.
+ //
+ // It can be used in an inlined Step when used to store Results to $(step.results.resultName.path).
+ // It cannot be used when referencing StepActions using [v1.Step.Ref].
+ // The Results declared by the StepActions will be stored here instead.
+ // +optional
+ // +listType=atomic
+ Results []StepResult `json:"results,omitempty"`
+}
+
+// Ref can be used to refer to a specific instance of a StepAction.
+type Ref struct {
+ // Name of the referenced step
+ Name string `json:"name,omitempty"`
+ // ResolverRef allows referencing a StepAction in a remote location
+ // like a git repo.
+ // +optional
+ ResolverRef `json:",omitempty"`
 }
 // OnErrorType defines a list of supported exiting behavior of a container on error
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_validation.go
new file mode 100644
index 0000000000..56108b63db
--- /dev/null
+++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_validation.go
@@ -0,0 +1,62 @@
+/*
+Copyright 2023 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ "context"
+ "strings"
+
+ "github.com/tektoncd/pipeline/pkg/apis/config"
+ "k8s.io/apimachinery/pkg/util/validation"
+ "knative.dev/pkg/apis"
+)
+
+// Validate ensures that a supplied Ref field is populated
+// correctly. No errors are returned for a nil Ref.
+func (ref *Ref) Validate(ctx context.Context) (errs *apis.FieldError) {
+ if ref == nil {
+ return
+ }
+
+ switch {
+ case ref.Resolver != "" || ref.Params != nil:
+ if ref.Resolver != "" {
+ errs = errs.Also(config.ValidateEnabledAPIFields(ctx, "resolver", config.BetaAPIFields).ViaField("resolver"))
+ if ref.Name != "" {
+ errs = errs.Also(apis.ErrMultipleOneOf("name", "resolver"))
+ }
+ }
+ if ref.Params != nil {
+ errs = errs.Also(config.ValidateEnabledAPIFields(ctx, "resolver params", config.BetaAPIFields).ViaField("params"))
+ if ref.Name != "" {
+ errs = errs.Also(apis.ErrMultipleOneOf("name", "params"))
+ }
+ if ref.Resolver == "" {
+ errs = errs.Also(apis.ErrMissingField("resolver"))
+ }
+ errs = errs.Also(ValidateParameters(ctx, ref.Params))
+ }
+ case ref.Name != "":
+ // ref name must be a valid k8s name
+ if errSlice := validation.IsQualifiedName(ref.Name); len(errSlice) != 0 {
+ errs = errs.Also(apis.ErrInvalidValue(strings.Join(errSlice, ","), "name"))
+ }
+ default:
+ errs = errs.Also(apis.ErrMissingField("name"))
+ }
+ return errs
+}
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/merge.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/merge.go index b500ef8758..45798c3726 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/merge.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/merge.go @@ -20,7 +20,6 @@ import ( "encoding/json" corev1 "k8s.io/api/core/v1" - v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/strategicpatch" ) @@ -81,7 +80,7 @@ func MergeStepsWithSpecs(steps []Step, overrides []TaskRunStepSpec) ([]Step, err if !found { continue } - merged := v1.ResourceRequirements{} + merged := corev1.ResourceRequirements{} err := mergeObjWithTemplate(&s.ComputeResources, &o.ComputeResources, &merged) if err != nil { return nil, err @@ -107,7 +106,7 @@ func MergeSidecarsWithSpecs(sidecars []Sidecar, overrides []TaskRunSidecarSpec) if !found { continue } - merged := v1.ResourceRequirements{} + merged := corev1.ResourceRequirements{} err := mergeObjWithTemplate(&s.ComputeResources, &o.ComputeResources, &merged) if err != nil { return nil, err diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/openapi_generated.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/openapi_generated.go index 6425ec1de3..0fb74d29b1 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/openapi_generated.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/openapi_generated.go 
@@ -61,6 +61,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.PipelineWorkspaceDeclaration": schema_pkg_apis_pipeline_v1_PipelineWorkspaceDeclaration(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.PropertySpec": schema_pkg_apis_pipeline_v1_PropertySpec(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Provenance": schema_pkg_apis_pipeline_v1_Provenance(ref), + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Ref": schema_pkg_apis_pipeline_v1_Ref(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.RefSource": schema_pkg_apis_pipeline_v1_RefSource(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ResolverRef": schema_pkg_apis_pipeline_v1_ResolverRef(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ResultRef": schema_pkg_apis_pipeline_v1_ResultRef(ref), @@ -69,6 +70,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.SkippedTask": schema_pkg_apis_pipeline_v1_SkippedTask(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Step": schema_pkg_apis_pipeline_v1_Step(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepOutputConfig": schema_pkg_apis_pipeline_v1_StepOutputConfig(ref), + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepResult": schema_pkg_apis_pipeline_v1_StepResult(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepState": schema_pkg_apis_pipeline_v1_StepState(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepTemplate": schema_pkg_apis_pipeline_v1_StepTemplate(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Task": schema_pkg_apis_pipeline_v1_Task(ref), 
@@ -788,6 +790,21 @@ func schema_pkg_apis_pipeline_v1_ParamSpec(ref common.ReferenceCallback) common. Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ParamValue"), }, }, + "enum": { + SchemaProps: spec.SchemaProps{ + Description: "Enum declares a set of allowed param input values for tasks/pipelines that can be validated. If Enum is not set, no input validation is performed for the param.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, }, Required: []string{"name"}, }, @@ -2184,6 +2201,26 @@ func schema_pkg_apis_pipeline_v1_Provenance(ref common.ReferenceCallback) common } } +func schema_pkg_apis_pipeline_v1_Ref(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Ref can be used to refer to a specific instance of a StepAction.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "Name of the referenced step", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_pipeline_v1_RefSource(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -2924,12 +2961,56 @@ func schema_pkg_apis_pipeline_v1_Step(ref common.ReferenceCallback) common.OpenA Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepOutputConfig"), }, }, + "ref": { + SchemaProps: spec.SchemaProps{ + Description: "Contains the reference to an existing StepAction.", + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Ref"), + }, + }, + "params": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Params declares parameters passed to this step action.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Param"), + }, + }, + }, + }, + }, + "results": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Results declares StepResults produced by the Step.\n\nThis is field is at an ALPHA stability level and gated by \"enable-step-actions\" feature flag.\n\nIt can be used in an inlined Step when used to store Results to $(step.results.resultName.path). It cannot be used when referencing StepActions using [v1.Step.Ref]. 
The Results declared by the StepActions will be stored here instead.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepResult"), + }, + }, + }, + }, + }, }, Required: []string{"name"}, }, }, Dependencies: []string{ - "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepOutputConfig", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.WorkspaceUsage", "k8s.io/api/core/v1.EnvFromSource", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.SecurityContext", "k8s.io/api/core/v1.VolumeDevice", "k8s.io/api/core/v1.VolumeMount", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Param", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Ref", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepOutputConfig", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepResult", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.WorkspaceUsage", "k8s.io/api/core/v1.EnvFromSource", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.SecurityContext", "k8s.io/api/core/v1.VolumeDevice", "k8s.io/api/core/v1.VolumeMount", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, } } 
@@ -2953,6 +3034,59 @@ func schema_pkg_apis_pipeline_v1_StepOutputConfig(ref common.ReferenceCallback) } } +func schema_pkg_apis_pipeline_v1_StepResult(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "StepResult used to describe the Results of a Step.\n\nThis is field is at an ALPHA stability level and gated by \"enable-step-actions\" feature flag.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "Name the given name", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "type": { + SchemaProps: spec.SchemaProps{ + Description: "The possible types are 'string', 'array', and 'object', with 'string' as the default.", + Type: []string{"string"}, + Format: "", + }, + }, + "properties": { + SchemaProps: spec.SchemaProps{ + Description: "Properties is the JSON Schema properties to support key-value pairs results.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.PropertySpec"), + }, + }, + }, + }, + }, + "description": { + SchemaProps: spec.SchemaProps{ + Description: "Description is a human-readable description of the result", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name"}, + }, + }, + Dependencies: []string{ + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.PropertySpec"}, + } +} + func schema_pkg_apis_pipeline_v1_StepState(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -2996,11 +3130,24 @@ func schema_pkg_apis_pipeline_v1_StepState(ref common.ReferenceCallback) common. Format: "", }, }, + "results": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.TaskRunResult"), + }, + }, + }, + }, + }, }, }, }, Dependencies: []string{ - "k8s.io/api/core/v1.ContainerStateRunning", "k8s.io/api/core/v1.ContainerStateTerminated", "k8s.io/api/core/v1.ContainerStateWaiting"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.TaskRunResult", "k8s.io/api/core/v1.ContainerStateRunning", "k8s.io/api/core/v1.ContainerStateTerminated", "k8s.io/api/core/v1.ContainerStateWaiting"}, } } @@ -3364,12 +3511,18 @@ func schema_pkg_apis_pipeline_v1_TaskResult(ref common.ReferenceCallback) common Format: "", }, }, + "value": { + SchemaProps: spec.SchemaProps{ + Description: "Value the expression used to retrieve the value of the result from an underlying Step.", + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ParamValue"), + }, + }, }, Required: []string{"name"}, }, }, Dependencies: []string{ - "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.PropertySpec"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ParamValue", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.PropertySpec"}, } } @@ -3526,7 +3679,7 @@ func schema_pkg_apis_pipeline_v1_TaskRunResult(ref common.ReferenceCallback) com return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TaskRunResult used to describe the results of a task", + Description: "TaskRunStepResult is a type alias of TaskRunResult", Type: []string{"object"}, Properties: map[string]spec.Schema{ "name": { 
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/param_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/param_types.go index 167a1084a2..c597354422 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/param_types.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/param_types.go @@ -22,9 +22,11 @@ import ( "fmt" "strings" + "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/substitution" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/utils/strings/slices" "knative.dev/pkg/apis" ) @@ -53,6 +55,10 @@ type ParamSpec struct { // parameter. // +optional Default *ParamValue `json:"default,omitempty"` + // Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + // If Enum is not set, no input validation is performed for the param. + // +optional + Enum []string `json:"enum,omitempty"` } // ParamSpecs is a list of ParamSpec @@ -103,8 +109,8 @@ func (pp *ParamSpec) setDefaultsForProperties() { } } -// getNames returns all the names of the declared parameters -func (ps ParamSpecs) getNames() []string { +// GetNames returns all the names of the declared parameters +func (ps ParamSpecs) GetNames() []string { var names []string for _, p := range ps { names = append(names, p.Name) @@ -112,8 +118,8 @@ func (ps ParamSpecs) getNames() []string { return names } -// sortByType splits the input params into string params, array params, and object params, in that order -func (ps ParamSpecs) sortByType() (ParamSpecs, ParamSpecs, ParamSpecs) { +// SortByType splits the input params into string params, array params, and object params, in that order +func (ps ParamSpecs) SortByType() (ParamSpecs, ParamSpecs, ParamSpecs) { var stringParams, arrayParams, objectParams ParamSpecs for _, p := range ps { switch p.Type { 
@@ -130,24 +136,54 @@ func (ps ParamSpecs) sortByType() (ParamSpecs, ParamSpecs, ParamSpecs) { return stringParams, arrayParams, objectParams } -// validateNoDuplicateNames returns an error if any of the params have the same name -func (ps ParamSpecs) validateNoDuplicateNames() *apis.FieldError { - names := ps.getNames() - seen := sets.String{} - dups := sets.String{} +// ValidateNoDuplicateNames returns an error if any of the params have the same name +func (ps ParamSpecs) ValidateNoDuplicateNames() *apis.FieldError { var errs *apis.FieldError - for _, n := range names { - if seen.Has(n) { - dups.Insert(n) - } - seen.Insert(n) + names := ps.GetNames() + for dup := range findDups(names) { + errs = errs.Also(apis.ErrGeneric("parameter appears more than once", "").ViaFieldKey("params", dup)) } - for n := range dups { - errs = errs.Also(apis.ErrGeneric("parameter appears more than once", "").ViaFieldKey("params", n)) + return errs +} + +// validateParamEnum validates feature flag, duplication and allowed types for Param Enum +func (ps ParamSpecs) validateParamEnums(ctx context.Context) *apis.FieldError { + var errs *apis.FieldError + for _, p := range ps { + if len(p.Enum) == 0 { + continue + } + if !config.FromContextOrDefaults(ctx).FeatureFlags.EnableParamEnum { + errs = errs.Also(errs, apis.ErrGeneric(fmt.Sprintf("feature flag `%s` should be set to true to use Enum", config.EnableParamEnum), "").ViaKey(p.Name)) + } + if p.Type != ParamTypeString { + errs = errs.Also(apis.ErrGeneric("enum can only be set with string type param", "").ViaKey(p.Name)) + } + for dup := range findDups(p.Enum) { + errs = errs.Also(apis.ErrGeneric(fmt.Sprintf("parameter enum value %v appears more than once", dup), "").ViaKey(p.Name)) + } + if p.Default != nil && p.Default.StringVal != "" { + if !slices.Contains(p.Enum, p.Default.StringVal) { + errs = errs.Also(apis.ErrGeneric(fmt.Sprintf("param default value %v not in the enum list", p.Default.StringVal), "").ViaKey(p.Name)) + } + } } 
return errs } +// findDups returns the duplicate element in the given slice +func findDups(vals []string) sets.String { + seen := sets.String{} + dups := sets.String{} + for _, val := range vals { + if seen.Has(val) { + dups.Insert(val) + } + seen.Insert(val) + } + return dups +} + // Param declares an ParamValues to use for the parameter called name. type Param struct { Name string `json:"name"` @@ -293,7 +329,7 @@ func (ps ParamSpecs) ExtractDefaultParamArrayLengths() map[string]int { // it would return ["$(params.array-param[1])", "$(params.other-array-param[2])"]. func extractArrayIndexingParamRefs(paramReference string) []string { l := []string{} - list := substitution.ExtractParamsExpressions(paramReference) + list := substitution.ExtractArrayIndexingParamsExpressions(paramReference) for _, val := range list { indexString := substitution.ExtractIndexString(val) if indexString != "" { diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/pipeline_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/pipeline_validation.go index 2552692d87..2dc3b884f7 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/pipeline_validation.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/pipeline_validation.go 
@@ -394,9 +394,9 @@ func (ps *PipelineSpec) validatePipelineParameterUsage(ctx context.Context) (err // validatePipelineTaskParameterUsage validates that parameters referenced in the Pipeline Tasks are declared by the Pipeline func validatePipelineTaskParameterUsage(tasks []PipelineTask, params ParamSpecs) (errs *apis.FieldError) { - allParamNames := sets.NewString(params.getNames()...) - _, arrayParams, objectParams := params.sortByType() - arrayParamNames := sets.NewString(arrayParams.getNames()...) + allParamNames := sets.NewString(params.GetNames()...) + _, arrayParams, objectParams := params.SortByType() + arrayParamNames := sets.NewString(arrayParams.GetNames()...) objectParameterNameKeys := map[string][]string{} for _, p := range objectParams { for k := range p.Properties { @@ -433,11 +433,12 @@ func validatePipelineTasksWorkspacesUsage(wss []PipelineWorkspaceDeclaration, pt // ValidatePipelineParameterVariables validates parameters with those specified by each pipeline task, // (1) it validates the type of parameter is either string or array (2) parameter default value matches -// with the type of that param +// with the type of that param (3) no duplication, feature flag and allowed param type when using param enum func ValidatePipelineParameterVariables(ctx context.Context, tasks []PipelineTask, params ParamSpecs) (errs *apis.FieldError) { // validates all the types within a slice of ParamSpecs errs = errs.Also(ValidateParameterTypes(ctx, params).ViaField("params")) - errs = errs.Also(params.validateNoDuplicateNames()) + errs = errs.Also(params.ValidateNoDuplicateNames()) + errs = errs.Also(params.validateParamEnums(ctx).ViaField("params")) for i, task := range tasks { errs = errs.Also(task.Params.validateDuplicateParameters().ViaField("params").ViaIndex(i)) } 
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/pipelinerun_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/pipelinerun_types.go index 88aad636b8..c9db1bff01 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/pipelinerun_types.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/pipelinerun_types.go @@ -22,7 +22,6 @@ import ( "time" "github.com/tektoncd/pipeline/pkg/apis/config" - apisconfig "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/apis/pipeline" pod "github.com/tektoncd/pipeline/pkg/apis/pipeline/pod" runv1beta1 "github.com/tektoncd/pipeline/pkg/apis/run/v1beta1" @@ -117,7 +116,7 @@ func (pr *PipelineRun) TasksTimeout() *metav1.Duration { return t.Tasks } if t.Pipeline != nil && t.Finally != nil { - if t.Pipeline.Duration == apisconfig.NoTimeoutDuration || t.Finally.Duration == apisconfig.NoTimeoutDuration { + if t.Pipeline.Duration == config.NoTimeoutDuration || t.Finally.Duration == config.NoTimeoutDuration { return nil } return &metav1.Duration{Duration: (t.Pipeline.Duration - t.Finally.Duration)} @@ -136,7 +135,7 @@ func (pr *PipelineRun) FinallyTimeout() *metav1.Duration { return t.Finally } if t.Pipeline != nil && t.Tasks != nil { - if t.Pipeline.Duration == apisconfig.NoTimeoutDuration || t.Tasks.Duration == apisconfig.NoTimeoutDuration { + if t.Pipeline.Duration == config.NoTimeoutDuration || t.Tasks.Duration == config.NoTimeoutDuration { return nil } return &metav1.Duration{Duration: (t.Pipeline.Duration - t.Tasks.Duration)} 
@@ -409,6 +408,8 @@ const ( PipelineRunReasonCreateRunFailed PipelineRunReason = "CreateRunFailed" // ReasonCELEvaluationFailed indicates the pipeline fails the CEL evaluation PipelineRunReasonCELEvaluationFailed PipelineRunReason = "CELEvaluationFailed" + // PipelineRunReasonInvalidParamValue indicates that the PipelineRun Param input value is not allowed. + PipelineRunReasonInvalidParamValue PipelineRunReason = "InvalidParamValue" ) func (t PipelineRunReason) String() string { diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_defaults.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_defaults.go index 7fc6733b45..51dc7bd7e8 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_defaults.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_defaults.go @@ -37,3 +37,26 @@ func (tr *TaskResult) SetDefaults(context.Context) { } } } + +// SetDefaults set the default type for StepResult +func (sr *StepResult) SetDefaults(context.Context) { + if sr == nil { + return + } + if sr.Type == "" { + if sr.Properties != nil { + // Set type to object if `properties` is given + sr.Type = ResultsTypeObject + } else { + // ResultsTypeString is the default value + sr.Type = ResultsTypeString + } + } + + // Set default type of object values to string + for key, propertySpec := range sr.Properties { + if propertySpec.Type == "" { + sr.Properties[key] = PropertySpec{Type: ParamType(ResultsTypeString)} + } + } +} diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_types.go index 3a5b97d919..6361d7a362 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_types.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_types.go 
@@ -32,6 +32,30 @@ type TaskResult struct { // Description is a human-readable description of the result // +optional Description string `json:"description,omitempty"` + + // Value the expression used to retrieve the value of the result from an underlying Step. + // +optional + Value *ResultValue `json:"value,omitempty"` +} + +// StepResult used to describe the Results of a Step. +// +// This is field is at an ALPHA stability level and gated by "enable-step-actions" feature flag. +type StepResult struct { + // Name the given name + Name string `json:"name"` + + // The possible types are 'string', 'array', and 'object', with 'string' as the default. + // +optional + Type ResultsType `json:"type,omitempty"` + + // Properties is the JSON Schema properties to support key-value pairs results. + // +optional + Properties map[string]PropertySpec `json:"properties,omitempty"` + + // Description is a human-readable description of the result + // +optional + Description string `json:"description,omitempty"` } // TaskRunResult used to describe the results of a task @@ -48,6 +72,9 @@ type TaskRunResult struct { Value ResultValue `json:"value"` } +// TaskRunStepResult is a type alias of TaskRunResult +type TaskRunStepResult = TaskRunResult + // ResultValue is a type alias of ParamValue type ResultValue = ParamValue diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_validation.go index 0d19c2ab0a..27cc4016f3 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_validation.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/result_validation.go @@ -16,7 +16,10 @@ package v1 import ( "context" "fmt" + "regexp" + "github.com/tektoncd/pipeline/pkg/apis/config" + "k8s.io/apimachinery/pkg/util/validation" "knative.dev/pkg/apis" ) 
@@ -28,20 +31,16 @@ func (tr TaskResult) Validate(ctx context.Context) (errs *apis.FieldError) { switch { case tr.Type == ResultsTypeObject: - errs := validateObjectResult(tr) - return errs + errs = errs.Also(validateObjectResult(tr)) case tr.Type == ResultsTypeArray: - return nil // Resources created before the result. Type was introduced may not have Type set // and should be considered valid case tr.Type == "": - return nil // By default, the result type is string case tr.Type != ResultsTypeString: - return apis.ErrInvalidValue(tr.Type, "type", "type must be string") + errs = errs.Also(apis.ErrInvalidValue(tr.Type, "type", "type must be string")) } - - return nil + return errs.Also(tr.validateValue(ctx)) } // validateObjectResult validates the object result and check if the Properties is missing 
@@ -66,3 +65,105 @@ func validateObjectResult(tr TaskResult) (errs *apis.FieldError) { } return nil } + +// validateValue validates the value of the TaskResult. +// It requires that enable-step-actions is true, the value is of type string +// and format $(steps..results.) +func (tr TaskResult) validateValue(ctx context.Context) (errs *apis.FieldError) { + if tr.Value == nil { + return nil + } + if !config.FromContextOrDefaults(ctx).FeatureFlags.EnableStepActions { + return apis.ErrGeneric("feature flag %s should be set to true to fetch Results from Steps using StepActions.", config.EnableStepActions) + } + if tr.Value.Type != ParamTypeString { + return &apis.FieldError{ + Message: fmt.Sprintf( + "Invalid Type. Wanted string but got: \"%v\"", tr.Value.Type), + Paths: []string{ + fmt.Sprintf("%s.type", tr.Name), + }, + } + } + if tr.Value.StringVal != "" { + stepName, resultName, err := ExtractStepResultName(tr.Value.StringVal) + if err != nil { + return &apis.FieldError{ + Message: fmt.Sprintf("%v", err), + Paths: []string{fmt.Sprintf("%s.value", tr.Name)}, + } + } + if e := validation.IsDNS1123Label(stepName); len(e) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: fmt.Sprintf("invalid extracted step name %q", stepName), + Paths: []string{fmt.Sprintf("%s.value", tr.Name)}, + Details: "stepName in $(steps..results.) must be a valid DNS Label, For more info refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", + }) + } + if !resultNameFormatRegex.MatchString(resultName) { + errs = errs.Also(&apis.FieldError{ + Message: fmt.Sprintf("invalid extracted result name %q", resultName), + Paths: []string{fmt.Sprintf("%s.value", tr.Name)}, + Details: fmt.Sprintf("resultName in $(steps..results.) must consist of alphanumeric characters, '-', '_', and must start and end with an alphanumeric character (e.g. 
'MyName', or 'my-name', or 'my_name', regex used for validation is '%s')", ResultNameFormat), + }) + } + } + return errs +} + +// Validate implements apis.Validatable +func (sr StepResult) Validate(ctx context.Context) (errs *apis.FieldError) { + if !resultNameFormatRegex.MatchString(sr.Name) { + return apis.ErrInvalidKeyName(sr.Name, "name", fmt.Sprintf("Name must consist of alphanumeric characters, '-', '_', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my-name', or 'my_name', regex used for validation is '%s')", ResultNameFormat)) + } + + switch { + case sr.Type == ResultsTypeObject: + return validateObjectStepResult(sr) + case sr.Type == ResultsTypeArray: + return nil + // The Type is string by default if it is empty. + case sr.Type == "": + return nil + case sr.Type == ResultsTypeString: + return nil + default: + return apis.ErrInvalidValue(sr.Type, "type", fmt.Sprintf("invalid type %s", sr.Type)) + } +} + +// validateObjectStepResult validates the object result and check if the Properties is missing +// for Properties values it will check if the type is string. +func validateObjectStepResult(sr StepResult) (errs *apis.FieldError) { + if ParamType(sr.Type) == ParamTypeObject && sr.Properties == nil { + return apis.ErrMissingField(fmt.Sprintf("%s.properties", sr.Name)) + } + + invalidKeys := []string{} + for key, propertySpec := range sr.Properties { + // In case we need to support other types in the future like the nested objects #7069 + if propertySpec.Type != ParamTypeString { + invalidKeys = append(invalidKeys, key) + } + } + + if len(invalidKeys) != 0 { + return &apis.FieldError{ + Message: fmt.Sprintf("the value type specified for these keys %v is invalid, the type must be string", invalidKeys), + Paths: []string{fmt.Sprintf("%s.properties", sr.Name)}, + } + } + return nil +} + +// ExtractStepResultName extracts the step name and result name from a string matching +// formtat $(steps..results.). 
+// If a match is not found, an error is retured. +func ExtractStepResultName(value string) (string, string, error) { + re := regexp.MustCompile(`\$\(steps\.(.*?)\.results\.(.*?)\)`) + rs := re.FindStringSubmatch(value) + if len(rs) != 3 { + return "", "", fmt.Errorf("Could not extract step name and result name. Expected value to look like $(steps..results.) but got \"%v\"", value) + } + return rs[1], rs[2], nil +} diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/swagger.json b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/swagger.json index 76d325bfff..d99469bffd 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/swagger.json +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/swagger.json @@ -343,6 +343,14 @@ "description": "Description is a user-facing description of the parameter that may be used to populate a UI.", "type": "string" }, + "enum": { + "description": "Enum declares a set of allowed param input values for tasks/pipelines that can be validated. If Enum is not set, no input validation is performed for the param.", + "type": "array", + "items": { + "type": "string", + "default": "" + } + }, "name": { "description": "Name declares the name by which a parameter is referenced.", "type": "string", @@ -1093,6 +1101,16 @@ } } }, + "v1.Ref": { + "description": "Ref can be used to refer to a specific instance of a StepAction.", + "type": "object", + "properties": { + "name": { + "description": "Name of the referenced step", + "type": "string" + } + } + }, "v1.RefSource": { "description": "RefSource contains the information that can uniquely identify where a remote built definition came from i.e. Git repositories, Tekton Bundles in OCI registry and hub.", "type": "object", 
@@ -1445,6 +1463,28 @@ "description": "OnError defines the exiting behavior of a container on error can be set to [ continue | stopAndFail ]", "type": "string" }, + "params": { + "description": "Params declares parameters passed to this step action.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1.Param" + }, + "x-kubernetes-list-type": "atomic" + }, + "ref": { + "description": "Contains the reference to an existing StepAction.", + "$ref": "#/definitions/v1.Ref" + }, + "results": { + "description": "Results declares StepResults produced by the Step.\n\nThis is field is at an ALPHA stability level and gated by \"enable-step-actions\" feature flag.\n\nIt can be used in an inlined Step when used to store Results to $(step.results.resultName.path). It cannot be used when referencing StepActions using [v1.Step.Ref]. The Results declared by the StepActions will be stored here instead.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1.StepResult" + }, + "x-kubernetes-list-type": "atomic" + }, "script": { "description": "Script is the contents of an executable file to execute.\n\nIf Script is not empty, the Step cannot have an Command and the Args will be passed to the Script.", "type": "string" 
@@ -1512,6 +1552,36 @@ } } }, + "v1.StepResult": { + "description": "StepResult used to describe the Results of a Step.\n\nThis is field is at an ALPHA stability level and gated by \"enable-step-actions\" feature flag.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "description": { + "description": "Description is a human-readable description of the result", + "type": "string" + }, + "name": { + "description": "Name the given name", + "type": "string", + "default": "" + }, + "properties": { + "description": "Properties is the JSON Schema properties to support key-value pairs results.", + "type": "object", + "additionalProperties": { + "default": {}, + "$ref": "#/definitions/v1.PropertySpec" + } + }, + "type": { + "description": "The possible types are 'string', 'array', and 'object', with 'string' as the default.", + "type": "string" + } + } + }, "v1.StepState": { "description": "StepState reports the results of running a step in a Task.", "type": "object", @@ -1525,6 +1595,13 @@ "name": { "type": "string" }, + "results": { + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1.TaskRunResult" + } + }, "running": { "description": "Details about a running container", "$ref": "#/definitions/v1.ContainerStateRunning" @@ -1732,6 +1809,10 @@ "type": { "description": "Type is the user-specified type of the result. The possible type is currently \"string\" and will support \"array\" in following work.", "type": "string" + }, + "value": { + "description": "Value the expression used to retrieve the value of the result from an underlying Step.", + "$ref": "#/definitions/v1.ParamValue" } } }, @@ -1813,7 +1894,7 @@ } }, "v1.TaskRunResult": { - "description": "TaskRunResult used to describe the results of a task", + "description": "TaskRunStepResult is a type alias of TaskRunResult", "type": "object", "required": [ "name", 
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/task_defaults.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/task_defaults.go index 77a38425f2..5d130d43d1 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/task_defaults.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/task_defaults.go @@ -19,6 +19,7 @@ package v1 import ( "context" + "github.com/tektoncd/pipeline/pkg/apis/config" "knative.dev/pkg/apis" ) @@ -31,6 +32,12 @@ func (t *Task) SetDefaults(ctx context.Context) { // SetDefaults set any defaults for the task spec func (ts *TaskSpec) SetDefaults(ctx context.Context) { + cfg := config.FromContextOrDefaults(ctx) + for _, s := range ts.Steps { + if s.Ref != nil && s.Ref.Name == "" && s.Ref.Resolver == "" { + s.Ref.Resolver = ResolverName(cfg.Defaults.DefaultResolverType) + } + } for i := range ts.Params { ts.Params[i].SetDefaults(ctx) } diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/task_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/task_validation.go index e85179d60d..d9686b6735 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/task_validation.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/task_validation.go @@ -20,6 +20,7 @@ import ( "context" "fmt" "path/filepath" + "reflect" "regexp" "strings" "time" 
@@ -129,16 +130,16 @@ func (ts *TaskSpec) ValidateBetaFields(ctx context.Context) *apis.FieldError { // ValidateUsageOfDeclaredParameters validates that all parameters referenced in the Task are declared by the Task. func ValidateUsageOfDeclaredParameters(ctx context.Context, steps []Step, params ParamSpecs) *apis.FieldError { var errs *apis.FieldError - _, _, objectParams := params.sortByType() - allParameterNames := sets.NewString(params.getNames()...) + _, _, objectParams := params.SortByType() + allParameterNames := sets.NewString(params.GetNames()...) errs = errs.Also(validateVariables(ctx, steps, "params", allParameterNames)) errs = errs.Also(validateObjectUsage(ctx, steps, objectParams)) - errs = errs.Also(validateObjectParamsHaveProperties(ctx, params)) + errs = errs.Also(ValidateObjectParamsHaveProperties(ctx, params)) return errs } -// validateObjectParamsHaveProperties returns an error if any declared object params are missing properties -func validateObjectParamsHaveProperties(ctx context.Context, params ParamSpecs) *apis.FieldError { +// ValidateObjectParamsHaveProperties returns an error if any declared object params are missing properties +func ValidateObjectParamsHaveProperties(ctx context.Context, params ParamSpecs) *apis.FieldError { var errs *apis.FieldError for _, p := range params { if p.Type == ParamTypeObject && p.Properties == nil { 
@@ -259,22 +260,122 @@ func validateSteps(ctx context.Context, steps []Step) (errs *apis.FieldError) { names := sets.NewString() for idx, s := range steps { errs = errs.Also(validateStep(ctx, s, names).ViaIndex(idx)) + if s.Results != nil { + errs = errs.Also(ValidateStepResultsVariables(ctx, s.Results, s.Script).ViaIndex(idx)) + errs = errs.Also(ValidateStepResults(ctx, s.Results).ViaIndex(idx).ViaField("results")) + } } return errs } -func validateStep(ctx context.Context, s Step, names sets.String) (errs *apis.FieldError) { - if s.Image == "" { - errs = errs.Also(apis.ErrMissingField("Image")) - } +// isCreateOrUpdateAndDiverged checks if the webhook event was create or update +// if create, it returns true. +// if update, it checks if the step results have diverged and returns if diverged. +// if neither, it returns false. +func isCreateOrUpdateAndDiverged(ctx context.Context, s Step) bool { + if apis.IsInCreate(ctx) { + return true + } + if apis.IsInUpdate(ctx) { + baseline := apis.GetBaseline(ctx) + var baselineStep Step + switch o := baseline.(type) { + case *TaskRun: + if o.Spec.TaskSpec != nil { + for _, step := range o.Spec.TaskSpec.Steps { + if s.Name == step.Name { + baselineStep = step + break + } + } + } + default: + // the baseline is not a taskrun. + // return true so that the validation can happen + return true + } + // If an update event, check if the results have diverged from the baseline + // this way, the feature flag check wont happen. + // This will avoid issues like https://github.com/tektoncd/pipeline/issues/5203 + // when the feature is turned off mid-run. 
+ diverged := !reflect.DeepEqual(s.Results, baselineStep.Results) + return diverged + } + return false +} - if s.Script != "" { +func validateStep(ctx context.Context, s Step, names sets.String) (errs *apis.FieldError) { + if s.Ref != nil { + if !config.FromContextOrDefaults(ctx).FeatureFlags.EnableStepActions && isCreateOrUpdateAndDiverged(ctx, s) { + return apis.ErrGeneric("feature flag %s should be set to true to reference StepActions in Steps.", config.EnableStepActions) + } + errs = errs.Also(s.Ref.Validate(ctx)) + if s.Image != "" { + errs = errs.Also(&apis.FieldError{ + Message: "image cannot be used with Ref", + Paths: []string{"image"}, + }) + } if len(s.Command) > 0 { errs = errs.Also(&apis.FieldError{ - Message: "script cannot be used with command", + Message: "command cannot be used with Ref", + Paths: []string{"command"}, + }) + } + if len(s.Args) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "args cannot be used with Ref", + Paths: []string{"args"}, + }) + } + if s.Script != "" { + errs = errs.Also(&apis.FieldError{ + Message: "script cannot be used with Ref", Paths: []string{"script"}, }) } + if s.Env != nil { + errs = errs.Also(&apis.FieldError{ + Message: "env cannot be used with Ref", + Paths: []string{"env"}, + }) + } + if len(s.VolumeMounts) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "volumeMounts cannot be used with Ref", + Paths: []string{"volumeMounts"}, + }) + } + if len(s.Results) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "results cannot be used with Ref", + Paths: []string{"results"}, + }) + } + } else { + if len(s.Params) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "params cannot be used without Ref", + Paths: []string{"params"}, + }) + } + if len(s.Results) > 0 { + if !config.FromContextOrDefaults(ctx).FeatureFlags.EnableStepActions && isCreateOrUpdateAndDiverged(ctx, s) { + return apis.ErrGeneric("feature flag %s should be set to true in order to use Results in Steps.", config.EnableStepActions) 
+ } + } + if s.Image == "" { + errs = errs.Also(apis.ErrMissingField("Image")) + } + + if s.Script != "" { + if len(s.Command) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "script cannot be used with command", + Paths: []string{"script"}, + }) + } + } } if s.Name != "" { @@ -398,11 +499,12 @@ func (p ParamSpec) ValidateObjectType(ctx context.Context) *apis.FieldError { // ValidateParameterVariables validates all variables within a slice of ParamSpecs against a slice of Steps func ValidateParameterVariables(ctx context.Context, steps []Step, params ParamSpecs) *apis.FieldError { var errs *apis.FieldError - errs = errs.Also(params.validateNoDuplicateNames()) - stringParams, arrayParams, objectParams := params.sortByType() - stringParameterNames := sets.NewString(stringParams.getNames()...) - arrayParameterNames := sets.NewString(arrayParams.getNames()...) - errs = errs.Also(validateNameFormat(stringParameterNames.Insert(arrayParameterNames.List()...), objectParams)) + errs = errs.Also(params.ValidateNoDuplicateNames()) + errs = errs.Also(params.validateParamEnums(ctx).ViaField("params")) + stringParams, arrayParams, objectParams := params.SortByType() + stringParameterNames := sets.NewString(stringParams.GetNames()...) + arrayParameterNames := sets.NewString(arrayParams.GetNames()...) + errs = errs.Also(ValidateNameFormat(stringParameterNames.Insert(arrayParameterNames.List()...), objectParams)) return errs.Also(validateArrayUsage(steps, "params", arrayParameterNames)) } 
@@ -523,8 +625,8 @@ func validateVariables(ctx context.Context, steps []Step, prefix string, vars se return errs } -// validateNameFormat validates that the name format of all param types follows the rules -func validateNameFormat(stringAndArrayParams sets.String, objectParams []ParamSpec) (errs *apis.FieldError) { +// ValidateNameFormat validates that the name format of all param types follows the rules +func ValidateNameFormat(stringAndArrayParams sets.String, objectParams []ParamSpec) (errs *apis.FieldError) { // checking string or array name format // ---- invalidStringAndArrayNames := []string{} @@ -623,3 +725,22 @@ func (ts *TaskSpec) GetIndexingReferencesToArrayParams() sets.String { } return sets.NewString(arrayIndexParamRefs...) } + +// ValidateStepResults validates that all of the declared StepResults are valid. +func ValidateStepResults(ctx context.Context, results []StepResult) (errs *apis.FieldError) { + for index, result := range results { + errs = errs.Also(result.Validate(ctx).ViaIndex(index)) + } + return errs +} + +// ValidateStepResultsVariables validates if the StepResults referenced in step script are defined in step's results. +func ValidateStepResultsVariables(ctx context.Context, results []StepResult, script string) (errs *apis.FieldError) { + resultsNames := sets.NewString() + for _, r := range results { + resultsNames.Insert(r.Name) + } + errs = errs.Also(substitution.ValidateNoReferencesToUnknownVariables(script, "step.results", resultsNames).ViaField("script")) + errs = errs.Also(substitution.ValidateNoReferencesToUnknownVariables(script, "results", resultsNames).ViaField("script")) + return errs +} diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/taskrun_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/taskrun_types.go index cc273950a9..ff78c122df 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/taskrun_types.go 
+++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/taskrun_types.go @@ -179,12 +179,17 @@ const ( // TaskRunReasonResolvingTaskRef indicates that the TaskRun is waiting for // its taskRef to be asynchronously resolved. TaskRunReasonResolvingTaskRef = "ResolvingTaskRef" + // TaskRunReasonResolvingStepActionRef indicates that the TaskRun is waiting for + // its StepAction's Ref to be asynchronously resolved. + TaskRunReasonResolvingStepActionRef = "ResolvingStepActionRef" // TaskRunReasonImagePullFailed is the reason set when the step of a task fails due to image not being pulled TaskRunReasonImagePullFailed TaskRunReason = "TaskRunImagePullFailed" // TaskRunReasonResultLargerThanAllowedLimit is the reason set when one of the results exceeds its maximum allowed limit of 1 KB TaskRunReasonResultLargerThanAllowedLimit TaskRunReason = "TaskRunResultLargerThanAllowedLimit" // TaskRunReasonStopSidecarFailed indicates that the sidecar is not properly stopped. TaskRunReasonStopSidecarFailed = "TaskRunStopSidecarFailed" + // TaskRunReasonInvalidParamValue indicates that the TaskRun Param input value is not allowed. + TaskRunReasonInvalidParamValue = "InvalidParamValue" ) func (t TaskRunReason) String() string { @@ -333,9 +338,10 @@ func (trs *TaskRunStatus) SetCondition(newCond *apis.Condition) { // StepState reports the results of running a step in a Task. type StepState struct { corev1.ContainerState `json:",inline"` - Name string `json:"name,omitempty"` - Container string `json:"container,omitempty"` - ImageID string `json:"imageID,omitempty"` + Name string `json:"name,omitempty"` + Container string `json:"container,omitempty"` + ImageID string `json:"imageID,omitempty"` + Results []TaskRunStepResult `json:"results,omitempty"` } // SidecarState reports the results of running a sidecar in a Task. 
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/zz_generated.deepcopy.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/zz_generated.deepcopy.go index d47e242753..40fe4ba804 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/zz_generated.deepcopy.go @@ -231,6 +231,11 @@ func (in *ParamSpec) DeepCopyInto(out *ParamSpec) { *out = new(ParamValue) (*in).DeepCopyInto(*out) } + if in.Enum != nil { + in, out := &in.Enum, &out.Enum + *out = make([]string, len(*in)) + copy(*out, *in) + } return } @@ -1008,6 +1013,23 @@ func (in *Provenance) DeepCopy() *Provenance { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Ref) DeepCopyInto(out *Ref) { + *out = *in + in.ResolverRef.DeepCopyInto(&out.ResolverRef) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Ref. +func (in *Ref) DeepCopy() *Ref { + if in == nil { + return nil + } + out := new(Ref) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RefSource) DeepCopyInto(out *RefSource) { *out = *in @@ -1263,6 +1285,25 @@ func (in *Step) DeepCopyInto(out *Step) { *out = new(StepOutputConfig) **out = **in } + if in.Ref != nil { + in, out := &in.Ref, &out.Ref + *out = new(Ref) + (*in).DeepCopyInto(*out) + } + if in.Params != nil { + in, out := &in.Params, &out.Params + *out = make(Params, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Results != nil { + in, out := &in.Results, &out.Results + *out = make([]StepResult, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } 
@@ -1292,10 +1333,40 @@ func (in *StepOutputConfig) DeepCopy() *StepOutputConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StepResult) DeepCopyInto(out *StepResult) { + *out = *in + if in.Properties != nil { + in, out := &in.Properties, &out.Properties + *out = make(map[string]PropertySpec, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepResult. +func (in *StepResult) DeepCopy() *StepResult { + if in == nil { + return nil + } + out := new(StepResult) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StepState) DeepCopyInto(out *StepState) { *out = *in in.ContainerState.DeepCopyInto(&out.ContainerState) + if in.Results != nil { + in, out := &in.Results, &out.Results + *out = make([]TaskRunResult, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } @@ -1470,6 +1541,11 @@ func (in *TaskResult) DeepCopyInto(out *TaskResult) { (*out)[key] = val } } + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = new(ParamValue) + (*in).DeepCopyInto(*out) + } return } diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/openapi_generated.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/openapi_generated.go index 876cb0bdc8..3426a815b7 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/openapi_generated.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/openapi_generated.go 
@@ -829,11 +829,76 @@ func schema_pkg_apis_pipeline_v1alpha1_StepActionSpec(ref common.ReferenceCallba Format: "", }, }, + "params": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Params is a list of input parameters required to run the stepAction. Params must be supplied as inputs in Steps unless they declare a defaultvalue.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ParamSpec"), + }, + }, + }, + }, + }, + "results": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Results are values that this StepAction can output", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepResult"), + }, + }, + }, + }, + }, + "securityContext": { + SchemaProps: spec.SchemaProps{ + Description: "SecurityContext defines the security options the Step should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ The value set in StepAction will take precedence over the value from Task.", + Ref: ref("k8s.io/api/core/v1.SecurityContext"), + }, + }, + "volumeMounts": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + "x-kubernetes-patch-merge-key": "mountPath", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Volumes to mount into the Step's filesystem. 
Cannot be updated.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.VolumeMount"), + }, + }, + }, + }, + }, }, }, }, Dependencies: []string{ - "k8s.io/api/core/v1.EnvVar"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ParamSpec", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepResult", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.SecurityContext", "k8s.io/api/core/v1.VolumeMount"}, } } diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_defaults.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_defaults.go index 8b30d937e9..b0471f6648 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_defaults.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_defaults.go @@ -23,4 +23,15 @@ var _ apis.Defaultable = (*StepAction)(nil) // SetDefaults implements apis.Defaultable func (s *StepAction) SetDefaults(ctx context.Context) { + s.Spec.SetDefaults(ctx) +} + +// SetDefaults set any defaults for the StepAction spec +func (ss *StepActionSpec) SetDefaults(ctx context.Context) { + for i := range ss.Params { + ss.Params[i].SetDefaults(ctx) + } + for i := range ss.Results { + ss.Results[i].SetDefaults(ctx) + } } diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_types.go index 03bc560864..4209f1de4c 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_types.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_types.go 
@@ -14,6 +14,7 @@ limitations under the License. package v1alpha1 import ( + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -111,6 +112,28 @@ type StepActionSpec struct { // If Script is not empty, the Step cannot have an Command and the Args will be passed to the Script. // +optional Script string `json:"script,omitempty"` + // Params is a list of input parameters required to run the stepAction. + // Params must be supplied as inputs in Steps unless they declare a defaultvalue. + // +optional + // +listType=atomic + Params v1.ParamSpecs `json:"params,omitempty"` + // Results are values that this StepAction can output + // +optional + // +listType=atomic + Results []v1.StepResult `json:"results,omitempty"` + // SecurityContext defines the security options the Step should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + // The value set in StepAction will take precedence over the value from Task. + // +optional + SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty" protobuf:"bytes,15,opt,name=securityContext"` + // Volumes to mount into the Step's filesystem. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + // +listType=atomic + VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty" patchStrategy:"merge" patchMergeKey:"mountPath" protobuf:"bytes,9,rep,name=volumeMounts"` } // StepActionObject is implemented by StepAction diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_validation.go index 6209026c1b..f2d2ccfb7f 100644 
--- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_validation.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/stepaction_validation.go @@ -15,11 +15,16 @@ package v1alpha1 import ( "context" + "fmt" "strings" "github.com/tektoncd/pipeline/pkg/apis/config" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/validate" + "github.com/tektoncd/pipeline/pkg/substitution" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/sets" "knative.dev/pkg/apis" "knative.dev/pkg/webhook/resourcesemantics" ) 
@@ -58,5 +63,133 @@ func (ss *StepActionSpec) Validate(ctx context.Context) (errs *apis.FieldError)
 errs = errs.Also(config.ValidateEnabledAPIFields(ctx, "windows script support", config.AlphaAPIFields).ViaField("script"))
 }
 }
+ errs = errs.Also(validateUsageOfDeclaredParameters(ctx, *ss))
+ errs = errs.Also(v1.ValidateParameterTypes(ctx, ss.Params).ViaField("params"))
+ errs = errs.Also(validateParameterVariables(ctx, *ss, ss.Params))
+ errs = errs.Also(v1.ValidateStepResultsVariables(ctx, ss.Results, ss.Script))
+ errs = errs.Also(v1.ValidateStepResults(ctx, ss.Results).ViaField("results"))
+ errs = errs.Also(validateVolumeMounts(ss.VolumeMounts, ss.Params).ViaField("volumeMounts"))
+ return errs
+}
+
+// validateUsageOfDeclaredParameters validates that all parameters referenced in the Task are declared by the Task.
+func validateUsageOfDeclaredParameters(ctx context.Context, sas StepActionSpec) *apis.FieldError {
+ params := sas.Params
+ var errs *apis.FieldError
+ _, _, objectParams := params.SortByType()
+ allParameterNames := sets.NewString(params.GetNames()...)
+ errs = errs.Also(validateStepActionVariables(ctx, sas, "params", allParameterNames))
+ errs = errs.Also(validateObjectUsage(ctx, sas, objectParams))
+ errs = errs.Also(v1.ValidateObjectParamsHaveProperties(ctx, params))
+ return errs
+}
+
+func validateVolumeMounts(volumeMounts []corev1.VolumeMount, params v1.ParamSpecs) (errs *apis.FieldError) {
+ if len(volumeMounts) == 0 {
+ return
+ }
+ paramNames := sets.String{}
+ for _, p := range params {
+ paramNames.Insert(p.Name)
+ }
+ for idx, v := range volumeMounts {
+ matches, _ := substitution.ExtractVariableExpressions(v.Name, "params")
+ if len(matches) != 1 {
+ errs = errs.Also(apis.ErrInvalidValue(v.Name, "name", "expect the Name to be a single param reference").ViaIndex(idx))
+ return errs
+ } else if matches[0] != v.Name {
+ errs = errs.Also(apis.ErrInvalidValue(v.Name, "name", "expect the Name to be a single param reference").ViaIndex(idx))
+ return errs
+ }
+ errs = errs.Also(substitution.ValidateNoReferencesToUnknownVariables(v.Name, "params", paramNames).ViaIndex(idx))
+ }
+ return errs
+}
+
+// validateParameterVariables validates all variables within a slice of ParamSpecs against a StepAction
+func validateParameterVariables(ctx context.Context, sas StepActionSpec, params v1.ParamSpecs) *apis.FieldError {
+ var errs *apis.FieldError
+ errs = errs.Also(params.ValidateNoDuplicateNames())
+ stringParams, arrayParams, objectParams := params.SortByType()
+ stringParameterNames := sets.NewString(stringParams.GetNames()...)
+ arrayParameterNames := sets.NewString(arrayParams.GetNames()...)
+ errs = errs.Also(v1.ValidateNameFormat(stringParameterNames.Insert(arrayParameterNames.List()...), objectParams))
+ return errs.Also(validateStepActionArrayUsage(sas, "params", arrayParameterNames))
+}
+
+// validateObjectUsage validates the usage of individual attributes of an object param and the usage of the entire object
+func validateObjectUsage(ctx context.Context, sas StepActionSpec, params v1.ParamSpecs) (errs *apis.FieldError) {
+ objectParameterNames := sets.NewString()
+ for _, p := range params {
+ // collect all names of object type params
+ objectParameterNames.Insert(p.Name)
+
+ // collect all keys for this object param
+ objectKeys := sets.NewString()
+ for key := range p.Properties {
+ objectKeys.Insert(key)
+ }
+
+ // check if the object's key names are referenced correctly i.e. param.objectParam.key1
+ errs = errs.Also(validateStepActionVariables(ctx, sas, fmt.Sprintf("params\\.%s", p.Name), objectKeys))
+ }
+
+ return errs.Also(validateStepActionObjectUsageAsWhole(sas, "params", objectParameterNames))
+}
+
+// validateStepActionObjectUsageAsWhole returns an error if the StepAction contains references to the entire input object params in fields where these references are prohibited
+func validateStepActionObjectUsageAsWhole(sas StepActionSpec, prefix string, vars sets.String) *apis.FieldError {
+ errs := substitution.ValidateNoReferencesToEntireProhibitedVariables(sas.Image, prefix, vars).ViaField("image")
+ errs = errs.Also(substitution.ValidateNoReferencesToEntireProhibitedVariables(sas.Script, prefix, vars).ViaField("script"))
+ for i, cmd := range sas.Command {
+ errs = errs.Also(substitution.ValidateNoReferencesToEntireProhibitedVariables(cmd, prefix, vars).ViaFieldIndex("command", i))
+ }
+ for i, arg := range sas.Args {
+ errs = errs.Also(substitution.ValidateNoReferencesToEntireProhibitedVariables(arg, prefix, vars).ViaFieldIndex("args", i))
+ }
+ for _, env := range sas.Env {
+ errs = errs.Also(substitution.ValidateNoReferencesToEntireProhibitedVariables(env.Value, prefix, vars).ViaFieldKey("env", env.Name))
+ }
+ for i, vm := range sas.VolumeMounts {
+ errs = errs.Also(substitution.ValidateNoReferencesToEntireProhibitedVariables(vm.Name, prefix, vars).ViaFieldIndex("volumeMounts", i))
+ }
+ return errs
+}
+
+// validateStepActionArrayUsage returns an error if the Step contains references to the input array params in fields where these references are prohibited
+func validateStepActionArrayUsage(sas StepActionSpec, prefix string, arrayParamNames sets.String) *apis.FieldError {
+ errs := substitution.ValidateNoReferencesToProhibitedVariables(sas.Image, prefix, arrayParamNames).ViaField("image")
+ errs = errs.Also(substitution.ValidateNoReferencesToProhibitedVariables(sas.Script, prefix, arrayParamNames).ViaField("script"))
+ for i, cmd := range sas.Command {
+ errs = errs.Also(substitution.ValidateVariableReferenceIsIsolated(cmd, prefix, arrayParamNames).ViaFieldIndex("command", i))
+ }
+ for i, arg := range sas.Args {
+ errs = errs.Also(substitution.ValidateVariableReferenceIsIsolated(arg, prefix, arrayParamNames).ViaFieldIndex("args", i))
+ }
+ for _, env := range sas.Env {
+ errs = errs.Also(substitution.ValidateNoReferencesToProhibitedVariables(env.Value, prefix, arrayParamNames).ViaFieldKey("env", env.Name))
+ }
+ for i, vm := range sas.VolumeMounts {
+ errs = errs.Also(substitution.ValidateNoReferencesToProhibitedVariables(vm.Name, prefix, arrayParamNames).ViaFieldIndex("volumeMounts", i))
+ }
+ return errs
+}
+
+// validateStepActionVariables returns an error if the StepAction contains references to any unknown variables
+func validateStepActionVariables(ctx context.Context, sas StepActionSpec, prefix string, vars sets.String) *apis.FieldError {
+ errs := substitution.ValidateNoReferencesToUnknownVariables(sas.Image, prefix, vars).ViaField("image")
+ errs = errs.Also(substitution.ValidateNoReferencesToUnknownVariables(sas.Script, prefix, vars).ViaField("script"))
+ for i, cmd := range sas.Command {
+ errs = errs.Also(substitution.ValidateNoReferencesToUnknownVariables(cmd, prefix, vars).ViaFieldIndex("command", i))
+ }
+ for i, arg := range sas.Args {
+ errs = errs.Also(substitution.ValidateNoReferencesToUnknownVariables(arg, prefix, vars).ViaFieldIndex("args", i))
+ }
+ for _, env := range sas.Env {
+ errs = errs.Also(substitution.ValidateNoReferencesToUnknownVariables(env.Value, prefix, vars).ViaFieldKey("env", env.Name))
+ }
+ for i, vm := range sas.VolumeMounts {
+ errs = errs.Also(substitution.ValidateNoReferencesToUnknownVariables(vm.Name, prefix, vars).ViaFieldIndex("volumeMounts", i))
+ }
 return errs
 }
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/swagger.json b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/swagger.json
index 46e98e44f2..4423cb8c3c 100644
--- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/swagger.json
+++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/swagger.json
@@ -421,9 +421,42 @@ "description": "Image reference name to run for this StepAction. More info: https://kubernetes.io/docs/concepts/containers/images", "type": "string" }, + "params": { + "description": "Params is a list of input parameters required to run the stepAction. Params must be supplied as inputs in Steps unless they declare a defaultvalue.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1.ParamSpec" + }, + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results are values that this StepAction can output", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1.StepResult" + }, + "x-kubernetes-list-type": "atomic" + }, "script": { "description": "Script is the contents of an executable file to execute.\n\nIf Script is not empty, the Step cannot have an Command and the Args will be passed to the Script.", "type": "string" + }, + "securityContext": { + "description": "SecurityContext defines the security options the Step should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ The value set in StepAction will take precedence over the value from Task.", + "$ref": "#/definitions/v1.SecurityContext" + }, + "volumeMounts": { + "description": "Volumes to mount into the Step's filesystem. Cannot be updated.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1.VolumeMount" + }, + "x-kubernetes-list-type": "atomic", + "x-kubernetes-patch-merge-key": "mountPath", + "x-kubernetes-patch-strategy": "merge" } } }, diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go index 494ace1360..c25623d07d 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go 
+++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go @@ -23,6 +23,7 @@ package v1alpha1 import ( pod "github.com/tektoncd/pipeline/pkg/apis/pipeline/pod" + pipelinev1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" v1beta1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -297,6 +298,32 @@ func (in *StepActionSpec) DeepCopyInto(out *StepActionSpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Params != nil { + in, out := &in.Params, &out.Params + *out = make(pipelinev1.ParamSpecs, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Results != nil { + in, out := &in.Results, &out.Results + *out = make([]pipelinev1.StepResult, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.SecurityContext != nil { + in, out := &in.SecurityContext, &out.SecurityContext + *out = new(v1.SecurityContext) + (*in).DeepCopyInto(*out) + } + if in.VolumeMounts != nil { + in, out := &in.VolumeMounts, &out.VolumeMounts + *out = make([]v1.VolumeMount, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_conversion.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_conversion.go index 5bf1365fc7..2e828bc5ad 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_conversion.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_conversion.go 
@@ -22,6 +22,20 @@ import ( v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" ) +func (r Ref) convertTo(ctx context.Context, sink *v1.Ref) { + sink.Name = r.Name + new := v1.ResolverRef{} + r.ResolverRef.convertTo(ctx, &new) + sink.ResolverRef = new +} + +func (r *Ref) convertFrom(ctx context.Context, source v1.Ref) { + r.Name = source.Name + new := ResolverRef{} + new.convertFrom(ctx, source.ResolverRef) + r.ResolverRef = new +} + func (s Step) convertTo(ctx context.Context, sink *v1.Step) { sink.Name = s.Name sink.Image = s.Image @@ -47,6 +61,17 @@ func (s Step) convertTo(ctx context.Context, sink *v1.Step) { sink.OnError = (v1.OnErrorType)(s.OnError) sink.StdoutConfig = (*v1.StepOutputConfig)(s.StdoutConfig) sink.StderrConfig = (*v1.StepOutputConfig)(s.StderrConfig) + if s.Ref != nil { + sink.Ref = &v1.Ref{} + s.Ref.convertTo(ctx, sink.Ref) + } + sink.Params = nil + for _, p := range s.Params { + new := v1.Param{} + p.convertTo(ctx, &new) + sink.Params = append(sink.Params, new) + } + sink.Results = s.Results } func (s *Step) convertFrom(ctx context.Context, source v1.Step) { @@ -74,6 +99,18 @@ func (s *Step) convertFrom(ctx context.Context, source v1.Step) { s.OnError = (OnErrorType)(source.OnError) s.StdoutConfig = (*StepOutputConfig)(source.StdoutConfig) s.StderrConfig = (*StepOutputConfig)(source.StderrConfig) + if source.Ref != nil { + newRef := Ref{} + newRef.convertFrom(ctx, *source.Ref) + s.Ref = &newRef + } + s.Params = nil + for _, p := range source.Params { + new := Param{} + new.ConvertFrom(ctx, p) + s.Params = append(s.Params, new) + } + s.Results = source.Results } func (s StepTemplate) convertTo(ctx context.Context, sink *v1.StepTemplate) { diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_types.go index 980ad392c8..2b2cf7901a 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_types.go 
+++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_types.go @@ -17,6 +17,7 @@ limitations under the License. package v1beta1 import ( + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -228,6 +229,34 @@ type Step struct { // Stores configuration for the stderr stream of the step. // +optional StderrConfig *StepOutputConfig `json:"stderrConfig,omitempty"` + + // Contains the reference to an existing StepAction. + //+optional + Ref *Ref `json:"ref,omitempty"` + // Params declares parameters passed to this step action. + // +optional + // +listType=atomic + Params Params `json:"params,omitempty"` + // Results declares StepResults produced by the Step. + // + // This is field is at an ALPHA stability level and gated by "enable-step-actions" feature flag. + // + // It can be used in an inlined Step when used to store Results to $(step.results.resultName.path). + // It cannot be used when referencing StepActions using [v1beta1.Step.Ref]. + // The Results declared by the StepActions will be stored here instead. + // +optional + // +listType=atomic + Results []v1.StepResult `json:"results,omitempty"` +} + +// Ref can be used to refer to a specific instance of a StepAction. +type Ref struct { + // Name of the referenced step + Name string `json:"name,omitempty"` + // ResolverRef allows referencing a StepAction in a remote location + // like a git repo. + // +optional + ResolverRef `json:",omitempty"` } // OnErrorType defines a list of supported exiting behavior of a container on error diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_validation.go new file mode 100644 index 0000000000..de7319da67 --- /dev/null +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/container_validation.go 
@@ -0,0 +1,62 @@
+/*
+Copyright 2023 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+ "context"
+ "strings"
+
+ "github.com/tektoncd/pipeline/pkg/apis/config"
+ "k8s.io/apimachinery/pkg/util/validation"
+ "knative.dev/pkg/apis"
+)
+
+// Validate ensures that a supplied Ref field is populated
+// correctly. No errors are returned for a nil Ref.
+func (ref *Ref) Validate(ctx context.Context) (errs *apis.FieldError) {
+ if ref == nil {
+ return
+ }
+
+ switch {
+ case ref.Resolver != "" || ref.Params != nil:
+ if ref.Resolver != "" {
+ errs = errs.Also(config.ValidateEnabledAPIFields(ctx, "resolver", config.BetaAPIFields).ViaField("resolver"))
+ if ref.Name != "" {
+ errs = errs.Also(apis.ErrMultipleOneOf("name", "resolver"))
+ }
+ }
+ if ref.Params != nil {
+ errs = errs.Also(config.ValidateEnabledAPIFields(ctx, "resolver params", config.BetaAPIFields).ViaField("params"))
+ if ref.Name != "" {
+ errs = errs.Also(apis.ErrMultipleOneOf("name", "params"))
+ }
+ if ref.Resolver == "" {
+ errs = errs.Also(apis.ErrMissingField("resolver"))
+ }
+ errs = errs.Also(ValidateParameters(ctx, ref.Params))
+ }
+ case ref.Name != "":
+ // Ref name must be a valid k8s name
+ if errSlice := validation.IsQualifiedName(ref.Name); len(errSlice) != 0 {
+ errs = errs.Also(apis.ErrInvalidValue(strings.Join(errSlice, ","), "name"))
+ }
+ default:
+ errs = errs.Also(apis.ErrMissingField("name"))
+ }
+ return errs
+}
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/openapi_generated.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/openapi_generated.go index eba5a87241..d9eaff0ecc 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/openapi_generated.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/openapi_generated.go @@ -76,6 +76,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.PipelineWorkspaceDeclaration": schema_pkg_apis_pipeline_v1beta1_PipelineWorkspaceDeclaration(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.PropertySpec": schema_pkg_apis_pipeline_v1beta1_PropertySpec(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Provenance": schema_pkg_apis_pipeline_v1beta1_Provenance(ref), + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Ref": schema_pkg_apis_pipeline_v1beta1_Ref(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.RefSource": schema_pkg_apis_pipeline_v1beta1_RefSource(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ResolverRef": schema_pkg_apis_pipeline_v1beta1_ResolverRef(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ResultRef": schema_pkg_apis_pipeline_v1beta1_ResultRef(ref), @@ -1329,6 +1330,21 @@ func schema_pkg_apis_pipeline_v1beta1_ParamSpec(ref common.ReferenceCallback) co Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ParamValue"), }, }, + "enum": { + SchemaProps: spec.SchemaProps{ + Description: "Enum declares a set of allowed param input values for tasks/pipelines that can be validated. If Enum is not set, no input validation is performed for the param.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, }, Required: []string{"name"}, }, 
@@ -3054,6 +3070,26 @@ func schema_pkg_apis_pipeline_v1beta1_Provenance(ref common.ReferenceCallback) c } } +func schema_pkg_apis_pipeline_v1beta1_Ref(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Ref can be used to refer to a specific instance of a StepAction.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "Name of the referenced step", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_pipeline_v1beta1_RefSource(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -3878,12 +3914,56 @@ func schema_pkg_apis_pipeline_v1beta1_Step(ref common.ReferenceCallback) common. Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.StepOutputConfig"), }, }, + "ref": { + SchemaProps: spec.SchemaProps{ + Description: "Contains the reference to an existing StepAction.", + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Ref"), + }, + }, + "params": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Params declares parameters passed to this step action.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Param"), + }, + }, + }, + }, + }, + "results": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Results declares StepResults produced by the Step.\n\nThis is field is at an ALPHA stability level and gated by \"enable-step-actions\" feature flag.\n\nIt can be used in an inlined Step when used to store Results to $(step.results.resultName.path). It cannot be used when referencing StepActions using [v1beta1.Step.Ref]. 
The Results declared by the StepActions will be stored here instead.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepResult"), + }, + }, + }, + }, + }, }, Required: []string{"name"}, }, }, Dependencies: []string{ - "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.StepOutputConfig", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.WorkspaceUsage", "k8s.io/api/core/v1.ContainerPort", "k8s.io/api/core/v1.EnvFromSource", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.Lifecycle", "k8s.io/api/core/v1.Probe", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.SecurityContext", "k8s.io/api/core/v1.VolumeDevice", "k8s.io/api/core/v1.VolumeMount", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.StepResult", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Param", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Ref", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.StepOutputConfig", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.WorkspaceUsage", "k8s.io/api/core/v1.ContainerPort", "k8s.io/api/core/v1.EnvFromSource", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.Lifecycle", "k8s.io/api/core/v1.Probe", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.SecurityContext", "k8s.io/api/core/v1.VolumeDevice", "k8s.io/api/core/v1.VolumeMount", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, } } 
@@ -3950,11 +4030,24 @@ func schema_pkg_apis_pipeline_v1beta1_StepState(ref common.ReferenceCallback) co Format: "", }, }, + "results": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.TaskRunResult"), + }, + }, + }, + }, + }, }, }, }, Dependencies: []string{ - "k8s.io/api/core/v1.ContainerStateRunning", "k8s.io/api/core/v1.ContainerStateTerminated", "k8s.io/api/core/v1.ContainerStateWaiting"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.TaskRunResult", "k8s.io/api/core/v1.ContainerStateRunning", "k8s.io/api/core/v1.ContainerStateTerminated", "k8s.io/api/core/v1.ContainerStateWaiting"}, } } @@ -4576,12 +4669,18 @@ func schema_pkg_apis_pipeline_v1beta1_TaskResult(ref common.ReferenceCallback) c Format: "", }, }, + "value": { + SchemaProps: spec.SchemaProps{ + Description: "Value the expression used to retrieve the value of the result from an underlying Step.", + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ParamValue"), + }, + }, }, Required: []string{"name"}, }, }, Dependencies: []string{ - "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.PropertySpec"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ParamValue", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.PropertySpec"}, } } @@ -4842,7 +4941,7 @@ func schema_pkg_apis_pipeline_v1beta1_TaskRunResult(ref common.ReferenceCallback return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TaskRunResult used to describe the results of a task", + Description: "TaskRunStepResult is a type alias of TaskRunResult", Type: []string{"object"}, Properties: map[string]spec.Schema{ "name": { 
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/param_conversion.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/param_conversion.go index 5ac4f50a86..a47206b76e 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/param_conversion.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/param_conversion.go @@ -30,6 +30,7 @@ func (p ParamSpec) convertTo(ctx context.Context, sink *v1.ParamSpec) { sink.Type = v1.ParamType(ParamTypeString) } sink.Description = p.Description + sink.Enum = p.Enum var properties map[string]v1.PropertySpec if p.Properties != nil { properties = make(map[string]v1.PropertySpec) @@ -54,6 +55,7 @@ func (p *ParamSpec) convertFrom(ctx context.Context, source v1.ParamSpec) { p.Type = ParamTypeString } p.Description = source.Description + p.Enum = source.Enum var properties map[string]PropertySpec if source.Properties != nil { properties = make(map[string]PropertySpec) diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/param_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/param_types.go index c703fcd5a4..f0634f8c58 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/param_types.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/param_types.go @@ -22,9 +22,11 @@ import ( "fmt" "strings" + "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/substitution" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/utils/strings/slices" "knative.dev/pkg/apis" ) @@ -53,6 +55,10 @@ type ParamSpec struct { // parameter. // +optional Default *ParamValue `json:"default,omitempty"` + // Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + // If Enum is not set, no input validation is performed for the param. + // +optional + Enum []string `json:"enum,omitempty"` } // ParamSpecs is a list of ParamSpec 
@@ -123,22 +129,52 @@ func (ps ParamSpecs) sortByType() (ParamSpecs, ParamSpecs, ParamSpecs) { // validateNoDuplicateNames returns an error if any of the params have the same name func (ps ParamSpecs) validateNoDuplicateNames() *apis.FieldError { + var errs *apis.FieldError names := ps.getNames() - seen := sets.String{} - dups := sets.String{} + for dup := range findDups(names) { + errs = errs.Also(apis.ErrGeneric("parameter appears more than once", "").ViaFieldKey("params", dup)) + } + return errs +} + +// validateParamEnum validates feature flag, duplication and allowed types for Param Enum +func (ps ParamSpecs) validateParamEnums(ctx context.Context) *apis.FieldError { var errs *apis.FieldError - for _, n := range names { - if seen.Has(n) { - dups.Insert(n) + for _, p := range ps { + if len(p.Enum) == 0 { + continue + } + if !config.FromContextOrDefaults(ctx).FeatureFlags.EnableParamEnum { + errs = errs.Also(errs, apis.ErrGeneric(fmt.Sprintf("feature flag `%s` should be set to true to use Enum", config.EnableParamEnum), "").ViaKey(p.Name)) + } + if p.Type != ParamTypeString { + errs = errs.Also(apis.ErrGeneric("enum can only be set with string type param", "").ViaKey(p.Name)) + } + for dup := range findDups(p.Enum) { + errs = errs.Also(apis.ErrGeneric(fmt.Sprintf("parameter enum value %v appears more than once", dup), "").ViaKey(p.Name)) + } + if p.Default != nil && p.Default.StringVal != "" { + if !slices.Contains(p.Enum, p.Default.StringVal) { + errs = errs.Also(apis.ErrGeneric(fmt.Sprintf("param default value %v not in the enum list", p.Default.StringVal), "").ViaKey(p.Name)) + } } - seen.Insert(n) - } - for n := range dups { - errs = errs.Also(apis.ErrGeneric("parameter appears more than once", "").ViaFieldKey("params", n)) } return errs } +// findDups returns the duplicate element in the given slice +func findDups(vals []string) sets.String { + seen := sets.String{} + dups := sets.String{} + for _, val := range vals { + if seen.Has(val) { + dups.Insert(val) 
+ } + seen.Insert(val) + } + return dups +} + // setDefaultsForProperties sets default type for PropertySpec (string) if it's not specified func (pp *ParamSpec) setDefaultsForProperties() { for key, propertySpec := range pp.Properties { @@ -247,7 +283,7 @@ func (ps ParamSpecs) ExtractDefaultParamArrayLengths() map[string]int { // it would return ["$(params.array-param[1])", "$(params.other-array-param[2])"]. func extractArrayIndexingParamRefs(paramReference string) []string { l := []string{} - list := substitution.ExtractParamsExpressions(paramReference) + list := substitution.ExtractArrayIndexingParamsExpressions(paramReference) for _, val := range list { indexString := substitution.ExtractIndexString(val) if indexString != "" { diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/pipeline_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/pipeline_validation.go index bf384b1c81..7ee9ba354e 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/pipeline_validation.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/pipeline_validation.go 
@@ -452,11 +452,12 @@ func validatePipelineTasksWorkspacesUsage(wss []PipelineWorkspaceDeclaration, pt // ValidatePipelineParameterVariables validates parameters with those specified by each pipeline task, // (1) it validates the type of parameter is either string or array (2) parameter default value matches -// with the type of that param +// with the type of that param (3) no duplication, feature flag and allowed param type when using param enum func ValidatePipelineParameterVariables(ctx context.Context, tasks []PipelineTask, params ParamSpecs) (errs *apis.FieldError) { // validates all the types within a slice of ParamSpecs errs = errs.Also(ValidateParameterTypes(ctx, params).ViaField("params")) errs = errs.Also(params.validateNoDuplicateNames()) + errs = errs.Also(params.validateParamEnums(ctx).ViaField("params")) for i, task := range tasks { errs = errs.Also(task.Params.validateDuplicateParameters().ViaField("params").ViaIndex(i)) } diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_conversion.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_conversion.go index c695de103c..8854a283cb 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_conversion.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_conversion.go @@ -33,6 +33,10 @@ func (r TaskResult) convertTo(ctx context.Context, sink *v1.TaskResult) { } sink.Properties = properties } + if r.Value != nil { + sink.Value = &v1.ParamValue{} + r.Value.convertTo(ctx, sink.Value) + } } func (r *TaskResult) convertFrom(ctx context.Context, source v1.TaskResult) { @@ -46,4 +50,8 @@ func (r *TaskResult) convertFrom(ctx context.Context, source v1.TaskResult) { } r.Properties = properties } + if source.Value != nil { + r.Value = &ParamValue{} + r.Value.convertFrom(ctx, *source.Value) + } } 
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_types.go index b4e3764c89..ec3192d392 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_types.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_types.go @@ -32,6 +32,10 @@ type TaskResult struct { // Description is a human-readable description of the result // +optional Description string `json:"description,omitempty"` + + // Value the expression used to retrieve the value of the result from an underlying Step. + // +optional + Value *ResultValue `json:"value,omitempty"` } // TaskRunResult used to describe the results of a task @@ -48,6 +52,9 @@ type TaskRunResult struct { Value ResultValue `json:"value"` } +// TaskRunStepResult is a type alias of TaskRunResult +type TaskRunStepResult = TaskRunResult + // ResultValue is a type alias of ParamValue type ResultValue = ParamValue diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_validation.go index ab9ee83c35..a9f776b527 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_validation.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/result_validation.go @@ -17,6 +17,9 @@ import ( "context" "fmt" + "github.com/tektoncd/pipeline/pkg/apis/config" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" + "k8s.io/apimachinery/pkg/util/validation" "knative.dev/pkg/apis" ) 
@@ -28,20 +31,16 @@ func (tr TaskResult) Validate(ctx context.Context) (errs *apis.FieldError) { switch { case tr.Type == ResultsTypeObject: - errs := validateObjectResult(tr) - return errs + errs = errs.Also(validateObjectResult(tr)) case tr.Type == ResultsTypeArray: - return errs // Resources created before the result. Type was introduced may not have Type set // and should be considered valid case tr.Type == "": - return nil // By default, the result type is string case tr.Type != ResultsTypeString: - return apis.ErrInvalidValue(tr.Type, "type", "type must be string") + errs = errs.Also(apis.ErrInvalidValue(tr.Type, "type", "type must be string")) } - - return nil + return errs.Also(tr.validateValue(ctx)) } // validateObjectResult validates the object result and check if the Properties is missing 
@@ -66,3 +65,48 @@ func validateObjectResult(tr TaskResult) (errs *apis.FieldError) {
 }
 return nil
 }
+
+// validateValue validates the value of the TaskResult.
+// It requires that enable-step-actions is true, the value is of type string
+// and format $(steps..results.)
+func (tr TaskResult) validateValue(ctx context.Context) (errs *apis.FieldError) {
+ if tr.Value == nil {
+ return nil
+ }
+ if !config.FromContextOrDefaults(ctx).FeatureFlags.EnableStepActions {
+ return apis.ErrGeneric("feature flag %s should be set to true to fetch Results from Steps using StepActions.", config.EnableStepActions)
+ }
+ if tr.Value.Type != ParamTypeString {
+ return &apis.FieldError{
+ Message: fmt.Sprintf(
+ "Invalid Type. Wanted string but got: \"%v\"", tr.Value.Type),
+ Paths: []string{
+ fmt.Sprintf("%s.type", tr.Name),
+ },
+ }
+ }
+ if tr.Value.StringVal != "" {
+ stepName, resultName, err := v1.ExtractStepResultName(tr.Value.StringVal)
+ if err != nil {
+ return &apis.FieldError{
+ Message: fmt.Sprintf("%v", err),
+ Paths: []string{fmt.Sprintf("%s.value", tr.Name)},
+ }
+ }
+ if e := validation.IsDNS1123Label(stepName); len(e) > 0 {
+ errs = errs.Also(&apis.FieldError{
+ Message: fmt.Sprintf("invalid extracted step name %q", stepName),
+ Paths: []string{fmt.Sprintf("%s.value", tr.Name)},
+ Details: "stepName in $(steps..results.) must be a valid DNS Label, For more info refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
+ })
+ }
+ if !resultNameFormatRegex.MatchString(resultName) {
+ errs = errs.Also(&apis.FieldError{
+ Message: fmt.Sprintf("invalid extracted result name %q", resultName),
+ Paths: []string{fmt.Sprintf("%s.value", tr.Name)},
+ Details: fmt.Sprintf("resultName in $(steps..results.) must consist of alphanumeric characters, '-', '_', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my-name', or 'my_name', regex used for validation is '%s')", ResultNameFormat),
+ })
+ }
+ }
+ return errs
+}
diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/swagger.json b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/swagger.json index 4ff7d3d43a..63c4af3d15 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/swagger.json +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/swagger.json @@ -624,6 +624,14 @@ "description": "Description is a user-facing description of the parameter that may be used to populate a UI.", "type": "string" }, + "enum": { + "description": "Enum declares a set of allowed param input values for tasks/pipelines that can be validated. If Enum is not set, no input validation is performed for the param.", + "type": "array", + "items": { + "type": "string", + "default": "" + } + }, "name": { "description": "Name declares the name by which a parameter is referenced.", "type": "string", @@ -1555,6 +1563,16 @@ } } }, + "v1beta1.Ref": { + "description": "Ref can be used to refer to a specific instance of a StepAction.", + "type": "object", + "properties": { + "name": { + "description": "Name of the referenced step", + "type": "string" + } + } + }, "v1beta1.RefSource": { "description": "RefSource contains the information that can uniquely identify where a remote built definition came from i.e. Git repositories, Tekton Bundles in OCI registry and hub.", "type": "object", 
@@ -2052,6 +2070,15 @@ "description": "OnError defines the exiting behavior of a container on error can be set to [ continue | stopAndFail ]", "type": "string" }, + "params": { + "description": "Params declares parameters passed to this step action.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1beta1.Param" + }, + "x-kubernetes-list-type": "atomic" + }, "ports": { "description": "List of ports to expose from the Step's container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default \"0.0.0.0\" address inside a container will be accessible from the network. Cannot be updated.\n\nDeprecated: This field will be removed in a future release.", "type": "array", 
@@ -2071,11 +2098,24 @@ "description": "Periodic probe of container service readiness. Step will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes\n\nDeprecated: This field will be removed in a future release.", "$ref": "#/definitions/v1.Probe" }, + "ref": { + "description": "Contains the reference to an existing StepAction.", + "$ref": "#/definitions/v1beta1.Ref" + }, "resources": { "description": "Compute Resources required by this Step. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "default": {}, "$ref": "#/definitions/v1.ResourceRequirements" }, + "results": { + "description": "Results declares StepResults produced by the Step.\n\nThis is field is at an ALPHA stability level and gated by \"enable-step-actions\" feature flag.\n\nIt can be used in an inlined Step when used to store Results to $(step.results.resultName.path). It cannot be used when referencing StepActions using [v1beta1.Step.Ref]. The Results declared by the StepActions will be stored here instead.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1.StepResult" + }, + "x-kubernetes-list-type": "atomic" + }, "script": { "description": "Script is the contents of an executable file to execute.\n\nIf Script is not empty, the Step cannot have an Command and the Args will be passed to the Script.", "type": "string" @@ -2180,6 +2220,13 @@ "name": { "type": "string" }, + "results": { + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/v1beta1.TaskRunResult" + } + }, "running": { "description": "Details about a running container", "$ref": "#/definitions/v1.ContainerStateRunning" 
@@ -2533,6 +2580,10 @@ "type": { "description": "Type is the user-specified type of the result. The possible type is currently \"string\" and will support \"array\" in following work.", "type": "string" + }, + "value": { + "description": "Value the expression used to retrieve the value of the result from an underlying Step.", + "$ref": "#/definitions/v1beta1.ParamValue" } } }, @@ -2660,7 +2711,7 @@ } }, "v1beta1.TaskRunResult": { - "description": "TaskRunResult used to describe the results of a task", + "description": "TaskRunStepResult is a type alias of TaskRunResult", "type": "object", "required": [ "name", diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/task_validation.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/task_validation.go index 36646a4d1d..b87039a600 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/task_validation.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/task_validation.go @@ -20,12 +20,14 @@ import ( "context" "fmt" "path/filepath" + "reflect" "regexp" "strings" "time" "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/apis/pipeline" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/validate" "github.com/tektoncd/pipeline/pkg/substitution" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" 
@@ -265,22 +267,122 @@ func validateSteps(ctx context.Context, steps []Step) (errs *apis.FieldError) { names := sets.NewString() for idx, s := range steps { errs = errs.Also(validateStep(ctx, s, names).ViaIndex(idx)) + if s.Results != nil { + errs = errs.Also(v1.ValidateStepResultsVariables(ctx, s.Results, s.Script).ViaIndex(idx)) + errs = errs.Also(v1.ValidateStepResults(ctx, s.Results).ViaIndex(idx).ViaField("results")) + } } return errs } -func validateStep(ctx context.Context, s Step, names sets.String) (errs *apis.FieldError) { - if s.Image == "" { - errs = errs.Also(apis.ErrMissingField("Image")) - } +// isCreateOrUpdateAndDiverged checks if the webhook event was create or update +// if create, it returns true. +// if update, it checks if the step results have diverged and returns if diverged. +// if neither, it returns false. +func isCreateOrUpdateAndDiverged(ctx context.Context, s Step) bool { + if apis.IsInCreate(ctx) { + return true + } + if apis.IsInUpdate(ctx) { + baseline := apis.GetBaseline(ctx) + var baselineStep Step + switch o := baseline.(type) { + case *TaskRun: + if o.Spec.TaskSpec != nil { + for _, step := range o.Spec.TaskSpec.Steps { + if s.Name == step.Name { + baselineStep = step + break + } + } + } + default: + // the baseline is not a taskrun. + // return true so that the validation can happen + return true + } + // If an update event, check if the results have diverged from the baseline + // this way, the feature flag check wont happen. + // This will avoid issues like https://github.com/tektoncd/pipeline/issues/5203 + // when the feature is turned off mid-run. 
+ diverged := !reflect.DeepEqual(s.Results, baselineStep.Results) + return diverged + } + return false +} - if s.Script != "" { +func validateStep(ctx context.Context, s Step, names sets.String) (errs *apis.FieldError) { + if s.Ref != nil { + if !config.FromContextOrDefaults(ctx).FeatureFlags.EnableStepActions && isCreateOrUpdateAndDiverged(ctx, s) { + return apis.ErrGeneric("feature flag %s should be set to true to reference StepActions in Steps.", config.EnableStepActions) + } + errs = errs.Also(s.Ref.Validate(ctx)) + if s.Image != "" { + errs = errs.Also(&apis.FieldError{ + Message: "image cannot be used with Ref", + Paths: []string{"image"}, + }) + } if len(s.Command) > 0 { errs = errs.Also(&apis.FieldError{ - Message: "script cannot be used with command", + Message: "command cannot be used with Ref", + Paths: []string{"command"}, + }) + } + if len(s.Args) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "args cannot be used with Ref", + Paths: []string{"args"}, + }) + } + if s.Script != "" { + errs = errs.Also(&apis.FieldError{ + Message: "script cannot be used with Ref", Paths: []string{"script"}, }) } + if s.Env != nil { + errs = errs.Also(&apis.FieldError{ + Message: "env cannot be used with Ref", + Paths: []string{"env"}, + }) + } + if len(s.VolumeMounts) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "volumeMounts cannot be used with Ref", + Paths: []string{"volumeMounts"}, + }) + } + if len(s.Results) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "results cannot be used with Ref", + Paths: []string{"results"}, + }) + } + } else { + if len(s.Params) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "params cannot be used without Ref", + Paths: []string{"params"}, + }) + } + if len(s.Results) > 0 { + if !config.FromContextOrDefaults(ctx).FeatureFlags.EnableStepActions && isCreateOrUpdateAndDiverged(ctx, s) { + return apis.ErrGeneric("feature flag %s should be set to true in order to use Results in Steps.", config.EnableStepActions) 
+ } + } + if s.Image == "" { + errs = errs.Also(apis.ErrMissingField("Image")) + } + + if s.Script != "" { + if len(s.Command) > 0 { + errs = errs.Also(&apis.FieldError{ + Message: "script cannot be used with command", + Paths: []string{"script"}, + }) + } + } } if s.Name != "" { @@ -405,6 +507,7 @@ func (p ParamSpec) ValidateObjectType(ctx context.Context) *apis.FieldError { func ValidateParameterVariables(ctx context.Context, steps []Step, params ParamSpecs) *apis.FieldError { var errs *apis.FieldError errs = errs.Also(params.validateNoDuplicateNames()) + errs = errs.Also(params.validateParamEnums(ctx).ViaField("params")) stringParams, arrayParams, objectParams := params.sortByType() stringParameterNames := sets.NewString(stringParams.getNames()...) arrayParameterNames := sets.NewString(arrayParams.getNames()...) diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/taskrun_conversion.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/taskrun_conversion.go index ed3fcc5856..f2e847c612 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/taskrun_conversion.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/taskrun_conversion.go @@ -330,6 +330,12 @@ func (ss StepState) convertTo(ctx context.Context, sink *v1.StepState) { sink.Name = ss.Name sink.Container = ss.ContainerName sink.ImageID = ss.ImageID + sink.Results = nil + for _, r := range ss.Results { + new := v1.TaskRunStepResult{} + r.convertTo(ctx, &new) + sink.Results = append(sink.Results, new) + } } func (ss *StepState) convertFrom(ctx context.Context, source v1.StepState) { 
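Review bot: In `isCreateOrUpdateAndDiverged`, the update path compares only `s.Results` with the baseline step, yet `validateStep` also calls the helper to gate `s.Ref`; a step with a `Ref` must have empty `Results`, so on an update the comparison will normally report no divergence and the `enable-step-actions` check is skipped even when the `Ref` itself is new. Comparing the reference too, e.g. `diverged := !reflect.DeepEqual(s.Results, baselineStep.Results) || !reflect.DeepEqual(s.Ref, baselineStep.Ref)`, would keep the gate effective, unless a check outside this hunk already makes the spec immutable on update. Separately, `apis.ErrGeneric` takes a message plus field paths rather than format arguments, so the `%s` in both feature-flag messages appears to stay literal and the flag name is reported as a path; wrapping the message in `fmt.Sprintf` would interpolate it. In the non-Ref branch the early `return apis.ErrGeneric(...)` also discards the `params cannot be used without Ref` error collected just before it. `validateStep` continues past the end of the hunk, and the file is vendored, so these belong upstream.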
@@ -337,6 +343,12 @@ func (ss *StepState) convertFrom(ctx context.Context, source v1.StepState) { ss.Name = source.Name ss.ContainerName = source.Container ss.ImageID = source.ImageID + ss.Results = nil + for _, r := range source.Results { + new := TaskRunStepResult{} + new.convertFrom(ctx, r) + ss.Results = append(ss.Results, new) + } } func (trr TaskRunResult) convertTo(ctx context.Context, sink *v1.TaskRunResult) { diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/taskrun_types.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/taskrun_types.go index 2b869121d2..a12676acb0 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/taskrun_types.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/taskrun_types.go @@ -367,9 +367,10 @@ func (trs *TaskRunStatus) SetCondition(newCond *apis.Condition) { // StepState reports the results of running a step in a Task. type StepState struct { corev1.ContainerState `json:",inline"` - Name string `json:"name,omitempty"` - ContainerName string `json:"container,omitempty"` - ImageID string `json:"imageID,omitempty"` + Name string `json:"name,omitempty"` + ContainerName string `json:"container,omitempty"` + ImageID string `json:"imageID,omitempty"` + Results []TaskRunStepResult `json:"results,omitempty"` } // SidecarState reports the results of running a sidecar in a Task. diff --git a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/zz_generated.deepcopy.go index aa44da6184..2dd4fd8edb 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/zz_generated.deepcopy.go 
@@ -24,6 +24,7 @@ package v1beta1 import ( config "github.com/tektoncd/pipeline/pkg/apis/config" pod "github.com/tektoncd/pipeline/pkg/apis/pipeline/pod" + pipelinev1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" v1alpha1 "github.com/tektoncd/pipeline/pkg/apis/resource/v1alpha1" runv1beta1 "github.com/tektoncd/pipeline/pkg/apis/run/v1beta1" result "github.com/tektoncd/pipeline/pkg/result" @@ -515,6 +516,11 @@ func (in *ParamSpec) DeepCopyInto(out *ParamSpec) { *out = new(ParamValue) (*in).DeepCopyInto(*out) } + if in.Enum != nil { + in, out := &in.Enum, &out.Enum + *out = make([]string, len(*in)) + copy(*out, *in) + } return } @@ -1455,6 +1461,23 @@ func (in *Provenance) DeepCopy() *Provenance { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Ref) DeepCopyInto(out *Ref) { + *out = *in + in.ResolverRef.DeepCopyInto(&out.ResolverRef) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Ref. +func (in *Ref) DeepCopy() *Ref { + if in == nil { + return nil + } + out := new(Ref) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RefSource) DeepCopyInto(out *RefSource) { *out = *in @@ -1735,6 +1758,25 @@ func (in *Step) DeepCopyInto(out *Step) { *out = new(StepOutputConfig) **out = **in } + if in.Ref != nil { + in, out := &in.Ref, &out.Ref + *out = new(Ref) + (*in).DeepCopyInto(*out) + } + if in.Params != nil { + in, out := &in.Params, &out.Params + *out = make(Params, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Results != nil { + in, out := &in.Results, &out.Results + *out = make([]pipelinev1.StepResult, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } 
@@ -1768,6 +1810,13 @@ func (in *StepOutputConfig) DeepCopy() *StepOutputConfig { func (in *StepState) DeepCopyInto(out *StepState) { *out = *in in.ContainerState.DeepCopyInto(&out.ContainerState) + if in.Results != nil { + in, out := &in.Results, &out.Results + *out = make([]TaskRunResult, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } @@ -2032,6 +2081,11 @@ func (in *TaskResult) DeepCopyInto(out *TaskResult) { (*out)[key] = val } } + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = new(ParamValue) + (*in).DeepCopyInto(*out) + } return } diff --git a/vendor/github.com/tektoncd/pipeline/pkg/result/result.go b/vendor/github.com/tektoncd/pipeline/pkg/result/result.go index cfcbc3e90a..515fe9a602 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/result/result.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/result/result.go @@ -33,6 +33,8 @@ const ( InternalTektonResultType = 3 // UnknownResultType default unknown result type value UnknownResultType = 10 + // StepResultType default step result value + StepResultType ResultType = 4 ) // RunResult is used to write key/value pairs to TaskRun pod termination messages. @@ -80,6 +82,8 @@ func (r *ResultType) UnmarshalJSON(data []byte) error { } switch asString { + case "StepResult": + *r = StepResultType case "TaskRunResult": *r = TaskRunResultType case "InternalTektonResult": diff --git a/vendor/github.com/tektoncd/pipeline/pkg/substitution/substitution.go b/vendor/github.com/tektoncd/pipeline/pkg/substitution/substitution.go index 69b2c0d827..8e1acab2fe 100644 --- a/vendor/github.com/tektoncd/pipeline/pkg/substitution/substitution.go +++ b/vendor/github.com/tektoncd/pipeline/pkg/substitution/substitution.go 
@@ -334,11 +334,25 @@ func TrimArrayIndex(s string) string { return arrayIndexingRegex.ReplaceAllString(s, "") } -// ExtractParamsExpressions will find all `$(params.paramName[int])` expressions -func ExtractParamsExpressions(s string) []string { +// ExtractArrayIndexingParamsExpressions will find all `$(params.paramName[int])` expressions +func ExtractArrayIndexingParamsExpressions(s string) []string { return paramIndexingRegex.FindAllString(s, -1) } +func ExtractVariableExpressions(s, prefix string) ([]string, error) { + pattern := fmt.Sprintf(braceMatchingRegex, prefix, parameterSubstitution, parameterSubstitution, parameterSubstitution) + re, err := regexp.Compile(pattern) + if err != nil { + return nil, fmt.Errorf("failed to parse regex pattern: %w", err) + } + + matches := re.FindAllString(s, -1) + if len(matches) == 0 { + return []string{}, nil + } + return matches, nil +} + // ExtractIndexString will find the leftmost match of `[int]` func ExtractIndexString(s string) string { return intIndexRegex.FindString(s) diff --git a/vendor/github.com/tektoncd/pipeline/test/parse/yaml.go b/vendor/github.com/tektoncd/pipeline/test/parse/yaml.go index 3ee9f8349a..8b0a30e11c 100644 --- a/vendor/github.com/tektoncd/pipeline/test/parse/yaml.go +++ b/vendor/github.com/tektoncd/pipeline/test/parse/yaml.go @@ -23,6 +23,17 @@ import ( "k8s.io/apimachinery/pkg/runtime" ) +// MustParseV1alpha1StepAction takes YAML and parses it into a *v1alpha1.StepAction +func MustParseV1alpha1StepAction(t *testing.T, yaml string) *v1alpha1.StepAction { + t.Helper() + var sa v1alpha1.StepAction + yaml = `apiVersion: tekton.dev/v1alpha1 +kind: StepAction +` + yaml + mustParseYAML(t, yaml, &sa) + return &sa +} + // MustParseV1beta1TaskRun takes YAML and parses it into a *v1beta1.TaskRun func MustParseV1beta1TaskRun(t *testing.T, yaml string) *v1beta1.TaskRun { t.Helper() 
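Review bot: `ExtractVariableExpressions` interpolates `prefix` into `braceMatchingRegex` with `fmt.Sprintf` and compiles the result on every call, so any regex metacharacter in the prefix (a `.` for instance) is read as pattern syntax rather than matched literally. If the prefix is meant to be a literal, passing `regexp.QuoteMeta(prefix)` as the first argument makes that explicit; `braceMatchingRegex` is defined outside this hunk, so confirm how it consumes the argument. The exported function has no doc comment; it should say that it returns every match for variables under `prefix`, and that the `len(matches) == 0` branch exists only to return a non-nil empty slice. The rename of `ExtractParamsExpressions` in the same hunk removes an exported name, so any caller outside `vendor/` needs checking against this bump.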
diff --git a/vendor/github.com/theupdateframework/go-tuf/.golangci.yml b/vendor/github.com/theupdateframework/go-tuf/.golangci.yml index 570c05d60d..992c1190a5 100644 --- a/vendor/github.com/theupdateframework/go-tuf/.golangci.yml +++ b/vendor/github.com/theupdateframework/go-tuf/.golangci.yml @@ -1,9 +1,3 @@ -run: - # Lint using Go 1.17, since some linters are disabled by default for Go 1.18 - # until generics are supported. - # See https://github.com/golangci/golangci-lint/issues/2649 - go: '1.17' - linters: disable-all: true enable: diff --git a/vendor/github.com/theupdateframework/go-tuf/README.md b/vendor/github.com/theupdateframework/go-tuf/README.md index 125978c1cf..fe2836743d 100644 --- a/vendor/github.com/theupdateframework/go-tuf/README.md +++ b/vendor/github.com/theupdateframework/go-tuf/README.md @@ -35,7 +35,7 @@ The directories contain the following files: `go-tuf` is tested on Go versions 1.18. ```bash -go get github.com/theupdateframework/go-tuf/cmd/tuf +go install github.com/theupdateframework/go-tuf/cmd/tuf@latest ``` ### Commands @@ -653,3 +653,10 @@ install tuf`). To update the data for these tests requires Docker and make (see test data [README.md](client/python_interop/testdata/README.md) for details). Please see [CONTRIBUTING.md](docs/CONTRIBUTING.md) for contribution guidelines before making your first contribution! + +## Comparison to other implementations + +There are TUF implementations in a variety of programming languages. Some other Go implementations of TUF include: + +* [Notary](https://github.com/notaryproject/notary): A version of TUF designed specifically for publishing and managing trusted collections of content. It was used by Docker Content Trust, and has since been superseded by the [Notation](https://github.com/notaryproject/notation) project. In contrast, go-tuf is a direct implementation of TUF and has been updated to conform to 1.0.0 of the TUF specification. + 
diff --git a/vendor/github.com/theupdateframework/go-tuf/data/types.go b/vendor/github.com/theupdateframework/go-tuf/data/types.go index 3e1806bde5..eb00489b67 100644 --- a/vendor/github.com/theupdateframework/go-tuf/data/types.go +++ b/vendor/github.com/theupdateframework/go-tuf/data/types.go @@ -24,9 +24,12 @@ type HashAlgorithm string const ( KeyIDLength = sha256.Size * 2 - KeyTypeEd25519 KeyType = "ed25519" - KeyTypeECDSA_SHA2_P256 KeyType = "ecdsa-sha2-nistp256" - KeyTypeRSASSA_PSS_SHA256 KeyType = "rsa" + KeyTypeEd25519 KeyType = "ed25519" + // From version 1.0.32, the reference implementation defines 'ecdsa', + // not 'ecdsa-sha2-nistp256' for NIST P-256 curves. + KeyTypeECDSA_SHA2_P256 KeyType = "ecdsa" + KeyTypeECDSA_SHA2_P256_OLD_FMT KeyType = "ecdsa-sha2-nistp256" + KeyTypeRSASSA_PSS_SHA256 KeyType = "rsa" KeySchemeEd25519 KeyScheme = "ed25519" KeySchemeECDSA_SHA2_P256 KeyScheme = "ecdsa-sha2-nistp256" diff --git a/vendor/github.com/theupdateframework/go-tuf/encrypted/encrypted.go b/vendor/github.com/theupdateframework/go-tuf/encrypted/encrypted.go index 4d174d61f9..b884d611e4 100644 --- a/vendor/github.com/theupdateframework/go-tuf/encrypted/encrypted.go +++ b/vendor/github.com/theupdateframework/go-tuf/encrypted/encrypted.go @@ -3,6 +3,10 @@ // // It uses scrypt derive a key from the passphrase and the NaCl secret box // cipher for authenticated encryption. +// +// Deprecated: The encrypted package from go-tuf is already moved to +// https://github.com/secure-systems-lab/go-securesystemslib and will be deprecated here. +// Use github.com/secure-systems-lab/go-securesystemslib/encrypted instead. package encrypted import ( 
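Review bot: `KeyTypeECDSA_SHA2_P256` keeps its name but changes value from `"ecdsa-sha2-nistp256"` to `"ecdsa"`, so any code that compares a stored key type against this constant, or writes it into metadata, changes behaviour silently with this bump. The added comment explains only where the new string comes from; it should also say what the old one is still for, e.g. `// KeyTypeECDSA_SHA2_P256_OLD_FMT is the earlier key type string, still accepted for existing keys.` The ecdsa.go hunk later in this diff registers a verifier and a signer under both strings, which suggests that is the intent. `KeySchemeECDSA_SHA2_P256` keeps the longer string, so key type and scheme no longer match textually, which is worth a word in the same comment.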
@@ -23,13 +27,46 @@ const ( boxNonceSize = 24 ) +// KDFParameterStrength defines the KDF parameter strength level to be used for +// encryption key derivation. +type KDFParameterStrength uint8 + const ( - // N parameter was chosen to be ~100ms of work using the default implementation - // on the 2.3GHz Core i7 Haswell processor in a late-2013 Apple Retina Macbook - // Pro (it takes ~113ms). - scryptN = 32768 - scryptR = 8 - scryptP = 1 + // Legacy defines legacy scrypt parameters (N:2^15, r:8, p:1) + Legacy KDFParameterStrength = iota + 1 + // Standard defines standard scrypt parameters which is focusing 100ms of computation (N:2^16, r:8, p:1) + Standard + // OWASP defines OWASP recommended scrypt parameters (N:2^17, r:8, p:1) + OWASP +) + +var ( + // legacyParams represents old scrypt derivation parameters for backward + // compatibility. + legacyParams = scryptParams{ + N: 32768, // 2^15 + R: 8, + P: 1, + } + + // standardParams defines scrypt parameters based on the scrypt creator + // recommendation to limit key derivation in time boxed to 100ms. + standardParams = scryptParams{ + N: 65536, // 2^16 + R: 8, + P: 1, + } + + // owaspParams defines scrypt parameters recommended by OWASP + owaspParams = scryptParams{ + N: 131072, // 2^17 + R: 8, + P: 1, + } + + // defaultParams defines scrypt parameters which will be used to generate a + // new key. + defaultParams = standardParams ) const ( 
@@ -49,19 +86,33 @@ type scryptParams struct { P int `json:"p"` } -func newScryptKDF() (scryptKDF, error) { +func (sp *scryptParams) Equal(in *scryptParams) bool { + return in != nil && sp.N == in.N && sp.P == in.P && sp.R == in.R +} + +func newScryptKDF(level KDFParameterStrength) (scryptKDF, error) { salt := make([]byte, saltSize) if err := fillRandom(salt); err != nil { - return scryptKDF{}, err + return scryptKDF{}, fmt.Errorf("unable to generate a random salt: %w", err) + } + + var params scryptParams + switch level { + case Legacy: + params = legacyParams + case Standard: + params = standardParams + case OWASP: + params = owaspParams + default: + // Fallback to default parameters + params = defaultParams } + return scryptKDF{ - Name: nameScrypt, - Params: scryptParams{ - N: scryptN, - R: scryptR, - P: scryptP, - }, - Salt: salt, + Name: nameScrypt, + Params: params, + Salt: salt, }, nil } @@ -79,9 +130,14 @@ func (s *scryptKDF) Key(passphrase []byte) ([]byte, error) { // be. If we do not do this, an attacker could cause a DoS by tampering with // them. func (s *scryptKDF) CheckParams() error { - if s.Params.N != scryptN || s.Params.R != scryptR || s.Params.P != scryptP { - return errors.New("encrypted: unexpected kdf parameters") + switch { + case legacyParams.Equal(&s.Params): + case standardParams.Equal(&s.Params): + case owaspParams.Equal(&s.Params): + default: + return errors.New("unsupported scrypt parameters") } + return nil } 
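Review bot: In `newScryptKDF`, the `default` branch silently maps any unrecognised `KDFParameterStrength` to `defaultParams`, and because `Legacy` starts at `iota + 1` the zero value takes that branch as well. For a work-factor setting this should be stated where callers read it, e.g. on the type: `// The zero value and any unknown level select the default (Standard) parameters.` In the `CheckParams` hunk on the same line, the three empty `case` arms rely on Go's no-fallthrough rule to mean "accepted"; a short comment such as `// known parameter set: accept` on the first arm would make that obvious. The new error string also drops the `encrypted:` prefix the old one carried, which matters to anything matching on the message.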
@@ -151,7 +207,14 @@ func (s *secretBoxCipher) Decrypt(ciphertext, key []byte) ([]byte, error) { // Encrypt takes a passphrase and plaintext, and returns a JSON object // containing ciphertext and the details necessary to decrypt it. func Encrypt(plaintext, passphrase []byte) ([]byte, error) { - k, err := newScryptKDF() + return EncryptWithCustomKDFParameters(plaintext, passphrase, Standard) +} + +// EncryptWithCustomKDFParameters takes a passphrase, the plaintext and a KDF +// parameter level (Legacy, Standard, or OWASP), and returns a JSON object +// containing ciphertext and the details necessary to decrypt it. +func EncryptWithCustomKDFParameters(plaintext, passphrase []byte, kdfLevel KDFParameterStrength) ([]byte, error) { + k, err := newScryptKDF(kdfLevel) if err != nil { return nil, err } @@ -176,11 +239,16 @@ func Encrypt(plaintext, passphrase []byte) ([]byte, error) { // Marshal encrypts the JSON encoding of v using passphrase. func Marshal(v interface{}, passphrase []byte) ([]byte, error) { + return MarshalWithCustomKDFParameters(v, passphrase, Standard) +} + +// MarshalWithCustomKDFParameters encrypts the JSON encoding of v using passphrase. +func MarshalWithCustomKDFParameters(v interface{}, passphrase []byte, kdfLevel KDFParameterStrength) ([]byte, error) { data, err := json.MarshalIndent(v, "", "\t") if err != nil { return nil, err } - return Encrypt(data, passphrase) + return EncryptWithCustomKDFParameters(data, passphrase, kdfLevel) } // Decrypt takes a JSON-encoded ciphertext object encrypted using Encrypt and diff --git a/vendor/github.com/theupdateframework/go-tuf/local_store.go b/vendor/github.com/theupdateframework/go-tuf/local_store.go index fee03f314e..b59721e61c 100644 --- a/vendor/github.com/theupdateframework/go-tuf/local_store.go +++ b/vendor/github.com/theupdateframework/go-tuf/local_store.go 
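Review bot: `Encrypt` and `Marshal` now hard-code `Standard`, while the parameter block has its own `defaultParams = standardParams`, so the default work factor is defined in two places that can drift apart. Either route both through one named default or record the coupling in a comment beside `defaultParams`. The doc comments on `Encrypt` and `Marshal` should also say that output is now produced with N=2^16 instead of the previous 32768: the removed `CheckParams` accepted only the old values, so a reader still on the earlier version would reject files written after this bump. The body that follows `newScryptKDF(kdfLevel)` continues outside the hunk.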
@@ -12,8 +12,8 @@ import ( "path/filepath" "strings" + "github.com/secure-systems-lab/go-securesystemslib/encrypted" "github.com/theupdateframework/go-tuf/data" - "github.com/theupdateframework/go-tuf/encrypted" "github.com/theupdateframework/go-tuf/internal/fsutil" "github.com/theupdateframework/go-tuf/internal/sets" "github.com/theupdateframework/go-tuf/pkg/keys" diff --git a/vendor/github.com/theupdateframework/go-tuf/pkg/keys/ecdsa.go b/vendor/github.com/theupdateframework/go-tuf/pkg/keys/ecdsa.go index ee93e33007..9740d1f33c 100644 --- a/vendor/github.com/theupdateframework/go-tuf/pkg/keys/ecdsa.go +++ b/vendor/github.com/theupdateframework/go-tuf/pkg/keys/ecdsa.go @@ -20,7 +20,9 @@ func init() { // Note: we use LoadOrStore here to prevent accidentally overriding the // an explicit deprecated ECDSA verifier. // TODO: When deprecated ECDSA is removed, this can switch back to Store. + VerifierMap.LoadOrStore(data.KeyTypeECDSA_SHA2_P256_OLD_FMT, NewEcdsaVerifier) VerifierMap.LoadOrStore(data.KeyTypeECDSA_SHA2_P256, NewEcdsaVerifier) + SignerMap.Store(data.KeyTypeECDSA_SHA2_P256_OLD_FMT, newEcdsaSigner) SignerMap.Store(data.KeyTypeECDSA_SHA2_P256, newEcdsaSigner) } diff --git a/vendor/github.com/theupdateframework/go-tuf/repo.go b/vendor/github.com/theupdateframework/go-tuf/repo.go index c6a23deea4..db2ac66369 100644 --- a/vendor/github.com/theupdateframework/go-tuf/repo.go +++ b/vendor/github.com/theupdateframework/go-tuf/repo.go 
@@ -782,11 +782,13 @@ func (r *Repo) setMeta(roleFilename string, meta interface{}) error { return r.local.SetMeta(roleFilename, b) } -// SignPayload signs the given payload using the key(s) associated with role. +// CanonicalizeAndSign canonicalizes the signed portion of signed, then signs it using the key(s) associated with role. +// +// It appends the signature to signed. // // It returns the total number of keys used for signing, 0 (along with // ErrNoKeys) if no keys were found, or -1 (along with an error) in error cases. -func (r *Repo) SignPayload(role string, payload *data.Signed) (int, error) { +func (r *Repo) CanonicalizeAndSign(role string, signed *data.Signed) (int, error) { keys, err := r.signersForRole(role) if err != nil { return -1, err 
@@ -795,13 +797,46 @@ func (r *Repo) SignPayload(role string, payload *data.Signed) (int, error) { return 0, ErrNoKeys{role} } for _, k := range keys { - if err = sign.Sign(payload, k); err != nil { + if err = sign.Sign(signed, k); err != nil { return -1, err } } return len(keys), nil } +// SignPayload canonicalizes the signed portion of payload, then signs it using the key(s) associated with role. +// +// It returns the total number of keys used for signing, 0 (along with +// ErrNoKeys) if no keys were found, or -1 (along with an error) in error cases. +// +// DEPRECATED: please use CanonicalizeAndSign instead. +func (r *Repo) SignPayload(role string, payload *data.Signed) (int, error) { + return r.CanonicalizeAndSign(role, payload) +} + +// SignRaw signs the given (pre-canonicalized) payload using the key(s) associated with role. +// +// It returns the new data.Signatures. +func (r *Repo) SignRaw(role string, payload []byte) ([]data.Signature, error) { + keys, err := r.signersForRole(role) + if err != nil { + return nil, err + } + if len(keys) == 0 { + return nil, ErrNoKeys{role} + } + + allSigs := make([]data.Signature, 0, len(keys)) + for _, k := range keys { + sigs, err := sign.MakeSignatures(payload, k) + if err != nil { + return nil, err + } + allSigs = append(allSigs, sigs...) + } + return allSigs, nil +} + func (r *Repo) Sign(roleFilename string) error { signed, err := r.SignedMeta(roleFilename) if err != nil { diff --git a/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt b/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt index 00f20734bf..23822eecf4 100644 --- a/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt +++ b/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt @@ -1,5 +1,5 @@ -iso8601==1.1.0 -requests==2.28.2 -securesystemslib==0.26.0 +iso8601==2.0.0 +requests==2.31.0 +securesystemslib==0.28.0 six==1.16.0 -tuf==2.0.0 +tuf==3.0.0 
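Review bot: The marker on `SignPayload` is written `// DEPRECATED: please use CanonicalizeAndSign instead.`, which Go tooling does not treat as a deprecation notice; the recognised form is a paragraph beginning `// Deprecated: use CanonicalizeAndSign instead.`. `SignRaw`'s comment should also spell out its contract: it signs `payload` byte-for-byte with every key for `role`, performs no canonicalization or validation of its own, and returns the signatures without attaching them to any metadata, so the caller is responsible for what gets signed. Unlike `CanonicalizeAndSign`, it reports a missing key set as `nil, ErrNoKeys{role}` with no count, which deserves one line in the doc as well.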
diff --git a/vendor/github.com/theupdateframework/go-tuf/sign/sign.go b/vendor/github.com/theupdateframework/go-tuf/sign/sign.go index 6b15b6b4f7..e31b5465d9 100644 --- a/vendor/github.com/theupdateframework/go-tuf/sign/sign.go +++ b/vendor/github.com/theupdateframework/go-tuf/sign/sign.go 
@@ -2,46 +2,65 @@ package sign import ( "encoding/json" + "errors" "github.com/secure-systems-lab/go-securesystemslib/cjson" "github.com/theupdateframework/go-tuf/data" "github.com/theupdateframework/go-tuf/pkg/keys" ) -func Sign(s *data.Signed, k keys.Signer) error { +const maxSignatures = 1024 + +// MakeSignatures creates data.Signatures for canonical using signer k. +// +// There will be one data.Signature for each of k's IDs, each wih the same +// signature data. +func MakeSignatures(canonical []byte, k keys.Signer) ([]data.Signature, error) { + sigData, err := k.SignMessage(canonical) + if err != nil { + return nil, err + } + ids := k.PublicData().IDs() - signatures := make([]data.Signature, 0, len(s.Signatures)+1) - for _, sig := range s.Signatures { - found := false - for _, id := range ids { - if sig.KeyID == id { - found = true - break - } - } - if !found { - signatures = append(signatures, sig) - } + signatures := make([]data.Signature, 0, len(ids)) + for _, id := range ids { + signatures = append(signatures, data.Signature{ + KeyID: id, + Signature: sigData, + }) } + return signatures, nil +} + +// Sign signs the to-be-signed part of s using the signer k. +// +// The new signature(s) (one for each of k's key IDs) are appended to +// s.Signatures. Existing signatures for the Key IDs are replaced. +func Sign(s *data.Signed, k keys.Signer) error { canonical, err := cjson.EncodeCanonical(s.Signed) if err != nil { return err } - sig, err := k.SignMessage(canonical) + size := len(s.Signatures) + if size > maxSignatures-1 { + return errors.New("value too large") + } + signatures := make([]data.Signature, 0, size+1) + for _, oldSig := range s.Signatures { + if !k.PublicData().ContainsID(oldSig.KeyID) { + signatures = append(signatures, oldSig) + } + } + + newSigs, err := MakeSignatures(canonical, k) if err != nil { return err } + signatures = append(signatures, newSigs...) 
s.Signatures = signatures - for _, id := range ids { - s.Signatures = append(s.Signatures, data.Signature{ - KeyID: id, - Signature: sig, - }) - } - return nil } diff --git a/vendor/google.golang.org/api/internal/version.go b/vendor/google.golang.org/api/internal/version.go index b0a50e8416..5fac05c085 100644 --- a/vendor/google.golang.org/api/internal/version.go +++ b/vendor/google.golang.org/api/internal/version.go @@ -5,4 +5,4 @@ package internal // Version is the current tagged release of the library. -const Version = "0.147.0" +const Version = "0.148.0" diff --git a/vendor/modules.txt b/vendor/modules.txt index 71730ada38..bb11527385 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -235,7 +235,7 @@ github.com/aws/aws-sdk-go-v2/internal/shareddefaults github.com/aws/aws-sdk-go-v2/internal/strings github.com/aws/aws-sdk-go-v2/internal/sync/singleflight github.com/aws/aws-sdk-go-v2/internal/timeconv -# github.com/aws/aws-sdk-go-v2/config v1.18.45 +# github.com/aws/aws-sdk-go-v2/config v1.19.1 ## explicit; go 1.15 github.com/aws/aws-sdk-go-v2/config # github.com/aws/aws-sdk-go-v2/credentials v1.13.43 @@ -398,7 +398,7 @@ github.com/common-nighthawk/go-figure ## explicit; go 1.19 github.com/containerd/stargz-snapshotter/estargz github.com/containerd/stargz-snapshotter/estargz/errorutil -# github.com/coreos/go-oidc/v3 v3.6.0 +# github.com/coreos/go-oidc/v3 v3.7.0 ## explicit; go 1.19 github.com/coreos/go-oidc/v3/oidc # github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 @@ -1060,6 +1060,7 @@ github.com/sassoftware/relic/lib/x509tools ## explicit; go 1.20 github.com/secure-systems-lab/go-securesystemslib/cjson github.com/secure-systems-lab/go-securesystemslib/dsse +github.com/secure-systems-lab/go-securesystemslib/encrypted github.com/secure-systems-lab/go-securesystemslib/signerverifier # github.com/segmentio/ksuid v1.0.4 ## explicit; go 1.12 
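Review bot: The new bound in `Sign` fails with `errors.New("value too large")`, which tells the caller neither which value nor what the limit is; `errors.New("sign: too many existing signatures")` would be actionable, and `maxSignatures` deserves a comment saying why 1024 was chosen. The check also runs after `cjson.EncodeCanonical`, so an oversized signature list is rejected only once the payload has been encoded; testing `len(s.Signatures)` at the top of the function avoids that work. The doc comment on `MakeSignatures` has a typo (`wih`).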
@@ -1153,7 +1154,7 @@ github.com/sigstore/rekor/pkg/types/intoto/v0.0.2 github.com/sigstore/rekor/pkg/types/rekord github.com/sigstore/rekor/pkg/types/rekord/v0.0.1 github.com/sigstore/rekor/pkg/util -# github.com/sigstore/sigstore v1.7.4 +# github.com/sigstore/sigstore v1.7.5 ## explicit; go 1.20 github.com/sigstore/sigstore/pkg/cryptoutils github.com/sigstore/sigstore/pkg/fulcioroots @@ -1248,7 +1249,7 @@ github.com/syndtr/goleveldb/leveldb/util # github.com/tchap/go-patricia/v2 v2.3.1 ## explicit; go 1.16 github.com/tchap/go-patricia/v2/patricia -# github.com/tektoncd/pipeline v0.53.2 +# github.com/tektoncd/pipeline v0.54.0 ## explicit; go 1.19 github.com/tektoncd/pipeline/pkg/apis/config github.com/tektoncd/pipeline/pkg/apis/pipeline @@ -1287,8 +1288,8 @@ github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1 # github.com/thales-e-security/pool v0.0.2 ## explicit; go 1.12 github.com/thales-e-security/pool -# github.com/theupdateframework/go-tuf v0.5.2 -## explicit; go 1.18 +# github.com/theupdateframework/go-tuf v0.6.1 +## explicit; go 1.20 github.com/theupdateframework/go-tuf github.com/theupdateframework/go-tuf/client github.com/theupdateframework/go-tuf/client/leveldbstore @@ -1560,7 +1561,7 @@ golang.org/x/tools/internal/typesinternal # gomodules.xyz/jsonpatch/v2 v2.4.0 ## explicit; go 1.20 gomodules.xyz/jsonpatch/v2 -# google.golang.org/api v0.147.0 +# google.golang.org/api v0.148.0 ## explicit; go 1.19 google.golang.org/api/googleapi/transport google.golang.org/api/idtoken 
@@ -1779,7 +1780,7 @@ k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextension k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1/fake k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1 k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/fake -# k8s.io/apimachinery v0.28.2 => k8s.io/apimachinery v0.26.8 +# k8s.io/apimachinery v0.28.3 => k8s.io/apimachinery v0.26.8 ## explicit; go 1.19 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors