hashicorp · hc-github-team-consul-core · Oct 13, 2023 · Oct 13, 2023 · Oct 13, 2023 · Oct 13, 2023
diff --git a/.changelog/19225.txt b/.changelog/19225.txt
@@ -0,0 +1,9 @@
+```release-note:security
+Upgrade Go to 1.20.10.
+This resolves vulnerability [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
+/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)(`net/http`).
+```
+```release-note:security
+Update `golang.org/x/net` to v0.17.0 to address [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
+/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)(`x/net/http2`).
+```
@@ -85,15 +85,15 @@ jobs:
     strategy:
       matrix:
         include:
-          - {go: "1.20.8", goos: "linux", goarch: "386"}
-          - {go: "1.20.8", goos: "linux", goarch: "amd64"}
-          - {go: "1.20.8", goos: "linux", goarch: "arm"}
-          - {go: "1.20.8", goos: "linux", goarch: "arm64"}
-          - {go: "1.20.8", goos: "freebsd", goarch: "386"}
-          - {go: "1.20.8", goos: "freebsd", goarch: "amd64"}
-          - {go: "1.20.8", goos: "windows", goarch: "386"}
-          - {go: "1.20.8", goos: "windows", goarch: "amd64"}
-          - {go: "1.20.8", goos: "solaris", goarch: "amd64"}
+          - {go: "1.20.10", goos: "linux", goarch: "386"}
+          - {go: "1.20.10", goos: "linux", goarch: "amd64"}
+          - {go: "1.20.10", goos: "linux", goarch: "arm"}
+          - {go: "1.20.10", goos: "linux", goarch: "arm64"}
+          - {go: "1.20.10", goos: "freebsd", goarch: "386"}
+          - {go: "1.20.10", goos: "freebsd", goarch: "amd64"}
+          - {go: "1.20.10", goos: "windows", goarch: "386"}
+          - {go: "1.20.10", goos: "windows", goarch: "amd64"}
+          - {go: "1.20.10", goos: "solaris", goarch: "amd64"}
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@@ -182,7 +182,7 @@ jobs:
     strategy:
       matrix:
         include:
-          - {go: "1.20.8", goos: "linux", goarch: "s390x"}
+          - {go: "1.20.10", goos: "linux", goarch: "s390x"}
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@@ -233,7 +233,7 @@ jobs:
       matrix:
         goos: [ darwin ]
         goarch: [ "amd64", "arm64" ]
-        go: [ "1.20.8" ]
+        go: [ "1.20.10" ]
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build

diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml
@@ -80,7 +80,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        nomad-version: ['v1.6.1', 'v1.5.8', 'v1.4.12']
+        nomad-version: ['v1.6.2', 'v1.5.9', 'v1.4.13']
     steps:
       - name: Checkout Nomad
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -159,7 +159,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        vault-version: ["1.14.1", "1.13.5", "1.12.9", "1.11.12"]
+        vault-version: ["1.15.0", "1.14.4", "1.13.8", "1.12.11"]
     env:
       VAULT_BINARY_VERSION: ${{ matrix.vault-version }}
     steps:

diff --git a/Makefile b/Makefile
@@ -438,6 +438,9 @@ codegen: codegen-tools ## Deep copy
 	@$(SHELL) $(CURDIR)/agent/consul/state/deep-copy.sh
 	@$(SHELL) $(CURDIR)/agent/config/deep-copy.sh
 	copywrite headers
+	# Special case for MPL headers in /api and /sdk
+	cd api && $(CURDIR)/build-support/scripts/copywrite-exceptions.sh
+	cd sdk && $(CURDIR)/build-support/scripts/copywrite-exceptions.sh
 
 print-%  : ; @echo $($*) ## utility to echo a makefile variable (i.e. 'make print-GOPATH')
 

diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go
@@ -90,6 +90,18 @@ func TestAgentEndpointsFailInV2(t *testing.T) {
 		})
 	}
 
+	t.Run("agent-self-with-params", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/v1/agent/self?dc=dc1", nil)
+		require.NoError(t, err)
+
+		resp := httptest.NewRecorder()
+		a.srv.h.ServeHTTP(resp, req)
+		require.Equal(t, http.StatusOK, resp.Code)
+
+		_, err = io.ReadAll(resp.Body)
+		require.NoError(t, err)
+	})
+
 	checkRequest("PUT", "/v1/agent/maintenance")
 	checkRequest("GET", "/v1/agent/services")
 	checkRequest("GET", "/v1/agent/service/web")

@@ -50,7 +50,7 @@ func (s *Server) Read(ctx context.Context, req *pbresource.ReadRequest) (*pbreso
 	authzNeedsData := false
 	err = reg.ACLs.Read(authz, authzContext, req.Id, nil)
 	switch {
-	case errors.Is(err, resource.ErrNeedData):
+	case errors.Is(err, resource.ErrNeedResource):
 		authzNeedsData = true
 		err = nil
 	case acl.IsErrPermissionDenied(err):

diff --git a/agent/http.go b/agent/http.go
@@ -396,7 +396,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
 
 		rejectCatalogV1Endpoint := false
 		if s.agent.baseDeps.UseV2Resources() {
-			rejectCatalogV1Endpoint = isV1CatalogRequest(logURL)
+			rejectCatalogV1Endpoint = isV1CatalogRequest(req.URL.Path)
 		}
 
 		if s.denylist.Block(req.URL.Path) {

diff --git a/agent/xds/listeners_apigateway.go b/agent/xds/listeners_apigateway.go
@@ -152,7 +152,11 @@ func (s *ResourceGenerator) makeAPIGatewayListeners(address string, cfgSnap *pro
 
 			routes := make([]*structs.HTTPRouteConfigEntry, 0, len(readyListener.routeReferences))
 			for _, routeRef := range maps.Keys(readyListener.routeReferences) {
-				route, _ := cfgSnap.APIGateway.HTTPRoutes.Get(routeRef)
+				route, ok := cfgSnap.APIGateway.HTTPRoutes.Get(routeRef)
+				if !ok {
+					return nil, fmt.Errorf("missing route for routeRef %s:%s", routeRef.Kind, routeRef.Name)
+				}
+
 				routes = append(routes, route)
 			}
 			consolidatedRoutes := discoverychain.ConsolidateHTTPRoutes(cfgSnap.APIGateway.GatewayConfig, &readyListener.listenerCfg, routes...)
@@ -297,11 +301,9 @@ func getReadyListeners(cfgSnap *proxycfg.ConfigSnapshot) map[string]readyListene
 				continue
 			}
 
-			routeKey := l.Name + routeRef.String()
-
 			for _, upstream := range routeUpstreamsForListener {
 				// Insert or update readyListener for the listener to include this upstream
-				r, ok := ready[routeKey]
+				r, ok := ready[l.Name]
 				if !ok {
 					r = readyListener{
 						listenerKey:      listenerKey,
@@ -312,7 +314,7 @@ func getReadyListeners(cfgSnap *proxycfg.ConfigSnapshot) map[string]readyListene
 				}
 				r.routeReferences[routeRef] = struct{}{}
 				r.upstreams = append(r.upstreams, upstream)
-				ready[routeKey] = r
+				ready[l.Name] = r
 			}
 		}
 	}

diff --git a/agent/xds/testdata/routes/api-gateway-with-multiple-hostnames.latest.golden b/agent/xds/testdata/routes/api-gateway-with-multiple-hostnames.latest.golden
@@ -8,52 +8,38 @@
       "virtualHosts": [
         {
           "domains": [
-            "backend.example.com",
-            "backend.example.com:8080"
+            "frontend.example.com",
+            "frontend.example.com:8080"
           ],
-          "name": "api-gateway-http-5a84e719",
+          "name": "api-gateway-http-54620b06",
           "routes": [
             {
               "match": {
                 "prefix": "/"
               },
               "route": {
-                "cluster": "backend.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+                "cluster": "frontend.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
               }
             }
           ]
-        }
-      ]
-    },
-    {
-      "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration",
-      "name": "8080",
-      "validateClusters": true,
-      "virtualHosts": [
+        },
         {
           "domains": [
-            "frontend.example.com",
-            "frontend.example.com:8080"
+            "backend.example.com",
+            "backend.example.com:8080"
           ],
-          "name": "api-gateway-http-54620b06",
+          "name": "api-gateway-http-5a84e719",
           "routes": [
             {
               "match": {
                 "prefix": "/"
               },
               "route": {
-                "cluster": "frontend.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+                "cluster": "backend.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
               }
             }
           ]
-        }
-      ]
-    },
-    {
-      "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration",
-      "name": "8080",
-      "validateClusters": true,
-      "virtualHosts": [
+        },
         {
           "domains": [
             "*.example.com",

diff --git a/api/.copywrite.hcl b/api/.copywrite.hcl
@@ -0,0 +1,8 @@
+schema_version = 1
+
+project {
+  license		= "MPL-2.0"
+  copyright_year	= 2023
+
+  header_ignore		= []
+}
diff --git a/api/config_entry_routes_test.go b/api/config_entry_routes_test.go
@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package api
 
 import (

diff --git a/api/config_entry_status_test.go b/api/config_entry_status_test.go
@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package api
 
 import "testing"

diff --git a/api/go.mod b/api/go.mod
@@ -39,8 +39,8 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
-	golang.org/x/net v0.13.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/api/go.sum b/api/go.sum
@@ -182,8 +182,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
-golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY=
-golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -211,8 +211,8 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=

diff --git a/api/internal.go b/api/internal.go
@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package api
 
 import "context"

diff --git a/api/internal_test.go b/api/internal_test.go
@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package api
 
 import (

diff --git a/api/operator_audit.go b/api/operator_audit.go
@@ -1,5 +1,5 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
+// SPDX-License-Identifier: MPL-2.0
 
 // The /v1/operator/audit-hash endpoint is available only in Consul Enterprise and
 // interact with its audit logging subsystem.

diff --git a/build-support/docker/Build-Go.dockerfile b/build-support/docker/Build-Go.dockerfile
@@ -1,7 +1,7 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-ARG GOLANG_VERSION=1.20.8
+ARG GOLANG_VERSION=1.20.10
 FROM golang:${GOLANG_VERSION}
 
 WORKDIR /consul
diff --git a/build-support/scripts/copywrite-exceptions.sh b/build-support/scripts/copywrite-exceptions.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Used as a stopgap for copywrite bot in MPL-licensed subdirs, detects BUSL licensed
+# headers and deletes them, then runs the copywrite bot to utilize local subdir config
+# to inject correct headers.
+
+find . -type f -name '*.go' | while read line; do
+  if grep "SPDX-License-Identifier: BUSL-1.1" $line; then
+    sed -i '/SPDX-License-Identifier: BUSL-1.1/d' $line
+    sed -i '/Copyright (c) HashiCorp, Inc./d' $line
+  fi
+done
+
+copywrite headers
diff --git a/command/resource/testdata/nested_data.hcl b/command/resource/testdata/nested_data.hcl
@@ -21,6 +21,7 @@ Data {
       DestinationPort = "tcp"
 
       IpPort = {
+        Ip   = "127.0.0.1"
         Port = 1234
       }
     }

diff --git a/envoyextensions/go.mod b/envoyextensions/go.mod
@@ -41,7 +41,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect
-	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/envoyextensions/go.sum b/envoyextensions/go.sum
@@ -200,7 +200,7 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
-golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -229,8 +229,8 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=

diff --git a/go.mod b/go.mod
@@ -109,12 +109,12 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v0.39.0
 	go.opentelemetry.io/proto/otlp v0.19.0
 	go.uber.org/goleak v1.1.10
-	golang.org/x/crypto v0.12.0
+	golang.org/x/crypto v0.14.0
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
-	golang.org/x/net v0.14.0
+	golang.org/x/net v0.17.0
 	golang.org/x/oauth2 v0.6.0
 	golang.org/x/sync v0.3.0
-	golang.org/x/sys v0.11.0
+	golang.org/x/sys v0.13.0
 	golang.org/x/time v0.3.0
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
 	google.golang.org/grpc v1.55.0
@@ -262,8 +262,8 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/term v0.11.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
 	google.golang.org/api v0.114.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect