diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..0be48bb --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,23 @@ +name: build ci + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Set up Go + uses: actions/setup-go@v3 + with: + go-version: 1.19 + + - name: build + run: make build diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..a81e8f7 --- /dev/null +++ b/Makefile @@ -0,0 +1,29 @@ +.PHONY: build build-local run test +build: + docker run --rm -v `pwd`:/go/src/go-filter -w /go/src/go-filter \ + -e GOPROXY=https://goproxy.cn \ + golang:1.19 \ + go build -v -o libgolang.so -buildmode=c-shared -buildvcs=false . + +build-local: + GOPROXY=https://goproxy.cn go build -v -o libgolang.so -buildmode=c-shared . + +run: + docker run --rm -v `pwd`/envoy.yaml:/etc/envoy/envoy.yaml \ + -v `pwd`/libgolang.so:/etc/envoy/libgolang.so \ + -p 10000:10000 \ + envoyproxy/envoy:contrib-dev \ + envoy -c /etc/envoy/envoy.yaml + +test-run: + docker run --rm -v `pwd`/example/envoy.yaml:/etc/envoy/envoy.yaml \ + -v `pwd`/libgolang.so:/etc/envoy/libgolang.so \ + -p 10000:10000 \ + envoyproxy/envoy:contrib-dev \ + envoy -c /etc/envoy/envoy.yaml + +test: + curl -s -I 'http://localhost:10000/' + curl -s -I 'http://localhost:10000/' -H 'Authorization: Basic dW5rbm93bjpkb2dvb2Q=' # generated by `echo -n "unknown:dogood" | base64` + curl -s -I 'http://localhost:10000/' -H 'Authorization: Basic aGFja2Vyczp1bmtub3du' # generated by `echo -n "hackers:unknown" | base64` + curl -s -I 'http://localhost:10000/' -H 'Authorization: Basic aGFja2Vyczpkb2dvb2Q=' # generated by `echo -n "hackers:dogood" | base64` diff --git a/README.md b/README.md index 47e664d..0dccbd1 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,212 @@ envoy-go-ldap-auth ================== -This is a simple LDAP auth filter for envoy written in go. +This is a simple LDAP auth filter for envoy written in go. Only requests that pass the LDAP server's authentication will be proxied to the upstream service. - -Status -====== +## Status This is under active development and is not ready for production use. +## Usage + +The client set credentials in `Authorization` header in the following format: + +```Plaintext +credentials := Basic base64(username:password) +``` + +An example of the `Authorization` header is as follows (`aGFja2Vyczpkb2dvb2Q=`, which is the base64-encoded value of `hackers:dogood`): + +```Plaintext +Authorization: Basic aGFja2Vyczpkb2dvb2Q= +``` + +Configure your envoy.yaml, include required fields: host, port, base_dn and attribute. + +```yaml +http_filters: + - name: envoy.filters.http.golang + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config + library_id: example + library_path: /etc/envoy/libgolang.so + plugin_name: envoy-go-ldap-auth + plugin_config: + "@type": type.googleapis.com/xds.type.v3.TypedStruct + value: + # required + host: localhost + port: 389 + base_dn: dc=example,dc=com + attribute: cn + # optional + # be used in search mode + bind_dn: + bind_password: + # if the filter is set, the filter application will run in search mode. + filter: + timeout: 60 +``` + +Then, you can start your filter. + +```bash +make build +make run +``` + +## Test + +This test case is based on glauth and can be utilized to evaluate your filter. + +Firstly, download [glauth](https://github.com/glauth/glauth/releases), and change its [sample config file](https://github.com/glauth/glauth/blob/master/v2/sample-simple.cfg). + +sample.yaml + +```yaml +[ldap] + enabled = true + # run on a non privileged port + listen = "192.168.64.1:3893" # 192.168.64.1 is your local network IP. Please synchronize it with envoy.yaml. +``` + +envoy.yaml, and you can find this example file in `example` directory + +```yaml +http_filters: + - name: envoy.filters.http.golang + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config + library_id: example + library_path: /etc/envoy/libgolang.so + plugin_name: envoy-go-ldap-auth + plugin_config: + "@type": type.googleapis.com/xds.type.v3.TypedStruct + value: + # required + host: 192.168.64.1 + port: 3893 + base_dn: dc=glauth,dc=com + attribute: cn + # optional + # be used in search mode + bind_dn: cn=serviceuser,ou=svcaccts,dc=glauth,dc=com + bind_password: mysecret + # if the filter is set, the filter application will run in search mode. + filter: (cn=%s) + timeout: 60 +``` + +Then, start glauth. + +```bash +./glauth -c sample.yaml +``` + +Start and test filter. + +```bash +make build +make test-run +make test +``` + +The following are the output results. + +```bash +$ make test +curl -s -I 'http://localhost:10000/' +HTTP/1.1 401 Unauthorized +content-length: 16 +content-type: text/plain +date: Sun, 28 May 2023 16:56:18 GMT +server: envoy + +curl -s -I 'http://localhost:10000/' -H 'Authorization: Basic dW5rbm93bjpkb2dvb2Q=' # generated by `echo -n "unknown:dogood" | base64` +HTTP/1.1 401 Unauthorized +content-length: 28 +content-type: text/plain +date: Sun, 28 May 2023 16:56:18 GMT +server: envoy + +curl -s -I 'http://localhost:10000/' -H 'Authorization: Basic aGFja2Vyczp1bmtub3du' # generated by `echo -n "hackers:unknown" | base64` +HTTP/1.1 401 Unauthorized +content-length: 28 +content-type: text/plain +date: Sun, 28 May 2023 16:56:18 GMT +server: envoy + +curl -s -I 'http://localhost:10000/' -H 'Authorization: Basic aGFja2Vyczpkb2dvb2Q=' # generated by `echo -n "hackers:dogood" | base64` +HTTP/1.1 200 OK +date: Sun, 28 May 2023 16:56:20 GMT +content-type: text/html; charset=utf-8 +content-length: 12725 +permissions-policy: interest-cohort=() +last-modified: Sat, 06 May 2023 08:09:59 GMT +access-control-allow-origin: * +strict-transport-security: max-age=31556952 +etag: "64560b57-31b5" +expires: Sun, 28 May 2023 17:04:05 GMT +cache-control: max-age=600 +x-proxy-cache: MISS +x-github-request-id: FD8A:64E8:E68E8:F6229:6473872C +accept-ranges: bytes +via: 1.1 varnish +age: 136 +x-served-by: cache-hkg17920-HKG +x-cache: HIT +x-cache-hits: 1 +x-timer: S1685292981.889966,VS0,VE30 +vary: Accept-Encoding +x-fastly-request-id: 5c0885547b1360efd368516eb77213e7a43586ba +server: envoy +x-envoy-upstream-service-time: 1974 +``` + +## Bind Mode and Search Mode + +If no filter is specified in its configuration, the middleware runs in the default bind mode, meaning it tries to make a simple bind request to the LDAP server with the credentials provided in the request headers. If the bind succeeds, the middleware forwards the request, otherwise it returns a `401 Unauthorized` status code. + +If a filter query is specified in the middleware configuration, and the Authentication Source referenced has a `bindDN` and a `bindPassword`, then the middleware runs in search mode. In this mode, a search query with the given filter is issued to the LDAP server before trying to bind. If result of this search returns only 1 record, it tries to issue a bind request with this record, otherwise it aborts a `401 Unauthorized` status code. + +## Configurations + +### Required + +- host, string, default "localhost", required + +Host on which the LDAP server is running. + +- port, number, default 389, required + +TCP port where the LDAP server is listening. 389 is the default port for LDAP. + +- base_dn, string, "dc=example,dc=com", required + +The `baseDN` option should be set to the base domain name that should be used for bind and search queries. + +- attribute, string, default "cn", required + +Attribute to be used to search the user; e.g., “cn”. + +### Optional + +- filter, string, default "" + +If not empty, the middleware will run in search mode, filtering search results with the given query. + +Filter queries can use the `%s` placeholder that is replaced by the username provided in the `Authorization` header of the request. For example: `(&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s))`, `(cn=%s)`. + +- bind_dn, string, default "" + +The domain name to bind to in order to authenticate to the LDAP server when running on search mode. Leaving this empty with search mode means binds are anonymous, which is rarely expected behavior. It is not used when running in bind_mode. + +- bind_password, string, default "" + +The password corresponding to the `bindDN` specified when running in search mode, used in order to authenticate to the LDAP server. + + +- timeout, number, default 60 + +An optional timeout in seconds when waiting for connection with LDAP server. + diff --git a/config.go b/config.go new file mode 100644 index 0000000..9d7e14d --- /dev/null +++ b/config.go @@ -0,0 +1,101 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package main + +import ( + xds "github.com/cncf/xds/go/xds/type/v3" + "github.com/envoyproxy/envoy/contrib/golang/filters/http/source/go/pkg/api" + "github.com/envoyproxy/envoy/contrib/golang/filters/http/source/go/pkg/http" + "google.golang.org/protobuf/types/known/anypb" +) + +func init() { + http.RegisterHttpFilterConfigFactory("envoy-go-ldap-auth", configFactory) + http.RegisterHttpFilterConfigParser(&parser{}) +} + +type config struct { + host string + port uint64 + baseDN string + attribute string + bindDN string + password string + filter string + timeout int32 +} + +type parser struct { +} + +func (p *parser) Parse(any *anypb.Any) (interface{}, error) { + configStruct := &xds.TypedStruct{} + if err := any.UnmarshalTo(configStruct); err != nil { + return nil, err + } + + v := configStruct.Value + conf := &config{} + m := v.AsMap() + if host, ok := m["host"].(string); ok { + conf.host = host + } + if port, ok := m["port"].(float64); ok { + conf.port = uint64(port) + } + if baseDN, ok := m["base_dn"].(string); ok { + conf.baseDN = baseDN + } + if attribute, ok := m["attribute"].(string); ok { + conf.attribute = attribute + } + if bindDN, ok := m["bind_dn"].(string); ok { + conf.bindDN = bindDN + } + if password, ok := m["bind_password"].(string); ok { + conf.password = password + } + if cFilter, ok := m["filter"].(string); ok { + conf.filter = cFilter + } + + if timeout, ok := m["timeout"].(float64); ok { + conf.timeout = int32(timeout) + } + if conf.timeout == 0 { + conf.timeout = 60 + } + return conf, nil +} + +func (p *parser) Merge(parent interface{}, child interface{}) interface{} { + panic("TODO") +} + +func configFactory(c interface{}) api.StreamFilterFactory { + conf, ok := c.(*config) + if !ok { + panic("unexpected config type, should not happen") + } + return func(callbacks api.FilterCallbackHandler) api.StreamFilter { + return &filter{ + callbacks: callbacks, + config: conf, + } + } +} diff --git a/example/envoy.yaml b/example/envoy.yaml new file mode 100644 index 0000000..ed7c2d6 --- /dev/null +++ b/example/envoy.yaml @@ -0,0 +1,75 @@ +static_resources: + + listeners: + - name: listener_0 + address: + socket_address: + address: 0.0.0.0 + port_value: 10000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog + http_filters: + - name: envoy.filters.http.golang + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config + library_id: example + library_path: /etc/envoy/libgolang.so + plugin_name: envoy-go-ldap-auth + plugin_config: + "@type": type.googleapis.com/xds.type.v3.TypedStruct + value: + # required + host: 192.168.66.163 + port: 3893 + base_dn: dc=glauth,dc=com + attribute: cn + # optional + # be used in search mode + bind_dn: cn=serviceuser,ou=svcaccts,dc=glauth,dc=com + bind_password: mysecret + # if the filter is set, the filter application will run in search mode. + filter: (cn=%s) + timeout: 60 + + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + route_config: + name: local_route + virtual_hosts: + - name: local_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + host_rewrite_literal: mosn.io + cluster: service_mosn_io + + clusters: + - name: service_mosn_io + type: LOGICAL_DNS + # Comment out the following line to test on v6 networks + dns_lookup_family: V4_ONLY + load_assignment: + cluster_name: service_mosn_io + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: mosn.io + port_value: 443 + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: mosn.io diff --git a/filter.go b/filter.go new file mode 100644 index 0000000..77842e8 --- /dev/null +++ b/filter.go @@ -0,0 +1,196 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package main + +import ( + "encoding/base64" + "fmt" + "github.com/envoyproxy/envoy/contrib/golang/filters/http/source/go/pkg/api" + "github.com/go-ldap/ldap/v3" + "net" + "strings" + "time" +) + +type filter struct { + callbacks api.FilterCallbackHandler + config *config +} + +func parseUsernameAndPassword(auth string) (username, password string, ok bool) { + const prefix = "Basic " + if len(auth) < len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) { + return "", "", false + } + c, err := base64.StdEncoding.DecodeString(auth[len(prefix):]) + if err != nil { + return "", "", false + } + cs := string(c) + username, password, ok = strings.Cut(cs, ":") + if !ok { + return "", "", false + } + return username, password, true +} + +func dial(config *config) (*ldap.Conn, error) { + return ldap.DialURL( + // TODO: support TLS + fmt.Sprintf("ldap://%s:%d", config.host, config.port), + ldap.DialWithDialer(&net.Dialer{ + Timeout: time.Duration(config.timeout) * time.Second, + }), + ) +} + +// newLdapClient creates a new ldap client. +func newLdapClient(config *config) (*ldap.Conn, error) { + client, err := dial(config) + if err != nil { + fmt.Println("ldap dial error: ", err) + return nil, err + } + + err = client.Bind(config.bindDN, config.password) + // First bind with a read only user + if err != nil { + fmt.Println("bind with read only user error: ", err) + return nil, err + } + return client, err +} + +// authLdap authenticates the user against the ldap server. +func authLdap(config *config, username, password string) bool { + if config.filter != "" { + return searchMode(config, username, password) + } + + // run with bind mode + client, err := dial(config) + if err != nil { + fmt.Println("ldap dial error: ", err) + return false + } + + _, err = client.SimpleBind(&ldap.SimpleBindRequest{ + Username: fmt.Sprintf(config.attribute+"=%s,%s", username, config.baseDN), + Password: password, + }) + return err == nil +} + +func searchMode(config *config, username, password string) (auth bool) { + client, err := newLdapClient(config) + if err != nil { + fmt.Println("ldap dial error: ", err) + return + } + defer func() { + if client != nil { + client.Close() + } + err := recover() + if err != nil { + auth = false + return + } + }() + + req := ldap.NewSearchRequest(config.baseDN, + ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, + fmt.Sprintf(config.filter, username), + []string{config.attribute}, nil) + + sr, err := client.Search(req) + if err != nil { + fmt.Println("ldap search error: ", err) + return + } + + if len(sr.Entries) != 1 { + fmt.Println("ldap search not found: ", err) + return + } + + userDn := sr.Entries[0].DN + err = client.Bind(userDn, password) + if err != nil { + fmt.Println("ldap bind error: ", err) + return + } + + auth = true + return +} + +func (f *filter) verify(header api.RequestHeaderMap) (bool, string) { + auth, ok := header.Get("authorization") + if !ok { + return false, "no Authorization" + } + + username, password, ok := parseUsernameAndPassword(auth) + if !ok { + return false, "invalid Authorization format" + } + ok = authLdap(f.config, username, password) + if !ok { + return false, "invalid username or password" + } + return true, "" +} + +func (f *filter) DecodeHeaders(header api.RequestHeaderMap, endStream bool) api.StatusType { + go func() { + if ok, msg := f.verify(header); !ok { + // TODO: set the WWW-Authenticate response header + f.callbacks.SendLocalReply(401, msg, map[string]string{}, 0, "bad-request") + return + } + f.callbacks.Continue(api.Continue) + }() + return api.Running +} + +func (f *filter) DecodeData(buffer api.BufferInstance, endStream bool) api.StatusType { + return api.Continue +} + +func (f *filter) DecodeTrailers(trailers api.RequestTrailerMap) api.StatusType { + return api.Continue +} + +func (f *filter) EncodeHeaders(header api.ResponseHeaderMap, endStream bool) api.StatusType { + return api.Continue +} + +func (f *filter) EncodeData(buffer api.BufferInstance, endStream bool) api.StatusType { + return api.Continue +} + +func (f *filter) EncodeTrailers(trailers api.ResponseTrailerMap) api.StatusType { + return api.Continue +} + +func (f *filter) OnDestroy(reason api.DestroyReason) { +} + +func main() { +} diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..f0b01b0 --- /dev/null +++ b/go.mod @@ -0,0 +1,23 @@ +module envoy-go-ldap-auth + +go 1.19 + +require ( + github.com/cncf/xds/go v0.0.0-20230428030218-4003588d1b74 + github.com/envoyproxy/envoy v1.26.1 + github.com/go-ldap/ldap/v3 v3.4.4 + google.golang.org/protobuf v1.30.0 +) + +require ( + github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect + github.com/envoyproxy/protoc-gen-validate v0.1.0 // indirect + github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect + github.com/golang/protobuf v1.5.0 // indirect + golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect + golang.org/x/net v0.7.0 // indirect + golang.org/x/sys v0.5.0 // indirect + golang.org/x/text v0.7.0 // indirect + google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 // indirect + google.golang.org/grpc v1.25.1 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..54245aa --- /dev/null +++ b/go.sum @@ -0,0 +1,89 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU= +github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/xds/go v0.0.0-20230428030218-4003588d1b74 h1:zlUubfBUxApscKFsF4VSvvfhsBNTBu0eF/ddvpo96yk= +github.com/cncf/xds/go v0.0.0-20230428030218-4003588d1b74/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/envoyproxy/envoy v1.26.1 h1:dAghNkwTk9rTnFtlEeQ+LlRVBY/+KlNfE/fVqAnYufo= +github.com/envoyproxy/envoy v1.26.1/go.mod h1:miH794Gty39j4hAm+uZDi77Wqw4ajWzVlJHd4LjX9IU= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A= +github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs= +github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0 h1:LUVKkCeviFUMKqHa4tXIIij/lbhnMbP7Fn5wKdKkRh4= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s= +github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1 h1:wdKvqQk7IttEw92GoRyKG2IDrUIpgpj6H6m81yfeMW0= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=