Merge pull request #5 from tiagoangelototvs/updated-libraries

Performed updates to libraries for improved security
cloud104 · Nov 16, 2023 · 8d8373d · 8d8373d
2 parents 7649da8 + d2395e9
commit 8d8373d
Show file tree

Hide file tree

Showing 6 changed files with 101 additions and 71 deletions.
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -10,8 +10,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '1.21.4'
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.29
+          version: v1.55.2
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,8 @@
-FROM golang:1.18.2-alpine3.15
+FROM golang:1.21.4-alpine3.18 AS build
 
-RUN apk add --no-cache --update alpine-sdk bash
+RUN apk --no-cache add \
+    alpine-sdk=~"1.0" \
+    bash=~"5.2.15"
 
 ENV GO111MODULE=on
 
@@ -15,19 +17,23 @@ COPY . .
 
 RUN make build
 
-FROM alpine:3
+FROM alpine:3.18.4
 
 # Dex connectors, such as GitHub and Google logins require root certificates.
 # Proper installations should manage those certificates, but it's a bad user
 # experience when this doesn't work out of the box.
 #
 # OpenSSL is required so wget can query HTTPS endpoints for health checking.
-RUN apk add --update ca-certificates openssl curl tini
+RUN apk --no-cache add \
+    ca-certificates=~"20230506" \
+    openssl=~"3.1.4" \
+    curl=~"8.4.0" \
+    tini=~"0.19.0"
 
 RUN mkdir -p /app/bin
-COPY --from=0 /app/bin/dex-k8s-authenticator /app/bin/
-COPY --from=0 /app/html /app/html
-COPY --from=0 /app/templates /app/templates
+COPY --from=build /app/bin/dex-k8s-authenticator /app/bin/
+COPY --from=build /app/html /app/html
+COPY --from=build /app/templates /app/templates
 
 # Add any required certs/key by mounting a volume on /certs
 # The entrypoint will copy them and run update-ca-certificates at startup

diff --git a/dex-auth.go b/dex-auth.go
@@ -4,9 +4,9 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"net/http"
+	"os"
 	"path"
 	"time"
 
@@ -110,7 +110,7 @@ func (cluster *Cluster) handleCallback(w http.ResponseWriter, r *http.Request) {
 	rawIDToken, ok := token.Extra("id_token").(string)
 	if !ok {
 		cluster.renderHTMLError(w, userErrorMsg, http.StatusBadRequest)
-		log.Printf("handleCallback: no id_token in response: %q", token)
+		log.Printf("handleCallback: no id_token in response: %+v", token)
 		return
 	}
 
@@ -138,7 +138,7 @@ func (cluster *Cluster) handleCallback(w http.ResponseWriter, r *http.Request) {
 	if cluster.Config.IDP_Ca_Pem != "" {
 		IdpCaPem = cluster.Config.IDP_Ca_Pem
 	} else if cluster.Config.IDP_Ca_Pem_File != "" {
-		content, err := ioutil.ReadFile(cluster.Config.IDP_Ca_Pem_File)
+		content, err := os.ReadFile(cluster.Config.IDP_Ca_Pem_File)
 		if err != nil {
 			log.Fatalf("Failed to load CA from file %s, %s", cluster.Config.IDP_Ca_Pem_File, err)
 		}

diff --git a/go.mod b/go.mod
@@ -1,13 +1,13 @@
 module github.com/mintel/dex-k8s-authenticator
 
-go 1.18
+go 1.21.4
 
 require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
-	github.com/spf13/cast v1.5.0
-	github.com/spf13/cobra v1.6.1
-	github.com/spf13/viper v1.15.0
-	golang.org/x/oauth2 v0.6.0
+	github.com/spf13/cast v1.5.1
+	github.com/spf13/cobra v1.8.0
+	github.com/spf13/viper v1.17.0
+	golang.org/x/oauth2 v0.14.0
 )
 
 require (
@@ -17,18 +17,23 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
-	github.com/pquerna/cachecontrol v0.1.0 // indirect
-	github.com/spf13/afero v1.9.5 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pquerna/cachecontrol v0.2.0 // indirect
+	github.com/sagikazarmark/locafero v0.3.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.10.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
-	golang.org/x/crypto v0.7.0 // indirect
-	golang.org/x/net v0.8.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	golang.org/x/crypto v0.15.0 // indirect
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/net v0.18.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect