Merge pull request #187 from CSCfi/feature/update-fork

Update fork

Author: emm1R

.github/pull_request_template.md

@@ -0,0 +1,11 @@
+## PCI review checklist
+
+<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
+
+- [ ] I have documented a clear reason for, and description of, the change I am making.
+
+- [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
+
+- [ ] If applicable, I've documented the impact of any changes to security controls.
+
+  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

.github/workflows/codeql-analysis.yml

@@ -2,10 +2,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [master]
+    branches: [main]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [master]
+    branches: [main]
   schedule:
     - cron: "0 15 * * 4"
 
@@ -22,15 +22,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
-        with:
-          # We must fetch at least the immediate parents so that if this is
-          # a pull request then we can checkout the head.
-          fetch-depth: 2
-
-      # If this run was triggered by a pull request event, then checkout
-      # the head of the pull request instead of the merge commit.
-      - run: git checkout HEAD^2
-        if: ${{ github.event_name == 'pull_request' }}
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/unittests.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: ["1.22"]
+        go-version: ["1.25"]
     steps:
       - name: Set up Go ${{ matrix.go-version }}
         uses: actions/setup-go@v5

LICENSE

@@ -1,3 +1,5 @@
+Copyright (c) 2021 HashiCorp, Inc.
+
 Mozilla Public License Version 2.0
 ==================================
 

environments/docker/environment.go

@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package docker
 
 import (
@@ -39,7 +42,7 @@ import (
 
 var _ stepwise.Environment = (*Cluster)(nil)
 
-const dockerVersion = "1.41"
+const dockerVersion = "1.51"
 const defaultImage = "hashicorp/vault:latest"
 
 // Cluster is used for managing the lifecycle of the test Vault cluster
@@ -433,7 +436,7 @@ func (n *dockerClusterNode) setupCert() error {
 		return err
 	}
 
-	certGetter := stepwise.NewCertificateGetter(n.ServerCertPEMFile, n.ServerKeyPEMFile, "")
+	certGetter := stepwise.NewCertificateGetter(n.ServerCertPEMFile, n.ServerKeyPEMFile)
 	if err := certGetter.Reload(); err != nil {
 		return err
 	}
@@ -797,10 +800,9 @@ func setupNetwork(cli *docker.Client, netName string) (string, error) {
 }
 
 func createNetwork(cli *docker.Client, netName string) (string, error) {
-	resp, err := cli.NetworkCreate(context.Background(), netName, types.NetworkCreate{
-		CheckDuplicate: true,
-		Driver:         "bridge",
-		Options:        map[string]string{},
+	resp, err := cli.NetworkCreate(context.Background(), netName, network.CreateOptions{
+		Driver:  "bridge",
+		Options: map[string]string{},
 		IPAM: &network.IPAM{
 			Driver:  "default",
 			Options: map[string]string{},
@@ -860,12 +862,14 @@ func (dc *Cluster) Setup() error {
 		// auth mounts via the /sys endpoint, we need to remove that prefix
 		authPath := strings.TrimPrefix(dc.MountPath(), "auth/")
 		err = client.Sys().EnableAuthWithOptions(authPath, &api.EnableAuthOptions{
-			Type: registryName,
+			Type:   registryName,
+			Config: dc.MountOptions.MountConfigInput,
 		})
 	case api.PluginTypeDatabase:
 	case api.PluginTypeSecrets:
 		err = client.Sys().Mount(dc.MountPath(), &api.MountInput{
-			Type: registryName,
+			Type:   registryName,
+			Config: dc.MountOptions.MountConfigInput,
 		})
 	default:
 		return fmt.Errorf("unknown plugin type: %s", dc.MountOptions.PluginType.String())

environments/docker/runner.go

@@ -1,17 +1,19 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package docker
 
 import (
 	"context"
 	"fmt"
 	"io"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/strslice"
 	docker "github.com/docker/docker/client"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 // Runner manages the lifecycle of the Docker container
@@ -28,7 +30,7 @@ type Runner struct {
 // pulling the specified Vault image, creating the container, and copies the
 // plugin binary into the container file system before starting the container
 // itself.
-func (d *Runner) Start(ctx context.Context) (*types.ContainerJSON, error) {
+func (d *Runner) Start(ctx context.Context) (*container.InspectResponse, error) {
 	hostConfig := &container.HostConfig{
 		PublishAllPorts: true,
 		AutoRemove:      true,
@@ -69,29 +71,32 @@ func (d *Runner) Start(ctx context.Context) (*types.ContainerJSON, error) {
 	hostConfig.CapAdd = strslice.StrSlice{"IPC_LOCK", "NET_ADMIN"}
 	cfg.Hostname = d.ContainerName
 	fullName := d.ContainerName
-	dockerContainer, err := d.dockerAPI.ContainerCreate(ctx, &cfg, hostConfig, networkingConfig, nil, fullName)
+	newContainer, err := d.dockerAPI.ContainerCreate(ctx, &cfg, hostConfig, networkingConfig, nil, fullName)
 	if err != nil {
 		return nil, fmt.Errorf("container create failed: %v", err)
 	}
 
 	// copies the plugin binary into the Docker file system. This copy is only
 	// allowed before the container is started
 	for from, to := range d.CopyFromTo {
-		if err := copyToContainer(ctx, d.dockerAPI, dockerContainer.ID, from, to); err != nil {
-			_ = d.dockerAPI.ContainerRemove(ctx, dockerContainer.ID, container.RemoveOptions{})
+		if err := copyToContainer(ctx, d.dockerAPI, newContainer.ID, from, to); err != nil {
+			_ = d.dockerAPI.ContainerRemove(ctx, newContainer.ID, container.RemoveOptions{})
+
 			return nil, err
 		}
 	}
 
-	err = d.dockerAPI.ContainerStart(ctx, dockerContainer.ID, container.StartOptions{})
+	err = d.dockerAPI.ContainerStart(ctx, newContainer.ID, container.StartOptions{})
 	if err != nil {
-		_ = d.dockerAPI.ContainerRemove(ctx, dockerContainer.ID, container.RemoveOptions{})
+		_ = d.dockerAPI.ContainerRemove(ctx, newContainer.ID, container.RemoveOptions{})
+
 		return nil, fmt.Errorf("container start failed: %v", err)
 	}
 
-	inspect, err := d.dockerAPI.ContainerInspect(ctx, dockerContainer.ID)
+	inspect, err := d.dockerAPI.ContainerInspect(ctx, newContainer.ID)
 	if err != nil {
-		_ = d.dockerAPI.ContainerRemove(ctx, dockerContainer.ID, container.RemoveOptions{})
+		_ = d.dockerAPI.ContainerRemove(ctx, newContainer.ID, container.RemoveOptions{})
+
 		return nil, err
 	}
 	return &inspect, nil
@@ -117,7 +122,7 @@ func copyToContainer(ctx context.Context, d *docker.Client, containerID, from, t
 	}
 	defer content.Close()
 
-	err = d.CopyToContainer(ctx, containerID, dstDir, content, types.CopyToContainerOptions{})
+	err = d.CopyToContainer(ctx, containerID, dstDir, content, container.CopyToContainerOptions{})
 	if err != nil {
 		return fmt.Errorf("error copying from %q -> %q: %v", from, to, err)
 	}

go.mod

@@ -1,32 +1,33 @@
 module github.com/CSCfi/vault-testing-stepwise
 
-go 1.24.0
+go 1.25.0
 
 require (
-	github.com/docker/docker v26.1.5+incompatible
+	github.com/docker/docker v28.5.2+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/vault/api v1.22.0
-	github.com/hashicorp/vault/sdk v0.14.0
+	github.com/hashicorp/vault/sdk v0.20.0
 	golang.org/x/net v0.48.0
 )
 
 require (
-	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/containerd/containerd v1.7.12 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
@@ -35,34 +36,33 @@ require (
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
-	github.com/klauspost/compress v1.16.5 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/patternmatcher v0.5.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
+	github.com/moby/go-archive v0.1.0 // indirect
+	github.com/moby/patternmatcher v0.6.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
-	golang.org/x/crypto v0.46.0 // indirect
-	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
+	go.opentelemetry.io/otel v1.39.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.39.0 // indirect
-	gotest.tools/v3 v3.5.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
 )