diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml index 43afc73bcb24c..ca82fa060b0c1 100644 --- a/.github/workflows/ci-build.yaml +++ b/.github/workflows/ci-build.yaml @@ -30,7 +30,7 @@ jobs: - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 with: go-version: ${{ env.GOLANG_VERSION }} - name: Download all Go modules @@ -48,7 +48,7 @@ jobs: - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 with: go-version: ${{ env.GOLANG_VERSION }} - name: Restore go build cache @@ -72,7 +72,7 @@ jobs: - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 with: go-version: ${{ env.GOLANG_VERSION }} - name: Run golangci-lint @@ -97,7 +97,7 @@ jobs: - name: Create symlink in GOPATH run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 with: go-version: ${{ env.GOLANG_VERSION }} - name: Install required packages 
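Review bot: The trailing version comment on the re-pinned `actions/setup-go` line still reads `# v4.0.0`, although the commit SHA changed to `93397bea11091df50f3d7e59dc26a7711a8bcfbe`. The same SHA is annotated `# v4.1.0` in image-reuse.yaml and in the second setup-go hunk of release.yaml, so the comment here is stale. It is stale in the same way in every ci-build.yaml hunk and in the first release.yaml hunk. Because the SHA is what actually runs and the comment is what auditors and update bots read, the two should agree: `uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0`.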
@@ -164,7 +164,7 @@ jobs: - name: Create symlink in GOPATH run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 with: go-version: ${{ env.GOLANG_VERSION }} - name: Install required packages @@ -217,7 +217,7 @@ jobs: - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 with: go-version: ${{ env.GOLANG_VERSION }} - name: Create symlink in GOPATH @@ -381,7 +381,7 @@ jobs: - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 with: go-version: ${{ env.GOLANG_VERSION }} - name: GH actions workaround - Kill XSP4 process diff --git a/.github/workflows/image-reuse.yaml b/.github/workflows/image-reuse.yaml index 9cd200f0b51b6..a0a62669fc5b1 100644 --- a/.github/workflows/image-reuse.yaml +++ b/.github/workflows/image-reuse.yaml @@ -69,7 +69,7 @@ jobs: if: ${{ github.ref_type != 'tag'}} - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ inputs.go-version }} @@ -79,7 +79,7 @@ jobs: cosign-release: 'v2.0.0' - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 - - uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0 + - uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 - name: Setup tags for container image as a CSV type run: | 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b504ba6424588..c2db4b531649d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -77,7 +77,7 @@ jobs: fi - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 with: go-version: ${{ env.GOLANG_VERSION }} @@ -127,13 +127,14 @@ jobs: upload-assets: true generate-sbom: - name: Create Sbom and sign assets + name: Create SBOM and generate hash needs: - argocd-image - goreleaser permissions: contents: write # Needed for release uploads - id-token: write # Needed for signing Sbom + outputs: + hashes: ${{ steps.sbom-hash.outputs.hashes}} if: github.repository == 'argoproj/argo-cd' runs-on: ubuntu-22.04 steps: @@ -144,15 +145,10 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ env.GOLANG_VERSION }} - - name: Install cosign - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1 - with: - cosign-release: 'v2.0.0' - - name: Generate SBOM (spdx) id: spdx-builder env: 
@@ -182,23 +178,38 @@ jobs: fi cd /tmp && tar -zcf sbom.tar.gz *.spdx - - - name: Sign SBOM + + - name: Generate SBOM hash + shell: bash + id: sbom-hash run: | - cosign sign-blob \ - --output-certificate=/tmp/sbom.tar.gz.pem \ - --output-signature=/tmp/sbom.tar.gz.sig \ - -y \ - /tmp/sbom.tar.gz - - - name: Upload SBOM and signature assets + # sha256sum generates sha256 hash for sbom. + # base64 -w0 encodes to base64 and outputs on a single line. + # sha256sum /tmp/sbom.tar.gz ... | base64 -w0 + echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT" + + - name: Upload SBOM uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: files: | - /tmp/sbom.tar.* - + /tmp/sbom.tar.gz + + sbom-provenance: + needs: [generate-sbom] + permissions: + actions: read # for detecting the Github Actions environment + id-token: write # Needed for provenance signing and ID + contents: write # Needed for release uploads + if: github.repository == 'argoproj/argo-cd' + # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0 + with: + base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}" + provenance-name: "argocd-sbom.intoto.jsonl" + upload-assets: true + post-release: needs: - argocd-image diff --git a/Dockerfile b/Dockerfile index dbed21ca65bad..90c411b22c403 100644 --- a/Dockerfile +++ b/Dockerfile 
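Review bot: The `Generate SBOM hash` step runs `sha256sum /tmp/sbom.tar.gz`, so the subject name base64-encoded into `hashes` is presumably the absolute runner path rather than the name of the uploaded asset. Hashing from inside the directory keeps the provenance subject aligned with the release file: `echo "hashes=$(cd /tmp && sha256sum sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"`. The third comment line in that step (`# sha256sum /tmp/sbom.tar.gz ... | base64 -w0`) repeats the command and can go. In `sbom-provenance`, the comment has a typo ("refernced") and the job has no `name:`, unlike its neighbours. Since this hunk drops the cosign signature, the release documentation should tell consumers to verify `argocd-sbom.intoto.jsonl` instead of `sbom.tar.gz.sig`.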
@@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:22.04@sha256:ac58ff7fe25edc58bdf0067ca99 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image # Also used as the image in CI jobs so needs all dependencies #################################################################################################### -FROM docker.io/library/golang:1.20.5@sha256:4b1fc02d16fca272e5e6e6adc98396219b43ef663a377eef4a97e881d364393f AS builder +FROM docker.io/library/golang:1.20.6@sha256:8e5a0067e6b387263a01d06b91ef1a983f90e9638564f6e25392fd2695f7ab6c AS builder RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list @@ -83,7 +83,7 @@ WORKDIR /home/argocd #################################################################################################### # Argo CD UI stage #################################################################################################### -FROM --platform=$BUILDPLATFORM docker.io/library/node:20.4.0@sha256:b3ca7d32f0c12291df6e45a914d4ee60011a3fce4a978df5e609e356a4a2cb88 AS argocd-ui +FROM --platform=$BUILDPLATFORM docker.io/library/node:20.5.0@sha256:32ec50b65ac9572eda92baa6004a04dbbfc8021ea806fa62d37336183cad04e6 AS argocd-ui WORKDIR /src COPY ["ui/package.json", "ui/yarn.lock", "./"] 
@@ -101,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP #################################################################################################### # Argo CD Build stage which performs the actual build of Argo CD binaries #################################################################################################### -FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.20.5@sha256:4b1fc02d16fca272e5e6e6adc98396219b43ef663a377eef4a97e881d364393f AS argocd-build +FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.20.6@sha256:8e5a0067e6b387263a01d06b91ef1a983f90e9638564f6e25392fd2695f7ab6c AS argocd-build WORKDIR /go/src/github.com/argoproj/argo-cd diff --git a/Makefile b/Makefile index d75fd364e31d9..4c119188105b9 100644 --- a/Makefile +++ b/Makefile @@ -460,6 +460,7 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local BIN_MODE=$(ARGOCD_BIN_MODE) \ ARGOCD_APPLICATION_NAMESPACES=argocd-e2e-external \ ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES=argocd-e2e-external \ + ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \ ARGOCD_E2E_TEST=true \ goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START} diff --git a/SECURITY.md b/SECURITY.md index 9e2ba5c6ba542..38574aa2bd0db 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -35,9 +35,7 @@ impact on Argo CD before opening an issue at least roughly. ## Supported Versions -We currently support the most recent release (`N`, e.g. `1.8`) and the release -previous to the most recent one (`N-1`, e.g. `1.7`). With the release of -`N+1`, `N-1` drops out of support and `N` becomes `N-1`. +We currently support the last 3 minor versions of Argo CD with security and bug fixes. We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the supported versions, which will contain fixes for security vulnerabilities and 
diff --git a/USERS.md b/USERS.md index 5d83fde59ed32..67c1ff51e4702 100644 --- a/USERS.md +++ b/USERS.md @@ -24,6 +24,7 @@ Currently, the following organizations are **officially** using Argo CD: 1. [AppDirect](https://www.appdirect.com) 1. [Arctiq Inc.](https://www.arctiq.ca) 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/) +2. [Autodesk](https://www.autodesk.com) 1. [Axual B.V.](https://axual.com) 1. [Back Market](https://www.backmarket.com) 1. [Baloise](https://www.baloise.com) @@ -127,6 +128,7 @@ Currently, the following organizations are **officially** using Argo CD: 1. [Info Support](https://www.infosupport.com/) 1. [InsideBoard](https://www.insideboard.com) 1. [Intuit](https://www.intuit.com/) +1. [Jellysmack](https://www.jellysmack.com) 1. [Joblift](https://joblift.com/) 1. [JovianX](https://www.jovianx.com/) 1. [Kaltura](https://corp.kaltura.com/) @@ -193,6 +195,7 @@ Currently, the following organizations are **officially** using Argo CD: 1. [OpsVerse](https://opsverse.io) 1. [Optoro](https://www.optoro.com/) 1. [Orbital Insight](https://orbitalinsight.com/) +1. [Oscar Health Insurance](https://hioscar.com/) 1. [p3r](https://www.p3r.one/) 1. [Packlink](https://www.packlink.com/) 1. [PagerDuty](https://www.pagerduty.com/) diff --git a/applicationset/controllers/applicationset_controller.go b/applicationset/controllers/applicationset_controller.go index d785ad7289c4a..8b31f0a1e95a4 100644 --- a/applicationset/controllers/applicationset_controller.go +++ b/applicationset/controllers/applicationset_controller.go @@ -448,7 +448,7 @@ func (r *ApplicationSetReconciler) validateGeneratedApplications(ctx context.Con conditions, err := argoutil.ValidatePermissions(ctx, &app.Spec, proj, r.ArgoDB) if err != nil { - return nil, err + return nil, fmt.Errorf("error validating permissions: %s", err) } if len(conditions) > 0 { errorsByIndex[i] = fmt.Errorf("application spec is invalid: %s", argoutil.FormatAppConditions(conditions)) 
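Review bot: In `validateGeneratedApplications` the new wrapper formats the cause with `%s`, which flattens it to text and breaks `errors.Is`/`errors.As` for callers. Every other wrapper added in this commit uses `%w`, including the one in `getCurrentApplications`. For consistency and to keep the error chain, use `return nil, fmt.Errorf("error validating permissions: %w", err)`. The function body starts and ends outside the hunk.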
@@ -597,6 +597,9 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context, appLog := log.WithFields(log.Fields{"app": generatedApp.Name, "appSet": applicationSet.Name}) generatedApp.Namespace = applicationSet.Namespace + // Normalize to avoid fighting with the application controller. + generatedApp.Spec = *argoutil.NormalizeApplicationSpec(&generatedApp.Spec) + found := &argov1alpha1.Application{ ObjectMeta: metav1.ObjectMeta{ Name: generatedApp.Name, @@ -689,7 +692,7 @@ func (r *ApplicationSetReconciler) getCurrentApplications(_ context.Context, app err := r.Client.List(context.Background(), ¤t, client.MatchingFields{".metadata.controller": applicationSet.Name}) if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving applications: %w", err) } return current.Items, nil diff --git a/applicationset/controllers/applicationset_controller_test.go b/applicationset/controllers/applicationset_controller_test.go index dd934cc7dd53f..9fdc8b0434879 100644 --- a/applicationset/controllers/applicationset_controller_test.go +++ b/applicationset/controllers/applicationset_controller_test.go @@ -373,6 +373,7 @@ func TestCreateOrUpdateInCluster(t *testing.T) { Namespace: "namespace", ResourceVersion: "1", }, + Spec: v1alpha1.ApplicationSpec{Project: "default"}, }, }, }, 
@@ -900,6 +901,60 @@ func TestCreateOrUpdateInCluster(t *testing.T) { }, }, }, + }, { + name: "Ensure that the app spec is normalized before applying", + appSet: v1alpha1.ApplicationSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "name", + Namespace: "namespace", + }, + Spec: v1alpha1.ApplicationSetSpec{ + Template: v1alpha1.ApplicationSetTemplate{ + Spec: v1alpha1.ApplicationSpec{ + Project: "project", + Source: &v1alpha1.ApplicationSource{ + Directory: &v1alpha1.ApplicationSourceDirectory{ + Jsonnet: v1alpha1.ApplicationSourceJsonnet{}, + }, + }, + }, + }, + }, + }, + desiredApps: []v1alpha1.Application{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "app1", + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "project", + Source: &v1alpha1.ApplicationSource{ + Directory: &v1alpha1.ApplicationSourceDirectory{ + Jsonnet: v1alpha1.ApplicationSourceJsonnet{}, + }, + }, + }, + }, + }, + expected: []v1alpha1.Application{ + { + TypeMeta: metav1.TypeMeta{ + Kind: "Application", + APIVersion: "argoproj.io/v1alpha1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "app1", + Namespace: "namespace", + ResourceVersion: "1", + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "project", + Source: &v1alpha1.ApplicationSource{ + // Directory and jsonnet block are removed + }, + }, + }, + }, }, } { @@ -1231,13 +1286,15 @@ func TestCreateApplications(t *testing.T) { err = v1alpha1.AddToScheme(scheme) assert.Nil(t, err) - for _, c := range []struct { + testCases := []struct { + name string appSet v1alpha1.ApplicationSet existsApps []v1alpha1.Application apps []v1alpha1.Application expected []v1alpha1.Application }{ { + name: "no existing apps", appSet: v1alpha1.ApplicationSet{ ObjectMeta: metav1.ObjectMeta{ Name: "name", 
@@ -1263,10 +1320,14 @@ func TestCreateApplications(t *testing.T) { Namespace: "namespace", ResourceVersion: "1", }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + }, }, }, }, { + name: "existing apps", appSet: v1alpha1.ApplicationSet{ ObjectMeta: metav1.ObjectMeta{ Name: "name", @@ -1324,6 +1385,7 @@ func TestCreateApplications(t *testing.T) { }, }, { + name: "existing apps with different project", appSet: v1alpha1.ApplicationSet{ ObjectMeta: metav1.ObjectMeta{ Name: "name", 
@@ -1380,39 +1442,42 @@ func TestCreateApplications(t *testing.T) { }, }, }, - } { - initObjs := []crtclient.Object{&c.appSet} - for _, a := range c.existsApps { - err = controllerutil.SetControllerReference(&c.appSet, &a, scheme) - assert.Nil(t, err) - initObjs = append(initObjs, &a) - } - - client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(initObjs...).Build() + } - r := ApplicationSetReconciler{ - Client: client, - Scheme: scheme, - Recorder: record.NewFakeRecorder(len(initObjs) + len(c.expected)), - } + for _, c := range testCases { + t.Run(c.name, func(t *testing.T) { + initObjs := []crtclient.Object{&c.appSet} + for _, a := range c.existsApps { + err = controllerutil.SetControllerReference(&c.appSet, &a, scheme) + assert.Nil(t, err) + initObjs = append(initObjs, &a) + } - err = r.createInCluster(context.TODO(), c.appSet, c.apps) - assert.Nil(t, err) + client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(initObjs...).Build() - for _, obj := range c.expected { - got := &v1alpha1.Application{} - _ = client.Get(context.Background(), crtclient.ObjectKey{ - Namespace: obj.Namespace, - Name: obj.Name, - }, got) + r := ApplicationSetReconciler{ + Client: client, + Scheme: scheme, + Recorder: record.NewFakeRecorder(len(initObjs) + len(c.expected)), + } - err = controllerutil.SetControllerReference(&c.appSet, &obj, r.Scheme) + err = r.createInCluster(context.TODO(), c.appSet, c.apps) assert.Nil(t, err) - assert.Equal(t, obj, *got) - } - } + for _, obj := range c.expected { + got := &v1alpha1.Application{} + _ = client.Get(context.Background(), crtclient.ObjectKey{ + Namespace: obj.Namespace, + Name: obj.Name, + }, got) + err = controllerutil.SetControllerReference(&c.appSet, &obj, r.Scheme) + assert.Nil(t, err) + + assert.Equal(t, obj, *got) + } + }) + } } func TestDeleteInCluster(t *testing.T) { 
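Review bot: The moved setup loop still appends `&a` for the range variable `a` in `for _, a := range c.existsApps`. Under the Go 1.20 toolchain pinned in this page's Dockerfile, every pointer appended to `initObjs` aliases the same variable, so a case with more than one existing app would seed the fake client with the last app repeated. Adding `a := a` as the first statement of the loop body, or iterating by index with `a := &c.existsApps[i]`, fixes it. The lookup `_ = client.Get(...)` also discards its error, so a missing object only shows up as an unhelpful struct diff; asserting `assert.NoError(t, err)` on the Get would make failures readable.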
diff --git a/applicationset/controllers/requeue_after_test.go b/applicationset/controllers/requeue_after_test.go index a831b70ed2275..da6b0b10b47df 100644 --- a/applicationset/controllers/requeue_after_test.go +++ b/applicationset/controllers/requeue_after_test.go @@ -60,9 +60,9 @@ func TestRequeueAfter(t *testing.T) { "List": generators.NewListGenerator(), "Clusters": generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"), "Git": generators.NewGitGenerator(mockServer), - "SCMProvider": generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}, ""), + "SCMProvider": generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}, "", []string{""}), "ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"), - "PullRequest": generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}, ""), + "PullRequest": generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}, "", []string{""}), } nestedGenerators := map[string]generators.Generator{ diff --git a/applicationset/generators/duck_type.go b/applicationset/generators/duck_type.go index cdd13e8aeaf7a..f98afd0e01381 100644 --- a/applicationset/generators/duck_type.go +++ b/applicationset/generators/duck_type.go @@ -74,7 +74,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A // ListCluster from Argo CD's util/db package will include the local cluster in the list of clusters clustersFromArgoCD, err := utils.ListClusters(g.ctx, g.clientset, g.namespace) if err != nil { - return nil, err + return nil, fmt.Errorf("error listing clusters: %w", err) } if clustersFromArgoCD == nil { 
@@ -85,7 +85,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A cm, err := g.clientset.CoreV1().ConfigMaps(g.namespace).Get(g.ctx, appSetGenerator.ClusterDecisionResource.ConfigMapRef, metav1.GetOptions{}) if err != nil { - return nil, err + return nil, fmt.Errorf("error reading configMapRef: %w", err) } // Extract GVK data for the dynamic client to use diff --git a/applicationset/generators/generator_spec_processor.go b/applicationset/generators/generator_spec_processor.go index a6af3ae8c45cd..447e99d83ab37 100644 --- a/applicationset/generators/generator_spec_processor.go +++ b/applicationset/generators/generator_spec_processor.go @@ -125,7 +125,7 @@ func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSet func flattenParameters(in map[string]interface{}) (map[string]string, error) { flat, err := flatten.Flatten(in, "", flatten.DotStyle) if err != nil { - return nil, err + return nil, fmt.Errorf("error flatenning parameters: %w", err) } out := make(map[string]string, len(flat)) diff --git a/applicationset/generators/matrix.go b/applicationset/generators/matrix.go index 2d5d18c8a203c..e4d1b74cb7ecc 100644 --- a/applicationset/generators/matrix.go +++ b/applicationset/generators/matrix.go @@ -50,7 +50,7 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App g0, err := m.getParams(appSetGenerator.Matrix.Generators[0], appSet, nil) if err != nil { - return nil, err + return nil, fmt.Errorf("error failed to get params for first generator in matrix generator: %w", err) } for _, a := range g0 { g1, err := m.getParams(appSetGenerator.Matrix.Generators[1], appSet, a) 
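Review bot: The new message in `flattenParameters` misspells the verb: `"error flatenning parameters: %w"` should be `"error flattening parameters: %w"`. Wrapped error strings end up in controller logs and are what operators grep for, so the typo is worth fixing before it ships. In matrix.go, the prefix `"error failed to get params for first generator in matrix generator"` reads awkwardly next to the other messages; `"error getting params for first generator in matrix generator: %w"` would match their form.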
@@ -94,7 +94,7 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli } mergeGen, err := getMergeGenerator(appSetBaseGenerator) if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving merge generator: %w", err) } if mergeGen != nil && !appSet.Spec.ApplyNestedSelectors { foundSelector := dropDisabledNestedSelectors(mergeGen.Generators) diff --git a/applicationset/generators/merge.go b/applicationset/generators/merge.go index 6d79925e5d61a..c53a10e4e8090 100644 --- a/applicationset/generators/merge.go +++ b/applicationset/generators/merge.go @@ -234,7 +234,7 @@ func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*arg } merge, err := argoprojiov1alpha1.ToNestedMergeGenerator(r.Merge) if err != nil { - return nil, err + return nil, fmt.Errorf("error converting to nested merge generator: %w", err) } return merge.ToMergeGenerator(), nil } diff --git a/applicationset/generators/plugin.go b/applicationset/generators/plugin.go index 9876d0ff93a2a..3448d0967369c 100644 --- a/applicationset/generators/plugin.go +++ b/applicationset/generators/plugin.go @@ -81,7 +81,7 @@ func (g *PluginGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App res, err := g.generateParams(appSetGenerator, applicationSetInfo, list.Output.Parameters, appSetGenerator.Plugin.Input.Parameters, applicationSetInfo.Spec.GoTemplate) if err != nil { - return nil, err + return nil, fmt.Errorf("error generating params: %w", err) } return res, nil diff --git a/applicationset/generators/pull_request.go b/applicationset/generators/pull_request.go index d861010daa65e..c024f1b723919 100644 --- a/applicationset/generators/pull_request.go +++ b/applicationset/generators/pull_request.go 
@@ -26,13 +26,15 @@ type PullRequestGenerator struct { selectServiceProviderFunc func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) auth SCMAuthProviders scmRootCAPath string + allowedSCMProviders []string } -func NewPullRequestGenerator(client client.Client, auth SCMAuthProviders, scmRootCAPath string) Generator { +func NewPullRequestGenerator(client client.Client, auth SCMAuthProviders, scmRootCAPath string, allowedScmProviders []string) Generator { g := &PullRequestGenerator{ - client: client, - auth: auth, - scmRootCAPath: scmRootCAPath, + client: client, + auth: auth, + scmRootCAPath: scmRootCAPath, + allowedSCMProviders: allowedScmProviders, } g.selectServiceProviderFunc = g.selectServiceProvider return g @@ -120,10 +122,16 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha // selectServiceProvider selects the provider to get pull requests from the configuration func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, generatorConfig *argoprojiov1alpha1.PullRequestGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) { if generatorConfig.Github != nil { + if !ScmProviderAllowed(applicationSetInfo, generatorConfig.Github.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", generatorConfig.Github.API) + } return g.github(ctx, generatorConfig.Github, applicationSetInfo) } if generatorConfig.GitLab != nil { providerConfig := generatorConfig.GitLab + if !ScmProviderAllowed(applicationSetInfo, providerConfig.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", providerConfig.API) + } token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace) if err != nil { return nil, fmt.Errorf("error fetching Secret token: %v", err) 
@@ -132,6 +140,9 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera } if generatorConfig.Gitea != nil { providerConfig := generatorConfig.Gitea + if !ScmProviderAllowed(applicationSetInfo, providerConfig.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", generatorConfig.Gitea.API) + } token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace) if err != nil { return nil, fmt.Errorf("error fetching Secret token: %v", err) @@ -140,6 +151,9 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera } if generatorConfig.BitbucketServer != nil { providerConfig := generatorConfig.BitbucketServer + if !ScmProviderAllowed(applicationSetInfo, providerConfig.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", providerConfig.API) + } if providerConfig.BasicAuth != nil { password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace) if err != nil { diff --git a/applicationset/generators/pull_request_test.go b/applicationset/generators/pull_request_test.go index eb0b3bcdd8a90..72017f522946e 100644 --- a/applicationset/generators/pull_request_test.go +++ b/applicationset/generators/pull_request_test.go 
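Review bot: The Gitea branch checks `providerConfig.API` but formats the rejection with `generatorConfig.Gitea.API`, while the GitLab and Bitbucket Server branches use `providerConfig.API` for both. The values are the same, but the guard is easier to audit if all four branches read identically: `return nil, fmt.Errorf("scm provider not allowed: %s", providerConfig.API)`. The four guards are copies of one another, so a small helper returning the error would stop a later provider branch from being added without the check. `selectServiceProvider` continues past these hunks, so any provider branch not shown here should be confirmed to carry the same guard.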
@@ -273,3 +273,80 @@ func TestPullRequestGetSecretRef(t *testing.T) { }) } } + +func TestAllowedSCMProviderPullRequest(t *testing.T) { + cases := []struct { + name string + providerConfig *argoprojiov1alpha1.PullRequestGenerator + expectedError string + }{ + { + name: "Error Github", + providerConfig: &argoprojiov1alpha1.PullRequestGenerator{ + Github: &argoprojiov1alpha1.PullRequestGeneratorGithub{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "failed to select pull request service provider: scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + { + name: "Error Gitlab", + providerConfig: &argoprojiov1alpha1.PullRequestGenerator{ + GitLab: &argoprojiov1alpha1.PullRequestGeneratorGitLab{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "failed to select pull request service provider: scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + { + name: "Error Gitea", + providerConfig: &argoprojiov1alpha1.PullRequestGenerator{ + Gitea: &argoprojiov1alpha1.PullRequestGeneratorGitea{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "failed to select pull request service provider: scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + { + name: "Error Bitbucket", + providerConfig: &argoprojiov1alpha1.PullRequestGenerator{ + BitbucketServer: &argoprojiov1alpha1.PullRequestGeneratorBitbucketServer{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "failed to select pull request service provider: scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + } + + for _, testCase := range cases { + testCaseCopy := testCase + + t.Run(testCaseCopy.name, func(t *testing.T) { + t.Parallel() + + pullRequestGenerator := NewPullRequestGenerator(nil, SCMAuthProviders{}, "", []string{ + "github.myorg.com", + "gitlab.myorg.com", + 
"gitea.myorg.com", + "bitbucket.myorg.com", + "azuredevops.myorg.com", + }) + + applicationSetInfo := argoprojiov1alpha1.ApplicationSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "set", + }, + Spec: argoprojiov1alpha1.ApplicationSetSpec{ + Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{ + PullRequest: testCaseCopy.providerConfig, + }}, + }, + } + + _, err := pullRequestGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo) + + assert.Error(t, err, "Must return an error") + assert.Equal(t, testCaseCopy.expectedError, err.Error()) + }) + } +} diff --git a/applicationset/generators/scm_provider.go b/applicationset/generators/scm_provider.go index 34742f4822ef8..69e45a3f40834 100644 --- a/applicationset/generators/scm_provider.go +++ b/applicationset/generators/scm_provider.go @@ -9,9 +9,12 @@ import ( corev1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" + log "github.com/sirupsen/logrus" + "github.com/argoproj/argo-cd/v2/applicationset/services/github_app_auth" "github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider" "github.com/argoproj/argo-cd/v2/applicationset/utils" + "github.com/argoproj/argo-cd/v2/common" argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" ) 
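Review bot: `TestAllowedSCMProviderPullRequest` only exercises the deny path, and its allow-list entries are bare hostnames such as `"github.myorg.com"`. `ScmProviderAllowed` in scm_provider.go compares the whole API string with `==`, and the Makefile hunk configures full URLs, so these entries could never match a real `API` value. The test would therefore still pass if matching were broken so that nothing was ever allowed. Add at least one case whose `API` equals an allow-list entry written as a full URL (constructed example: `"https://gitea.myorg.com"`) and assert that the error is not the "scm provider not allowed" one. The same gap appears to apply to `TestAllowedSCMProvider` in scm_provider_test.go, which is cut off on this page.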
@@ -26,18 +29,20 @@ type SCMProviderGenerator struct { // Testing hooks. overrideProvider scm_provider.SCMProviderService SCMAuthProviders - scmRootCAPath string + scmRootCAPath string + allowedSCMProviders []string } type SCMAuthProviders struct { GitHubApps github_app_auth.Credentials } -func NewSCMProviderGenerator(client client.Client, providers SCMAuthProviders, scmRootCAPath string) Generator { +func NewSCMProviderGenerator(client client.Client, providers SCMAuthProviders, scmRootCAPath string, allowedSCMProviders []string) Generator { return &SCMProviderGenerator{ - client: client, - SCMAuthProviders: providers, - scmRootCAPath: scmRootCAPath, + client: client, + SCMAuthProviders: providers, + scmRootCAPath: scmRootCAPath, + allowedSCMProviders: allowedSCMProviders, } } @@ -60,6 +65,26 @@ func (g *SCMProviderGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.A return &appSetGenerator.SCMProvider.Template } +func ScmProviderAllowed(applicationSetInfo *argoprojiov1alpha1.ApplicationSet, url string, allowedScmProviders []string) bool { + if url == "" || len(allowedScmProviders) == 0 { + return true + } + + for _, allowedScmProvider := range allowedScmProviders { + if url == allowedScmProvider { + return true + } + } + + log.WithFields(log.Fields{ + common.SecurityField: common.SecurityMedium, + "applicationset": applicationSetInfo.Name, + "appSetNamespace": applicationSetInfo.Namespace, + }).Debugf("attempted to use disallowed SCM %q", url) + + return false +} + func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) { if appSetGenerator == nil { return nil, EmptyAppSetGeneratorError 
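Review bot: `ScmProviderAllowed` records a rejected endpoint with `Debugf`, so at default log levels a blocked attempt tagged `common.SecurityMedium` leaves no trace for detection. Logging it as a warning keeps the event visible: `}).Warnf("attempted to use disallowed SCM %q", url)`. The exported function also has no doc comment, and its fail-open cases deserve one, since both an empty `url` and an empty allow-list return `true`. Something like `// ScmProviderAllowed reports whether url may be used as an SCM API endpoint. An empty url (the provider's default endpoint) or an empty allow-list permits the request.` would do. The match is an exact string comparison, so entries differing only by a trailing slash or letter case are rejected; that is safe, but it should be stated in the operator documentation for the allow-list setting.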
@@ -77,21 +102,30 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha if g.overrideProvider != nil { provider = g.overrideProvider } else if providerConfig.Github != nil { + if !ScmProviderAllowed(applicationSetInfo, providerConfig.Github.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", providerConfig.Github.API) + } var err error provider, err = g.githubProvider(ctx, providerConfig.Github, applicationSetInfo) if err != nil { return nil, fmt.Errorf("scm provider: %w", err) } } else if providerConfig.Gitlab != nil { + if !ScmProviderAllowed(applicationSetInfo, providerConfig.Gitlab.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", providerConfig.Gitlab.API) + } token, err := g.getSecretRef(ctx, providerConfig.Gitlab.TokenRef, applicationSetInfo.Namespace) if err != nil { return nil, fmt.Errorf("error fetching Gitlab token: %v", err) } - provider, err = scm_provider.NewGitlabProvider(ctx, providerConfig.Gitlab.Group, token, providerConfig.Gitlab.API, providerConfig.Gitlab.AllBranches, providerConfig.Gitlab.IncludeSubgroups, providerConfig.Gitlab.Insecure, g.scmRootCAPath) + provider, err = scm_provider.NewGitlabProvider(ctx, providerConfig.Gitlab.Group, token, providerConfig.Gitlab.API, providerConfig.Gitlab.AllBranches, providerConfig.Gitlab.IncludeSubgroups, providerConfig.Gitlab.WillIncludeSharedProjects(), providerConfig.Gitlab.Insecure, g.scmRootCAPath) if err != nil { return nil, fmt.Errorf("error initializing Gitlab service: %v", err) } } else if providerConfig.Gitea != nil { + if !ScmProviderAllowed(applicationSetInfo, providerConfig.Gitea.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", providerConfig.Gitea.API) + } token, err := g.getSecretRef(ctx, providerConfig.Gitea.TokenRef, applicationSetInfo.Namespace) if err != nil { return nil, fmt.Errorf("error fetching Gitea token: %v", err) 
@@ -102,6 +136,9 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha } } else if providerConfig.BitbucketServer != nil { providerConfig := providerConfig.BitbucketServer + if !ScmProviderAllowed(applicationSetInfo, providerConfig.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", providerConfig.API) + } var scmError error if providerConfig.BasicAuth != nil { password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace) @@ -116,6 +153,9 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha return nil, fmt.Errorf("error initializing Bitbucket Server service: %v", scmError) } } else if providerConfig.AzureDevOps != nil { + if !ScmProviderAllowed(applicationSetInfo, providerConfig.AzureDevOps.API, g.allowedSCMProviders) { + return nil, fmt.Errorf("scm provider not allowed: %s", providerConfig.AzureDevOps.API) + } token, err := g.getSecretRef(ctx, providerConfig.AzureDevOps.AccessTokenRef, applicationSetInfo.Namespace) if err != nil { return nil, fmt.Errorf("error fetching Azure Devops access token: %v", err) diff --git a/applicationset/generators/scm_provider_test.go b/applicationset/generators/scm_provider_test.go index d51cb2703ad7f..4dcb8fdf3ce6f 100644 --- a/applicationset/generators/scm_provider_test.go +++ b/applicationset/generators/scm_provider_test.go 
@@ -200,3 +200,89 @@ func TestSCMProviderGenerateParams(t *testing.T) { }) } } + +func TestAllowedSCMProvider(t *testing.T) { + cases := []struct { + name string + providerConfig *argoprojiov1alpha1.SCMProviderGenerator + expectedError string + }{ + { + name: "Error Github", + providerConfig: &argoprojiov1alpha1.SCMProviderGenerator{ + Github: &argoprojiov1alpha1.SCMProviderGeneratorGithub{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + { + name: "Error Gitlab", + providerConfig: &argoprojiov1alpha1.SCMProviderGenerator{ + Gitlab: &argoprojiov1alpha1.SCMProviderGeneratorGitlab{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + { + name: "Error Gitea", + providerConfig: &argoprojiov1alpha1.SCMProviderGenerator{ + Gitea: &argoprojiov1alpha1.SCMProviderGeneratorGitea{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + { + name: "Error Bitbucket", + providerConfig: &argoprojiov1alpha1.SCMProviderGenerator{ + BitbucketServer: &argoprojiov1alpha1.SCMProviderGeneratorBitbucketServer{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + { + name: "Error AzureDevops", + providerConfig: &argoprojiov1alpha1.SCMProviderGenerator{ + AzureDevOps: &argoprojiov1alpha1.SCMProviderGeneratorAzureDevOps{ + API: "https://myservice.mynamespace.svc.cluster.local", + }, + }, + expectedError: "scm provider not allowed: https://myservice.mynamespace.svc.cluster.local", + }, + } + + for _, testCase := range cases { + testCaseCopy := testCase + + t.Run(testCaseCopy.name, func(t *testing.T) { + t.Parallel() + + scmGenerator := 
&SCMProviderGenerator{allowedSCMProviders: []string{ + "github.myorg.com", + "gitlab.myorg.com", + "gitea.myorg.com", + "bitbucket.myorg.com", + "azuredevops.myorg.com", + }} + + applicationSetInfo := argoprojiov1alpha1.ApplicationSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "set", + }, + Spec: argoprojiov1alpha1.ApplicationSetSpec{ + Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{ + SCMProvider: testCaseCopy.providerConfig, + }}, + }, + } + + _, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo) + + assert.Error(t, err, "Must return an error") + assert.Equal(t, testCaseCopy.expectedError, err.Error()) + }) + } +} diff --git a/applicationset/services/repo_service.go b/applicationset/services/repo_service.go index 6697756a54af1..8ad261fda11cd 100644 --- a/applicationset/services/repo_service.go +++ b/applicationset/services/repo_service.go @@ -58,13 +58,13 @@ func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision s } closer, client, err := a.repoServerClientSet.NewRepoServerClient() if err != nil { - return nil, err + return nil, fmt.Errorf("error initialising new repo server client: %w", err) } defer io.Close(closer) fileResponse, err := client.GetGitFiles(ctx, fileRequest) if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving Git files: %w", err) } return fileResponse.GetMap(), nil } @@ -83,13 +83,13 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi closer, client, err := a.repoServerClientSet.NewRepoServerClient() if err != nil { - return nil, err + return nil, fmt.Errorf("error initialising new repo server client: %w", err) } defer io.Close(closer) dirResponse, err := client.GetGitDirectories(ctx, dirRequest) if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving Git Directories: %w", err) } return dirResponse.GetPaths(), nil 
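Review bot: TestAllowedSCMProvider only exercises the rejection path, and its allow-list entries (`"github.myorg.com"`, `"gitlab.myorg.com"`, …) are bare hostnames while ScmProviderAllowed compares the whole API string with `==`, so none of them could match an `https://…` value anyway. Add cases that call ScmProviderAllowed directly with an API equal to a list entry, with an empty list, and with an empty url, so the permit paths are pinned as well as the deny path. `assert.Error` does not stop the subtest, so a nil `err` would panic on `err.Error()`; `assert.EqualError(t, err, testCaseCopy.expectedError)` covers both assertions in one call.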
diff --git a/applicationset/services/scm_provider/gitlab.go b/applicationset/services/scm_provider/gitlab.go index ac3d5668d327c..b759f0fbec91e 100644 --- a/applicationset/services/scm_provider/gitlab.go +++ b/applicationset/services/scm_provider/gitlab.go @@ -13,15 +13,16 @@ import ( ) type GitlabProvider struct { - client *gitlab.Client - organization string - allBranches bool - includeSubgroups bool + client *gitlab.Client + organization string + allBranches bool + includeSubgroups bool + includeSharedProjects bool } var _ SCMProviderService = &GitlabProvider{} -func NewGitlabProvider(ctx context.Context, organization string, token string, url string, allBranches, includeSubgroups, insecure bool, scmRootCAPath string) (*GitlabProvider, error) { +func NewGitlabProvider(ctx context.Context, organization string, token string, url string, allBranches, includeSubgroups, includeSharedProjects, insecure bool, scmRootCAPath string) (*GitlabProvider, error) { // Undocumented environment variable to set a default token, to be used in testing to dodge anonymous rate limits. if token == "" { token = os.Getenv("GITLAB_TOKEN") @@ -47,7 +48,8 @@ func NewGitlabProvider(ctx context.Context, organization string, token string, u return nil, err } } - return &GitlabProvider{client: client, organization: organization, allBranches: allBranches, includeSubgroups: includeSubgroups}, nil + + return &GitlabProvider{client: client, organization: organization, allBranches: allBranches, includeSubgroups: includeSubgroups, includeSharedProjects: includeSharedProjects}, nil } func (g *GitlabProvider) GetBranches(ctx context.Context, repo *Repository) ([]*Repository, error) { 
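Review bot: NewGitlabProvider now takes four adjacent positional bools (`allBranches, includeSubgroups, includeSharedProjects, insecure bool`), and the new one sits directly before `insecure`, so a call that is off by one position still compiles and can flip `insecure` unnoticed. The updated test calls (`false, true, true, false, ""`) show how little the call site tells a reader. Consider passing these as a small options struct with named fields, or at minimum add a doc comment on the constructor listing the flag order and what `insecure` disables. The constructor body lies mostly outside these hunks, so the effect of `insecure` is inferred from its name.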
@@ -75,7 +77,9 @@ func (g *GitlabProvider) ListRepos(ctx context.Context, cloneProtocol string) ([ opt := &gitlab.ListGroupProjectsOptions{ ListOptions: gitlab.ListOptions{PerPage: 100}, IncludeSubGroups: &g.includeSubgroups, + WithShared: &g.includeSharedProjects, } + repos := []*Repository{} for { gitlabRepos, resp, err := g.client.Groups.ListGroupProjects(g.organization, opt) diff --git a/applicationset/services/scm_provider/gitlab_test.go b/applicationset/services/scm_provider/gitlab_test.go index 6611669ba4941..5b284d90f0420 100644 --- a/applicationset/services/scm_provider/gitlab_test.go +++ b/applicationset/services/scm_provider/gitlab_test.go @@ -19,7 +19,7 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) { switch r.RequestURI { case "/api/v4": fmt.Println("here1") - case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100": + case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100&with_shared=false": fmt.Println("here") _, err := io.WriteString(w, `[{ "id": 27084533, 
@@ -143,6 +143,501 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) { if err != nil { t.Fail() } + case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=true&per_page=100&with_shared=false": + fmt.Println("here") + _, err := io.WriteString(w, `[{ + "id": 27084533, + "description": "", + "name": "argocd", + "name_with_namespace": "test argocd proton / argocd", + "path": "argocd", + "path_with_namespace": "test-argocd-proton/argocd", + "created_at": "2021-06-01T17:30:44.724Z", + "default_branch": "master", + "tag_list": [], + "topics": [], + "ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/argocd.git", + "http_url_to_repo": "https://gitlab.com/test-argocd-proton/argocd.git", + "web_url": "https://gitlab.com/test-argocd-proton/argocd", + "readme_url": null, + "avatar_url": null, + "forks_count": 0, + "star_count": 0, + "last_activity_at": "2021-06-04T08:19:51.656Z", + "namespace": { + "id": 12258515, + "name": "test argocd proton", + "path": "test-argocd-proton", + "kind": "gro* Connection #0 to host gitlab.com left intact up ", + "full_path ": "test - argocd - proton ", + "parent_id ": null, + "avatar_url ": null, + "web_url ": "https: //gitlab.com/groups/test-argocd-proton" + }, + "container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/argocd", + "_links": { + "self": "https://gitlab.com/api/v4/projects/27084533", + "issues": "https://gitlab.com/api/v4/projects/27084533/issues", + "merge_requests": "https://gitlab.com/api/v4/projects/27084533/merge_requests", + "repo_branches": "https://gitlab.com/api/v4/projects/27084533/repository/branches", + "labels": "https://gitlab.com/api/v4/projects/27084533/labels", + "events": "https://gitlab.com/api/v4/projects/27084533/events", + "members": "https://gitlab.com/api/v4/projects/27084533/members", + "cluster_agents": "https://gitlab.com/api/v4/projects/27084533/cluster_agents" + }, + "packages_enabled": true, + "empty_repo": false, + "archived": false, + 
"visibility": "public", + "resolve_outdated_diff_discussions": false, + "container_expiration_policy": { + "cadence": "1d", + "enabled": false, + "keep_n": 10, + "older_than": "90d", + "name_regex": ".*", + "name_regex_keep": null, + "next_run_at": "2021-06-02T17:30:44.740Z" + }, + "issues_enabled": true, + "merge_requests_enabled": true, + "wiki_enabled": true, + "jobs_enabled": true, + "snippets_enabled": true, + "container_registry_enabled": true, + "service_desk_enabled": true, + "can_create_merge_request_in": false, + "issues_access_level": "enabled", + "repository_access_level": "enabled", + "merge_requests_access_level": "enabled", + "forking_access_level": "enabled", + "wiki_access_level": "enabled", + "builds_access_level": "enabled", + "snippets_access_level": "enabled", + "pages_access_level": "enabled", + "operations_access_level": "enabled", + "analytics_access_level": "enabled", + "container_registry_access_level": "enabled", + "security_and_compliance_access_level": "private", + "emails_disabled": null, + "shared_runners_enabled": true, + "lfs_enabled": true, + "creator_id": 2378866, + "import_status": "none", + "open_issues_count": 0, + "ci_default_git_depth": 50, + "ci_forward_deployment_enabled": true, + "ci_job_token_scope_enabled": false, + "public_jobs": true, + "build_timeout": 3600, + "auto_cancel_pending_pipelines": "enabled", + "ci_config_path": "", + "shared_with_groups": [], + "only_allow_merge_if_pipeline_succeeds": false, + "allow_merge_on_skipped_pipeline": null, + "restrict_user_defined_variables": false, + "request_access_enabled": true, + "only_allow_merge_if_all_discussions_are_resolved": false, + "remove_source_branch_after_merge": true, + "printing_merge_request_link_enabled": true, + "merge_method": "merge", + "squash_option": "default_off", + "suggestion_commit_message": null, + "merge_commit_template": null, + "squash_commit_template": null, + "auto_devops_enabled": false, + "auto_devops_deploy_strategy": "continuous", + 
"autoclose_referenced_issues": true, + "keep_latest_artifact": true, + "runner_token_expiration_interval": null, + "approvals_before_merge": 0, + "mirror": false, + "external_authorization_classification_label": "", + "marked_for_deletion_at": null, + "marked_for_deletion_on": null, + "requirements_enabled": true, + "requirements_access_level": "enabled", + "security_and_compliance_enabled": false, + "compliance_frameworks": [], + "issues_template": null, + "merge_requests_template": null, + "merge_pipelines_enabled": false, + "merge_trains_enabled": false + }, + { + "id": 27084538, + "description": "This is a Project from a Subgroup", + "name": "argocd-subgroup", + "name_with_namespace": "test argocd proton / subgroup / argocd-subgroup", + "path": "argocd-subgroup", + "path_with_namespace": "test-argocd-proton/subgroup/argocd-subgroup", + "created_at": "2021-06-01T17:30:44.724Z", + "default_branch": "master", + "tag_list": [], + "topics": [], + "ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/subgroup/argocd-subgroup.git", + "http_url_to_repo": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup.git", + "web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup", + "readme_url": null, + "avatar_url": null, + "forks_count": 0, + "star_count": 0, + "last_activity_at": "2021-06-04T08:19:51.656Z", + "namespace": { + "id": 12258542, + "name": "subgroup", + "path": "subgroup", + "kind": "group ", + "full_path ": "test-argocd-proton/subgroup", + "parent_id ": 12258515, + "avatar_url ": null, + "web_url ": "https: //gitlab.com/groups/test-argocd-proton/subgroup" + }, + "container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/subgroup/argocd", + "_links": { + "self": "https://gitlab.com/api/v4/projects/27084538", + "issues": "https://gitlab.com/api/v4/projects/27084538/issues", + "merge_requests": "https://gitlab.com/api/v4/projects/27084538/merge_requests", + "repo_branches": 
"https://gitlab.com/api/v4/projects/27084538/repository/branches", + "labels": "https://gitlab.com/api/v4/projects/27084538/labels", + "events": "https://gitlab.com/api/v4/projects/27084538/events", + "members": "https://gitlab.com/api/v4/projects/27084538/members", + "cluster_agents": "https://gitlab.com/api/v4/projects/27084538/cluster_agents" + }, + "packages_enabled": true, + "empty_repo": false, + "archived": false, + "visibility": "public", + "resolve_outdated_diff_discussions": false, + "container_expiration_policy": { + "cadence": "1d", + "enabled": false, + "keep_n": 10, + "older_than": "90d", + "name_regex": ".*", + "name_regex_keep": null, + "next_run_at": "2021-06-02T17:30:44.740Z" + }, + "issues_enabled": true, + "merge_requests_enabled": true, + "wiki_enabled": true, + "jobs_enabled": true, + "snippets_enabled": true, + "container_registry_enabled": true, + "service_desk_enabled": true, + "can_create_merge_request_in": false, + "issues_access_level": "enabled", + "repository_access_level": "enabled", + "merge_requests_access_level": "enabled", + "forking_access_level": "enabled", + "wiki_access_level": "enabled", + "builds_access_level": "enabled", + "snippets_access_level": "enabled", + "pages_access_level": "enabled", + "operations_access_level": "enabled", + "analytics_access_level": "enabled", + "container_registry_access_level": "enabled", + "security_and_compliance_access_level": "private", + "emails_disabled": null, + "shared_runners_enabled": true, + "lfs_enabled": true, + "creator_id": 2378866, + "import_status": "none", + "open_issues_count": 0, + "ci_default_git_depth": 50, + "ci_forward_deployment_enabled": true, + "ci_job_token_scope_enabled": false, + "public_jobs": true, + "build_timeout": 3600, + "auto_cancel_pending_pipelines": "enabled", + "ci_config_path": "", + "shared_with_groups": [], + "only_allow_merge_if_pipeline_succeeds": false, + "allow_merge_on_skipped_pipeline": null, + "restrict_user_defined_variables": false, + 
"request_access_enabled": true, + "only_allow_merge_if_all_discussions_are_resolved": false, + "remove_source_branch_after_merge": true, + "printing_merge_request_link_enabled": true, + "merge_method": "merge", + "squash_option": "default_off", + "suggestion_commit_message": null, + "merge_commit_template": null, + "squash_commit_template": null, + "auto_devops_enabled": false, + "auto_devops_deploy_strategy": "continuous", + "autoclose_referenced_issues": true, + "keep_latest_artifact": true, + "runner_token_expiration_interval": null, + "approvals_before_merge": 0, + "mirror": false, + "external_authorization_classification_label": "", + "marked_for_deletion_at": null, + "marked_for_deletion_on": null, + "requirements_enabled": true, + "requirements_access_level": "enabled", + "security_and_compliance_enabled": false, + "compliance_frameworks": [], + "issues_template": null, + "merge_requests_template": null, + "merge_pipelines_enabled": false, + "merge_trains_enabled": false + } + ]`) + if err != nil { + t.Fail() + } + case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=true&per_page=100&with_shared=true": + fmt.Println("here") + _, err := io.WriteString(w, `[{ + "id": 27084533, + "description": "", + "name": "argocd", + "name_with_namespace": "test argocd proton / argocd", + "path": "argocd", + "path_with_namespace": "test-argocd-proton/argocd", + "created_at": "2021-06-01T17:30:44.724Z", + "default_branch": "master", + "tag_list": [], + "topics": [], + "ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/argocd.git", + "http_url_to_repo": "https://gitlab.com/test-argocd-proton/argocd.git", + "web_url": "https://gitlab.com/test-argocd-proton/argocd", + "readme_url": null, + "avatar_url": null, + "forks_count": 0, + "star_count": 0, + "last_activity_at": "2021-06-04T08:19:51.656Z", + "namespace": { + "id": 12258515, + "name": "test argocd proton", + "path": "test-argocd-proton", + "kind": "gro* Connection #0 to host gitlab.com left intact up ", + 
"full_path ": "test - argocd - proton ", + "parent_id ": null, + "avatar_url ": null, + "web_url ": "https: //gitlab.com/groups/test-argocd-proton" + }, + "container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/argocd", + "_links": { + "self": "https://gitlab.com/api/v4/projects/27084533", + "issues": "https://gitlab.com/api/v4/projects/27084533/issues", + "merge_requests": "https://gitlab.com/api/v4/projects/27084533/merge_requests", + "repo_branches": "https://gitlab.com/api/v4/projects/27084533/repository/branches", + "labels": "https://gitlab.com/api/v4/projects/27084533/labels", + "events": "https://gitlab.com/api/v4/projects/27084533/events", + "members": "https://gitlab.com/api/v4/projects/27084533/members", + "cluster_agents": "https://gitlab.com/api/v4/projects/27084533/cluster_agents" + }, + "packages_enabled": true, + "empty_repo": false, + "archived": false, + "visibility": "public", + "resolve_outdated_diff_discussions": false, + "container_expiration_policy": { + "cadence": "1d", + "enabled": false, + "keep_n": 10, + "older_than": "90d", + "name_regex": ".*", + "name_regex_keep": null, + "next_run_at": "2021-06-02T17:30:44.740Z" + }, + "issues_enabled": true, + "merge_requests_enabled": true, + "wiki_enabled": true, + "jobs_enabled": true, + "snippets_enabled": true, + "container_registry_enabled": true, + "service_desk_enabled": true, + "can_create_merge_request_in": false, + "issues_access_level": "enabled", + "repository_access_level": "enabled", + "merge_requests_access_level": "enabled", + "forking_access_level": "enabled", + "wiki_access_level": "enabled", + "builds_access_level": "enabled", + "snippets_access_level": "enabled", + "pages_access_level": "enabled", + "operations_access_level": "enabled", + "analytics_access_level": "enabled", + "container_registry_access_level": "enabled", + "security_and_compliance_access_level": "private", + "emails_disabled": null, + "shared_runners_enabled": true, + "lfs_enabled": true, + 
"creator_id": 2378866, + "import_status": "none", + "open_issues_count": 0, + "ci_default_git_depth": 50, + "ci_forward_deployment_enabled": true, + "ci_job_token_scope_enabled": false, + "public_jobs": true, + "build_timeout": 3600, + "auto_cancel_pending_pipelines": "enabled", + "ci_config_path": "", + "shared_with_groups": [], + "only_allow_merge_if_pipeline_succeeds": false, + "allow_merge_on_skipped_pipeline": null, + "restrict_user_defined_variables": false, + "request_access_enabled": true, + "only_allow_merge_if_all_discussions_are_resolved": false, + "remove_source_branch_after_merge": true, + "printing_merge_request_link_enabled": true, + "merge_method": "merge", + "squash_option": "default_off", + "suggestion_commit_message": null, + "merge_commit_template": null, + "squash_commit_template": null, + "auto_devops_enabled": false, + "auto_devops_deploy_strategy": "continuous", + "autoclose_referenced_issues": true, + "keep_latest_artifact": true, + "runner_token_expiration_interval": null, + "approvals_before_merge": 0, + "mirror": false, + "external_authorization_classification_label": "", + "marked_for_deletion_at": null, + "marked_for_deletion_on": null, + "requirements_enabled": true, + "requirements_access_level": "enabled", + "security_and_compliance_enabled": false, + "compliance_frameworks": [], + "issues_template": null, + "merge_requests_template": null, + "merge_pipelines_enabled": false, + "merge_trains_enabled": false + }, + { + "id": 27084534, + "description": "This is a Shared Project", + "name": "shared-argocd", + "name_with_namespace": "shared project to test argocd proton / argocd", + "path": "shared-argocd", + "path_with_namespace": "test-shared-argocd-proton/shared-argocd", + "created_at": "2021-06-11T17:30:44.724Z", + "default_branch": "master", + "tag_list": [], + "topics": [], + "ssh_url_to_repo": "git@gitlab.com:test-shared-argocd-proton/shared-argocd.git", + "http_url_to_repo": 
"https://gitlab.com/test-shared-argocd-proton/shared-argocd.git", + "web_url": "https://gitlab.com/test-shared-argocd-proton/shared-argocd", + "readme_url": null, + "avatar_url": null, + "forks_count": 0, + "star_count": 0, + "last_activity_at": "2021-06-04T08:19:51.656Z", + "namespace": { + "id": 12258518, + "name": "test shared argocd proton", + "path": "test-shared-argocd-proton", + "kind": "group", + "full_path ": "test-shared-argocd-proton", + "parent_id ": null, + "avatar_url ": null, + "web_url ": "https: //gitlab.com/groups/test-shared-argocd-proton" + }, + "container_registry_image_prefix": "registry.gitlab.com/test-shared-argocd-proton/shared-argocd", + "_links": { + "self": "https://gitlab.com/api/v4/projects/27084534", + "issues": "https://gitlab.com/api/v4/projects/27084534/issues", + "merge_requests": "https://gitlab.com/api/v4/projects/27084534/merge_requests", + "repo_branches": "https://gitlab.com/api/v4/projects/27084534/repository/branches", + "labels": "https://gitlab.com/api/v4/projects/27084534/labels", + "events": "https://gitlab.com/api/v4/projects/27084534/events", + "members": "https://gitlab.com/api/v4/projects/27084534/members", + "cluster_agents": "https://gitlab.com/api/v4/projects/27084534/cluster_agents" + }, + "packages_enabled": true, + "empty_repo": false, + "archived": false, + "visibility": "public", + "resolve_outdated_diff_discussions": false, + "container_expiration_policy": { + "cadence": "1d", + "enabled": false, + "keep_n": 10, + "older_than": "90d", + "name_regex": ".*", + "name_regex_keep": null, + "next_run_at": "2021-06-12T17:30:44.740Z" + }, + "issues_enabled": true, + "merge_requests_enabled": true, + "wiki_enabled": true, + "jobs_enabled": true, + "snippets_enabled": true, + "container_registry_enabled": true, + "service_desk_enabled": true, + "can_create_merge_request_in": false, + "issues_access_level": "enabled", + "repository_access_level": "enabled", + "merge_requests_access_level": "enabled", + 
"forking_access_level": "enabled", + "wiki_access_level": "enabled", + "builds_access_level": "enabled", + "snippets_access_level": "enabled", + "pages_access_level": "enabled", + "operations_access_level": "enabled", + "analytics_access_level": "enabled", + "container_registry_access_level": "enabled", + "security_and_compliance_access_level": "private", + "emails_disabled": null, + "shared_runners_enabled": true, + "lfs_enabled": true, + "creator_id": 2378866, + "import_status": "none", + "open_issues_count": 0, + "ci_default_git_depth": 50, + "ci_forward_deployment_enabled": true, + "ci_job_token_scope_enabled": false, + "public_jobs": true, + "build_timeout": 3600, + "auto_cancel_pending_pipelines": "enabled", + "ci_config_path": "", + "shared_with_groups": [ + { + "group_id": 12258515, + "group_name": "test-argocd-proton", + "group_full_path": "test-shared-argocd-proton", + "group_access_level": 30, + "expires_at": null + } + ], + "only_allow_merge_if_pipeline_succeeds": false, + "allow_merge_on_skipped_pipeline": null, + "restrict_user_defined_variables": false, + "request_access_enabled": true, + "only_allow_merge_if_all_discussions_are_resolved": false, + "remove_source_branch_after_merge": true, + "printing_merge_request_link_enabled": true, + "merge_method": "merge", + "squash_option": "default_off", + "suggestion_commit_message": null, + "merge_commit_template": null, + "squash_commit_template": null, + "auto_devops_enabled": false, + "auto_devops_deploy_strategy": "continuous", + "autoclose_referenced_issues": true, + "keep_latest_artifact": true, + "runner_token_expiration_interval": null, + "approvals_before_merge": 0, + "mirror": false, + "external_authorization_classification_label": "", + "marked_for_deletion_at": null, + "marked_for_deletion_on": null, + "requirements_enabled": true, + "requirements_access_level": "enabled", + "security_and_compliance_enabled": false, + "compliance_frameworks": [], + "issues_template": null, + 
"merge_requests_template": null, + "merge_pipelines_enabled": false, + "merge_trains_enabled": false + }]`) + if err != nil { + t.Fail() + } case "/api/v4/projects/27084533/repository/branches/master": fmt.Println("returning") _, err := io.WriteString(w, `{ 
@@ -229,6 +724,116 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) { if err != nil { t.Fail() } + case "/api/v4/projects/27084534/repository/branches?per_page=100": + _, err := io.WriteString(w, `[{ + "name": "master", + "commit": { + "id": "8898d7999fc99dd0fd578650b58b244fc63f6b53", + "short_id": "8898d799", + "created_at": "2021-06-04T08:24:44.000+00:00", + "parent_ids": null, + "title": "Merge branch 'pipeline-1317911429' into 'master'", + "message": "Merge branch 'pipeline-1317911429' into 'master'", + "author_name": "Martin Vozník", + "author_email": "martin@voznik.cz", + "authored_date": "2021-06-04T08:24:44.000+00:00", + "committer_name": "Martin Vozník", + "committer_email": "martin@voznik.cz", + "committed_date": "2021-06-04T08:24:44.000+00:00", + "trailers": null, + "web_url": "https://gitlab.com/test-shared-argocd-proton/shared-argocd/-/commit/8898d7999fc99dd0fd578650b58b244fc63f6b53" + }, + "merged": false, + "protected": true, + "developers_can_push": false, + "developers_can_merge": false, + "can_push": false, + "default": true, + "web_url": "https://gitlab.com/test-shared-argocd-proton/shared-argocd/-/tree/master" + }, { + "name": "pipeline-2310077506", + "commit": { + "id": "0f92540e5f396ba960adea4ed0aa905baf3f73d1", + "short_id": "0f92540e", + "created_at": "2021-06-01T18:39:59.000+00:00", + "parent_ids": null, + "title": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1", + "message": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1", + "author_name": "ci-test-app", + "author_email": "mvoznik+cicd@protonmail.com", + "authored_date": "2021-06-01T18:39:59.000+00:00", + "committer_name": "ci-test-app", + "committer_email": "mvoznik+cicd@protonmail.com", + "committed_date": "2021-06-01T18:39:59.000+00:00", + "trailers": null, + "web_url": "https://gitlab.com/test-shared-argocd-proton/shared-argocd/-/commit/0f92540e5f396ba960adea4ed0aa905baf3f73d1" + }, + "merged": false, + "protected": false, + 
"developers_can_push": false, + "developers_can_merge": false, + "can_push": false, + "default": false, + "web_url": "https://gitlab.com/test-shared-argocd-proton/shared-argocd/-/tree/pipeline-1310077506" + }]`) + if err != nil { + t.Fail() + } + case "/api/v4/projects/27084538/repository/branches?per_page=100": + _, err := io.WriteString(w, `[{ + "name": "master", + "commit": { + "id": "8898d7999fc99dd0fd578650b58b244fc63f6b58", + "short_id": "8898d801", + "created_at": "2021-06-04T08:24:44.000+00:00", + "parent_ids": null, + "title": "Merge branch 'pipeline-1317911429' into 'master'", + "message": "Merge branch 'pipeline-1317911429' into 'master'", + "author_name": "Martin Vozník", + "author_email": "martin@voznik.cz", + "authored_date": "2021-06-04T08:24:44.000+00:00", + "committer_name": "Martin Vozník", + "committer_email": "martin@voznik.cz", + "committed_date": "2021-06-04T08:24:44.000+00:00", + "trailers": null, + "web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/commit/8898d7999fc99dd0fd578650b58b244fc63f6b53" + }, + "merged": false, + "protected": true, + "developers_can_push": false, + "developers_can_merge": false, + "can_push": false, + "default": true, + "web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/tree/master" + }, { + "name": "pipeline-2310077506", + "commit": { + "id": "0f92540e5f396ba960adea4ed0aa905baf3f73d1", + "short_id": "0f92540e", + "created_at": "2021-06-01T18:39:59.000+00:00", + "parent_ids": null, + "title": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1", + "message": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1", + "author_name": "ci-test-app", + "author_email": "mvoznik+cicd@protonmail.com", + "authored_date": "2021-06-01T18:39:59.000+00:00", + "committer_name": "ci-test-app", + "committer_email": "mvoznik+cicd@protonmail.com", + "committed_date": "2021-06-01T18:39:59.000+00:00", + "trailers": null, + "web_url": 
"https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/commit/0f92540e5f396ba960adea4ed0aa905baf3f73d1" + }, + "merged": false, + "protected": false, + "developers_can_push": false, + "developers_can_merge": false, + "can_push": false, + "default": false, + "web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/tree/pipeline-1310077506" + }]`) + if err != nil { + t.Fail() + } case "/api/v4/projects/test-argocd-proton%2Fargocd": fmt.Println("auct") _, err := io.WriteString(w, `{ @@ -286,10 +891,10 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) { } func TestGitlabListRepos(t *testing.T) { cases := []struct { - name, proto, url string - hasError, allBranches, includeSubgroups, insecure bool - branches []string - filters []v1alpha1.SCMProviderGeneratorFilter + name, proto, url string + hasError, allBranches, includeSubgroups, includeSharedProjects, insecure bool + branches []string + filters []v1alpha1.SCMProviderGeneratorFilter }{ { name: "blank protocol", 
@@ -317,32 +922,54 @@ func TestGitlabListRepos(t *testing.T) { url: "git@gitlab.com:test-argocd-proton/argocd.git", branches: []string{"master"}, }, + { + name: "all subgroups", + allBranches: true, + url: "git@gitlab.com:test-argocd-proton/argocd.git", + branches: []string{"master"}, + includeSharedProjects: false, + includeSubgroups: true, + }, + { + name: "all subgroups and shared projects", + allBranches: true, + url: "git@gitlab.com:test-argocd-proton/argocd.git", + branches: []string{"master"}, + includeSharedProjects: true, + includeSubgroups: true, + }, } ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { gitlabMockHandler(t)(w, r) })) for _, c := range cases { t.Run(c.name, func(t *testing.T) { - provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.insecure, "") + provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.includeSharedProjects, c.insecure, "") rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto) if c.hasError { assert.NotNil(t, err) } else { assert.Nil(t, err) - // Just check that this one project shows up. Not a great test but better thing nothing? + // Just check that this one project shows up. Not a great test but better than nothing? repos := []*Repository{} + uniqueRepos := map[string]int{} branches := []string{} for _, r := range rawRepos { if r.Repository == "argocd" { repos = append(repos, r) branches = append(branches, r.Branch) } + uniqueRepos[r.Repository]++ } assert.NotEmpty(t, repos) assert.Equal(t, c.url, repos[0].URL) for _, b := range c.branches { assert.Contains(t, branches, b) } + // In case of listing subgroups, validate the number of returned projects + if c.includeSubgroups || c.includeSharedProjects { + assert.Equal(t, 2, len(uniqueRepos)) + } } }) } 
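Review bot: The new check `assert.Equal(t, 2, len(uniqueRepos))` passes for both added cases without telling them apart: it counts distinct repository names, so it cannot show that `shared-argocd` is absent when `includeSharedProjects` is false and present when it is true. Assert the expected names per case instead, for example `assert.Contains(t, uniqueRepos, "shared-argocd")` in the shared case and `assert.NotContains(t, uniqueRepos, "shared-argocd")` in the subgroup-only case. The changed constructor line still discards its error (`provider, _ := NewGitlabProvider(...)`); asserting on it would keep a setup failure from showing up later as a confusing ListRepos failure.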
@@ -352,7 +979,7 @@ func TestGitlabHasPath(t *testing.T) { ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { gitlabMockHandler(t)(w, r) })) - host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, false, "") + host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, true, false, "") repo := &Repository{ Organization: "test-argocd-proton", Repository: "argocd", @@ -398,7 +1025,7 @@ func TestGitlabGetBranches(t *testing.T) { ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { gitlabMockHandler(t)(w, r) })) - host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, false, "") + host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, true, false, "") repo := &Repository{ RepositoryId: 27084533, diff --git a/applicationset/utils/utils.go b/applicationset/utils/utils.go index 5b5fbc69ca031..90e65ef5dafdc 100644 --- a/applicationset/utils/utils.go +++ b/applicationset/utils/utils.go @@ -283,7 +283,10 @@ func (r *Render) Replace(tmpl string, replaceMap map[string]interface{}, useGoTe return tmpl, nil } - fstTmpl := fasttemplate.New(tmpl, "{{", "}}") + fstTmpl, err := fasttemplate.NewTemplate(tmpl, "{{", "}}") + if err != nil { + return "", fmt.Errorf("invalid template: %w", err) + } replacedTmpl := fstTmpl.ExecuteFuncString(func(w io.Writer, tag string) (int, error) { trimmedTag := strings.TrimSpace(tag) replacement, ok := replaceMap[trimmedTag].(string) diff --git a/applicationset/utils/utils_test.go b/applicationset/utils/utils_test.go index b1f7c1164f104..0a62275befc9f 100644 --- a/applicationset/utils/utils_test.go +++ b/applicationset/utils/utils_test.go 
@@ -559,6 +559,14 @@ func TestRenderTemplateKeys(t *testing.T) { }) } +func Test_Render_Replace_no_panic_on_missing_closing_brace(t *testing.T) { + r := &Render{} + assert.NotPanics(t, func() { + _, err := r.Replace("{{properly.closed}} {{improperly.closed}", nil, false, []string{}) + assert.Error(t, err) + }) +} + func TestRenderTemplateParamsFinalizers(t *testing.T) { emptyApplication := &argoappsv1.Application{ diff --git a/assets/swagger.json b/assets/swagger.json index f8a7b3208793d..7fda4caeea71c 100644 --- a/assets/swagger.json +++ b/assets/swagger.json @@ -401,6 +401,11 @@ "type": "boolean", "name": "validate", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -462,6 +467,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -523,6 +533,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -649,6 +664,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -737,6 +757,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -773,6 +798,11 @@ "type": "string", "name": "namespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -885,6 +915,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -935,6 +970,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { 
@@ -971,6 +1011,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1084,6 +1129,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1154,6 +1204,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1226,6 +1281,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1295,6 +1355,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1356,6 +1421,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1423,6 +1493,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1484,6 +1559,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1529,6 +1609,11 @@ "description": "the application's namespace.", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1574,6 +1659,11 @@ "description": "the application's namespace.", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -1662,6 +1752,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { 
@@ -1737,6 +1832,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -3833,6 +3933,11 @@ "type": "string", "name": "appNamespace", "in": "query" + }, + { + "type": "string", + "name": "project", + "in": "query" } ], "responses": { @@ -3998,6 +4103,9 @@ }, "name": { "type": "string" + }, + "project": { + "type": "string" } } }, @@ -4027,6 +4135,9 @@ }, "patchType": { "type": "string" + }, + "project": { + "type": "string" } } }, @@ -4057,6 +4168,9 @@ "name": { "type": "string" }, + "project": { + "type": "string" + }, "prune": { "type": "boolean" } @@ -4087,6 +4201,9 @@ "name": { "type": "string" }, + "project": { + "type": "string" + }, "prune": { "type": "boolean" }, @@ -5537,19 +5654,8 @@ }, "v1Time": { "description": "Time is a wrapper around time.Time which supports correct\nmarshaling to YAML and JSON. Wrappers are provided for many\nof the factory methods that the time package offers.\n\n+protobuf.options.marshal=false\n+protobuf.as=Timestamp\n+protobuf.options.(gogoproto.goproto_stringer)=false", - "type": "object", - "properties": { - "nanos": { - "description": "Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.", - "type": "integer", - "format": "int32" - }, - "seconds": { - "description": "Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.", - "type": "string", - "format": "int64" - } - } + "type": "string", + "format": "date-time" }, "v1alpha1AWSAuthConfig": { "type": "object", 
@@ -5735,16 +5841,16 @@ "title": "ApplicationDestination holds information about the application's destination", "properties": { "name": { - "type": "string", - "title": "Name is an alternate way of specifying the target cluster by its symbolic name" + "description": "Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.", + "type": "string" }, "namespace": { "type": "string", "title": "Namespace specifies the target namespace for the application's resources.\nThe namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace" }, "server": { - "type": "string", - "title": "Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API" + "description": "Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.", + "type": "string" } } }, @@ -7919,6 +8025,12 @@ "disabled": { "type": "boolean" }, + "displayName": { + "type": "string" + }, + "iconClass": { + "type": "string" + }, "name": { "type": "string" }, @@ -8100,13 +8212,15 @@ "$ref": "#/definitions/v1alpha1ResourceRef" } }, - "resourceRef": { - "$ref": "#/definitions/v1alpha1ResourceRef" - }, "resourceVersion": { "type": "string" } - } + }, + "allOf": [ + { + "$ref": "#/definitions/v1alpha1ResourceRef" + } + ] }, "v1alpha1ResourceOverride": { "type": "object", @@ -8565,6 +8679,10 @@ "description": "Gitlab group to scan. Required. You can use either the project id (recommended) or the full namespaced path.", "type": "string" }, + "includeSharedProjects": { + "type": "boolean", + "title": "When recursing through subgroups, also include shared Projects (true) or scan only the subgroups under same path (false). Defaults to \"true\"" + }, "includeSubgroups": { "type": "boolean", "title": "Recurse through subgroups (true) or scan only the base group (false). Defaults to \"false\"" 
diff --git a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go index f873c912d4f73..1226202de7e01 100644 --- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go +++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go @@ -65,6 +65,7 @@ func NewCommand() *cobra.Command { repoServerTimeoutSeconds int maxConcurrentReconciliations int scmRootCAPath string + allowedScmProviders []string ) scheme := runtime.NewScheme() _ = clientgoscheme.AddToScheme(scheme) @@ -97,7 +98,7 @@ func NewCommand() *cobra.Command { policyObj, exists := utils.Policies[policy] if !exists { - log.Info("Policy value can be: sync, create-only, create-update, create-delete, default value: sync") + log.Error("Policy value can be: sync, create-only, create-update, create-delete, default value: sync") os.Exit(1) } @@ -107,6 +108,9 @@ func NewCommand() *cobra.Command { // If the applicationset-namespaces contains only one namespace it corresponds to the current namespace if len(applicationSetNamespaces) == 1 { watchedNamespace = (applicationSetNamespaces)[0] + } else if len(allowedScmProviders) == 0 { + log.Error("When enabling applicationset in any namespace using applicationset-namespaces, allowed-scm-providers is required") + os.Exit(1) } mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ 
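Review bot: The guard that skips the `allowed-scm-providers` requirement, `if len(applicationSetNamespaces) == 1`, relies on the comment's assumption that a single entry is the controller's own namespace, but nothing in the hunk compares the entry with it. If the list can hold one namespace other than the controller's, that configuration starts without any SCM provider restriction. Checking the value as well, e.g. `if len(applicationSetNamespaces) == 1 && applicationSetNamespaces[0] == namespace {`, would close that gap, assuming `namespace` is already resolved at this point. `NewCommand` starts and ends outside the hunk, so that has to be confirmed there.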
@@ -159,9 +163,9 @@ func NewCommand() *cobra.Command { "List": generators.NewListGenerator(), "Clusters": generators.NewClusterGenerator(mgr.GetClient(), ctx, k8sClient, namespace), "Git": generators.NewGitGenerator(argoCDService), - "SCMProvider": generators.NewSCMProviderGenerator(mgr.GetClient(), scmAuth, scmRootCAPath), + "SCMProvider": generators.NewSCMProviderGenerator(mgr.GetClient(), scmAuth, scmRootCAPath, allowedScmProviders), "ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, namespace), - "PullRequest": generators.NewPullRequestGenerator(mgr.GetClient(), scmAuth, scmRootCAPath), + "PullRequest": generators.NewPullRequestGenerator(mgr.GetClient(), scmAuth, scmRootCAPath, allowedScmProviders), "Plugin": generators.NewPluginGenerator(mgr.GetClient(), ctx, k8sClient, namespace), } 
@@ -241,6 +245,7 @@ func NewCommand() *cobra.Command { command.Flags().BoolVar(&debugLog, "debug", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG", false), "Print debug logs. Takes precedence over loglevel") command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json") command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error") + command.Flags().StringSliceVar(&allowedScmProviders, "allowed-scm-providers", env.StringsFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS", []string{}, ","), "The list of allowed scm providers. (Default: Empty = all)") command.Flags().BoolVar(&dryRun, "dry-run", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN", false), "Enable dry run mode") command.Flags().BoolVar(&enableProgressiveSyncs, "enable-progressive-syncs", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS", false), "Enable use of the experimental progressive syncs feature.") command.Flags().BoolVar(&enableNewGitFileGlobbing, "enable-new-git-file-globbing", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING", false), "Enable new globbing in Git files generator.") diff --git a/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go b/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go index 410364e6429df..ce0f3ee3a2f49 100644 --- a/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go +++ b/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go @@ -20,6 +20,7 @@ func NewCommand() *cobra.Command { command.AddCommand(newAWSCommand()) command.AddCommand(newGCPCommand()) + command.AddCommand(newAzureCommand()) return command } 
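Review bot: The help text for `--allowed-scm-providers` does not say what an entry is or how it is compared, and "(Default: Empty = all)" means a single-namespace install accepts any SCM endpoint unless the operator sets the flag. Since the SCMProvider and PullRequest generators receive `scmAuth` together with this list, I would spell the contract out, for example `"Comma-separated list of SCM provider API URLs the SCMProvider and PullRequest generators may contact. Empty allows any URL."`. The matching rule itself lives in the generators, outside this hunk, so the wording should be checked against it.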
diff --git a/cmd/argocd-k8s-auth/commands/azure.go b/cmd/argocd-k8s-auth/commands/azure.go new file mode 100644 index 0000000000000..bc45bbacef48b --- /dev/null +++ b/cmd/argocd-k8s-auth/commands/azure.go @@ -0,0 +1,43 @@ +package commands + +import ( + "os" + + "github.com/Azure/kubelogin/pkg/token" + "github.com/spf13/cobra" + + "github.com/argoproj/argo-cd/v2/util/errors" +) + +var ( + envServerApplicationID = "AAD_SERVER_APPLICATION_ID" + envEnvironmentName = "AAD_ENVIRONMENT_NAME" +) + +const ( + DEFAULT_AAD_SERVER_APPLICATION_ID = "6dae42f8-4368-4678-94ff-3960e28e3630" +) + +func newAzureCommand() *cobra.Command { + o := token.NewOptions() + //we'll use default of WorkloadIdentityLogin for the login flow + o.LoginMethod = token.WorkloadIdentityLogin + o.ServerID = DEFAULT_AAD_SERVER_APPLICATION_ID + var command = &cobra.Command{ + Use: "azure", + Run: func(c *cobra.Command, args []string) { + o.UpdateFromEnv() + if v, ok := os.LookupEnv(envServerApplicationID); ok { + o.ServerID = v + } + if v, ok := os.LookupEnv(envEnvironmentName); ok { + o.Environment = v + } + plugin, err := token.New(&o) + errors.CheckError(err) + err = plugin.Do() + errors.CheckError(err) + }, + } + return command +} diff --git a/cmd/argocd/commands/admin/settings_rbac.go b/cmd/argocd/commands/admin/settings_rbac.go index 6164aa910a6e4..8d94feeaad466 100644 --- a/cmd/argocd/commands/admin/settings_rbac.go +++ b/cmd/argocd/commands/admin/settings_rbac.go @@ -4,6 +4,7 @@ import ( "context" "fmt" "os" + "strings" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -373,6 +374,9 @@ func resolveRBACResourceName(name string) string { // isValidRBACAction checks whether a given action is a valid RBAC action func isValidRBACAction(action string) bool { + if strings.HasPrefix(action, rbacpolicy.ActionAction+"/") { + return true + } _, ok := validRBACActions[action] return ok } 
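Review bot: In the new `azure.go`, `envServerApplicationID` and `envEnvironmentName` are declared with `var` although they are fixed environment-variable names, and `DEFAULT_AAD_SERVER_APPLICATION_ID` is exported and written in upper snake case, which Go style avoids. I would fold all three into one `const` block and unexport the default, e.g. `defaultAADServerApplicationID`, with a comment such as `// defaultAADServerApplicationID is the ServerID used when AAD_SERVER_APPLICATION_ID is not set.` The command also has no `Short` text, so `--help` lists `azure` without a description.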
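Review bot: The prefix check added to `isValidRBACAction` accepts every string that begins with `action/`, including the bare `action/` and anything malformed after it, so the RBAC validation command will report such policy lines as valid. Requiring a non-empty remainder catches the obvious typo: `if strings.HasPrefix(action, rbacpolicy.ActionAction+"/") { return len(action) > len(rbacpolicy.ActionAction)+1 }`. The accompanying test covers only the well-formed `action/apps/Deployment/restart`; a case for `action/` would pin the stricter behaviour.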
diff --git a/cmd/argocd/commands/admin/settings_rbac_test.go b/cmd/argocd/commands/admin/settings_rbac_test.go index e53a5ed6da1f9..a4b4b437e114c 100644 --- a/cmd/argocd/commands/admin/settings_rbac_test.go +++ b/cmd/argocd/commands/admin/settings_rbac_test.go @@ -27,6 +27,11 @@ func Test_isValidRBACAction(t *testing.T) { }) } +func Test_isValidRBACAction_ActionAction(t *testing.T) { + ok := isValidRBACAction("action/apps/Deployment/restart") + assert.True(t, ok) +} + func Test_isValidRBACResource(t *testing.T) { for k := range validRBACResources { t.Run(k, func(t *testing.T) { diff --git a/cmd/argocd/commands/app.go b/cmd/argocd/commands/app.go index dec772b4472e7..d246ba6ee5952 100644 --- a/cmd/argocd/commands/app.go +++ b/cmd/argocd/commands/app.go @@ -846,9 +846,9 @@ func targetObjects(resources []*argoappv1.ResourceDiff) ([]*unstructured.Unstruc return objs, nil } -func getLocalObjects(ctx context.Context, app *argoappv1.Application, proj *argoappv1.AppProject, local, localRepoRoot, appLabelKey, kubeVersion string, apiVersions []string, kustomizeOptions *argoappv1.KustomizeOptions, +func getLocalObjects(ctx context.Context, app *argoappv1.Application, local, localRepoRoot, appLabelKey, kubeVersion string, apiVersions []string, kustomizeOptions *argoappv1.KustomizeOptions, trackingMethod string) []*unstructured.Unstructured { - manifestStrings := getLocalObjectsString(ctx, app, proj, local, localRepoRoot, appLabelKey, kubeVersion, apiVersions, kustomizeOptions, trackingMethod) + manifestStrings := getLocalObjectsString(ctx, app, local, localRepoRoot, appLabelKey, kubeVersion, apiVersions, kustomizeOptions, trackingMethod) objs := make([]*unstructured.Unstructured, len(manifestStrings)) for i := range manifestStrings { obj := unstructured.Unstructured{} 
@@ -859,21 +859,19 @@ func getLocalObjects(ctx context.Context, app *argoappv1.Application, proj *argo return objs } -func getLocalObjectsString(ctx context.Context, app *argoappv1.Application, proj *argoappv1.AppProject, local, localRepoRoot, appLabelKey, kubeVersion string, apiVersions []string, kustomizeOptions *argoappv1.KustomizeOptions, +func getLocalObjectsString(ctx context.Context, app *argoappv1.Application, local, localRepoRoot, appLabelKey, kubeVersion string, apiVersions []string, kustomizeOptions *argoappv1.KustomizeOptions, trackingMethod string) []string { source := app.Spec.GetSource() res, err := repository.GenerateManifests(ctx, local, localRepoRoot, source.TargetRevision, &repoapiclient.ManifestRequest{ - Repo: &argoappv1.Repository{Repo: source.RepoURL}, - AppLabelKey: appLabelKey, - AppName: app.Name, - Namespace: app.Spec.Destination.Namespace, - ApplicationSource: &source, - KustomizeOptions: kustomizeOptions, - KubeVersion: kubeVersion, - ApiVersions: apiVersions, - TrackingMethod: trackingMethod, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, + Repo: &argoappv1.Repository{Repo: source.RepoURL}, + AppLabelKey: appLabelKey, + AppName: app.Name, + Namespace: app.Spec.Destination.Namespace, + ApplicationSource: &source, + KustomizeOptions: kustomizeOptions, + KubeVersion: kubeVersion, + ApiVersions: apiVersions, + TrackingMethod: trackingMethod, }, true, &git.NoopCredsStore{}, resource.MustParse("0"), nil) errors.CheckError(err) @@ -991,8 +989,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co diffOption.cluster = cluster } } - proj := getProject(c, clientOpts, ctx, app.Spec.Project) - foundDiffs := findandPrintDiff(ctx, app, proj.Project, resources, argoSettings, diffOption) + foundDiffs := findandPrintDiff(ctx, app, resources, argoSettings, diffOption) if foundDiffs && exitCode { os.Exit(1) } 
@@ -1020,13 +1017,13 @@ type DifferenceOption struct { } // findandPrintDiff ... Prints difference between application current state and state stored in git or locally, returns boolean as true if difference is found else returns false -func findandPrintDiff(ctx context.Context, app *argoappv1.Application, proj *argoappv1.AppProject, resources *application.ManagedResourcesResponse, argoSettings *settings.Settings, diffOptions *DifferenceOption) bool { +func findandPrintDiff(ctx context.Context, app *argoappv1.Application, resources *application.ManagedResourcesResponse, argoSettings *settings.Settings, diffOptions *DifferenceOption) bool { var foundDiffs bool liveObjs, err := cmdutil.LiveObjects(resources.Items) errors.CheckError(err) items := make([]objKeyLiveTarget, 0) if diffOptions.local != "" { - localObjs := groupObjsByKey(getLocalObjects(ctx, app, proj, diffOptions.local, diffOptions.localRepoRoot, argoSettings.AppLabelKey, diffOptions.cluster.Info.ServerVersion, diffOptions.cluster.Info.APIVersions, argoSettings.KustomizeOptions, argoSettings.TrackingMethod), liveObjs, app.Spec.Destination.Namespace) + localObjs := groupObjsByKey(getLocalObjects(ctx, app, diffOptions.local, diffOptions.localRepoRoot, argoSettings.AppLabelKey, diffOptions.cluster.Info.ServerVersion, diffOptions.cluster.Info.APIVersions, argoSettings.KustomizeOptions, argoSettings.TrackingMethod), liveObjs, app.Spec.Destination.Namespace) items = groupObjsForDiff(resources, localObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace), app.Spec.Destination.Namespace) } else if diffOptions.revision != "" { var unstructureds []*unstructured.Unstructured 
@@ -1662,8 +1659,15 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co errors.CheckError(err) if app.Spec.HasMultipleSources() { - log.Fatal("argocd cli does not work on multi-source app") - return + if revision != "" { + log.Fatal("argocd cli does not work on multi-source app with --revision flag") + return + } + + if local != "" { + log.Fatal("argocd cli does not work on multi-source app with --local flag") + return + } } // filters out only those resources that needs to be synced @@ -1691,8 +1695,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co errors.CheckError(err) argoio.Close(conn) - proj := getProject(c, clientOpts, ctx, app.Spec.Project) - localObjsStrings = getLocalObjectsString(ctx, app, proj.Project, local, localRepoRoot, argoSettings.AppLabelKey, cluster.Info.ServerVersion, cluster.Info.APIVersions, argoSettings.KustomizeOptions, argoSettings.TrackingMethod) + localObjsStrings = getLocalObjectsString(ctx, app, local, localRepoRoot, argoSettings.AppLabelKey, cluster.Info.ServerVersion, cluster.Info.APIVersions, argoSettings.KustomizeOptions, argoSettings.TrackingMethod) errors.CheckError(err) diffOption.local = local diffOption.localRepoRoot = localRepoRoot @@ -1765,8 +1768,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co foundDiffs := false fmt.Printf("====== Previewing differences between live and desired state of application %s ======\n", appQualifiedName) - proj := getProject(c, clientOpts, ctx, app.Spec.Project) - foundDiffs = findandPrintDiff(ctx, app, proj.Project, resources, argoSettings, diffOption) + foundDiffs = findandPrintDiff(ctx, app, resources, argoSettings, diffOption) if foundDiffs { if !diffChangesConfirm { yesno := cli.AskToProceed(fmt.Sprintf("Please review changes to application %s shown above. Do you want to continue the sync process? (y/n): ", appQualifiedName)) 
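Review bot: Both `return` statements that follow `log.Fatal(...)` in the new multi-source check are dead code, because `log.Fatal` ends the process. Dropping them leaves two plain guards, `if revision != "" { log.Fatal(...) }` and `if local != "" { log.Fatal(...) }`, which read more directly. The enclosing command function starts and ends outside this hunk.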
@@ -2378,8 +2380,7 @@ func NewApplicationManifestsCommand(clientOpts *argocdclient.ClientOptions) *cob cluster, err := clusterIf.Get(context.Background(), &clusterpkg.ClusterQuery{Name: app.Spec.Destination.Name, Server: app.Spec.Destination.Server}) errors.CheckError(err) - proj := getProject(c, clientOpts, ctx, app.Spec.Project) - unstructureds = getLocalObjects(context.Background(), app, proj.Project, local, localRepoRoot, argoSettings.AppLabelKey, cluster.ServerVersion, cluster.Info.APIVersions, argoSettings.KustomizeOptions, argoSettings.TrackingMethod) + unstructureds = getLocalObjects(context.Background(), app, local, localRepoRoot, argoSettings.AppLabelKey, cluster.ServerVersion, cluster.Info.APIVersions, argoSettings.KustomizeOptions, argoSettings.TrackingMethod) } else if revision != "" { q := application.ApplicationManifestQuery{ Name: &appName, diff --git a/cmd/argocd/commands/project.go b/cmd/argocd/commands/project.go index 4f08665eb437b..fc7b6617c13b9 100644 --- a/cmd/argocd/commands/project.go +++ b/cmd/argocd/commands/project.go @@ -1,7 +1,6 @@ package commands import ( - "context" "encoding/json" "fmt" "io" @@ -819,7 +818,10 @@ func NewProjectGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command os.Exit(1) } projName := args[0] - detailedProject := getProject(c, clientOpts, ctx, projName) + conn, projIf := headless.NewClientOrDie(clientOpts, c).NewProjectClientOrDie() + defer argoio.Close(conn) + detailedProject, err := projIf.GetDetailedProject(ctx, &projectpkg.ProjectQuery{Name: projName}) + errors.CheckError(err) switch output { case "yaml", "json": 
@@ -836,14 +838,6 @@ func NewProjectGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command return command } -func getProject(c *cobra.Command, clientOpts *argocdclient.ClientOptions, ctx context.Context, projName string) *projectpkg.DetailedProjectsResponse { - conn, projIf := headless.NewClientOrDie(clientOpts, c).NewProjectClientOrDie() - defer argoio.Close(conn) - detailedProject, err := projIf.GetDetailedProject(ctx, &projectpkg.ProjectQuery{Name: projName}) - errors.CheckError(err) - return detailedProject -} - func NewProjectEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command { var command = &cobra.Command{ Use: "edit PROJECT", diff --git a/cmpserver/plugin/plugin.go b/cmpserver/plugin/plugin.go index ca67ccecf214a..f03b73f24dcf6 100644 --- a/cmpserver/plugin/plugin.go +++ b/cmpserver/plugin/plugin.go @@ -97,6 +97,14 @@ func runCommand(ctx context.Context, command Command, path string, env []string) <-ctx.Done() // Kill by group ID to make sure child processes are killed. The - tells `kill` that it's a group ID. // Since we didn't set Pgid in SysProcAttr, the group ID is the same as the process ID. https://pkg.go.dev/syscall#SysProcAttr + + // Sending a TERM signal first to allow any potential cleanup if needed, and then sending a KILL signal + _ = sysCallTerm(-cmd.Process.Pid) + + // modify cleanup timeout to allow process to cleanup + cleanupTimeout := 5 * time.Second + time.Sleep(cleanupTimeout) + _ = sysCallKill(-cmd.Process.Pid) }() diff --git a/cmpserver/plugin/plugin_test.go b/cmpserver/plugin/plugin_test.go index 936a38caba934..b253dc414cbdc 100644 --- a/cmpserver/plugin/plugin_test.go +++ b/cmpserver/plugin/plugin_test.go 
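Review bot: After `sysCallTerm`, the goroutine in `plugin.go` always sleeps the full `cleanupTimeout` and then sends SIGKILL to `-cmd.Process.Pid`, even when the process group has already exited. By then the ID may have been reassigned, so the KILL could land on an unrelated process group, and every cancelled command keeps a goroutine parked for five seconds. I would wait on whichever comes first, the command's exit or the timeout, and send the KILL only in the timeout case, for instance a `select` on a channel closed once `cmd.Wait()` returns and on `time.After(cleanupTimeout)`. The goroutine and the rest of `runCommand` start and end outside this hunk, so where that channel is closed has to be decided there. The timeout would also read better as a named package-level constant than as a local `5 * time.Second`.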
@@ -369,6 +369,28 @@ func TestRunCommandEmptyCommand(t *testing.T) { assert.ErrorContains(t, err, "Command is empty") } +// TestRunCommandContextTimeoutWithGracefulTermination makes sure that the process is given enough time to cleanup before sending SIGKILL. +func TestRunCommandContextTimeoutWithCleanup(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), 900*time.Millisecond) + defer cancel() + + // Use a subshell so there's a child command. + // This command sleeps for 4 seconds which is currently less than the 5 second delay between SIGTERM and SIGKILL signal and then exits successfully. + command := Command{ + Command: []string{"sh", "-c"}, + Args: []string{`(trap 'echo "cleanup completed"; exit' TERM; sleep 4)`}, + } + + before := time.Now() + output, err := runCommand(ctx, command, "", []string{}) + after := time.Now() + + assert.Error(t, err) // The command should time out, causing an error. + assert.Less(t, after.Sub(before), 1*time.Second) + // The command should still have completed the cleanup after termination. + assert.Contains(t, output, "cleanup completed") +} + func Test_getParametersAnnouncement_empty_command(t *testing.T) { staticYAML := ` - name: static-a diff --git a/cmpserver/plugin/plugin_unix.go b/cmpserver/plugin/plugin_unix.go index a9dc157bc7ef8..ea6b7b5493910 100644 --- a/cmpserver/plugin/plugin_unix.go +++ b/cmpserver/plugin/plugin_unix.go @@ -14,3 +14,7 @@ func newSysProcAttr(setpgid bool) *syscall.SysProcAttr { func sysCallKill(pid int) error { return syscall.Kill(pid, syscall.SIGKILL) } + +func sysCallTerm(pid int) error { + return syscall.Kill(pid, syscall.SIGTERM) +} diff --git a/controller/appcontroller.go b/controller/appcontroller.go index d6690e4c93e54..9f3e32ba0b6e6 100644 --- a/controller/appcontroller.go +++ b/controller/appcontroller.go 
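Review bot: The doc comment on the new test names `TestRunCommandContextTimeoutWithGracefulTermination`, but the function is `TestRunCommandContextTimeoutWithCleanup`; the comment should start with the real name. The inline comment also says the command "exits successfully" after its 4-second sleep, while the assertions expect an error and a return in under one second. I would reword it to `// sleep 4 is interrupted by SIGTERM; the trap prints "cleanup completed" before the shell exits.`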
@@ -364,12 +364,14 @@ func (ctrl *ApplicationController) handleObjectUpdated(managedByApp map[string]b namespace = "(cluster-scoped)" } log.WithFields(log.Fields{ - "application": appKey, - "level": level, - "namespace": namespace, - "name": ref.Name, - "api-version": ref.APIVersion, - "kind": ref.Kind, + "application": appKey, + "level": level, + "namespace": namespace, + "name": ref.Name, + "api-version": ref.APIVersion, + "kind": ref.Kind, + "server": app.Spec.Destination.Server, + "cluster-name": app.Spec.Destination.Name, }).Debug("Requesting app refresh caused by object update") ctrl.requestAppRefresh(app.QualifiedName(), &level, nil) 
@@ -1246,40 +1248,44 @@ func (ctrl *ApplicationController) processRequestedAppOperation(app *appv1.Appli } func (ctrl *ApplicationController) setOperationState(app *appv1.Application, state *appv1.OperationState) { - kube.RetryUntilSucceed(context.Background(), updateOperationStateTimeout, "Update application operation state", logutils.NewLogrusLogger(logutils.NewWithCurrentConfig()), func() error { - if state.Phase == "" { - // expose any bugs where we neglect to set phase - panic("no phase was set") - } - if state.Phase.Completed() { - now := metav1.Now() - state.FinishedAt = &now - } - patch := map[string]interface{}{ - "status": map[string]interface{}{ - "operationState": state, - }, - } - if state.Phase.Completed() { - // If operation is completed, clear the operation field to indicate no operation is - // in progress. - patch["operation"] = nil - } - if reflect.DeepEqual(app.Status.OperationState, state) { - log.Infof("No operation updates necessary to '%s'. Skipping patch", app.QualifiedName()) - return nil - } - patchJSON, err := json.Marshal(patch) + logCtx := log.WithFields(log.Fields{"application": app.Name, "appNamespace": app.Namespace, "project": app.Spec.Project}) + + if state.Phase == "" { + // expose any bugs where we neglect to set phase + panic("no phase was set") + } + if state.Phase.Completed() { + now := metav1.Now() + state.FinishedAt = &now + } + patch := map[string]interface{}{ + "status": map[string]interface{}{ + "operationState": state, + }, + } + if state.Phase.Completed() { + // If operation is completed, clear the operation field to indicate no operation is + // in progress. + patch["operation"] = nil + } + if reflect.DeepEqual(app.Status.OperationState, state) { + logCtx.Infof("No operation updates necessary to '%s'. 
Skipping patch", app.QualifiedName()) + return + } + patchJSON, err := json.Marshal(patch) + if err != nil { + logCtx.Errorf("error marshaling json: %v", err) + return + } + if app.Status.OperationState != nil && app.Status.OperationState.FinishedAt != nil && state.FinishedAt == nil { + patchJSON, err = jsonpatch.MergeMergePatches(patchJSON, []byte(`{"status": {"operationState": {"finishedAt": null}}}`)) if err != nil { - return fmt.Errorf("error marshaling json: %w", err) - } - if app.Status.OperationState != nil && app.Status.OperationState.FinishedAt != nil && state.FinishedAt == nil { - patchJSON, err = jsonpatch.MergeMergePatches(patchJSON, []byte(`{"status": {"operationState": {"finishedAt": null}}}`)) - if err != nil { - return fmt.Errorf("error merging operation state patch: %w", err) - } + logCtx.Errorf("error merging operation state patch: %v", err) + return } + } + kube.RetryUntilSucceed(context.Background(), updateOperationStateTimeout, "Update application operation state", logutils.NewLogrusLogger(logutils.NewWithCurrentConfig()), func() error { appClient := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace) _, err = appClient.Patch(context.Background(), app.Name, types.MergePatchType, patchJSON, metav1.PatchOptions{}) if err != nil { 
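Review bot: With `patchJSON, err := json.Marshal(patch)` moved out of the retry closure, the closure's `_, err = appClient.Patch(...)` now writes to the enclosing function's `err` rather than a variable of its own. Declaring it locally, `_, err := appClient.Patch(context.Background(), app.Name, types.MergePatchType, patchJSON, metav1.PatchOptions{})`, keeps each attempt's error scoped to that attempt. Separately, the marshal and merge failures are now only logged before `return`, so a caller cannot tell that the operation state was never written; a short comment stating that this is intentional would help the next reader. `setOperationState` continues in the following hunk.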
@@ -1287,32 +1293,36 @@ func (ctrl *ApplicationController) setOperationState(app *appv1.Application, sta if apierr.IsNotFound(err) { return nil } + // kube.RetryUntilSucceed logs failed attempts at "debug" level, but we want to know if this fails. Log a + // warning. + logCtx.Warnf("error patching application with operation state: %v", err) return fmt.Errorf("error patching application with operation state: %w", err) } - log.Infof("updated '%s' operation (phase: %s)", app.QualifiedName(), state.Phase) - if state.Phase.Completed() { - eventInfo := argo.EventInfo{Reason: argo.EventReasonOperationCompleted} - var messages []string - if state.Operation.Sync != nil && len(state.Operation.Sync.Resources) > 0 { - messages = []string{"Partial sync operation"} - } else { - messages = []string{"Sync operation"} - } - if state.SyncResult != nil { - messages = append(messages, "to", state.SyncResult.Revision) - } - if state.Phase.Successful() { - eventInfo.Type = v1.EventTypeNormal - messages = append(messages, "succeeded") - } else { - eventInfo.Type = v1.EventTypeWarning - messages = append(messages, "failed:", state.Message) - } - ctrl.auditLogger.LogAppEvent(app, eventInfo, strings.Join(messages, " "), "") - ctrl.metricsServer.IncSync(app, state) - } return nil }) + + logCtx.Infof("updated '%s' operation (phase: %s)", app.QualifiedName(), state.Phase) + if state.Phase.Completed() { + eventInfo := argo.EventInfo{Reason: argo.EventReasonOperationCompleted} + var messages []string + if state.Operation.Sync != nil && len(state.Operation.Sync.Resources) > 0 { + messages = []string{"Partial sync operation"} + } else { + messages = []string{"Sync operation"} + } + if state.SyncResult != nil { + messages = append(messages, "to", state.SyncResult.Revision) + } + if state.Phase.Successful() { + eventInfo.Type = v1.EventTypeNormal + messages = append(messages, "succeeded") + } else { + eventInfo.Type = v1.EventTypeWarning + messages = append(messages, "failed:", state.Message) + } + 
ctrl.auditLogger.LogAppEvent(app, eventInfo, strings.Join(messages, " "), "") + ctrl.metricsServer.IncSync(app, state) + } } func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext bool) { diff --git a/controller/appcontroller_test.go b/controller/appcontroller_test.go index 439fe233e7ce5..f43e1329680fa 100644 --- a/controller/appcontroller_test.go +++ b/controller/appcontroller_test.go @@ -3,9 +3,11 @@ package controller import ( "context" "encoding/json" + "errors" "testing" "time" + "github.com/sirupsen/logrus" "k8s.io/apimachinery/pkg/api/resource" clustercache "github.com/argoproj/gitops-engine/pkg/cache" @@ -926,6 +928,41 @@ func TestSetOperationStateOnDeletedApp(t *testing.T) { assert.True(t, patched) } +type logHook struct { + entries []logrus.Entry +} + +func (h *logHook) Levels() []logrus.Level { + return []logrus.Level{logrus.WarnLevel} +} + +func (h *logHook) Fire(entry *logrus.Entry) error { + h.entries = append(h.entries, *entry) + return nil +} + +func TestSetOperationStateLogRetries(t *testing.T) { + hook := logHook{} + logrus.AddHook(&hook) + t.Cleanup(func() { + logrus.StandardLogger().ReplaceHooks(logrus.LevelHooks{}) + }) + ctrl := newFakeController(&fakeData{apps: []runtime.Object{}}) + fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset) + fakeAppCs.ReactionChain = nil + patched := false + fakeAppCs.AddReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) { + if !patched { + patched = true + return true, nil, errors.New("fake error") + } + return true, nil, nil + }) + ctrl.setOperationState(newFakeApp(), &v1alpha1.OperationState{Phase: synccommon.OperationSucceeded}) + assert.True(t, patched) + assert.Contains(t, hook.entries[0].Message, "fake error") +} + func TestNeedRefreshAppStatus(t *testing.T) { testCases := []struct { name string 
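Review bot: When the patch fails with NotFound the closure returns nil, and the code moved below `kube.RetryUntilSucceed` then logs `updated '%s' operation`, writes the audit event and calls `IncSync` although nothing was patched; before the move, that early return skipped all three. If that is not intended, record it in the closure and bail out afterwards: declare `appMissing := false`, set `appMissing = true` ahead of the NotFound `return nil`, and add `if appMissing { return }` after the retry call. If the audit record is wanted for a deleted application, a comment at the NotFound branch should say so, since the log line would still claim an update.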
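Review bot: TestSetOperationStateLogRetries indexes `hook.entries[0]` without checking that any warning was captured, so a regression that stops the warning shows up as an index-out-of-range panic rather than a failed assertion. Guarding it, `if assert.NotEmpty(t, hook.entries) { assert.Contains(t, hook.entries[0].Message, "fake error") }`, gives a readable failure. The cleanup's `ReplaceHooks(logrus.LevelHooks{})` also removes every hook on the standard logger, not only the one this test added, which can affect other tests in the package that register hooks.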
@@ -950,7 +987,8 @@ func TestNeedRefreshAppStatus(t *testing.T) { app.Status.Sync = v1alpha1.SyncStatus{ Status: v1alpha1.SyncStatusCodeSynced, ComparedTo: v1alpha1.ComparedTo{ - Destination: app.Spec.Destination, + Destination: app.Spec.Destination, + IgnoreDifferences: app.Spec.IgnoreDifferences, }, } @@ -1019,7 +1057,8 @@ func TestNeedRefreshAppStatus(t *testing.T) { app.Status.Sync = v1alpha1.SyncStatus{ Status: v1alpha1.SyncStatusCodeSynced, ComparedTo: v1alpha1.ComparedTo{ - Destination: app.Spec.Destination, + Destination: app.Spec.Destination, + IgnoreDifferences: app.Spec.IgnoreDifferences, }, } if app.Spec.HasMultipleSources() { @@ -1214,7 +1253,7 @@ func TestUpdateReconciledAt(t *testing.T) { app := newFakeApp() reconciledAt := metav1.NewTime(time.Now().Add(-1 * time.Second)) app.Status = v1alpha1.ApplicationStatus{ReconciledAt: &reconciledAt} - app.Status.Sync = v1alpha1.SyncStatus{ComparedTo: v1alpha1.ComparedTo{Source: app.Spec.GetSource(), Destination: app.Spec.Destination}} + app.Status.Sync = v1alpha1.SyncStatus{ComparedTo: v1alpha1.ComparedTo{Source: app.Spec.GetSource(), Destination: app.Spec.Destination, IgnoreDifferences: app.Spec.IgnoreDifferences}} ctrl := newFakeController(&fakeData{ apps: []runtime.Object{app, &defaultProj}, manifestResponse: &apiclient.ManifestResponse{ diff --git a/controller/cache/cache.go b/controller/cache/cache.go index 8623130f36dfa..ef0ce1f4fcf76 100644 --- a/controller/cache/cache.go +++ b/controller/cache/cache.go 
@@ -620,7 +620,7 @@ func (c *liveStateCache) GetNamespaceTopLevelResources(server string, namespace func (c *liveStateCache) GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error) { clusterInfo, err := c.getSyncedCluster(a.Spec.Destination.Server) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to get cluster info for %q: %w", a.Spec.Destination.Server, err) } return clusterInfo.GetManagedLiveObjs(targetObjs, func(r *clustercache.Resource) bool { return resInfo(r).AppName == a.InstanceName(c.settingsMgr.GetNamespace()) @@ -630,7 +630,7 @@ func (c *liveStateCache) GetManagedLiveObjs(a *appv1.Application, targetObjs []* func (c *liveStateCache) GetVersionsInfo(serverURL string) (string, []kube.APIResourceInfo, error) { clusterInfo, err := c.getSyncedCluster(serverURL) if err != nil { - return "", nil, err + return "", nil, fmt.Errorf("failed to get cluster info for %q: %w", serverURL, err) } return clusterInfo.GetServerVersion(), clusterInfo.GetAPIResources(), nil } @@ -775,12 +775,14 @@ func (c *liveStateCache) handleModEvent(oldCluster *appv1.Cluster, newCluster *a } func (c *liveStateCache) handleDeleteEvent(clusterServer string) { - c.lock.Lock() - defer c.lock.Unlock() + c.lock.RLock() cluster, ok := c.clusters[clusterServer] + c.lock.RUnlock() if ok { cluster.Invalidate() + c.lock.Lock() delete(c.clusters, clusterServer) + c.lock.Unlock() } } diff --git a/controller/cache/cache_test.go b/controller/cache/cache_test.go index 3549f03f6e0ea..de2d96eb7aa28 100644 --- a/controller/cache/cache_test.go +++ b/controller/cache/cache_test.go @@ -1,13 +1,16 @@ package cache import ( + "context" "errors" "net" "net/url" + "sync" "testing" + "time" "github.com/stretchr/testify/assert" - "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" apierr "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" 
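Review bot: In handleDeleteEvent nothing holds the cache lock between `c.lock.RUnlock()` and the later `c.lock.Lock()`, so the lookup and the `delete` are no longer one atomic step. If an add or update for the same server runs in that window (those handlers are outside this hunk), the unconditional delete would drop the entry it just stored. Re-checking under the write lock closes the gap: `if c.clusters[clusterServer] == cluster { delete(c.clusters, clusterServer) }`, assuming the cache implementations are pointer types and therefore comparable. A short comment explaining that `Invalidate()` must run without the lock held would also keep a later change from reintroducing the deadlock.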
@@ -16,8 +19,10 @@ import ( "github.com/argoproj/gitops-engine/pkg/cache/mocks" "github.com/argoproj/gitops-engine/pkg/health" "github.com/stretchr/testify/mock" + "k8s.io/client-go/kubernetes/fake" appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" + argosettings "github.com/argoproj/argo-cd/v2/util/settings" ) type netError string 
@@ -108,6 +113,98 @@ func TestHandleAddEvent_ClusterExcluded(t *testing.T) { assert.Len(t, clustersCache.clusters, 0) } +func TestHandleDeleteEvent_CacheDeadlock(t *testing.T) { + testCluster := &appv1.Cluster{ + Server: "https://mycluster", + Config: appv1.ClusterConfig{Username: "bar"}, + } + fakeClient := fake.NewSimpleClientset() + settingsMgr := argosettings.NewSettingsManager(context.TODO(), fakeClient, "argocd") + externalLockRef := sync.RWMutex{} + gitopsEngineClusterCache := &mocks.ClusterCache{} + clustersCache := liveStateCache{ + clusters: map[string]cache.ClusterCache{ + testCluster.Server: gitopsEngineClusterCache, + }, + clusterFilter: func(cluster *appv1.Cluster) bool { + return true + }, + settingsMgr: settingsMgr, + // Set the lock here so we can reference it later + // nolint We need to overwrite here to have access to the lock + lock: externalLockRef, + } + channel := make(chan string) + // Mocked lock held by the gitops-engine cluster cache + mockMutex := sync.RWMutex{} + // Locks to force trigger condition during test + // Condition order: + // EnsuredSynced -> Locks gitops-engine + // handleDeleteEvent -> Locks liveStateCache + // EnsureSynced via sync, newResource, populateResourceInfoHandler -> attempts to Lock liveStateCache + // handleDeleteEvent via cluster.Invalidate -> attempts to Lock gitops-engine + handleDeleteWasCalled := sync.Mutex{} + engineHoldsLock := sync.Mutex{} + handleDeleteWasCalled.Lock() + engineHoldsLock.Lock() + gitopsEngineClusterCache.On("EnsureSynced").Run(func(args mock.Arguments) { + // Held by EnsureSync calling into sync and watchEvents + mockMutex.Lock() + defer mockMutex.Unlock() + // Continue Execution of timer func + engineHoldsLock.Unlock() + // Wait for handleDeleteEvent to be called triggering the lock + // on the liveStateCache + handleDeleteWasCalled.Lock() + t.Logf("handleDelete was called, EnsureSynced continuing...") + handleDeleteWasCalled.Unlock() + // Try and obtain the lock on the liveStateCache 
+ alreadyFailed := !externalLockRef.TryLock() + if alreadyFailed { + channel <- "DEADLOCKED -- EnsureSynced could not obtain lock on liveStateCache" + return + } + externalLockRef.Lock() + t.Logf("EnsureSynce was able to lock liveStateCache") + externalLockRef.Unlock() + }).Return(nil).Once() + gitopsEngineClusterCache.On("Invalidate").Run(func(args mock.Arguments) { + // If deadlock is fixed should be able to acquire lock here + alreadyFailed := !mockMutex.TryLock() + if alreadyFailed { + channel <- "DEADLOCKED -- Invalidate could not obtain lock on gitops-engine" + return + } + mockMutex.Lock() + t.Logf("Invalidate was able to lock gitops-engine cache") + mockMutex.Unlock() + }).Return() + go func() { + // Start the gitops-engine lock holds + go func() { + err := gitopsEngineClusterCache.EnsureSynced() + if err != nil { + assert.Fail(t, err.Error()) + } + }() + // Wait for EnsureSynced to grab the lock for gitops-engine + engineHoldsLock.Lock() + t.Log("EnsureSynced has obtained lock on gitops-engine") + engineHoldsLock.Unlock() + // Run in background + go clustersCache.handleDeleteEvent(testCluster.Server) + // Allow execution to continue on clusters cache call to trigger lock + handleDeleteWasCalled.Unlock() + channel <- "PASSED" + }() + select { + case str := <-channel: + assert.Equal(t, "PASSED", str, str) + case <-time.After(5 * time.Second): + assert.Fail(t, "Ended up in deadlock") + } +} + func TestIsRetryableError(t *testing.T) { var ( tlsHandshakeTimeoutErr net.Error = netError("net/http: TLS handshake timeout") diff --git a/controller/metrics/metrics.go b/controller/metrics/metrics.go index 3cd9837ff7036..3cfb16a249339 100644 --- a/controller/metrics/metrics.go +++ b/controller/metrics/metrics.go 
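Review bot: `lock: externalLockRef` copies the `sync.RWMutex` into the struct, so the `externalLockRef.TryLock()` in the EnsureSynced mock checks a different mutex from the one handleDeleteEvent locks and can never see contention; the `nolint` marker hides the copy warning that points at this. Taking the address after construction, `externalLockRef := &clustersCache.lock`, and dropping the field initialiser makes the check exercise the real lock. Separately, `channel <- "PASSED"` is sent right after `go clustersCache.handleDeleteEvent(testCluster.Server)` without waiting for it, so the test can report success before either mock has run, and a later send on the unbuffered channel leaves a goroutine blocked.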
@@ -56,7 +56,7 @@ var ( descAppInfo = prometheus.NewDesc( "argocd_app_info", "Information about application.", - append(descAppDefaultLabels, "repo", "dest_server", "dest_namespace", "sync_status", "health_status", "operation"), + append(descAppDefaultLabels, "autosync_enabled", "repo", "dest_server", "dest_namespace", "sync_status", "health_status", "operation"), nil, ) // DEPRECATED @@ -381,7 +381,9 @@ func (c *appCollector) collectApps(ch chan<- prometheus.Metric, app *argoappv1.A healthStatus = health.HealthStatusUnknown } - addGauge(descAppInfo, 1, git.NormalizeGitURL(app.Spec.GetSource().RepoURL), app.Spec.Destination.Server, app.Spec.Destination.Namespace, string(syncStatus), string(healthStatus), operation) + autoSyncEnabled := app.Spec.SyncPolicy != nil && app.Spec.SyncPolicy.Automated != nil + + addGauge(descAppInfo, 1, strconv.FormatBool(autoSyncEnabled), git.NormalizeGitURL(app.Spec.GetSource().RepoURL), app.Spec.Destination.Server, app.Spec.Destination.Namespace, string(syncStatus), string(healthStatus), operation) if len(c.appLabels) > 0 { labelValues := []string{} diff --git a/controller/metrics/metrics_test.go b/controller/metrics/metrics_test.go index 00309fb0944a7..61a99a46492a2 100644 --- a/controller/metrics/metrics_test.go +++ b/controller/metrics/metrics_test.go @@ -66,6 +66,10 @@ spec: source: path: some/path repoURL: https://github.com/argoproj/argocd-example-apps.git + syncPolicy: + automated: + selfHeal: false + prune: true status: sync: status: Synced @@ -97,6 +101,10 @@ spec: source: path: some/path repoURL: https://github.com/argoproj/argocd-example-apps.git + syncPolicy: + automated: + selfHeal: true + prune: false status: sync: status: OutOfSync 
@@ -227,9 +235,9 @@ func TestMetrics(t *testing.T) { responseContains: ` # HELP argocd_app_info Information about application. # TYPE argocd_app_info gauge -argocd_app_info{dest_namespace="dummy-namespace",dest_server="https://localhost:6443",health_status="Degraded",name="my-app-3",namespace="argocd",operation="delete",project="important-project",repo="https://github.com/argoproj/argocd-example-apps",sync_status="OutOfSync"} 1 -argocd_app_info{dest_namespace="dummy-namespace",dest_server="https://localhost:6443",health_status="Healthy",name="my-app",namespace="argocd",operation="",project="important-project",repo="https://github.com/argoproj/argocd-example-apps",sync_status="Synced"} 1 -argocd_app_info{dest_namespace="dummy-namespace",dest_server="https://localhost:6443",health_status="Healthy",name="my-app-2",namespace="argocd",operation="sync",project="important-project",repo="https://github.com/argoproj/argocd-example-apps",sync_status="Synced"} 1 +argocd_app_info{autosync_enabled="true",dest_namespace="dummy-namespace",dest_server="https://localhost:6443",health_status="Degraded",name="my-app-3",namespace="argocd",operation="delete",project="important-project",repo="https://github.com/argoproj/argocd-example-apps",sync_status="OutOfSync"} 1 +argocd_app_info{autosync_enabled="false",dest_namespace="dummy-namespace",dest_server="https://localhost:6443",health_status="Healthy",name="my-app",namespace="argocd",operation="",project="important-project",repo="https://github.com/argoproj/argocd-example-apps",sync_status="Synced"} 1 +argocd_app_info{autosync_enabled="true",dest_namespace="dummy-namespace",dest_server="https://localhost:6443",health_status="Healthy",name="my-app-2",namespace="argocd",operation="sync",project="important-project",repo="https://github.com/argoproj/argocd-example-apps",sync_status="Synced"} 1 `, }, { 
@@ -237,7 +245,7 @@ argocd_app_info{dest_namespace="dummy-namespace",dest_server="https://localhost: responseContains: ` # HELP argocd_app_info Information about application. # TYPE argocd_app_info gauge -argocd_app_info{dest_namespace="dummy-namespace",dest_server="https://localhost:6443",health_status="Healthy",name="my-app",namespace="argocd",operation="",project="default",repo="https://github.com/argoproj/argocd-example-apps",sync_status="Synced"} 1 +argocd_app_info{autosync_enabled="false",dest_namespace="dummy-namespace",dest_server="https://localhost:6443",health_status="Healthy",name="my-app",namespace="argocd",operation="",project="default",repo="https://github.com/argoproj/argocd-example-apps",sync_status="Synced"} 1 `, }, } diff --git a/controller/state.go b/controller/state.go index 9e6bdf9e44d09..a2765f249bc82 100644 --- a/controller/state.go +++ b/controller/state.go 
@@ -111,47 +111,47 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, sources []v1alp ts := stats.NewTimingStats() helmRepos, err := m.db.ListHelmRepositories(context.Background()) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to list Helm repositories: %w", err) } permittedHelmRepos, err := argo.GetPermittedRepos(proj, helmRepos) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get permitted Helm repositories for project %q: %w", proj.Name, err) } ts.AddCheckpoint("repo_ms") helmRepositoryCredentials, err := m.db.GetAllHelmRepositoryCredentials(context.Background()) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get Helm credentials: %w", err) } permittedHelmCredentials, err := argo.GetPermittedReposCredentials(proj, helmRepositoryCredentials) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get permitted Helm credentials for project %q: %w", proj.Name, err) } enabledSourceTypes, err := m.settingsMgr.GetEnabledSourceTypes() if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get enabled source types: %w", err) } ts.AddCheckpoint("plugins_ms") kustomizeSettings, err := m.settingsMgr.GetKustomizeSettings() if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get Kustomize settings: %w", err) } helmOptions, err := m.settingsMgr.GetHelmSettings() if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get Helm settings: %w", err) } ts.AddCheckpoint("build_options_ms") serverVersion, apiResources, err := m.liveStateCache.GetVersionsInfo(app.Spec.Destination.Server) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get cluster version for cluster %q: %w", app.Spec.Destination.Server, err) } conn, repoClient, err := m.repoClientset.NewRepoServerClient() if err != nil { - return nil, nil, err + return nil, nil, 
fmt.Errorf("failed to connect to repo server: %w", err) } defer io.Close(conn) @@ -171,11 +171,11 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, sources []v1alp ts.AddCheckpoint("helm_ms") repo, err := m.db.GetRepository(context.Background(), source.RepoURL) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get repo %q: %w", source.RepoURL, err) } kustomizeOptions, err := kustomizeSettings.GetOptions(source) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to get Kustomize options for source %d of %d: %w", i+1, len(sources), err) } ts.AddCheckpoint("version_ms") @@ -200,17 +200,15 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, sources []v1alp HelmOptions: helmOptions, HasMultipleSources: app.Spec.HasMultipleSources(), RefSources: refSources, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, }) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to generate manifest for source %d of %d: %w", i+1, len(sources), err) } targetObj, err := unmarshalManifests(manifestInfo.Manifests) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to unmarshal manifests for source %d of %d: %w", i+1, len(sources), err) } targetObjs = append(targetObjs, targetObj...) @@ -351,7 +349,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 if hasMultipleSources { return &comparisonResult{ syncStatus: &v1alpha1.SyncStatus{ - ComparedTo: v1alpha1.ComparedTo{Destination: app.Spec.Destination, Sources: sources}, + ComparedTo: v1alpha1.ComparedTo{Destination: app.Spec.Destination, Sources: sources, IgnoreDifferences: app.Spec.IgnoreDifferences}, Status: v1alpha1.SyncStatusCodeUnknown, Revisions: revisions, }, 
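Review bot: The manifest request built in getRepoObjs no longer carries `ProjectName` or `ProjectSourceRepos`, and nothing in this hunk shows where the project's source-repository restriction is applied instead. If the repo server relied on those fields to decide which repositories a source or its `RefSources` may reference (not visible from here), that check now has no input. A comment above the request naming the place where the restriction is enforced would make the removal reviewable. The function body starts and ends outside the hunk.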
@@ -360,7 +358,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 } else { return &comparisonResult{ syncStatus: &v1alpha1.SyncStatus{ - ComparedTo: v1alpha1.ComparedTo{Source: sources[0], Destination: app.Spec.Destination}, + ComparedTo: v1alpha1.ComparedTo{Source: sources[0], Destination: app.Spec.Destination, IgnoreDifferences: app.Spec.IgnoreDifferences}, Status: v1alpha1.SyncStatusCodeUnknown, Revision: revisions[0], }, @@ -400,7 +398,8 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 targetObjs, manifestInfos, err = m.getRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project) if err != nil { targetObjs = make([]*unstructured.Unstructured, 0) - conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now}) + msg := fmt.Sprintf("Failed to load target state: %s", err.Error()) + conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now}) failedToLoadObjs = true } } else { @@ -415,7 +414,8 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 targetObjs, err = unmarshalManifests(localManifests) if err != nil { targetObjs = make([]*unstructured.Unstructured, 0) - conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now}) + msg := fmt.Sprintf("Failed to load local manifests: %s", err.Error()) + conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now}) failedToLoadObjs = true } } 
@@ -431,7 +431,8 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 } targetObjs, dedupConditions, err := DeduplicateTargetObjects(app.Spec.Destination.Namespace, targetObjs, infoProvider) if err != nil { - conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now}) + msg := fmt.Sprintf("Failed to deduplicate target state: %s", err.Error()) + conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now}) } conditions = append(conditions, dedupConditions...) for i := len(targetObjs) - 1; i >= 0; i-- { @@ -451,7 +452,8 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 liveObjByKey, err := m.liveStateCache.GetManagedLiveObjs(app, targetObjs) if err != nil { liveObjByKey = make(map[kubeutil.ResourceKey]*unstructured.Unstructured) - conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now}) + msg := fmt.Sprintf("Failed to load live state: %s", err.Error()) + conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now}) failedToLoadObjs = true } 
@@ -460,11 +462,16 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 // filter out all resources which are not permitted in the application project for k, v := range liveObjByKey { permitted, err := project.IsLiveResourcePermitted(v, app.Spec.Destination.Server, app.Spec.Destination.Name, func(project string) ([]*v1alpha1.Cluster, error) { - return m.db.GetProjectClusters(context.TODO(), project) + clusters, err := m.db.GetProjectClusters(context.TODO(), project) + if err != nil { + return nil, fmt.Errorf("failed to get clusters for project %q: %v", project, err) + } + return clusters, nil }) if err != nil { - conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now}) + msg := fmt.Sprintf("Failed to check if live resource %q is permitted in project %q: %s", k.String(), app.Spec.Project, err.Error()) + conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now}) failedToLoadObjs = true continue } 
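Review bot: The new callback wraps the lookup failure with `%v`, while every other wrapper added in this file uses `%w`, so `errors.Is` and `errors.As` stop working on this one path. For consistency it should read `return nil, fmt.Errorf("failed to get clusters for project %q: %w", project, err)`. The enclosing loop in CompareAppState starts and ends outside the hunk.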
@@ -506,7 +513,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 // restore comparison using cached diff result if previous comparison was performed for the same revision revisionChanged := len(manifestInfos) != len(sources) || !reflect.DeepEqual(app.Status.Sync.Revisions, manifestRevisions) - specChanged := !reflect.DeepEqual(app.Status.Sync.ComparedTo, v1alpha1.ComparedTo{Source: app.Spec.GetSource(), Destination: app.Spec.Destination, Sources: sources}) + specChanged := !reflect.DeepEqual(app.Status.Sync.ComparedTo, v1alpha1.ComparedTo{Source: app.Spec.GetSource(), Destination: app.Spec.Destination, Sources: sources, IgnoreDifferences: app.Spec.IgnoreDifferences}) _, refreshRequested := app.IsRefreshRequested() noCache = noCache || refreshRequested || app.Status.Expired(m.statusRefreshTimeout) || specChanged || revisionChanged @@ -541,7 +548,8 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 if err != nil { diffResults = &diff.DiffResultList{} failedToLoadObjs = true - conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now}) + msg := fmt.Sprintf("Failed to compare desired state to live state: %s", err.Error()) + conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now}) } ts.AddCheckpoint("diff_ms") @@ -647,8 +655,9 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 if hasMultipleSources { syncStatus = v1alpha1.SyncStatus{ ComparedTo: v1alpha1.ComparedTo{ - Destination: app.Spec.Destination, - Sources: sources, + Destination: app.Spec.Destination, + Sources: sources, + IgnoreDifferences: app.Spec.IgnoreDifferences, }, Status: syncCode, Revisions: manifestRevisions, 
@@ -656,8 +665,9 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 } else { syncStatus = v1alpha1.SyncStatus{ ComparedTo: v1alpha1.ComparedTo{ - Destination: app.Spec.Destination, - Source: app.Spec.GetSource(), + Destination: app.Spec.Destination, + Source: app.Spec.GetSource(), + IgnoreDifferences: app.Spec.IgnoreDifferences, }, Status: syncCode, Revision: revision, diff --git a/docs/developer-guide/api-docs.md b/docs/developer-guide/api-docs.md index 7b4b44bf9269e..289e4d466652e 100644 --- a/docs/developer-guide/api-docs.md +++ b/docs/developer-guide/api-docs.md @@ -1,6 +1,6 @@ # API Docs -You can find the Swagger docs by setting the path to `/swagger-ui` in your Argo CD UI's. E.g. [http://localhost:8080/swagger-ui](http://localhost:8080/swagger-ui). +You can find the Swagger docs by setting the path to `/swagger-ui` in your Argo CD UI. E.g. [http://localhost:8080/swagger-ui](http://localhost:8080/swagger-ui). ## Authorization @@ -17,4 +17,17 @@ Then pass using the HTTP `Authorization` header, prefixing with `Bearer `: $ curl $ARGOCD_SERVER/api/v1/applications -H "Authorization: Bearer $ARGOCD_TOKEN" {"metadata":{"selfLink":"/apis/argoproj.io/v1alpha1/namespaces/argocd/applications","resourceVersion":"37755"},"items":...} ``` - + +## Services + +### Applications API + +#### How to Avoid 403 Errors for Missing Applications + +All endpoints of the Applications API accept an optional `project` query string parameter. If the parameter is +specified, and the specified Application does not exist, or if the Application does exist but is not in the given +project, the API will return a `404` error. + +If the `project` query string parameter is specified, and the Application does not exist, the API will return a `403` +error. This is to prevent leaking information about the existence of Applications to users who do not have access to +them. 
diff --git a/docs/developer-guide/extensions/proxy-extensions.md b/docs/developer-guide/extensions/proxy-extensions.md index 4ab80006d2613..8074537170811 100644 --- a/docs/developer-guide/extensions/proxy-extensions.md +++ b/docs/developer-guide/extensions/proxy-extensions.md @@ -52,6 +52,9 @@ data: maxIdleConnections: 30 services: - url: http://httpbin.org + headers: + - name: some-header + value: '$some.argocd.secret.key' cluster: name: some-cluster server: https://some-cluster @@ -111,6 +114,34 @@ Defines a list with backend url by cluster. Is the address where the extension backend must be available. +#### `extensions.backend.services.headers` (*list*) + +If provided, the headers list will be added on all outgoing requests +for this service config. Existing headers in the incoming request with +the same name will be overriden by the one in this list. Reserved header +names will be ignored (see the [headers](#incoming-request-headers) below). + +#### `extensions.backend.services.headers.name` (*string*) +(mandatory) + +Defines the name of the header. It is a mandatory field if a header is +provided. + +#### `extensions.backend.services.headers.value` (*string*) +(mandatory) + +Defines the value of the header. It is a mandatory field if a header is +provided. The value can be provided as verbatim or as a reference to an +Argo CD secret key. In order to provide it as a reference, it is +necessary to prefix it with a dollar sign. + +Example: + + value: '$some.argocd.secret.key' + +In the example above, the value will be replaced with the one from +the argocd-secret with key 'some.argocd.secret.key'. + #### `extensions.backend.services.cluster` (*object*) (optional) 
@@ -166,14 +197,14 @@ configuration: └─────────────────┘ ``` -### Headers +### Incoming Request Headers Note that Argo CD API Server requires additional HTTP headers to be sent in order to enforce if the incoming request is authenticated and authorized before being proxied to the backend service. The headers are documented below: -#### `Cookie` (*mandatory*) +#### `Cookie` Argo CD UI keeps the authentication token stored in a cookie (`argocd.token`). This value needs to be sent in the `Cookie` header @@ -212,6 +243,25 @@ same headers are also sent to the backend service. The backend service must also validate if the validated headers are compatible with the rest of the incoming request. +### Outgoing Requests Headers + +Requests sent to backend services will be decorated with additional +headers. The outgoing request headers are documented below: + +#### `Argocd-Target-Cluster-Name` + +Will be populated with the value from `app.Spec.Destination.Name` if +it is not empty string in the application resource. + +#### `Argocd-Target-Cluster-URL` + +Will be populated with the value from `app.Spec.Destination.Server` if +it is not empty string is the Application resource. + +Note that additional pre-configured headers can be added to outgoing +request. See [backend service headers](#extensionsbackendservicesheaders-list) +section for more details. + ### Multi Backend Use-Case In some cases when Argo CD is configured to sync with multiple remote 
@@ -256,6 +306,28 @@ is then sanitized before being sent to the backend service. The request sanitization will remove sensitive information from the request like the `Cookie` and `Authorization` headers. +A new `Authorization` header can be added to the outgoing request by +defining it as a header in the `extensions.backend.services.headers` +configuration. Consider the following example: + +```yaml +extension.config: | + extensions: + - name: some-extension + backend: + services: + - url: http://extension-name.com:8080 + headers: + - name: Authorization + value: '$some-extension.authorization.header' +``` + +In the example above, all requests sent to +`http://extension-name.com:8080` will have an additional +`Authorization` header. The value of this header will be the one from +the [argocd-secret](../../operator-manual/argocd-secret-yaml.md) with +key `some-extension.authorization.header` + [1]: https://github.com/argoproj/argoproj/blob/master/community/feature-status.md [2]: https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cm.yaml [3]: ../../operator-manual/rbac.md#the-extensions-resource diff --git a/docs/operator-manual/application.yaml b/docs/operator-manual/application.yaml index 26baa8e9e1771..076e348f30801 100644 --- a/docs/operator-manual/application.yaml +++ b/docs/operator-manual/application.yaml 
@@ -188,6 +188,7 @@ spec: - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster. - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan. - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation + - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration managedNamespaceMetadata: # Sets the metadata for the application namespace. Only valid if CreateNamespace=true (see above), otherwise it's a no-op. labels: # The labels to set on the application namespace any: label @@ -206,7 +207,7 @@ spec: maxDuration: 3m # the maximum amount of time allowed for the backoff strategy # Will ignore differences between live and desired states during the diff. Note that these configurations are not - # used during the sync process. + # used during the sync process unless the `RespectIgnoreDifferences=true` sync option is enabled. ignoreDifferences: # for the specified json pointers - group: apps @@ -218,6 +219,9 @@ spec: kind: "*" managedFieldsManagers: - kube-controller-manager + # Name and namespace are optional. If specified, they must match exactly, these are not glob patterns. + name: my-deployment + namespace: my-namespace # RevisionHistoryLimit limits the number of items kept in the application's revision history, which is used for # informational purposes as well as for rollbacks to previous versions. This should only be changed in exceptional diff --git a/docs/operator-manual/applicationset/Appset-Any-Namespace.md b/docs/operator-manual/applicationset/Appset-Any-Namespace.md index adf694f655f13..494b36dbdcf36 100644 --- a/docs/operator-manual/applicationset/Appset-Any-Namespace.md +++ b/docs/operator-manual/applicationset/Appset-Any-Namespace.md 
@@ -23,7 +23,48 @@ This feature needs [App in any namespace](../app-any-namespace.md) feature activ This feature can only be enabled and used when your Argo CD ApplicationSet controller is installed as a cluster-wide instance, so it has permissions to list and manipulate resources on a cluster scope. It will *not* work with an Argo CD installed in namespace-scoped mode. -## Implementation details +### SCM Providers secrets consideration + +By allowing ApplicationSet in any namespace you must be aware that any secrets can be exfiltrated using `scmProvider` or `pullRequest` generators. + +Here is an example: + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: myapps +spec: + generators: + - scmProvider: + gitea: + # The Gitea owner to scan. + owner: myorg + # With this malicious setting, user can send all request to a Pod that will log incoming requests including headers with tokens + api: http://my-service.my-namespace.svc.cluster.local + # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false. + allBranches: true + # By changing this token reference, user can exfiltrate any secrets + tokenRef: + secretName: gitea-token + key: token + template: +``` + +Therefore administrator must restrict the urls of the allowed SCM Providers (example: `https://git.mydomain.com/,https://gitlab.mydomain.com/`) by setting the environment variable `ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS` to argocd-cmd-params-cm `applicationsetcontroller.allowed.scm.providers`. If another url is used, it will be rejected by the applicationset controller. 
+ + +For example: +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cmd-params-cm +data: + applicationsetcontroller.allowed.scm.providers: https://git.mydomain.com/,https://gitlab.mydomain.com/ +``` + +> Please note url used in the `api` field of the `ApplicationSet` must match the url declared by the Administrator including the protocol ### Overview @@ -163,9 +204,9 @@ For other operations such as `POST` and `PUT`, the `appNamespace` parameter must For `ApplicationSet` resources in the control plane namespace, this parameter can be omitted. -## Secrets consideration +## Clusters secrets consideration -By allowing ApplicationSet in any namespace you must be aware that clusters, API token secrets (etc...) can be discovered and used. +By allowing ApplicationSet in any namespace you must be aware that clusters can be discovered and used. Example: @@ -177,4 +218,4 @@ spec: - clusters: {} # Automatically use all clusters defined within Argo CD ``` -If you don't want to allow users to discover secrets with ApplicationSets from other namespaces you may consider deploying ArgoCD in namespace scope or use OPA rules. \ No newline at end of file +If you don't want to allow users to discover all clusters with ApplicationSets from other namespaces you may consider deploying ArgoCD in namespace scope or use OPA rules. \ No newline at end of file diff --git a/docs/operator-manual/applicationset/Controlling-Resource-Modification.md b/docs/operator-manual/applicationset/Controlling-Resource-Modification.md index f43a9dbd359ba..b9c383cda404f 100644 --- a/docs/operator-manual/applicationset/Controlling-Resource-Modification.md +++ b/docs/operator-manual/applicationset/Controlling-Resource-Modification.md 
@@ -195,10 +195,6 @@ By default, the Argo CD notifications and the Argo CD refresh type annotations a Here is a list of commonly requested resource modification features which are not supported as of the current release. This lack of support is *not* necessarily by design; rather these behaviours are documented here to provide clear, concise descriptions of the current state of the feature. -### Limitation: Control resource modification on a per ApplicationSet basis - -There is currently no way to restrict modification/deletion of the Applications that are owned by an *individual* ApplicationSet. The global `--policy` parameters described above only allow targeting of *all* ApplicationSets (eg it is 'all or nothing'). - ### Limitation: No support for manual edits to individual Applications There is currently no way to allow modification of a single child Application of an ApplicationSet, for example, if you wanted to make manual edits to a single Application for debugging/testing purposes. diff --git a/docs/operator-manual/applicationset/Generators-Git.md b/docs/operator-manual/applicationset/Generators-Git.md index 690495dccfee5..25923a4a75d83 100644 --- a/docs/operator-manual/applicationset/Generators-Git.md +++ b/docs/operator-manual/applicationset/Generators-Git.md @@ -157,7 +157,7 @@ Or, a shorter way (using [path.Match](https://golang.org/pkg/path/#Match) syntax ```yaml - path: /d/* -- path: /d/[f|g] +- path: /d/[fg] exclude: true ``` diff --git a/docs/operator-manual/applicationset/Generators-Plugin.md b/docs/operator-manual/applicationset/Generators-Plugin.md index 57ae0f90fb840..3747c38865df5 100644 --- a/docs/operator-manual/applicationset/Generators-Plugin.md +++ b/docs/operator-manual/applicationset/Generators-Plugin.md 
@@ -94,8 +94,8 @@ metadata: type: Opaque data: # ... - # The secret value must be base64 encoded **once** - # this value corresponds to: `printf "strong-password" | base64` + # The secret value must be base64 encoded **once**. + # this value corresponds to: `printf "strong-password" | base64`. plugin.myplugin.token: "c3Ryb25nLXBhc3N3b3Jk" # ... ``` @@ -124,9 +124,9 @@ type: Opaque data: # ... # Store client secret like below. - # Ensure the secret is base64 encoded - plugin.myplugin.token: - # ... + # The secret value must be base64 encoded **once**. + # This value corresponds to: `printf "strong-password" | base64`. + plugin.myplugin.token: "c3Ryb25nLXBhc3N3b3Jk" ``` ### HTTP server @@ -138,7 +138,7 @@ You can deploy it either as a sidecar or as a standalone deployment (the latter In the example, the token is stored in a file at this location : `/var/run/argo/token` ``` -string-password +strong-password ``` ```python @@ -199,7 +199,7 @@ if __name__ == '__main__': Execute getparams with curl : ``` -curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer string-password" -d \ +curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer strong-password" -d \ '{ "applicationSetName": "fake-appset", "input": { @@ -283,7 +283,7 @@ To illustrate : - The generator plugin would then perform 2 requests as follows : ```shell -curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer string-password" -d \ +curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer strong-password" -d \ '{ "applicationSetName": "fb-matrix", "input": { @@ -297,7 +297,7 @@ curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer st Then, ```shell -curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer string-password" -d \ +curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer strong-password" -d \ '{ "applicationSetName": "fb-matrix", "input": { 
diff --git a/docs/operator-manual/applicationset/Generators-SCM-Provider.md b/docs/operator-manual/applicationset/Generators-SCM-Provider.md index 095d6616ee5e3..8f4a6ad96a986 100644 --- a/docs/operator-manual/applicationset/Generators-SCM-Provider.md +++ b/docs/operator-manual/applicationset/Generators-SCM-Provider.md @@ -87,6 +87,9 @@ spec: allBranches: true # If true, recurses through subgroups. If false, it searches only in the base group. Defaults to false. includeSubgroups: true + # If true and includeSubgroups is also true, include Shared Projects, which is gitlab API default. + # If false only search Projects under the same path. Defaults to true. + includeSharedProjects: false # Reference to a Secret containing an access token. (optional) tokenRef: secretName: gitlab-token @@ -101,6 +104,7 @@ spec: * `api`: If using self-hosted GitLab, the URL to access it. * `allBranches`: By default (false) the template will only be evaluated for the default branch of each repo. If this is true, every branch of every repository will be passed to the filters. If using this flag, you likely want to use a `branchMatch` filter. * `includeSubgroups`: By default (false) the controller will only search for repos directly in the base group. If this is true, it will recurse through all the subgroups searching for repos to scan. +* `includeSharedProjects`: If true and includeSubgroups is also true, include Shared Projects, which is gitlab API default. If false only search Projects under the same path. In general most would want the behaviour when set to false. Defaults to true. * `tokenRef`: A `Secret` name and key containing the GitLab access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. * `insecure`: By default (false) - Skip checking the validity of the SCM's certificate - useful for self-signed TLS certificates. 
diff --git a/docs/operator-manual/applicationset/Generators.md b/docs/operator-manual/applicationset/Generators.md index 4a2982c740aa7..78600c771fddd 100644 --- a/docs/operator-manual/applicationset/Generators.md +++ b/docs/operator-manual/applicationset/Generators.md @@ -6,7 +6,7 @@ Generators are primarily based on the data source that they use to generate the As of this writing there are nine generators: -- [List generator](Generators-List.md): The List generator allows you to target Argo CD Applications to clusters based on a fixed list of cluster name/URL values. +- [List generator](Generators-List.md): The List generator allows you to target Argo CD Applications to clusters based on a fixed list of any chosen key/value element pairs. - [Cluster generator](Generators-Cluster.md): The Cluster generator allows you to target Argo CD Applications to clusters, based on the list of clusters defined within (and managed by) Argo CD (which includes automatically responding to cluster addition/removal events from Argo CD). - [Git generator](Generators-Git.md): The Git generator allows you to create Applications based on files within a Git repository, or based on the directory structure of a Git repository. - [Matrix generator](Generators-Matrix.md): The Matrix generator may be used to combine the generated parameters of two separate generators. diff --git a/docs/operator-manual/argocd-cmd-params-cm.yaml b/docs/operator-manual/argocd-cmd-params-cm.yaml index 7dae71629995a..d4a754f0e44b9 100644 --- a/docs/operator-manual/argocd-cmd-params-cm.yaml +++ b/docs/operator-manual/argocd-cmd-params-cm.yaml 
@@ -179,6 +179,11 @@ data: applicationsetcontroller.namespaces: "argocd,argocd-appsets-*" # Path of the self-signed TLS certificate for SCM/PR Gitlab Generator applicationsetcontroller.scm.root.ca.path: "" + # A comma separated list of allowed SCM providers (default "" is all SCM providers). + # Setting this field is required when using ApplicationSets-in-any-namespace, to prevent users from + # sending secrets from `tokenRef`s to disallowed `api` domains. + # The url used in the scm generator must exactly match one in the list + applicationsetcontroller.allowed.scm.providers: "https://git.example.com/,https://gitlab.example.com/" ## Argo CD Notifications Controller Properties # Set the logging level. One of: debug|info|warn|error (default "info") diff --git a/docs/operator-manual/config-management-plugins.md b/docs/operator-manual/config-management-plugins.md index ae39bf1a9214a..3550dbd81f143 100644 --- a/docs/operator-manual/config-management-plugins.md +++ b/docs/operator-manual/config-management-plugins.md @@ -106,7 +106,7 @@ spec: # static parameter announcements list. command: [echo, '[{"name": "example-param", "string": "default-string-value"}]'] - # If set to then the plugin receives repository files with original file mode. Dangerous since the repository + # If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository # might have executable files. Set to true only if you trust the CMP plugin authors. preserveFileMode: false ``` diff --git a/docs/operator-manual/declarative-setup.md b/docs/operator-manual/declarative-setup.md index a7b7bb28ce08c..4519bb2d1c6a2 100644 --- a/docs/operator-manual/declarative-setup.md +++ b/docs/operator-manual/declarative-setup.md @@ -602,6 +602,8 @@ stringData: } ``` +### EKS + EKS cluster secret example using argocd-k8s-auth and [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html): ```yaml 
@@ -727,6 +729,7 @@ data: "rolearn": ":role/" "username": "" ``` +### GKE GKE cluster secret example using argocd-k8s-auth and [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity): 
@@ -757,6 +760,99 @@ stringData: Note that you must enable Workload Identity on your GKE cluster, create GCP service account with appropriate IAM role and bind it to Kubernetes service account for argocd-application-controller and argocd-server (showing Pod logs on UI). See [Use Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) and [Authenticating to the Kubernetes API server](https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication). +### AKS + +Azure cluster secret example using argocd-k8s-auth and [kubelogin](https://github.com/Azure/kubelogin). The option *azure* to the argocd-k8s-auth execProviderConfig encapsulates the *get-token* command for kubelogin. Depending upon which authentication flow is desired (devicecode, spn, ropc, msi, azurecli, workloadidentity), set the environment variable AAD_LOGIN_METHOD with this value. Set other appropriate environment variables depending upon which authentication flow is desired. + +|Variable Name|Description| +|-------------|-----------| +|AAD_LOGIN_METHOD|One of devicecode, spn, ropc, msi, azurecli, or workloadidentity| +|AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE|AAD client cert in pfx. Used in spn login| +|AAD_SERVICE_PRINCIPAL_CLIENT_ID|AAD client application ID| +|AAD_SERVICE_PRINCIPAL_CLIENT_SECRET|AAD client application secret| +|AAD_USER_PRINCIPAL_NAME|Used in the ropc flow| +|AAD_USER_PRINCIPAL_PASSWORD|Used in the ropc flow| +|AZURE_TENANT_ID|The AAD tenant ID.| +|AZURE_AUTHORITY_HOST|Used in the WorkloadIdentityLogin flow| +|AZURE_FEDERATED_TOKEN_FILE|Used in the WorkloadIdentityLogin flow| +|AZURE_CLIENT_ID|Used in the WorkloadIdentityLogin flow| + +In addition to the environment variables above, argocd-k8s-auth accepts two extra environment variables to set the AAD environment, and to set the AAD server application ID. The AAD server application ID will default to 6dae42f8-4368-4678-94ff-3960e28e3630 if not specified. 
See [here](https://github.com/azure/kubelogin#exec-plugin-format) for details. + +|Variable Name|Description| +|-------------|-----------| +|AAD_ENVIRONMENT_NAME|The azure environment to use, default of AzurePublicCloud| +|AAD_SERVER_APPLICATION_ID|The optional AAD server application ID, defaults to 6dae42f8-4368-4678-94ff-3960e28e3630| + +This is an example of using the [federated workload login flow](https://github.com/Azure/kubelogin#azure-workload-federated-identity-non-interactive). The federated token file needs to be mounted as a secret into argoCD, so it can be used in the flow. The location of the token file needs to be set in the environment variable AZURE_FEDERATED_TOKEN_FILE. + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: mycluster-secret + labels: + argocd.argoproj.io/secret-type: cluster +type: Opaque +stringData: + name: mycluster.com + server: https://mycluster.com + config: | + { + "execProviderConfig": { + "command": "argocd-k8s-auth", + "env": { + "AAD_ENVIRONMENT_NAME": "AzurePublicCloud", + "AZURE_CLIENT_ID": "fill in client id", + "AZURE_TENANT_ID": "fill in tenant id", + "AZURE_FEDERATED_TOKEN_FILE": "/opt/path/to/federated_file.json", + "AZURE_AUTHORITY_HOST": "https://login.microsoftonline.com/", + "AAD_LOGIN_METHOD": "workloadidentity" + }, + "args": ["azure"], + "apiVersion": "client.authentication.k8s.io/v1beta1" + }, + "tlsClientConfig": { + "insecure": false, + "caData": "" + } + } +``` + +This is an example of using the spn (service principal name) flow. 
+ +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: mycluster-secret + labels: + argocd.argoproj.io/secret-type: cluster +type: Opaque +stringData: + name: mycluster.com + server: https://mycluster.com + config: | + { + "execProviderConfig": { + "command": "argocd-k8s-auth", + "env": { + "AAD_ENVIRONMENT_NAME": "AzurePublicCloud", + "AAD_SERVICE_PRINCIPAL_CLIENT_SECRET": "fill in your service principal client secret", + "AZURE_TENANT_ID": "fill in tenant id", + "AAD_SERVICE_PRINCIPAL_CLIENT_ID": "fill in your service principal client id", + "AAD_LOGIN_METHOD": "spn" + }, + "args": ["azure"], + "apiVersion": "client.authentication.k8s.io/v1beta1" + }, + "tlsClientConfig": { + "insecure": false, + "caData": "" + } + } +``` + ## Helm Chart Repositories Non standard Helm Chart repositories have to be registered explicitly. diff --git a/docs/operator-manual/deep_links.md b/docs/operator-manual/deep_links.md index b768cfd4d8aac..c166a1d25d75d 100644 --- a/docs/operator-manual/deep_links.md +++ b/docs/operator-manual/deep_links.md @@ -21,7 +21,7 @@ Each link in the list has five subfields: 1. `title`: title/tag that will be displayed in the UI corresponding to that link 2. `url`: the actual URL where the deep link will redirect to, this field can be templated to use data from the - corresponding application, project or resource objects (depending on where it is located). This uses [text/template](pkg.go.dev/text/template) pkg for templating + corresponding application, project or resource objects (depending on where it is located). This uses [text/template](https://pkg.go.dev/text/template) pkg for templating 3. `description` (optional): a description for what the deep link is about 4. `icon.class` (optional): a font-awesome icon class to be used when displaying the links in dropdown menus 5. `if` (optional): a conditional statement that results in either `true` or `false`, it also has access to the same 
@@ -37,7 +37,7 @@ Each link in the list has five subfields: As mentioned earlier the links and conditions can be templated to use data from the resource, each category of links can access different types of data linked to that resource. Overall we have these 4 resources available for templating in the system: -- `application`: this key is used to access the application resource data. +- `app` or `application`: this key is used to access the application resource data. - `resource`: this key is used to access values for the actual k8s resource. - `cluster`: this key is used to access the related destination cluster data like name, server, namespaces etc. - `project`: this key is used to access the project resource data. @@ -45,7 +45,7 @@ Overall we have these 4 resources available for templating in the system: The above resources are accessible in particular link categories, here's a list of resources available in each category: - `resource.links`: `resource`, `application`, `cluster` and `project` -- `application.links`: `application` and `cluster` +- `application.links`: `app`/`application` and `cluster` - `project.links`: `project` An example `argocd-cm.yaml` file with deep links and their variations : 
@@ -60,16 +60,16 @@ An example `argocd-cm.yaml` file with deep links and their variations : # sample application level links application.links: | # pkg.go.dev/text/template is used for evaluating url templates - - url: https://mycompany.splunk.com?search={{.application.spec.destination.namespace}}&env={{.project.metadata.labels.env}} + - url: https://mycompany.splunk.com?search={{.app.spec.destination.namespace}}&env={{.project.metadata.labels.env}} title: Splunk # conditionally show link e.g. for specific project # github.com/antonmedv/expr is used for evaluation of conditions - - url: https://mycompany.splunk.com?search={{.application.spec.destination.namespace}} + - url: https://mycompany.splunk.com?search={{.app.spec.destination.namespace}} title: Splunk if: application.spec.project == "default" - - url: https://{{.application.metadata.annotations.splunkhost}}?search={{.application.spec.destination.namespace}} + - url: https://{{.app.metadata.annotations.splunkhost}}?search={{.app.spec.destination.namespace}} title: Splunk - if: application.metadata.annotations.splunkhost != "" + if: app.metadata.annotations.splunkhost != "" # sample resource level links resource.links: | - url: https://mycompany.splunk.com?search={{.resource.metadata.name}}&env={{.project.metadata.labels.env}} diff --git a/docs/operator-manual/notifications/index.md b/docs/operator-manual/notifications/index.md index dafb87169eb14..8d4f383930475 100644 --- a/docs/operator-manual/notifications/index.md +++ b/docs/operator-manual/notifications/index.md @@ -17,8 +17,9 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/st * Add Email username and password token to `argocd-notifications-secret` secret ```bash -export EMAIL_USER= -export PASSWORD= +EMAIL_USER= + PASSWORD= + kubectl apply -n argocd -f - << EOF apiVersion: v1 kind: Secret diff --git a/docs/operator-manual/reconcile.md b/docs/operator-manual/reconcile.md index 7c886005903e2..a956cd9cf7b28 100644 
--- a/docs/operator-manual/reconcile.md +++ b/docs/operator-manual/reconcile.md @@ -13,7 +13,8 @@ When a resource update is ignored, if the resource's [health status](./health.md Argo CD allows ignoring resource updates at a specific JSON path, using [RFC6902 JSON patches](https://tools.ietf.org/html/rfc6902) and [JQ path expressions](https://stedolan.github.io/jq/manual/#path(path_expression)). It can be configured for a specified group and kind in `resource.customizations` key of the `argocd-cm` ConfigMap. -The feature is behind a flag. To enable it, set `resource.ignoreResourceUpdatesEnabled` to `"true"` in the `argocd-cm` ConfigMap. +!!!important "Enabling the feature" + The feature is behind a flag. To enable it, set `resource.ignoreResourceUpdatesEnabled` to `"true"` in the `argocd-cm` ConfigMap. Following is an example of a customization which ignores the `refreshTime` status field of an [`ExternalSecret`](https://external-secrets.io/main/api/externalsecret/) resource: @@ -22,6 +23,9 @@ data: resource.customizations.ignoreResourceUpdates.external-secrets.io_ExternalSecret: | jsonPointers: - /status/refreshTime + # JQ equivalent of the above: + # jqPathExpressions: + # - .status.refreshTime ``` It is possible to configure `ignoreResourceUpdates` to be applied to all tracked resources in every Application managed by an Argo CD instance. In order to do so, resource customizations can be configured like in the example below: 
@@ -61,4 +65,49 @@ To find these logs, search for `"Requesting app refresh caused by object update" fields for `api-version` and `kind`. Counting the number of refreshes triggered, by api-version/kind should reveal the high-churn resource kinds. -Note that these logs are at the `debug` level. Configure the application-controller's log level to `debug`. +!!!note + These logs are at the `debug` level. Configure the application-controller's log level to `debug`. + +Once you have identified some resources which change often, you can try to determine which fields are changing. Here is +one approach: + +```shell +kubectl get -o yaml > /tmp/before.yaml +# Wait a minute or two. +kubectl get -o yaml > /tmp/after.yaml +diff /tmp/before.yaml /tmp/after +``` + +The diff can give you a sense for which fields are changing and should perhaps be ignored. + +## Checking Whether Resource Updates are Ignored + +Whenever Argo CD skips a refresh due to an ignored resource update, the controller logs the following line: +"Ignoring change of object because none of the watched resource fields have changed". + +Search the application-controller logs for this line to confirm that your resource ignore rules are being applied. + +!!!note + These logs are at the `debug` level. Configure the application-controller's log level to `debug`. + +## Examples + +### argoproj.io/Application + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm +data: + resource.customizations.ignoreResourceUpdates.argoproj.io_Application: | + jsonPointers: + # Ignore when ownerReferences change, for example when a parent ApplicationSet changes often. + - /metadata/ownerReferences + # Ignore reconciledAt, since by itself it doesn't indicate any important change. + - /status/reconciledAt + jqPathExpressions: + # Ignore lastTransitionTime for conditions; helpful when SharedResourceWarnings are being regularly updated but not + # actually changing in content. 
+ - .status.conditions[].lastTransitionTime +``` diff --git a/docs/operator-manual/signed-release-assets.md b/docs/operator-manual/signed-release-assets.md index 4944f70ac1cb8..9aec6bb071047 100644 --- a/docs/operator-manual/signed-release-assets.md +++ b/docs/operator-manual/signed-release-assets.md @@ -136,11 +136,13 @@ slsa-verifier verify-artifact argocd-linux-amd64 \ ## Verification of Sbom +A single attestation (`argocd-sbom.intoto.jsonl`) from each release is provided along with the sbom (`sbom.tar.gz`). This can be used with [slsa-verifier](https://github.com/slsa-framework/slsa-verifier#verification-for-github-builders) to verify that the SBOM was generated using Argo CD workflows on GitHub and ensures it was cryptographically signed. + ```bash -cosign verify-blob --signature sbom.tar.gz.sig --certificate sbom.tar.gz.pem \ ---certificate-identity-regexp ^https://github.com/argoproj/argo-cd/.github/workflows/release.yaml@refs/tags/v \ ---certificate-oidc-issuer https://token.actions.githubusercontent.com \ - ~/Downloads/sbom.tar.gz | jq +slsa-verifier verify-artifact sbom.tar.gz \ + --provenance-path argocd-sbom.intoto.jsonl \ + --source-uri github.com/argoproj/argo-cd \ + --source-tag v2.7.0 ``` *** diff --git a/docs/operator-manual/upgrading/2.7-2.8.md b/docs/operator-manual/upgrading/2.7-2.8.md index 12622642d5eff..8ee91cdf984c6 100644 --- a/docs/operator-manual/upgrading/2.7-2.8.md +++ b/docs/operator-manual/upgrading/2.7-2.8.md @@ -65,3 +65,8 @@ p, role:action-runner, applications, action/argoproj.io/WorkflowTemplate/create- p, role:action-runner, applications, action/argoproj.io/CronWorkflow/create-workflow, *, allow p, role:action-runner, applications, action/batch/CronJob/create-job, *, allow ``` + +## Change default file open mode + +In version 2.7, the CMP plugin was changed to open Git/Helm files with all executable bits set (unless `preserveFileMode` was specified). +Version 2.8 removes the executable bits in cases where they are not necessary. 
diff --git a/docs/operator-manual/user-management/index.md b/docs/operator-manual/user-management/index.md index 5bac93db92d06..1b3b96cd72104 100644 --- a/docs/operator-manual/user-management/index.md +++ b/docs/operator-manual/user-management/index.md @@ -44,6 +44,24 @@ Each user might have two capabilities: * apiKey - allows generating authentication tokens for API access * login - allows to login using UI +### Delete user + +In order to delete a user, you must remove the corresponding entry defined in the `argocd-cm` ConfigMap: + +Example: + +```bash +kubectl patch -n argocd cm argocd-cm --type='json' -p='[{"op": "remove", "path": "/data/accounts.alice"}]' +``` + +It is recommended to also remove the password entry in the `argocd-secret` Secret: + +Example: + +```bash +kubectl patch -n argocd secrets argocd-secret --type='json' -p='[{"op": "remove", "path": "/data/accounts.alice.password"}]' +``` + ### Disable admin user As soon as additional users are created it is recommended to disable `admin` user: diff --git a/docs/proposals/feature-bounties.md b/docs/proposals/feature-bounties.md new file mode 100644 index 0000000000000..a3b978bf0becb --- /dev/null +++ b/docs/proposals/feature-bounties.md 
@@ -0,0 +1,49 @@
+---
+title: Offering Feature Bounties (Experimental)
+authors:
+ - "@crenshaw-dev"
+ - "@todaywasawesome"
+sponsors:
+ - "@jannfis"
+reviewers:
+ - TBD
+approvers:
+ - TBD
+
+creation-date: 2023-06-27
+---
+# Offering Feature Bounties (Experimental)
+
+## Summary
+We'd like to have the ability to offer monetary rewards for significant features to be added to Argo.
+
+## Motivation
+The Argo Project is driven by community contributions and in shared trust with maintainer companies. Sometimes there are important features worth investing in that represent substantial work and are tougher, or take longer to implement.
+
+By providing a financial incentive, we can spur additional development from the community and indepdent contributors.
+
+## Proposal
+Add the ability to mark a proposal with a bounty and a specific amount. When a PR is successfully merged, release payment to the PR author(s).
+
+This proposal is experimental, meaning after trying a single bounty, we will review as a project and decide if we would like to continue this program. Accepting this proposal only constitutes the program for a single bounty as an experiment.
+
+### Guidelines and Rules
+
+#### Creating a Bounty
+A bounty is a special proposal created under `docs/proposals/feature-bounties`.
+* A bounty proposal may only be created by an existing Argo maintainer.
+* The proposal document must be reviewed in regular maintainer meetings and an invitation for feedback will provide 7-days to comment.
+* Bounty should have approval with [lazy-consensus](https://community.apache.org/committers/lazyConsensus.html)
+* Once a bounty is created, they must be honored.
+* Bounty progress will be tracked in a GitHub issue linked in the proposal.
+* Creating a bounty requires the funds be available and not already committed elsewhere.
+
+#### Claiming a Bounty
+* Argo will pay out bounties once a pull request implementing the requested features/changes/fixes is merged.
+* A bounty is limited to a single successful PR.
+* Those interested in working on the bounty are encouraged to comment on the issue, and users may team up to split a bounty if they prefer but collaboration is not required and users should not shame eachother for their preferences to work alone or together.
+* A comment of interest does not constitute a claim and will not be treated as such.
+* The first pull request submitted that is ready for merge will be reviewed by maintainers. Maintainers will also consider any competing pull requests submitted within 24-hours. We expect this will be a very rare circumstance. If multiple, high-quality, merge ready pull requests are submitted, 3-5 Approvers for the sub-project will vote to decide the final pull request merged.
+
+### Funding
+The Argo Project has a small amount of funds from HackerOne bounties that can provide for a few feature bounties.
\ No newline at end of file
diff --git a/docs/proposals/native-ocp-support.md b/docs/proposals/native-ocp-support.md
new file mode 100644
index 0000000000000..64918fde8904e
--- /dev/null
+++ b/docs/proposals/native-ocp-support.md
@@ -0,0 +1,135 @@
+---
+title: Argo CD first-class OCI support
+authors:
+ - "@sabre1041"
+ - "@crenshaw-dev"
+ - "@todaywasawesome"
+
+sponsors:
+ - TBD
+reviewers:
+ - "@alexmt"
+approvers:
+ - "@alexmt"
+
+creation-date: 2023-05-09
+---
+
+# Argo CD first-class OCI support
+
+Storing and retrieving manifests within in OCI registries
+
+## Summary
+
+Currently, Argo CD supports obtaining manifests from either a Git repository, a Helm chart repository, or a Helm chart stored within an OCI registry. Given that OCI registries are more frequently being used to store content aside from container images, introduce a mechanism for storing and retrieving manifests that can be used by any of the existing supported tools in any of the supported methods of representing assets that are to be applied to a Kubernetes environment.
+
+
+## Motivation
+
+The industry is seeing a rapid adoption of OCI Artifacts as a method for storing and retrieving content. Adding support for sourcing resources stored in OCI artifacts not only provides immediate benefits, but opens up additional possible integrations in the future.
+
+**Dependency Reduction**
+
+ At the present time, a user must have access to either a Git repository, or a remote Helm chart repository. Most users or enterprise organizations already have access to an OCI registry as it represents the primary source of image related content within a Kubernetes environment. By sourcing assets from OCI registries, no additional infrastructure is required in order to store a variety of content types simplifying the set of requirements in order to begin to fully leverage the capabilities of Argo CD.
+
+**Market Relevance**
+
+Argo CD continues to be one of the most popular GitOps tools in the industry. As the industry continues to evolve, other tools within the GitOps market have already began to adopt OCI artifacts as a source for storing and retrieving GitOps resources.
+
+### Goals
+
+* Enable the retrieval of resources stored as artifacts in OCI registries that are formatted in any of the supported options (Kustomize, Jsonnet, Helm, plain-manifest, CMPs, etc)
+* Define a format for storing resources that can be processed by Argo CD as an OCI artifact including the composition and [Media Type(s)](https://github.com/opencontainers/image-spec/blob/main/media-types.md)
+* Support the retrieval of artifacts from OCI registries using custom / self signed TLS certificates.
+* Support the retrieval of artifacts from OCI registries requiring authentication.
+
+### Non-Goals
+
+* CLI Integration to package and publish resources in a format for storage in an OCI registry
+* Attach metadata to OCI artifact manifest to provide additional details related to the content (such as original Git source [URL, revision])
+
+## Proposal
+
+This is where we get down to details of what the proposal is about.
+
+### Use cases
+
+Add a list of detailed use cases this enhancement intends to take care of.
+
+#### Publishing and retrieval of content from OCI registries:
+
+As a user, I would like to make use of content that is represented by any of the supported options (Kustomize, Jsonnet, Helm, plain-manifest, etc) or those that could be consumed using a Config Management Plugin from an OCI registry.
+
+#### Authenticating to OCI registries:
+
+As a user, I would like to enforce proper security controls by requiring authentication to an OCI registry and configure Argo CD to be able to interact with this registry.
+
+#### CLI Integration:
+
+As a user, I would like the ability to produce, store and retrieve resources (pull/push) in a OCI registry using the Argo CD CLI.
+
+### Implementation Details/Notes/Constraints
+
+The Argo CD repo-server currently maintains two types of clients - Helm and git. By adding a third client, and invoking it in the same places as the other two, we can support OCI artifacts.
+
+It seems likely that we should create a new, common interface to represent all three clients. Then we can instantiate the client we need, toggling on whatever value in the repo config determines what kind of repo we're fetching from.
+
+#### Format of OCI Artifact
+
+An OCI artifact can contain any type of binary content. It is important that the content be formatted in a manner that can be consumed by Argo CD.
+
+#### Content
+
+Resources that is consumed by Argo CD can be represented by a series of files and folders. To be stored within an OCI artifact, these assets are stored within a compressed tar archive (.tar.gz) OCI layer. The [OCI Image Specification](https://specs.opencontainers.org/image-spec/) allows for metadata to be added through the use of annotations to provide attribute based details describing the included content. This level of detail is important as it satisfies many of the existing capabilities of Argo CD for tracking content, such as Git repository URL, branch name/revision.
+
+
+#### Media Types
+
+The [OCI Image Specification](https://specs.opencontainers.org/image-spec/) makes extensive use of Media Types to identity the format of content. To provide not only a way that signifies the content of the OCI artifact contains Argo CD manifests, but to define the structure of the content. An understanding of the composition and requirements enable a broad ecosystem of tooling that can be used to produce and consume Argo CD resources within OCI registries.
+
+Two new Media Types will be used for this purpose as defined below:
+
+* `application/vnd.cncf.argoproj.argocd.content.v1.tar+gzip` - Primary asset stored within the OCI artifact containing a gzip compressed tar archive of Argo CD resources. Further details are outlined in the prior section.
+* `application/vnd.cncf.argoproj.argocd.config.v1+json` - An [OCI Image Configuration](https://specs.opencontainers.org/image-spec/config/)
+
+
+### Detailed examples
+
+
+### Security Considerations
+
+The direct integration with an external endpoint from the core subsystem of Argo CD introduces several considerations as it relates to security. It is worthy to note that Argo CD currently does support sourcing Helm charts that are stored within OCI registries. However, this interaction is performed by Helm and its underlying library, [ORAS](https://oras.land), and not Argo CD itself. Capabilities included within this proposal can make use of the same libraries to facilitate the interaction.
+
+#### Credentials
+
+Security controls may be enforced within the OCI registry to enforce that clients authenticate. The introduction of additional mechanisms to authenticate against target systems is outside the scope of this proposal. However, an integration with existing capabilities and features, such as sourcing from _repository_ credentials is required.
+
+
+### Risks and Mitigation's
+
+#### Overlap with existing Helm OCI integration
+
+Argo CD already includes support for sourcing Helm Charts from OCI registries and the retrieval is delegated to functionality provided by Helm. Considerations must be taken into account to determine whether the intent by the end user is to consume an OCI artifact containing Argo CD related resources or a Helm chart. One such method for addressing this concern is to inspect the `mediaType` of the OCI artifact.
+
+
+### Upgrade / Downgrade Strategy
+
+If applicable, how will the component be upgraded and downgraded? Make sure this is in the test
+plan.
+
+Consider the following in developing an upgrade/downgrade strategy for this enhancement:
+
+- What changes (in invocations, configurations, API use, etc.) is an existing cluster required to
+ make on upgrade in order to keep previous behavior?
+- What changes (in invocations, configurations, API use, etc.) is an existing cluster required to
+ make on upgrade in order to make use of the enhancement?
+
+## Drawbacks
+
+* Sourcing content from an OCI registry may be perceived to be against GitOps principles as content is not sourced from a Git repository. This concern could be mitigated by attaching additional details related to the content (such as original Git source [URL, revision]). Though it should be noted that the GitOps principles only require a source of truth to be visioned and immutable which OCI registires support.
+
+## Alternatives
+
+### Config Management Plugin
+
+Content stored within OCI artifacts could be sourced using a Config Management Plugin which would not require changes to the core capabilities provided by Argo CD. However, this would be hacky and not represent itself within the Argo CD UI.
\ No newline at end of file
diff --git a/docs/requirements.txt b/docs/requirements.txt
index ca3bc2f803744..09b5d35eb5d5b 100644
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,6 +1,6 @@
 mkdocs==1.3.0
 mkdocs-material==7.1.8
 markdown_include==0.6.0
-pygments==2.7.4
+pygments==2.15.0
 jinja2==3.0.3
 markdown==3.3.7
\ No newline at end of file
diff --git a/docs/snyk/index.md b/docs/snyk/index.md
index b27c3646f1e17..386f930c6ac2c 100644
--- a/docs/snyk/index.md
+++ b/docs/snyk/index.md
@@ -14,62 +14,62 @@ recent minor releases. | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| | [go.mod](master/argocd-test.html) | 0 | 1 | 0 | 0 | -| [ui/yarn.lock](master/argocd-test.html) | 0 | 1 | 0 | 0 | -| [dex:v2.37.0](master/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 0 | 0 | -| [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | -| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 3 | 17 | -| [redis:7.0.11-alpine](master/redis_7.0.11-alpine.html) | 0 | 0 | 0 | 0 | +| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 0 | 0 | +| [dex:v2.37.0](master/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | +| [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | +| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 1 | 15 | +| [redis:7.0.11-alpine](master/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | | [install.yaml](master/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.8.0-rc2 +### v2.8.0-rc7 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.8.0-rc2/argocd-test.html) | 0 | 1 | 0 | 0 | -| [ui/yarn.lock](v2.8.0-rc2/argocd-test.html) | 0 | 1 | 0 | 0 | -| [dex:v2.37.0](v2.8.0-rc2/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 0 | 0 | -| [haproxy:2.6.14-alpine](v2.8.0-rc2/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | -| [argocd:v2.8.0-rc2](v2.8.0-rc2/quay.io_argoproj_argocd_v2.8.0-rc2.html) | 0 | 0 | 3 | 17 | -| [redis:7.0.11-alpine](v2.8.0-rc2/redis_7.0.11-alpine.html) | 0 | 0 | 0 | 0 | -| [install.yaml](v2.8.0-rc2/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.8.0-rc2/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.8.0-rc7/argocd-test.html) | 0 | 1 | 0 | 0 | +| [ui/yarn.lock](v2.8.0-rc7/argocd-test.html) | 0 | 0 | 0 | 0 | +| [dex:v2.37.0](v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html) | 0 
| 0 | 2 | 1 | +| [haproxy:2.6.14-alpine](v2.8.0-rc7/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | +| [argocd:v2.8.0-rc7](v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html) | 0 | 0 | 1 | 15 | +| [redis:7.0.11-alpine](v2.8.0-rc7/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | +| [install.yaml](v2.8.0-rc7/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.8.0-rc7/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.7.7 +### v2.7.10 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.7.7/argocd-test.html) | 0 | 0 | 0 | 0 | -| [ui/yarn.lock](v2.7.7/argocd-test.html) | 0 | 1 | 0 | 0 | -| [dex:v2.37.0](v2.7.7/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 0 | 0 | -| [haproxy:2.6.14-alpine](v2.7.7/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | -| [argocd:v2.7.7](v2.7.7/quay.io_argoproj_argocd_v2.7.7.html) | 0 | 0 | 3 | 17 | -| [redis:7.0.11-alpine](v2.7.7/redis_7.0.11-alpine.html) | 0 | 0 | 0 | 0 | -| [install.yaml](v2.7.7/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.7.7/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.7.10/argocd-test.html) | 0 | 0 | 0 | 0 | +| [ui/yarn.lock](v2.7.10/argocd-test.html) | 0 | 1 | 0 | 0 | +| [dex:v2.37.0](v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | +| [haproxy:2.6.14-alpine](v2.7.10/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | +| [argocd:v2.7.10](v2.7.10/quay.io_argoproj_argocd_v2.7.10.html) | 0 | 0 | 1 | 15 | +| [redis:7.0.11-alpine](v2.7.10/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | +| [install.yaml](v2.7.10/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.7.10/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.6.12 +### v2.6.13 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.6.12/argocd-test.html) | 0 | 0 | 0 | 0 | -| [ui/yarn.lock](v2.6.12/argocd-test.html) | 0 | 1 | 0 | 0 | -| [dex:v2.37.0](v2.6.12/ghcr.io_dexidp_dex_v2.37.0.html) | 
0 | 0 | 0 | 0 | -| [haproxy:2.6.14-alpine](v2.6.12/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | -| [argocd:v2.6.12](v2.6.12/quay.io_argoproj_argocd_v2.6.12.html) | 0 | 0 | 3 | 17 | -| [redis:7.0.11-alpine](v2.6.12/redis_7.0.11-alpine.html) | 0 | 0 | 0 | 0 | -| [install.yaml](v2.6.12/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.6.12/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.6.13/argocd-test.html) | 0 | 0 | 0 | 0 | +| [ui/yarn.lock](v2.6.13/argocd-test.html) | 0 | 1 | 0 | 0 | +| [dex:v2.37.0](v2.6.13/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | +| [haproxy:2.6.14-alpine](v2.6.13/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | +| [argocd:v2.6.13](v2.6.13/quay.io_argoproj_argocd_v2.6.13.html) | 0 | 0 | 2 | 15 | +| [redis:7.0.11-alpine](v2.6.13/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | +| [install.yaml](v2.6.13/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.6.13/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.5.20 +### v2.5.21 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.5.20/argocd-test.html) | 0 | 0 | 2 | 0 | -| [ui/yarn.lock](v2.5.20/argocd-test.html) | 0 | 1 | 4 | 0 | -| [dex:v2.37.0](v2.5.20/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 0 | 0 | -| [haproxy:2.6.14-alpine](v2.5.20/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 | -| [argocd:v2.5.20](v2.5.20/quay.io_argoproj_argocd_v2.5.20.html) | 0 | 0 | 3 | 17 | -| [redis:7.0.11-alpine](v2.5.20/redis_7.0.11-alpine.html) | 0 | 0 | 0 | 0 | -| [install.yaml](v2.5.20/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.5.20/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.5.21/argocd-test.html) | 0 | 0 | 2 | 0 | +| [ui/yarn.lock](v2.5.21/argocd-test.html) | 0 | 1 | 4 | 0 | +| [dex:v2.37.0](v2.5.21/ghcr.io_dexidp_dex_v2.37.0.html) | 0 | 0 | 2 | 1 | +| [haproxy:2.6.14-alpine](v2.5.21/haproxy_2.6.14-alpine.html) | 0 | 0 | 2 | 1 | +| 
[argocd:v2.5.21](v2.5.21/quay.io_argoproj_argocd_v2.5.21.html) | 0 | 0 | 2 | 15 | +| [redis:7.0.11-alpine](v2.5.21/redis_7.0.11-alpine.html) | 0 | 0 | 2 | 1 | +| [install.yaml](v2.5.21/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.5.21/argocd-iac-namespace-install.html) | - | - | - | - | diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html index 7b11441beb9e2..e09c623374e61 100644 --- a/docs/snyk/master/argocd-iac-install.html +++ b/docs/snyk/master/argocd-iac-install.html @@ -456,7 +456,7 @@

Snyk test report

-

July 9th 2023, 12:21:13 am (UTC+00:00)

+

August 6th 2023, 12:16:29 am (UTC+00:00)

Scanned the following path: @@ -507,7 +507,7 @@

Role with dangerous permissions

  • - Line number: 18454 + Line number: 18472
  • @@ -553,7 +553,7 @@

    Role with dangerous permissions

  • - Line number: 18531 + Line number: 18549
  • @@ -599,7 +599,7 @@

    Role with dangerous permissions

  • - Line number: 18559 + Line number: 18577
  • @@ -645,7 +645,7 @@

    Role with dangerous permissions

  • - Line number: 18607 + Line number: 18625
  • @@ -691,7 +691,7 @@

    Role with dangerous permissions

  • - Line number: 18589 + Line number: 18607
  • @@ -737,7 +737,7 @@

    Role with dangerous permissions

  • - Line number: 18623 + Line number: 18641
  • @@ -789,7 +789,7 @@

    Container could be running with outdated image

  • - Line number: 19707 + Line number: 19737
  • @@ -847,7 +847,7 @@

    Container has no CPU limit

  • - Line number: 19094 + Line number: 19112
  • @@ -905,7 +905,7 @@

    Container has no CPU limit

  • - Line number: 19315 + Line number: 19345
  • @@ -963,7 +963,7 @@

    Container has no CPU limit

  • - Line number: 19281 + Line number: 19311
  • @@ -1021,7 +1021,7 @@

    Container has no CPU limit

  • - Line number: 19375 + Line number: 19405
  • @@ -1079,7 +1079,7 @@

    Container has no CPU limit

  • - Line number: 19462 + Line number: 19492
  • @@ -1137,7 +1137,7 @@

    Container has no CPU limit

  • - Line number: 19707 + Line number: 19737
  • @@ -1195,7 +1195,7 @@

    Container has no CPU limit

  • - Line number: 19519 + Line number: 19549
  • @@ -1253,7 +1253,7 @@

    Container has no CPU limit

  • - Line number: 19792 + Line number: 19822
  • @@ -1311,7 +1311,7 @@

    Container has no CPU limit

  • - Line number: 20108 + Line number: 20138
  • @@ -1363,7 +1363,7 @@

    Container is running with multiple open ports

  • - Line number: 19295 + Line number: 19325
  • @@ -1415,7 +1415,7 @@

    Container is running without liveness probe

  • - Line number: 19094 + Line number: 19112
  • @@ -1467,7 +1467,7 @@

    Container is running without liveness probe

  • - Line number: 19281 + Line number: 19311
  • @@ -1519,7 +1519,7 @@

    Container is running without liveness probe

  • - Line number: 19315 + Line number: 19345
  • @@ -1571,7 +1571,7 @@

    Container is running without liveness probe

  • - Line number: 19462 + Line number: 19492
  • @@ -1623,7 +1623,7 @@

    Container is running without liveness probe

  • - Line number: 19707 + Line number: 19737
  • @@ -1681,7 +1681,7 @@

    Container is running without memory limit

  • - Line number: 19094 + Line number: 19112
  • @@ -1739,7 +1739,7 @@

    Container is running without memory limit

  • - Line number: 19281 + Line number: 19311
  • @@ -1797,7 +1797,7 @@

    Container is running without memory limit

  • - Line number: 19315 + Line number: 19345
  • @@ -1855,7 +1855,7 @@

    Container is running without memory limit

  • - Line number: 19375 + Line number: 19405
  • @@ -1913,7 +1913,7 @@

    Container is running without memory limit

  • - Line number: 19462 + Line number: 19492
  • @@ -1971,7 +1971,7 @@

    Container is running without memory limit

  • - Line number: 19707 + Line number: 19737
  • @@ -2029,7 +2029,7 @@

    Container is running without memory limit

  • - Line number: 19519 + Line number: 19549
  • @@ -2087,7 +2087,7 @@

    Container is running without memory limit

  • - Line number: 19792 + Line number: 19822
  • @@ -2145,7 +2145,7 @@

    Container is running without memory limit

  • - Line number: 20108 + Line number: 20138
  • @@ -2201,7 +2201,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19205 + Line number: 19235
  • @@ -2257,7 +2257,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19323 + Line number: 19353
  • @@ -2313,7 +2313,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19298 + Line number: 19328
  • @@ -2369,7 +2369,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19396 + Line number: 19426
  • @@ -2425,7 +2425,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19472 + Line number: 19502
  • @@ -2481,7 +2481,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19714 + Line number: 19744
  • @@ -2537,7 +2537,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19680 + Line number: 19710
  • @@ -2593,7 +2593,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 20018 + Line number: 20048
  • @@ -2649,7 +2649,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 20256 + Line number: 20286
  • diff --git a/docs/snyk/master/argocd-iac-namespace-install.html b/docs/snyk/master/argocd-iac-namespace-install.html index f8e4ebdfe8879..8681140fe63db 100644 --- a/docs/snyk/master/argocd-iac-namespace-install.html +++ b/docs/snyk/master/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:21:26 am (UTC+00:00)

    +

    August 6th 2023, 12:16:42 am (UTC+00:00)

    Scanned the following path: @@ -789,7 +789,7 @@

    Container could be running with outdated image

  • - Line number: 1237 + Line number: 1249
  • @@ -905,7 +905,7 @@

    Container has no CPU limit

  • - Line number: 845 + Line number: 857
  • @@ -963,7 +963,7 @@

    Container has no CPU limit

  • - Line number: 811 + Line number: 823
  • @@ -1021,7 +1021,7 @@

    Container has no CPU limit

  • - Line number: 905 + Line number: 917
  • @@ -1079,7 +1079,7 @@

    Container has no CPU limit

  • - Line number: 992 + Line number: 1004
  • @@ -1137,7 +1137,7 @@

    Container has no CPU limit

  • - Line number: 1237 + Line number: 1249
  • @@ -1195,7 +1195,7 @@

    Container has no CPU limit

  • - Line number: 1049 + Line number: 1061
  • @@ -1253,7 +1253,7 @@

    Container has no CPU limit

  • - Line number: 1322 + Line number: 1334
  • @@ -1311,7 +1311,7 @@

    Container has no CPU limit

  • - Line number: 1638 + Line number: 1650
  • @@ -1363,7 +1363,7 @@

    Container is running with multiple open ports

  • - Line number: 825 + Line number: 837
  • @@ -1467,7 +1467,7 @@

    Container is running without liveness probe

  • - Line number: 811 + Line number: 823
  • @@ -1519,7 +1519,7 @@

    Container is running without liveness probe

  • - Line number: 845 + Line number: 857
  • @@ -1571,7 +1571,7 @@

    Container is running without liveness probe

  • - Line number: 992 + Line number: 1004
  • @@ -1623,7 +1623,7 @@

    Container is running without liveness probe

  • - Line number: 1237 + Line number: 1249
  • @@ -1739,7 +1739,7 @@

    Container is running without memory limit

  • - Line number: 811 + Line number: 823
  • @@ -1797,7 +1797,7 @@

    Container is running without memory limit

  • - Line number: 845 + Line number: 857
  • @@ -1855,7 +1855,7 @@

    Container is running without memory limit

  • - Line number: 905 + Line number: 917
  • @@ -1913,7 +1913,7 @@

    Container is running without memory limit

  • - Line number: 992 + Line number: 1004
  • @@ -1971,7 +1971,7 @@

    Container is running without memory limit

  • - Line number: 1237 + Line number: 1249
  • @@ -2029,7 +2029,7 @@

    Container is running without memory limit

  • - Line number: 1049 + Line number: 1061
  • @@ -2087,7 +2087,7 @@

    Container is running without memory limit

  • - Line number: 1322 + Line number: 1334
  • @@ -2145,7 +2145,7 @@

    Container is running without memory limit

  • - Line number: 1638 + Line number: 1650
  • @@ -2201,7 +2201,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 735 + Line number: 747
  • @@ -2257,7 +2257,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 853 + Line number: 865
  • @@ -2313,7 +2313,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 828 + Line number: 840
  • @@ -2369,7 +2369,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 926 + Line number: 938
  • @@ -2425,7 +2425,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1002 + Line number: 1014
  • @@ -2481,7 +2481,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1244 + Line number: 1256
  • @@ -2537,7 +2537,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1210 + Line number: 1222
  • @@ -2593,7 +2593,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1548 + Line number: 1560
  • @@ -2649,7 +2649,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1786 + Line number: 1798
  • diff --git a/docs/snyk/master/argocd-test.html b/docs/snyk/master/argocd-test.html index dff5d4eff951a..c81da2fd13242 100644 --- a/docs/snyk/master/argocd-test.html +++ b/docs/snyk/master/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:18:34 am (UTC+00:00)

    +

    August 6th 2023, 12:14:07 am (UTC+00:00)

    Scanned the following paths: @@ -466,9 +466,9 @@

    Snyk test report

    -
    2 known vulnerabilities
    -
    2 vulnerable dependency paths
    -
    1805 dependencies
    +
    1 known vulnerabilities
    +
    1 vulnerable dependency paths
    +
    1859 dependencies

    @@ -476,156 +476,6 @@

    Snyk test report

    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    - high severity -
    - -
    - -
      -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - semver -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.0.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.0.9 - - semver@7.3.8 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    semver is a semantic version parser used by npm.

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

    -

    PoC

    -
    
    -        const semver = require('semver')
    -        const lengths_2 = [2000, 4000, 8000, 16000, 32000, 64000, 128000]
    -        
    -        console.log("n[+] Valid range - Test payloads")
    -        for (let i = 0; i =1.2.3' + ' '.repeat(lengths_2[i]) + '<1.3.0';
    -        const start = Date.now()
    -        semver.validRange(value)
    -        // semver.minVersion(value)
    -        // semver.maxSatisfying(["1.2.3"], value)
    -        // semver.minSatisfying(["1.2.3"], value)
    -        // new semver.Range(value, {})
    -        
    -        const end = Date.now();
    -        console.log('length=%d, time=%d ms', value.length, end - start);
    -        }
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    Upgrade semver to version 7.5.2 or higher.

    -

    References

    - - -
    - - - -

    Denial of Service (DoS)

    diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html index 606a45c9fbca5..e4081cb340c45 100644 --- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:18:46 am (UTC+00:00)

    +

    August 6th 2023, 12:14:19 am (UTC+00:00)

    Scanned the following paths: @@ -466,8 +466,8 @@

    Snyk test report

    -
    0 known vulnerabilities
    -
    0 vulnerable dependency paths
    +
    4 known vulnerabilities
    +
    22 vulnerable dependency paths
    786 dependencies
    @@ -475,7 +475,603 @@

    Snyk test report

    - No known vulnerabilities detected. +
    +
    +

    Improper Authentication

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

    +

    Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

    +

    The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

    +

    As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Regular Expression Complexity

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

    +

    However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Cross-site Scripting (XSS)

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    +

    Details

    +

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    +

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    +

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    +

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    +

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    +

    Types of attacks

    +

    There are a few methods by which XSS can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    +

    Affected environments

    +

    The following environments are susceptible to an XSS attack:

    +
      +
    • Web servers
    • +
    • Application servers
    • +
    • Web application environments
    • +
    +

    How to prevent

    +

    This section describes the top best practices designed to specifically protect your code:

    +
      +
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • +
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • +
    • Give users the option to disable client-side scripts.
    • +
    • Redirect invalid requests.
    • +
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • +
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • +
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-3817

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    +

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    diff --git a/docs/snyk/master/haproxy_2.6.14-alpine.html b/docs/snyk/master/haproxy_2.6.14-alpine.html index a12c29f0b594c..cabb372c109f5 100644 --- a/docs/snyk/master/haproxy_2.6.14-alpine.html +++ b/docs/snyk/master/haproxy_2.6.14-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:18:53 am (UTC+00:00)

    +

    August 6th 2023, 12:14:24 am (UTC+00:00)

    Scanned the following path: @@ -466,8 +466,8 @@

    Snyk test report

    -
    0 known vulnerabilities
    -
    0 vulnerable dependency paths
    +
    3 known vulnerabilities
    +
    27 vulnerable dependency paths
    18 dependencies
    @@ -484,7 +484,546 @@

    Snyk test report

    - No known vulnerabilities detected. +
    +
    +

    Improper Authentication

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

    +

    Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

    +

    The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

    +

    As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Regular Expression Complexity

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

    +

    However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-3817

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    +

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    diff --git a/docs/snyk/master/quay.io_argoproj_argocd_latest.html b/docs/snyk/master/quay.io_argoproj_argocd_latest.html index a8d60976762aa..e47e9c2a08848 100644 --- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html +++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:19:18 am (UTC+00:00)

    +

    August 6th 2023, 12:14:47 am (UTC+00:00)

    Scanned the following paths: @@ -466,9 +466,9 @@

    Snyk test report

    -
    21 known vulnerabilities
    -
    95 vulnerable dependency paths
    -
    2114 dependencies
    +
    17 known vulnerabilities
    +
    74 vulnerable dependency paths
    +
    2126 dependencies
    @@ -557,7 +557,7 @@

    References

    -

    Improper Validation of Integrity Check Value

    +

    CVE-2023-4016

    @@ -573,12 +573,12 @@

    Improper Validation of Integrity Check Value

  • Vulnerable module: - systemd/libsystemd0 + procps/libprocps8
  • Introduced through: - docker-image|quay.io/argoproj/argocd@latest and systemd/libsystemd0@249.11-0ubuntu3.9 + docker-image|quay.io/argoproj/argocd@latest and procps/libprocps8@2:3.3.17-6ubuntu2
  • @@ -593,424 +593,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - systemd/libsystemd0@249.11-0ubuntu3.9 - - - - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
  • - - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 systemd.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Validation of Integrity Check Value

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@latest and systemd/libsystemd0@249.11-0ubuntu3.9 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 systemd.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Validation of Integrity Check Value

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@latest and systemd/libsystemd0@249.11-0ubuntu3.9 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 + procps/libprocps8@2:3.3.17-6ubuntu2 @@ -1019,9 +602,9 @@

      Detailed paths

      Introduced through: docker-image|quay.io/argoproj/argocd@latest - util-linux@2.37.2-4ubuntu3 + procps@2:3.3.17-6ubuntu2 - systemd/libudev1@249.11-0ubuntu3.9 + procps/libprocps8@2:3.3.17-6ubuntu2 @@ -1030,11 +613,7 @@

      Detailed paths

      Introduced through: docker-image|quay.io/argoproj/argocd@latest - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 + procps@2:3.3.17-6ubuntu2 @@ -1046,23 +625,21 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      +

      Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      +

      There is no fixed version for Ubuntu:22.04 procps.

      References


    @@ -1195,7 +772,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1463,7 +1040,7 @@

    References

    -

    Information Exposure

    +

    Improper Authentication

    @@ -1479,12 +1056,12 @@

    Information Exposure

  • Vulnerable module: - openssh/openssh-client + openssl/libssl3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@latest and openssl/libssl3@3.0.2-0ubuntu1.10
  • @@ -1499,7 +1076,111 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssl/libssl3@3.0.2-0ubuntu1.10 + + + + +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + libfido2/libfido2-1@1.10.0-1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssh/openssh-client@1:8.9p1-3ubuntu0.3 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + ca-certificates@20230311ubuntu0.22.04.1 + + openssl@3.0.2-0ubuntu1.10 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssl@3.0.2-0ubuntu1.10 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + ca-certificates@20230311ubuntu0.22.04.1 + + openssl@3.0.2-0ubuntu1.10 @@ -1511,28 +1192,42 @@

    Detailed paths


    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

    +

    Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

    +

    Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

    +

    The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

    +

    As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 openssh.

    +

    There is no fixed version for Ubuntu:22.04 openssl.

    References


  • @@ -1558,7 +1253,7 @@

    CVE-2023-28531

  • Introduced through: - docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3ubuntu0.3
  • @@ -1573,7 +1268,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -1595,6 +1290,7 @@

    References

  • ADVISORY
  • cve@mitre.org
  • cve@mitre.org
  • +
  • cve@mitre.org

  • @@ -1643,7 +1339,7 @@

    Detailed paths

    gnupg2/dirmngr@2.2.27-3ubuntu2.1 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1 @@ -1654,9 +1350,9 @@

    Detailed paths

    git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1 @@ -1665,7 +1361,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - openldap/libldap-common@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-common@2.5.15+dfsg-0ubuntu0.22.04.1 @@ -1688,6 +1384,12 @@

    References

  • secalert@redhat.com
  • secalert@redhat.com
  • secalert@redhat.com
  • +
  • secalert@redhat.com
  • +
  • secalert@redhat.com
  • +
  • secalert@redhat.com
  • +
  • secalert@redhat.com
  • +
  • secalert@redhat.com
  • +
  • secalert@redhat.com

  • @@ -1757,6 +1459,7 @@

    References


    @@ -1895,7 +1598,7 @@

    Detailed paths

    Introduced through: docker-image|quay.io/argoproj/argocd@latest - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -1908,7 +1611,7 @@

    Detailed paths

    git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -1921,7 +1624,7 @@

    Detailed paths

    git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -2533,150 +2236,6 @@

    References

    More about this vulnerability

    -
    -
    -

    CVE-2023-28322

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Certificate Validation

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - -

    Improper Input Validation

    diff --git a/docs/snyk/master/redis_7.0.11-alpine.html b/docs/snyk/master/redis_7.0.11-alpine.html index 27ada37d668cc..d50f12a8913d2 100644 --- a/docs/snyk/master/redis_7.0.11-alpine.html +++ b/docs/snyk/master/redis_7.0.11-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:19:25 am (UTC+00:00)

    +

    August 6th 2023, 12:14:57 am (UTC+00:00)

    Scanned the following path: @@ -466,8 +466,8 @@

    Snyk test report

    -
    0 known vulnerabilities
    -
    0 vulnerable dependency paths
    +
    3 known vulnerabilities
    +
    27 vulnerable dependency paths
    18 dependencies
    @@ -484,7 +484,546 @@

    Snyk test report

    - No known vulnerabilities detected. +
    +
    +

    Improper Authentication

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

    +

    Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

    +

    The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

    +

    As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Regular Expression Complexity

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

    +

    However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-3817

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    +

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    diff --git a/docs/snyk/v2.5.20/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.5.20/ghcr.io_dexidp_dex_v2.37.0.html deleted file mode 100644 index 40175527343b2..0000000000000 --- a/docs/snyk/v2.5.20/ghcr.io_dexidp_dex_v2.37.0.html +++ /dev/null @@ -1,483 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    July 9th 2023, 12:32:36 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)
    • ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
    • -
    -
    - -
    -
    0 known vulnerabilities
    -
    0 vulnerable dependency paths
    -
    786 dependencies
    -
    -
    -
    -
    - -
    - No known vulnerabilities detected. -
    -
    - - - diff --git a/docs/snyk/v2.5.20/haproxy_2.6.14-alpine.html b/docs/snyk/v2.5.20/haproxy_2.6.14-alpine.html deleted file mode 100644 index 27914ebb28b09..0000000000000 --- a/docs/snyk/v2.5.20/haproxy_2.6.14-alpine.html +++ /dev/null @@ -1,492 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    July 9th 2023, 12:32:46 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • haproxy:2.6.14-alpine (apk)
    • -
    -
    - -
    -
    0 known vulnerabilities
    -
    0 vulnerable dependency paths
    -
    18 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|haproxy
    Path haproxy:2.6.14-alpine
    Package Manager apk
    -
    -
    - No known vulnerabilities detected. -
    -
    - - - diff --git a/docs/snyk/v2.5.20/redis_7.0.11-alpine.html b/docs/snyk/v2.5.20/redis_7.0.11-alpine.html deleted file mode 100644 index fa6d133bffd86..0000000000000 --- a/docs/snyk/v2.5.20/redis_7.0.11-alpine.html +++ /dev/null @@ -1,492 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    July 9th 2023, 12:33:18 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • redis:7.0.11-alpine (apk)
    • -
    -
    - -
    -
    0 known vulnerabilities
    -
    0 vulnerable dependency paths
    -
    18 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|redis
    Path redis:7.0.11-alpine
    Package Manager apk
    -
    -
    - No known vulnerabilities detected. -
    -
    - - - diff --git a/docs/snyk/v2.5.20/argocd-iac-install.html b/docs/snyk/v2.5.21/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.5.20/argocd-iac-install.html rename to docs/snyk/v2.5.21/argocd-iac-install.html index f03aa03e35e63..877a64411205a 100644 --- a/docs/snyk/v2.5.20/argocd-iac-install.html +++ b/docs/snyk/v2.5.21/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:34:20 am (UTC+00:00)

    +

    August 6th 2023, 12:26:07 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.5.20/argocd-iac-namespace-install.html b/docs/snyk/v2.5.21/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.5.20/argocd-iac-namespace-install.html rename to docs/snyk/v2.5.21/argocd-iac-namespace-install.html index 808622da80dc5..8eefa6b405146 100644 --- a/docs/snyk/v2.5.20/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.5.21/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:34:34 am (UTC+00:00)

    +

    August 6th 2023, 12:26:17 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.5.20/argocd-test.html b/docs/snyk/v2.5.21/argocd-test.html similarity index 99% rename from docs/snyk/v2.5.20/argocd-test.html rename to docs/snyk/v2.5.21/argocd-test.html index 3eaa49d7e71ce..72561b2cb2f25 100644 --- a/docs/snyk/v2.5.20/argocd-test.html +++ b/docs/snyk/v2.5.21/argocd-test.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:32:28 am (UTC+00:00)

    +

    August 6th 2023, 12:24:35 am (UTC+00:00)

    Scanned the following paths: @@ -609,10 +609,12 @@

    Details

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    Remediation

    -

    Upgrade semver to version 7.5.2 or higher.

    +

    Upgrade semver to version 5.7.2, 6.3.1, 7.5.2 or higher.

    References

      +
    • GitHub Commit
    • GitHub Commit
    • +
    • GitHub Commit
    • GitHub PR
    • Vulnerable Code
    • Vulnerable Code
    • diff --git a/docs/snyk/v2.5.21/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.5.21/ghcr.io_dexidp_dex_v2.37.0.html new file mode 100644 index 0000000000000..06a1a8ea17ae3 --- /dev/null +++ b/docs/snyk/v2.5.21/ghcr.io_dexidp_dex_v2.37.0.html @@ -0,0 +1,1079 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
      +
      +
      +
      + + + Snyk - Open Source Security + + + + + + + +
      +

      Snyk test report

      + +

      August 6th 2023, 12:24:44 am (UTC+00:00)

      +
      +
      + Scanned the following paths: +
        +
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)
      • ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
      • +
      +
      + +
      +
      4 known vulnerabilities
      +
      22 vulnerable dependency paths
      +
      786 dependencies
      +
      +
      +
      +
      + +
      +
      +
      +

      Improper Authentication

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      Inefficient Regular Expression Complexity

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

      +

      However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      Cross-site Scripting (XSS)

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: golang +
      • +
      • + Vulnerable module: + + golang.org/x/net/html +
      • + +
      • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
      • +
      + +
      + +
      + +

      Overview

      +

      golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

      +

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

      +

      Details

      +

      A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

      +

      This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

      +

      Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

      +

      Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

      +

      The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

      +

      Types of attacks

      +

      There are a few methods by which XSS can be manipulated:

      + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      TypeOriginDescription
      StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
      ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
      DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
      MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
      +

      Affected environments

      +

      The following environments are susceptible to an XSS attack:

      +
        +
      • Web servers
      • +
      • Application servers
      • +
      • Web application environments
      • +
      +

      How to prevent

      +

      This section describes the top best practices designed to specifically protect your code:

      +
        +
      • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
      • +
      • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
      • +
      • Give users the option to disable client-side scripts.
      • +
      • Redirect invalid requests.
      • +
      • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
      • +
      • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
      • +
      • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
      • +
      +

      Remediation

      +

      Upgrade golang.org/x/net/html to version 0.13.0 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      CVE-2023-3817

      +
      + +
      + low severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue.

      +

      The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

      +

      References

      + + +
      + + + +
      +
      +
      +
      + + + diff --git a/docs/snyk/v2.5.21/haproxy_2.6.14-alpine.html b/docs/snyk/v2.5.21/haproxy_2.6.14-alpine.html new file mode 100644 index 0000000000000..43a5d3be893f2 --- /dev/null +++ b/docs/snyk/v2.5.21/haproxy_2.6.14-alpine.html @@ -0,0 +1,1031 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
      +
      +
      +
      + + + Snyk - Open Source Security + + + + + + + +
      +

      Snyk test report

      + +

      August 6th 2023, 12:24:49 am (UTC+00:00)

      +
      +
      + Scanned the following path: +
        +
      • haproxy:2.6.14-alpine (apk)
      • +
      +
      + +
      +
      3 known vulnerabilities
      +
      27 vulnerable dependency paths
      +
      18 dependencies
      +
      +
      +
      +
      +
      + + + + + + + +
      Project docker-image|haproxy
      Path haproxy:2.6.14-alpine
      Package Manager apk
      +
      +
      +
      +
      +

      Improper Authentication

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      Inefficient Regular Expression Complexity

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

      +

      However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      CVE-2023-3817

      +
      + +
      + low severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue.

      +

      The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

      +

      References

      + + +
      + + + +
      +
      +
      +
      + + + diff --git a/docs/snyk/v2.6.12/quay.io_argoproj_argocd_v2.6.12.html b/docs/snyk/v2.5.21/quay.io_argoproj_argocd_v2.5.21.html similarity index 84% rename from docs/snyk/v2.6.12/quay.io_argoproj_argocd_v2.6.12.html rename to docs/snyk/v2.5.21/quay.io_argoproj_argocd_v2.5.21.html index cc429f754e2fd..e2703c65c69b8 100644 --- a/docs/snyk/v2.6.12/quay.io_argoproj_argocd_v2.6.12.html +++ b/docs/snyk/v2.5.21/quay.io_argoproj_argocd_v2.5.21.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,19 +456,19 @@

      Snyk test report

      -

      July 9th 2023, 12:30:05 am (UTC+00:00)

      +

      August 6th 2023, 12:25:08 am (UTC+00:00)

      Scanned the following paths:
        -
      • quay.io/argoproj/argocd:v2.6.12/argoproj/argocd (deb)
      • quay.io/argoproj/argocd:v2.6.12/argoproj/argo-cd/v2 (gomodules)
      • quay.io/argoproj/argocd:v2.6.12/kustomize/kustomize/v4 (gomodules)
      • quay.io/argoproj/argocd:v2.6.12/helm/v3 (gomodules)
      • quay.io/argoproj/argocd:v2.6.12/git-lfs/git-lfs (gomodules)
      • +
      • quay.io/argoproj/argocd:v2.5.21/argoproj/argocd (deb)
      • quay.io/argoproj/argocd:v2.5.21/argoproj/argo-cd/v2 (gomodules)
      • quay.io/argoproj/argocd:v2.5.21/kustomize/kustomize/v4 (gomodules)
      • quay.io/argoproj/argocd:v2.5.21/helm/v3 (gomodules)
      • quay.io/argoproj/argocd:v2.5.21/git-lfs/git-lfs (gomodules)
      28 known vulnerabilities
      -
      104 vulnerable dependency paths
      -
      2064 dependencies
      +
      87 vulnerable dependency paths
      +
      2047 dependencies
    @@ -879,7 +879,7 @@

    References

    -

    Improper Validation of Integrity Check Value

    +

    CVE-2023-4016

    @@ -895,12 +895,12 @@

    Improper Validation of Integrity Check Value

  • Vulnerable module: - systemd/libsystemd0 + procps/libprocps8
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and systemd/libsystemd0@249.11-0ubuntu3.9 + docker-image|quay.io/argoproj/argocd@v2.5.21 and procps/libprocps8@2:3.3.17-6ubuntu2
  • @@ -913,110 +913,29 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 - util-linux@2.37.2-4ubuntu3 + procps@2:3.3.17-6ubuntu2 - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 + procps/libprocps8@2:3.3.17-6ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 + docker-image|quay.io/argoproj/argocd@v2.5.21 - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 + procps@2:3.3.17-6ubuntu2 @@ -1028,28 +947,26 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      +

      Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      +

      There is no fixed version for Ubuntu:22.04 procps.

      References


    -

    Improper Validation of Integrity Check Value

    +

    Unquoted Search Path or Element

    @@ -1065,12 +982,12 @@

    Improper Validation of Integrity Check Value

  • Vulnerable module: - systemd/libsystemd0 + openssh/openssh-client
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and systemd/libsystemd0@249.11-0ubuntu3.9 + docker-image|quay.io/argoproj/argocd@v2.5.21 and openssh/openssh-client@1:8.9p1-3ubuntu0.1
  • @@ -1083,110 +1000,90 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 - systemd/libsystemd0@249.11-0ubuntu3.9 + openssh/openssh-client@1:8.9p1-3ubuntu0.1
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

    +

    Remediation

    +

    Upgrade Ubuntu:22.04 openssh to version 1:8.9p1-3ubuntu0.3 or higher.

    +

    References

    + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
  • +
    +

    Denial of Service (DoS)

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
    + medium severity +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
    -
  • +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + gopkg.in/yaml.v2 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v2@* and gopkg.in/yaml.v2@v2.2.4 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 + github.com/argoproj/argo-cd/v2@* - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 + gopkg.in/yaml.v2@v2.2.4 @@ -1197,29 +1094,39 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      +

      Overview

      +

      gopkg.in/yaml.v2 is a YAML support package for the Go language.

      +

      Affected versions of this package are vulnerable to Denial of Service (DoS). It is possible for authorized users to send malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML.

      +

      Details

      +

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      +

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      +

      One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

      +

      When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

      +

      Two common types of DoS vulnerabilities:

      +
        +
      • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

        +
      • +
      • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

        +
      • +

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      +

      Upgrade gopkg.in/yaml.v2 to version 2.2.8 or higher.

      References


    -

    Improper Validation of Integrity Check Value

    +

    Improper Input Validation

    @@ -1230,17 +1137,17 @@

    Improper Validation of Integrity Check Value

    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - systemd/libsystemd0 + golang.org/x/text/language
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and systemd/libsystemd0@249.11-0ubuntu3.9 + sigs.k8s.io/kustomize/kustomize/v4@* and golang.org/x/text/language@v0.3.7
    @@ -1253,110 +1160,86 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + sigs.k8s.io/kustomize/kustomize/v4@* - systemd/libsystemd0@249.11-0ubuntu3.9 + golang.org/x/text/language@v0.3.7
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 + helm.sh/helm/v3@* - systemd/libsystemd0@249.11-0ubuntu3.9 + golang.org/x/text/language@v0.3.7
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing Accept-Language headers.

    +

    Remediation

    +

    Upgrade golang.org/x/text/language to version 0.3.8 or higher.

    +

    References

    + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - systemd/libudev1@249.11-0ubuntu3.9 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
  • +
    +

    Incorrect Privilege Assignment

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
    + medium severity +
    -
  • +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/sys/unix +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 + helm.sh/helm/v3@* - systemd/libudev1@249.11-0ubuntu3.9 + golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f @@ -1367,29 +1250,25 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      +

      Overview

      +

      Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      +

      Upgrade golang.org/x/sys/unix to version 0.1.0 or higher.

      References


    -

    Improper Input Validation

    +

    Denial of Service (DoS)

    @@ -1405,12 +1284,12 @@

    Improper Input Validation

  • Vulnerable module: - golang.org/x/text/language + golang.org/x/net/http2
  • Introduced through: - sigs.k8s.io/kustomize/kustomize/v4@* and golang.org/x/text/language@v0.3.7 + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  • @@ -1421,20 +1300,11 @@

    Improper Input Validation

    Detailed paths

      -
    • - Introduced through: - sigs.k8s.io/kustomize/kustomize/v4@* - - golang.org/x/text/language@v0.3.7 - - - -
    • Introduced through: helm.sh/helm/v3@* - golang.org/x/text/language@v0.3.7 + golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b @@ -1446,27 +1316,39 @@

      Detailed paths


      Overview

      -

      Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing Accept-Language headers.

      +

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      +

      Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.

      +

      Details

      +

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      +

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      +

      One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

      +

      When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

      +

      Two common types of DoS vulnerabilities:

      +
        +
      • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

        +
      • +
      • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

        +
      • +

      Remediation

      -

      Upgrade golang.org/x/text/language to version 0.3.8 or higher.

      +

      Upgrade golang.org/x/net/http2 to version 0.4.0 or higher.

      References


    -

    Incorrect Privilege Assignment

    +

    Improper Verification of Cryptographic Signature

    @@ -1482,12 +1364,12 @@

    Incorrect Privilege Assignment

  • Vulnerable module: - golang.org/x/sys/unix + golang.org/x/crypto/openpgp/clearsign
  • Introduced through: - helm.sh/helm/v3@* and golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f + helm.sh/helm/v3@* and golang.org/x/crypto/openpgp/clearsign@v0.0.0-20220525230936-793ad666bf5e
  • @@ -1502,7 +1384,7 @@

    Detailed paths

    Introduced through: helm.sh/helm/v3@* - golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f + golang.org/x/crypto/openpgp/clearsign@v0.0.0-20220525230936-793ad666bf5e @@ -1514,24 +1396,25 @@

    Detailed paths


    Overview

    -

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

    +

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the crypto/openpgp/clearsign/clearsign.go component. An attacker can spoof the 'Hash' Armor Header, leading a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, the attacker can prepend arbitrary text to cleartext messages without invalidating the signatures.

    Remediation

    -

    Upgrade golang.org/x/sys/unix to version 0.1.0 or higher.

    +

    Upgrade golang.org/x/crypto/openpgp/clearsign to version 0.1.0 or higher.

    References


    -

    Denial of Service (DoS)

    +

    Improper Input Validation

    @@ -1547,12 +1430,12 @@

    Denial of Service (DoS)

  • Vulnerable module: - golang.org/x/net/http2 + go.mongodb.org/mongo-driver/bson/bsonrw
  • Introduced through: - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b + github.com/argoproj/argo-cd/v2@* and go.mongodb.org/mongo-driver/bson/bsonrw@v1.1.2
  • @@ -1565,9 +1448,9 @@

    Detailed paths

    • Introduced through: - helm.sh/helm/v3@* + github.com/argoproj/argo-cd/v2@* - golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b + go.mongodb.org/mongo-driver/bson/bsonrw@v1.1.2 @@ -1579,34 +1462,21 @@

      Detailed paths


      Overview

      -

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      -

      Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.

      -

      Details

      -

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      -

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      -

      One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

      -

      When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

      -

      Two common types of DoS vulnerabilities:

      -
        -
      • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

        -
      • -
      • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

        -
      • -
      +

      go.mongodb.org/mongo-driver/bson/bsonrw is a The MongoDB supported driver for Go.

      +

      Affected versions of this package are vulnerable to Improper Input Validation. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents.

      Remediation

      -

      Upgrade golang.org/x/net/http2 to version 0.4.0 or higher.

      +

      Upgrade go.mongodb.org/mongo-driver/bson/bsonrw to version 1.5.1 or higher.

      References


    @@ -1633,7 +1503,7 @@

    CVE-2022-46908

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12, gnupg2/gpg@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.5.21, gnupg2/gpg@2.2.27-3ubuntu2.1 and others
  • @@ -1645,7 +1515,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1704,7 +1574,7 @@

      Arbitrary Code Injection

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and shadow/passwd@1:4.8.1-2ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.5.21 and shadow/passwd@1:4.8.1-2ubuntu2.1
    @@ -1717,7 +1587,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1726,7 +1596,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 adduser@3.118ubuntu5 @@ -1737,7 +1607,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 openssh/openssh-client@1:8.9p1-3ubuntu0.1 @@ -1748,7 +1618,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 shadow/login@1:4.8.1-2ubuntu2.1 @@ -1805,7 +1675,7 @@

      Uncontrolled Recursion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.5.21 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
    @@ -1818,7 +1688,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -1827,7 +1697,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 grep@3.7-1build1 @@ -1889,7 +1759,7 @@

      Release of Invalid Pointer or Reference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.5.21 and patch@2.7.6-7build2
    @@ -1902,7 +1772,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 patch@2.7.6-7build2 @@ -1956,7 +1826,7 @@

      Double Free

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.5.21 and patch@2.7.6-7build2
    @@ -1969,7 +1839,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 patch@2.7.6-7build2 @@ -2007,7 +1877,7 @@

      References

    -

    Information Exposure

    +

    Improper Authentication

    @@ -2023,12 +1893,12 @@

    Information Exposure

  • Vulnerable module: - openssh/openssh-client + openssl/libssl3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.5.21 and openssl/libssl3@3.0.2-0ubuntu1.10
  • @@ -2041,9 +1911,113 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.21 + + cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.21 + + libfido2/libfido2-1@1.10.0-1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.21 openssh/openssh-client@1:8.9p1-3ubuntu0.1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.21 + + ca-certificates@20230311ubuntu0.22.04.1 + + openssl@3.0.2-0ubuntu1.10 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.21 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.21 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.21 + + openssl@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.5.21 + + ca-certificates@20230311ubuntu0.22.04.1 + + openssl@3.0.2-0ubuntu1.10 @@ -2055,28 +2029,42 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 openssh.

      +

      There is no fixed version for Ubuntu:22.04 openssl.

      References


    @@ -2102,7 +2090,7 @@

    CVE-2023-28531

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.5.21 and openssh/openssh-client@1:8.9p1-3ubuntu0.1
  • @@ -2115,7 +2103,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 openssh/openssh-client@1:8.9p1-3ubuntu0.1 @@ -2139,6 +2127,7 @@

      References

    • ADVISORY
    • cve@mitre.org
    • cve@mitre.org
    • +
    • cve@mitre.org

    @@ -2171,7 +2160,7 @@

    NULL Pointer Dereference

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.5.21, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others
  • @@ -2183,7 +2172,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2194,11 +2183,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 @@ -2207,7 +2196,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 openldap/libldap-common@2.5.14+dfsg-0ubuntu0.22.04.2 @@ -2232,6 +2221,12 @@

      References

    • secalert@redhat.com
    • secalert@redhat.com
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com

    @@ -2264,7 +2259,7 @@

    Resource Exhaustion

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12, meta-common-packages@meta and others + docker-image|quay.io/argoproj/argocd@v2.5.21, meta-common-packages@meta and others
  • @@ -2276,7 +2271,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 meta-common-packages@meta @@ -2301,6 +2296,7 @@

      References


      @@ -2332,7 +2328,7 @@

      Integer Overflow or Wraparound

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + docker-image|quay.io/argoproj/argocd@v2.5.21 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
    @@ -2345,7 +2341,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -2354,7 +2350,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 adduser@3.118ubuntu5 @@ -2375,7 +2371,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 adduser@3.118ubuntu5 @@ -2398,7 +2394,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 krb5/libkrb5-3@1.19.2-2ubuntu0.2 @@ -2407,7 +2403,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 adduser@3.118ubuntu5 @@ -2428,7 +2424,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2437,7 +2433,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 openssh/openssh-client@1:8.9p1-3ubuntu0.1 @@ -2448,11 +2444,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2461,11 +2457,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -2476,7 +2472,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 adduser@3.118ubuntu5 @@ -2495,7 +2491,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 meta-common-packages@meta @@ -2554,7 +2550,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.5.21 and gnupg2/gpgv@2.2.27-3ubuntu2.1
    @@ -2567,7 +2563,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -2576,7 +2572,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 apt@2.4.9 @@ -2587,7 +2583,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2598,7 +2594,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2609,7 +2605,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2620,7 +2616,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2633,7 +2629,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2646,7 +2642,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2655,7 +2651,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2666,7 +2662,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2679,7 +2675,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -2688,7 +2684,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2699,7 +2695,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -2708,7 +2704,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2719,7 +2715,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2728,7 +2724,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2739,7 +2735,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2752,7 +2748,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2765,7 +2761,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -2774,7 +2770,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2785,7 +2781,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2798,7 +2794,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2811,7 +2807,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -2820,7 +2816,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2831,7 +2827,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -2840,7 +2836,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2851,7 +2847,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -2860,7 +2856,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2871,7 +2867,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2930,7 +2926,7 @@

      Allocation of Resources Without Limits or Throttling

      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and glibc/libc-bin@2.35-0ubuntu3.1 + docker-image|quay.io/argoproj/argocd@v2.5.21 and glibc/libc-bin@2.35-0ubuntu3.1
    @@ -2943,7 +2939,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 glibc/libc-bin@2.35-0ubuntu3.1 @@ -2952,7 +2948,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 meta-common-packages@meta @@ -3011,7 +3007,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12, git@1:2.34.1-1ubuntu1.9 and others + docker-image|quay.io/argoproj/argocd@v2.5.21, git@1:2.34.1-1ubuntu1.9 and others
    @@ -3023,7 +3019,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 git@1:2.34.1-1ubuntu1.9 @@ -3034,7 +3030,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 git@1:2.34.1-1ubuntu1.9 @@ -3043,7 +3039,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 git-lfs@3.0.2-1ubuntu0.2 @@ -3077,150 +3073,6 @@

      References

      More about this vulnerability

    -
    -
    -

    CVE-2023-28322

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.6.12, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Certificate Validation

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.6.12, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - -

    Improper Input Validation

    @@ -3244,7 +3096,7 @@

    Improper Input Validation

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and coreutils@8.32-4.1ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.5.21 and coreutils@8.32-4.1ubuntu1
  • @@ -3257,7 +3109,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 coreutils@8.32-4.1ubuntu1 @@ -3314,7 +3166,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 and bash@5.1-6ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.5.21 and bash@5.1-6ubuntu1
    @@ -3327,7 +3179,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.6.12 + docker-image|quay.io/argoproj/argocd@v2.5.21 bash@5.1-6ubuntu1 diff --git a/docs/snyk/v2.5.21/redis_7.0.11-alpine.html b/docs/snyk/v2.5.21/redis_7.0.11-alpine.html new file mode 100644 index 0000000000000..1c90a35caf6f8 --- /dev/null +++ b/docs/snyk/v2.5.21/redis_7.0.11-alpine.html @@ -0,0 +1,1031 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
      +
      +
      +
      + + + Snyk - Open Source Security + + + + + + + +
      +

      Snyk test report

      + +

      August 6th 2023, 12:25:13 am (UTC+00:00)

      +
      +
      + Scanned the following path: +
        +
      • redis:7.0.11-alpine (apk)
      • +
      +
      + +
      +
      3 known vulnerabilities
      +
      27 vulnerable dependency paths
      +
      18 dependencies
      +
      +
      +
      +
      +
      + + + + + + + +
      Project docker-image|redis
      Path redis:7.0.11-alpine
      Package Manager apk
      +
      +
      +
      +
      +

      Improper Authentication

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      Inefficient Regular Expression Complexity

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

      +

      However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      CVE-2023-3817

      +
      + +
      + low severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue.

      +

      The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

      +

      References

      + + +
      + + + +
      +
      +
      +
      + + + diff --git a/docs/snyk/v2.6.12/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.6.12/ghcr.io_dexidp_dex_v2.37.0.html deleted file mode 100644 index 4a788356b57a4..0000000000000 --- a/docs/snyk/v2.6.12/ghcr.io_dexidp_dex_v2.37.0.html +++ /dev/null @@ -1,483 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:28:45 am (UTC+00:00)

      -
      -
      - Scanned the following paths: -
        -
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)
      • ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
      • -
      -
      - -
      -
      0 known vulnerabilities
      -
      0 vulnerable dependency paths
      -
      786 dependencies
      -
      -
      -
      -
      - -
      - No known vulnerabilities detected. -
      -
      - - - diff --git a/docs/snyk/v2.6.12/haproxy_2.6.14-alpine.html b/docs/snyk/v2.6.12/haproxy_2.6.14-alpine.html deleted file mode 100644 index fc41b97cb25eb..0000000000000 --- a/docs/snyk/v2.6.12/haproxy_2.6.14-alpine.html +++ /dev/null @@ -1,492 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:28:50 am (UTC+00:00)

      -
      -
      - Scanned the following path: -
        -
      • haproxy:2.6.14-alpine (apk)
      • -
      -
      - -
      -
      0 known vulnerabilities
      -
      0 vulnerable dependency paths
      -
      18 dependencies
      -
      -
      -
      -
      -
      - - - - - - - -
      Project docker-image|haproxy
      Path haproxy:2.6.14-alpine
      Package Manager apk
      -
      -
      - No known vulnerabilities detected. -
      -
      - - - diff --git a/docs/snyk/v2.6.12/redis_7.0.11-alpine.html b/docs/snyk/v2.6.12/redis_7.0.11-alpine.html deleted file mode 100644 index 2ff2fffce00ab..0000000000000 --- a/docs/snyk/v2.6.12/redis_7.0.11-alpine.html +++ /dev/null @@ -1,492 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:30:12 am (UTC+00:00)

      -
      -
      - Scanned the following path: -
        -
      • redis:7.0.11-alpine (apk)
      • -
      -
      - -
      -
      0 known vulnerabilities
      -
      0 vulnerable dependency paths
      -
      18 dependencies
      -
      -
      -
      -
      -
      - - - - - - - -
      Project docker-image|redis
      Path redis:7.0.11-alpine
      Package Manager apk
      -
      -
      - No known vulnerabilities detected. -
      -
      - - - diff --git a/docs/snyk/v2.6.12/argocd-iac-install.html b/docs/snyk/v2.6.13/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.6.12/argocd-iac-install.html rename to docs/snyk/v2.6.13/argocd-iac-install.html index 7e0c0c47dbbe7..287abd5cc29ef 100644 --- a/docs/snyk/v2.6.12/argocd-iac-install.html +++ b/docs/snyk/v2.6.13/argocd-iac-install.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      July 9th 2023, 12:31:50 am (UTC+00:00)

      +

      August 6th 2023, 12:24:07 am (UTC+00:00)

      Scanned the following path: diff --git a/docs/snyk/v2.6.12/argocd-iac-namespace-install.html b/docs/snyk/v2.6.13/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.6.12/argocd-iac-namespace-install.html rename to docs/snyk/v2.6.13/argocd-iac-namespace-install.html index ed77c2323ab38..86fa68d4ff535 100644 --- a/docs/snyk/v2.6.12/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.6.13/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      July 9th 2023, 12:32:05 am (UTC+00:00)

      +

      August 6th 2023, 12:24:18 am (UTC+00:00)

      Scanned the following path: diff --git a/docs/snyk/v2.6.12/argocd-test.html b/docs/snyk/v2.6.13/argocd-test.html similarity index 98% rename from docs/snyk/v2.6.12/argocd-test.html rename to docs/snyk/v2.6.13/argocd-test.html index a0a754f473dca..cf9d2c9604c15 100644 --- a/docs/snyk/v2.6.12/argocd-test.html +++ b/docs/snyk/v2.6.13/argocd-test.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      July 9th 2023, 12:28:39 am (UTC+00:00)

      +

      August 6th 2023, 12:22:11 am (UTC+00:00)

      Scanned the following paths: @@ -609,10 +609,12 @@

      Details

      By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

      Remediation

      -

      Upgrade semver to version 7.5.2 or higher.

      +

      Upgrade semver to version 5.7.2, 6.3.1, 7.5.2 or higher.

      References

        +
      • GitHub Commit
      • GitHub Commit
      • +
      • GitHub Commit
      • GitHub PR
      • Vulnerable Code
      • Vulnerable Code
      • diff --git a/docs/snyk/v2.6.13/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.6.13/ghcr.io_dexidp_dex_v2.37.0.html new file mode 100644 index 0000000000000..e8a88abf81efe --- /dev/null +++ b/docs/snyk/v2.6.13/ghcr.io_dexidp_dex_v2.37.0.html @@ -0,0 +1,1079 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
        +
        +
        +
        + + + Snyk - Open Source Security + + + + + + + +
        +

        Snyk test report

        + +

        August 6th 2023, 12:22:18 am (UTC+00:00)

        +
        +
        + Scanned the following paths: +
          +
        • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)
        • ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)
        • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
        • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
        • +
        +
        + +
        +
        4 known vulnerabilities
        +
        22 vulnerable dependency paths
        +
        786 dependencies
        +
        +
        +
        +
        + +
        +
        +
        +

        Improper Authentication

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

        +

        Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

        +

        The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

        +

        As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        Inefficient Regular Expression Complexity

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: Checking excessively long DH keys or parameters may be very slow.

        +

        Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

        +

        The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

        +

        However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

        +

        An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

        +

        The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

        +

        Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

        +

        The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        Cross-site Scripting (XSS)

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: golang +
        • +
        • + Vulnerable module: + + golang.org/x/net/html +
        • + +
        • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
        • +
        + +
        + +
        + +

        Overview

        +

        golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

        +

        Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

        +

        Details

        +

        A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

        +

        This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

        +

        Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

        +

        Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

        +

        The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

        +

        Types of attacks

        +

        There are a few methods by which XSS can be manipulated:

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        TypeOriginDescription
        StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
        ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
        DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
        MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
        +

        Affected environments

        +

        The following environments are susceptible to an XSS attack:

        +
          +
        • Web servers
        • +
        • Application servers
        • +
        • Web application environments
        • +
        +

        How to prevent

        +

        This section describes the top best practices designed to specifically protect your code:

        +
          +
        • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
        • +
        • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
        • +
        • Give users the option to disable client-side scripts.
        • +
        • Redirect invalid requests.
        • +
        • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
        • +
        • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
        • +
        • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
        • +
        +

        Remediation

        +

        Upgrade golang.org/x/net/html to version 0.13.0 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        CVE-2023-3817

        +
        + +
        + low severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: Checking excessively long DH keys or parameters may be very slow.

        +

        Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

        +

        The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

        +

        An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

        +

        The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

        +

        Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

        +

        The OpenSSL SSL/TLS implementation is not affected by this issue.

        +

        The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

        +

        References

        + + +
        + + + +
        +
        +
        +
        + + + diff --git a/docs/snyk/v2.6.13/haproxy_2.6.14-alpine.html b/docs/snyk/v2.6.13/haproxy_2.6.14-alpine.html new file mode 100644 index 0000000000000..66737e1821f83 --- /dev/null +++ b/docs/snyk/v2.6.13/haproxy_2.6.14-alpine.html @@ -0,0 +1,1031 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
        +
        +
        +
        + + + Snyk - Open Source Security + + + + + + + +
        +

        Snyk test report

        + +

        August 6th 2023, 12:22:22 am (UTC+00:00)

        +
        +
        + Scanned the following path: +
          +
        • haproxy:2.6.14-alpine (apk)
        • +
        +
        + +
        +
        3 known vulnerabilities
        +
        27 vulnerable dependency paths
        +
        18 dependencies
        +
        +
        +
        +
        +
        + + + + + + + +
        Project docker-image|haproxy
        Path haproxy:2.6.14-alpine
        Package Manager apk
        +
        +
        +
        +
        +

        Improper Authentication

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

        +

        Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

        +

        The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

        +

        As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        Inefficient Regular Expression Complexity

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: Checking excessively long DH keys or parameters may be very slow.

        +

        Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

        +

        The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

        +

        However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

        +

        An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

        +

        The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

        +

        Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

        +

        The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        CVE-2023-3817

        +
        + +
        + low severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: Checking excessively long DH keys or parameters may be very slow.

        +

        Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

        +

        The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

        +

        An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

        +

        The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

        +

        Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

        +

        The OpenSSL SSL/TLS implementation is not affected by this issue.

        +

        The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

        +

        References

        + + +
        + + + +
        +
        +
        +
        + + + diff --git a/docs/snyk/v2.7.7/quay.io_argoproj_argocd_v2.7.7.html b/docs/snyk/v2.6.13/quay.io_argoproj_argocd_v2.6.13.html similarity index 80% rename from docs/snyk/v2.7.7/quay.io_argoproj_argocd_v2.7.7.html rename to docs/snyk/v2.6.13/quay.io_argoproj_argocd_v2.6.13.html index 7d94f50a4ec52..5801ea204e715 100644 --- a/docs/snyk/v2.7.7/quay.io_argoproj_argocd_v2.7.7.html +++ b/docs/snyk/v2.6.13/quay.io_argoproj_argocd_v2.6.13.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,19 +456,19 @@

        Snyk test report

        -

        July 9th 2023, 12:26:27 am (UTC+00:00)

        +

        August 6th 2023, 12:22:46 am (UTC+00:00)

        Scanned the following paths:
          -
        • quay.io/argoproj/argocd:v2.7.7/argoproj/argocd (deb)
        • quay.io/argoproj/argocd:v2.7.7/argoproj/argo-cd/v2 (gomodules)
        • quay.io/argoproj/argocd:v2.7.7/kustomize/kustomize/v5 (gomodules)
        • quay.io/argoproj/argocd:v2.7.7/helm/v3 (gomodules)
        • quay.io/argoproj/argocd:v2.7.7/git-lfs/git-lfs (gomodules)
        • +
        • quay.io/argoproj/argocd:v2.6.13/argoproj/argocd (deb)
        • quay.io/argoproj/argocd:v2.6.13/argoproj/argo-cd/v2 (gomodules)
        • quay.io/argoproj/argocd:v2.6.13/kustomize/kustomize/v4 (gomodules)
        • quay.io/argoproj/argocd:v2.6.13/helm/v3 (gomodules)
        • quay.io/argoproj/argocd:v2.6.13/git-lfs/git-lfs (gomodules)
        -
        22 known vulnerabilities
        -
        96 vulnerable dependency paths
        -
        2066 dependencies
        +
        26 known vulnerabilities
        +
        85 vulnerable dependency paths
        +
        2064 dependencies
      @@ -476,6 +476,174 @@

      Snyk test report

      +
      +

      Denial of Service (DoS)

      +
      + +
      + high severity +
      + +
      + +
        +
      • + Package Manager: golang +
      • +
      • + Vulnerable module: + + gopkg.in/yaml.v3 +
      • + +
      • Introduced through: + + sigs.k8s.io/kustomize/kustomize/v4@* and gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + sigs.k8s.io/kustomize/kustomize/v4@* + + gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b + + + +
      • +
      + +
      + +
      + +

      Overview

      +

      gopkg.in/yaml.v3 is a YAML support package for the Go language.

      +

      Affected versions of this package are vulnerable to Denial of Service (DoS) via the Unmarshal function, which causes the program to crash when attempting to deserialize invalid input.

      +

      PoC

      +
      package main
      +        
      +        import (
      +            "gopkg.in/yaml.v3"
      +        )
      +        
      +        func main() {
      +            var t interface{}
      +            yaml.Unmarshal([]byte("0: [:!00 \xef"), &t)
      +        }
      +        
      +

      Details

      +

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      +

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      +

      One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

      +

      When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

      +

      Two common types of DoS vulnerabilities:

      +
        +
      • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

        +
      • +
      • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

        +
      • +
      +

      Remediation

      +

      Upgrade gopkg.in/yaml.v3 to version 3.0.0 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      NULL Pointer Dereference

      +
      + +
      + high severity +
      + +
      + +
        +
      • + Package Manager: golang +
      • +
      • + Vulnerable module: + + gopkg.in/yaml.v3 +
      • + +
      • Introduced through: + + sigs.k8s.io/kustomize/kustomize/v4@* and gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + sigs.k8s.io/kustomize/kustomize/v4@* + + gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b + + + +
      • +
      + +
      + +
      + +

      Overview

      +

      gopkg.in/yaml.v3 is a YAML support package for the Go language.

      +

      Affected versions of this package are vulnerable to NULL Pointer Dereference when parsing #\n-\n-\n0 via the parserc.go parser.

      +

      PoC

      +
      package main
      +        
      +        import (
      +            "gopkg.in/yaml.v3"
      +        )
      +        
      +        func main() {
      +            var t interface{}
      +            yaml.Unmarshal([]byte("#\n-\n-\n0"), &t)
      +        }
      +        
      +

      Remediation

      +

      Upgrade gopkg.in/yaml.v3 to version 3.0.1 or higher.

      +

      References

      + + +
      + + + +

      Denial of Service (DoS)

      @@ -498,7 +666,7 @@

      Denial of Service (DoS)

    • Introduced through: - helm.sh/helm/v3@* and golang.org/x/net/http2/hpack@v0.5.0 + sigs.k8s.io/kustomize/kustomize/v4@* and golang.org/x/net/http2/hpack@v0.0.0-20220127200216-cd36cc0744dd
    @@ -509,11 +677,20 @@

    Denial of Service (DoS)

    Detailed paths

      +
    • + Introduced through: + sigs.k8s.io/kustomize/kustomize/v4@* + + golang.org/x/net/http2/hpack@v0.0.0-20220127200216-cd36cc0744dd + + + +
    • Introduced through: helm.sh/helm/v3@* - golang.org/x/net/http2/hpack@v0.5.0 + golang.org/x/net/http2/hpack@v0.0.0-20220722155237-a158d28d115b @@ -554,6 +731,72 @@

      References

      More about this vulnerability

    +
    +
    +

    Denial of Service

    +
    + +
    + high severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/http2 +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

    +

    Affected versions of this package are vulnerable to Denial of Service as an HTTP/2 connection can hang during closing if a shutdown was preempted by a fatal error.

    +

    Remediation

    +

    Upgrade golang.org/x/net/http2 to version 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1 or higher.

    +

    References

    + + +
    + + +

    Denial of Service (DoS)

    @@ -577,7 +820,7 @@

    Denial of Service (DoS)

  • Introduced through: - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.5.0 + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  • @@ -592,7 +835,7 @@

    Detailed paths

    Introduced through: helm.sh/helm/v3@* - golang.org/x/net/http2@v0.5.0 + golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b @@ -636,7 +879,7 @@

    References

    -

    Improper Validation of Integrity Check Value

    +

    CVE-2023-4016

    @@ -652,12 +895,12 @@

    Improper Validation of Integrity Check Value

  • Vulnerable module: - systemd/libsystemd0 + procps/libprocps8
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and systemd/libsystemd0@249.11-0ubuntu3.9 + docker-image|quay.io/argoproj/argocd@v2.6.13 and procps/libprocps8@2:3.3.17-6ubuntu2
  • @@ -670,110 +913,96 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 - systemd/libsystemd0@249.11-0ubuntu3.9 + procps/libprocps8@2:3.3.17-6ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 + docker-image|quay.io/argoproj/argocd@v2.6.13 - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + procps@2:3.3.17-6ubuntu2 procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux@2.37.2-4ubuntu3 + docker-image|quay.io/argoproj/argocd@v2.6.13 - systemd/libsystemd0@249.11-0ubuntu3.9 + procps@2:3.3.17-6ubuntu2
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 procps.

    +

    References

    + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - + -
  • +
    +
    +

    Unquoted Search Path or Element

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + openssh/openssh-client +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.6.13 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 + docker-image|quay.io/argoproj/argocd@v2.6.13 - systemd/libudev1@249.11-0ubuntu3.9 + openssh/openssh-client@1:8.9p1-3ubuntu0.1 @@ -785,28 +1014,40 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      +

      The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      +

      Upgrade Ubuntu:22.04 openssh to version 1:8.9p1-3ubuntu0.3 or higher.

      References


    -

    Improper Validation of Integrity Check Value

    +

    Improper Input Validation

    @@ -817,17 +1058,17 @@

    Improper Validation of Integrity Check Value

    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - systemd/libsystemd0 + golang.org/x/text/language
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and systemd/libsystemd0@249.11-0ubuntu3.9 + sigs.k8s.io/kustomize/kustomize/v4@* and golang.org/x/text/language@v0.3.7
    @@ -840,110 +1081,86 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + sigs.k8s.io/kustomize/kustomize/v4@* - systemd/libsystemd0@249.11-0ubuntu3.9 + golang.org/x/text/language@v0.3.7
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 + helm.sh/helm/v3@* - systemd/libsystemd0@249.11-0ubuntu3.9 + golang.org/x/text/language@v0.3.7
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing Accept-Language headers.

    +

    Remediation

    +

    Upgrade golang.org/x/text/language to version 0.3.8 or higher.

    +

    References

    + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - systemd/libudev1@249.11-0ubuntu3.9 - - + -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
  • +
    +

    Incorrect Privilege Assignment

    +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
    + medium severity +
    -
  • +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/sys/unix +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f + +
    • +
    + +
    + + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 + helm.sh/helm/v3@* - systemd/libudev1@249.11-0ubuntu3.9 + golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f @@ -954,29 +1171,25 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      +

      Overview

      +

      Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      +

      Upgrade golang.org/x/sys/unix to version 0.1.0 or higher.

      References


    -

    Improper Validation of Integrity Check Value

    +

    Denial of Service (DoS)

    @@ -987,17 +1200,17 @@

    Improper Validation of Integrity Check Value

    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - systemd/libsystemd0 + golang.org/x/net/http2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and systemd/libsystemd0@249.11-0ubuntu3.9 + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
    @@ -1010,110 +1223,89 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + helm.sh/helm/v3@* - systemd/libsystemd0@249.11-0ubuntu3.9 + golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    + +

    Overview

    +

    golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

    +

    Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/net/http2 to version 0.4.0 or higher.

    +

    References

    + + +
    + + + +
  • +
    +

    Improper Verification of Cryptographic Signature

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - + golang.org/x/crypto/openpgp/clearsign +
    • - -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - +
    • Introduced through: -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - systemd/libudev1@249.11-0ubuntu3.9 - - + helm.sh/helm/v3@* and golang.org/x/crypto/openpgp/clearsign@v0.0.0-20220525230936-793ad666bf5e -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
    • +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - +
    -
  • + +

    Detailed paths

    + +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 + helm.sh/helm/v3@* - systemd/libudev1@249.11-0ubuntu3.9 + golang.org/x/crypto/openpgp/clearsign@v0.0.0-20220525230936-793ad666bf5e @@ -1124,24 +1316,21 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      +

      Overview

      +

      Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the crypto/openpgp/clearsign/clearsign.go component. An attacker can spoof the 'Hash' Armor Header, leading a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, the attacker can prepend arbitrary text to cleartext messages without invalidating the signatures.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      +

      Upgrade golang.org/x/crypto/openpgp/clearsign to version 0.1.0 or higher.

      References


    @@ -1168,7 +1357,7 @@

    CVE-2022-46908

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7, gnupg2/gpg@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.6.13, gnupg2/gpg@2.2.27-3ubuntu2.1 and others
  • @@ -1180,7 +1369,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1239,7 +1428,7 @@

      Arbitrary Code Injection

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and shadow/passwd@1:4.8.1-2ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.6.13 and shadow/passwd@1:4.8.1-2ubuntu2.1
    @@ -1252,7 +1441,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1261,7 +1450,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 adduser@3.118ubuntu5 @@ -1272,7 +1461,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 openssh/openssh-client@1:8.9p1-3ubuntu0.1 @@ -1283,7 +1472,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 shadow/login@1:4.8.1-2ubuntu2.1 @@ -1340,7 +1529,7 @@

      Uncontrolled Recursion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.6.13 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
    @@ -1353,7 +1542,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -1362,7 +1551,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 grep@3.7-1build1 @@ -1424,7 +1613,7 @@

      Release of Invalid Pointer or Reference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.6.13 and patch@2.7.6-7build2
    @@ -1437,7 +1626,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 patch@2.7.6-7build2 @@ -1491,7 +1680,7 @@

      Double Free

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.6.13 and patch@2.7.6-7build2
    @@ -1504,7 +1693,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 patch@2.7.6-7build2 @@ -1542,7 +1731,7 @@

      References

    -

    Information Exposure

    +

    Improper Authentication

    @@ -1558,12 +1747,12 @@

    Information Exposure

  • Vulnerable module: - openssh/openssh-client + openssl/libssl3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.6.13 and openssl/libssl3@3.0.2-0ubuntu1.10
  • @@ -1576,9 +1765,113 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.13 + + cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.13 + + libfido2/libfido2-1@1.10.0-1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.13 openssh/openssh-client@1:8.9p1-3ubuntu0.1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.13 + + ca-certificates@20230311ubuntu0.22.04.1 + + openssl@3.0.2-0ubuntu1.10 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.13 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.13 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.13 + + openssl@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.6.13 + + ca-certificates@20230311ubuntu0.22.04.1 + + openssl@3.0.2-0ubuntu1.10 @@ -1590,28 +1883,42 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 openssh.

      +

      There is no fixed version for Ubuntu:22.04 openssl.

      References


    @@ -1637,7 +1944,7 @@

    CVE-2023-28531

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.6.13 and openssh/openssh-client@1:8.9p1-3ubuntu0.1
  • @@ -1650,7 +1957,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 openssh/openssh-client@1:8.9p1-3ubuntu0.1 @@ -1674,6 +1981,7 @@

      References

    • ADVISORY
    • cve@mitre.org
    • cve@mitre.org
    • +
    • cve@mitre.org

    @@ -1706,7 +2014,7 @@

    NULL Pointer Dereference

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.6.13, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others
  • @@ -1718,7 +2026,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -1729,11 +2037,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 @@ -1742,7 +2050,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 openldap/libldap-common@2.5.14+dfsg-0ubuntu0.22.04.2 @@ -1767,6 +2075,12 @@

      References

    • secalert@redhat.com
    • secalert@redhat.com
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com

    @@ -1799,7 +2113,7 @@

    Resource Exhaustion

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7, meta-common-packages@meta and others + docker-image|quay.io/argoproj/argocd@v2.6.13, meta-common-packages@meta and others
  • @@ -1811,7 +2125,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 meta-common-packages@meta @@ -1836,6 +2150,7 @@

      References


      @@ -1867,7 +2182,7 @@

      Integer Overflow or Wraparound

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + docker-image|quay.io/argoproj/argocd@v2.6.13 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
    @@ -1880,7 +2195,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -1889,7 +2204,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 adduser@3.118ubuntu5 @@ -1910,7 +2225,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 adduser@3.118ubuntu5 @@ -1933,7 +2248,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 krb5/libkrb5-3@1.19.2-2ubuntu0.2 @@ -1942,7 +2257,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 adduser@3.118ubuntu5 @@ -1963,7 +2278,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -1972,7 +2287,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 openssh/openssh-client@1:8.9p1-3ubuntu0.1 @@ -1983,11 +2298,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -1996,11 +2311,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.11 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -2011,7 +2326,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 adduser@3.118ubuntu5 @@ -2030,7 +2345,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 meta-common-packages@meta @@ -2089,7 +2404,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.6.13 and gnupg2/gpgv@2.2.27-3ubuntu2.1
    @@ -2102,7 +2417,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -2111,7 +2426,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 apt@2.4.9 @@ -2122,7 +2437,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2133,7 +2448,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2144,7 +2459,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2155,7 +2470,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2168,7 +2483,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2181,7 +2496,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2190,7 +2505,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2201,7 +2516,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2214,7 +2529,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -2223,7 +2538,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2234,7 +2549,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -2243,7 +2558,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2254,7 +2569,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2263,7 +2578,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2274,7 +2589,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2287,7 +2602,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2300,7 +2615,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -2309,7 +2624,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2320,7 +2635,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2333,7 +2648,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2346,7 +2661,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -2355,7 +2670,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2366,7 +2681,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -2375,7 +2690,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2386,7 +2701,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -2395,7 +2710,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2406,7 +2721,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2465,7 +2780,7 @@

      Allocation of Resources Without Limits or Throttling

      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and glibc/libc-bin@2.35-0ubuntu3.1 + docker-image|quay.io/argoproj/argocd@v2.6.13 and glibc/libc-bin@2.35-0ubuntu3.1
    @@ -2478,7 +2793,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 glibc/libc-bin@2.35-0ubuntu3.1 @@ -2487,7 +2802,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 meta-common-packages@meta @@ -2546,7 +2861,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7, git@1:2.34.1-1ubuntu1.9 and others + docker-image|quay.io/argoproj/argocd@v2.6.13, git@1:2.34.1-1ubuntu1.9 and others
    @@ -2558,7 +2873,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 git@1:2.34.1-1ubuntu1.9 @@ -2569,7 +2884,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 git@1:2.34.1-1ubuntu1.9 @@ -2578,7 +2893,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 git-lfs@3.0.2-1ubuntu0.2 @@ -2612,150 +2927,6 @@

      References

      More about this vulnerability

    -
    -
    -

    CVE-2023-28322

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.7.7, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Certificate Validation

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.7.7, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - -

    Improper Input Validation

    @@ -2779,7 +2950,7 @@

    Improper Input Validation

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and coreutils@8.32-4.1ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.6.13 and coreutils@8.32-4.1ubuntu1
  • @@ -2792,7 +2963,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 coreutils@8.32-4.1ubuntu1 @@ -2849,7 +3020,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 and bash@5.1-6ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.6.13 and bash@5.1-6ubuntu1
    @@ -2862,7 +3033,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.7.7 + docker-image|quay.io/argoproj/argocd@v2.6.13 bash@5.1-6ubuntu1 diff --git a/docs/snyk/v2.6.13/redis_7.0.11-alpine.html b/docs/snyk/v2.6.13/redis_7.0.11-alpine.html new file mode 100644 index 0000000000000..7b140ab6e6550 --- /dev/null +++ b/docs/snyk/v2.6.13/redis_7.0.11-alpine.html @@ -0,0 +1,1031 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
      +
      +
      +
      + + + Snyk - Open Source Security + + + + + + + +
      +

      Snyk test report

      + +

      August 6th 2023, 12:22:51 am (UTC+00:00)

      +
      +
      + Scanned the following path: +
        +
      • redis:7.0.11-alpine (apk)
      • +
      +
      + +
      +
      3 known vulnerabilities
      +
      27 vulnerable dependency paths
      +
      18 dependencies
      +
      +
      +
      +
      +
      + + + + + + + +
      Project docker-image|redis
      Path redis:7.0.11-alpine
      Package Manager apk
      +
      +
      +
      +
      +

      Improper Authentication

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      Inefficient Regular Expression Complexity

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

      +

      However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      CVE-2023-3817

      +
      + +
      + low severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue.

      +

      The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

      +

      References

      + + +
      + + + +
      +
      +
      +
      + + + diff --git a/docs/snyk/v2.7.7/argocd-iac-install.html b/docs/snyk/v2.7.10/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.7.7/argocd-iac-install.html rename to docs/snyk/v2.7.10/argocd-iac-install.html index 4e2362297bc40..6bcd9025d71e9 100644 --- a/docs/snyk/v2.7.7/argocd-iac-install.html +++ b/docs/snyk/v2.7.10/argocd-iac-install.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      July 9th 2023, 12:28:09 am (UTC+00:00)

      +

      August 6th 2023, 12:21:45 am (UTC+00:00)

      Scanned the following path: diff --git a/docs/snyk/v2.7.7/argocd-iac-namespace-install.html b/docs/snyk/v2.7.10/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.7.7/argocd-iac-namespace-install.html rename to docs/snyk/v2.7.10/argocd-iac-namespace-install.html index 4b29fa86b708d..1105c6962e60e 100644 --- a/docs/snyk/v2.7.7/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.7.10/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      July 9th 2023, 12:28:22 am (UTC+00:00)

      +

      August 6th 2023, 12:21:57 am (UTC+00:00)

      Scanned the following path: diff --git a/docs/snyk/v2.7.7/argocd-test.html b/docs/snyk/v2.7.10/argocd-test.html similarity index 98% rename from docs/snyk/v2.7.7/argocd-test.html rename to docs/snyk/v2.7.10/argocd-test.html index 2c6423ddd2fff..b434910c23e84 100644 --- a/docs/snyk/v2.7.7/argocd-test.html +++ b/docs/snyk/v2.7.10/argocd-test.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      July 9th 2023, 12:24:52 am (UTC+00:00)

      +

      August 6th 2023, 12:19:44 am (UTC+00:00)

      Scanned the following paths: @@ -609,10 +609,12 @@

      Details

      By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

      Remediation

      -

      Upgrade semver to version 7.5.2 or higher.

      +

      Upgrade semver to version 5.7.2, 6.3.1, 7.5.2 or higher.

      References

        +
      • GitHub Commit
      • GitHub Commit
      • +
      • GitHub Commit
      • GitHub PR
      • Vulnerable Code
      • Vulnerable Code
      • diff --git a/docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html new file mode 100644 index 0000000000000..6e13ca3147f6c --- /dev/null +++ b/docs/snyk/v2.7.10/ghcr.io_dexidp_dex_v2.37.0.html @@ -0,0 +1,1079 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
        +
        +
        +
        + + + Snyk - Open Source Security + + + + + + + +
        +

        Snyk test report

        + +

        August 6th 2023, 12:19:51 am (UTC+00:00)

        +
        +
        + Scanned the following paths: +
          +
        • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)
        • ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)
        • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
        • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
        • +
        +
        + +
        +
        4 known vulnerabilities
        +
        22 vulnerable dependency paths
        +
        786 dependencies
        +
        +
        +
        +
        + +
        +
        +
        +

        Improper Authentication

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

        +

        Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

        +

        The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

        +

        As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        Inefficient Regular Expression Complexity

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: Checking excessively long DH keys or parameters may be very slow.

        +

        Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

        +

        The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

        +

        However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

        +

        An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

        +

        The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

        +

        Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

        +

        The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        Cross-site Scripting (XSS)

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: golang +
        • +
        • + Vulnerable module: + + golang.org/x/net/html +
        • + +
        • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
        • +
        + +
        + +
        + +

        Overview

        +

        golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

        +

        Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

        +

        Details

        +

        A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

        +

        This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

        +

        Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

        +

        Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

        +

        The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

        +

        Types of attacks

        +

        There are a few methods by which XSS can be manipulated:

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        TypeOriginDescription
        StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
        ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
        DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
        MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
        +

        Affected environments

        +

        The following environments are susceptible to an XSS attack:

        +
          +
        • Web servers
        • +
        • Application servers
        • +
        • Web application environments
        • +
        +

        How to prevent

        +

        This section describes the top best practices designed to specifically protect your code:

        +
          +
        • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
        • +
        • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
        • +
        • Give users the option to disable client-side scripts.
        • +
        • Redirect invalid requests.
        • +
        • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
        • +
        • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
        • +
        • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
        • +
        +

        Remediation

        +

        Upgrade golang.org/x/net/html to version 0.13.0 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        CVE-2023-3817

        +
        + +
        + low severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: Checking excessively long DH keys or parameters may be very slow.

        +

        Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

        +

        The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

        +

        An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

        +

        The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

        +

        Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

        +

        The OpenSSL SSL/TLS implementation is not affected by this issue.

        +

        The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

        +

        References

        + + +
        + + + +
        +
        +
        +
        + + + diff --git a/docs/snyk/v2.7.10/haproxy_2.6.14-alpine.html b/docs/snyk/v2.7.10/haproxy_2.6.14-alpine.html new file mode 100644 index 0000000000000..1c387dbb62e40 --- /dev/null +++ b/docs/snyk/v2.7.10/haproxy_2.6.14-alpine.html @@ -0,0 +1,1031 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
        +
        +
        +
        + + + Snyk - Open Source Security + + + + + + + +
        +

        Snyk test report

        + +

        August 6th 2023, 12:19:56 am (UTC+00:00)

        +
        +
        + Scanned the following path: +
          +
        • haproxy:2.6.14-alpine (apk)
        • +
        +
        + +
        +
        3 known vulnerabilities
        +
        27 vulnerable dependency paths
        +
        18 dependencies
        +
        +
        +
        +
        +
        + + + + + + + +
        Project docker-image|haproxy
        Path haproxy:2.6.14-alpine
        Package Manager apk
        +
        +
        +
        +
        +

        Improper Authentication

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

        +

        Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

        +

        The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

        +

        As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        Inefficient Regular Expression Complexity

        +
        + +
        + medium severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: Checking excessively long DH keys or parameters may be very slow.

        +

        Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

        +

        The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

        +

        However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

        +

        An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

        +

        The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

        +

        Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

        +

        The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

        +

        References

        + + +
        + + + +
        +
        +

        CVE-2023-3817

        +
        + +
        + low severity +
        + +
        + +
          +
        • + Package Manager: alpine:3.18 +
        • +
        • + Vulnerable module: + + openssl/libcrypto3 +
        • + +
        • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
        • +
        + +
        + + +

        Detailed paths

        + +
          +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
        • +
        + +
        + +
        + +

        NVD Description

        +

        Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

        +

        Issue summary: Checking excessively long DH keys or parameters may be very slow.

        +

        Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

        +

        The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

        +

        An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

        +

        The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

        +

        Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

        +

        The OpenSSL SSL/TLS implementation is not affected by this issue.

        +

        The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

        +

        Remediation

        +

        Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

        +

        References

        + + +
        + + + +
        +
        +
        +
        + + + diff --git a/docs/snyk/v2.8.0-rc2/quay.io_argoproj_argocd_v2.8.0-rc2.html b/docs/snyk/v2.7.10/quay.io_argoproj_argocd_v2.7.10.html similarity index 76% rename from docs/snyk/v2.8.0-rc2/quay.io_argoproj_argocd_v2.8.0-rc2.html rename to docs/snyk/v2.7.10/quay.io_argoproj_argocd_v2.7.10.html index 3517f43e60638..9cb763260edec 100644 --- a/docs/snyk/v2.8.0-rc2/quay.io_argoproj_argocd_v2.8.0-rc2.html +++ b/docs/snyk/v2.7.10/quay.io_argoproj_argocd_v2.7.10.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,19 +456,19 @@

        Snyk test report

        -

        July 9th 2023, 12:22:24 am (UTC+00:00)

        +

        August 6th 2023, 12:20:16 am (UTC+00:00)

        Scanned the following paths:
          -
        • quay.io/argoproj/argocd:v2.8.0-rc2/argoproj/argocd (deb)
        • quay.io/argoproj/argocd:v2.8.0-rc2/argoproj/argo-cd/v2 (gomodules)
        • quay.io/argoproj/argocd:v2.8.0-rc2/kustomize/kustomize/v5 (gomodules)
        • quay.io/argoproj/argocd:v2.8.0-rc2/helm/v3 (gomodules)
        • quay.io/argoproj/argocd:v2.8.0-rc2/git-lfs/git-lfs (gomodules)
        • +
        • quay.io/argoproj/argocd:v2.7.10/argoproj/argocd (deb)
        • quay.io/argoproj/argocd:v2.7.10/argoproj/argo-cd/v2 (gomodules)
        • quay.io/argoproj/argocd:v2.7.10/kustomize/kustomize/v5 (gomodules)
        • quay.io/argoproj/argocd:v2.7.10/helm/v3 (gomodules)
        • quay.io/argoproj/argocd:v2.7.10/git-lfs/git-lfs (gomodules)
        -
        21 known vulnerabilities
        -
        95 vulnerable dependency paths
        -
        2112 dependencies
        +
        18 known vulnerabilities
        +
        75 vulnerable dependency paths
        +
        2066 dependencies
      @@ -493,12 +493,12 @@

      Denial of Service (DoS)

    • Vulnerable module: - nhooyr.io/websocket + golang.org/x/net/http2/hpack
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and nhooyr.io/websocket@v1.8.6 + helm.sh/helm/v3@* and golang.org/x/net/http2/hpack@v0.5.0
    @@ -511,9 +511,9 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + helm.sh/helm/v3@* - nhooyr.io/websocket@v1.8.6 + golang.org/x/net/http2/hpack@v0.5.0 @@ -525,10 +525,7 @@

      Detailed paths


      Overview

      -

      nhooyr.io/websocket is a minimal and idiomatic WebSocket library for Go.

      -

      Affected versions of this package are vulnerable to Denial of Service (DoS). A double channel close panic is possible if a peer sent back multiple pongs for every ping. - If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and a panic would - occur.

      +

      Affected versions of this package are vulnerable to Denial of Service (DoS) such that a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder.

      Details

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      @@ -542,43 +539,45 @@

      Details

    Remediation

    -

    Upgrade nhooyr.io/websocket to version 1.8.7 or higher.

    +

    Upgrade golang.org/x/net/http2/hpack to version 0.7.0 or higher.

    References


    -
    -

    Improper Validation of Integrity Check Value

    +
    +

    Denial of Service (DoS)

    -
    - medium severity +
    + high severity

    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - systemd/libsystemd0 + golang.org/x/net/http2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and systemd/libsystemd0@249.11-0ubuntu3.9 + helm.sh/helm/v3@* and golang.org/x/net/http2@v0.5.0
    @@ -591,110 +590,9 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + helm.sh/helm/v3@* - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 + golang.org/x/net/http2@v0.5.0 @@ -705,199 +603,40 @@

      Detailed paths


      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      -

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      -

      References

      +

      Overview

      +

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      +

      Affected versions of this package are vulnerable to Denial of Service (DoS) such that a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder.

      +

      Details

      +

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      +

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      +

      One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

      +

      When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

      +

      Two common types of DoS vulnerabilities:

      - -
      - - - -
    -
    -

    Improper Validation of Integrity Check Value

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and systemd/libsystemd0@249.11-0ubuntu3.9 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 systemd.

    +

    Upgrade golang.org/x/net/http2 to version 0.7.0 or higher.

    References


    -

    Improper Validation of Integrity Check Value

    +

    CVE-2023-4016

    @@ -913,12 +652,12 @@

    Improper Validation of Integrity Check Value

  • Vulnerable module: - systemd/libsystemd0 + procps/libprocps8
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and systemd/libsystemd0@249.11-0ubuntu3.9 + docker-image|quay.io/argoproj/argocd@v2.7.10 and procps/libprocps8@2:3.3.17-6ubuntu2
  • @@ -931,110 +670,29 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 - util-linux@2.37.2-4ubuntu3 + procps@2:3.3.17-6ubuntu2 - systemd/libudev1@249.11-0ubuntu3.9 + procps/libprocps8@2:3.3.17-6ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 + docker-image|quay.io/argoproj/argocd@v2.7.10 - systemd/libudev1@249.11-0ubuntu3.9 + procps@2:3.3.17-6ubuntu2 @@ -1046,23 +704,21 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

      +

      Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 systemd.

      +

      There is no fixed version for Ubuntu:22.04 procps.

      References


    @@ -1089,7 +745,7 @@

    CVE-2022-46908

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2, gnupg2/gpg@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.7.10, gnupg2/gpg@2.2.27-3ubuntu2.1 and others
  • @@ -1101,7 +757,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1160,7 +816,7 @@

      Arbitrary Code Injection

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and shadow/passwd@1:4.8.1-2ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.7.10 and shadow/passwd@1:4.8.1-2ubuntu2.1
    @@ -1173,7 +829,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1182,7 +838,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 adduser@3.118ubuntu5 @@ -1193,9 +849,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1204,7 +860,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 shadow/login@1:4.8.1-2ubuntu2.1 @@ -1261,7 +917,7 @@

      Uncontrolled Recursion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.7.10 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
    @@ -1274,7 +930,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -1283,7 +939,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 grep@3.7-1build1 @@ -1345,7 +1001,7 @@

      Release of Invalid Pointer or Reference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.7.10 and patch@2.7.6-7build2
    @@ -1358,7 +1014,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 patch@2.7.6-7build2 @@ -1412,7 +1068,7 @@

      Double Free

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.7.10 and patch@2.7.6-7build2
    @@ -1425,7 +1081,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 patch@2.7.6-7build2 @@ -1463,7 +1119,7 @@

      References

    -

    Information Exposure

    +

    Improper Authentication

    @@ -1479,12 +1135,12 @@

    Information Exposure

  • Vulnerable module: - openssh/openssh-client + openssl/libssl3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.7.10 and openssl/libssl3@3.0.2-0ubuntu1.10
  • @@ -1497,9 +1153,113 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.10 + + cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.10 + + libfido2/libfido2-1@1.10.0-1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.10 + + openssh/openssh-client@1:8.9p1-3ubuntu0.3 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.10 + + ca-certificates@20230311ubuntu0.22.04.1 + + openssl@3.0.2-0ubuntu1.10 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.10 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.10 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.10 + + openssl@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.7.10 + + ca-certificates@20230311ubuntu0.22.04.1 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssl@3.0.2-0ubuntu1.10 @@ -1511,28 +1271,42 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 openssh.

      +

      There is no fixed version for Ubuntu:22.04 openssl.

      References


    @@ -1558,7 +1332,7 @@

    CVE-2023-28531

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.7.10 and openssh/openssh-client@1:8.9p1-3ubuntu0.3
  • @@ -1571,9 +1345,9 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -1595,6 +1369,7 @@

      References

    • ADVISORY
    • cve@mitre.org
    • cve@mitre.org
    • +
    • cve@mitre.org

    @@ -1627,7 +1402,7 @@

    NULL Pointer Dereference

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.7.10, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others
  • @@ -1639,33 +1414,33 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/dirmngr@2.2.27-3ubuntu2.1 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 - openldap/libldap-common@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-common@2.5.15+dfsg-0ubuntu0.22.04.1 @@ -1688,6 +1463,12 @@

      References

    • secalert@redhat.com
    • secalert@redhat.com
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com

    @@ -1720,7 +1501,7 @@

    Resource Exhaustion

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2, meta-common-packages@meta and others + docker-image|quay.io/argoproj/argocd@v2.7.10, meta-common-packages@meta and others
  • @@ -1732,7 +1513,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 meta-common-packages@meta @@ -1757,6 +1538,7 @@

      References


      @@ -1788,7 +1570,7 @@

      Integer Overflow or Wraparound

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + docker-image|quay.io/argoproj/argocd@v2.7.10 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
    @@ -1801,7 +1583,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -1810,7 +1592,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 adduser@3.118ubuntu5 @@ -1831,7 +1613,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 adduser@3.118ubuntu5 @@ -1854,7 +1636,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 krb5/libkrb5-3@1.19.2-2ubuntu0.2 @@ -1863,7 +1645,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 adduser@3.118ubuntu5 @@ -1884,7 +1666,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -1893,9 +1675,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -1904,11 +1686,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -1917,11 +1699,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -1932,7 +1714,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 adduser@3.118ubuntu5 @@ -1951,7 +1733,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 meta-common-packages@meta @@ -2010,7 +1792,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.7.10 and gnupg2/gpgv@2.2.27-3ubuntu2.1
    @@ -2023,7 +1805,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -2032,7 +1814,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 apt@2.4.9 @@ -2043,7 +1825,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2054,7 +1836,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2065,7 +1847,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2076,7 +1858,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2089,7 +1871,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2102,7 +1884,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2111,7 +1893,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2122,7 +1904,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2135,7 +1917,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -2144,7 +1926,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2155,7 +1937,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -2164,7 +1946,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2175,7 +1957,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2184,7 +1966,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2195,7 +1977,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2208,7 +1990,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2221,7 +2003,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -2230,7 +2012,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2241,7 +2023,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2254,7 +2036,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2267,7 +2049,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -2276,7 +2058,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2287,7 +2069,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -2296,7 +2078,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2307,7 +2089,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -2316,7 +2098,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2327,7 +2109,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2386,7 +2168,7 @@

      Allocation of Resources Without Limits or Throttling

      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and glibc/libc-bin@2.35-0ubuntu3.1 + docker-image|quay.io/argoproj/argocd@v2.7.10 and glibc/libc-bin@2.35-0ubuntu3.1
    @@ -2399,7 +2181,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 glibc/libc-bin@2.35-0ubuntu3.1 @@ -2408,7 +2190,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 meta-common-packages@meta @@ -2467,7 +2249,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2, git@1:2.34.1-1ubuntu1.9 and others + docker-image|quay.io/argoproj/argocd@v2.7.10, git@1:2.34.1-1ubuntu1.9 and others
    @@ -2479,7 +2261,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 git@1:2.34.1-1ubuntu1.9 @@ -2490,7 +2272,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 git@1:2.34.1-1ubuntu1.9 @@ -2499,7 +2281,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 git-lfs@3.0.2-1ubuntu0.2 @@ -2533,150 +2315,6 @@

      References

      More about this vulnerability

    -
    -
    -

    CVE-2023-28322

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Certificate Validation

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - -

    Improper Input Validation

    @@ -2700,7 +2338,7 @@

    Improper Input Validation

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and coreutils@8.32-4.1ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.7.10 and coreutils@8.32-4.1ubuntu1
  • @@ -2713,7 +2351,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 coreutils@8.32-4.1ubuntu1 @@ -2770,7 +2408,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 and bash@5.1-6ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.7.10 and bash@5.1-6ubuntu1
    @@ -2783,7 +2421,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.8.0-rc2 + docker-image|quay.io/argoproj/argocd@v2.7.10 bash@5.1-6ubuntu1 diff --git a/docs/snyk/v2.7.10/redis_7.0.11-alpine.html b/docs/snyk/v2.7.10/redis_7.0.11-alpine.html new file mode 100644 index 0000000000000..dc7d6f7ecb4a1 --- /dev/null +++ b/docs/snyk/v2.7.10/redis_7.0.11-alpine.html @@ -0,0 +1,1031 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
      +
      +
      +
      + + + Snyk - Open Source Security + + + + + + + +
      +

      Snyk test report

      + +

      August 6th 2023, 12:20:21 am (UTC+00:00)

      +
      +
      + Scanned the following path: +
        +
      • redis:7.0.11-alpine (apk)
      • +
      +
      + +
      +
      3 known vulnerabilities
      +
      27 vulnerable dependency paths
      +
      18 dependencies
      +
      +
      +
      +
      +
      + + + + + + + +
      Project docker-image|redis
      Path redis:7.0.11-alpine
      Package Manager apk
      +
      +
      +
      +
      +

      Improper Authentication

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      Inefficient Regular Expression Complexity

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

      +

      However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      CVE-2023-3817

      +
      + +
      + low severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue.

      +

      The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

      +

      References

      + + +
      + + + +
      +
      +
      +
      + + + diff --git a/docs/snyk/v2.7.7/haproxy_2.6.14-alpine.html b/docs/snyk/v2.7.7/haproxy_2.6.14-alpine.html deleted file mode 100644 index 1345240936aa0..0000000000000 --- a/docs/snyk/v2.7.7/haproxy_2.6.14-alpine.html +++ /dev/null @@ -1,492 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:25:05 am (UTC+00:00)

      -
      -
      - Scanned the following path: -
        -
      • haproxy:2.6.14-alpine (apk)
      • -
      -
      - -
      -
      0 known vulnerabilities
      -
      0 vulnerable dependency paths
      -
      18 dependencies
      -
      -
      -
      -
      -
      - - - - - - - -
      Project docker-image|haproxy
      Path haproxy:2.6.14-alpine
      Package Manager apk
      -
      -
      - No known vulnerabilities detected. -
      -
      - - - diff --git a/docs/snyk/v2.7.7/redis_7.0.11-alpine.html b/docs/snyk/v2.7.7/redis_7.0.11-alpine.html deleted file mode 100644 index af32078a9160b..0000000000000 --- a/docs/snyk/v2.7.7/redis_7.0.11-alpine.html +++ /dev/null @@ -1,492 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:26:32 am (UTC+00:00)

      -
      -
      - Scanned the following path: -
        -
      • redis:7.0.11-alpine (apk)
      • -
      -
      - -
      -
      0 known vulnerabilities
      -
      0 vulnerable dependency paths
      -
      18 dependencies
      -
      -
      -
      -
      -
      - - - - - - - -
      Project docker-image|redis
      Path redis:7.0.11-alpine
      Package Manager apk
      -
      -
      - No known vulnerabilities detected. -
      -
      - - - diff --git a/docs/snyk/v2.8.0-rc2/argocd-test.html b/docs/snyk/v2.8.0-rc2/argocd-test.html deleted file mode 100644 index 3504db482b43b..0000000000000 --- a/docs/snyk/v2.8.0-rc2/argocd-test.html +++ /dev/null @@ -1,716 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:21:45 am (UTC+00:00)

      -
      -
      - Scanned the following paths: -
        -
      • /argo-cd/argoproj/argo-cd/v2 (gomodules)
      • /argo-cd (yarn)
      • -
      -
      - -
      -
      2 known vulnerabilities
      -
      2 vulnerable dependency paths
      -
      1804 dependencies
      -
      -
      -
      -
      - -
      -
      -
      -

      Regular Expression Denial of Service (ReDoS)

      -
      - -
      - high severity -
      - -
      - -
        -
      • - Package Manager: npm -
      • -
      • - Vulnerable module: - - semver -
      • - -
      • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.0.9 and others -
      • -
      - -
      - - -

      Detailed paths

      - -
        -
      • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.0.9 - - semver@7.3.8 - - - -
      • -
      - -
      - -
      - -

      Overview

      -

      semver is a semantic version parser used by npm.

      -

      Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

      -

      PoC

      -
      
      -        const semver = require('semver')
      -        const lengths_2 = [2000, 4000, 8000, 16000, 32000, 64000, 128000]
      -        
      -        console.log("n[+] Valid range - Test payloads")
      -        for (let i = 0; i =1.2.3' + ' '.repeat(lengths_2[i]) + '<1.3.0';
      -        const start = Date.now()
      -        semver.validRange(value)
      -        // semver.minVersion(value)
      -        // semver.maxSatisfying(["1.2.3"], value)
      -        // semver.minSatisfying(["1.2.3"], value)
      -        // new semver.Range(value, {})
      -        
      -        const end = Date.now();
      -        console.log('length=%d, time=%d ms', value.length, end - start);
      -        }
      -        
      -

      Details

      -

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

      -

      The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

      -

      Let’s take the following regular expression as an example:

      -
      regex = /A(B|C+)+D/
      -        
      -

      This regular expression accomplishes the following:

      -
        -
      • A The string must start with the letter 'A'
      • -
      • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
      • -
      • D Finally, we ensure this section of the string ends with a 'D'
      • -
      -

      The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

      -

      It most cases, it doesn't take very long for a regex engine to find a match:

      -
      $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
      -        0.04s user 0.01s system 95% cpu 0.052 total
      -        
      -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
      -        1.79s user 0.02s system 99% cpu 1.812 total
      -        
      -

      The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

      -

      Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

      -

      Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

      -
        -
      1. CCC
      2. -
      3. CC+C
      4. -
      5. C+CC
      6. -
      7. C+C+C.
      8. -
      -

      The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

      -

      From there, the number of steps the engine must use to validate a string just continues to grow.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      StringNumber of C'sNumber of steps
      ACCCX338
      ACCCCX471
      ACCCCCX5136
      ACCCCCCCCCCCCCCX1465,553
      -

      By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

      -

      Remediation

      -

      Upgrade semver to version 7.5.2 or higher.

      -

      References

      - - -
      - - - -
      -
      -

      Denial of Service (DoS)

      -
      - -
      - high severity -
      - -
      - -
        -
      • - Package Manager: golang -
      • -
      • - Vulnerable module: - - nhooyr.io/websocket -
      • - -
      • Introduced through: - - - github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others -
      • -
      - -
      - - -

      Detailed paths

      - -
        -
      • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 - - nhooyr.io/websocket@1.8.6 - - - -
      • -
      - -
      - -
      - -

      Overview

      -

      nhooyr.io/websocket is a minimal and idiomatic WebSocket library for Go.

      -

      Affected versions of this package are vulnerable to Denial of Service (DoS). A double channel close panic is possible if a peer sent back multiple pongs for every ping. - If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and a panic would - occur.

      -

      Details

      -

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      -

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      -

      One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

      -

      When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

      -

      Two common types of DoS vulnerabilities:

      -
        -
      • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

        -
      • -
      • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

        -
      • -
      -

      Remediation

      -

      Upgrade nhooyr.io/websocket to version 1.8.7 or higher.

      -

      References

      - - -
      - - - -
      -
      -
      -
      - - - diff --git a/docs/snyk/v2.8.0-rc2/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.8.0-rc2/ghcr.io_dexidp_dex_v2.37.0.html deleted file mode 100644 index f563be4c1dbf5..0000000000000 --- a/docs/snyk/v2.8.0-rc2/ghcr.io_dexidp_dex_v2.37.0.html +++ /dev/null @@ -1,483 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:21:56 am (UTC+00:00)

      -
      -
      - Scanned the following paths: -
        -
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)
      • ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
      • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
      • -
      -
      - -
      -
      0 known vulnerabilities
      -
      0 vulnerable dependency paths
      -
      786 dependencies
      -
      -
      -
      -
      - -
      - No known vulnerabilities detected. -
      -
      - - - diff --git a/docs/snyk/v2.8.0-rc2/haproxy_2.6.14-alpine.html b/docs/snyk/v2.8.0-rc2/haproxy_2.6.14-alpine.html deleted file mode 100644 index 08faa4d358f3a..0000000000000 --- a/docs/snyk/v2.8.0-rc2/haproxy_2.6.14-alpine.html +++ /dev/null @@ -1,492 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:22:00 am (UTC+00:00)

      -
      -
      - Scanned the following path: -
        -
      • haproxy:2.6.14-alpine (apk)
      • -
      -
      - -
      -
      0 known vulnerabilities
      -
      0 vulnerable dependency paths
      -
      18 dependencies
      -
      -
      -
      -
      -
      - - - - - - - -
      Project docker-image|haproxy
      Path haproxy:2.6.14-alpine
      Package Manager apk
      -
      -
      - No known vulnerabilities detected. -
      -
      - - - diff --git a/docs/snyk/v2.8.0-rc2/redis_7.0.11-alpine.html b/docs/snyk/v2.8.0-rc2/redis_7.0.11-alpine.html deleted file mode 100644 index 6252a53e5bebf..0000000000000 --- a/docs/snyk/v2.8.0-rc2/redis_7.0.11-alpine.html +++ /dev/null @@ -1,492 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
      -
      -
      -
      - - - Snyk - Open Source Security - - - - - - - -
      -

      Snyk test report

      - -

      July 9th 2023, 12:22:28 am (UTC+00:00)

      -
      -
      - Scanned the following path: -
        -
      • redis:7.0.11-alpine (apk)
      • -
      -
      - -
      -
      0 known vulnerabilities
      -
      0 vulnerable dependency paths
      -
      18 dependencies
      -
      -
      -
      -
      -
      - - - - - - - -
      Project docker-image|redis
      Path redis:7.0.11-alpine
      Package Manager apk
      -
      -
      - No known vulnerabilities detected. -
      -
      - - - diff --git a/docs/snyk/v2.8.0-rc2/argocd-iac-install.html b/docs/snyk/v2.8.0-rc7/argocd-iac-install.html similarity index 98% rename from docs/snyk/v2.8.0-rc2/argocd-iac-install.html rename to docs/snyk/v2.8.0-rc7/argocd-iac-install.html index 37e7c7ae3112a..cfa514f9791ce 100644 --- a/docs/snyk/v2.8.0-rc2/argocd-iac-install.html +++ b/docs/snyk/v2.8.0-rc7/argocd-iac-install.html @@ -456,7 +456,7 @@

      Snyk test report

      -

      July 9th 2023, 12:24:16 am (UTC+00:00)

      +

      August 6th 2023, 12:19:11 am (UTC+00:00)

      Scanned the following path: @@ -507,7 +507,7 @@

      Role with dangerous permissions

    • - Line number: 18418 + Line number: 18466
    @@ -553,7 +553,7 @@

    Role with dangerous permissions

  • - Line number: 18495 + Line number: 18543
  • @@ -599,7 +599,7 @@

    Role with dangerous permissions

  • - Line number: 18523 + Line number: 18571
  • @@ -645,7 +645,7 @@

    Role with dangerous permissions

  • - Line number: 18571 + Line number: 18619
  • @@ -691,7 +691,7 @@

    Role with dangerous permissions

  • - Line number: 18553 + Line number: 18601
  • @@ -737,7 +737,7 @@

    Role with dangerous permissions

  • - Line number: 18587 + Line number: 18635
  • @@ -789,7 +789,7 @@

    Container could be running with outdated image

  • - Line number: 19671 + Line number: 19731
  • @@ -847,7 +847,7 @@

    Container has no CPU limit

  • - Line number: 19058 + Line number: 19106
  • @@ -905,7 +905,7 @@

    Container has no CPU limit

  • - Line number: 19279 + Line number: 19339
  • @@ -963,7 +963,7 @@

    Container has no CPU limit

  • - Line number: 19245 + Line number: 19305
  • @@ -1021,7 +1021,7 @@

    Container has no CPU limit

  • - Line number: 19339 + Line number: 19399
  • @@ -1079,7 +1079,7 @@

    Container has no CPU limit

  • - Line number: 19426 + Line number: 19486
  • @@ -1137,7 +1137,7 @@

    Container has no CPU limit

  • - Line number: 19671 + Line number: 19731
  • @@ -1195,7 +1195,7 @@

    Container has no CPU limit

  • - Line number: 19483 + Line number: 19543
  • @@ -1253,7 +1253,7 @@

    Container has no CPU limit

  • - Line number: 19756 + Line number: 19816
  • @@ -1311,7 +1311,7 @@

    Container has no CPU limit

  • - Line number: 20072 + Line number: 20132
  • @@ -1363,7 +1363,7 @@

    Container is running with multiple open ports

  • - Line number: 19259 + Line number: 19319
  • @@ -1415,7 +1415,7 @@

    Container is running without liveness probe

  • - Line number: 19058 + Line number: 19106
  • @@ -1467,7 +1467,7 @@

    Container is running without liveness probe

  • - Line number: 19245 + Line number: 19305
  • @@ -1519,7 +1519,7 @@

    Container is running without liveness probe

  • - Line number: 19279 + Line number: 19339
  • @@ -1571,7 +1571,7 @@

    Container is running without liveness probe

  • - Line number: 19426 + Line number: 19486
  • @@ -1623,7 +1623,7 @@

    Container is running without liveness probe

  • - Line number: 19671 + Line number: 19731
  • @@ -1681,7 +1681,7 @@

    Container is running without memory limit

  • - Line number: 19058 + Line number: 19106
  • @@ -1739,7 +1739,7 @@

    Container is running without memory limit

  • - Line number: 19245 + Line number: 19305
  • @@ -1797,7 +1797,7 @@

    Container is running without memory limit

  • - Line number: 19279 + Line number: 19339
  • @@ -1855,7 +1855,7 @@

    Container is running without memory limit

  • - Line number: 19339 + Line number: 19399
  • @@ -1913,7 +1913,7 @@

    Container is running without memory limit

  • - Line number: 19426 + Line number: 19486
  • @@ -1971,7 +1971,7 @@

    Container is running without memory limit

  • - Line number: 19671 + Line number: 19731
  • @@ -2029,7 +2029,7 @@

    Container is running without memory limit

  • - Line number: 19483 + Line number: 19543
  • @@ -2087,7 +2087,7 @@

    Container is running without memory limit

  • - Line number: 19756 + Line number: 19816
  • @@ -2145,7 +2145,7 @@

    Container is running without memory limit

  • - Line number: 20072 + Line number: 20132
  • @@ -2201,7 +2201,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19169 + Line number: 19229
  • @@ -2257,7 +2257,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19287 + Line number: 19347
  • @@ -2313,7 +2313,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19262 + Line number: 19322
  • @@ -2369,7 +2369,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19360 + Line number: 19420
  • @@ -2425,7 +2425,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19436 + Line number: 19496
  • @@ -2481,7 +2481,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19678 + Line number: 19738
  • @@ -2537,7 +2537,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19644 + Line number: 19704
  • @@ -2593,7 +2593,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 19982 + Line number: 20042
  • @@ -2649,7 +2649,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 20220 + Line number: 20280
  • diff --git a/docs/snyk/v2.8.0-rc2/argocd-iac-namespace-install.html b/docs/snyk/v2.8.0-rc7/argocd-iac-namespace-install.html similarity index 98% rename from docs/snyk/v2.8.0-rc2/argocd-iac-namespace-install.html rename to docs/snyk/v2.8.0-rc7/argocd-iac-namespace-install.html index 47cd7fe47ef63..fb3d83fdb0688 100644 --- a/docs/snyk/v2.8.0-rc2/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.8.0-rc7/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    July 9th 2023, 12:24:30 am (UTC+00:00)

    +

    August 6th 2023, 12:19:22 am (UTC+00:00)

    Scanned the following path: @@ -789,7 +789,7 @@

    Container could be running with outdated image

  • - Line number: 1237 + Line number: 1249
  • @@ -905,7 +905,7 @@

    Container has no CPU limit

  • - Line number: 845 + Line number: 857
  • @@ -963,7 +963,7 @@

    Container has no CPU limit

  • - Line number: 811 + Line number: 823
  • @@ -1021,7 +1021,7 @@

    Container has no CPU limit

  • - Line number: 905 + Line number: 917
  • @@ -1079,7 +1079,7 @@

    Container has no CPU limit

  • - Line number: 992 + Line number: 1004
  • @@ -1137,7 +1137,7 @@

    Container has no CPU limit

  • - Line number: 1237 + Line number: 1249
  • @@ -1195,7 +1195,7 @@

    Container has no CPU limit

  • - Line number: 1049 + Line number: 1061
  • @@ -1253,7 +1253,7 @@

    Container has no CPU limit

  • - Line number: 1322 + Line number: 1334
  • @@ -1311,7 +1311,7 @@

    Container has no CPU limit

  • - Line number: 1638 + Line number: 1650
  • @@ -1363,7 +1363,7 @@

    Container is running with multiple open ports

  • - Line number: 825 + Line number: 837
  • @@ -1467,7 +1467,7 @@

    Container is running without liveness probe

  • - Line number: 811 + Line number: 823
  • @@ -1519,7 +1519,7 @@

    Container is running without liveness probe

  • - Line number: 845 + Line number: 857
  • @@ -1571,7 +1571,7 @@

    Container is running without liveness probe

  • - Line number: 992 + Line number: 1004
  • @@ -1623,7 +1623,7 @@

    Container is running without liveness probe

  • - Line number: 1237 + Line number: 1249
  • @@ -1739,7 +1739,7 @@

    Container is running without memory limit

  • - Line number: 811 + Line number: 823
  • @@ -1797,7 +1797,7 @@

    Container is running without memory limit

  • - Line number: 845 + Line number: 857
  • @@ -1855,7 +1855,7 @@

    Container is running without memory limit

  • - Line number: 905 + Line number: 917
  • @@ -1913,7 +1913,7 @@

    Container is running without memory limit

  • - Line number: 992 + Line number: 1004
  • @@ -1971,7 +1971,7 @@

    Container is running without memory limit

  • - Line number: 1237 + Line number: 1249
  • @@ -2029,7 +2029,7 @@

    Container is running without memory limit

  • - Line number: 1049 + Line number: 1061
  • @@ -2087,7 +2087,7 @@

    Container is running without memory limit

  • - Line number: 1322 + Line number: 1334
  • @@ -2145,7 +2145,7 @@

    Container is running without memory limit

  • - Line number: 1638 + Line number: 1650
  • @@ -2201,7 +2201,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 735 + Line number: 747
  • @@ -2257,7 +2257,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 853 + Line number: 865
  • @@ -2313,7 +2313,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 828 + Line number: 840
  • @@ -2369,7 +2369,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 926 + Line number: 938
  • @@ -2425,7 +2425,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1002 + Line number: 1014
  • @@ -2481,7 +2481,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1244 + Line number: 1256
  • @@ -2537,7 +2537,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1210 + Line number: 1222
  • @@ -2593,7 +2593,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1548 + Line number: 1560
  • @@ -2649,7 +2649,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1786 + Line number: 1798
  • diff --git a/docs/snyk/v2.7.7/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.8.0-rc7/argocd-test.html similarity index 70% rename from docs/snyk/v2.7.7/ghcr.io_dexidp_dex_v2.37.0.html rename to docs/snyk/v2.8.0-rc7/argocd-test.html index 45783f437da31..2f25d5827e745 100644 --- a/docs/snyk/v2.7.7/ghcr.io_dexidp_dex_v2.37.0.html +++ b/docs/snyk/v2.8.0-rc7/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,26 +456,109 @@

    Snyk test report

    -

    July 9th 2023, 12:25:00 am (UTC+00:00)

    +

    August 6th 2023, 12:17:00 am (UTC+00:00)

    Scanned the following paths:
      -
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)
    • ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
    • +
    • /argo-cd/argoproj/argo-cd/v2 (gomodules)
    • /argo-cd (yarn)
    -
    0 known vulnerabilities
    -
    0 vulnerable dependency paths
    -
    786 dependencies
    +
    1 known vulnerabilities
    +
    1 vulnerable dependency paths
    +
    1851 dependencies

    - No known vulnerabilities detected. +
    +
    +

    Denial of Service (DoS)

    +
    + +
    + high severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + nhooyr.io/websocket +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v2@0.0.0 + + github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 + + nhooyr.io/websocket@1.8.6 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    nhooyr.io/websocket is a minimal and idiomatic WebSocket library for Go.

    +

    Affected versions of this package are vulnerable to Denial of Service (DoS). A double channel close panic is possible if a peer sent back multiple pongs for every ping. + If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and a panic would + occur.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade nhooyr.io/websocket to version 1.8.7 or higher.

    +

    References

    + + +
    + + + +
    +
    diff --git a/docs/snyk/v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html new file mode 100644 index 0000000000000..918845d798a4f --- /dev/null +++ b/docs/snyk/v2.8.0-rc7/ghcr.io_dexidp_dex_v2.37.0.html @@ -0,0 +1,1079 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    August 6th 2023, 12:17:09 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)
    • ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
    • ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)
    • +
    +
    + +
    +
    4 known vulnerabilities
    +
    22 vulnerable dependency paths
    +
    786 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    Improper Authentication

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

    +

    Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

    +

    The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

    +

    As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Regular Expression Complexity

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

    +

    However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Cross-site Scripting (XSS)

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the render1() function in render.go. Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be.

    +

    Details

    +

    A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

    +

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    +

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    +

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    +

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    +

    Types of attacks

    +

    There are a few methods by which XSS can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    +

    Affected environments

    +

    The following environments are susceptible to an XSS attack:

    +
      +
    • Web servers
    • +
    • Application servers
    • +
    • Web application environments
    • +
    +

    How to prevent

    +

    This section describes the top best practices designed to specifically protect your code:

    +
      +
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • +
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • +
    • Give users the option to disable client-side scripts.
    • +
    • Redirect invalid requests.
    • +
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • +
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • +
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.13.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-3817

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.37.0 + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    +

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v2.8.0-rc7/haproxy_2.6.14-alpine.html b/docs/snyk/v2.8.0-rc7/haproxy_2.6.14-alpine.html new file mode 100644 index 0000000000000..4afb600937e5f --- /dev/null +++ b/docs/snyk/v2.8.0-rc7/haproxy_2.6.14-alpine.html @@ -0,0 +1,1031 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    August 6th 2023, 12:17:14 am (UTC+00:00)

    +
    +
    + Scanned the following path: +
      +
    • haproxy:2.6.14-alpine (apk)
    • +
    +
    + +
    +
    3 known vulnerabilities
    +
    27 vulnerable dependency paths
    +
    18 dependencies
    +
    +
    +
    +
    +
    + + + + + + + +
    Project docker-image|haproxy
    Path haproxy:2.6.14-alpine
    Package Manager apk
    +
    +
    +
    +
    +

    Improper Authentication

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

    +

    Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

    +

    The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

    +

    As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Regular Expression Complexity

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

    +

    However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2023-3817

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Package Manager: alpine:3.18 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.1-r1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + .haproxy-rundeps@20230615.052124 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    • + Introduced through: + docker-image|haproxy@2.6.14-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

    +

    Issue summary: Checking excessively long DH keys or parameters may be very slow.

    +

    Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

    +

    The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

    +

    An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

    +

    The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

    +

    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

    +

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    +

    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v2.5.20/quay.io_argoproj_argocd_v2.5.20.html b/docs/snyk/v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html similarity index 60% rename from docs/snyk/v2.5.20/quay.io_argoproj_argocd_v2.5.20.html rename to docs/snyk/v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html index 075d3efc7f4f8..2419cd08f7c0a 100644 --- a/docs/snyk/v2.5.20/quay.io_argoproj_argocd_v2.5.20.html +++ b/docs/snyk/v2.8.0-rc7/quay.io_argoproj_argocd_v2.8.0-rc7.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,19 +456,19 @@

    Snyk test report

    -

    July 9th 2023, 12:33:12 am (UTC+00:00)

    +

    August 6th 2023, 12:17:35 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v2.5.20/argoproj/argocd (deb)
    • quay.io/argoproj/argocd:v2.5.20/argoproj/argo-cd/v2 (gomodules)
    • quay.io/argoproj/argocd:v2.5.20/kustomize/kustomize/v4 (gomodules)
    • quay.io/argoproj/argocd:v2.5.20/helm/v3 (gomodules)
    • quay.io/argoproj/argocd:v2.5.20/git-lfs/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.8.0-rc7/argoproj/argocd (deb)
    • quay.io/argoproj/argocd:v2.8.0-rc7/argoproj/argo-cd/v2 (gomodules)
    • quay.io/argoproj/argocd:v2.8.0-rc7/kustomize/kustomize/v5 (gomodules)
    • quay.io/argoproj/argocd:v2.8.0-rc7/helm/v3 (gomodules)
    • quay.io/argoproj/argocd:v2.8.0-rc7/git-lfs/git-lfs (gomodules)
    -
    30 known vulnerabilities
    -
    106 vulnerable dependency paths
    -
    2047 dependencies
    +
    17 known vulnerabilities
    +
    74 vulnerable dependency paths
    +
    2117 dependencies
    @@ -493,12 +493,12 @@

    Denial of Service (DoS)

  • Vulnerable module: - gopkg.in/yaml.v3 + nhooyr.io/websocket
  • Introduced through: - sigs.k8s.io/kustomize/kustomize/v4@* and gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b + github.com/argoproj/argo-cd/v2@* and nhooyr.io/websocket@v1.8.6
  • @@ -511,1142 +511,9 @@

    Detailed paths

    • Introduced through: - sigs.k8s.io/kustomize/kustomize/v4@* - - gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    gopkg.in/yaml.v3 is a YAML support package for the Go language.

    -

    Affected versions of this package are vulnerable to Denial of Service (DoS) via the Unmarshal function, which causes the program to crash when attempting to deserialize invalid input.

    -

    PoC

    -
    package main
    -        
    -        import (
    -            "gopkg.in/yaml.v3"
    -        )
    -        
    -        func main() {
    -            var t interface{}
    -            yaml.Unmarshal([]byte("0: [:!00 \xef"), &t)
    -        }
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade gopkg.in/yaml.v3 to version 3.0.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    NULL Pointer Dereference

    -
    - -
    - high severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - gopkg.in/yaml.v3 -
    • - -
    • Introduced through: - - sigs.k8s.io/kustomize/kustomize/v4@* and gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - sigs.k8s.io/kustomize/kustomize/v4@* - - gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    gopkg.in/yaml.v3 is a YAML support package for the Go language.

    -

    Affected versions of this package are vulnerable to NULL Pointer Dereference when parsing #\n-\n-\n0 via the parserc.go parser.

    -

    PoC

    -
    package main
    -        
    -        import (
    -            "gopkg.in/yaml.v3"
    -        )
    -        
    -        func main() {
    -            var t interface{}
    -            yaml.Unmarshal([]byte("#\n-\n-\n0"), &t)
    -        }
    -        
    -

    Remediation

    -

    Upgrade gopkg.in/yaml.v3 to version 3.0.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Denial of Service (DoS)

    -
    - -
    - high severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http2/hpack -
    • - -
    • Introduced through: - - sigs.k8s.io/kustomize/kustomize/v4@* and golang.org/x/net/http2/hpack@v0.0.0-20220127200216-cd36cc0744dd - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - sigs.k8s.io/kustomize/kustomize/v4@* - - golang.org/x/net/http2/hpack@v0.0.0-20220127200216-cd36cc0744dd - - - -
    • -
    • - Introduced through: - helm.sh/helm/v3@* - - golang.org/x/net/http2/hpack@v0.0.0-20220722155237-a158d28d115b - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Denial of Service (DoS) such that a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/http2/hpack to version 0.7.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Denial of Service

    -
    - -
    - high severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http2 -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* - - golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

    -

    Affected versions of this package are vulnerable to Denial of Service as an HTTP/2 connection can hang during closing if a shutdown was preempted by a fatal error.

    -

    Remediation

    -

    Upgrade golang.org/x/net/http2 to version 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Denial of Service (DoS)

    -
    - -
    - high severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http2 -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* - - golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

    -

    Affected versions of this package are vulnerable to Denial of Service (DoS) such that a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/http2 to version 0.7.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Validation of Integrity Check Value

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.5.20 and systemd/libsystemd0@249.11-0ubuntu3.9 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 systemd.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Validation of Integrity Check Value

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.5.20 and systemd/libsystemd0@249.11-0ubuntu3.9 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 systemd.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Validation of Integrity Check Value

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.5.20 and systemd/libsystemd0@249.11-0ubuntu3.9 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - procps/libprocps8@2:3.3.17-6ubuntu2 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux@2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux/bsdutils@1:2.37.2-4ubuntu3 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libsystemd0@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - util-linux@2.37.2-4ubuntu3 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - apt@2.4.9 - - apt/libapt-pkg6.0@2.4.9 - - systemd/libudev1@249.11-0ubuntu3.9 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    ** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 systemd.

    -

    References

    - - -
    - - - -
    -
    -

    Denial of Service (DoS)

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - gopkg.in/yaml.v2 -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and gopkg.in/yaml.v2@v2.2.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@* - - gopkg.in/yaml.v2@v2.2.4 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    gopkg.in/yaml.v2 is a YAML support package for the Go language.

    -

    Affected versions of this package are vulnerable to Denial of Service (DoS). It is possible for authorized users to send malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade gopkg.in/yaml.v2 to version 2.2.8 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Input Validation

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/text/language -
    • - -
    • Introduced through: - - sigs.k8s.io/kustomize/kustomize/v4@* and golang.org/x/text/language@v0.3.7 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - sigs.k8s.io/kustomize/kustomize/v4@* - - golang.org/x/text/language@v0.3.7 - - - -
    • -
    • - Introduced through: - helm.sh/helm/v3@* - - golang.org/x/text/language@v0.3.7 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing Accept-Language headers.

    -

    Remediation

    -

    Upgrade golang.org/x/text/language to version 0.3.8 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Incorrect Privilege Assignment

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/sys/unix -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* - - golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

    -

    Remediation

    -

    Upgrade golang.org/x/sys/unix to version 0.1.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Denial of Service (DoS)

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http2 -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* + github.com/argoproj/argo-cd/v2@* - golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b + nhooyr.io/websocket@v1.8.6 @@ -1658,8 +525,10 @@

      Detailed paths


      Overview

      -

      golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

      -

      Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.

      +

      nhooyr.io/websocket is a minimal and idiomatic WebSocket library for Go.

      +

      Affected versions of this package are vulnerable to Denial of Service (DoS). A double channel close panic is possible if a peer sent back multiple pongs for every ping. + If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and a panic would + occur.

      Details

      Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

      Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

      @@ -1673,24 +542,22 @@

      Details

    Remediation

    -

    Upgrade golang.org/x/net/http2 to version 0.4.0 or higher.

    +

    Upgrade nhooyr.io/websocket to version 1.8.7 or higher.

    References


    -

    Improper Input Validation

    +

    CVE-2023-4016

    @@ -1701,17 +568,17 @@

    Improper Input Validation

    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - go.mongodb.org/mongo-driver/bson/bsonrw + procps/libprocps8
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and go.mongodb.org/mongo-driver/bson/bsonrw@v1.1.2 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and procps/libprocps8@2:3.3.17-6ubuntu2
    @@ -1724,9 +591,29 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + procps/libprocps8@2:3.3.17-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + procps@2:3.3.17-6ubuntu2 + + procps/libprocps8@2:3.3.17-6ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 - go.mongodb.org/mongo-driver/bson/bsonrw@v1.1.2 + procps@2:3.3.17-6ubuntu2 @@ -1737,22 +624,22 @@

      Detailed paths


      -

      Overview

      -

      go.mongodb.org/mongo-driver/bson/bsonrw is a The MongoDB supported driver for Go.

      -

      Affected versions of this package are vulnerable to Improper Input Validation. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents.

      +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Ubuntu:22.04. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      +

      Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

      Remediation

      -

      Upgrade go.mongodb.org/mongo-driver/bson/bsonrw to version 1.5.1 or higher.

      +

      There is no fixed version for Ubuntu:22.04 procps.

      References


    @@ -1779,7 +666,7 @@

    CVE-2022-46908

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20, gnupg2/gpg@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7, gnupg2/gpg@2.2.27-3ubuntu2.1 and others
  • @@ -1791,7 +678,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1850,7 +737,7 @@

      Arbitrary Code Injection

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and shadow/passwd@1:4.8.1-2ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and shadow/passwd@1:4.8.1-2ubuntu2.1
    @@ -1863,7 +750,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1872,7 +759,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 adduser@3.118ubuntu5 @@ -1883,9 +770,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 shadow/passwd@1:4.8.1-2ubuntu2.1 @@ -1894,7 +781,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 shadow/login@1:4.8.1-2ubuntu2.1 @@ -1951,7 +838,7 @@

      Uncontrolled Recursion

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
    @@ -1964,7 +851,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -1973,7 +860,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 grep@3.7-1build1 @@ -2035,7 +922,7 @@

      Release of Invalid Pointer or Reference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and patch@2.7.6-7build2
    @@ -2048,7 +935,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 patch@2.7.6-7build2 @@ -2102,7 +989,7 @@

      Double Free

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and patch@2.7.6-7build2
    @@ -2115,7 +1002,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 patch@2.7.6-7build2 @@ -2153,7 +1040,7 @@

      References

    -

    Information Exposure

    +

    Improper Authentication

    @@ -2169,12 +1056,12 @@

    Information Exposure

  • Vulnerable module: - openssh/openssh-client + openssl/libssl3
  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and openssl/libssl3@3.0.2-0ubuntu1.10
  • @@ -2187,9 +1074,113 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + libfido2/libfido2-1@1.10.0-1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + openssh/openssh-client@1:8.9p1-3ubuntu0.3 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + ca-certificates@20230311ubuntu0.22.04.1 + + openssl@3.0.2-0ubuntu1.10 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + git@1:2.34.1-1ubuntu1.9 + + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 + + libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.1 + + pam/libpam-modules@1.4.0-11ubuntu2.3 + + libnsl/libnsl2@1.3.0-2build2 + + libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 + + krb5/libkrb5-3@1.19.2-2ubuntu0.2 + + openssl/libssl3@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + openssl@3.0.2-0ubuntu1.10 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 + + ca-certificates@20230311ubuntu0.22.04.1 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssl@3.0.2-0ubuntu1.10 @@ -2201,28 +1192,42 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu:22.04. +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu:22.04. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 openssh.

      +

      There is no fixed version for Ubuntu:22.04 openssl.

      References


    @@ -2248,7 +1253,7 @@

    CVE-2023-28531

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and openssh/openssh-client@1:8.9p1-3ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and openssh/openssh-client@1:8.9p1-3ubuntu0.3
  • @@ -2261,9 +1266,9 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 @@ -2285,6 +1290,7 @@

      References

    • ADVISORY
    • cve@mitre.org
    • cve@mitre.org
    • +
    • cve@mitre.org

    @@ -2317,7 +1323,7 @@

    NULL Pointer Dereference

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others
  • @@ -2329,33 +1335,33 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/dirmngr@2.2.27-3ubuntu2.1 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 - openldap/libldap-2.5-0@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-2.5-0@2.5.15+dfsg-0ubuntu0.22.04.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 - openldap/libldap-common@2.5.14+dfsg-0ubuntu0.22.04.2 + openldap/libldap-common@2.5.15+dfsg-0ubuntu0.22.04.1 @@ -2378,6 +1384,12 @@

      References

    • secalert@redhat.com
    • secalert@redhat.com
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com
    • +
    • secalert@redhat.com

    @@ -2410,7 +1422,7 @@

    Resource Exhaustion

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20, meta-common-packages@meta and others + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7, meta-common-packages@meta and others
  • @@ -2422,7 +1434,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 meta-common-packages@meta @@ -2447,6 +1459,7 @@

      References


      @@ -2478,7 +1491,7 @@

      Integer Overflow or Wraparound

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and krb5/libk5crypto3@1.19.2-2ubuntu0.2
    @@ -2491,7 +1504,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 krb5/libk5crypto3@1.19.2-2ubuntu0.2 @@ -2500,7 +1513,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 adduser@3.118ubuntu5 @@ -2521,7 +1534,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 adduser@3.118ubuntu5 @@ -2544,7 +1557,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 krb5/libkrb5-3@1.19.2-2ubuntu0.2 @@ -2553,7 +1566,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 adduser@3.118ubuntu5 @@ -2574,7 +1587,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2583,9 +1596,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 - openssh/openssh-client@1:8.9p1-3ubuntu0.1 + openssh/openssh-client@1:8.9p1-3ubuntu0.3 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2594,11 +1607,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 @@ -2607,11 +1620,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 git@1:2.34.1-1ubuntu1.9 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.13 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 @@ -2622,7 +1635,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 adduser@3.118ubuntu5 @@ -2641,7 +1654,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 meta-common-packages@meta @@ -2700,7 +1713,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and gnupg2/gpgv@2.2.27-3ubuntu2.1
    @@ -2713,7 +1726,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -2722,7 +1735,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 apt@2.4.9 @@ -2733,7 +1746,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2744,7 +1757,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2755,7 +1768,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2766,7 +1779,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2779,7 +1792,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2792,7 +1805,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -2801,7 +1814,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2812,7 +1825,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2825,7 +1838,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -2834,7 +1847,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2845,7 +1858,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -2854,7 +1867,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2865,7 +1878,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2874,7 +1887,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2885,7 +1898,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2898,7 +1911,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2911,7 +1924,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -2920,7 +1933,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2931,7 +1944,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2944,7 +1957,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2957,7 +1970,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -2966,7 +1979,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2977,7 +1990,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -2986,7 +1999,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2997,7 +2010,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -3006,7 +2019,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3017,7 +2030,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3076,7 +2089,7 @@

      Allocation of Resources Without Limits or Throttling

      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and glibc/libc-bin@2.35-0ubuntu3.1 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and glibc/libc-bin@2.35-0ubuntu3.1
    @@ -3089,7 +2102,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 glibc/libc-bin@2.35-0ubuntu3.1 @@ -3098,7 +2111,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 meta-common-packages@meta @@ -3157,7 +2170,7 @@

      Improper Input Validation

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20, git@1:2.34.1-1ubuntu1.9 and others + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7, git@1:2.34.1-1ubuntu1.9 and others
    @@ -3169,7 +2182,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 git@1:2.34.1-1ubuntu1.9 @@ -3180,7 +2193,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 git@1:2.34.1-1ubuntu1.9 @@ -3189,7 +2202,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 git-lfs@3.0.2-1ubuntu0.2 @@ -3223,150 +2236,6 @@

      References

      More about this vulnerability

    -
    -
    -

    CVE-2023-28322

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.5.20, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Certificate Validation

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.5.20, git@1:2.34.1-1ubuntu1.9 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 - - git@1:2.34.1-1ubuntu1.9 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.10 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu:22.04. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 curl.

    -

    References

    - - -
    - - -

    Improper Input Validation

    @@ -3390,7 +2259,7 @@

    Improper Input Validation

  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and coreutils@8.32-4.1ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and coreutils@8.32-4.1ubuntu1
  • @@ -3403,7 +2272,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 coreutils@8.32-4.1ubuntu1 @@ -3460,7 +2329,7 @@

      Out-of-bounds Write

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 and bash@5.1-6ubuntu1 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 and bash@5.1-6ubuntu1
    @@ -3473,7 +2342,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.5.20 + docker-image|quay.io/argoproj/argocd@v2.8.0-rc7 bash@5.1-6ubuntu1 diff --git a/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html b/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html new file mode 100644 index 0000000000000..609f13a881840 --- /dev/null +++ b/docs/snyk/v2.8.0-rc7/redis_7.0.11-alpine.html @@ -0,0 +1,1031 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
      +
      +
      +
      + + + Snyk - Open Source Security + + + + + + + +
      +

      Snyk test report

      + +

      August 6th 2023, 12:17:39 am (UTC+00:00)

      +
      +
      + Scanned the following path: +
        +
      • redis:7.0.11-alpine (apk)
      • +
      +
      + +
      +
      3 known vulnerabilities
      +
      27 vulnerable dependency paths
      +
      18 dependencies
      +
      +
      +
      +
      +
      + + + + + + + +
      Project docker-image|redis
      Path redis:7.0.11-alpine
      Package Manager apk
      +
      +
      +
      +
      +

      Improper Authentication

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: The AES-SIV cipher implementation contains a bug that causes + it to ignore empty associated data entries which are unauthenticated as + a consequence.

      +

      Impact summary: Applications that use the AES-SIV algorithm and want to + authenticate empty data entries as associated data can be mislead by removing + adding or reordering such empty entries as these are ignored by the OpenSSL + implementation. We are currently unaware of any such applications.

      +

      The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with + NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such a call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated.

      +

      As this issue does not affect non-empty associated data authentication and + we expect it to be rare for an application to use empty associated data + entries this is qualified as Low severity issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r2 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      Inefficient Regular Expression Complexity

      +
      + +
      + medium severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. One of those + checks confirms that the modulus ('p' parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use a modulus which + is over 10,000 bits in length.

      +

      However the DH_check() function checks numerous aspects of the key or parameters + that have been supplied. Some of those checks use the supplied modulus value + even if it has already been found to be too large.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulernable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the '-check' option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue. + The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.1-r3 or higher.

      +

      References

      + + +
      + + + +
      +
      +

      CVE-2023-3817

      +
      + +
      + low severity +
      + +
      + +
        +
      • + Package Manager: alpine:3.18 +
      • +
      • + Vulnerable module: + + openssl/libcrypto3 +
      • + +
      • Introduced through: + + docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 + +
      • +
      + +
      + + +

      Detailed paths

      + +
        +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + openssl/libcrypto3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + .redis-rundeps@20230614.215749 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + apk-tools/apk-tools@2.14.0-r2 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      • + Introduced through: + docker-image|redis@7.0.11-alpine + + busybox/ssl_client@1.36.1-r0 + + openssl/libssl3@3.1.1-r1 + + + +
      • +
      + +
      + +
      + +

      NVD Description

      +

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine:3.18. + See How to fix? for Alpine:3.18 relevant fixed versions and status.

      +

      Issue summary: Checking excessively long DH keys or parameters may be very slow.

      +

      Impact summary: Applications that use the functions DH_check(), DH_check_ex() + or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long + delays. Where the key or parameters that are being checked have been obtained + from an untrusted source this may lead to a Denial of Service.

      +

      The function DH_check() performs various checks on DH parameters. After fixing + CVE-2023-3446 it was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A correct q value, + if present, cannot be larger than the modulus p parameter, thus it is + unnecessary to perform these checks if q is larger than p.

      +

      An application that calls DH_check() and supplies a key or parameters obtained + from an untrusted source could be vulnerable to a Denial of Service attack.

      +

      The function DH_check() is itself called by a number of other OpenSSL functions. + An application calling any of those other functions may similarly be affected. + The other functions affected by this are DH_check_ex() and + EVP_PKEY_param_check().

      +

      Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications + when using the "-check" option.

      +

      The OpenSSL SSL/TLS implementation is not affected by this issue.

      +

      The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

      +

      Remediation

      +

      Upgrade Alpine:3.18 openssl to version 3.1.2-r0 or higher.

      +

      References

      + + +
      + + + +
      +
      +
      +
      + + + diff --git a/docs/user-guide/build-environment.md b/docs/user-guide/build-environment.md index 56f6e6b436463..8e2448f4f9e7f 100644 --- a/docs/user-guide/build-environment.md +++ b/docs/user-guide/build-environment.md @@ -3,10 +3,11 @@ [Custom tools](../operator-manual/config-management-plugins.md), [Helm](helm.md), [Jsonnet](jsonnet.md), and [Kustomize](kustomize.md) support the following build env vars: | Variable | Description | -| ----------------------------------- | ----------------------------------------------------------------------- | +|-------------------------------------|-------------------------------------------------------------------------| | `ARGOCD_APP_NAME` | The name of the application. | | `ARGOCD_APP_NAMESPACE` | The destination namespace of the application. | | `ARGOCD_APP_REVISION` | The resolved revision, e.g. `f913b6cbf58aa5ae5ca1f8a2b149477aebcbd9d8`. | +| `ARGOCD_APP_REVISION_SHORT` | The resolved short revision, e.g. `f913b6c`. | | `ARGOCD_APP_SOURCE_PATH` | The path of the app within the source repo. | | `ARGOCD_APP_SOURCE_REPO_URL` | The source repo URL. | | `ARGOCD_APP_SOURCE_TARGET_REVISION` | The target revision from the spec, e.g. `master`. | diff --git a/docs/user-guide/helm.md b/docs/user-guide/helm.md index bf5fbfdb186e6..5c8b8c020adf5 100644 --- a/docs/user-guide/helm.md +++ b/docs/user-guide/helm.md @@ -54,7 +54,7 @@ source: Argo CD supports the equivalent of a values file directly in the Application manifest using the `source.helm.valuesObject` key. -``` +```yaml source: helm: valuesObject: @@ -75,7 +75,7 @@ source: Alternatively, values can be passed in as a string using the `source.helm.values` key. -``` +```yaml source: helm: values: | @@ -254,7 +254,7 @@ One way to use this plugin is to prepare your own ArgoCD image where it is inclu Example `Dockerfile`: -``` +```dockerfile FROM argoproj/argocd:v1.5.7 USER root 
@@ -284,7 +284,7 @@ Some users find this pattern preferable to maintaining their own version of the Below is an example of how to add Helm plugins when installing ArgoCD with the [official ArgoCD helm chart](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd): -``` +```yaml repoServer: volumes: - name: gcp-credentials diff --git a/examples/k8s-rbac/argocd-server-applications/argocd-server-rbac-clusterrole.yaml b/examples/k8s-rbac/argocd-server-applications/argocd-server-rbac-clusterrole.yaml index 20e93dbada6d2..a8d6c021c4e2e 100644 --- a/examples/k8s-rbac/argocd-server-applications/argocd-server-rbac-clusterrole.yaml +++ b/examples/k8s-rbac/argocd-server-applications/argocd-server-rbac-clusterrole.yaml @@ -7,6 +7,12 @@ metadata: app.kubernetes.io/component: server name: argocd-server-cluster-apps rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create - apiGroups: - "argoproj.io" resources: diff --git a/go.mod b/go.mod index 682c448d01c0d..1aacf12a538fe 100644 --- a/go.mod +++ b/go.mod 
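Review bot: The rule added to `argocd-server-cluster-apps` grants `create` on core-group `events` through a ClusterRole, so once it is bound cluster-wide the server's service account can write Events into every namespace, and nothing in the file says why. Presumably it is there so argocd-server can record events for Applications that live outside its own namespace; if so, put that above the rule, e.g. `# lets argocd-server emit Events for Applications in any namespace`. The binding is not part of this hunk, but where only a fixed set of application namespaces is allowed, binding this role with per-namespace RoleBindings instead of a ClusterRoleBinding would keep event creation out of unrelated namespaces, and the example's docs should say so. The `rules:` list continues past the end of the hunk.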
@@ -4,27 +4,28 @@ go 1.19 require ( code.gitea.io/sdk/gitea v0.15.1 + github.com/Azure/kubelogin v0.0.20 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible github.com/Masterminds/semver/v3 v3.2.1 github.com/Masterminds/sprig/v3 v3.2.3 github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d github.com/alicebob/miniredis/v2 v2.30.4 - github.com/antonmedv/expr v1.12.5 + github.com/antonmedv/expr v1.12.7 github.com/argoproj/gitops-engine v0.7.1-0.20230809134534-ed7c77a9290b github.com/argoproj/notifications-engine v0.4.1-0.20230620204159-3446d4ae8520 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1 - github.com/aws/aws-sdk-go v1.44.298 + github.com/aws/aws-sdk-go v1.44.317 github.com/bmatcuk/doublestar/v4 v4.6.0 github.com/bombsimon/logrusr/v2 v2.0.1 - github.com/bradleyfalzon/ghinstallation/v2 v2.5.0 - github.com/casbin/casbin/v2 v2.71.1 + github.com/bradleyfalzon/ghinstallation/v2 v2.6.0 + github.com/casbin/casbin/v2 v2.73.0 github.com/coreos/go-oidc/v3 v3.6.0 github.com/cyphar/filepath-securejoin v0.2.3 github.com/dustin/go-humanize v1.0.1 github.com/evanphx/json-patch v5.6.0+incompatible github.com/fsnotify/fsnotify v1.6.0 github.com/gfleury/go-bitbucket-v1 v0.0.0-20220301131131-8e7ed04b843e - github.com/go-git/go-git/v5 v5.7.0 + github.com/go-git/go-git/v5 v5.8.1 github.com/go-logr/logr v1.2.4 github.com/go-openapi/loads v0.21.2 github.com/go-openapi/runtime v0.26.0 @@ -52,7 +53,7 @@ require ( github.com/itchyny/gojq v0.12.13 github.com/jeremywohl/flatten v1.0.1 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 - github.com/ktrysmt/go-bitbucket v0.9.61 + github.com/ktrysmt/go-bitbucket v0.9.63 github.com/mattn/go-isatty v0.0.19 github.com/mattn/go-zglob v0.0.4 github.com/microsoft/azure-devops-go-api/azuredevops v1.0.0-b5 
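Review bot: `github.com/Azure/kubelogin v0.0.20` is a new direct requirement added in the middle of routine version bumps, and since it is a credential-handling module it should be called out separately in the commit description rather than read as one more bump. The later hunk `@@ -96,17 +97,30 @@` shows the indirect modules that appear to arrive with it: the Azure identity SDK packages, `microsoft-authentication-library-for-go`, `github.com/pkg/browser`, and `github.com/golang-jwt/jwt v3.2.2+incompatible`, the last of which is on the pre-module v3 line. I would add a trailing comment naming the consumer, e.g. `github.com/Azure/kubelogin v0.0.20 // imported by <package>`, and confirm with `go mod why -m` that each new indirect module is reachable only through it. The `require (` block continues outside this hunk.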
@@ -70,17 +71,17 @@ require ( github.com/stretchr/testify v1.8.4 github.com/valyala/fasttemplate v1.2.2 github.com/whilp/git-urls v1.0.0 - github.com/xanzy/go-gitlab v0.86.0 + github.com/xanzy/go-gitlab v0.89.0 github.com/yuin/gopher-lua v1.1.0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 go.opentelemetry.io/otel v1.16.0 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0 go.opentelemetry.io/otel/sdk v1.16.0 - golang.org/x/crypto v0.11.0 + golang.org/x/crypto v0.12.0 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 - golang.org/x/oauth2 v0.10.0 + golang.org/x/oauth2 v0.11.0 golang.org/x/sync v0.3.0 - golang.org/x/term v0.10.0 + golang.org/x/term v0.11.0 google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc google.golang.org/grpc v1.56.2 google.golang.org/protobuf v1.31.0 
@@ -96,17 +97,30 @@ require ( k8s.io/klog/v2 v2.70.1 k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8 k8s.io/kubectl v0.24.2 - k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 + k8s.io/utils v0.0.0-20220706174534-f6158b442e7c layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427 oras.land/oras-go/v2 v2.2.1 sigs.k8s.io/controller-runtime v0.11.0 - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 + sigs.k8s.io/structured-merge-diff/v4 v4.3.0 sigs.k8s.io/yaml v1.3.0 ) require ( + dario.cat/mergo v1.0.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v0.5.2 // indirect + github.com/golang-jwt/jwt v3.2.2+incompatible // indirect + github.com/kylelemons/godebug v1.1.0 // indirect + github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/tidwall/gjson v1.14.4 // indirect + github.com/tidwall/match v1.1.1 // indirect + github.com/tidwall/pretty v1.2.0 // indirect google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect + gopkg.in/retry.v1 v1.0.3 // indirect + k8s.io/klog v1.0.0 // indirect ) require ( 
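Review bot: Among the indirect requirements added to this `require` block, `github.com/golang-jwt/jwt v3.2.2+incompatible` puts a second JWT library into the module graph, since the go.sum context lines in this same commit already carry `github.com/golang-jwt/jwt/v4 v4.5.0`. The v3 entry most likely arrives through the Azure identity/MSAL chain behind the new kubelogin requirement, though the hunk does not show which module asks for it; `go mod why -m github.com/golang-jwt/jwt` would confirm. Because token parsing is security-sensitive, I would record the answer above the entry, e.g. `// needed by <importing module>; drop once it moves to golang-jwt/jwt/v4 or later`, and run a vulnerability scan such as `govulncheck ./...` against the new graph before merging. The other new entries (`azcore v1.1.1`, `azidentity v1.1.0`, `microsoft-authentication-library-for-go v0.5.2`) are presumably the versions kubelogin v0.0.20 selects, so it is worth checking whether a newer kubelogin release raises them.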
@@ -114,16 +128,16 @@ require ( cloud.google.com/go/compute/metadata v0.2.3 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.18 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect + github.com/Azure/go-autorest/autorest v0.11.27 // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect github.com/Masterminds/goutils v1.1.1 // indirect - github.com/Microsoft/go-winio v0.5.2 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect github.com/PagerDuty/go-pagerduty v1.6.0 // indirect - github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect + github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20210112200207-10ab4d695d60 // indirect github.com/acomagu/bufpipe v1.0.4 // indirect github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect @@ -143,10 +157,9 @@ require ( github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect github.com/fatih/camelcase v1.0.0 // indirect github.com/felixge/httpsnoop v1.0.3 // indirect - github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect github.com/fvbommel/sortorder v1.0.1 // indirect github.com/ghodss/yaml v1.0.0 // indirect - github.com/go-errors/errors v1.0.1 // indirect + github.com/go-errors/errors v1.4.2 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.4.1 // indirect github.com/go-jose/go-jose/v3 v3.0.0 // indirect 
@@ -162,12 +175,12 @@ require ( github.com/go-telegram-bot-api/telegram-bot-api/v5 v5.5.1 // indirect github.com/golang/glog v1.1.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/google/btree v1.0.1 // indirect - github.com/google/gnostic v0.5.7-v3refs // indirect + github.com/google/btree v1.1.2 // indirect + github.com/google/gnostic v0.6.9 // indirect github.com/google/go-github/v41 v41.0.0 // indirect - github.com/google/go-github/v53 v53.0.0 // indirect + github.com/google/go-github/v53 v53.2.0 // indirect github.com/google/go-querystring v1.1.0 // indirect - github.com/google/gofuzz v1.1.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect github.com/gosimple/unidecode v1.0.1 // indirect github.com/gregdel/pushover v1.1.0 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect @@ -216,7 +229,7 @@ require ( github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sergi/go-diff v1.1.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect - github.com/skeema/knownhosts v1.1.1 // indirect + github.com/skeema/knownhosts v1.2.0 // indirect github.com/slack-go/slack v0.12.1 // indirect github.com/spf13/cast v1.5.0 // indirect github.com/stretchr/objx v0.5.0 // indirect 
@@ -225,18 +238,18 @@ require ( github.com/vmihailenco/msgpack/v5 v5.3.4 // indirect github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect - github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect + github.com/xlab/treeprint v1.1.0 // indirect go.mongodb.org/mongo-driver v1.11.3 // indirect go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 // indirect go.opentelemetry.io/otel/metric v1.16.0 // indirect go.opentelemetry.io/otel/trace v1.16.0 // indirect go.opentelemetry.io/proto/otlp v0.19.0 // indirect - go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect + go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd // indirect golang.org/x/mod v0.9.0 // indirect - golang.org/x/net v0.12.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/text v0.11.0 // indirect + golang.org/x/net v0.14.0 // indirect + golang.org/x/sys v0.11.0 // indirect + golang.org/x/text v0.12.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.7.0 // indirect gomodules.xyz/envconfig v1.3.1-0.20190308184047-426f31af0d45 // indirect @@ -255,9 +268,9 @@ require ( k8s.io/kube-aggregator v0.24.2 // indirect k8s.io/kubernetes v1.24.2 // indirect nhooyr.io/websocket v1.8.6 // indirect - sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect - sigs.k8s.io/kustomize/api v0.11.4 // indirect - sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect + sigs.k8s.io/json v0.0.0-20220525155127-227cbc7cc124 // indirect + sigs.k8s.io/kustomize/api v0.11.5 // indirect + sigs.k8s.io/kustomize/kyaml v0.13.7 // indirect ) replace ( diff --git a/go.sum b/go.sum index a498b0fec59a4..7dec9167e7cea 100644 --- a/go.sum +++ b/go.sum 
@@ -602,29 +602,45 @@ cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcP code.gitea.io/gitea-vet v0.2.1/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE= code.gitea.io/sdk/gitea v0.15.1 h1:WJreC7YYuxbn0UDaPuWIe/mtiNKTvLN8MLkaw71yx/M= code.gitea.io/sdk/gitea v0.15.1/go.mod h1:klY2LVI3s3NChzIk/MzMn7G1FHrfU7qd63iSMVoHRBA= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= dmitri.shuralyov.com/gpu/mtl v0.0.0-20201218220906-28db891af037/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= github.com/Azure/azure-sdk-for-go v55.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 h1:tz19qLF65vuu2ibfTqGVJxG/zZAI27NEIIbvAOQwYbw= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible 
h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= -github.com/Azure/go-autorest/autorest/adal v0.9.13 h1:Mp5hbtOePIzM8pJVRa3YLrWWmZtoxRXqUEzCfJt3+/Q= +github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= +github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= +github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= +github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= 
github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/Azure/kubelogin v0.0.20 h1:pDJhxzUWk2f/wjYQJFb0Vet7OYrcg6DLx1qj+sbXY70= +github.com/Azure/kubelogin v0.0.20/go.mod h1:QNuYUuwM2lqho9ovG5U/yv3/ZmFbEru3Jluw2ZeKcSk= +github.com/AzureAD/microsoft-authentication-library-for-go v0.5.2 h1:BGX4OiGP9htYSd6M3pAZctcUUSruhIAUVkv2X0Cn9yE= +github.com/AzureAD/microsoft-authentication-library-for-go v0.5.2/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/GoogleCloudPlatform/k8s-cloud-provider v1.16.1-0.20210702024009-ea6160c1d0e3/go.mod h1:8XasY4ymP2V/tn2OOV9ZadmiTE1FIB/h3W+yNlPttKw= 
@@ -645,8 +661,9 @@ github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= github.com/Microsoft/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/Microsoft/hcsshim v0.8.22/go.mod h1:91uVCVzvX2QD16sMCenoxxXo6L1wJnLMX2PSufFMtF0= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= 
@@ -654,8 +671,8 @@ github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAE github.com/PagerDuty/go-pagerduty v1.6.0 h1:am81SzvG5Pw+s3JZ5yEy6kGvsXXklTNRrGr3d8WKpsU= github.com/PagerDuty/go-pagerduty v1.6.0/go.mod h1:7eaBLzsDpK7VUvU0SJ5mohczQkoWrrr5CjDaw5gh1as= github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g= -github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 h1:ZK3C5DtzV2nVAQTx5S5jQvMeDqWtD1By5mOoyY/xJek= -github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903/go.mod h1:8TI4H3IbrackdNgv+92dI+rhpCaLqM0IfpgCgenFvRE= +github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 h1:KLq8BE0KwCL+mmXnjLWEAOYO+2l2AE4YMmqG1ZpZHBs= +github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20210112200207-10ab4d695d60 h1:prBTRx78AQnXzivNT9Crhu564W/zPPr3ibSlpT9xKcE= 
@@ -685,8 +702,8 @@ github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHG github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= -github.com/antonmedv/expr v1.12.5 h1:Fq4okale9swwL3OeLLs9WD9H6GbgBLJyN/NUHRv+n0E= -github.com/antonmedv/expr v1.12.5/go.mod h1:FPC8iWArxls7axbVLsW+kpg1mz29A1b2M6jt+hZfDkU= +github.com/antonmedv/expr v1.12.7 h1:jfV/l/+dHWAadLwAtESXNxXdfbK9bE4+FNMHYCMntwk= +github.com/antonmedv/expr v1.12.7/go.mod h1:FPC8iWArxls7axbVLsW+kpg1mz29A1b2M6jt+hZfDkU= github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0Ih0vcRo/gZ1M0= github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= 
@@ -720,8 +737,8 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= github.com/aws/aws-sdk-go v1.38.49/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.44.289/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= -github.com/aws/aws-sdk-go v1.44.298 h1:5qTxdubgV7PptZJmp/2qDwD2JL187ePL7VOxsSh1i3g= -github.com/aws/aws-sdk-go v1.44.298/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= +github.com/aws/aws-sdk-go v1.44.317 h1:+8XWrLmGMwPPXSRSLPzhgcGnzJ2mYkgkrcB9C/GnSOU= +github.com/aws/aws-sdk-go v1.44.317/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= 
@@ -742,16 +759,17 @@ github.com/bombsimon/logrusr/v2 v2.0.1 h1:1VgxVNQMCvjirZIYaT9JYn6sAVGVEcNtRE0y4m github.com/bombsimon/logrusr/v2 v2.0.1/go.mod h1:ByVAX+vHdLGAfdroiMg6q0zgq2FODY2lc5YJvzmOJio= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/bradleyfalzon/ghinstallation/v2 v2.5.0 h1:yaYcGQ7yEIGbsJfW/9z7v1sLiZg/5rSNNXwmMct5XaE= -github.com/bradleyfalzon/ghinstallation/v2 v2.5.0/go.mod h1:amcvPQMrRkWNdueWOjPytGL25xQGzox7425qMgzo+Vo= +github.com/bradleyfalzon/ghinstallation/v2 v2.6.0 h1:IRY7Xy588KylkoycsUhFpW7cdGpy5Y5BPsz4IfuJtGk= +github.com/bradleyfalzon/ghinstallation/v2 v2.6.0/go.mod h1:oQ3etOwN3TRH4EwgW5/7MxSVMGlMlzG/O8TU7eYdoSk= github.com/bsm/ginkgo/v2 v2.7.0 h1:ItPMPH90RbmZJt5GtkcNvIRuGEdwlBItdNVoyzaNQao= github.com/bsm/gomega v1.26.0 h1:LhQm+AFcgV2M0WyKroMASzAzCAJVpAxQXv4SaI9a69Y= +github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bwmarrin/discordgo v0.19.0/go.mod h1:O9S4p+ofTFwB02em7jkpkV8M3R0/PUVOwN61zSZ0r4Q= github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= -github.com/casbin/casbin/v2 v2.71.1 h1:LRHyqM0S1LzM/K59PmfUIN0ZJfLgcOjL4OhOQI/FNXU= -github.com/casbin/casbin/v2 v2.71.1/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg= +github.com/casbin/casbin/v2 v2.73.0 h1:Qgy70fd90wXrDvSLBAFrDBNYv34lCqppK24vF0OHv/M= +github.com/casbin/casbin/v2 v2.73.0/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk= github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= 
github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= @@ -854,6 +872,7 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c= github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= 
@@ -912,14 +931,15 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= -github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= +github.com/frankban/quicktest v1.2.2/go.mod h1:Qh/WofXFeiAFII1aEBu529AtJo6Zg2VHscnEsbBnJ20= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 
@@ -940,8 +960,9 @@ github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmC github.com/gin-gonic/gin v1.6.3 h1:ahKqKTFpO5KTPHxWZjEdPScmYaGtLo8Y4DMHoEsnp14= github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M= github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= -github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w= github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= +github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks= github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY= 
@@ -952,8 +973,8 @@ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmS github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8= -github.com/go-git/go-git/v5 v5.7.0 h1:t9AudWVLmqzlo+4bqdf7GY+46SUuRsx59SboFxkq2aE= -github.com/go-git/go-git/v5 v5.7.0/go.mod h1:coJHKEOk5kUClpsNlXrUvPrDxY3w3gjHvhcZd8Fodw8= +github.com/go-git/go-git/v5 v5.8.1 h1:Zo79E4p7TRk0xoRgMq0RShiTHGKcKI4+DI6BfJc/Q+A= +github.com/go-git/go-git/v5 v5.8.1/go.mod h1:FHFuoD6yGz5OSKEBK+aWN9Oah0q54Jxl0abmj6GnqAo= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 
@@ -1086,6 +1107,11 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= +github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= +github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= +github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= 
@@ -1119,15 +1145,18 @@ github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEW github.com/golangplus/testing v0.0.0-20180327235837-af21d9c3145e/go.mod h1:0AA//k/eakGydO4jKRoRL2j92ZKSzTgj9tclaCrvXHk= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= +github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/cadvisor v0.44.1/go.mod h1:GQ9KQfz0iNHQk3D6ftzJWK4TXabfIgM10Oy3FkR+Gzg= github.com/google/cel-go v0.10.1/go.mod h1:U7ayypeSkw23szu4GaQTPJGx66c20mx8JklMSxrmI1w= github.com/google/cel-spec v0.6.0/go.mod h1:Nwjgxy5CbjlPrtCWjeDjUyKMl8w41YBYGjsyDdqk0xA= github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= -github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0= +github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.2.1-0.20190312032427-6f77996f0c42/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 
@@ -1147,16 +1176,17 @@ github.com/google/go-github/v35 v35.3.0 h1:fU+WBzuukn0VssbayTT+Zo3/ESKX9JYWjbZTL github.com/google/go-github/v35 v35.3.0/go.mod h1:yWB7uCcVWaUbUP74Aq3whuMySRMatyRmq5U9FTNlbio= github.com/google/go-github/v41 v41.0.0 h1:HseJrM2JFf2vfiZJ8anY2hqBjdfY1Vlj/K27ueww4gg= github.com/google/go-github/v41 v41.0.0/go.mod h1:XgmCA5H323A9rtgExdTcnDkcqp6S30AVACCBDOonIxg= -github.com/google/go-github/v53 v53.0.0 h1:T1RyHbSnpHYnoF0ZYKiIPSgPtuJ8G6vgc0MKodXsQDQ= -github.com/google/go-github/v53 v53.0.0/go.mod h1:XhFRObz+m/l+UCm9b7KSIC3lT3NWSXGt7mOsAWEloao= +github.com/google/go-github/v53 v53.2.0 h1:wvz3FyF53v4BK+AsnvCmeNhf8AkTaeh2SoYu/XUvTtI= +github.com/google/go-github/v53 v53.2.0/go.mod h1:XhFRObz+m/l+UCm9b7KSIC3lT3NWSXGt7mOsAWEloao= github.com/google/go-jsonnet v0.20.0 h1:WG4TTSARuV7bSm4PMB4ohjxe33IHT5WVTrJSU33uT4g= github.com/google/go-jsonnet v0.20.0/go.mod h1:VbgWF9JX7ztlv770x/TolZNGGFfiHEVx9G6ca2eUmeA= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 
@@ -1381,8 +1411,10 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/ktrysmt/go-bitbucket v0.9.61 h1:D91llgR+g+lPBafyb1bKZpeoqSiXE4UcObACwVXMA44= -github.com/ktrysmt/go-bitbucket v0.9.61/go.mod h1:QvxNfWkVjw8mPuvfGOgWHuv51P5yZKFqXdPh0JeG8B8= +github.com/ktrysmt/go-bitbucket v0.9.63 h1:Dfcl+h0FV2yRDWjyFkI1OnyzmkHn7zy9ljT0kgrkbX8= +github.com/ktrysmt/go-bitbucket v0.9.63/go.mod h1:QvxNfWkVjw8mPuvfGOgWHuv51P5yZKFqXdPh0JeG8B8= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw= github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y= github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= @@ -1484,6 +1516,7 @@ github.com/mohae/deepcopy v0.0.0-20170603005431-491d3605edfb/go.mod h1:TaXosZuwd github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= +github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= 
@@ -1592,6 +1625,9 @@ github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= +github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -1660,6 +1696,8 @@ github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis= github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs= github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= +github.com/rogpeppe/clock v0.0.0-20190514195947-2896927a307a h1:3QH7VyOaaiUHNrA9Se4YQIRkDTCw1EJls9xTUCaCeRM= +github.com/rogpeppe/clock v0.0.0-20190514195947-2896927a307a/go.mod h1:4r5QyqhjIWCcK8DO4KMclc5Iknq5qVBAlbYYzAbUScQ= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 
@@ -1699,8 +1737,8 @@ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/skeema/knownhosts v1.1.1 h1:MTk78x9FPgDFVFkDLTrsnnfCJl7g1C/nnKvePgrIngE= -github.com/skeema/knownhosts v1.1.1/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo= +github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM= +github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo= github.com/skratchdot/open-golang v0.0.0-20160302144031-75fb7ed4208c h1:fyKiXKO1/I/B6Y2U8T7WdQGWzwehOuGIrljPtt7YTTI= github.com/skratchdot/open-golang v0.0.0-20160302144031-75fb7ed4208c/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/slack-go/slack v0.12.1 h1:X97b9g2hnITDtNsNe5GkGx6O2/Sz/uC20ejRZN6QxOw= 
@@ -1767,8 +1805,13 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4= +github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM= +github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= 
@@ -1797,8 +1840,8 @@ github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= github.com/whilp/git-urls v1.0.0 h1:95f6UMWN5FKW71ECsXRUd3FVYiXdrE7aX4NZKcPmIjU= github.com/whilp/git-urls v1.0.0/go.mod h1:J16SAmobsqc3Qcy98brfl5f5+e0clUvg1krgwk/qCfE= -github.com/xanzy/go-gitlab v0.86.0 h1:jR8V9cK9jXRQDb46KOB20NCF3ksY09luaG0IfXE6p7w= -github.com/xanzy/go-gitlab v0.86.0/go.mod h1:5ryv+MnpZStBH8I/77HuQBsMbBGANtVpLWC15qOjWAw= +github.com/xanzy/go-gitlab v0.89.0 h1:yJuy1Pw+to/NqHzVIiopt/VApoHvGDB5SEGuRs3EJpI= +github.com/xanzy/go-gitlab v0.89.0/go.mod h1:5ryv+MnpZStBH8I/77HuQBsMbBGANtVpLWC15qOjWAw= github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= 
@@ -1806,9 +1849,13 @@ github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+ github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca h1:1CFlNzQhALwjS9mBAUkycX616GzgsuYUOCHA5+HSlXI= github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg= +github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= +github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -1882,8 +1929,9 @@ go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqe go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw= go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= -go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= +go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd h1:Uo/x0Ir5vQJ+683GXB9Ug+4fcjsbp7z7Ul8UaZbhsRM= +go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd/go.mod h1:t3mmBBPzAVvK0L0n1drDmrQsJ8FoIx4INCqVMTr/Zo0= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= @@ -1922,6 +1970,7 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= 
@@ -1931,8 +1980,9 @@ golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2Uz golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= +golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -2083,8 +2133,9 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= -golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -2117,8 +2168,9 @@ golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= -golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= +golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= +golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -2228,6 +2280,7 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210608053332-aa57babbf139/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -2275,8 +2328,9 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -2288,8 +2342,9 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= -golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= +golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= +golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -2307,8 +2362,9 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -2749,6 +2805,8 @@ gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/retry.v1 v1.0.3 h1:a9CArYczAVv6Qs6VGoLMio99GEs7kY9UzSF9+LD+iGs= +gopkg.in/retry.v1 v1.0.3/go.mod h1:FJkXmWiMaAo7xB+xhvDF59zhfjDWyzmyAxiT4dB688g= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= 
@@ -2800,6 +2858,8 @@ k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 h1:TT1WdmqqXareKxZ/oNXEUSwKlLiHzPMyB0t8BaFeBYI= k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= @@ -2812,6 +2872,7 @@ k8s.io/kube-aggregator v0.24.2/go.mod h1:Ju2jNDixn+vqeeKEBfjfpc204bO1pbdXX0N9knC k8s.io/kube-controller-manager v0.24.2/go.mod h1:KDE0yqiEvxYiO0WRpPA4rVx8AcK1vsWydUF37AJ9lTI= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= +k8s.io/kube-openapi v0.0.0-20220401212409-b28bf2818661/go.mod h1:daOouuuwd9JXpv1L7Y34iV3yf6nxzipkKMWWlqlvK9M= k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8 h1:yEQKdMCjzAOvGeiTwG4hO/hNVNtDOuUFvMUZ0OlaIzs= k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8/go.mod h1:mbJ+NSUoAhuR14N0S63bPkh8MGVSo3VYSGZtH/mfMe0= k8s.io/kube-proxy v0.24.2/go.mod h1:bozS2ufl/Ns6s40Ue34eV7rqyLVygi5usSmCgW7rFU8= 
@@ -2829,8 +2890,9 @@ k8s.io/sample-apiserver v0.24.2/go.mod h1:mf8qgDdu450wqpCJOkSAmoTgU4PIMAcfa5uTBw k8s.io/system-validators v1.7.0/go.mod h1:gP1Ky+R9wtrSiFbrpEPwWMeYz9yqyy1S/KOh0Vci7WI= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc= k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20220706174534-f6158b442e7c h1:hFZO68mv/0xe8+V0gRT9BAq3/31cKjjeVv4nScriuBk= +k8s.io/utils v0.0.0-20220706174534-f6158b442e7c/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427 h1:RZkKxMR3jbQxdCEcglq3j7wY3PRJIopAwBlx1RE71X0= layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427/go.mod h1:ivKkcY8Zxw5ba0jldhZCYYQfGdb2K6u9tbYK1AwMIBc= lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= 
@@ -2883,18 +2945,21 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw= sigs.k8s.io/controller-runtime v0.11.0 h1:DqO+c8mywcZLFJWILq4iktoECTyn30Bkj0CwgqMpZWQ= sigs.k8s.io/controller-runtime v0.11.0/go.mod h1:KKwLiTooNGu+JmLZGn9Sl3Gjmfj66eMbCQznLP5zcqA= -sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= -sigs.k8s.io/kustomize/api v0.11.4 h1:/0Mr3kfBBNcNPOW5Qwk/3eb8zkswCwnqQxxKtmrTkRo= +sigs.k8s.io/json v0.0.0-20220525155127-227cbc7cc124 h1:2sgAQQcY0dEW2SsQwTXhQV4vO6+rSslYx8K3XmM5hqQ= +sigs.k8s.io/json v0.0.0-20220525155127-227cbc7cc124/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= sigs.k8s.io/kustomize/api v0.11.4/go.mod h1:k+8RsqYbgpkIrJ4p9jcdPqe8DprLxFUUO0yNOq8C+xI= +sigs.k8s.io/kustomize/api v0.11.5 h1:vLDp++YAX7iy2y2CVPJNy9pk9CY8XaUKgHkjbVtnWag= +sigs.k8s.io/kustomize/api v0.11.5/go.mod h1:2UDpxS6AonWXow2ZbySd4AjUxmdXLeTlvGBC46uSiq8= sigs.k8s.io/kustomize/cmd/config v0.10.6/go.mod h1:/S4A4nUANUa4bZJ/Edt7ZQTyKOY9WCER0uBS1SW2Rco= sigs.k8s.io/kustomize/kustomize/v4 v4.5.4/go.mod h1:Zo/Xc5FKD6sHl0lilbrieeGeZHVYCA4BzxeAaLI05Bg= -sigs.k8s.io/kustomize/kyaml v0.13.6 h1:eF+wsn4J7GOAXlvajv6OknSunxpcOBQQqsnPxObtkGs= sigs.k8s.io/kustomize/kyaml v0.13.6/go.mod h1:yHP031rn1QX1lr/Xd934Ri/xdVNG8BE2ECa78Ht/kEg= +sigs.k8s.io/kustomize/kyaml v0.13.7 h1:/EZ/nPaLUzeJKF/BuJ4QCuMVJWiEVoI8iftOHY3g3tk= +sigs.k8s.io/kustomize/kyaml v0.13.7/go.mod h1:6K+IUOuir3Y7nucPRAjw9yth04KSWBnP5pqUTGwj/qU= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= 
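Review bot: In hack/generate-proto.sh the swagger clean-up now writes `${SWAGGER_OUT}` from the last of three piped `jq` processes. Unless `set -o pipefail` is in effect (not visible in this hunk), a failure in the first or second `jq` is hidden by the exit status of the last one. The `/bin/rm "${PRIMARY_SWAGGER}" "${COMBINED_SWAGGER}"` that follows then deletes the inputs while an empty or partial spec is left in place. The two new filters can be appended to the existing program so that a single `jq` runs and its status is the one checked: `| .definitions.v1Time.type = "string" | .definitions.v1Time.format = "date-time" | del(.definitions.v1Time.properties)` and `| .definitions.v1alpha1ResourceNode.allOf = [{"$ref": "#/definitions/v1alpha1ResourceRef"}] | del(.definitions.v1alpha1ResourceNode.properties.resourceRef)`, keeping `' "${COMBINED_SWAGGER}" > "${SWAGGER_OUT}"` as before. The enclosing function starts outside the hunk.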
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= +sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= diff --git a/hack/generate-proto.sh b/hack/generate-proto.sh index fcfe4e4f0e4d0..1df4655d485dc 100755 --- a/hack/generate-proto.sh +++ b/hack/generate-proto.sh @@ -118,7 +118,10 @@ EOF del(.definitions.v1alpha1OptionalArray) | .definitions.v1alpha1ApplicationSourcePluginParameter.properties.map = {"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}} | del(.definitions.v1alpha1OptionalMap) - ' "${COMBINED_SWAGGER}" > "${SWAGGER_OUT}" + ' "${COMBINED_SWAGGER}" | \ + jq '.definitions.v1Time.type = "string" | .definitions.v1Time.format = "date-time" | del(.definitions.v1Time.properties)' | \ + jq '.definitions.v1alpha1ResourceNode.allOf = [{"$ref": "#/definitions/v1alpha1ResourceRef"}] | del(.definitions.v1alpha1ResourceNode.properties.resourceRef) ' \ + > "${SWAGGER_OUT}" /bin/rm "${PRIMARY_SWAGGER}" "${COMBINED_SWAGGER}" } diff --git a/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml b/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml index e6dde8de5cbf4..ff7cf84c3e60a 100644 --- a/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml +++ b/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml 
@@ -133,6 +133,12 @@ spec: key: applicationsetcontroller.scm.root.ca.path name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.allowed.scm.providers + optional: true volumeMounts: - mountPath: /app/config/ssh name: ssh-known-hosts diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml index b0bc7f13f3764..642e1de181142 100644 --- a/manifests/core-install.yaml +++ b/manifests/core-install.yaml @@ -787,7 +787,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -795,8 +796,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster and - must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is not + set. type: string type: object ignoreDifferences: @@ -3794,7 +3796,8 @@ spec: properties: name: description: Name is an alternate way of specifying the - target cluster by its symbolic name + target cluster by its symbolic name. This must be set + if Server is not set. type: string namespace: description: Namespace specifies the target namespace @@ -3803,8 +3806,9 @@ spec: not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name + is not set. type: string type: object ignoreDifferences: 
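Review bot: The new `ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS` entry in the applicationset-controller `env` list is `optional: true`, and nothing here says what the controller does when `applicationsetcontroller.allowed.scm.providers` is missing from `argocd-cmd-params-cm`. If an unset value means "no restriction" (an assumption, since the controller code is not part of this hunk), the allow-list is off on every default install and operators have to opt in. A comment above the entry would make that visible to whoever edits the manifest, for example `# Allow-list for SCM providers used by ApplicationSet generators; when the key is absent the list is not enforced (confirm against the controller)`. The same entry is repeated in the generated install manifests further down, and the `env` list itself begins outside the hunk.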
@@ -10040,6 +10044,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -14519,6 +14525,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -16927,6 +16935,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -18155,7 +18165,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -18163,8 +18174,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is + not set. type: string type: object type: array @@ -18874,6 +18886,12 @@ spec: key: applicationsetcontroller.scm.root.ca.path name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.allowed.scm.providers + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/manifests/crds/application-crd.yaml b/manifests/crds/application-crd.yaml index fc6282dd321bd..1248bd37b421b 100644 --- a/manifests/crds/application-crd.yaml +++ b/manifests/crds/application-crd.yaml 
@@ -786,7 +786,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -794,8 +795,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster and - must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is not + set. type: string type: object ignoreDifferences: @@ -3793,7 +3795,8 @@ spec: properties: name: description: Name is an alternate way of specifying the - target cluster by its symbolic name + target cluster by its symbolic name. This must be set + if Server is not set. type: string namespace: description: Namespace specifies the target namespace @@ -3802,8 +3805,9 @@ spec: not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name + is not set. type: string type: object ignoreDifferences: diff --git a/manifests/crds/applicationset-crd.yaml b/manifests/crds/applicationset-crd.yaml index 72d23d94a46b8..f068d36996d12 100644 --- a/manifests/crds/applicationset-crd.yaml +++ b/manifests/crds/applicationset-crd.yaml @@ -5553,6 +5553,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -10032,6 +10034,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: 
@@ -12440,6 +12444,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: diff --git a/manifests/crds/appproject-crd.yaml b/manifests/crds/appproject-crd.yaml index 335decfc564df..989b3004892f6 100644 --- a/manifests/crds/appproject-crd.yaml +++ b/manifests/crds/appproject-crd.yaml @@ -88,7 +88,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -96,8 +97,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is + not set. type: string type: object type: array diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index 68b53246c0d32..26801daea28a2 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml @@ -787,7 +787,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -795,8 +796,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster and - must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is not + set. type: string type: object ignoreDifferences: 
@@ -3794,7 +3796,8 @@ spec: properties: name: description: Name is an alternate way of specifying the - target cluster by its symbolic name + target cluster by its symbolic name. This must be set + if Server is not set. type: string namespace: description: Namespace specifies the target namespace @@ -3803,8 +3806,9 @@ spec: not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name + is not set. type: string type: object ignoreDifferences: @@ -10040,6 +10044,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -14519,6 +14525,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -16927,6 +16935,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -18155,7 +18165,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -18163,8 +18174,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is + not set. type: string type: object type: array 
@@ -20111,6 +20123,12 @@ spec: key: applicationsetcontroller.scm.root.ca.path name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.allowed.scm.providers + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml index 6b9adc7d08071..9c6be39785fec 100644 --- a/manifests/ha/namespace-install.yaml +++ b/manifests/ha/namespace-install.yaml @@ -1629,6 +1629,12 @@ spec: key: applicationsetcontroller.scm.root.ca.path name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.allowed.scm.providers + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/manifests/install.yaml b/manifests/install.yaml index d9c3fc9d4eb14..6a5afae6a87ae 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -787,7 +787,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -795,8 +796,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster and - must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is not + set. type: string type: object ignoreDifferences: 
@@ -3794,7 +3796,8 @@ spec: properties: name: description: Name is an alternate way of specifying the - target cluster by its symbolic name + target cluster by its symbolic name. This must be set + if Server is not set. type: string namespace: description: Namespace specifies the target namespace @@ -3803,8 +3806,9 @@ spec: not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name + is not set. type: string type: object ignoreDifferences: @@ -10040,6 +10044,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -14519,6 +14525,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -16927,6 +16935,8 @@ spec: type: string group: type: string + includeSharedProjects: + type: boolean includeSubgroups: type: boolean insecure: @@ -18155,7 +18165,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -18163,8 +18174,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is + not set. type: string type: object type: array 
@@ -19212,6 +19224,12 @@ spec: key: applicationsetcontroller.scm.root.ca.path name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.allowed.scm.providers + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index 9041dc52b3814..415ea143c5b64 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml @@ -730,6 +730,12 @@ spec: key: applicationsetcontroller.scm.root.ca.path name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.allowed.scm.providers + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/notifications_catalog/install.yaml b/notifications_catalog/install.yaml index d399dcf7a3fbd..e601615bac73f 100644 --- a/notifications_catalog/install.yaml +++ b/notifications_catalog/install.yaml @@ -513,12 +513,13 @@ data: - description: Application syncing has failed send: - app-sync-failed - when: app.status.operationState.phase in ['Error', 'Failed'] + when: app.status.operationState != nil and app.status.operationState.phase in ['Error', + 'Failed'] trigger.on-sync-running: | - description: Application is being synced send: - app-sync-running - when: app.status.operationState.phase in ['Running'] + when: app.status.operationState != nil and app.status.operationState.phase in ['Running'] trigger.on-sync-status-unknown: | - description: Application status is 'Unknown' send: 
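Review bot: The `app.status.operationState != nil` guard is added only to on-sync-failed, on-sync-running and on-sync-succeeded (here and in the three files under notifications_catalog/triggers/), so any other catalog trigger that reads `app.status.operationState.phase` would still be evaluated against a nil operationState. The rest of the catalog is not visible in this diff, so that needs confirming. If evaluation errors on nil, a sync-failure notification can be skipped without anyone noticing, so a test that evaluates every trigger against an Application with no operationState would be worth adding. As a style point, the wrapped `when:` for on-sync-failed in this hunk relies on plain-scalar folding inside the `|` block; keeping it on one line like the other two triggers reads more safely: `when: app.status.operationState != nil and app.status.operationState.phase in ['Error', 'Failed']`.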
@@ -528,7 +529,7 @@ data: - description: Application syncing has succeeded send: - app-sync-succeeded - when: app.status.operationState.phase in ['Succeeded'] + when: app.status.operationState != nil and app.status.operationState.phase in ['Succeeded'] kind: ConfigMap metadata: creationTimestamp: null diff --git a/notifications_catalog/triggers/on-sync-failed.yaml b/notifications_catalog/triggers/on-sync-failed.yaml index 888a007f39247..b19afc561b0d5 100644 --- a/notifications_catalog/triggers/on-sync-failed.yaml +++ b/notifications_catalog/triggers/on-sync-failed.yaml @@ -1,3 +1,3 @@ -- when: app.status.operationState.phase in ['Error', 'Failed'] +- when: app.status.operationState != nil and app.status.operationState.phase in ['Error', 'Failed'] description: Application syncing has failed send: [app-sync-failed] diff --git a/notifications_catalog/triggers/on-sync-running.yaml b/notifications_catalog/triggers/on-sync-running.yaml index 005d06177051e..8ed62c9bf9fe5 100644 --- a/notifications_catalog/triggers/on-sync-running.yaml +++ b/notifications_catalog/triggers/on-sync-running.yaml @@ -1,3 +1,3 @@ -- when: app.status.operationState.phase in ['Running'] +- when: app.status.operationState != nil and app.status.operationState.phase in ['Running'] description: Application is being synced send: [app-sync-running] diff --git a/notifications_catalog/triggers/on-sync-succeeded.yaml b/notifications_catalog/triggers/on-sync-succeeded.yaml index 9e1c9fef5af3b..c3eb0e1aead70 100644 --- a/notifications_catalog/triggers/on-sync-succeeded.yaml +++ b/notifications_catalog/triggers/on-sync-succeeded.yaml @@ -1,3 +1,3 @@ -- when: app.status.operationState.phase in ['Succeeded'] +- when: app.status.operationState != nil and app.status.operationState.phase in ['Succeeded'] description: Application syncing has succeeded send: [app-sync-succeeded] diff --git a/pkg/apiclient/apiclient.go b/pkg/apiclient/apiclient.go index de48d10923261..0563357c7624f 100644 
--- a/pkg/apiclient/apiclient.go +++ b/pkg/apiclient/apiclient.go @@ -46,7 +46,6 @@ import ( settingspkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/settings" versionpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/version" "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" - argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" "github.com/argoproj/argo-cd/v2/util/argo" "github.com/argoproj/argo-cd/v2/util/env" grpc_util "github.com/argoproj/argo-cd/v2/util/grpc" @@ -104,7 +103,7 @@ type Client interface { NewProjectClientOrDie() (io.Closer, projectpkg.ProjectServiceClient) NewAccountClient() (io.Closer, accountpkg.AccountServiceClient, error) NewAccountClientOrDie() (io.Closer, accountpkg.AccountServiceClient) - WatchApplicationWithRetry(ctx context.Context, appName string, revision string) chan *argoappv1.ApplicationWatchEvent + WatchApplicationWithRetry(ctx context.Context, appName string, revision string) chan *v1alpha1.ApplicationWatchEvent } // ClientOptions hold address, security, and other settings for the API client. @@ -802,8 +801,8 @@ func (c *client) NewAccountClientOrDie() (io.Closer, accountpkg.AccountServiceCl // WatchApplicationWithRetry returns a channel of watch events for an application, retrying the // watch upon errors. Closes the returned channel when the context is cancelled. -func (c *client) WatchApplicationWithRetry(ctx context.Context, appName string, revision string) chan *argoappv1.ApplicationWatchEvent { - appEventsCh := make(chan *argoappv1.ApplicationWatchEvent) +func (c *client) WatchApplicationWithRetry(ctx context.Context, appName string, revision string) chan *v1alpha1.ApplicationWatchEvent { + appEventsCh := make(chan *v1alpha1.ApplicationWatchEvent) cancelled := false appName, appNs := argo.ParseFromQualifiedName(appName, "") go func() { diff --git a/pkg/apiclient/application/application.pb.go b/pkg/apiclient/application/application.pb.go index 0035796551791..8fd016ee36f68 100644 
--- a/pkg/apiclient/application/application.pb.go +++ b/pkg/apiclient/application/application.pb.go @@ -36,7 +36,11 @@ var _ = math.Inf // proto package needs to be updated. const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package -// ApplicationQuery is a query for application resources +// ApplicationQuery is a query for application resources. When getting multiple applications, the "projects" field acts +// as a filter. When getting a single application, you may specify either zero or one project. If you specify zero +// projects, the application will be returned regardless of which project it belongs to (assuming you have access). If +// you specify one project, the application will only be returned if it exists and belongs to the specified project. +// Otherwise you will receive a 404. type ApplicationQuery struct { // the application's name Name *string `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"` @@ -211,6 +215,7 @@ type RevisionMetadataQuery struct { Revision *string `protobuf:"bytes,2,req,name=revision" json:"revision,omitempty"` // the application's namespace AppNamespace *string `protobuf:"bytes,3,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,4,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -270,6 +275,13 @@ func (m *RevisionMetadataQuery) GetAppNamespace() string { return "" } +func (m *RevisionMetadataQuery) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + // ApplicationEventsQuery is a query for application resource events type ApplicationResourceEventsQuery struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` 
@@ -277,6 +289,7 @@ type ApplicationResourceEventsQuery struct { ResourceName *string `protobuf:"bytes,3,opt,name=resourceName" json:"resourceName,omitempty"` ResourceUID *string `protobuf:"bytes,4,opt,name=resourceUID" json:"resourceUID,omitempty"` AppNamespace *string `protobuf:"bytes,5,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,6,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -350,11 +363,19 @@ func (m *ApplicationResourceEventsQuery) GetAppNamespace() string { return "" } +func (m *ApplicationResourceEventsQuery) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + // ManifestQuery is a query for manifest resources type ApplicationManifestQuery struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Revision *string `protobuf:"bytes,2,opt,name=revision" json:"revision,omitempty"` AppNamespace *string `protobuf:"bytes,3,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,4,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -414,6 +435,13 @@ func (m *ApplicationManifestQuery) GetAppNamespace() string { return "" } +func (m *ApplicationManifestQuery) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type FileChunk struct { Chunk []byte `protobuf:"bytes,1,req,name=chunk" json:"chunk,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` 
@@ -465,6 +493,7 @@ type ApplicationManifestQueryWithFiles struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Checksum *string `protobuf:"bytes,2,req,name=checksum" json:"checksum,omitempty"` AppNamespace *string `protobuf:"bytes,3,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,4,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -524,6 +553,13 @@ func (m *ApplicationManifestQueryWithFiles) GetAppNamespace() string { return "" } +func (m *ApplicationManifestQueryWithFiles) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ApplicationManifestQueryWithFilesWrapper struct { // Types that are valid to be assigned to Part: // *ApplicationManifestQueryWithFilesWrapper_Query @@ -721,6 +757,7 @@ func (m *ApplicationCreateRequest) GetValidate() bool { type ApplicationUpdateRequest struct { Application *v1alpha1.Application `protobuf:"bytes,1,req,name=application" json:"application,omitempty"` Validate *bool `protobuf:"varint,2,opt,name=validate" json:"validate,omitempty"` + Project *string `protobuf:"bytes,3,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -773,11 +810,19 @@ func (m *ApplicationUpdateRequest) GetValidate() bool { return false } +func (m *ApplicationUpdateRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ApplicationDeleteRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Cascade *bool `protobuf:"varint,2,opt,name=cascade" json:"cascade,omitempty"` PropagationPolicy *string `protobuf:"bytes,3,opt,name=propagationPolicy" json:"propagationPolicy,omitempty"` AppNamespace *string `protobuf:"bytes,4,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,5,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -844,6 +889,13 @@ func (m *ApplicationDeleteRequest) GetAppNamespace() string { return "" } +func (m *ApplicationDeleteRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type SyncOptions struct { Items []string `protobuf:"bytes,1,rep,name=items" json:"items,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -904,6 +956,7 @@ type ApplicationSyncRequest struct { RetryStrategy *v1alpha1.RetryStrategy `protobuf:"bytes,10,opt,name=retryStrategy" json:"retryStrategy,omitempty"` SyncOptions *SyncOptions `protobuf:"bytes,11,opt,name=syncOptions" json:"syncOptions,omitempty"` AppNamespace *string `protobuf:"bytes,12,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,13,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -1019,12 +1072,20 @@ func (m *ApplicationSyncRequest) GetAppNamespace() string { return "" } +func (m *ApplicationSyncRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + // ApplicationUpdateSpecRequest is a request to update application spec type ApplicationUpdateSpecRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Spec *v1alpha1.ApplicationSpec `protobuf:"bytes,2,req,name=spec" json:"spec,omitempty"` Validate *bool `protobuf:"varint,3,opt,name=validate" json:"validate,omitempty"` AppNamespace *string `protobuf:"bytes,4,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,5,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -1091,12 +1152,20 @@ func (m *ApplicationUpdateSpecRequest) GetAppNamespace() string { return "" } +func (m *ApplicationUpdateSpecRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + // ApplicationPatchRequest is a request to patch an application type ApplicationPatchRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Patch *string `protobuf:"bytes,2,req,name=patch" json:"patch,omitempty"` PatchType *string `protobuf:"bytes,3,req,name=patchType" json:"patchType,omitempty"` AppNamespace *string `protobuf:"bytes,5,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,6,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -1163,12 +1232,20 @@ func (m *ApplicationPatchRequest) GetAppNamespace() string { return "" } +func (m *ApplicationPatchRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ApplicationRollbackRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Id *int64 `protobuf:"varint,2,req,name=id" json:"id,omitempty"` DryRun *bool `protobuf:"varint,3,opt,name=dryRun" json:"dryRun,omitempty"` Prune *bool `protobuf:"varint,4,opt,name=prune" json:"prune,omitempty"` AppNamespace *string `protobuf:"bytes,6,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,7,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -1242,6 +1319,13 @@ func (m *ApplicationRollbackRequest) GetAppNamespace() string { return "" } +func (m *ApplicationRollbackRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ApplicationResourceRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Namespace *string `protobuf:"bytes,2,opt,name=namespace" json:"namespace,omitempty"` @@ -1250,6 +1334,7 @@ type ApplicationResourceRequest struct { Group *string `protobuf:"bytes,5,opt,name=group" json:"group,omitempty"` Kind *string `protobuf:"bytes,6,req,name=kind" json:"kind,omitempty"` AppNamespace *string `protobuf:"bytes,7,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,8,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -1337,6 +1422,13 @@ func (m *ApplicationResourceRequest) GetAppNamespace() string { return "" } +func (m *ApplicationResourceRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ApplicationResourcePatchRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Namespace *string `protobuf:"bytes,2,opt,name=namespace" json:"namespace,omitempty"` @@ -1347,6 +1439,7 @@ type ApplicationResourcePatchRequest struct { Patch *string `protobuf:"bytes,7,req,name=patch" json:"patch,omitempty"` PatchType *string `protobuf:"bytes,8,req,name=patchType" json:"patchType,omitempty"` AppNamespace *string `protobuf:"bytes,9,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,10,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -1448,6 +1541,13 @@ func (m *ApplicationResourcePatchRequest) GetAppNamespace() string { return "" } +func (m *ApplicationResourcePatchRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ApplicationResourceDeleteRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Namespace *string `protobuf:"bytes,2,opt,name=namespace" json:"namespace,omitempty"` @@ -1458,6 +1558,7 @@ type ApplicationResourceDeleteRequest struct { Force *bool `protobuf:"varint,7,opt,name=force" json:"force,omitempty"` Orphan *bool `protobuf:"varint,8,opt,name=orphan" json:"orphan,omitempty"` AppNamespace *string `protobuf:"bytes,9,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,10,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -1559,6 +1660,13 @@ func (m *ApplicationResourceDeleteRequest) GetAppNamespace() string { return "" } +func (m *ApplicationResourceDeleteRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ResourceActionRunRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Namespace *string `protobuf:"bytes,2,opt,name=namespace" json:"namespace,omitempty"` @@ -1568,6 +1676,7 @@ type ResourceActionRunRequest struct { Kind *string `protobuf:"bytes,6,req,name=kind" json:"kind,omitempty"` Action *string `protobuf:"bytes,7,req,name=action" json:"action,omitempty"` AppNamespace *string `protobuf:"bytes,8,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,9,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -1662,6 +1771,13 @@ func (m *ResourceActionRunRequest) GetAppNamespace() string { return "" } +func (m *ResourceActionRunRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ResourceActionsListResponse struct { Actions []*v1alpha1.ResourceAction `protobuf:"bytes,1,rep,name=actions" json:"actions,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -1772,6 +1888,7 @@ type ApplicationPodLogsQuery struct { ResourceName *string `protobuf:"bytes,13,opt,name=resourceName" json:"resourceName,omitempty"` Previous *bool `protobuf:"varint,14,opt,name=previous" json:"previous,omitempty"` AppNamespace *string `protobuf:"bytes,15,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,16,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -1915,6 +2032,13 @@ func (m *ApplicationPodLogsQuery) GetAppNamespace() string { return "" } +func (m *ApplicationPodLogsQuery) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type LogEntry struct { Content *string `protobuf:"bytes,1,req,name=content" json:"content,omitempty"` // deprecated in favor of timeStampStr since meta.v1.Time don't support nano time @@ -1998,6 +2122,7 @@ func (m *LogEntry) GetPodName() string { type OperationTerminateRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` AppNamespace *string `protobuf:"bytes,2,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,3,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -2050,9 +2175,17 @@ func (m *OperationTerminateRequest) GetAppNamespace() string { return "" } +func (m *OperationTerminateRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ApplicationSyncWindowsQuery struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` AppNamespace *string `protobuf:"bytes,2,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,3,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -2105,6 +2238,13 @@ func (m *ApplicationSyncWindowsQuery) GetAppNamespace() string { return "" } +func (m *ApplicationSyncWindowsQuery) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ApplicationSyncWindowsResponse struct { ActiveWindows []*ApplicationSyncWindow `protobuf:"bytes,1,rep,name=activeWindows" json:"activeWindows,omitempty"` AssignedWindows []*ApplicationSyncWindow `protobuf:"bytes,2,rep,name=assignedWindows" json:"assignedWindows,omitempty"` @@ -2286,6 +2426,7 @@ type ResourcesQuery struct { Group *string `protobuf:"bytes,5,opt,name=group" json:"group,omitempty"` Kind *string `protobuf:"bytes,6,opt,name=kind" json:"kind,omitempty"` AppNamespace *string `protobuf:"bytes,7,opt,name=appNamespace" json:"appNamespace,omitempty"` + Project *string `protobuf:"bytes,8,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -2373,6 +2514,13 @@ func (m *ResourcesQuery) GetAppNamespace() string { return "" } +func (m *ResourcesQuery) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + type ManagedResourcesResponse struct { Items []*v1alpha1.ResourceDiff `protobuf:"bytes,1,rep,name=items" json:"items,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -2541,6 +2689,7 @@ func (m *LinksResponse) GetItems() []*LinkInfo { type ListAppLinksRequest struct { Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` Namespace *string `protobuf:"bytes,3,opt,name=namespace" json:"namespace,omitempty"` + Project *string `protobuf:"bytes,4,opt,name=project" json:"project,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -2593,6 +2742,13 @@ func (m *ListAppLinksRequest) GetNamespace() string { return "" } +func (m *ListAppLinksRequest) GetProject() string { + if m != nil && m.Project != nil { + return *m.Project + } + return "" +} + func init() { proto.RegisterType((*ApplicationQuery)(nil), "application.ApplicationQuery") proto.RegisterType((*NodeQuery)(nil), "application.NodeQuery") 
@@ -2636,172 +2792,175 @@ func init() { } var fileDescriptor_df6e82b174b5eaec = []byte{ - // 2630 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x5a, 0xcb, 0x8f, 0x1c, 0x49, - 0xd1, 0xff, 0xb2, 0xe7, 0xd5, 0x1d, 0x3d, 0x7e, 0xe5, 0xda, 0xf3, 0xd5, 0xb6, 0xc7, 0x66, 0x5c, - 0x7e, 0x8d, 0xc7, 0x9e, 0x6e, 0xbb, 0x31, 0xc8, 0x3b, 0xbb, 0x2b, 0xb0, 0xc7, 0x4f, 0x18, 0x7b, - 0x4d, 0x8d, 0x8d, 0xd1, 0x72, 0x80, 0xdc, 0xaa, 0x9c, 0x9e, 0x62, 0xaa, 0xab, 0xca, 0x55, 0xd5, - 0x6d, 0x8d, 0x8c, 0x2f, 0x8b, 0xb8, 0xad, 0x16, 0x69, 0x77, 0x0f, 0x68, 0xb5, 0x42, 0x68, 0x57, - 0x7b, 0xe1, 0xc2, 0x0d, 0x21, 0x71, 0x81, 0x0b, 0x02, 0x09, 0x24, 0xc4, 0xe3, 0x02, 0x17, 0x64, - 0x71, 0xe3, 0xc2, 0x81, 0x3f, 0x00, 0x65, 0x56, 0x66, 0x55, 0x56, 0x77, 0x75, 0x75, 0x0d, 0x33, - 0x68, 0x7d, 0xab, 0xc8, 0xce, 0x8c, 0xf8, 0x45, 0x64, 0x64, 0x44, 0x64, 0x64, 0xc3, 0xa9, 0x90, - 0x06, 0x7d, 0x1a, 0xb4, 0x88, 0xef, 0x3b, 0xb6, 0x49, 0x22, 0xdb, 0x73, 0xd5, 0xef, 0xa6, 0x1f, - 0x78, 0x91, 0x87, 0xeb, 0xca, 0x50, 0x63, 0xbe, 0xe3, 0x79, 0x1d, 0x87, 0xb6, 0x88, 0x6f, 0xb7, - 0x88, 0xeb, 0x7a, 0x11, 0x1f, 0x0e, 0xe3, 0xa9, 0x0d, 0x7d, 0xeb, 0x4a, 0xd8, 0xb4, 0x3d, 0xfe, - 0xab, 0xe9, 0x05, 0xb4, 0xd5, 0xbf, 0xd4, 0xea, 0x50, 0x97, 0x06, 0x24, 0xa2, 0x96, 0x98, 0x73, - 0x39, 0x9d, 0xd3, 0x25, 0xe6, 0xa6, 0xed, 0xd2, 0x60, 0xbb, 0xe5, 0x6f, 0x75, 0xd8, 0x40, 0xd8, - 0xea, 0xd2, 0x88, 0xe4, 0xad, 0x5a, 0xeb, 0xd8, 0xd1, 0x66, 0xef, 0xad, 0xa6, 0xe9, 0x75, 0x5b, - 0x24, 0xe8, 0x78, 0x7e, 0xe0, 0x7d, 0x87, 0x7f, 0x2c, 0x9b, 0x56, 0xab, 0xdf, 0x4e, 0x19, 0xa8, - 0xba, 0xf4, 0x2f, 0x11, 0xc7, 0xdf, 0x24, 0xc3, 0xdc, 0x6e, 0x8c, 0xe1, 0x16, 0x50, 0xdf, 0x13, - 0xb6, 0xe1, 0x9f, 0x76, 0xe4, 0x05, 0xdb, 0xca, 0x67, 0xcc, 0x46, 0xff, 0x37, 0x82, 0x83, 0x57, - 0x53, 0x79, 0x5f, 0xeb, 0xd1, 0x60, 0x1b, 0x63, 0x98, 0x74, 0x49, 0x97, 0x6a, 0x68, 0x01, 0x2d, - 0xd6, 0x0c, 0xfe, 0x8d, 0x35, 0x98, 0x09, 0xe8, 0x46, 0x40, 0xc3, 0x4d, 0xad, 0xc2, 0x87, 0x25, 
- 0x89, 0x1b, 0x50, 0x65, 0xc2, 0xa9, 0x19, 0x85, 0xda, 0xc4, 0xc2, 0xc4, 0x62, 0xcd, 0x48, 0x68, - 0xbc, 0x08, 0x07, 0x02, 0x1a, 0x7a, 0xbd, 0xc0, 0xa4, 0x5f, 0xa7, 0x41, 0x68, 0x7b, 0xae, 0x36, - 0xc9, 0x57, 0x0f, 0x0e, 0x33, 0x2e, 0x21, 0x75, 0xa8, 0x19, 0x79, 0x81, 0x36, 0xc5, 0xa7, 0x24, - 0x34, 0xc3, 0xc3, 0x80, 0x6b, 0xd3, 0x31, 0x1e, 0xf6, 0x8d, 0x75, 0x98, 0x25, 0xbe, 0x7f, 0x8f, - 0x74, 0x69, 0xe8, 0x13, 0x93, 0x6a, 0x33, 0xfc, 0xb7, 0xcc, 0x18, 0xc3, 0x2c, 0x90, 0x68, 0x55, - 0x0e, 0x4c, 0x92, 0xfa, 0x2a, 0xd4, 0xee, 0x79, 0x16, 0x1d, 0xad, 0xee, 0x20, 0xfb, 0xca, 0x30, - 0x7b, 0x7d, 0x0b, 0x8e, 0x18, 0xb4, 0x6f, 0x33, 0xf8, 0x77, 0x69, 0x44, 0x2c, 0x12, 0x91, 0x41, - 0x86, 0x95, 0x84, 0x61, 0x03, 0xaa, 0x81, 0x98, 0xac, 0x55, 0xf8, 0x78, 0x42, 0x0f, 0x09, 0x9b, - 0xc8, 0x11, 0xf6, 0x3b, 0x04, 0xc7, 0x95, 0x8d, 0x32, 0x84, 0xf9, 0x6e, 0xf4, 0xa9, 0x1b, 0x85, - 0xa3, 0xc5, 0x5e, 0x80, 0x43, 0xd2, 0xd2, 0x83, 0xca, 0x0c, 0xff, 0xc0, 0x80, 0xa8, 0x83, 0x12, - 0x88, 0x3a, 0x86, 0x17, 0xa0, 0x2e, 0xe9, 0x87, 0x77, 0xae, 0x8b, 0xed, 0x54, 0x87, 0x86, 0xd4, - 0x99, 0xca, 0x51, 0xc7, 0x05, 0x4d, 0xd1, 0xe6, 0x2e, 0x71, 0xed, 0x0d, 0x1a, 0x46, 0x65, 0xcd, - 0x87, 0x76, 0x6c, 0xbe, 0x13, 0x50, 0xbb, 0x69, 0x3b, 0x74, 0x75, 0xb3, 0xe7, 0x6e, 0xe1, 0xc3, - 0x30, 0x65, 0xb2, 0x0f, 0x2e, 0x61, 0xd6, 0x88, 0x09, 0xfd, 0x09, 0x9c, 0x18, 0x05, 0xe9, 0x91, - 0x1d, 0x6d, 0xb2, 0xe5, 0xe1, 0x28, 0x6c, 0xe6, 0x26, 0x35, 0xb7, 0xc2, 0x5e, 0x57, 0x6e, 0xad, - 0xa4, 0x4b, 0x61, 0xfb, 0x09, 0x82, 0xc5, 0xb1, 0x92, 0x1f, 0x05, 0xc4, 0xf7, 0x69, 0x80, 0x6f, - 0xc2, 0xd4, 0x63, 0xf6, 0x03, 0xf7, 0xd6, 0x7a, 0xbb, 0xd9, 0x54, 0xa3, 0xdd, 0x58, 0x2e, 0xb7, - 0xff, 0xcf, 0x88, 0x97, 0xe3, 0xa6, 0xb4, 0x41, 0x85, 0xf3, 0x99, 0xcb, 0xf0, 0x49, 0x4c, 0xc5, - 0xe6, 0xf3, 0x69, 0xd7, 0xa6, 0x61, 0xd2, 0x27, 0x41, 0xa4, 0x1f, 0x81, 0x97, 0xb2, 0x6e, 0xe8, - 0x7b, 0x6e, 0x48, 0xf5, 0x5f, 0xa0, 0xcc, 0x86, 0xae, 0x06, 0x94, 0x44, 0xd4, 0xa0, 0x8f, 0x7b, - 0x34, 0x8c, 0xf0, 0x16, 0xa8, 0x01, 
0x98, 0xdb, 0xae, 0xde, 0xbe, 0xd3, 0x4c, 0x23, 0x58, 0x53, - 0x46, 0x30, 0xfe, 0xf1, 0x2d, 0xd3, 0x6a, 0xf6, 0xdb, 0x4d, 0x7f, 0xab, 0xd3, 0x64, 0xf1, 0x30, - 0x83, 0x4c, 0xc6, 0x43, 0x55, 0x55, 0x43, 0xe5, 0x8e, 0xe7, 0x60, 0xba, 0xe7, 0x87, 0x34, 0x88, - 0xb8, 0x66, 0x55, 0x43, 0x50, 0x6c, 0x97, 0xfa, 0xc4, 0xb1, 0x2d, 0x12, 0xc5, 0xbb, 0x50, 0x35, - 0x12, 0x5a, 0xff, 0x24, 0x8b, 0xfe, 0xa1, 0x6f, 0x7d, 0x56, 0xe8, 0x55, 0x94, 0x95, 0x01, 0x94, - 0x1f, 0x66, 0x51, 0x5e, 0xa7, 0x0e, 0x4d, 0x51, 0xe6, 0x39, 0xa6, 0x06, 0x33, 0x26, 0x09, 0x4d, - 0x62, 0x49, 0x5e, 0x92, 0x64, 0x61, 0xc1, 0x0f, 0x3c, 0x9f, 0x74, 0x38, 0xa7, 0xfb, 0x9e, 0x63, - 0x9b, 0xdb, 0xc2, 0x37, 0x87, 0x7f, 0x18, 0x72, 0xe2, 0xc9, 0x1c, 0x27, 0x3e, 0x09, 0xf5, 0xf5, - 0x6d, 0xd7, 0x7c, 0xc3, 0xe7, 0xc9, 0x94, 0x1d, 0x31, 0x3b, 0xa2, 0xdd, 0x50, 0x43, 0x3c, 0xf0, - 0xc6, 0x84, 0xfe, 0xd1, 0x14, 0xcc, 0x29, 0x1a, 0xb0, 0x05, 0x45, 0xf8, 0x8b, 0x0e, 0xfd, 0x1c, - 0x4c, 0x5b, 0xc1, 0xb6, 0xd1, 0x73, 0xc5, 0x66, 0x0a, 0x8a, 0x09, 0xf6, 0x83, 0x9e, 0x1b, 0x83, - 0xac, 0x1a, 0x31, 0x81, 0x37, 0xa0, 0x1a, 0x46, 0x2c, 0x7d, 0x76, 0xb6, 0x79, 0x38, 0xaa, 0xb7, - 0xbf, 0xb2, 0xbb, 0x0d, 0x64, 0xd0, 0xd7, 0x05, 0x47, 0x23, 0xe1, 0x8d, 0x1f, 0x43, 0x4d, 0x46, - 0xc2, 0x50, 0x9b, 0x59, 0x98, 0x58, 0xac, 0xb7, 0xd7, 0x77, 0x2f, 0xe8, 0x0d, 0x9f, 0xa5, 0x7e, - 0x25, 0xea, 0x1b, 0xa9, 0x14, 0x3c, 0x0f, 0xb5, 0xae, 0x38, 0xeb, 0xa1, 0x48, 0x73, 0xe9, 0x00, - 0xfe, 0x06, 0x4c, 0xd9, 0xee, 0x86, 0x17, 0x6a, 0x35, 0x0e, 0xe6, 0xda, 0xee, 0xc0, 0xdc, 0x71, - 0x37, 0x3c, 0x23, 0x66, 0x88, 0x1f, 0xc3, 0xbe, 0x80, 0x46, 0xc1, 0xb6, 0xb4, 0x82, 0x06, 0xdc, - 0xae, 0x5f, 0xdd, 0x9d, 0x04, 0x43, 0x65, 0x69, 0x64, 0x25, 0xe0, 0x15, 0xa8, 0x87, 0xa9, 0x8f, - 0x69, 0x75, 0x2e, 0x50, 0xcb, 0x30, 0x52, 0x7c, 0xd0, 0x50, 0x27, 0x0f, 0xf9, 0xf0, 0x6c, 0x8e, - 0x0f, 0xff, 0x05, 0xc1, 0xfc, 0x50, 0x18, 0x58, 0xf7, 0x69, 0xa1, 0x93, 0x12, 0x98, 0x0c, 0x7d, - 0x6a, 0xf2, 0xc8, 0x5f, 0x6f, 0xdf, 0xdd, 0xb3, 0xb8, 0xc0, 0xe5, 0x72, 
0xd6, 0x45, 0xa1, 0xab, - 0xd4, 0xd9, 0xfc, 0x3e, 0x82, 0xff, 0x57, 0x38, 0xdf, 0x27, 0x91, 0xb9, 0x59, 0xa4, 0x12, 0x3b, - 0x43, 0x6c, 0x8e, 0xc8, 0x66, 0x31, 0xc1, 0x1c, 0x8d, 0x7f, 0x3c, 0xd8, 0xf6, 0x19, 0x0c, 0xf6, - 0x4b, 0x3a, 0x50, 0x2a, 0xe9, 0xbf, 0x87, 0xa0, 0xa1, 0x46, 0x3e, 0xcf, 0x71, 0xde, 0x22, 0xe6, - 0x56, 0x11, 0x94, 0xfd, 0x50, 0xb1, 0x2d, 0x8e, 0x63, 0xc2, 0xa8, 0xd8, 0xd6, 0x0e, 0x8f, 0xfd, - 0x20, 0xa8, 0xe9, 0x1c, 0x50, 0x7f, 0x1d, 0x00, 0x25, 0x8f, 0x58, 0x01, 0xa8, 0x79, 0xa8, 0xb9, - 0x03, 0xc5, 0x54, 0x3a, 0x90, 0x53, 0x44, 0x55, 0x86, 0x8a, 0x28, 0x0d, 0x66, 0xfa, 0x49, 0x3d, - 0xcc, 0x7e, 0x96, 0x24, 0x53, 0xa4, 0x13, 0x78, 0x3d, 0x5f, 0x18, 0x30, 0x26, 0x18, 0x8a, 0x2d, - 0xdb, 0xb5, 0xb4, 0xe9, 0x18, 0x05, 0xfb, 0x2e, 0x53, 0x01, 0xeb, 0xef, 0x57, 0xe0, 0x73, 0x39, - 0xca, 0x8d, 0xf5, 0x80, 0x17, 0x43, 0xc3, 0xc4, 0x0f, 0x67, 0x46, 0xfa, 0x61, 0x75, 0x9c, 0x1f, - 0xd6, 0x72, 0xac, 0xf2, 0x6e, 0x05, 0x16, 0x72, 0xac, 0x32, 0x3e, 0xa1, 0xbe, 0x30, 0x66, 0xd9, - 0xf0, 0x02, 0xb1, 0xe3, 0x55, 0x23, 0x26, 0xd8, 0xc9, 0xf0, 0x02, 0x7f, 0x93, 0xb8, 0x5a, 0x35, - 0x3e, 0x19, 0x31, 0x55, 0xca, 0x20, 0xff, 0x42, 0xa0, 0x49, 0x2b, 0x5c, 0x35, 0xb9, 0x4d, 0x7a, - 0xee, 0x8b, 0x6f, 0x88, 0x39, 0x98, 0x26, 0x1c, 0xad, 0x70, 0x10, 0x41, 0x0d, 0xa9, 0x5c, 0xcd, - 0x8f, 0x89, 0x47, 0xb3, 0x2a, 0x87, 0x6b, 0x76, 0x18, 0xc9, 0x82, 0x16, 0x6f, 0xc0, 0x4c, 0xcc, - 0x2d, 0x2e, 0x61, 0xea, 0xed, 0xb5, 0xdd, 0x26, 0xb6, 0x8c, 0x79, 0x25, 0x73, 0xfd, 0x15, 0x38, - 0x9a, 0x1b, 0x7d, 0x04, 0x8c, 0x06, 0x54, 0x65, 0x32, 0x17, 0x1b, 0x90, 0xd0, 0xfa, 0x3f, 0x27, - 0xb2, 0x61, 0xdd, 0xb3, 0xd6, 0xbc, 0x4e, 0xc1, 0x5d, 0xb0, 0x78, 0xd3, 0xd8, 0x65, 0xd9, 0xb3, - 0x94, 0x6b, 0x9f, 0x24, 0xd9, 0x3a, 0xd3, 0x73, 0x23, 0x62, 0xbb, 0x34, 0x10, 0xf9, 0x25, 0x1d, - 0x60, 0xc6, 0x0e, 0x6d, 0xd7, 0xa4, 0xeb, 0xd4, 0xf4, 0x5c, 0x2b, 0xe4, 0xbb, 0x36, 0x61, 0x64, - 0xc6, 0xf0, 0x6d, 0xa8, 0x71, 0xfa, 0x81, 0xdd, 0x8d, 0x83, 0x70, 0xbd, 0xbd, 0xd4, 0x8c, 0x9b, - 0x28, 0x4d, 
0xb5, 0x89, 0x92, 0xda, 0xb0, 0x4b, 0x23, 0xd2, 0xec, 0x5f, 0x6a, 0xb2, 0x15, 0x46, - 0xba, 0x98, 0x61, 0x89, 0x88, 0xed, 0xac, 0xd9, 0x2e, 0x2f, 0xb0, 0x98, 0xa8, 0x74, 0x80, 0x39, - 0xc4, 0x86, 0xe7, 0x38, 0xde, 0x13, 0x79, 0x06, 0x62, 0x8a, 0xad, 0xea, 0xb9, 0x91, 0xed, 0x70, - 0xf9, 0xf1, 0x01, 0x48, 0x07, 0xf8, 0x2a, 0xdb, 0x89, 0x68, 0xc0, 0x4b, 0x98, 0x9a, 0x21, 0xa8, - 0xc4, 0xe5, 0xea, 0x71, 0x5f, 0x40, 0x9e, 0xbd, 0xd8, 0x39, 0x67, 0x55, 0xe7, 0x1c, 0x74, 0xf8, - 0x7d, 0x39, 0xf7, 0x66, 0xde, 0x26, 0xa1, 0x7d, 0xdb, 0xeb, 0x85, 0xda, 0xfe, 0x38, 0x89, 0x4b, - 0x7a, 0xc8, 0x61, 0x0f, 0xe4, 0x38, 0xec, 0x2f, 0x11, 0x54, 0xd7, 0xbc, 0xce, 0x0d, 0x37, 0x0a, - 0xb6, 0x79, 0x65, 0xef, 0xb9, 0x11, 0x75, 0xa5, 0x57, 0x48, 0x92, 0x99, 0x3a, 0xb2, 0xbb, 0x74, - 0x3d, 0x22, 0x5d, 0x5f, 0xd4, 0x24, 0x3b, 0x32, 0x75, 0xb2, 0x98, 0xa9, 0xef, 0x90, 0x30, 0xe2, - 0xa7, 0xb7, 0x6a, 0xf0, 0x6f, 0x06, 0x34, 0x99, 0xb0, 0x1e, 0x05, 0xe2, 0xe8, 0x66, 0xc6, 0x54, - 0x47, 0x9a, 0x8a, 0xb1, 0x09, 0x52, 0x5f, 0x87, 0x97, 0x93, 0x52, 0xf6, 0x01, 0x0d, 0xba, 0xb6, - 0x4b, 0x8a, 0xe3, 0x6d, 0x99, 0x2e, 0xcc, 0xc3, 0xcc, 0x01, 0x62, 0xf5, 0xdf, 0x23, 0xdb, 0xb5, - 0xbc, 0x27, 0x05, 0x07, 0xa1, 0x0c, 0xdb, 0x3f, 0x66, 0xfb, 0x2d, 0x0a, 0xdf, 0xe4, 0x6c, 0xde, - 0x86, 0x7d, 0xec, 0x14, 0xf7, 0xa9, 0xf8, 0x41, 0x04, 0x0a, 0x7d, 0xd4, 0x95, 0x3c, 0xe5, 0x61, - 0x64, 0x17, 0xe2, 0x35, 0x38, 0x40, 0xc2, 0xd0, 0xee, 0xb8, 0xd4, 0x92, 0xbc, 0x2a, 0xa5, 0x79, - 0x0d, 0x2e, 0x8d, 0xaf, 0x7d, 0x7c, 0x86, 0xd8, 0x3b, 0x49, 0xea, 0xdf, 0x43, 0x70, 0x24, 0x97, - 0x49, 0xe2, 0xeb, 0x48, 0x09, 0xaf, 0x0d, 0xa8, 0x86, 0xe6, 0x26, 0xb5, 0x7a, 0x0e, 0x95, 0x7d, - 0x0d, 0x49, 0xb3, 0xdf, 0xac, 0x5e, 0xbc, 0x93, 0x22, 0xbc, 0x27, 0x34, 0x3e, 0x0e, 0xd0, 0x25, - 0x6e, 0x8f, 0x38, 0x1c, 0xc2, 0x24, 0x87, 0xa0, 0x8c, 0xe8, 0xf3, 0xd0, 0xc8, 0x73, 0x03, 0xd1, - 0x49, 0xf8, 0x33, 0x82, 0xfd, 0x32, 0x0c, 0x8a, 0x3d, 0x5c, 0x84, 0x03, 0x8a, 0x19, 0xee, 0xa5, - 0xdb, 0x39, 0x38, 0x3c, 0x26, 0xc4, 0x49, 0x5f, 
0x98, 0xc8, 0xf6, 0x35, 0xfb, 0x99, 0xce, 0x64, - 0xe9, 0x3c, 0x84, 0x76, 0x54, 0x89, 0x7d, 0x17, 0xb4, 0xbb, 0xc4, 0x25, 0x1d, 0x6a, 0x25, 0xca, - 0x25, 0x8e, 0xf4, 0x6d, 0xf5, 0xb2, 0xbc, 0xeb, 0xab, 0x69, 0x52, 0xce, 0xd8, 0x1b, 0x1b, 0xf2, - 0xe2, 0x1d, 0x40, 0x75, 0xcd, 0x76, 0xb7, 0xd8, 0xfd, 0x8d, 0xe9, 0x15, 0xd9, 0x91, 0x23, 0x6d, - 0x18, 0x13, 0xf8, 0x20, 0x4c, 0xf4, 0x02, 0x47, 0xec, 0x33, 0xfb, 0xc4, 0x0b, 0x50, 0xb7, 0x68, - 0x68, 0x06, 0xb6, 0x2f, 0x76, 0x99, 0x37, 0xfa, 0x94, 0x21, 0x66, 0x6d, 0xdb, 0xf4, 0xdc, 0x55, - 0x87, 0x84, 0xa1, 0x4c, 0x0c, 0xc9, 0x80, 0xfe, 0x1a, 0xec, 0x63, 0x32, 0x53, 0x35, 0xcf, 0x67, - 0xd5, 0x3c, 0x92, 0x81, 0x2f, 0xe1, 0x49, 0xc4, 0xb7, 0xe0, 0x25, 0x96, 0x8f, 0xaf, 0xfa, 0xbe, - 0x60, 0x52, 0xb2, 0x18, 0x99, 0x18, 0xd8, 0xf4, 0xf6, 0xdf, 0x4e, 0x02, 0x56, 0x7d, 0x9e, 0x06, - 0x7d, 0xdb, 0xa4, 0xf8, 0x3d, 0x04, 0x93, 0x4c, 0x00, 0x3e, 0x36, 0xea, 0x88, 0x71, 0xdf, 0x6b, - 0xec, 0xdd, 0x85, 0x8e, 0x49, 0xd3, 0xe7, 0xdf, 0xfe, 0xd3, 0x3f, 0xde, 0xaf, 0xcc, 0xe1, 0xc3, - 0xfc, 0x81, 0xa1, 0x7f, 0x49, 0x6d, 0xf6, 0x87, 0xf8, 0x1d, 0x04, 0x58, 0x54, 0x21, 0x4a, 0x77, - 0x17, 0x9f, 0x1f, 0x05, 0x31, 0xa7, 0x0b, 0xdc, 0x38, 0xa6, 0x44, 0xfb, 0xa6, 0xe9, 0x05, 0x94, - 0xc5, 0x76, 0x3e, 0x81, 0x03, 0x58, 0xe2, 0x00, 0x4e, 0x61, 0x3d, 0x0f, 0x40, 0xeb, 0x29, 0xb3, - 0xdb, 0xb3, 0x16, 0x8d, 0xe5, 0x7e, 0x8c, 0x60, 0xea, 0x11, 0xaf, 0xb9, 0xc7, 0x18, 0x69, 0x7d, - 0xcf, 0x8c, 0xc4, 0xc5, 0x71, 0xb4, 0xfa, 0x49, 0x8e, 0xf4, 0x18, 0x3e, 0x2a, 0x91, 0x86, 0x51, - 0x40, 0x49, 0x37, 0x03, 0xf8, 0x22, 0xc2, 0x9f, 0x22, 0x98, 0x8e, 0xdb, 0x8d, 0xf8, 0xf4, 0x28, - 0x94, 0x99, 0x76, 0x64, 0x63, 0xef, 0x7a, 0x77, 0xfa, 0x39, 0x8e, 0xf1, 0xa4, 0x9e, 0xbb, 0x9d, - 0x2b, 0x99, 0xce, 0xde, 0x07, 0x08, 0x26, 0x6e, 0xd1, 0xb1, 0xfe, 0xb6, 0x87, 0xe0, 0x86, 0x0c, - 0x98, 0xb3, 0xd5, 0xf8, 0x13, 0x04, 0x2f, 0xdf, 0xa2, 0x51, 0x7e, 0xaa, 0xc3, 0x8b, 0xe3, 0xf3, - 0x8f, 0x70, 0xbb, 0xf3, 0x25, 0x66, 0x26, 0x31, 0xbe, 0xc5, 0x91, 0x9d, 0xc3, 0x67, 
0x8b, 0x9c, - 0x30, 0xdc, 0x76, 0xcd, 0x27, 0x02, 0xc7, 0x6f, 0x11, 0x1c, 0x1c, 0x7c, 0x6b, 0xc1, 0xd9, 0xe4, - 0x98, 0xfb, 0x14, 0xd3, 0xb8, 0xb7, 0xdb, 0x58, 0x9a, 0x65, 0xaa, 0x5f, 0xe5, 0xc8, 0x5f, 0xc5, - 0xaf, 0x14, 0x21, 0x97, 0x4d, 0xca, 0xb0, 0xf5, 0x54, 0x7e, 0x3e, 0xe3, 0xcf, 0x82, 0x1c, 0xf6, - 0xef, 0x11, 0x1c, 0x96, 0x7c, 0x57, 0x37, 0x49, 0x10, 0x5d, 0xa7, 0xac, 0x82, 0x0d, 0x4b, 0xe9, - 0xb3, 0xcb, 0xdc, 0xa0, 0xca, 0xd3, 0x6f, 0x70, 0x5d, 0xbe, 0x84, 0x5f, 0xdf, 0xb1, 0x2e, 0x26, - 0x63, 0x63, 0x09, 0xd8, 0x6f, 0x23, 0x98, 0xbd, 0x45, 0xa3, 0xbb, 0x49, 0xcf, 0xf1, 0x74, 0xa9, - 0x37, 0x89, 0xc6, 0x7c, 0x53, 0x79, 0x8d, 0x94, 0x3f, 0x25, 0x2e, 0xb2, 0xcc, 0xc1, 0x9d, 0xc5, - 0xa7, 0x8b, 0xc0, 0xa5, 0x7d, 0xce, 0x8f, 0x11, 0x1c, 0x51, 0x41, 0xa4, 0x2f, 0x36, 0x5f, 0xd8, - 0xd9, 0x0b, 0x89, 0x78, 0x67, 0x19, 0x83, 0xae, 0xcd, 0xd1, 0x5d, 0xd0, 0xf3, 0x1d, 0xb8, 0x3b, - 0x84, 0x62, 0x05, 0x2d, 0x2d, 0x22, 0xfc, 0x2b, 0x04, 0xd3, 0x71, 0x53, 0x71, 0xb4, 0x8d, 0x32, - 0x6f, 0x0f, 0x7b, 0x19, 0x0d, 0xc4, 0x6e, 0x37, 0x2e, 0xe6, 0x1b, 0x54, 0x5d, 0x2f, 0x5d, 0xb5, - 0xc9, 0xad, 0x9c, 0x0d, 0x63, 0x3f, 0x43, 0x00, 0x69, 0x63, 0x14, 0x9f, 0x2b, 0xd6, 0x43, 0x69, - 0x9e, 0x36, 0xf6, 0xb6, 0x35, 0xaa, 0x37, 0xb9, 0x3e, 0x8b, 0x8d, 0x85, 0xc2, 0x18, 0xe2, 0x53, - 0x73, 0x25, 0x6e, 0xa2, 0xfe, 0x18, 0xc1, 0x14, 0xef, 0x7b, 0xe1, 0x53, 0xa3, 0x30, 0xab, 0x6d, - 0xb1, 0xbd, 0x34, 0xfd, 0x19, 0x0e, 0x75, 0xa1, 0x5d, 0x14, 0x88, 0x57, 0xd0, 0x12, 0xee, 0xc3, - 0x74, 0xdc, 0x83, 0x1a, 0xed, 0x1e, 0x99, 0x1e, 0x55, 0x63, 0xa1, 0xa0, 0x30, 0x88, 0x1d, 0x55, - 0xe4, 0x80, 0xa5, 0x71, 0x39, 0x60, 0x92, 0x85, 0x69, 0x7c, 0xb2, 0x28, 0x88, 0xff, 0x0f, 0x0c, - 0x73, 0x9e, 0xa3, 0x3b, 0xad, 0x2f, 0x8c, 0xcb, 0x03, 0xcc, 0x3a, 0x3f, 0x44, 0x70, 0x70, 0xb0, - 0x84, 0xc6, 0x47, 0x07, 0x62, 0xa6, 0x7a, 0x6f, 0x68, 0x64, 0xad, 0x38, 0xaa, 0xfc, 0xd6, 0xbf, - 0xcc, 0x51, 0xac, 0xe0, 0x2b, 0x63, 0x4f, 0xc6, 0x3d, 0x19, 0x75, 0x18, 0xa3, 0xe5, 0xf4, 0x0d, - 0xe6, 0xe7, 0x08, 0x66, 
0x25, 0xdf, 0x07, 0x01, 0xa5, 0xc5, 0xb0, 0xf6, 0xee, 0x20, 0x30, 0x59, - 0xfa, 0x6b, 0x1c, 0xfe, 0x17, 0xf1, 0xe5, 0x92, 0xf0, 0x25, 0xec, 0xe5, 0x88, 0x21, 0xfd, 0x35, - 0x82, 0x43, 0x8f, 0x62, 0xbf, 0xff, 0x8c, 0xf0, 0xaf, 0x72, 0xfc, 0xaf, 0xe3, 0x57, 0x0b, 0xea, - 0xbc, 0x71, 0x6a, 0x5c, 0x44, 0xf8, 0xa7, 0x08, 0xaa, 0xf2, 0x45, 0x01, 0x9f, 0x1d, 0x79, 0x30, - 0xb2, 0x6f, 0x0e, 0x7b, 0xe9, 0xcc, 0xa2, 0xa8, 0xd1, 0x4f, 0x15, 0xa6, 0x53, 0x21, 0x9f, 0x39, - 0xf4, 0x07, 0x08, 0x70, 0x72, 0xff, 0x4d, 0x6e, 0xc4, 0xf8, 0x4c, 0x46, 0xd4, 0xc8, 0x86, 0x49, - 0xe3, 0xec, 0xd8, 0x79, 0xd9, 0x54, 0xba, 0x54, 0x98, 0x4a, 0xbd, 0x44, 0xfe, 0xbb, 0x08, 0xea, - 0xb7, 0x68, 0x72, 0x07, 0x29, 0xb0, 0x65, 0xf6, 0xa9, 0xa4, 0xb1, 0x38, 0x7e, 0xa2, 0x40, 0x74, - 0x81, 0x23, 0x3a, 0x83, 0x8b, 0x4d, 0x25, 0x01, 0x7c, 0x84, 0x60, 0xdf, 0x7d, 0xd5, 0x45, 0xf1, - 0x85, 0x71, 0x92, 0x32, 0x91, 0xbc, 0x3c, 0xae, 0xcf, 0x73, 0x5c, 0xcb, 0x7a, 0x29, 0x5c, 0x2b, - 0xe2, 0x3d, 0xe2, 0x47, 0x28, 0xbe, 0xaa, 0x0e, 0x74, 0x93, 0xff, 0x5b, 0xbb, 0x15, 0x34, 0xa5, - 0xf5, 0xcb, 0x1c, 0x5f, 0x13, 0x5f, 0x28, 0x83, 0xaf, 0x25, 0x5a, 0xcc, 0xf8, 0x43, 0x04, 0x87, - 0x78, 0x3f, 0x5f, 0x65, 0x3c, 0x90, 0x62, 0x46, 0x75, 0xff, 0x4b, 0xa4, 0x18, 0x11, 0x7f, 0xf4, - 0x1d, 0x81, 0x5a, 0x91, 0xbd, 0xfa, 0x1f, 0x20, 0xd8, 0x2f, 0x93, 0x9a, 0xd8, 0xdd, 0xe5, 0x71, - 0x86, 0xdb, 0x69, 0x12, 0x14, 0xee, 0xb6, 0x54, 0xce, 0xdd, 0x3e, 0x45, 0x30, 0x23, 0x7a, 0xe9, - 0x05, 0xa5, 0x82, 0xd2, 0x6c, 0x6f, 0x0c, 0x74, 0x32, 0x44, 0x93, 0x56, 0xff, 0x26, 0x17, 0xfb, - 0x10, 0xb7, 0x8a, 0xc4, 0xfa, 0x9e, 0x15, 0xb6, 0x9e, 0x8a, 0x0e, 0xe9, 0xb3, 0x96, 0xe3, 0x75, - 0xc2, 0x37, 0x75, 0x5c, 0x98, 0x10, 0xd9, 0x9c, 0x8b, 0x08, 0x47, 0x50, 0x63, 0xce, 0xc1, 0xdb, - 0x23, 0x78, 0x61, 0xa0, 0x99, 0x32, 0xd4, 0x39, 0x69, 0x34, 0x86, 0xda, 0x2d, 0x69, 0x06, 0x14, - 0xd7, 0x58, 0x7c, 0xa2, 0x50, 0x2c, 0x17, 0xf4, 0x0e, 0x82, 0x43, 0xaa, 0xb7, 0xc7, 0xe2, 0x4b, - 0xfb, 0x7a, 0x11, 0x0a, 0x51, 0x54, 0xe3, 0xa5, 0x52, 0x8e, 
0xc4, 0xe1, 0x5c, 0xbb, 0xf9, 0x9b, - 0xe7, 0xc7, 0xd1, 0x1f, 0x9e, 0x1f, 0x47, 0x7f, 0x7f, 0x7e, 0x1c, 0xbd, 0x79, 0xa5, 0xdc, 0x5f, - 0x2c, 0x4d, 0xc7, 0xa6, 0x6e, 0xa4, 0xb2, 0xff, 0x4f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x47, 0x97, - 0xe3, 0x09, 0x48, 0x2a, 0x00, 0x00, + // 2673 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x5a, 0xcd, 0x8f, 0x1c, 0x47, + 0x15, 0xa7, 0x66, 0xbf, 0x66, 0xde, 0xec, 0xfa, 0xa3, 0x12, 0x2f, 0x9d, 0xf6, 0xc6, 0x6c, 0xda, + 0x76, 0xbc, 0x59, 0x7b, 0x67, 0xec, 0xc1, 0x20, 0x67, 0x93, 0x08, 0xec, 0xf5, 0x27, 0xac, 0x1d, + 0xd3, 0x6b, 0x63, 0x14, 0x0e, 0x50, 0xe9, 0xae, 0x9d, 0x6d, 0xb6, 0xa7, 0xbb, 0xdd, 0xdd, 0x33, + 0xd6, 0xca, 0xf8, 0x12, 0x64, 0x09, 0xa1, 0x08, 0x04, 0xe4, 0x80, 0x10, 0x02, 0x14, 0x14, 0x09, + 0x21, 0x10, 0x17, 0x14, 0x21, 0x21, 0x24, 0xb8, 0x20, 0x38, 0x20, 0x21, 0x38, 0x72, 0x41, 0x16, + 0xe2, 0x08, 0x97, 0xfc, 0x01, 0xa8, 0xaa, 0xab, 0xba, 0xab, 0xe7, 0xa3, 0x67, 0x96, 0x19, 0x14, + 0xdf, 0xfa, 0xd5, 0x54, 0xbd, 0xf7, 0xab, 0x57, 0xbf, 0x7a, 0xaf, 0xea, 0xd5, 0xc0, 0x89, 0x88, + 0x86, 0x1d, 0x1a, 0xd6, 0x49, 0x10, 0xb8, 0x8e, 0x45, 0x62, 0xc7, 0xf7, 0xd4, 0xef, 0x5a, 0x10, + 0xfa, 0xb1, 0x8f, 0xab, 0x4a, 0x93, 0xbe, 0xd4, 0xf4, 0xfd, 0xa6, 0x4b, 0xeb, 0x24, 0x70, 0xea, + 0xc4, 0xf3, 0xfc, 0x98, 0x37, 0x47, 0x49, 0x57, 0xdd, 0xd8, 0xbd, 0x10, 0xd5, 0x1c, 0x9f, 0xff, + 0x6a, 0xf9, 0x21, 0xad, 0x77, 0xce, 0xd5, 0x9b, 0xd4, 0xa3, 0x21, 0x89, 0xa9, 0x2d, 0xfa, 0x9c, + 0xcf, 0xfa, 0xb4, 0x88, 0xb5, 0xe3, 0x78, 0x34, 0xdc, 0xab, 0x07, 0xbb, 0x4d, 0xd6, 0x10, 0xd5, + 0x5b, 0x34, 0x26, 0xfd, 0x46, 0x6d, 0x36, 0x9d, 0x78, 0xa7, 0xfd, 0x66, 0xcd, 0xf2, 0x5b, 0x75, + 0x12, 0x36, 0xfd, 0x20, 0xf4, 0xbf, 0xc2, 0x3f, 0xd6, 0x2c, 0xbb, 0xde, 0x69, 0x64, 0x0a, 0xd4, + 0xb9, 0x74, 0xce, 0x11, 0x37, 0xd8, 0x21, 0xbd, 0xda, 0xae, 0x0c, 0xd1, 0x16, 0xd2, 0xc0, 0x17, + 0xbe, 0xe1, 0x9f, 0x4e, 0xec, 0x87, 0x7b, 0xca, 0x67, 0xa2, 0xc6, 0xf8, 0x00, 0xc1, 0xa1, 0x8b, + 0x99, 0xbd, 
0xcf, 0xb5, 0x69, 0xb8, 0x87, 0x31, 0x4c, 0x7b, 0xa4, 0x45, 0x35, 0xb4, 0x8c, 0x56, + 0x2a, 0x26, 0xff, 0xc6, 0x1a, 0xcc, 0x85, 0x74, 0x3b, 0xa4, 0xd1, 0x8e, 0x56, 0xe2, 0xcd, 0x52, + 0xc4, 0x3a, 0x94, 0x99, 0x71, 0x6a, 0xc5, 0x91, 0x36, 0xb5, 0x3c, 0xb5, 0x52, 0x31, 0x53, 0x19, + 0xaf, 0xc0, 0xc1, 0x90, 0x46, 0x7e, 0x3b, 0xb4, 0xe8, 0xe7, 0x69, 0x18, 0x39, 0xbe, 0xa7, 0x4d, + 0xf3, 0xd1, 0xdd, 0xcd, 0x4c, 0x4b, 0x44, 0x5d, 0x6a, 0xc5, 0x7e, 0xa8, 0xcd, 0xf0, 0x2e, 0xa9, + 0xcc, 0xf0, 0x30, 0xe0, 0xda, 0x6c, 0x82, 0x87, 0x7d, 0x63, 0x03, 0xe6, 0x49, 0x10, 0xdc, 0x22, + 0x2d, 0x1a, 0x05, 0xc4, 0xa2, 0xda, 0x1c, 0xff, 0x2d, 0xd7, 0xc6, 0x30, 0x0b, 0x24, 0x5a, 0x99, + 0x03, 0x93, 0xa2, 0xb1, 0x01, 0x95, 0x5b, 0xbe, 0x4d, 0x07, 0x4f, 0xb7, 0x5b, 0x7d, 0xa9, 0x57, + 0xbd, 0xf1, 0x18, 0xc1, 0x11, 0x93, 0x76, 0x1c, 0x86, 0xff, 0x26, 0x8d, 0x89, 0x4d, 0x62, 0xd2, + 0xad, 0xb1, 0x94, 0x6a, 0xd4, 0xa1, 0x1c, 0x8a, 0xce, 0x5a, 0x89, 0xb7, 0xa7, 0x72, 0x8f, 0xb5, + 0xa9, 0xe2, 0xc9, 0x24, 0x2e, 0x4c, 0x27, 0xf3, 0x2f, 0x04, 0xc7, 0x94, 0x35, 0x34, 0x85, 0x67, + 0xaf, 0x74, 0xa8, 0x17, 0x47, 0x83, 0x01, 0x9d, 0x81, 0xc3, 0x72, 0x11, 0xba, 0xe7, 0xd9, 0xfb, + 0x03, 0x83, 0xa8, 0x36, 0x4a, 0x88, 0x6a, 0x1b, 0x5e, 0x86, 0xaa, 0x94, 0xef, 0xde, 0xb8, 0x2c, + 0x60, 0xaa, 0x4d, 0x3d, 0x13, 0x9d, 0x29, 0x9e, 0xe8, 0x6c, 0x7e, 0xa2, 0x5f, 0x47, 0xa0, 0x29, + 0x13, 0xbd, 0x49, 0x3c, 0x67, 0x9b, 0x46, 0xf1, 0xa8, 0x3e, 0x47, 0x13, 0xf4, 0xf9, 0x0b, 0x50, + 0xb9, 0xea, 0xb8, 0x74, 0x63, 0xa7, 0xed, 0xed, 0xe2, 0x67, 0x61, 0xc6, 0x62, 0x1f, 0xdc, 0xf6, + 0xbc, 0x99, 0x08, 0xc6, 0xb7, 0x11, 0xbc, 0x30, 0x08, 0xed, 0x3d, 0x27, 0xde, 0x61, 0xe3, 0xa3, + 0x41, 0xb0, 0xad, 0x1d, 0x6a, 0xed, 0x46, 0xed, 0x96, 0xa4, 0x8a, 0x94, 0xc7, 0x84, 0xfd, 0x33, + 0x04, 0x2b, 0x43, 0x31, 0xdd, 0x0b, 0x49, 0x10, 0xd0, 0x10, 0x5f, 0x85, 0x99, 0xfb, 0xec, 0x07, + 0xbe, 0x31, 0xaa, 0x8d, 0x5a, 0x4d, 0x0d, 0xac, 0x43, 0xb5, 0x5c, 0xff, 0x88, 0x99, 0x0c, 0xc7, + 0x35, 0xe9, 0x9e, 0x12, 0xd7, 0xb3, 0x98, 0xd3, 
0x93, 0x7a, 0x91, 0xf5, 0xe7, 0xdd, 0x2e, 0xcd, + 0xc2, 0x74, 0x40, 0xc2, 0xd8, 0x38, 0x02, 0xcf, 0xe4, 0x69, 0x1d, 0xf8, 0x5e, 0x44, 0x8d, 0xdf, + 0xe4, 0x59, 0xb0, 0x11, 0x52, 0x12, 0x53, 0x93, 0xde, 0x6f, 0xd3, 0x28, 0xc6, 0xbb, 0xa0, 0xc6, + 0x7a, 0xee, 0xd5, 0x6a, 0xe3, 0x46, 0x2d, 0x0b, 0x96, 0x35, 0x19, 0x2c, 0xf9, 0xc7, 0x97, 0x2c, + 0xbb, 0xd6, 0x69, 0xd4, 0x82, 0xdd, 0x66, 0x8d, 0x85, 0xde, 0x1c, 0x32, 0x19, 0x7a, 0xd5, 0xa9, + 0x9a, 0xaa, 0x76, 0xbc, 0x08, 0xb3, 0xed, 0x20, 0xa2, 0x61, 0xcc, 0x67, 0x56, 0x36, 0x85, 0xc4, + 0xd6, 0xaf, 0x43, 0x5c, 0xc7, 0x26, 0x71, 0xb2, 0x3e, 0x65, 0x33, 0x95, 0x8d, 0xdf, 0xe6, 0xd1, + 0xdf, 0x0d, 0xec, 0x0f, 0x0b, 0xbd, 0x8a, 0xb2, 0x94, 0x47, 0xa9, 0x32, 0x68, 0x2a, 0xcf, 0xa0, + 0x5f, 0xe5, 0xf1, 0x5f, 0xa6, 0x2e, 0xcd, 0xf0, 0xf7, 0x23, 0xb3, 0x06, 0x73, 0x16, 0x89, 0x2c, + 0x62, 0x4b, 0x2b, 0x52, 0x64, 0x01, 0x28, 0x08, 0xfd, 0x80, 0x34, 0xb9, 0xa6, 0xdb, 0xbe, 0xeb, + 0x58, 0x7b, 0xc2, 0x5c, 0xef, 0x0f, 0x3d, 0xc4, 0x9f, 0x2e, 0x26, 0xfe, 0x4c, 0x1e, 0xf6, 0x71, + 0xa8, 0x6e, 0xed, 0x79, 0xd6, 0xeb, 0x01, 0xcf, 0xf5, 0x6c, 0xc7, 0x3a, 0x31, 0x6d, 0x45, 0x1a, + 0xe2, 0x79, 0x21, 0x11, 0x8c, 0xf7, 0x67, 0x60, 0x51, 0x99, 0x1b, 0x1b, 0x50, 0x34, 0xb3, 0xa2, + 0xe8, 0xb2, 0x08, 0xb3, 0x76, 0xb8, 0x67, 0xb6, 0x3d, 0x41, 0x00, 0x21, 0x31, 0xc3, 0x41, 0xd8, + 0xf6, 0x12, 0xf8, 0x65, 0x33, 0x11, 0xf0, 0x36, 0x94, 0xa3, 0x98, 0x65, 0xf7, 0xe6, 0x1e, 0x07, + 0x5e, 0x6d, 0x7c, 0x66, 0xbc, 0x45, 0x67, 0xd0, 0xb7, 0x84, 0x46, 0x33, 0xd5, 0x8d, 0xef, 0x43, + 0x45, 0x46, 0xe3, 0x48, 0x9b, 0x5b, 0x9e, 0x5a, 0xa9, 0x36, 0xb6, 0xc6, 0x37, 0xf4, 0x7a, 0xc0, + 0x4e, 0x26, 0x4a, 0xe6, 0x31, 0x33, 0x2b, 0x78, 0x09, 0x2a, 0x2d, 0x11, 0x1f, 0x22, 0x91, 0x85, + 0xb3, 0x06, 0xfc, 0x05, 0x98, 0x71, 0xbc, 0x6d, 0x3f, 0xd2, 0x2a, 0x1c, 0xcc, 0xa5, 0xf1, 0xc0, + 0xdc, 0xf0, 0xb6, 0x7d, 0x33, 0x51, 0x88, 0xef, 0xc3, 0x42, 0x48, 0xe3, 0x70, 0x4f, 0x7a, 0x41, + 0x03, 0xee, 0xd7, 0xcf, 0x8e, 0x67, 0xc1, 0x54, 0x55, 0x9a, 0x79, 0x0b, 0x78, 0x1d, 
0xaa, 0x51, + 0xc6, 0x31, 0xad, 0xca, 0x0d, 0x6a, 0x39, 0x45, 0x0a, 0x07, 0x4d, 0xb5, 0x73, 0x0f, 0xbb, 0xe7, + 0x8b, 0xd9, 0xbd, 0x90, 0x67, 0xf7, 0x7f, 0x10, 0x2c, 0xf5, 0x04, 0x95, 0xad, 0x80, 0x16, 0xd2, + 0x97, 0xc0, 0x74, 0x14, 0x50, 0x8b, 0x67, 0x98, 0x6a, 0xe3, 0xe6, 0xc4, 0xa2, 0x0c, 0xb7, 0xcb, + 0x55, 0x17, 0x05, 0xc2, 0x31, 0xf7, 0xf3, 0x8f, 0x10, 0x7c, 0x54, 0xb1, 0x79, 0x9b, 0xc4, 0xd6, + 0x4e, 0xd1, 0x64, 0xd9, 0xbe, 0x63, 0x7d, 0x44, 0x3e, 0x4d, 0x04, 0x46, 0x4e, 0xfe, 0x71, 0x67, + 0x2f, 0x60, 0x00, 0xd9, 0x2f, 0x59, 0xc3, 0x98, 0x87, 0x95, 0x9f, 0x23, 0xd0, 0xd5, 0xd8, 0xeb, + 0xbb, 0xee, 0x9b, 0xc4, 0xda, 0x2d, 0x02, 0x79, 0x00, 0x4a, 0x8e, 0xcd, 0x11, 0x4e, 0x99, 0x25, + 0xc7, 0xde, 0x67, 0x10, 0xe9, 0x86, 0x3b, 0x5b, 0x0c, 0x77, 0x2e, 0x0f, 0xf7, 0x83, 0x2e, 0xb8, + 0x72, 0x2b, 0x17, 0xc0, 0x5d, 0x82, 0x8a, 0xd7, 0x75, 0x70, 0xcc, 0x1a, 0xfa, 0x1c, 0x18, 0x4b, + 0x3d, 0x07, 0x46, 0x0d, 0xe6, 0x3a, 0xe9, 0xb5, 0x80, 0xfd, 0x2c, 0x45, 0x36, 0xc5, 0x66, 0xe8, + 0xb7, 0x03, 0xe1, 0xf4, 0x44, 0x60, 0x28, 0x76, 0x1d, 0xcf, 0xd6, 0x66, 0x13, 0x14, 0xec, 0x7b, + 0xff, 0x17, 0x81, 0xdc, 0xb4, 0x7f, 0x51, 0x82, 0x8f, 0xf5, 0x99, 0xf6, 0x50, 0x3e, 0x3d, 0x1d, + 0x73, 0x4f, 0x59, 0x3d, 0x37, 0x90, 0xd5, 0xe5, 0x61, 0xac, 0xae, 0x14, 0xfb, 0x0b, 0xf2, 0xfe, + 0xfa, 0x69, 0x09, 0x96, 0xfb, 0xf8, 0x6b, 0xf8, 0x31, 0xe0, 0xa9, 0x71, 0xd8, 0xb6, 0x1f, 0x0a, + 0x96, 0x94, 0xcd, 0x44, 0x60, 0xfb, 0xcc, 0x0f, 0x83, 0x1d, 0xe2, 0x71, 0x76, 0x94, 0x4d, 0x21, + 0x8d, 0xe9, 0xaa, 0x6f, 0x94, 0x40, 0x93, 0xfe, 0xb9, 0x68, 0x71, 0x6f, 0xb5, 0xbd, 0xa7, 0xdf, + 0x45, 0x8b, 0x30, 0x4b, 0x38, 0x5a, 0x41, 0x2a, 0x21, 0xf5, 0x38, 0xa3, 0x5c, 0xec, 0x8c, 0x4a, + 0xde, 0x19, 0x8f, 0x11, 0x1c, 0xcd, 0x3b, 0x23, 0xda, 0x74, 0xa2, 0x58, 0x1e, 0xea, 0xf1, 0x36, + 0xcc, 0x25, 0x76, 0x92, 0x23, 0x59, 0xb5, 0xb1, 0x39, 0x6e, 0xa2, 0xce, 0x39, 0x5e, 0x2a, 0x37, + 0x5e, 0x86, 0xa3, 0x7d, 0xa3, 0x9c, 0x80, 0xa1, 0x43, 0x59, 0x1e, 0x4e, 0xc4, 0xd2, 0xa4, 0xb2, + 0xf1, 0x78, 0x3a, 0x9f, 
0x72, 0x7c, 0x7b, 0xd3, 0x6f, 0x16, 0xdc, 0xaf, 0x8b, 0x97, 0x93, 0xb9, + 0xca, 0xb7, 0x95, 0xab, 0xb4, 0x14, 0xd9, 0x38, 0xcb, 0xf7, 0x62, 0xe2, 0x78, 0x34, 0x14, 0x59, + 0x31, 0x6b, 0x60, 0xcb, 0x10, 0x39, 0x9e, 0x45, 0xb7, 0xa8, 0xe5, 0x7b, 0x76, 0xc4, 0xd7, 0x73, + 0xca, 0xcc, 0xb5, 0xe1, 0xeb, 0x50, 0xe1, 0xf2, 0x1d, 0xa7, 0x95, 0xa4, 0x81, 0x6a, 0x63, 0xb5, + 0x96, 0xd4, 0xac, 0x6a, 0x6a, 0xcd, 0x2a, 0xf3, 0x61, 0x8b, 0xc6, 0xa4, 0xd6, 0x39, 0x57, 0x63, + 0x23, 0xcc, 0x6c, 0x30, 0xc3, 0x12, 0x13, 0xc7, 0xdd, 0x74, 0x3c, 0x7e, 0x60, 0x64, 0xa6, 0xb2, + 0x06, 0x46, 0x95, 0x6d, 0xdf, 0x75, 0xfd, 0x07, 0x72, 0xdf, 0x24, 0x12, 0x1b, 0xd5, 0xf6, 0x62, + 0xc7, 0xe5, 0xf6, 0x13, 0x22, 0x64, 0x0d, 0x7c, 0x94, 0xe3, 0xc6, 0x34, 0x14, 0x1b, 0x46, 0x48, + 0x29, 0x19, 0xab, 0x49, 0x19, 0x46, 0xee, 0xd7, 0x84, 0xb6, 0xf3, 0x2a, 0x6d, 0xbb, 0xb7, 0xc2, + 0x42, 0x9f, 0x5a, 0x04, 0xaf, 0x4a, 0xd1, 0x8e, 0xe3, 0xb7, 0x23, 0xed, 0x40, 0x72, 0xf4, 0x90, + 0x72, 0x0f, 0x95, 0x0f, 0x16, 0x53, 0xf9, 0x50, 0x9e, 0xca, 0xbf, 0x43, 0x50, 0xde, 0xf4, 0x9b, + 0x57, 0xbc, 0x38, 0xdc, 0xe3, 0xb7, 0x1b, 0xdf, 0x8b, 0xa9, 0x27, 0xf9, 0x22, 0x45, 0xb6, 0x08, + 0xb1, 0xd3, 0xa2, 0x5b, 0x31, 0x69, 0x05, 0xe2, 0x8c, 0xb5, 0xaf, 0x45, 0x48, 0x07, 0x33, 0xc7, + 0xb8, 0x24, 0x8a, 0xf9, 0x8e, 0x2f, 0x9b, 0xfc, 0x9b, 0x4d, 0x21, 0xed, 0xb0, 0x15, 0x87, 0x62, + 0xbb, 0xe7, 0xda, 0x54, 0x8a, 0xcd, 0x24, 0xd8, 0x84, 0x68, 0xb4, 0xe0, 0xb9, 0xf4, 0xd0, 0x7e, + 0x87, 0x86, 0x2d, 0xc7, 0x23, 0xc5, 0xd1, 0x7b, 0x84, 0x72, 0x58, 0xc1, 0x9d, 0xd1, 0xcf, 0x6d, + 0x3a, 0x76, 0x06, 0xbe, 0xe7, 0x78, 0xb6, 0xff, 0xa0, 0x60, 0xf3, 0x8c, 0x67, 0xf0, 0xaf, 0xf9, + 0x8a, 0x98, 0x62, 0x31, 0xdd, 0xe9, 0xd7, 0x61, 0x81, 0xc5, 0x84, 0x0e, 0x15, 0x3f, 0x88, 0xb0, + 0x63, 0x0c, 0x2a, 0x72, 0x64, 0x3a, 0xcc, 0xfc, 0x40, 0xbc, 0x09, 0x07, 0x49, 0x14, 0x39, 0x4d, + 0x8f, 0xda, 0x52, 0x57, 0x69, 0x64, 0x5d, 0xdd, 0x43, 0x93, 0xeb, 0x32, 0xef, 0x21, 0xd6, 0x5b, + 0x8a, 0xc6, 0xd7, 0x10, 0x1c, 0xe9, 0xab, 0x24, 0xdd, 0x39, 
0x48, 0x09, 0xe3, 0x3a, 0x94, 0x23, + 0x6b, 0x87, 0xda, 0x6d, 0x97, 0xca, 0x1a, 0x92, 0x94, 0xd9, 0x6f, 0x76, 0x3b, 0x59, 0x7d, 0x91, + 0x46, 0x52, 0x19, 0x1f, 0x03, 0x68, 0x11, 0xaf, 0x4d, 0x5c, 0x0e, 0x61, 0x9a, 0x43, 0x50, 0x5a, + 0x8c, 0x25, 0xd0, 0xfb, 0x51, 0x47, 0xd4, 0x66, 0xfe, 0x8d, 0xe0, 0x80, 0x0c, 0xaa, 0x62, 0x75, + 0x57, 0xe0, 0xa0, 0xe2, 0x86, 0x5b, 0xd9, 0x42, 0x77, 0x37, 0x0f, 0x09, 0x98, 0x92, 0x25, 0x53, + 0xf9, 0xa2, 0x74, 0x27, 0x57, 0x56, 0x1e, 0x39, 0xdf, 0xa1, 0x09, 0x9d, 0x1f, 0xbf, 0x0a, 0xda, + 0x4d, 0xe2, 0x91, 0x26, 0xb5, 0xd3, 0x69, 0xa7, 0x14, 0xfb, 0xb2, 0x5a, 0x64, 0x18, 0xfb, 0x4a, + 0x9f, 0x1e, 0xb5, 0x9c, 0xed, 0x6d, 0x59, 0xb0, 0x08, 0xa1, 0xbc, 0xe9, 0x78, 0xbb, 0xec, 0xde, + 0xcb, 0x66, 0x1c, 0x3b, 0xb1, 0x2b, 0xbd, 0x9b, 0x08, 0xf8, 0x10, 0x4c, 0xb5, 0x43, 0x57, 0x30, + 0x80, 0x7d, 0xe2, 0x65, 0xa8, 0xda, 0x34, 0xb2, 0x42, 0x27, 0x10, 0xeb, 0xcf, 0x8b, 0xb4, 0x4a, + 0x13, 0x5b, 0x07, 0xc7, 0xf2, 0xbd, 0x0d, 0x97, 0x44, 0x91, 0x4c, 0x40, 0x69, 0x83, 0xf1, 0x2a, + 0x2c, 0x30, 0x9b, 0xd9, 0x34, 0x4f, 0xe7, 0xa7, 0x79, 0x24, 0x07, 0x5f, 0xc2, 0x93, 0x88, 0x09, + 0x3c, 0xc3, 0xf2, 0xfe, 0xc5, 0x20, 0x10, 0x4a, 0x46, 0x3c, 0x0e, 0x4d, 0xf5, 0xcb, 0x9f, 0x7d, + 0x6b, 0x9c, 0x8d, 0xbf, 0x1f, 0x07, 0xac, 0xee, 0x13, 0x1a, 0x76, 0x1c, 0x8b, 0xe2, 0xef, 0x20, + 0x98, 0x66, 0xa6, 0xf1, 0xf3, 0x83, 0xb6, 0x25, 0xe7, 0xab, 0x3e, 0xb9, 0x8b, 0x30, 0xb3, 0x66, + 0x2c, 0xbd, 0xf5, 0xb7, 0x7f, 0x7e, 0xb7, 0xb4, 0x88, 0x9f, 0xe5, 0x2f, 0x4a, 0x9d, 0x73, 0xea, + 0xeb, 0x4e, 0x84, 0xdf, 0x46, 0x80, 0xc5, 0x39, 0x48, 0xa9, 0xd9, 0xe3, 0xd3, 0x83, 0x20, 0xf6, + 0xa9, 0xed, 0xeb, 0xcf, 0x2b, 0x59, 0xa5, 0x66, 0xf9, 0x21, 0x65, 0x39, 0x84, 0x77, 0xe0, 0x00, + 0x56, 0x39, 0x80, 0x13, 0xd8, 0xe8, 0x07, 0xa0, 0xfe, 0x90, 0x79, 0xf4, 0x51, 0x9d, 0x26, 0x76, + 0xdf, 0x45, 0x30, 0x73, 0x8f, 0xdf, 0x21, 0x86, 0x38, 0x69, 0x6b, 0x62, 0x4e, 0xe2, 0xe6, 0x38, + 0x5a, 0xe3, 0x38, 0x47, 0xfa, 0x3c, 0x3e, 0x2a, 0x91, 0x46, 0x71, 0x48, 0x49, 0x2b, 0x07, 0xf8, + 
0x2c, 0xc2, 0xef, 0x21, 0x98, 0x4d, 0x8a, 0xbe, 0xf8, 0xe4, 0x20, 0x94, 0xb9, 0xa2, 0xb0, 0x3e, + 0xb9, 0x0a, 0xaa, 0xf1, 0x12, 0xc7, 0x78, 0xdc, 0xe8, 0xbb, 0x9c, 0xeb, 0xb9, 0xfa, 0xea, 0x3b, + 0x08, 0xa6, 0xae, 0xd1, 0xa1, 0x7c, 0x9b, 0x20, 0xb8, 0x1e, 0x07, 0xf6, 0x59, 0x6a, 0xfc, 0x13, + 0x04, 0xcf, 0x5d, 0xa3, 0x71, 0xff, 0xf4, 0x88, 0x57, 0x86, 0xe7, 0x2c, 0x41, 0xbb, 0xd3, 0x23, + 0xf4, 0x4c, 0xf3, 0x42, 0x9d, 0x23, 0x7b, 0x09, 0x9f, 0x2a, 0x22, 0x61, 0xb4, 0xe7, 0x59, 0x0f, + 0x04, 0x8e, 0x3f, 0x21, 0x38, 0xd4, 0xfd, 0xb6, 0x86, 0xf3, 0x09, 0xb5, 0xef, 0xd3, 0x9b, 0x7e, + 0x6b, 0xdc, 0x28, 0x9b, 0x57, 0x6a, 0x5c, 0xe4, 0xc8, 0x5f, 0xc1, 0x2f, 0x17, 0x21, 0x97, 0x65, + 0xdf, 0xa8, 0xfe, 0x50, 0x7e, 0x3e, 0xe2, 0xef, 0xc0, 0x1c, 0xf6, 0x9f, 0x11, 0x3c, 0x2b, 0xf5, + 0x6e, 0xec, 0x90, 0x30, 0xbe, 0x4c, 0xd9, 0x19, 0x3a, 0x1a, 0x69, 0x3e, 0x63, 0x66, 0x0d, 0xd5, + 0x9e, 0x71, 0x85, 0xcf, 0xe5, 0x53, 0xf8, 0xb5, 0x7d, 0xcf, 0xc5, 0x62, 0x6a, 0x6c, 0x01, 0xfb, + 0x2d, 0x04, 0xf3, 0xd7, 0x68, 0x7c, 0x33, 0xad, 0xe2, 0x9e, 0x1c, 0xe9, 0x65, 0x48, 0x5f, 0xaa, + 0x29, 0xcf, 0xcf, 0xf2, 0xa7, 0x94, 0x22, 0x6b, 0x1c, 0xdc, 0x29, 0x7c, 0xb2, 0x08, 0x5c, 0x56, + 0x39, 0x7e, 0x17, 0xc1, 0x11, 0x15, 0x44, 0xf6, 0xa2, 0xf6, 0x89, 0xfd, 0xbd, 0x53, 0x89, 0xd7, + 0xae, 0x21, 0xe8, 0x1a, 0x1c, 0xdd, 0x19, 0xa3, 0x3f, 0x81, 0x5b, 0x3d, 0x28, 0xd6, 0xd1, 0xea, + 0x0a, 0xc2, 0xbf, 0x47, 0x30, 0x9b, 0x14, 0x63, 0x07, 0xfb, 0x28, 0xf7, 0x02, 0x34, 0xc9, 0x68, + 0x20, 0x56, 0x5b, 0x3f, 0xdb, 0xdf, 0xa1, 0xea, 0x78, 0x49, 0xd5, 0x1a, 0xf7, 0x72, 0x3e, 0x8c, + 0xbd, 0x8f, 0x00, 0xb2, 0x82, 0x32, 0x7e, 0xa9, 0x78, 0x1e, 0x4a, 0xd1, 0x59, 0x9f, 0x6c, 0x49, + 0xd9, 0xa8, 0xf1, 0xf9, 0xac, 0xe8, 0xcb, 0x85, 0x31, 0x24, 0xa0, 0xd6, 0x7a, 0x52, 0x7c, 0xfe, + 0x31, 0x82, 0x19, 0x5e, 0xc7, 0xc3, 0x27, 0x06, 0x61, 0x56, 0xcb, 0x7c, 0x93, 0x74, 0xfd, 0x8b, + 0x1c, 0xea, 0x72, 0xa3, 0x28, 0x10, 0xaf, 0xa3, 0x55, 0xdc, 0x81, 0xd9, 0xa4, 0x72, 0x36, 0x98, + 0x1e, 0xb9, 0xca, 0x9a, 0xbe, 0x5c, 
0x70, 0x30, 0x48, 0x88, 0x2a, 0x72, 0xc0, 0xea, 0xb0, 0x1c, + 0x30, 0xcd, 0xc2, 0x34, 0x3e, 0x5e, 0x14, 0xc4, 0xff, 0x0f, 0x8e, 0x39, 0xcd, 0xd1, 0x9d, 0x34, + 0x96, 0x87, 0xe5, 0x01, 0xe6, 0x9d, 0xef, 0x21, 0x38, 0xd4, 0x7d, 0xb8, 0xc6, 0x47, 0xbb, 0x62, + 0xa6, 0x7a, 0xd7, 0xd0, 0xf3, 0x5e, 0x1c, 0x74, 0x30, 0x37, 0x3e, 0xcd, 0x51, 0xac, 0xe3, 0x0b, + 0x43, 0x77, 0xc6, 0x2d, 0x19, 0x75, 0x98, 0xa2, 0xb5, 0xec, 0x55, 0xeb, 0xd7, 0x08, 0xe6, 0xa5, + 0xde, 0x3b, 0x21, 0xa5, 0xc5, 0xb0, 0x26, 0xb7, 0x11, 0x98, 0x2d, 0xe3, 0x55, 0x0e, 0xff, 0x93, + 0xf8, 0xfc, 0x88, 0xf0, 0x25, 0xec, 0xb5, 0x98, 0x21, 0xfd, 0x03, 0x82, 0xc3, 0xf7, 0x12, 0xde, + 0x7f, 0x48, 0xf8, 0x37, 0x38, 0xfe, 0xd7, 0xf0, 0x2b, 0x05, 0xe7, 0xbc, 0x61, 0xd3, 0x38, 0x8b, + 0xf0, 0x2f, 0x11, 0x94, 0xe5, 0xab, 0x0a, 0x3e, 0x35, 0x70, 0x63, 0xe4, 0xdf, 0x5d, 0x26, 0x49, + 0x66, 0x71, 0xa8, 0x31, 0x4e, 0x14, 0xa6, 0x53, 0x61, 0x9f, 0x11, 0xfa, 0x1d, 0x04, 0x38, 0xbd, + 0x33, 0xa7, 0xb7, 0x68, 0xfc, 0x62, 0xce, 0xd4, 0xc0, 0xc2, 0x8c, 0x7e, 0x6a, 0x68, 0xbf, 0x7c, + 0x2a, 0x5d, 0x2d, 0x4c, 0xa5, 0x7e, 0x6a, 0xff, 0x9b, 0x08, 0xaa, 0xd7, 0x68, 0x7a, 0x07, 0x29, + 0xf0, 0x65, 0xfe, 0x51, 0x48, 0x5f, 0x19, 0xde, 0x51, 0x20, 0x3a, 0xc3, 0x11, 0xbd, 0x88, 0x8b, + 0x5d, 0x25, 0x01, 0xfc, 0x00, 0xc1, 0xc2, 0x6d, 0x95, 0xa2, 0xf8, 0xcc, 0x30, 0x4b, 0xb9, 0x48, + 0x3e, 0x3a, 0xae, 0x8f, 0x73, 0x5c, 0x6b, 0xc6, 0x48, 0xb8, 0xd6, 0xc5, 0xfb, 0xca, 0x0f, 0x51, + 0x72, 0x89, 0xed, 0xaa, 0x67, 0xff, 0xaf, 0x7e, 0x2b, 0x28, 0x8b, 0x1b, 0xe7, 0x39, 0xbe, 0x1a, + 0x3e, 0x33, 0x0a, 0xbe, 0xba, 0x28, 0x72, 0xe3, 0xef, 0x23, 0x38, 0xcc, 0xdf, 0x1a, 0x54, 0xc5, + 0x5d, 0x29, 0x66, 0xd0, 0xcb, 0xc4, 0x08, 0x29, 0x46, 0xc4, 0x1f, 0x63, 0x5f, 0xa0, 0xd6, 0xe5, + 0x3b, 0xc2, 0xb7, 0x10, 0x1c, 0x90, 0x49, 0x4d, 0xac, 0xee, 0xda, 0x30, 0xc7, 0xed, 0x37, 0x09, + 0x0a, 0xba, 0xad, 0x8e, 0x46, 0xb7, 0xf7, 0x10, 0xcc, 0x89, 0x6a, 0x7e, 0xc1, 0x51, 0x41, 0x29, + 0xf7, 0xeb, 0x5d, 0x35, 0x0e, 0x51, 0x0c, 0x36, 0xbe, 0xc8, 0xcd, 0xde, 
0xc5, 0xf5, 0x22, 0xb3, + 0x81, 0x6f, 0x47, 0xf5, 0x87, 0xa2, 0x12, 0xfb, 0xa8, 0xee, 0xfa, 0xcd, 0xe8, 0x0d, 0x03, 0x17, + 0x26, 0x44, 0xd6, 0xe7, 0x2c, 0xc2, 0x31, 0x54, 0x18, 0x39, 0x78, 0xe1, 0x04, 0x2f, 0x77, 0x95, + 0x59, 0x7a, 0x6a, 0x2a, 0xba, 0xde, 0x53, 0x88, 0xc9, 0x32, 0xa0, 0xb8, 0xc6, 0xe2, 0x17, 0x0a, + 0xcd, 0x72, 0x43, 0x6f, 0x23, 0x38, 0xac, 0xb2, 0x3d, 0x31, 0x3f, 0x32, 0xd7, 0x8b, 0x50, 0x88, + 0x43, 0x35, 0x5e, 0x1d, 0x89, 0x48, 0x1c, 0xce, 0xa5, 0xab, 0x7f, 0x7c, 0x72, 0x0c, 0xfd, 0xe5, + 0xc9, 0x31, 0xf4, 0x8f, 0x27, 0xc7, 0xd0, 0x1b, 0x17, 0x46, 0xfb, 0x4f, 0xad, 0xe5, 0x3a, 0xd4, + 0x8b, 0x55, 0xf5, 0xff, 0x0d, 0x00, 0x00, 0xff, 0xff, 0x30, 0xc0, 0x40, 0x7a, 0x39, 0x2c, 0x00, + 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -4180,6 +4339,13 @@ func (m *RevisionMetadataQuery) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x22 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -4232,6 +4398,13 @@ func (m *ApplicationResourceEventsQuery) MarshalToSizedBuffer(dAtA []byte) (int, i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x32 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) 
@@ -4296,6 +4469,13 @@ func (m *ApplicationManifestQuery) MarshalToSizedBuffer(dAtA []byte) (int, error i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x22 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -4382,6 +4562,13 @@ func (m *ApplicationManifestQueryWithFiles) MarshalToSizedBuffer(dAtA []byte) (i i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x22 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -4600,6 +4787,13 @@ func (m *ApplicationUpdateRequest) MarshalToSizedBuffer(dAtA []byte) (int, error i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x1a + } if m.Validate != nil { i-- if *m.Validate { @@ -4651,6 +4845,13 @@ func (m *ApplicationDeleteRequest) MarshalToSizedBuffer(dAtA []byte) (int, error i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x2a + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) 
@@ -4747,6 +4948,13 @@ func (m *ApplicationSyncRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x6a + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -4890,6 +5098,13 @@ func (m *ApplicationUpdateSpecRequest) MarshalToSizedBuffer(dAtA []byte) (int, e i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x2a + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -4957,6 +5172,13 @@ func (m *ApplicationPatchRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x32 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -5018,6 +5240,13 @@ func (m *ApplicationRollbackRequest) MarshalToSizedBuffer(dAtA []byte) (int, err i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x3a + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) 
@@ -5088,6 +5317,13 @@ func (m *ApplicationResourceRequest) MarshalToSizedBuffer(dAtA []byte) (int, err i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x42 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -5172,6 +5408,13 @@ func (m *ApplicationResourcePatchRequest) MarshalToSizedBuffer(dAtA []byte) (int i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x52 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -5274,6 +5517,13 @@ func (m *ApplicationResourceDeleteRequest) MarshalToSizedBuffer(dAtA []byte) (in i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x52 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -5378,6 +5628,13 @@ func (m *ResourceActionRunRequest) MarshalToSizedBuffer(dAtA []byte) (int, error i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x4a + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) 
@@ -5548,6 +5805,15 @@ func (m *ApplicationPodLogsQuery) MarshalToSizedBuffer(dAtA []byte) (int, error) i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x82 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -5769,6 +6035,13 @@ func (m *OperationTerminateRequest) MarshalToSizedBuffer(dAtA []byte) (int, erro i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x1a + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -5812,6 +6085,13 @@ func (m *ApplicationSyncWindowsQuery) MarshalToSizedBuffer(dAtA []byte) (int, er i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x1a + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) @@ -6015,6 +6295,13 @@ func (m *ResourcesQuery) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x42 + } if m.AppNamespace != nil { i -= len(*m.AppNamespace) copy(dAtA[i:], *m.AppNamespace) 
@@ -6234,6 +6521,13 @@ func (m *ListAppLinksRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.Project != nil { + i -= len(*m.Project) + copy(dAtA[i:], *m.Project) + i = encodeVarintApplication(dAtA, i, uint64(len(*m.Project))) + i-- + dAtA[i] = 0x22 + } if m.Namespace != nil { i -= len(*m.Namespace) copy(dAtA[i:], *m.Namespace) @@ -6350,6 +6644,10 @@ func (m *RevisionMetadataQuery) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6382,6 +6680,10 @@ func (m *ApplicationResourceEventsQuery) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6406,6 +6708,10 @@ func (m *ApplicationManifestQuery) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6446,6 +6752,10 @@ func (m *ApplicationManifestQueryWithFiles) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6538,6 +6848,10 @@ func (m *ApplicationUpdateRequest) Size() (n int) { if m.Validate != nil { n += 2 } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } 
@@ -6565,6 +6879,10 @@ func (m *ApplicationDeleteRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6643,6 +6961,10 @@ func (m *ApplicationSyncRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6670,6 +6992,10 @@ func (m *ApplicationUpdateSpecRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6698,6 +7024,10 @@ func (m *ApplicationPatchRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6727,6 +7057,10 @@ func (m *ApplicationRollbackRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6767,6 +7101,10 @@ func (m *ApplicationResourceRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } 
@@ -6815,6 +7153,10 @@ func (m *ApplicationResourcePatchRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6861,6 +7203,10 @@ func (m *ApplicationResourceDeleteRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6905,6 +7251,10 @@ func (m *ResourceActionRunRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -7007,6 +7357,10 @@ func (m *ApplicationPodLogsQuery) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 2 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -7058,6 +7412,10 @@ func (m *OperationTerminateRequest) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -7078,6 +7436,10 @@ func (m *ApplicationSyncWindowsQuery) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } 
@@ -7184,6 +7546,10 @@ func (m *ResourcesQuery) Size() (n int) { l = len(*m.AppNamespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -7268,6 +7634,10 @@ func (m *ListAppLinksRequest) Size() (n int) { l = len(*m.Namespace) n += 1 + l + sovApplication(uint64(l)) } + if m.Project != nil { + l = len(*m.Project) + n += 1 + l + sovApplication(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -7841,6 +8211,39 @@ func (m *RevisionMetadataQuery) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
@@ -8065,6 +8468,39 @@ func (m *ApplicationResourceEventsQuery) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 6: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
@@ -8220,26 +8656,59 @@ func (m *ApplicationManifestQuery) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipApplication(dAtA[iNdEx:]) - if err != nil { - return err - } - if (skippy < 0) || (iNdEx+skippy) < 0 { - return ErrInvalidLengthApplication - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) - iNdEx += skippy - } - } - if hasFields[0]&uint64(0x00000001) == 0 { - return github_com_gogo_protobuf_proto.NewRequiredNotSetError("name") - } - + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipApplication(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthApplication + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + if hasFields[0]&uint64(0x00000001) == 0 { + return github_com_gogo_protobuf_proto.NewRequiredNotSetError("name") + } + if iNdEx > l { return io.ErrUnexpectedEOF } 
@@ -8466,6 +8935,39 @@ func (m *ApplicationManifestQueryWithFiles) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) @@ -8888,6 +9390,39 @@ func (m *ApplicationUpdateRequest) Unmarshal(dAtA []byte) error { } b := bool(v != 0) m.Validate = &b + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
@@ -9064,6 +9599,39 @@ func (m *ApplicationDeleteRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) @@ -9552,6 +10120,39 @@ func (m *ApplicationSyncRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 13: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
@@ -9732,6 +10333,39 @@ func (m *ApplicationUpdateSpecRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) @@ -9925,6 +10559,39 @@ func (m *ApplicationPatchRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 6: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
@@ -10116,6 +10783,39 @@ func (m *ApplicationRollbackRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 7: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) @@ -10407,7 +11107,40 @@ func (m *ApplicationResourceRequest) Unmarshal(dAtA []byte) error { return io.ErrUnexpectedEOF } s := string(dAtA[iNdEx:postIndex]) - m.AppNamespace = &s + m.AppNamespace = &s + iNdEx = postIndex + case 8: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s iNdEx = postIndex default: iNdEx = preIndex 
@@ -10776,6 +11509,39 @@ func (m *ApplicationResourcePatchRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 10: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) @@ -11123,6 +11889,39 @@ func (m *ApplicationResourceDeleteRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 10: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
@@ -11456,6 +12255,39 @@ func (m *ResourceActionRunRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 9: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) @@ -12146,6 +12978,39 @@ func (m *ApplicationPodLogsQuery) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 16: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
@@ -12496,6 +13361,39 @@ func (m *OperationTerminateRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) @@ -12618,6 +13516,39 @@ func (m *ApplicationSyncWindowsQuery) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
@@ -13289,6 +14220,39 @@ func (m *ResourcesQuery) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.AppNamespace = &s iNdEx = postIndex + case 8: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) @@ -13773,6 +14737,39 @@ func (m *ListAppLinksRequest) Unmarshal(dAtA []byte) error { s := string(dAtA[iNdEx:postIndex]) m.Namespace = &s iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApplication + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApplication + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthApplication + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := string(dAtA[iNdEx:postIndex]) + m.Project = &s + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipApplication(dAtA[iNdEx:]) 
diff --git a/pkg/apis/application/v1alpha1/applicationset_types.go b/pkg/apis/application/v1alpha1/applicationset_types.go
index 19edd05646209..137e40bdca973 100644
--- a/pkg/apis/application/v1alpha1/applicationset_types.go
+++ b/pkg/apis/application/v1alpha1/applicationset_types.go
@@ -441,6 +441,12 @@ type SCMProviderGeneratorGitlab struct {
 AllBranches bool `json:"allBranches,omitempty" protobuf:"varint,5,opt,name=allBranches"`
 // Skips validating the SCM provider's TLS certificate - useful for self-signed certificates.; default: false
 Insecure bool `json:"insecure,omitempty" protobuf:"varint,6,opt,name=insecure"`
+ // When recursing through subgroups, also include shared Projects (true) or scan only the subgroups under same path (false). Defaults to "true"
+ IncludeSharedProjects *bool `json:"includeSharedProjects,omitempty" protobuf:"varint,7,opt,name=includeSharedProjects"`
+}
+
+func (s *SCMProviderGeneratorGitlab) WillIncludeSharedProjects() bool {
+ return s.IncludeSharedProjects == nil || *s.IncludeSharedProjects
 }
 
 // SCMProviderGeneratorBitbucket defines connection info specific to Bitbucket Cloud (API version 2).
diff --git a/pkg/apis/application/v1alpha1/applicationset_types_test.go b/pkg/apis/application/v1alpha1/applicationset_types_test.go
index 62ff3aac4e95d..1f9dc64b1fdb3 100644
--- a/pkg/apis/application/v1alpha1/applicationset_types_test.go
+++ b/pkg/apis/application/v1alpha1/applicationset_types_test.go
@@ -6,6 +6,7 @@ import (
 
 "github.com/stretchr/testify/assert"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/pointer"
 )
 
 func testAppSetCond(t ApplicationSetConditionType, msg string, lastTransitionTime *metav1.Time, status ApplicationSetConditionStatus, reason string) ApplicationSetCondition {
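Review bot: In the applicationset_types.go hunk, the exported `WillIncludeSharedProjects` has no doc comment, and the nil-means-true rule is stated only on the field; a line such as `// WillIncludeSharedProjects reports whether shared projects are scanned; an unset (nil) field counts as true.` would make the contract explicit. Because the default is true, projects shared into the group by other owners are scanned unless an operator opts out, which presumably preserves earlier behaviour but widens the set of repositories the generator can pick up. The field comment should say so, so that operators who treat the group path as a trust boundary know to set `includeSharedProjects: false`. The method also reads `s.IncludeSharedProjects` without checking `s`, so a nil `*SCMProviderGeneratorGitlab` would panic; the call sites are outside this hunk, so confirm they guard against that.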
@@ -167,3 +168,14 @@ func assertAppSetConditions(t *testing.T, expected []ApplicationSetCondition, ac
 assert.Equal(t, expected[i].Message, actual[i].Message)
 }
 }
+
+func TestSCMProviderGeneratorGitlab_WillIncludeSharedProjects(t *testing.T) {
+ settings := SCMProviderGeneratorGitlab{}
+ assert.True(t, settings.WillIncludeSharedProjects())
+
+ settings.IncludeSharedProjects = pointer.BoolPtr(false)
+ assert.False(t, settings.WillIncludeSharedProjects())
+
+ settings.IncludeSharedProjects = pointer.BoolPtr(true)
+ assert.True(t, settings.WillIncludeSharedProjects())
+}
diff --git a/pkg/apis/application/v1alpha1/generated.pb.go b/pkg/apis/application/v1alpha1/generated.pb.go
index 9e9ffa0023d55..2a07743f75ac3 100644
--- a/pkg/apis/application/v1alpha1/generated.pb.go
+++ b/pkg/apis/application/v1alpha1/generated.pb.go
@@ -4300,668 +4300,672 @@ func init() { } var fileDescriptor_030104ce3b95bcac = []byte{ - // 10576 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x7d, 0x6d, 0x70, 0x25, 0xd9, - 0x75, 0x90, 0xfb, 0x7d, 0x48, 0xef, 0x1d, 0x69, 0x3e, 0x74, 0x67, 0x66, 0x57, 0x3b, 0xde, 0x5d, - 0x4d, 0x7a, 0x2b, 0xeb, 0x35, 0xde, 0x95, 0xb2, 0xe3, 0x5d, 0xb3, 0x64, 0x13, 0x3b, 0x7a, 0xd2, - 0x8c, 0x46, 0x33, 0xd2, 0x48, 0x7b, 0xa5, 0x99, 0xb1, 0xd7, 0x59, 0xaf, 0x5b, 0xfd, 0xae, 0x9e, - 0x7a, 0xd4, 0xaf, 0xfb, 0x6d, 0x77, 0x3f, 0x8d, 0xb4, 0xb1, 0x1d, 0x3b, 0xce, 0x87, 0xc1, 0x9f, - 0xd8, 0x50, 0x71, 0x00, 0x07, 0x27, 0x0e, 0x14, 0x29, 0xd8, 0x22, 0xc0, 0x0f, 0x02, 0x81, 0x4a, - 0x25, 0xf0, 0xc3, 0x94, 0xa1, 0x48, 0x51, 0xa9, 0x38, 0x90, 0x44, 0xd8, 0xa2, 0x28, 0x28, 0xaa, - 0x48, 0x55, 0x80, 0x1f, 0x30, 0x50, 0x40, 0xdd, 0xef, 0xdb, 0xfd, 0xfa, 0x8d, 0x9e, 0xa4, 0xd6, - 0xcc, 0xd8, 0xd9, 0x7f, 0xef, 0xdd, 0x73, 0xfa, 0x9c, 0xd3, 0xb7, 0xef, 0x3d, 0xf7, 0xdc, 0x73, - 0xcf, 0x39, 0x17, 0x16, 0x5a, 0x5e, 0xb2, 0xd1, 0x5d, 0x9b, 0x74, 0xc3, 0xf6, 0x94, 0x13, 0xb5, - 0xc2, 0x4e, 0x14, 0xde, 0x66, 0x3f, 0x9e, 0x73, 0x9b, 0x53, 0x5b, 0x17, 0xa7, 0x3a, 0x9b, 0xad, - 0x29, 0xa7, 0xe3, 0xc5, 0x53, 0x4e, 0xa7, 0xe3, 0x7b, 0xae, 0x93, 0x78, 0x61, 0x30, 0xb5, 0xf5, - 0xbc, 0xe3, 0x77, 0x36, 0x9c, 0xe7, 0xa7, 0x5a, 0x24, 0x20, 0x91, 0x93, 0x90, 0xe6, 0x64, 0x27, - 0x0a, 0x93, 0x10, 0xfd, 0x88, 0xa6, 0x36, 0x29, 0xa9, 0xb1, 0x1f, 0xaf, 0xbb, 0xcd, 0xc9, 0xad, - 0x8b, 0x93, 0x9d, 0xcd, 0xd6, 0x24, 0xa5, 0x36, 0x69, 0x50, 0x9b, 0x94, 0xd4, 0xce, 0x3f, 0x67, - 0xc8, 0xd2, 0x0a, 0x5b, 0xe1, 0x14, 0x23, 0xba, 0xd6, 0x5d, 0x67, 0xff, 0xd8, 0x1f, 0xf6, 0x8b, - 0x33, 0x3b, 0x6f, 0x6f, 0xbe, 0x14, 0x4f, 0x7a, 0x21, 0x15, 0x6f, 0xca, 0x0d, 0x23, 0x32, 0xb5, - 0xd5, 0x23, 0xd0, 0xf9, 0x2b, 0x1a, 0x87, 0x6c, 0x27, 0x24, 0x88, 0xbd, 0x30, 0x88, 0x9f, 0xa3, - 0x22, 0x90, 0x68, 0x8b, 0x44, 0xe6, 0xeb, 0x19, 0x08, 0x79, 0x94, 0x5e, 0xd0, 0x94, 0xda, 0x8e, 
- 0xbb, 0xe1, 0x05, 0x24, 0xda, 0xd1, 0x8f, 0xb7, 0x49, 0xe2, 0xe4, 0x3d, 0x35, 0xd5, 0xef, 0xa9, - 0xa8, 0x1b, 0x24, 0x5e, 0x9b, 0xf4, 0x3c, 0xf0, 0xbe, 0xfd, 0x1e, 0x88, 0xdd, 0x0d, 0xd2, 0x76, - 0x7a, 0x9e, 0x7b, 0x6f, 0xbf, 0xe7, 0xba, 0x89, 0xe7, 0x4f, 0x79, 0x41, 0x12, 0x27, 0x51, 0xf6, - 0x21, 0xfb, 0x0d, 0x38, 0x31, 0x7d, 0x6b, 0x65, 0xba, 0x9b, 0x6c, 0xcc, 0x84, 0xc1, 0xba, 0xd7, - 0x42, 0x2f, 0xc2, 0x88, 0xeb, 0x77, 0xe3, 0x84, 0x44, 0xd7, 0x9d, 0x36, 0x19, 0xb7, 0x2e, 0x58, - 0xcf, 0xd4, 0x1b, 0x67, 0xbe, 0xb9, 0x3b, 0xf1, 0x8e, 0xbd, 0xdd, 0x89, 0x91, 0x19, 0x0d, 0xc2, - 0x26, 0x1e, 0x7a, 0x37, 0x0c, 0x47, 0xa1, 0x4f, 0xa6, 0xf1, 0xf5, 0xf1, 0x12, 0x7b, 0xe4, 0x94, - 0x78, 0x64, 0x18, 0xf3, 0x66, 0x2c, 0xe1, 0xf6, 0xef, 0x95, 0x00, 0xa6, 0x3b, 0x9d, 0xe5, 0x28, - 0xbc, 0x4d, 0xdc, 0x04, 0x7d, 0x14, 0x6a, 0xb4, 0xeb, 0x9a, 0x4e, 0xe2, 0x30, 0x6e, 0x23, 0x17, - 0x7f, 0x68, 0x92, 0xbf, 0xc9, 0xa4, 0xf9, 0x26, 0x7a, 0xe0, 0x50, 0xec, 0xc9, 0xad, 0xe7, 0x27, - 0x97, 0xd6, 0xe8, 0xf3, 0x8b, 0x24, 0x71, 0x1a, 0x48, 0x30, 0x03, 0xdd, 0x86, 0x15, 0x55, 0x14, - 0x40, 0x25, 0xee, 0x10, 0x97, 0x09, 0x36, 0x72, 0x71, 0x61, 0xf2, 0x28, 0x23, 0x74, 0x52, 0x4b, - 0xbe, 0xd2, 0x21, 0x6e, 0x63, 0x54, 0x70, 0xae, 0xd0, 0x7f, 0x98, 0xf1, 0x41, 0x5b, 0x30, 0x14, - 0x27, 0x4e, 0xd2, 0x8d, 0xc7, 0xcb, 0x8c, 0xe3, 0xf5, 0xc2, 0x38, 0x32, 0xaa, 0x8d, 0x93, 0x82, - 0xe7, 0x10, 0xff, 0x8f, 0x05, 0x37, 0xfb, 0x8f, 0x2c, 0x38, 0xa9, 0x91, 0x17, 0xbc, 0x38, 0x41, - 0x3f, 0xde, 0xd3, 0xb9, 0x93, 0x83, 0x75, 0x2e, 0x7d, 0x9a, 0x75, 0xed, 0x69, 0xc1, 0xac, 0x26, - 0x5b, 0x8c, 0x8e, 0x6d, 0x43, 0xd5, 0x4b, 0x48, 0x3b, 0x1e, 0x2f, 0x5d, 0x28, 0x3f, 0x33, 0x72, - 0xf1, 0x4a, 0x51, 0xef, 0xd9, 0x38, 0x21, 0x98, 0x56, 0xe7, 0x29, 0x79, 0xcc, 0xb9, 0xd8, 0xbf, - 0x3a, 0x6a, 0xbe, 0x1f, 0xed, 0x70, 0xf4, 0x3c, 0x8c, 0xc4, 0x61, 0x37, 0x72, 0x09, 0x26, 0x9d, - 0x30, 0x1e, 0xb7, 0x2e, 0x94, 0xe9, 0xd0, 0xa3, 0x23, 0x75, 0x45, 0x37, 0x63, 0x13, 0x07, 0x7d, - 0xc1, 0x82, 0xd1, 0x26, 0x89, 0x13, 
0x2f, 0x60, 0xfc, 0xa5, 0xf0, 0xab, 0x47, 0x16, 0x5e, 0x36, - 0xce, 0x6a, 0xe2, 0x8d, 0xb3, 0xe2, 0x45, 0x46, 0x8d, 0xc6, 0x18, 0xa7, 0xf8, 0xd3, 0x19, 0xd7, - 0x24, 0xb1, 0x1b, 0x79, 0x1d, 0xfa, 0x9f, 0x8d, 0x19, 0x63, 0xc6, 0xcd, 0x6a, 0x10, 0x36, 0xf1, - 0x50, 0x00, 0x55, 0x3a, 0xa3, 0xe2, 0xf1, 0x0a, 0x93, 0x7f, 0xfe, 0x68, 0xf2, 0x8b, 0x4e, 0xa5, - 0x93, 0x55, 0xf7, 0x3e, 0xfd, 0x17, 0x63, 0xce, 0x06, 0x7d, 0xde, 0x82, 0x71, 0x31, 0xe3, 0x31, - 0xe1, 0x1d, 0x7a, 0x6b, 0xc3, 0x4b, 0x88, 0xef, 0xc5, 0xc9, 0x78, 0x95, 0xc9, 0x30, 0x35, 0xd8, - 0xd8, 0x9a, 0x8b, 0xc2, 0x6e, 0xe7, 0x9a, 0x17, 0x34, 0x1b, 0x17, 0x04, 0xa7, 0xf1, 0x99, 0x3e, - 0x84, 0x71, 0x5f, 0x96, 0xe8, 0x2b, 0x16, 0x9c, 0x0f, 0x9c, 0x36, 0x89, 0x3b, 0x0e, 0xfd, 0xb4, - 0x1c, 0xdc, 0xf0, 0x1d, 0x77, 0x93, 0x49, 0x34, 0x74, 0x38, 0x89, 0x6c, 0x21, 0xd1, 0xf9, 0xeb, - 0x7d, 0x49, 0xe3, 0x7b, 0xb0, 0x45, 0xdf, 0xb0, 0x60, 0x2c, 0x8c, 0x3a, 0x1b, 0x4e, 0x40, 0x9a, - 0x12, 0x1a, 0x8f, 0x0f, 0xb3, 0xa9, 0xf7, 0x91, 0xa3, 0x7d, 0xa2, 0xa5, 0x2c, 0xd9, 0xc5, 0x30, - 0xf0, 0x92, 0x30, 0x5a, 0x21, 0x49, 0xe2, 0x05, 0xad, 0xb8, 0x71, 0x6e, 0x6f, 0x77, 0x62, 0xac, - 0x07, 0x0b, 0xf7, 0xca, 0x83, 0x7e, 0x02, 0x46, 0xe2, 0x9d, 0xc0, 0xbd, 0xe5, 0x05, 0xcd, 0xf0, - 0x4e, 0x3c, 0x5e, 0x2b, 0x62, 0xfa, 0xae, 0x28, 0x82, 0x62, 0x02, 0x6a, 0x06, 0xd8, 0xe4, 0x96, - 0xff, 0xe1, 0xf4, 0x50, 0xaa, 0x17, 0xfd, 0xe1, 0xf4, 0x60, 0xba, 0x07, 0x5b, 0xf4, 0x73, 0x16, - 0x9c, 0x88, 0xbd, 0x56, 0xe0, 0x24, 0xdd, 0x88, 0x5c, 0x23, 0x3b, 0xf1, 0x38, 0x30, 0x41, 0xae, - 0x1e, 0xb1, 0x57, 0x0c, 0x92, 0x8d, 0x73, 0x42, 0xc6, 0x13, 0x66, 0x6b, 0x8c, 0xd3, 0x7c, 0xf3, - 0x26, 0x9a, 0x1e, 0xd6, 0x23, 0xc5, 0x4e, 0x34, 0x3d, 0xa8, 0xfb, 0xb2, 0x44, 0x3f, 0x06, 0xa7, - 0x79, 0x93, 0xea, 0xd9, 0x78, 0x7c, 0x94, 0x29, 0xda, 0xb3, 0x7b, 0xbb, 0x13, 0xa7, 0x57, 0x32, - 0x30, 0xdc, 0x83, 0x8d, 0xde, 0x80, 0x89, 0x0e, 0x89, 0xda, 0x5e, 0xb2, 0x14, 0xf8, 0x3b, 0x52, - 0x7d, 0xbb, 0x61, 0x87, 0x34, 0x85, 0x38, 0xf1, 0xf8, 0x89, 0x0b, 0xd6, 
0x33, 0xb5, 0xc6, 0xbb, - 0x84, 0x98, 0x13, 0xcb, 0xf7, 0x46, 0xc7, 0xfb, 0xd1, 0xb3, 0xff, 0x45, 0x09, 0x4e, 0x67, 0x17, - 0x4e, 0xf4, 0x37, 0x2d, 0x38, 0x75, 0xfb, 0x4e, 0xb2, 0x1a, 0x6e, 0x92, 0x20, 0x6e, 0xec, 0x50, - 0xf5, 0xc6, 0x96, 0x8c, 0x91, 0x8b, 0x6e, 0xb1, 0x4b, 0xf4, 0xe4, 0xd5, 0x34, 0x97, 0x4b, 0x41, - 0x12, 0xed, 0x34, 0x1e, 0x15, 0x6f, 0x77, 0xea, 0xea, 0xad, 0x55, 0x13, 0x8a, 0xb3, 0x42, 0x9d, - 0xff, 0xac, 0x05, 0x67, 0xf3, 0x48, 0xa0, 0xd3, 0x50, 0xde, 0x24, 0x3b, 0xdc, 0x2a, 0xc3, 0xf4, - 0x27, 0x7a, 0x0d, 0xaa, 0x5b, 0x8e, 0xdf, 0x25, 0xc2, 0xba, 0x99, 0x3b, 0xda, 0x8b, 0x28, 0xc9, - 0x30, 0xa7, 0xfa, 0xc3, 0xa5, 0x97, 0x2c, 0xfb, 0x5f, 0x97, 0x61, 0xc4, 0x58, 0xdf, 0xee, 0x83, - 0xc5, 0x16, 0xa6, 0x2c, 0xb6, 0xc5, 0xc2, 0x96, 0xe6, 0xbe, 0x26, 0xdb, 0x9d, 0x8c, 0xc9, 0xb6, - 0x54, 0x1c, 0xcb, 0x7b, 0xda, 0x6c, 0x28, 0x81, 0x7a, 0xd8, 0xa1, 0x16, 0x39, 0x5d, 0xfa, 0x2b, - 0x45, 0x7c, 0xc2, 0x25, 0x49, 0xae, 0x71, 0x62, 0x6f, 0x77, 0xa2, 0xae, 0xfe, 0x62, 0xcd, 0xc8, - 0xfe, 0xb6, 0x05, 0x67, 0x0d, 0x19, 0x67, 0xc2, 0xa0, 0xe9, 0xb1, 0x4f, 0x7b, 0x01, 0x2a, 0xc9, - 0x4e, 0x47, 0x9a, 0xfd, 0xaa, 0xa7, 0x56, 0x77, 0x3a, 0x04, 0x33, 0x08, 0x35, 0xf4, 0xdb, 0x24, - 0x8e, 0x9d, 0x16, 0xc9, 0x1a, 0xfa, 0x8b, 0xbc, 0x19, 0x4b, 0x38, 0x8a, 0x00, 0xf9, 0x4e, 0x9c, - 0xac, 0x46, 0x4e, 0x10, 0x33, 0xf2, 0xab, 0x5e, 0x9b, 0x88, 0x0e, 0xfe, 0x33, 0x83, 0x8d, 0x18, - 0xfa, 0x44, 0xe3, 0x91, 0xbd, 0xdd, 0x09, 0xb4, 0xd0, 0x43, 0x09, 0xe7, 0x50, 0xb7, 0xbf, 0x62, - 0xc1, 0x23, 0xf9, 0xb6, 0x18, 0x7a, 0x1a, 0x86, 0xf8, 0x96, 0x4f, 0xbc, 0x9d, 0xfe, 0x24, 0xac, - 0x15, 0x0b, 0x28, 0x9a, 0x82, 0xba, 0x5a, 0x27, 0xc4, 0x3b, 0x8e, 0x09, 0xd4, 0xba, 0x5e, 0x5c, - 0x34, 0x0e, 0xed, 0x34, 0xfa, 0x47, 0x58, 0x6e, 0xaa, 0xd3, 0xd8, 0x26, 0x89, 0x41, 0xec, 0x7f, - 0x6f, 0xc1, 0x29, 0x43, 0xaa, 0xfb, 0x60, 0x9a, 0x07, 0x69, 0xd3, 0x7c, 0xbe, 0xb0, 0xf1, 0xdc, - 0xc7, 0x36, 0xff, 0xbc, 0x05, 0xe7, 0x0d, 0xac, 0x45, 0x27, 0x71, 0x37, 0x2e, 0x6d, 0x77, 0x22, - 0x12, 0xd3, 
0xed, 0x34, 0x7a, 0xc2, 0xd0, 0x5b, 0x8d, 0x11, 0x41, 0xa1, 0x7c, 0x8d, 0xec, 0x70, - 0x25, 0xf6, 0x2c, 0xd4, 0xf8, 0xe0, 0x0c, 0x23, 0xd1, 0xe3, 0xea, 0xdd, 0x96, 0x44, 0x3b, 0x56, - 0x18, 0xc8, 0x86, 0x21, 0xa6, 0x9c, 0xe8, 0x64, 0xa5, 0xcb, 0x10, 0xd0, 0x8f, 0x78, 0x93, 0xb5, - 0x60, 0x01, 0xb1, 0x97, 0x52, 0xe2, 0x2c, 0x47, 0x84, 0x7d, 0xdc, 0xe6, 0x65, 0x8f, 0xf8, 0xcd, - 0x98, 0x6e, 0x1b, 0x9c, 0x20, 0x08, 0x13, 0xb1, 0x03, 0x30, 0xb6, 0x0d, 0xd3, 0xba, 0x19, 0x9b, - 0x38, 0xf6, 0x5e, 0x89, 0x6d, 0x3e, 0xd4, 0xb4, 0x26, 0xf7, 0x63, 0xe7, 0x1a, 0xa5, 0xf4, 0xe0, - 0x72, 0x71, 0x4a, 0x89, 0xf4, 0xdf, 0xbd, 0xbe, 0x99, 0x51, 0x85, 0xb8, 0x50, 0xae, 0xf7, 0xde, - 0xc1, 0xfe, 0x56, 0x09, 0x26, 0xd2, 0x0f, 0xf4, 0x68, 0x52, 0xba, 0x5d, 0x32, 0x18, 0x65, 0x1d, - 0x14, 0x06, 0x3e, 0x36, 0xf1, 0xfa, 0x28, 0xa3, 0xd2, 0x71, 0x2a, 0x23, 0x53, 0x57, 0x96, 0xf7, - 0xd1, 0x95, 0x4f, 0xab, 0x5e, 0xaf, 0x64, 0x94, 0x53, 0x7a, 0xbd, 0xb8, 0x00, 0x95, 0x38, 0x21, - 0x9d, 0xf1, 0x6a, 0x5a, 0xd7, 0xac, 0x24, 0xa4, 0x83, 0x19, 0xc4, 0xfe, 0x2f, 0x25, 0x78, 0x34, - 0xdd, 0x87, 0x5a, 0xbd, 0x7f, 0x20, 0xa5, 0xde, 0xdf, 0x63, 0xaa, 0xf7, 0xbb, 0xbb, 0x13, 0xef, - 0xec, 0xf3, 0xd8, 0xf7, 0x8c, 0xf6, 0x47, 0x73, 0x99, 0x5e, 0x9c, 0x4a, 0xf7, 0xe2, 0xdd, 0xdd, - 0x89, 0x27, 0xfa, 0xbc, 0x63, 0xa6, 0x9b, 0x9f, 0x86, 0xa1, 0x88, 0x38, 0x71, 0x18, 0x88, 0x8e, - 0x56, 0x9f, 0x03, 0xb3, 0x56, 0x2c, 0xa0, 0xf6, 0xbf, 0xa9, 0x67, 0x3b, 0x7b, 0x8e, 0x3b, 0xd8, - 0xc2, 0x08, 0x79, 0x50, 0x61, 0x26, 0x3b, 0x57, 0x0d, 0xd7, 0x8e, 0x36, 0x8d, 0xa8, 0x8a, 0x57, - 0xa4, 0x1b, 0x35, 0xfa, 0xd5, 0x68, 0x13, 0x66, 0x2c, 0xd0, 0x36, 0xd4, 0x5c, 0x69, 0x49, 0x97, - 0x8a, 0xf0, 0x39, 0x09, 0x3b, 0x5a, 0x73, 0x1c, 0xa5, 0xba, 0x58, 0x99, 0xdf, 0x8a, 0x1b, 0x22, - 0x50, 0x6e, 0x79, 0x89, 0xf8, 0xac, 0x47, 0xdc, 0x2b, 0xcd, 0x79, 0xc6, 0x2b, 0x0e, 0xd3, 0x05, - 0x62, 0xce, 0x4b, 0x30, 0xa5, 0x8f, 0x7e, 0xc6, 0x82, 0x91, 0xd8, 0x6d, 0x2f, 0x47, 0xe1, 0x96, - 0xd7, 0x24, 0x91, 0xb0, 0x94, 0x8e, 0xa8, 0x9a, 
0x56, 0x66, 0x16, 0x25, 0x41, 0xcd, 0x97, 0xef, - 0x5d, 0x35, 0x04, 0x9b, 0x7c, 0xe9, 0x0e, 0xe2, 0x51, 0xf1, 0xee, 0xb3, 0xc4, 0xf5, 0xe8, 0xda, - 0x26, 0x37, 0x4c, 0x6c, 0xa4, 0x1c, 0xd9, 0x72, 0x9c, 0xed, 0xba, 0x9b, 0x74, 0xbe, 0x69, 0x81, - 0xde, 0xb9, 0xb7, 0x3b, 0xf1, 0xe8, 0x4c, 0x3e, 0x4f, 0xdc, 0x4f, 0x18, 0xd6, 0x61, 0x9d, 0xae, - 0xef, 0x63, 0xf2, 0x46, 0x97, 0x30, 0x77, 0x48, 0x01, 0x1d, 0xb6, 0xac, 0x09, 0x66, 0x3a, 0xcc, - 0x80, 0x60, 0x93, 0x2f, 0x7a, 0x03, 0x86, 0xda, 0x4e, 0x12, 0x79, 0xdb, 0xc2, 0x07, 0x72, 0x44, - 0x5b, 0x7e, 0x91, 0xd1, 0xd2, 0xcc, 0xd9, 0xd2, 0xcf, 0x1b, 0xb1, 0x60, 0x84, 0xda, 0x50, 0x6d, - 0x93, 0xa8, 0x45, 0xc6, 0x6b, 0x45, 0xf8, 0x7b, 0x17, 0x29, 0x29, 0xcd, 0xb0, 0x4e, 0x2d, 0x1f, - 0xd6, 0x86, 0x39, 0x17, 0xf4, 0x1a, 0xd4, 0x62, 0xe2, 0x13, 0x97, 0xda, 0x2e, 0x75, 0xc6, 0xf1, - 0xbd, 0x03, 0xda, 0x71, 0xce, 0x1a, 0xf1, 0x57, 0xc4, 0xa3, 0x7c, 0x82, 0xc9, 0x7f, 0x58, 0x91, - 0xa4, 0x1d, 0xd8, 0xf1, 0xbb, 0x2d, 0x2f, 0x18, 0x87, 0x22, 0x3a, 0x70, 0x99, 0xd1, 0xca, 0x74, - 0x20, 0x6f, 0xc4, 0x82, 0x91, 0xfd, 0x1f, 0x2d, 0x40, 0x69, 0xa5, 0x76, 0x1f, 0x0c, 0xd6, 0x37, - 0xd2, 0x06, 0xeb, 0x42, 0x91, 0x56, 0x47, 0x1f, 0x9b, 0xf5, 0x37, 0xea, 0x90, 0x59, 0x0e, 0xae, - 0x93, 0x38, 0x21, 0xcd, 0xb7, 0x55, 0xf8, 0xdb, 0x2a, 0xfc, 0x6d, 0x15, 0xae, 0x54, 0xf8, 0x5a, - 0x46, 0x85, 0xbf, 0xdf, 0x98, 0xf5, 0xfa, 0xc0, 0xf4, 0x75, 0x75, 0xa2, 0x6a, 0x4a, 0x60, 0x20, - 0x50, 0x4d, 0x70, 0x75, 0x65, 0xe9, 0x7a, 0xae, 0xce, 0x7e, 0x3d, 0xad, 0xb3, 0x8f, 0xca, 0xe2, - 0x4f, 0x83, 0x96, 0xfe, 0xab, 0x25, 0x78, 0x2c, 0xad, 0xbd, 0x70, 0xe8, 0xfb, 0x61, 0x37, 0xa1, - 0x7b, 0x01, 0xf4, 0x8b, 0x16, 0x9c, 0x6e, 0xa7, 0x37, 0xe1, 0xb1, 0xf0, 0x75, 0x7e, 0xb0, 0x30, - 0xd5, 0x9a, 0xd9, 0xe5, 0x37, 0xc6, 0x85, 0x9a, 0x3d, 0x9d, 0x01, 0xc4, 0xb8, 0x47, 0x16, 0xf4, - 0x1a, 0xd4, 0xdb, 0xce, 0xf6, 0x8d, 0x4e, 0xd3, 0x49, 0xe4, 0x36, 0xac, 0xff, 0xee, 0xb9, 0x9b, - 0x78, 0xfe, 0x24, 0x3f, 0xc1, 0x9e, 0x9c, 0x0f, 0x92, 0xa5, 0x68, 0x25, 0x89, 0xbc, 
0xa0, 0xc5, - 0x3d, 0x5c, 0x8b, 0x92, 0x0c, 0xd6, 0x14, 0xed, 0xaf, 0x59, 0x59, 0xdd, 0xae, 0x7a, 0x27, 0x72, - 0x12, 0xd2, 0xda, 0x41, 0x1f, 0x83, 0x2a, 0xdd, 0x2f, 0xc9, 0x5e, 0xb9, 0x55, 0xe4, 0x82, 0x63, - 0x7c, 0x09, 0xbd, 0xf6, 0xd0, 0x7f, 0x31, 0xe6, 0x4c, 0xed, 0xaf, 0x0c, 0x67, 0xd7, 0x58, 0x76, - 0x9e, 0x79, 0x11, 0xa0, 0x15, 0xae, 0x92, 0x76, 0xc7, 0xa7, 0xdd, 0x62, 0x31, 0xa7, 0xb8, 0x72, - 0x11, 0xcc, 0x29, 0x08, 0x36, 0xb0, 0xd0, 0x9f, 0xb7, 0x00, 0x5a, 0x72, 0xa8, 0xc8, 0xf5, 0xf3, - 0x46, 0x91, 0xaf, 0xa3, 0x07, 0xa2, 0x96, 0x45, 0x31, 0xc4, 0x06, 0x73, 0xf4, 0x53, 0x16, 0xd4, - 0x12, 0x29, 0x3e, 0x5f, 0x51, 0x56, 0x8b, 0x94, 0x44, 0xbe, 0xb4, 0x36, 0x25, 0x54, 0x97, 0x28, - 0xbe, 0xe8, 0x67, 0x2d, 0x80, 0x78, 0x27, 0x70, 0x97, 0x43, 0xdf, 0x73, 0x77, 0xc4, 0x42, 0x73, - 0xb3, 0x50, 0x37, 0x86, 0xa2, 0xde, 0x38, 0x49, 0x7b, 0x43, 0xff, 0xc7, 0x06, 0x67, 0xf4, 0x09, - 0xa8, 0xc5, 0x62, 0xb8, 0x89, 0xa5, 0x65, 0xb5, 0x58, 0x67, 0x0a, 0xa7, 0x2d, 0xb4, 0x92, 0xf8, - 0x87, 0x15, 0x4f, 0xf4, 0xf3, 0x16, 0x9c, 0xea, 0xa4, 0x5d, 0x5f, 0x62, 0x15, 0x29, 0x4e, 0x07, - 0x64, 0x5c, 0x6b, 0x8d, 0x33, 0x7b, 0xbb, 0x13, 0xa7, 0x32, 0x8d, 0x38, 0x2b, 0x05, 0x9a, 0x81, - 0x31, 0x3d, 0x82, 0x97, 0x3a, 0xdc, 0x0d, 0x37, 0xcc, 0xdc, 0x70, 0xec, 0x14, 0x73, 0x2e, 0x0b, - 0xc4, 0xbd, 0xf8, 0x68, 0x19, 0xce, 0x52, 0xe9, 0x76, 0xb8, 0xd5, 0x26, 0xb5, 0x72, 0xcc, 0xd6, - 0x90, 0x5a, 0xe3, 0x71, 0x31, 0x42, 0x98, 0xa3, 0x3b, 0x8b, 0x83, 0x73, 0x9f, 0xb4, 0xbf, 0x55, - 0x4a, 0xf9, 0xc5, 0x95, 0xc3, 0x8a, 0xcd, 0x31, 0x57, 0xfa, 0x0a, 0xa4, 0xca, 0x28, 0x74, 0x8e, - 0x29, 0x4f, 0x84, 0x9e, 0x63, 0xaa, 0x29, 0xc6, 0x06, 0x73, 0x6a, 0xc0, 0x8c, 0x39, 0x59, 0xb7, - 0x98, 0x98, 0xf6, 0xaf, 0x15, 0x29, 0x52, 0xef, 0x29, 0xc6, 0x63, 0x42, 0xb4, 0xb1, 0x1e, 0x10, - 0xee, 0x15, 0xc9, 0xfe, 0x56, 0xda, 0x17, 0x6f, 0x8c, 0xd8, 0x01, 0xce, 0x19, 0xbe, 0x60, 0xc1, - 0x48, 0x14, 0xfa, 0xbe, 0x17, 0xb4, 0xe8, 0xec, 0x12, 0x4b, 0xc4, 0x87, 0x8f, 0x45, 0x4b, 0x8b, - 0x69, 0xc4, 0xcc, 0x20, 
0xac, 0x79, 0x62, 0x53, 0x00, 0xfb, 0x8f, 0x2c, 0x18, 0xef, 0xa7, 0x05, - 0x10, 0x81, 0x77, 0xca, 0x21, 0xae, 0x4e, 0xd9, 0x97, 0x82, 0x59, 0xe2, 0x13, 0xe5, 0xa4, 0xac, - 0x35, 0x9e, 0x12, 0xaf, 0xf9, 0xce, 0xe5, 0xfe, 0xa8, 0xf8, 0x5e, 0x74, 0xd0, 0xab, 0x70, 0xda, - 0x78, 0xaf, 0x58, 0x75, 0x4c, 0xbd, 0x31, 0x49, 0x97, 0xdd, 0xe9, 0x0c, 0xec, 0xee, 0xee, 0xc4, - 0x23, 0xd9, 0x36, 0xa1, 0xa6, 0x7a, 0xe8, 0xd8, 0xbf, 0x52, 0xca, 0x7e, 0x2d, 0xb5, 0xc2, 0x7c, - 0xd5, 0xea, 0xd9, 0xfa, 0x7d, 0xf0, 0x38, 0xb4, 0x3a, 0xdb, 0x24, 0xaa, 0x83, 0xfc, 0xfe, 0x38, - 0x0f, 0xf0, 0xa4, 0xd0, 0xfe, 0x97, 0x15, 0xb8, 0x87, 0x64, 0xea, 0x2c, 0xc8, 0xea, 0x77, 0x16, - 0x74, 0xf0, 0xe3, 0xa5, 0xcf, 0x59, 0x30, 0xe4, 0x53, 0x2b, 0x94, 0x9f, 0x77, 0x8c, 0x5c, 0x6c, - 0x1e, 0x57, 0xdf, 0x73, 0x63, 0x37, 0xe6, 0xa7, 0xd5, 0xca, 0xe5, 0xc9, 0x1b, 0xb1, 0x90, 0x01, - 0x7d, 0xdd, 0x4a, 0x1f, 0x9e, 0xf0, 0xf0, 0x23, 0xef, 0xd8, 0x64, 0x32, 0x4e, 0x64, 0xb8, 0x60, - 0xda, 0xd7, 0xdf, 0xe7, 0xac, 0x06, 0x4d, 0x02, 0xac, 0x7b, 0x81, 0xe3, 0x7b, 0x6f, 0xd2, 0xdd, - 0x74, 0x95, 0x2d, 0x2b, 0x6c, 0x9d, 0xbe, 0xac, 0x5a, 0xb1, 0x81, 0x71, 0xfe, 0xcf, 0xc1, 0x88, - 0xf1, 0xe6, 0x39, 0x87, 0xec, 0x67, 0xcd, 0x43, 0xf6, 0xba, 0x71, 0x36, 0x7e, 0xfe, 0xfd, 0x70, - 0x3a, 0x2b, 0xe0, 0x41, 0x9e, 0xb7, 0xff, 0xe7, 0x70, 0xf6, 0xc4, 0x63, 0x95, 0x44, 0x6d, 0x2a, - 0xda, 0xdb, 0x5e, 0x88, 0xb7, 0xbd, 0x10, 0x6f, 0x7b, 0x21, 0x4c, 0x47, 0xb2, 0xd8, 0x61, 0x0f, - 0xdf, 0xa7, 0x1d, 0x76, 0xca, 0x67, 0x50, 0x2b, 0xdc, 0x67, 0x60, 0xef, 0x55, 0x21, 0x65, 0x47, - 0xf1, 0xfe, 0x7e, 0x37, 0x0c, 0x47, 0xa4, 0x13, 0xde, 0xc0, 0x0b, 0x62, 0x0d, 0xd1, 0x81, 0xd4, - 0xbc, 0x19, 0x4b, 0x38, 0x5d, 0x6b, 0x3a, 0x4e, 0xb2, 0x21, 0x16, 0x11, 0xb5, 0xd6, 0x2c, 0x3b, - 0xc9, 0x06, 0x66, 0x10, 0xf4, 0x7e, 0x38, 0x99, 0x38, 0x51, 0x8b, 0x24, 0x98, 0x6c, 0xb1, 0xcf, - 0x2a, 0xce, 0xc5, 0x1e, 0x11, 0xb8, 0x27, 0x57, 0x53, 0x50, 0x9c, 0xc1, 0x46, 0x6f, 0x40, 0x65, - 0x83, 0xf8, 0x6d, 0xd1, 0xe5, 0x2b, 0xc5, 0xe9, 0x78, 0xf6, 
0xae, 0x57, 0x88, 0xdf, 0xe6, 0x1a, - 0x88, 0xfe, 0xc2, 0x8c, 0x15, 0x1d, 0x6f, 0xf5, 0xcd, 0x6e, 0x9c, 0x84, 0x6d, 0xef, 0x4d, 0xe9, - 0x0e, 0xfa, 0x60, 0xc1, 0x8c, 0xaf, 0x49, 0xfa, 0xdc, 0x81, 0xa0, 0xfe, 0x62, 0xcd, 0x99, 0xc9, - 0xd1, 0xf4, 0x22, 0xf6, 0xa9, 0x76, 0x84, 0x57, 0xa7, 0x68, 0x39, 0x66, 0x25, 0x7d, 0x2e, 0x87, - 0xfa, 0x8b, 0x35, 0x67, 0xb4, 0xa3, 0xc6, 0xfd, 0x08, 0x93, 0xe1, 0x46, 0xc1, 0x32, 0xf0, 0x31, - 0x9f, 0x3b, 0xfe, 0x9f, 0x82, 0xaa, 0xbb, 0xe1, 0x44, 0xc9, 0xf8, 0x28, 0x1b, 0x34, 0xca, 0x91, - 0x31, 0x43, 0x1b, 0x31, 0x87, 0xa1, 0x27, 0xa0, 0x1c, 0x91, 0x75, 0x16, 0xbf, 0x67, 0x44, 0x76, - 0x60, 0xb2, 0x8e, 0x69, 0xbb, 0xfd, 0x4b, 0xa5, 0xb4, 0xb9, 0x94, 0x7e, 0x6f, 0x3e, 0xda, 0xdd, - 0x6e, 0x14, 0x4b, 0x67, 0x87, 0x31, 0xda, 0x59, 0x33, 0x96, 0x70, 0xf4, 0x29, 0x0b, 0x86, 0x6f, - 0xc7, 0x61, 0x10, 0x90, 0x44, 0x2c, 0x4d, 0x37, 0x0b, 0xee, 0x8a, 0xab, 0x9c, 0xba, 0x96, 0x41, - 0x34, 0x60, 0xc9, 0x97, 0x8a, 0x4b, 0xb6, 0x5d, 0xbf, 0xdb, 0xec, 0x39, 0xd0, 0xbf, 0xc4, 0x9b, - 0xb1, 0x84, 0x53, 0x54, 0x2f, 0xe0, 0xa8, 0x95, 0x34, 0xea, 0x7c, 0x20, 0x50, 0x05, 0xdc, 0xfe, - 0xcb, 0x43, 0x70, 0x2e, 0x77, 0x72, 0x50, 0x43, 0x86, 0x99, 0x0a, 0x97, 0x3d, 0x9f, 0xc8, 0x30, - 0x15, 0x66, 0xc8, 0xdc, 0x54, 0xad, 0xd8, 0xc0, 0x40, 0x3f, 0x09, 0xd0, 0x71, 0x22, 0xa7, 0x4d, - 0xc4, 0x02, 0x5e, 0x3e, 0xba, 0xbd, 0x40, 0xe5, 0x58, 0x96, 0x34, 0xf5, 0xde, 0x54, 0x35, 0xc5, - 0xd8, 0x60, 0x89, 0x5e, 0x84, 0x91, 0x88, 0xf8, 0xc4, 0x89, 0x59, 0xf8, 0x67, 0x36, 0x96, 0x1d, - 0x6b, 0x10, 0x36, 0xf1, 0xd0, 0xd3, 0x2a, 0xa2, 0x27, 0x13, 0xfd, 0x90, 0x8e, 0xea, 0x41, 0x5f, - 0xb4, 0xe0, 0xe4, 0xba, 0xe7, 0x13, 0xcd, 0x5d, 0x44, 0x9e, 0x2f, 0x1d, 0xfd, 0x25, 0x2f, 0x9b, - 0x74, 0xb5, 0x86, 0x4c, 0x35, 0xc7, 0x38, 0xc3, 0x9e, 0x7e, 0xe6, 0x2d, 0x12, 0x31, 0xd5, 0x3a, - 0x94, 0xfe, 0xcc, 0x37, 0x79, 0x33, 0x96, 0x70, 0x34, 0x0d, 0xa7, 0x3a, 0x4e, 0x1c, 0xcf, 0x44, - 0xa4, 0x49, 0x82, 0xc4, 0x73, 0x7c, 0x1e, 0x17, 0x5e, 0xd3, 0x71, 0xa1, 0xcb, 0x69, 0x30, 0xce, - 
0xe2, 0xa3, 0x0f, 0xc1, 0xa3, 0x5e, 0x2b, 0x08, 0x23, 0xb2, 0xe8, 0xc5, 0xb1, 0x17, 0xb4, 0xf4, - 0x30, 0x10, 0x4e, 0x8f, 0x09, 0x41, 0xea, 0xd1, 0xf9, 0x7c, 0x34, 0xdc, 0xef, 0x79, 0xf4, 0x2c, - 0xd4, 0xe2, 0x4d, 0xaf, 0x33, 0x13, 0x35, 0x63, 0xe6, 0x20, 0xaf, 0x69, 0x17, 0xdb, 0x8a, 0x68, - 0xc7, 0x0a, 0x03, 0xb9, 0x30, 0xca, 0x3f, 0x09, 0x0f, 0x5b, 0x12, 0xfa, 0xf1, 0xb9, 0xbe, 0xcb, - 0xa3, 0x48, 0x5d, 0x9a, 0xc4, 0xce, 0x9d, 0x4b, 0xd2, 0x5d, 0xdf, 0x38, 0xbd, 0xb7, 0x3b, 0x31, - 0x7a, 0xd3, 0x20, 0x83, 0x53, 0x44, 0xed, 0x5f, 0x28, 0xa5, 0x77, 0xdc, 0xe6, 0x24, 0x45, 0x31, - 0x9d, 0x8a, 0xc9, 0x4d, 0x27, 0x92, 0xde, 0x98, 0x23, 0x86, 0xaf, 0x0b, 0xba, 0x37, 0x9d, 0xc8, - 0x9c, 0xd4, 0x8c, 0x01, 0x96, 0x9c, 0xd0, 0x6d, 0xa8, 0x24, 0xbe, 0x53, 0x50, 0xbe, 0x8b, 0xc1, - 0x51, 0x3b, 0x40, 0x16, 0xa6, 0x63, 0xcc, 0x78, 0xa0, 0xc7, 0xa9, 0xd5, 0xbf, 0x26, 0x63, 0xdc, - 0x84, 0xa1, 0xbe, 0x16, 0x63, 0xd6, 0x6a, 0xff, 0xbf, 0x5a, 0x8e, 0x5e, 0x55, 0x0b, 0x19, 0xba, - 0x08, 0x40, 0x37, 0x90, 0xcb, 0x11, 0x59, 0xf7, 0xb6, 0x85, 0x21, 0xa1, 0xe6, 0xee, 0x75, 0x05, - 0xc1, 0x06, 0x96, 0x7c, 0x66, 0xa5, 0xbb, 0x4e, 0x9f, 0x29, 0xf5, 0x3e, 0xc3, 0x21, 0xd8, 0xc0, - 0x42, 0x2f, 0xc0, 0x90, 0xd7, 0x76, 0x5a, 0x2a, 0x14, 0xef, 0x71, 0x3a, 0x69, 0xe7, 0x59, 0xcb, - 0xdd, 0xdd, 0x89, 0x93, 0x4a, 0x20, 0xd6, 0x84, 0x05, 0x2e, 0xfa, 0x15, 0x0b, 0x46, 0xdd, 0xb0, - 0xdd, 0x0e, 0x03, 0xbe, 0xed, 0x12, 0x7b, 0xc8, 0xdb, 0xc7, 0xb5, 0xcc, 0x4f, 0xce, 0x18, 0xcc, - 0xf8, 0x26, 0x52, 0x25, 0xe6, 0x98, 0x20, 0x9c, 0x92, 0xca, 0x9c, 0xdb, 0xd5, 0x7d, 0xe6, 0xf6, - 0xaf, 0x5b, 0x30, 0xc6, 0x9f, 0x35, 0x76, 0x83, 0x22, 0x07, 0x25, 0x3c, 0xe6, 0xd7, 0xea, 0xd9, - 0x20, 0x2b, 0x2f, 0x5d, 0x0f, 0x1c, 0xf7, 0x0a, 0x89, 0xe6, 0x60, 0x6c, 0x3d, 0x8c, 0x5c, 0x62, - 0x76, 0x84, 0x50, 0x4c, 0x8a, 0xd0, 0xe5, 0x2c, 0x02, 0xee, 0x7d, 0x06, 0xdd, 0x84, 0x47, 0x8c, - 0x46, 0xb3, 0x1f, 0xb8, 0x6e, 0x7a, 0x52, 0x50, 0x7b, 0xe4, 0x72, 0x2e, 0x16, 0xee, 0xf3, 0x74, - 0xda, 0x61, 0x52, 0x1f, 0xc0, 0x61, 
0xf2, 0x3a, 0x3c, 0xe6, 0xf6, 0xf6, 0xcc, 0x56, 0xdc, 0x5d, - 0x8b, 0xb9, 0xa6, 0xaa, 0x35, 0x7e, 0x40, 0x10, 0x78, 0x6c, 0xa6, 0x1f, 0x22, 0xee, 0x4f, 0x03, - 0x7d, 0x0c, 0x6a, 0x11, 0x61, 0x5f, 0x25, 0x16, 0x09, 0x19, 0x47, 0xdc, 0x25, 0x6b, 0x0b, 0x94, - 0x93, 0xd5, 0xba, 0x57, 0x34, 0xc4, 0x58, 0x71, 0x3c, 0xff, 0x01, 0x18, 0xeb, 0x19, 0xcf, 0x07, - 0xf2, 0x59, 0xcc, 0xc2, 0x23, 0xf9, 0x23, 0xe7, 0x40, 0x9e, 0x8b, 0x7f, 0x90, 0x89, 0x33, 0x34, - 0xac, 0xc9, 0x01, 0xbc, 0x60, 0x0e, 0x94, 0x49, 0xb0, 0x25, 0x14, 0xe9, 0xe5, 0xa3, 0xf5, 0xde, - 0xa5, 0x60, 0x8b, 0x0f, 0x7c, 0xb6, 0xd5, 0xbf, 0x14, 0x6c, 0x61, 0x4a, 0x1b, 0x7d, 0xd9, 0x4a, - 0x59, 0x43, 0xdc, 0x77, 0xf6, 0x91, 0x63, 0x31, 0x9f, 0x07, 0x36, 0x90, 0xec, 0x7f, 0x55, 0x82, - 0x0b, 0xfb, 0x11, 0x19, 0xa0, 0xfb, 0x9e, 0x82, 0xa1, 0x98, 0x1d, 0x81, 0x0a, 0xcd, 0x34, 0x42, - 0xb5, 0x12, 0x3f, 0x14, 0x7d, 0x1d, 0x0b, 0x10, 0xf2, 0xa1, 0xdc, 0x76, 0x3a, 0xc2, 0xa5, 0x32, - 0x7f, 0xd4, 0xac, 0x02, 0xfa, 0xdf, 0xf1, 0x17, 0x9d, 0x0e, 0xdf, 0xa8, 0x1b, 0x0d, 0x98, 0xb2, - 0x41, 0x09, 0x54, 0x9d, 0x28, 0x72, 0xe4, 0x79, 0xdb, 0xb5, 0x62, 0xf8, 0x4d, 0x53, 0x92, 0x8d, - 0xb1, 0xbd, 0xdd, 0x89, 0x13, 0xa9, 0x26, 0xcc, 0x99, 0xd9, 0x9f, 0x1b, 0x4e, 0x45, 0xd6, 0xb3, - 0x43, 0xd4, 0x18, 0x86, 0x84, 0x27, 0xc5, 0x2a, 0x3a, 0x99, 0x83, 0xa7, 0x46, 0xb1, 0xcd, 0x92, - 0x48, 0x30, 0x15, 0xac, 0xd0, 0x67, 0x2d, 0x96, 0xc6, 0x29, 0xb3, 0x0d, 0xc4, 0x16, 0xe5, 0x78, - 0xb2, 0x4a, 0xcd, 0xe4, 0x50, 0xd9, 0x88, 0x4d, 0xee, 0x74, 0xe9, 0xea, 0xf0, 0x84, 0xa4, 0xec, - 0x46, 0x45, 0x26, 0x7a, 0x4a, 0x38, 0xda, 0xce, 0x39, 0x2c, 0x2d, 0x20, 0x15, 0x70, 0x80, 0xe3, - 0xd1, 0xaf, 0x5b, 0x30, 0xc6, 0xcd, 0xd1, 0x59, 0x6f, 0x7d, 0x9d, 0x44, 0x24, 0x70, 0x89, 0x34, - 0xe8, 0x8f, 0x78, 0x1c, 0x2f, 0xdd, 0x57, 0xf3, 0x59, 0xf2, 0x7a, 0x4d, 0xeb, 0x01, 0xe1, 0x5e, - 0x61, 0x50, 0x13, 0x2a, 0x5e, 0xb0, 0x1e, 0x8a, 0x95, 0xbc, 0x71, 0x34, 0xa1, 0xe6, 0x83, 0xf5, - 0x50, 0xcf, 0x66, 0xfa, 0x0f, 0x33, 0xea, 0x68, 0x01, 0xce, 0x46, 0xc2, 
0xe5, 0x72, 0xc5, 0x8b, - 0xe9, 0xc6, 0x78, 0xc1, 0x6b, 0x7b, 0x09, 0x5b, 0x85, 0xcb, 0x8d, 0xf1, 0xbd, 0xdd, 0x89, 0xb3, - 0x38, 0x07, 0x8e, 0x73, 0x9f, 0x42, 0x6f, 0xc2, 0xb0, 0xcc, 0x3b, 0xad, 0x15, 0xb1, 0x39, 0xea, - 0x1d, 0xff, 0x6a, 0x30, 0xad, 0x88, 0x14, 0x53, 0xc9, 0xd0, 0xfe, 0xe2, 0x08, 0xf4, 0x9e, 0x0d, - 0xa2, 0x8f, 0x43, 0x3d, 0x52, 0xb9, 0xb0, 0x56, 0x11, 0xf1, 0x7d, 0xf2, 0xfb, 0x8a, 0x73, 0x49, - 0x65, 0x0f, 0xe8, 0xac, 0x57, 0xcd, 0x91, 0x5a, 0xed, 0xb1, 0x3e, 0x42, 0x2c, 0x60, 0x6c, 0x0b, - 0xae, 0xfa, 0x78, 0x68, 0x27, 0x70, 0x31, 0xe3, 0x81, 0x22, 0x18, 0xda, 0x20, 0x8e, 0x9f, 0x6c, - 0x14, 0xe3, 0xc9, 0xbe, 0xc2, 0x68, 0x65, 0xb3, 0x26, 0x78, 0x2b, 0x16, 0x9c, 0xd0, 0x36, 0x0c, - 0x6f, 0xf0, 0x01, 0x20, 0x0c, 0xe9, 0xc5, 0xa3, 0x76, 0x6e, 0x6a, 0x54, 0xe9, 0xcf, 0x2d, 0x1a, - 0xb0, 0x64, 0xc7, 0x22, 0x2d, 0x8c, 0x63, 0x71, 0x3e, 0x75, 0x8b, 0x4b, 0x18, 0x19, 0xfc, 0x4c, - 0xfc, 0xa3, 0x30, 0x1a, 0x11, 0x37, 0x0c, 0x5c, 0xcf, 0x27, 0xcd, 0x69, 0xe9, 0xa5, 0x3e, 0x48, - 0x9a, 0x01, 0xdb, 0x8c, 0x62, 0x83, 0x06, 0x4e, 0x51, 0x44, 0x9f, 0xb1, 0xe0, 0xa4, 0x4a, 0xa0, - 0xa3, 0x1f, 0x84, 0x08, 0xaf, 0xe8, 0x42, 0x41, 0xe9, 0x7a, 0x8c, 0x66, 0x03, 0xed, 0xed, 0x4e, - 0x9c, 0x4c, 0xb7, 0xe1, 0x0c, 0x5f, 0xf4, 0x2a, 0x40, 0xb8, 0xc6, 0xc3, 0x29, 0xa6, 0x13, 0xe1, - 0x22, 0x3d, 0xc8, 0xab, 0x9e, 0xe4, 0xf9, 0x46, 0x92, 0x02, 0x36, 0xa8, 0xa1, 0x6b, 0x00, 0x7c, - 0xda, 0xac, 0xee, 0x74, 0xa4, 0xb5, 0x2d, 0xf3, 0x44, 0x60, 0x45, 0x41, 0xee, 0xee, 0x4e, 0xf4, - 0xba, 0xac, 0xd8, 0xe9, 0xbd, 0xf1, 0x38, 0xfa, 0x09, 0x18, 0x8e, 0xbb, 0xed, 0xb6, 0xa3, 0x1c, - 0xa8, 0x05, 0x66, 0x30, 0x71, 0xba, 0x86, 0x2a, 0xe2, 0x0d, 0x58, 0x72, 0x44, 0xb7, 0xa9, 0x52, - 0x8d, 0x85, 0x2f, 0x8d, 0xcd, 0x22, 0x6e, 0x13, 0x8c, 0xb0, 0x77, 0x7a, 0x9f, 0x8c, 0x0e, 0xc1, - 0x39, 0x38, 0x77, 0x77, 0x27, 0x1e, 0x49, 0xb7, 0x2f, 0x84, 0x22, 0xa7, 0x28, 0x97, 0x26, 0xba, - 0x2a, 0xcb, 0x50, 0xd0, 0xd7, 0x96, 0xd9, 0xd1, 0xcf, 0xe8, 0x32, 0x14, 0xac, 0xb9, 0x7f, 0x9f, - 0x99, 0x0f, 
0xa3, 0x45, 0x38, 0xe3, 0x86, 0x41, 0x12, 0x85, 0xbe, 0xcf, 0x6b, 0xab, 0xf0, 0x8d, - 0x0f, 0x77, 0xb0, 0xbe, 0x53, 0x88, 0x7d, 0x66, 0xa6, 0x17, 0x05, 0xe7, 0x3d, 0x67, 0x07, 0xe9, - 0x38, 0x33, 0xd1, 0x39, 0x2f, 0xc0, 0x28, 0xd9, 0x4e, 0x48, 0x14, 0x38, 0xfe, 0x0d, 0xbc, 0x20, - 0x5d, 0x8b, 0x6c, 0x0e, 0x5c, 0x32, 0xda, 0x71, 0x0a, 0x0b, 0xd9, 0x6a, 0xb7, 0x5f, 0xd2, 0x89, - 0x77, 0x7c, 0xb7, 0x2f, 0xf7, 0xf6, 0xf6, 0xff, 0x2a, 0xa5, 0x0c, 0xb2, 0xd5, 0x88, 0x10, 0x14, - 0x42, 0x35, 0x08, 0x9b, 0x4a, 0xf7, 0x5f, 0x2d, 0x46, 0xf7, 0x5f, 0x0f, 0x9b, 0x46, 0xad, 0x0a, - 0xfa, 0x2f, 0xc6, 0x9c, 0x0f, 0x4b, 0xe6, 0x97, 0x55, 0x0f, 0x18, 0x40, 0x6c, 0x34, 0x8a, 0xe4, - 0xac, 0x92, 0xf9, 0x97, 0x4c, 0x46, 0x38, 0xcd, 0x17, 0x6d, 0x42, 0x75, 0x23, 0x8c, 0x13, 0xb9, - 0xfd, 0x38, 0xe2, 0x4e, 0xe7, 0x4a, 0x18, 0x27, 0xcc, 0x8a, 0x50, 0xaf, 0x4d, 0x5b, 0x62, 0xcc, - 0x79, 0xd8, 0xff, 0xc9, 0x4a, 0x39, 0x92, 0x6f, 0xb1, 0x98, 0xcb, 0x2d, 0x12, 0xd0, 0x69, 0x6d, - 0xc6, 0xdb, 0xfc, 0xd9, 0x4c, 0xe2, 0xd7, 0xbb, 0xfa, 0x55, 0x0e, 0xba, 0x43, 0x29, 0x4c, 0x32, - 0x12, 0x46, 0x68, 0xce, 0x27, 0xad, 0x74, 0x0a, 0x5e, 0xa9, 0x88, 0x0d, 0x86, 0x99, 0x62, 0xba, - 0x6f, 0x36, 0x9f, 0xfd, 0x65, 0x0b, 0x86, 0x1b, 0x8e, 0xbb, 0x19, 0xae, 0xaf, 0xa3, 0x67, 0xa1, - 0xd6, 0xec, 0x46, 0x66, 0x36, 0xa0, 0xda, 0x3d, 0xcf, 0x8a, 0x76, 0xac, 0x30, 0xe8, 0x18, 0x5e, - 0x77, 0x5c, 0x99, 0x68, 0x5a, 0xe6, 0x63, 0xf8, 0x32, 0x6b, 0xc1, 0x02, 0x82, 0x5e, 0x84, 0x91, - 0xb6, 0xb3, 0x2d, 0x1f, 0xce, 0x7a, 0xb1, 0x17, 0x35, 0x08, 0x9b, 0x78, 0xf6, 0x3f, 0xb7, 0x60, - 0xbc, 0xe1, 0xc4, 0x9e, 0x3b, 0xdd, 0x4d, 0x36, 0x1a, 0x5e, 0xb2, 0xd6, 0x75, 0x37, 0x49, 0xc2, - 0xb3, 0x8b, 0xa9, 0x94, 0xdd, 0x98, 0x4e, 0x25, 0xb5, 0xaf, 0x53, 0x52, 0xde, 0x10, 0xed, 0x58, - 0x61, 0xa0, 0x37, 0x61, 0xa4, 0xe3, 0xc4, 0xf1, 0x9d, 0x30, 0x6a, 0x62, 0xb2, 0x5e, 0x4c, 0x6e, - 0xff, 0x0a, 0x71, 0x23, 0x92, 0x60, 0xb2, 0x2e, 0x4e, 0x5a, 0x35, 0x7d, 0x6c, 0x32, 0xb3, 0xbf, - 0x60, 0xc1, 0x63, 0x0d, 0xe2, 0x44, 0x24, 0x62, 
0xa5, 0x00, 0xd4, 0x8b, 0xcc, 0xf8, 0x61, 0xb7, - 0x89, 0xde, 0x80, 0x5a, 0x42, 0x9b, 0xa9, 0x58, 0x56, 0xb1, 0x62, 0xb1, 0x83, 0xd2, 0x55, 0x41, - 0x1c, 0x2b, 0x36, 0xf6, 0x5f, 0xb1, 0x60, 0x94, 0x9d, 0x39, 0xcd, 0x92, 0xc4, 0xf1, 0xfc, 0x9e, - 0x8a, 0x39, 0xd6, 0x80, 0x15, 0x73, 0x2e, 0x40, 0x65, 0x23, 0x6c, 0x93, 0xec, 0x79, 0xe9, 0x95, - 0x90, 0x6e, 0xab, 0x29, 0x04, 0x3d, 0x4f, 0x3f, 0xbc, 0x17, 0x24, 0x0e, 0x9d, 0x02, 0xd2, 0xa7, - 0x79, 0x8a, 0x7f, 0x74, 0xd5, 0x8c, 0x4d, 0x1c, 0xfb, 0xb7, 0xea, 0x30, 0x2c, 0x0e, 0xd5, 0x07, - 0xce, 0x30, 0x97, 0xfb, 0xfb, 0x52, 0xdf, 0xfd, 0x7d, 0x0c, 0x43, 0x2e, 0xab, 0xc7, 0x25, 0xcc, - 0xc8, 0x6b, 0x85, 0x44, 0x61, 0xf0, 0x12, 0x5f, 0x5a, 0x2c, 0xfe, 0x1f, 0x0b, 0x56, 0xe8, 0x4b, - 0x16, 0x9c, 0x72, 0xc3, 0x20, 0x20, 0xae, 0xb6, 0x71, 0x2a, 0x45, 0x1c, 0xb6, 0xcf, 0xa4, 0x89, - 0xea, 0x03, 0x8f, 0x0c, 0x00, 0x67, 0xd9, 0xa3, 0x97, 0xe1, 0x04, 0xef, 0xb3, 0x9b, 0x29, 0x47, - 0xac, 0x2e, 0xa4, 0x62, 0x02, 0x71, 0x1a, 0x17, 0x4d, 0x72, 0x87, 0xb6, 0x28, 0x59, 0x32, 0xa4, - 0x4f, 0xcf, 0x8c, 0x62, 0x25, 0x06, 0x06, 0x8a, 0x00, 0x45, 0x64, 0x3d, 0x22, 0xf1, 0x86, 0x08, - 0x3a, 0x60, 0xf6, 0xd5, 0xf0, 0xe1, 0x32, 0x56, 0x71, 0x0f, 0x25, 0x9c, 0x43, 0x1d, 0x6d, 0x8a, - 0x0d, 0x66, 0xad, 0x08, 0x1d, 0x2a, 0x3e, 0x73, 0xdf, 0x7d, 0xe6, 0x04, 0x54, 0xe3, 0x0d, 0x27, - 0x6a, 0x32, 0xbb, 0xae, 0xcc, 0xb3, 0x24, 0x56, 0x68, 0x03, 0xe6, 0xed, 0x68, 0x16, 0x4e, 0x67, - 0xca, 0xc0, 0xc4, 0xc2, 0x61, 0xaa, 0x42, 0xfb, 0x33, 0x05, 0x64, 0x62, 0xdc, 0xf3, 0x84, 0xe9, - 0x7c, 0x18, 0xd9, 0xc7, 0xf9, 0xb0, 0xa3, 0x42, 0xdb, 0x46, 0xd9, 0xfa, 0xf8, 0x4a, 0x21, 0x1d, - 0x30, 0x50, 0x1c, 0xdb, 0xe7, 0x33, 0x71, 0x6c, 0x27, 0x98, 0x00, 0x37, 0x8b, 0x11, 0xe0, 0xe0, - 0x41, 0x6b, 0x0f, 0x32, 0x08, 0xed, 0x7f, 0x58, 0x20, 0xbf, 0xeb, 0x8c, 0xe3, 0x6e, 0x10, 0x3a, - 0x64, 0xd0, 0xfb, 0xe1, 0xa4, 0xda, 0x42, 0xcf, 0x84, 0xdd, 0x80, 0xc7, 0x9f, 0x95, 0xf5, 0xc9, - 0x28, 0x4e, 0x41, 0x71, 0x06, 0x1b, 0x4d, 0x41, 0x9d, 0xf6, 0x13, 0x7f, 0x94, 0xaf, 
0xb5, 0x6a, - 0x9b, 0x3e, 0xbd, 0x3c, 0x2f, 0x9e, 0xd2, 0x38, 0x28, 0x84, 0x31, 0xdf, 0x89, 0x13, 0x26, 0x01, - 0xdd, 0x51, 0x1f, 0x32, 0x5f, 0x9c, 0xc5, 0x8f, 0x2f, 0x64, 0x09, 0xe1, 0x5e, 0xda, 0xf6, 0xb7, - 0x2b, 0x70, 0x22, 0xa5, 0x19, 0x0f, 0xb8, 0x48, 0x3f, 0x0b, 0x35, 0xb9, 0x6e, 0x66, 0xab, 0x56, - 0xa8, 0xc5, 0x55, 0x61, 0xd0, 0x45, 0x6b, 0x4d, 0xaf, 0xaa, 0x59, 0xa3, 0xc2, 0x58, 0x70, 0xb1, - 0x89, 0xc7, 0x94, 0x72, 0xe2, 0xc7, 0x33, 0xbe, 0x47, 0x82, 0x84, 0x8b, 0x59, 0x8c, 0x52, 0x5e, - 0x5d, 0x58, 0x31, 0x89, 0x6a, 0xa5, 0x9c, 0x01, 0xe0, 0x2c, 0x7b, 0xf4, 0xd3, 0x16, 0x9c, 0x70, - 0xee, 0xc4, 0xba, 0x68, 0xa4, 0x88, 0x58, 0x3b, 0xe2, 0x22, 0x95, 0xaa, 0x43, 0xc9, 0x5d, 0xbe, - 0xa9, 0x26, 0x9c, 0x66, 0x8a, 0xbe, 0x6a, 0x01, 0x22, 0xdb, 0xc4, 0x95, 0x31, 0x75, 0x42, 0x96, - 0xa1, 0x22, 0x76, 0x9a, 0x97, 0x7a, 0xe8, 0x72, 0xad, 0xde, 0xdb, 0x8e, 0x73, 0x64, 0xb0, 0xff, - 0x71, 0x59, 0x4d, 0x28, 0x1d, 0xc6, 0xe9, 0x18, 0xe1, 0x64, 0xd6, 0xe1, 0xc3, 0xc9, 0xf4, 0xb1, - 0x7c, 0x6f, 0x1a, 0x5a, 0x2a, 0xfd, 0xa6, 0xf4, 0x80, 0xd2, 0x6f, 0x7e, 0xca, 0x4a, 0xd5, 0x67, - 0x19, 0xb9, 0xf8, 0x6a, 0xb1, 0x21, 0xa4, 0x93, 0x3c, 0x64, 0x20, 0xa3, 0xdd, 0xd3, 0x91, 0x22, - 0x54, 0x9b, 0x1a, 0x68, 0x07, 0xd2, 0x86, 0xff, 0xae, 0x0c, 0x23, 0xc6, 0x4a, 0x9a, 0x6b, 0x16, - 0x59, 0x0f, 0x99, 0x59, 0x54, 0x3a, 0x80, 0x59, 0xf4, 0x93, 0x50, 0x77, 0xa5, 0x96, 0x2f, 0xa6, - 0x42, 0x69, 0x76, 0xed, 0xd0, 0x8a, 0x5e, 0x35, 0x61, 0xcd, 0x13, 0xcd, 0xa5, 0xf2, 0x57, 0xc4, - 0x0a, 0x51, 0x61, 0x2b, 0x44, 0x5e, 0x82, 0x89, 0x58, 0x29, 0x7a, 0x9f, 0x61, 0x65, 0x7c, 0x3a, - 0x9e, 0x78, 0x2f, 0x19, 0xe8, 0xcd, 0xcb, 0xf8, 0x2c, 0xcf, 0xcb, 0x66, 0x6c, 0xe2, 0xd8, 0xdf, - 0xb6, 0xd4, 0xc7, 0xbd, 0x0f, 0x49, 0xed, 0xb7, 0xd3, 0x49, 0xed, 0x97, 0x0a, 0xe9, 0xe6, 0x3e, - 0xd9, 0xec, 0xd7, 0x61, 0x78, 0x26, 0x6c, 0xb7, 0x9d, 0xa0, 0x89, 0x7e, 0x10, 0x86, 0x5d, 0xfe, - 0x53, 0x38, 0x76, 0xd8, 0xf1, 0xa0, 0x80, 0x62, 0x09, 0x43, 0x8f, 0x43, 0xc5, 0x89, 0x5a, 0xd2, - 0x99, 0xc3, 0x22, 0x4c, 
0xa6, 0xa3, 0x56, 0x8c, 0x59, 0xab, 0xfd, 0xf7, 0x2b, 0x00, 0x33, 0x61, - 0xbb, 0xe3, 0x44, 0xa4, 0xb9, 0x1a, 0xb2, 0x0a, 0x69, 0xc7, 0x7a, 0xa8, 0xa6, 0x37, 0x4b, 0x0f, - 0xf3, 0xc1, 0x9a, 0x71, 0xb8, 0x52, 0xbe, 0xcf, 0x87, 0x2b, 0x7d, 0xce, 0xcb, 0x2a, 0x0f, 0xd1, - 0x79, 0x99, 0xfd, 0x39, 0x0b, 0x10, 0x1d, 0x34, 0x61, 0x40, 0x82, 0x44, 0x1f, 0x68, 0x4f, 0x41, - 0xdd, 0x95, 0xad, 0xc2, 0xb0, 0xd2, 0x2a, 0x42, 0x02, 0xb0, 0xc6, 0x19, 0x60, 0x87, 0xfc, 0x94, - 0xd4, 0xdf, 0xe5, 0x74, 0x70, 0x2a, 0xd3, 0xfa, 0x42, 0x9d, 0xdb, 0xbf, 0x5d, 0x82, 0x47, 0xf8, - 0x92, 0xbc, 0xe8, 0x04, 0x4e, 0x8b, 0xb4, 0xa9, 0x54, 0x83, 0x86, 0x28, 0xb8, 0x74, 0x6b, 0xe6, - 0xc9, 0x60, 0xd3, 0xa3, 0xce, 0x5d, 0x3e, 0xe7, 0xf8, 0x2c, 0x9b, 0x0f, 0xbc, 0x04, 0x33, 0xe2, - 0x28, 0x86, 0x9a, 0x2c, 0xc9, 0x2d, 0x74, 0x71, 0x41, 0x8c, 0x94, 0x5a, 0x12, 0xeb, 0x26, 0xc1, - 0x8a, 0x11, 0x35, 0x5c, 0xfd, 0xd0, 0xdd, 0xc4, 0xa4, 0x13, 0x32, 0xbd, 0x6b, 0xc4, 0xfa, 0x2d, - 0x88, 0x76, 0xac, 0x30, 0xec, 0xdf, 0xb6, 0x20, 0xbb, 0x22, 0x19, 0xe5, 0xaa, 0xac, 0x7b, 0x96, - 0xab, 0x3a, 0x40, 0xbd, 0xa8, 0x1f, 0x87, 0x11, 0x27, 0xa1, 0x46, 0x04, 0xdf, 0x76, 0x97, 0x0f, - 0x77, 0xac, 0xb1, 0x18, 0x36, 0xbd, 0x75, 0x8f, 0x6d, 0xb7, 0x4d, 0x72, 0xf6, 0x7f, 0xab, 0xc0, - 0x58, 0x4f, 0x4a, 0x04, 0x7a, 0x09, 0x46, 0x5d, 0x31, 0x3c, 0x3a, 0xd2, 0xa1, 0x55, 0x37, 0x63, - 0xc3, 0x34, 0x0c, 0xa7, 0x30, 0x07, 0x18, 0xa0, 0xf3, 0x70, 0x26, 0xa2, 0x1b, 0xfd, 0x2e, 0x99, - 0x5e, 0x4f, 0x48, 0xb4, 0x42, 0xdc, 0x30, 0x68, 0xf2, 0xa2, 0x6a, 0xe5, 0xc6, 0xa3, 0x7b, 0xbb, - 0x13, 0x67, 0x70, 0x2f, 0x18, 0xe7, 0x3d, 0x83, 0x3a, 0x70, 0xc2, 0x37, 0x6d, 0x40, 0xb1, 0x01, - 0x38, 0x94, 0xf9, 0xa8, 0x6c, 0x84, 0x54, 0x33, 0x4e, 0x33, 0x48, 0x1b, 0x92, 0xd5, 0x07, 0x64, - 0x48, 0x7e, 0x5a, 0x1b, 0x92, 0xfc, 0xfc, 0xfd, 0xc3, 0x05, 0xa7, 0xc4, 0x1c, 0xb7, 0x25, 0xf9, - 0x0a, 0xd4, 0x64, 0x6c, 0xd2, 0x40, 0x31, 0x3d, 0x26, 0x9d, 0x3e, 0x1a, 0xed, 0x6e, 0x09, 0x72, - 0x36, 0x21, 0x74, 0x9e, 0xe9, 0x15, 0x3f, 0x35, 0xcf, 0x0e, 
0xb6, 0xea, 0xa3, 0x6d, 0x1e, 0x97, - 0xc5, 0xd7, 0xb6, 0x0f, 0x15, 0xbd, 0x89, 0xd2, 0xa1, 0x5a, 0x2a, 0x53, 0x40, 0x85, 0x6b, 0x5d, - 0x04, 0xd0, 0x86, 0x9a, 0x88, 0x03, 0x57, 0xc7, 0xbe, 0xda, 0x9e, 0xc3, 0x06, 0x16, 0xdd, 0x53, - 0x7b, 0x41, 0x9c, 0x38, 0xbe, 0x7f, 0xc5, 0x0b, 0x12, 0xe1, 0x1c, 0x54, 0x8b, 0xf8, 0xbc, 0x06, - 0x61, 0x13, 0xef, 0xfc, 0xfb, 0x8c, 0xef, 0x72, 0x90, 0xef, 0xb9, 0x01, 0x8f, 0xcd, 0x79, 0x89, - 0xca, 0x5e, 0x50, 0xe3, 0x88, 0xda, 0x61, 0x2a, 0x1b, 0xc7, 0xea, 0x9b, 0x8d, 0x63, 0x64, 0x0f, - 0x94, 0xd2, 0xc9, 0x0e, 0xd9, 0xec, 0x01, 0xfb, 0x25, 0x38, 0x3b, 0xe7, 0x25, 0x97, 0x3d, 0x9f, - 0x1c, 0x90, 0x89, 0xfd, 0x9b, 0x43, 0x30, 0x6a, 0xe6, 0xbf, 0x1d, 0x24, 0xa1, 0xe8, 0x0b, 0xd4, - 0xd4, 0x12, 0x6f, 0xe7, 0xa9, 0x43, 0xb3, 0x5b, 0x47, 0x4e, 0xc6, 0xcb, 0xef, 0x31, 0xc3, 0xda, - 0xd2, 0x3c, 0xb1, 0x29, 0x00, 0xba, 0x03, 0xd5, 0x75, 0x16, 0xdd, 0x5e, 0x2e, 0x22, 0xb2, 0x20, - 0xaf, 0x47, 0xf5, 0x34, 0xe3, 0xf1, 0xf1, 0x9c, 0x1f, 0x5d, 0x21, 0xa3, 0x74, 0xca, 0x94, 0x11, - 0x91, 0x29, 0x92, 0xa5, 0x14, 0x46, 0x3f, 0x55, 0x5f, 0x3d, 0x84, 0xaa, 0x4f, 0x29, 0xde, 0xa1, - 0x07, 0xa4, 0x78, 0x59, 0xa6, 0x42, 0xb2, 0xc1, 0xec, 0x37, 0x11, 0x42, 0x3e, 0xcc, 0x3a, 0xc1, - 0xc8, 0x54, 0x48, 0x81, 0x71, 0x16, 0x1f, 0x7d, 0x42, 0xa9, 0xee, 0x5a, 0x11, 0x7e, 0x55, 0x73, - 0x44, 0x1f, 0xb7, 0xd6, 0xfe, 0x5c, 0x09, 0x4e, 0xce, 0x05, 0xdd, 0xe5, 0xb9, 0xe5, 0xee, 0x9a, - 0xef, 0xb9, 0xd7, 0xc8, 0x0e, 0x55, 0xcd, 0x9b, 0x64, 0x67, 0x7e, 0x56, 0xcc, 0x20, 0x35, 0x66, - 0xae, 0xd1, 0x46, 0xcc, 0x61, 0x54, 0x19, 0xad, 0x7b, 0x41, 0x8b, 0x44, 0x9d, 0xc8, 0x13, 0x2e, - 0x4f, 0x43, 0x19, 0x5d, 0xd6, 0x20, 0x6c, 0xe2, 0x51, 0xda, 0xe1, 0x9d, 0x80, 0x44, 0x59, 0x43, - 0x76, 0x89, 0x36, 0x62, 0x0e, 0xa3, 0x48, 0x49, 0xd4, 0x8d, 0x13, 0x31, 0x18, 0x15, 0xd2, 0x2a, - 0x6d, 0xc4, 0x1c, 0x46, 0x67, 0x7a, 0xdc, 0x5d, 0x63, 0x81, 0x1b, 0x99, 0x78, 0xf5, 0x15, 0xde, - 0x8c, 0x25, 0x9c, 0xa2, 0x6e, 0x92, 0x9d, 0x59, 0xba, 0xeb, 0xcd, 0xa4, 0xad, 0x5c, 0xe3, 0xcd, - 
0x58, 0xc2, 0x59, 0x35, 0xb8, 0x74, 0x77, 0x7c, 0xcf, 0x55, 0x83, 0x4b, 0x8b, 0xdf, 0x67, 0xff, - 0xfc, 0xcb, 0x16, 0x8c, 0x9a, 0xe1, 0x56, 0xa8, 0x95, 0xb1, 0x71, 0x97, 0x7a, 0x8a, 0x89, 0xfe, - 0x68, 0xde, 0xcd, 0x49, 0x2d, 0x2f, 0x09, 0x3b, 0xf1, 0x73, 0x24, 0x68, 0x79, 0x01, 0x61, 0xa7, - 0xe8, 0x3c, 0x4c, 0x2b, 0x15, 0xcb, 0x35, 0x13, 0x36, 0xc9, 0x21, 0x8c, 0x64, 0xfb, 0x16, 0x8c, - 0xf5, 0xe4, 0x2a, 0x0d, 0x60, 0x5a, 0xec, 0x9b, 0x29, 0x6a, 0x63, 0x18, 0xa1, 0x84, 0x65, 0x69, - 0x95, 0x19, 0x18, 0xe3, 0x13, 0x89, 0x72, 0x5a, 0x71, 0x37, 0x48, 0x5b, 0xe5, 0x9f, 0x31, 0xff, - 0xfa, 0xcd, 0x2c, 0x10, 0xf7, 0xe2, 0xdb, 0x9f, 0xb7, 0xe0, 0x44, 0x2a, 0x7d, 0xac, 0x20, 0x23, - 0x88, 0xcd, 0xb4, 0x90, 0x45, 0xff, 0xb1, 0x10, 0xe8, 0x32, 0x5b, 0x4c, 0xf5, 0x4c, 0xd3, 0x20, - 0x6c, 0xe2, 0xd9, 0x5f, 0x2e, 0x41, 0x4d, 0x46, 0x50, 0x0c, 0x20, 0xca, 0x67, 0x2d, 0x38, 0xa1, - 0xce, 0x34, 0x98, 0xb3, 0xac, 0x54, 0x44, 0xac, 0x3f, 0x95, 0x40, 0x6d, 0xb7, 0x83, 0xf5, 0x50, - 0x5b, 0xe4, 0xd8, 0x64, 0x86, 0xd3, 0xbc, 0xd1, 0x4d, 0x80, 0x78, 0x27, 0x4e, 0x48, 0xdb, 0x70, - 0xdb, 0xd9, 0xc6, 0x8c, 0x9b, 0x74, 0xc3, 0x88, 0xd0, 0xf9, 0x75, 0x3d, 0x6c, 0x92, 0x15, 0x85, - 0xa9, 0x4d, 0x28, 0xdd, 0x86, 0x0d, 0x4a, 0xf6, 0xdf, 0x2d, 0xc1, 0xe9, 0xac, 0x48, 0xe8, 0xc3, - 0x30, 0x2a, 0xb9, 0x1b, 0xb7, 0x40, 0xc9, 0xb0, 0x91, 0x51, 0x6c, 0xc0, 0xee, 0xee, 0x4e, 0x4c, - 0xf4, 0xde, 0xc2, 0x35, 0x69, 0xa2, 0xe0, 0x14, 0x31, 0x7e, 0xb0, 0x24, 0x4e, 0x40, 0x1b, 0x3b, - 0xd3, 0x9d, 0x8e, 0x38, 0x1d, 0x32, 0x0e, 0x96, 0x4c, 0x28, 0xce, 0x60, 0xa3, 0x65, 0x38, 0x6b, - 0xb4, 0x5c, 0x27, 0x5e, 0x6b, 0x63, 0x2d, 0x8c, 0xe4, 0xce, 0xea, 0x71, 0x1d, 0xd8, 0xd5, 0x8b, - 0x83, 0x73, 0x9f, 0xa4, 0xab, 0xbd, 0xeb, 0x74, 0x1c, 0xd7, 0x4b, 0x76, 0x84, 0x1f, 0x52, 0xe9, - 0xa6, 0x19, 0xd1, 0x8e, 0x15, 0x86, 0xbd, 0x08, 0x95, 0x01, 0x47, 0xd0, 0x40, 0x16, 0xfd, 0x2b, - 0x50, 0xa3, 0xe4, 0xa4, 0x79, 0x57, 0x04, 0xc9, 0x10, 0x6a, 0xf2, 0x22, 0x07, 0x64, 0x43, 0xd9, - 0x73, 0xe4, 0xd9, 0x9d, 0x7a, 0xad, 
0xf9, 0x38, 0xee, 0xb2, 0x4d, 0x32, 0x05, 0xa2, 0xa7, 0xa0, - 0x4c, 0xb6, 0x3b, 0xd9, 0x43, 0xba, 0x4b, 0xdb, 0x1d, 0x2f, 0x22, 0x31, 0x45, 0x22, 0xdb, 0x1d, - 0x74, 0x1e, 0x4a, 0x5e, 0x53, 0x2c, 0x52, 0x20, 0x70, 0x4a, 0xf3, 0xb3, 0xb8, 0xe4, 0x35, 0xed, - 0x6d, 0xa8, 0xab, 0x9b, 0x23, 0xd0, 0xa6, 0xd4, 0xdd, 0x56, 0x11, 0x21, 0x4f, 0x92, 0x6e, 0x1f, - 0xad, 0xdd, 0x05, 0xd0, 0x79, 0x74, 0x45, 0xe9, 0x97, 0x0b, 0x50, 0x71, 0x43, 0x91, 0xe3, 0x5b, - 0xd3, 0x64, 0x98, 0xd2, 0x66, 0x10, 0xfb, 0x16, 0x9c, 0xbc, 0x16, 0x84, 0x77, 0x58, 0x69, 0x6c, - 0x56, 0xd2, 0x8a, 0x12, 0x5e, 0xa7, 0x3f, 0xb2, 0x26, 0x02, 0x83, 0x62, 0x0e, 0x53, 0x65, 0x8f, - 0x4a, 0xfd, 0xca, 0x1e, 0xd9, 0x9f, 0xb4, 0xe0, 0xb4, 0xca, 0x06, 0x92, 0xda, 0xf8, 0x25, 0x18, - 0x5d, 0xeb, 0x7a, 0x7e, 0x53, 0x16, 0xca, 0xca, 0xb8, 0x29, 0x1a, 0x06, 0x0c, 0xa7, 0x30, 0xe9, - 0xa6, 0x6a, 0xcd, 0x0b, 0x9c, 0x68, 0x67, 0x59, 0xab, 0x7f, 0xa5, 0x11, 0x1a, 0x0a, 0x82, 0x0d, - 0x2c, 0xfb, 0xb3, 0xa6, 0x08, 0x22, 0xff, 0x68, 0x80, 0x9e, 0xbd, 0x01, 0x55, 0x57, 0x9d, 0xf5, - 0x1e, 0xaa, 0x98, 0x9f, 0xca, 0x2f, 0x67, 0xfe, 0x7e, 0x4e, 0xcd, 0xfe, 0x27, 0x25, 0x38, 0x91, - 0xaa, 0x59, 0x82, 0x7c, 0xa8, 0x11, 0x9f, 0xb9, 0xf2, 0xe4, 0x10, 0x3b, 0x6a, 0xb9, 0x48, 0x35, - 0x2d, 0x2e, 0x09, 0xba, 0x58, 0x71, 0x78, 0x38, 0x8e, 0xd4, 0x5e, 0x82, 0x51, 0x29, 0xd0, 0x87, - 0x9c, 0xb6, 0x2f, 0x66, 0xa1, 0x1a, 0x00, 0x97, 0x0c, 0x18, 0x4e, 0x61, 0xda, 0xff, 0xac, 0x0c, - 0xe3, 0xdc, 0xf7, 0xd9, 0x54, 0x51, 0x2f, 0x8b, 0xd2, 0xca, 0xfa, 0x0b, 0xba, 0xb2, 0x10, 0xef, - 0xc8, 0xb5, 0xa3, 0x56, 0x67, 0xce, 0x67, 0x34, 0x50, 0x3c, 0xc6, 0x2f, 0x66, 0xe2, 0x31, 0xf8, - 0x62, 0xdb, 0x3a, 0x26, 0x89, 0xbe, 0xb7, 0x02, 0x34, 0xfe, 0x56, 0x09, 0x4e, 0x65, 0x4a, 0x5f, - 0xa3, 0x2f, 0xa6, 0xcb, 0x3e, 0x5a, 0x45, 0x78, 0xc8, 0xee, 0x59, 0x0d, 0xf9, 0x60, 0xc5, 0x1f, - 0x1f, 0xd0, 0x54, 0xb1, 0x7f, 0xb7, 0x04, 0x27, 0xd3, 0x35, 0xbb, 0x1f, 0xc2, 0x9e, 0x7a, 0x0f, - 0xd4, 0x59, 0x59, 0x5a, 0x76, 0xcf, 0x18, 0x77, 0xc4, 0xf1, 0x52, 0xa6, 
0xb2, 0x11, 0x6b, 0xf8, - 0x43, 0x51, 0x53, 0xd3, 0xfe, 0xdb, 0x16, 0x9c, 0xe3, 0x6f, 0x99, 0x1d, 0x87, 0x7f, 0x31, 0xaf, - 0x77, 0x5f, 0x2b, 0x56, 0xc0, 0x4c, 0x45, 0xac, 0xfd, 0xfa, 0x97, 0xdd, 0x6f, 0x24, 0xa4, 0x4d, - 0x0f, 0x85, 0x87, 0x50, 0xd8, 0x03, 0x0d, 0x06, 0xfb, 0x77, 0xcb, 0xa0, 0xaf, 0x74, 0x42, 0x9e, - 0xc8, 0x6c, 0x2a, 0xa4, 0x32, 0xd8, 0xca, 0x4e, 0xe0, 0xea, 0xcb, 0xa3, 0x6a, 0x99, 0xc4, 0xa6, - 0x9f, 0xb3, 0x60, 0xc4, 0x0b, 0xbc, 0xc4, 0x73, 0x98, 0xf1, 0x5c, 0xcc, 0x95, 0x34, 0x8a, 0xdd, - 0x3c, 0xa7, 0x1c, 0x46, 0xa6, 0xf7, 0x56, 0x31, 0xc3, 0x26, 0x67, 0xf4, 0x51, 0x11, 0x32, 0x59, - 0x2e, 0x2c, 0x27, 0xaf, 0x96, 0x89, 0x93, 0xec, 0x40, 0x35, 0x22, 0x49, 0x54, 0x50, 0x2a, 0x2b, - 0xa6, 0xa4, 0x54, 0x91, 0x49, 0x7d, 0xb9, 0x26, 0x6d, 0xc6, 0x9c, 0x91, 0x1d, 0x03, 0xea, 0xed, - 0x8b, 0x03, 0x86, 0xa3, 0x4d, 0x41, 0xdd, 0xe9, 0x26, 0x61, 0x9b, 0x76, 0x93, 0x70, 0x30, 0xeb, - 0x80, 0x3b, 0x09, 0xc0, 0x1a, 0xc7, 0xfe, 0x62, 0x15, 0x32, 0xa9, 0x46, 0x68, 0xdb, 0xbc, 0x8e, - 0xcc, 0x2a, 0xf6, 0x3a, 0x32, 0x25, 0x4c, 0xde, 0x95, 0x64, 0xa8, 0x05, 0xd5, 0xce, 0x86, 0x13, - 0x4b, 0xdb, 0xf8, 0x15, 0xd9, 0x4d, 0xcb, 0xb4, 0xf1, 0xee, 0xee, 0xc4, 0x8f, 0x0d, 0xe6, 0x6b, - 0xa1, 0x63, 0x75, 0x8a, 0x67, 0xee, 0x6b, 0xd6, 0x8c, 0x06, 0xe6, 0xf4, 0x0f, 0x72, 0x29, 0xcf, - 0xa7, 0x44, 0x21, 0x61, 0x4c, 0xe2, 0xae, 0x9f, 0x88, 0xd1, 0xf0, 0x4a, 0x81, 0xb3, 0x8c, 0x13, - 0xd6, 0x49, 0xb2, 0xfc, 0x3f, 0x36, 0x98, 0xa2, 0x0f, 0x43, 0x3d, 0x4e, 0x9c, 0x28, 0x39, 0x64, - 0x5a, 0x9b, 0xea, 0xf4, 0x15, 0x49, 0x04, 0x6b, 0x7a, 0xe8, 0x55, 0x56, 0x28, 0xd1, 0x8b, 0x37, - 0x0e, 0x19, 0xe9, 0x2c, 0x8b, 0x2a, 0x0a, 0x0a, 0xd8, 0xa0, 0x46, 0xb7, 0x1e, 0x6c, 0x6c, 0xf3, - 0xf0, 0x9e, 0x1a, 0xdb, 0x5b, 0x2a, 0x55, 0x88, 0x15, 0x04, 0x1b, 0x58, 0xf6, 0x0f, 0x41, 0x3a, - 0xcb, 0x1b, 0x4d, 0xc8, 0xa4, 0x72, 0xee, 0x7b, 0x62, 0x11, 0xcb, 0xa9, 0xfc, 0xef, 0x5f, 0xb7, - 0xc0, 0x4c, 0x45, 0x47, 0x6f, 0xf0, 0x9c, 0x77, 0xab, 0x88, 0xf3, 0x02, 0x83, 0xee, 0xe4, 0xa2, - 0xd3, 0xc9, 
0x1c, 0x5c, 0xc9, 0xc4, 0xf7, 0xf3, 0xef, 0x83, 0x9a, 0x84, 0x1e, 0xc8, 0xa8, 0xfb, - 0x04, 0x9c, 0xc9, 0x5e, 0xd6, 0x2a, 0x7c, 0xcd, 0xad, 0x28, 0xec, 0x76, 0xb2, 0x1b, 0x49, 0x76, - 0x99, 0x27, 0xe6, 0x30, 0xba, 0x1d, 0xdb, 0xf4, 0x82, 0x66, 0x76, 0x23, 0x79, 0xcd, 0x0b, 0x9a, - 0x98, 0x41, 0x06, 0xb8, 0x94, 0xee, 0x37, 0x2c, 0xb8, 0xb0, 0xdf, 0x9d, 0xb2, 0xe8, 0x71, 0xa8, - 0xdc, 0x71, 0x22, 0x59, 0xc1, 0x96, 0x29, 0xca, 0x5b, 0x4e, 0x14, 0x60, 0xd6, 0x8a, 0x76, 0x60, - 0x88, 0xc7, 0x80, 0x08, 0x6b, 0xfd, 0x95, 0x62, 0x6f, 0xb8, 0xbd, 0x46, 0x8c, 0xed, 0x02, 0x8f, - 0x3f, 0xc1, 0x82, 0xa1, 0xfd, 0x1d, 0x0b, 0xd0, 0xd2, 0x16, 0x89, 0x22, 0xaf, 0x69, 0x44, 0xad, - 0xa0, 0x17, 0x60, 0xf4, 0xf6, 0xca, 0xd2, 0xf5, 0xe5, 0xd0, 0x0b, 0x58, 0xd5, 0x07, 0x23, 0xb1, - 0xed, 0xaa, 0xd1, 0x8e, 0x53, 0x58, 0x68, 0x06, 0xc6, 0x6e, 0xbf, 0x41, 0x37, 0xbf, 0x66, 0xb5, - 0xfc, 0x92, 0x76, 0x77, 0x5e, 0x7d, 0x25, 0x03, 0xc4, 0xbd, 0xf8, 0x68, 0x09, 0xce, 0xb5, 0xf9, - 0x76, 0x83, 0x17, 0xb9, 0xe6, 0x7b, 0x0f, 0x95, 0x46, 0xf2, 0xd8, 0xde, 0xee, 0xc4, 0xb9, 0xc5, - 0x3c, 0x04, 0x9c, 0xff, 0x9c, 0xfd, 0x3e, 0x40, 0x3c, 0x58, 0x65, 0x26, 0x2f, 0xf2, 0xa0, 0xef, - 0x4e, 0xdc, 0xfe, 0x5a, 0x15, 0x4e, 0x65, 0xea, 0x1b, 0xd2, 0xad, 0x5e, 0x6f, 0xa8, 0xc3, 0x91, - 0xd7, 0xef, 0x5e, 0xf1, 0x06, 0x0a, 0x9e, 0x08, 0xa0, 0xea, 0x05, 0x9d, 0x6e, 0x52, 0x4c, 0xe6, - 0x18, 0x17, 0x62, 0x9e, 0x12, 0x34, 0x9c, 0x44, 0xf4, 0x2f, 0xe6, 0x6c, 0x8a, 0x0c, 0xc5, 0x48, - 0x19, 0xe3, 0x95, 0x07, 0xe4, 0x0e, 0xf8, 0x94, 0x0e, 0x8c, 0xa8, 0x16, 0x71, 0x50, 0x9f, 0x19, - 0x2c, 0xc7, 0x7d, 0xc0, 0xf6, 0x6b, 0x25, 0x18, 0x31, 0x3e, 0x1a, 0xfa, 0xa5, 0x74, 0xa1, 0x16, - 0xab, 0xb8, 0x57, 0x62, 0xf4, 0x27, 0x75, 0x29, 0x16, 0xfe, 0x4a, 0x4f, 0xf7, 0xd6, 0x68, 0xb9, - 0xbb, 0x3b, 0x71, 0x3a, 0x53, 0x85, 0x25, 0x55, 0xb7, 0xe5, 0xfc, 0xc7, 0xe1, 0x54, 0x86, 0x4c, - 0xce, 0x2b, 0xaf, 0xa6, 0xef, 0xe2, 0x3d, 0xa2, 0x5b, 0xca, 0xec, 0xb2, 0xb7, 0x68, 0x97, 0xe9, - 0x2b, 0xda, 0x07, 0x70, 0xc7, 0x65, 0x72, 0xe4, 
0x4a, 0x03, 0xe6, 0xc8, 0x3d, 0x03, 0xb5, 0x4e, - 0xe8, 0x7b, 0xae, 0xa7, 0x4a, 0x7a, 0xb1, 0xac, 0xbc, 0x65, 0xd1, 0x86, 0x15, 0x14, 0xdd, 0x81, - 0xba, 0xba, 0xb6, 0x58, 0x04, 0x21, 0x16, 0xe5, 0xea, 0x55, 0x46, 0x8b, 0xbe, 0x8e, 0x58, 0xf3, - 0x42, 0x36, 0x0c, 0xb1, 0x45, 0x50, 0x06, 0xfc, 0xb2, 0x0c, 0x4e, 0xb6, 0x3a, 0xc6, 0x58, 0x40, - 0xec, 0x6f, 0xd4, 0xe1, 0x6c, 0x5e, 0x91, 0x59, 0xf4, 0x31, 0x18, 0xe2, 0x32, 0x16, 0x53, 0xc7, - 0x3c, 0x8f, 0xc7, 0x1c, 0x23, 0x28, 0xc4, 0x62, 0xbf, 0xb1, 0xe0, 0x29, 0xb8, 0xfb, 0xce, 0x9a, - 0x18, 0x21, 0xc7, 0xc3, 0x7d, 0xc1, 0xd1, 0xdc, 0x17, 0x1c, 0xce, 0xdd, 0x77, 0xd6, 0xd0, 0x36, - 0x54, 0x5b, 0x5e, 0x42, 0x1c, 0xe1, 0x44, 0xb8, 0x75, 0x2c, 0xcc, 0x89, 0xc3, 0xad, 0x34, 0xf6, - 0x13, 0x73, 0x86, 0xe8, 0xeb, 0x16, 0x9c, 0x5a, 0x4b, 0x27, 0xc4, 0x0a, 0xe5, 0xe9, 0x1c, 0x43, - 0x21, 0xe1, 0x34, 0x23, 0x7e, 0x23, 0x45, 0xa6, 0x11, 0x67, 0xc5, 0x41, 0x9f, 0xb6, 0x60, 0x78, - 0xdd, 0xf3, 0x8d, 0x9a, 0x92, 0xc7, 0xf0, 0x71, 0x2e, 0x33, 0x06, 0x7a, 0xc7, 0xc1, 0xff, 0xc7, - 0x58, 0x72, 0xee, 0xb7, 0x52, 0x0d, 0x1d, 0x75, 0xa5, 0x1a, 0x7e, 0x40, 0x2b, 0xd5, 0x67, 0x2c, - 0xa8, 0xab, 0x9e, 0x16, 0x49, 0x8e, 0x1f, 0x3e, 0xc6, 0x4f, 0xce, 0x3d, 0x27, 0xea, 0x2f, 0xd6, - 0xcc, 0xd1, 0x97, 0x2c, 0x18, 0x71, 0xde, 0xec, 0x46, 0xa4, 0x49, 0xb6, 0xc2, 0x4e, 0x2c, 0x6e, - 0x81, 0x7a, 0xad, 0x78, 0x61, 0xa6, 0x29, 0x93, 0x59, 0xb2, 0xb5, 0xd4, 0x89, 0x45, 0x32, 0x82, - 0x6e, 0xc0, 0xa6, 0x08, 0xf6, 0x6e, 0x09, 0x26, 0xf6, 0xa1, 0x80, 0x5e, 0x82, 0xd1, 0x30, 0x6a, - 0x39, 0x81, 0xf7, 0xa6, 0x99, 0xe1, 0xae, 0xac, 0xac, 0x25, 0x03, 0x86, 0x53, 0x98, 0x66, 0x1a, - 0x66, 0x69, 0x9f, 0x34, 0xcc, 0x0b, 0x50, 0x89, 0x48, 0x27, 0xcc, 0x6e, 0x16, 0x58, 0x20, 0x30, - 0x83, 0xa0, 0x27, 0xa0, 0xec, 0x74, 0x3c, 0x11, 0x7e, 0xa2, 0xf6, 0x40, 0xd3, 0xcb, 0xf3, 0x98, - 0xb6, 0xa7, 0xb2, 0xc2, 0xab, 0xf7, 0x25, 0x2b, 0x9c, 0x2e, 0x03, 0xe2, 0xec, 0x62, 0x48, 0x2f, - 0x03, 0xe9, 0x33, 0x05, 0xfb, 0xab, 0x65, 0x78, 0xe2, 0x9e, 0xe3, 0x45, 0x47, 0xdf, 
0x58, 0xf7, - 0x88, 0xbe, 0x91, 0xdd, 0x53, 0xda, 0xaf, 0x7b, 0xca, 0x7d, 0xba, 0xe7, 0xd3, 0x74, 0x1a, 0xc8, - 0xca, 0x00, 0xc5, 0x5c, 0x48, 0xd4, 0xaf, 0xd0, 0x80, 0x98, 0x01, 0x12, 0x8a, 0x35, 0x5f, 0xba, - 0x07, 0x48, 0xa5, 0x20, 0x56, 0x8b, 0x58, 0x06, 0xfa, 0x56, 0x0a, 0xe0, 0x63, 0xbf, 0x5f, 0x5e, - 0xa3, 0xfd, 0xf3, 0x25, 0x78, 0x6a, 0x00, 0xed, 0x6d, 0x8e, 0x62, 0x6b, 0xc0, 0x51, 0xfc, 0xbd, - 0xfd, 0x99, 0xec, 0xbf, 0x64, 0xc1, 0xf9, 0xfe, 0x8b, 0x07, 0x7a, 0x1e, 0x46, 0xd6, 0x22, 0x27, - 0x70, 0x37, 0xd8, 0x25, 0x6b, 0xb2, 0x53, 0x58, 0x5f, 0xeb, 0x66, 0x6c, 0xe2, 0xd0, 0xed, 0x2d, - 0x2f, 0xec, 0x6e, 0x60, 0xc8, 0x94, 0x31, 0xba, 0xbd, 0x5d, 0xcd, 0x02, 0x71, 0x2f, 0xbe, 0xfd, - 0x27, 0xa5, 0x7c, 0xb1, 0xb8, 0x91, 0x71, 0x90, 0xef, 0x24, 0xbe, 0x42, 0x69, 0x00, 0x5d, 0x52, - 0xbe, 0xdf, 0xba, 0xa4, 0xd2, 0x4f, 0x97, 0xa0, 0x59, 0x38, 0x6d, 0xdc, 0x47, 0xc0, 0xd3, 0x00, - 0x79, 0x98, 0x9d, 0xca, 0x8d, 0x5f, 0xce, 0xc0, 0x71, 0xcf, 0x13, 0xe8, 0x59, 0xa8, 0x79, 0x41, - 0x4c, 0xdc, 0x6e, 0xc4, 0xc3, 0x3b, 0x8d, 0xd4, 0x8b, 0x79, 0xd1, 0x8e, 0x15, 0x86, 0xfd, 0xcb, - 0x25, 0x78, 0xac, 0xaf, 0x9d, 0x75, 0x9f, 0x74, 0x97, 0xf9, 0x39, 0x2a, 0xf7, 0xe7, 0x73, 0x98, - 0x9d, 0x54, 0xdd, 0xb7, 0x93, 0x7e, 0xaf, 0xff, 0xc0, 0xa4, 0x36, 0xf7, 0xf7, 0x6d, 0x2f, 0xbd, - 0x0c, 0x27, 0x9c, 0x4e, 0x87, 0xe3, 0xb1, 0x28, 0xad, 0x4c, 0x6d, 0x8c, 0x69, 0x13, 0x88, 0xd3, - 0xb8, 0x03, 0xad, 0x9e, 0x7f, 0x68, 0x41, 0x1d, 0x93, 0x75, 0xae, 0x1d, 0xd0, 0x6d, 0xd1, 0x45, - 0x56, 0x11, 0x55, 0xf4, 0x68, 0xc7, 0xc6, 0x1e, 0xab, 0x2e, 0x97, 0xd7, 0xd9, 0xbd, 0xf7, 0x56, - 0x94, 0x0e, 0x74, 0x6f, 0x85, 0xba, 0xb9, 0xa0, 0xdc, 0xff, 0xe6, 0x02, 0xfb, 0xad, 0x61, 0xfa, - 0x7a, 0x9d, 0x70, 0x26, 0x22, 0xcd, 0x98, 0x7e, 0xdf, 0x6e, 0xe4, 0x8b, 0x41, 0xa2, 0xbe, 0xef, - 0x0d, 0xbc, 0x80, 0x69, 0x7b, 0xea, 0x28, 0xa6, 0x74, 0xa0, 0xca, 0x00, 0xe5, 0x7d, 0x2b, 0x03, - 0xbc, 0x0c, 0x27, 0xe2, 0x78, 0x63, 0x39, 0xf2, 0xb6, 0x9c, 0x84, 0x5c, 0x23, 0x3b, 0xc2, 0xca, - 0xd2, 0xd9, 0xbc, 0x2b, 
0x57, 0x34, 0x10, 0xa7, 0x71, 0xd1, 0x1c, 0x8c, 0xe9, 0xfc, 0x7c, 0x12, - 0x25, 0x2c, 0xa6, 0x97, 0x8f, 0x04, 0x95, 0xba, 0xa7, 0x33, 0xfa, 0x05, 0x02, 0xee, 0x7d, 0x86, - 0xea, 0xb7, 0x54, 0x23, 0x15, 0x64, 0x28, 0xad, 0xdf, 0x52, 0x74, 0xa8, 0x2c, 0x3d, 0x4f, 0xa0, - 0x45, 0x38, 0xc3, 0x07, 0xc6, 0x74, 0xa7, 0x63, 0xbc, 0xd1, 0x70, 0xba, 0x7a, 0xd9, 0x5c, 0x2f, - 0x0a, 0xce, 0x7b, 0x0e, 0xbd, 0x08, 0x23, 0xaa, 0x79, 0x7e, 0x56, 0x9c, 0x22, 0x28, 0x2f, 0x86, - 0x22, 0x33, 0xdf, 0xc4, 0x26, 0x1e, 0xfa, 0x10, 0x3c, 0xaa, 0xff, 0xf2, 0xc4, 0x0f, 0x7e, 0xb4, - 0x36, 0x2b, 0x4a, 0x9f, 0xa8, 0x3a, 0xf9, 0x73, 0xb9, 0x68, 0x4d, 0xdc, 0xef, 0x79, 0xb4, 0x06, - 0xe7, 0x15, 0xe8, 0x52, 0x90, 0xb0, 0x28, 0xee, 0x98, 0x34, 0x9c, 0x98, 0xdc, 0x88, 0x7c, 0x56, - 0x2c, 0xa5, 0xae, 0xaf, 0x30, 0x9b, 0xf3, 0x92, 0x2b, 0x79, 0x98, 0x78, 0x01, 0xdf, 0x83, 0x0a, - 0x9a, 0x82, 0x3a, 0x09, 0x9c, 0x35, 0x9f, 0x2c, 0xcd, 0xcc, 0xb3, 0x12, 0x2a, 0xc6, 0x49, 0xde, - 0x25, 0x09, 0xc0, 0x1a, 0x47, 0xc5, 0x95, 0x8d, 0xf6, 0xbd, 0x4e, 0x6f, 0x19, 0xce, 0xb6, 0xdc, - 0x0e, 0xb5, 0x3d, 0x3c, 0x97, 0x4c, 0xbb, 0x2c, 0xb6, 0x8a, 0x7e, 0x18, 0x5e, 0x56, 0x4e, 0x05, - 0x4d, 0xce, 0xcd, 0x2c, 0xf7, 0xe0, 0xe0, 0xdc, 0x27, 0xe9, 0x1c, 0xeb, 0x44, 0xe1, 0xf6, 0xce, - 0xf8, 0x99, 0xf4, 0x1c, 0x5b, 0xa6, 0x8d, 0x98, 0xc3, 0xd0, 0x55, 0x40, 0x2c, 0x02, 0xf7, 0x4a, - 0x92, 0x74, 0x94, 0xb1, 0x33, 0x7e, 0x96, 0xbd, 0xd2, 0x79, 0xf1, 0x04, 0xba, 0xdc, 0x83, 0x81, - 0x73, 0x9e, 0xb2, 0xff, 0xc0, 0x82, 0x13, 0x6a, 0xbe, 0xde, 0x87, 0x18, 0x74, 0x3f, 0x1d, 0x83, - 0x3e, 0x77, 0x74, 0x8d, 0xc7, 0x24, 0xef, 0x13, 0xc8, 0xf8, 0x33, 0x23, 0x00, 0x5a, 0x2b, 0xaa, - 0x05, 0xc9, 0xea, 0xbb, 0x20, 0x3d, 0xb4, 0x1a, 0x29, 0xaf, 0x5e, 0x42, 0xf5, 0xc1, 0xd6, 0x4b, - 0x58, 0x81, 0x73, 0xd2, 0x5c, 0xe0, 0x67, 0x45, 0x57, 0xc2, 0x58, 0x29, 0xb8, 0x5a, 0xe3, 0x09, - 0x41, 0xe8, 0xdc, 0x7c, 0x1e, 0x12, 0xce, 0x7f, 0x36, 0x65, 0xa5, 0x0c, 0xef, 0x67, 0xa5, 0xe8, - 0x39, 0xbd, 0xb0, 0x2e, 0x0b, 0xe2, 0x67, 0xe6, 0xf4, 0xc2, 
0xe5, 0x15, 0xac, 0x71, 0xf2, 0x15, - 0x7b, 0xbd, 0x20, 0xc5, 0x0e, 0x07, 0x56, 0xec, 0x52, 0xc5, 0x8c, 0xf4, 0x55, 0x31, 0xd2, 0x27, - 0x3d, 0xda, 0xd7, 0x27, 0xfd, 0x7e, 0x38, 0xe9, 0x05, 0x1b, 0x24, 0xf2, 0x12, 0xd2, 0x64, 0x73, - 0x81, 0xa9, 0x9f, 0x9a, 0x5e, 0xd6, 0xe7, 0x53, 0x50, 0x9c, 0xc1, 0x4e, 0xeb, 0xc5, 0x93, 0x03, - 0xe8, 0xc5, 0x3e, 0xab, 0xd1, 0xa9, 0x62, 0x56, 0xa3, 0xd3, 0x47, 0x5f, 0x8d, 0xc6, 0x8e, 0x75, - 0x35, 0x42, 0x85, 0xac, 0x46, 0x03, 0x29, 0x7a, 0x63, 0xfb, 0x77, 0x76, 0x9f, 0xed, 0x5f, 0xbf, - 0xa5, 0xe8, 0xdc, 0xa1, 0x97, 0xa2, 0xfc, 0x55, 0xe6, 0x91, 0x43, 0xad, 0x32, 0x9f, 0x29, 0xc1, - 0x39, 0xad, 0x87, 0xe9, 0xe8, 0xf7, 0xd6, 0xa9, 0x26, 0x62, 0x77, 0xaa, 0xf0, 0x73, 0x1b, 0x23, - 0x25, 0x42, 0x67, 0x57, 0x28, 0x08, 0x36, 0xb0, 0x58, 0x66, 0x01, 0x89, 0x58, 0xf1, 0xcc, 0xac, - 0x92, 0x9e, 0x11, 0xed, 0x58, 0x61, 0xd0, 0xf1, 0x45, 0x7f, 0x8b, 0x6c, 0xad, 0x6c, 0x89, 0xa8, - 0x19, 0x0d, 0xc2, 0x26, 0x1e, 0x7a, 0x86, 0x33, 0x61, 0x0a, 0x82, 0x2a, 0xea, 0x51, 0x71, 0xc9, - 0xa2, 0xd4, 0x09, 0x0a, 0x2a, 0xc5, 0x61, 0x29, 0x24, 0xd5, 0x5e, 0x71, 0x58, 0x08, 0x94, 0xc2, - 0xb0, 0xff, 0xbb, 0x05, 0x8f, 0xe5, 0x76, 0xc5, 0x7d, 0x58, 0x7c, 0xb7, 0xd3, 0x8b, 0xef, 0x4a, - 0x51, 0xdb, 0x0d, 0xe3, 0x2d, 0xfa, 0x2c, 0xc4, 0xff, 0xd6, 0x82, 0x93, 0x1a, 0xff, 0x3e, 0xbc, - 0xaa, 0x97, 0x7e, 0xd5, 0xe2, 0x76, 0x56, 0xf5, 0x9e, 0x77, 0xfb, 0x03, 0xf6, 0x6e, 0x3c, 0xb8, - 0x62, 0xda, 0x95, 0x45, 0x31, 0xf7, 0x39, 0x49, 0xdc, 0x81, 0x21, 0x76, 0x10, 0x1a, 0x17, 0x13, - 0xe4, 0x91, 0xe6, 0xcf, 0x0e, 0x55, 0xf5, 0x21, 0x33, 0xfb, 0x1b, 0x63, 0xc1, 0x90, 0x95, 0x76, - 0xf5, 0x62, 0xaa, 0xcd, 0x9b, 0x22, 0x19, 0x43, 0x97, 0x76, 0x15, 0xed, 0x58, 0x61, 0xd8, 0x6d, - 0x18, 0x4f, 0x13, 0x9f, 0x25, 0xeb, 0x2c, 0x70, 0x70, 0xa0, 0xd7, 0x9c, 0x82, 0xba, 0xc3, 0x9e, - 0x5a, 0xe8, 0x3a, 0xd9, 0x7b, 0x79, 0xa7, 0x25, 0x00, 0x6b, 0x1c, 0xfb, 0x57, 0x2d, 0x38, 0x93, - 0xf3, 0x32, 0x05, 0x26, 0xa1, 0x24, 0x5a, 0x0b, 0xe4, 0x2d, 0xb8, 0xef, 0x86, 0xe1, 0x26, 0x59, - 
0x77, 0x64, 0x68, 0x9a, 0xa1, 0x73, 0x67, 0x79, 0x33, 0x96, 0x70, 0xfb, 0xbf, 0x5a, 0x70, 0x2a, - 0x2d, 0x6b, 0x4c, 0xb5, 0x26, 0x7f, 0x99, 0x59, 0x2f, 0x76, 0xc3, 0x2d, 0x12, 0xed, 0xd0, 0x37, - 0xe7, 0x52, 0x2b, 0xad, 0x39, 0xdd, 0x83, 0x81, 0x73, 0x9e, 0x62, 0xc5, 0x14, 0x9b, 0xaa, 0xb7, - 0xe5, 0x48, 0xb9, 0x59, 0xe4, 0x48, 0xd1, 0x1f, 0xd3, 0x3c, 0xc6, 0x56, 0x2c, 0xb1, 0xc9, 0xdf, - 0xfe, 0x4e, 0x05, 0x54, 0x96, 0x1a, 0x8b, 0x0b, 0x2a, 0x28, 0xaa, 0x2a, 0x75, 0x17, 0x51, 0x79, - 0x80, 0xbb, 0x88, 0xe4, 0x60, 0xa8, 0xdc, 0xeb, 0xa0, 0x9e, 0x7b, 0x2f, 0x4c, 0x97, 0xa2, 0x7a, - 0xc3, 0x55, 0x0d, 0xc2, 0x26, 0x1e, 0x95, 0xc4, 0xf7, 0xb6, 0x08, 0x7f, 0x68, 0x28, 0x2d, 0xc9, - 0x82, 0x04, 0x60, 0x8d, 0x43, 0x25, 0x69, 0x7a, 0xeb, 0xeb, 0x62, 0x2b, 0xae, 0x24, 0xa1, 0xbd, - 0x83, 0x19, 0x84, 0xd7, 0xc7, 0x0d, 0x37, 0x85, 0x75, 0x6a, 0xd4, 0xc7, 0x0d, 0x37, 0x31, 0x83, - 0x50, 0x7b, 0x2a, 0x08, 0xa3, 0x36, 0xbb, 0x37, 0xb9, 0xa9, 0xb8, 0x08, 0xab, 0x54, 0xd9, 0x53, - 0xd7, 0x7b, 0x51, 0x70, 0xde, 0x73, 0x74, 0x04, 0x76, 0x22, 0xd2, 0xf4, 0xdc, 0xc4, 0xa4, 0x06, - 0xe9, 0x11, 0xb8, 0xdc, 0x83, 0x81, 0x73, 0x9e, 0x42, 0xd3, 0x70, 0x4a, 0x66, 0x19, 0xca, 0x1a, - 0x12, 0x23, 0xe9, 0x9c, 0x75, 0x9c, 0x06, 0xe3, 0x2c, 0x3e, 0xd5, 0x36, 0x6d, 0x51, 0x3e, 0x86, - 0x19, 0xb1, 0x86, 0xb6, 0x91, 0x65, 0x65, 0xb0, 0xc2, 0xb0, 0x3f, 0x55, 0xa6, 0xab, 0x63, 0x9f, - 0xb2, 0x49, 0xf7, 0x2d, 0x8a, 0x2f, 0x3d, 0x22, 0x2b, 0x03, 0x8c, 0xc8, 0x17, 0x60, 0xf4, 0x76, - 0x1c, 0x06, 0x2a, 0x42, 0xae, 0xda, 0x37, 0x42, 0xce, 0xc0, 0xca, 0x8f, 0x90, 0x1b, 0x2a, 0x2a, - 0x42, 0x6e, 0xf8, 0x90, 0x11, 0x72, 0xdf, 0xaa, 0x82, 0x2a, 0xd4, 0x7f, 0x9d, 0x24, 0x77, 0xc2, - 0x68, 0xd3, 0x0b, 0x5a, 0x2c, 0x3b, 0xf3, 0xeb, 0x16, 0x8c, 0xf2, 0xf9, 0xb2, 0x60, 0x66, 0x38, - 0xad, 0x17, 0x54, 0x01, 0x3e, 0xc5, 0x6c, 0x72, 0xd5, 0x60, 0x94, 0xb9, 0x5f, 0xce, 0x04, 0xe1, - 0x94, 0x44, 0xe8, 0xe3, 0x00, 0xd2, 0x6f, 0xb9, 0x2e, 0x55, 0xe6, 0x7c, 0x31, 0xf2, 0x61, 0xb2, - 0xae, 0x6d, 0xd3, 0x55, 0xc5, 0x04, 
0x1b, 0x0c, 0xd1, 0x67, 0xb2, 0xf7, 0xca, 0x7f, 0xf4, 0x58, - 0xfa, 0x66, 0x90, 0xdc, 0x2f, 0x0c, 0xc3, 0x5e, 0xd0, 0xa2, 0xe3, 0x44, 0x44, 0x12, 0xbd, 0x2b, - 0x2f, 0xb3, 0x79, 0x21, 0x74, 0x9a, 0x0d, 0xc7, 0x77, 0x02, 0x97, 0x44, 0xf3, 0x1c, 0xdd, 0xbc, - 0x55, 0x95, 0x35, 0x60, 0x49, 0xa8, 0xe7, 0x8a, 0x83, 0xea, 0x20, 0x57, 0x1c, 0x9c, 0xff, 0x00, - 0x8c, 0xf5, 0x7c, 0xcc, 0x03, 0xa5, 0x7a, 0x1d, 0x3e, 0x4b, 0xcc, 0xfe, 0xa7, 0x43, 0x7a, 0xd1, - 0xba, 0x1e, 0x36, 0x79, 0xa1, 0xfd, 0x48, 0x7f, 0x51, 0x61, 0x7b, 0x16, 0x38, 0x44, 0x8c, 0x9b, - 0x59, 0x55, 0x23, 0x36, 0x59, 0xd2, 0x31, 0xda, 0x71, 0x22, 0x12, 0x1c, 0xf7, 0x18, 0x5d, 0x56, - 0x4c, 0xb0, 0xc1, 0x10, 0x6d, 0xa4, 0x72, 0x3d, 0x2e, 0x1f, 0x3d, 0xd7, 0x83, 0xd5, 0x7c, 0xc9, - 0xab, 0x8d, 0xfd, 0x25, 0x0b, 0x4e, 0x06, 0xa9, 0x91, 0x5b, 0x4c, 0x78, 0x67, 0xfe, 0xac, 0xe0, - 0xf7, 0xbc, 0xa4, 0xdb, 0x70, 0x86, 0x7f, 0xde, 0x92, 0x56, 0x3d, 0xe0, 0x92, 0xa6, 0x6f, 0xec, - 0x18, 0xea, 0x77, 0x63, 0x07, 0x0a, 0xd4, 0x95, 0x45, 0xc3, 0x85, 0x5f, 0x59, 0x04, 0x39, 0xd7, - 0x15, 0xdd, 0x82, 0xba, 0x1b, 0x11, 0x27, 0x39, 0xe4, 0xed, 0x35, 0xec, 0xe0, 0x7c, 0x46, 0x12, - 0xc0, 0x9a, 0x96, 0xfd, 0xbf, 0x2b, 0x70, 0x5a, 0xf6, 0x88, 0x0c, 0x0d, 0xa7, 0xeb, 0x23, 0xe7, - 0xab, 0x8d, 0x5b, 0xb5, 0x3e, 0x5e, 0x91, 0x00, 0xac, 0x71, 0xa8, 0x3d, 0xd6, 0x8d, 0xc9, 0x52, - 0x87, 0x04, 0x0b, 0xde, 0x5a, 0x2c, 0xce, 0x1f, 0xd5, 0x44, 0xb9, 0xa1, 0x41, 0xd8, 0xc4, 0xa3, - 0xc6, 0x38, 0xb7, 0x8b, 0xe3, 0x6c, 0x5a, 0x89, 0xb0, 0xb7, 0xb1, 0x84, 0xa3, 0x5f, 0xc8, 0xad, - 0xe3, 0x58, 0x4c, 0x42, 0x55, 0x4f, 0x44, 0xfc, 0x01, 0x2f, 0x3c, 0xfb, 0x1b, 0x16, 0x9c, 0xe3, - 0xad, 0xb2, 0x27, 0x6f, 0x74, 0x9a, 0x4e, 0x42, 0xe2, 0x62, 0xea, 0x2a, 0xe7, 0xc8, 0xa7, 0x9d, - 0xaf, 0x79, 0x6c, 0x71, 0xbe, 0x34, 0xe8, 0x8b, 0x16, 0x9c, 0xda, 0x4c, 0x65, 0xe0, 0xcb, 0xa5, - 0xe3, 0x88, 0xb5, 0x62, 0xd2, 0x69, 0xfd, 0x7a, 0xaa, 0xa5, 0xdb, 0x63, 0x9c, 0xe5, 0x6e, 0xff, - 0x89, 0x05, 0xa6, 0x1a, 0x1d, 0xcc, 0x02, 0x34, 0xae, 0x98, 0x2d, 0xed, 
0x73, 0xc5, 0xac, 0x34, - 0x16, 0xcb, 0x83, 0x6d, 0x4e, 0x2a, 0x07, 0xd8, 0x9c, 0x54, 0xfb, 0x5a, 0x97, 0x4f, 0x40, 0xb9, - 0xeb, 0x35, 0xc5, 0xfe, 0x42, 0x9f, 0x8a, 0xce, 0xcf, 0x62, 0xda, 0x6e, 0xff, 0xa3, 0xaa, 0xf6, - 0x27, 0x88, 0x7c, 0xa5, 0xef, 0x8b, 0xd7, 0x5e, 0x57, 0xa5, 0x7f, 0xf8, 0x9b, 0x5f, 0xef, 0x29, - 0xfd, 0xf3, 0x23, 0x07, 0x4f, 0x47, 0xe3, 0x1d, 0xd4, 0xaf, 0xf2, 0xcf, 0xf0, 0x3e, 0xb9, 0x68, - 0xb7, 0xa1, 0x46, 0xb7, 0x60, 0xcc, 0x31, 0x58, 0x4b, 0x09, 0x55, 0xbb, 0x22, 0xda, 0xef, 0xee, - 0x4e, 0xfc, 0xf0, 0xc1, 0xc5, 0x92, 0x4f, 0x63, 0x45, 0x1f, 0xc5, 0x50, 0xa7, 0xbf, 0x59, 0xda, - 0x9c, 0xd8, 0xdc, 0xdd, 0x50, 0x3a, 0x53, 0x02, 0x0a, 0xc9, 0xc9, 0xd3, 0x7c, 0x50, 0x00, 0x75, - 0x76, 0x37, 0x24, 0x63, 0xca, 0xf7, 0x80, 0xcb, 0x2a, 0x79, 0x4d, 0x02, 0xee, 0xee, 0x4e, 0xbc, - 0x7c, 0x70, 0xa6, 0xea, 0x71, 0xac, 0x59, 0xd8, 0x5f, 0xae, 0xe8, 0xb1, 0x2b, 0x2a, 0x3e, 0x7d, - 0x5f, 0x8c, 0xdd, 0x97, 0x32, 0x63, 0xf7, 0x42, 0xcf, 0xd8, 0x3d, 0xa9, 0xef, 0x30, 0x4c, 0x8d, - 0xc6, 0xfb, 0x6d, 0x08, 0xec, 0xef, 0x6f, 0x60, 0x16, 0xd0, 0x1b, 0x5d, 0x2f, 0x22, 0xf1, 0x72, - 0xd4, 0x0d, 0xbc, 0xa0, 0x25, 0xee, 0xa6, 0x37, 0x2c, 0xa0, 0x14, 0x18, 0x67, 0xf1, 0xd9, 0xbd, - 0xf6, 0x3b, 0x81, 0x7b, 0xcb, 0xd9, 0xe2, 0xa3, 0xca, 0x28, 0x82, 0xb3, 0x22, 0xda, 0xb1, 0xc2, - 0xb0, 0xdf, 0x62, 0x67, 0xcc, 0x46, 0xbe, 0x2e, 0x1d, 0x13, 0x3e, 0xbb, 0x8c, 0x93, 0x57, 0xd0, - 0x51, 0x63, 0x82, 0xdf, 0xc0, 0xc9, 0x61, 0xe8, 0x0e, 0x0c, 0xaf, 0xf1, 0xdb, 0xa8, 0x8a, 0xa9, - 0x16, 0x2c, 0xae, 0xb6, 0x62, 0x77, 0x0e, 0xc8, 0x7b, 0xae, 0xee, 0xea, 0x9f, 0x58, 0x72, 0xb3, - 0xbf, 0x59, 0x81, 0x53, 0x99, 0xeb, 0x1a, 0x53, 0xb5, 0x0b, 0x4b, 0xfb, 0xd6, 0x2e, 0xfc, 0x08, - 0x40, 0x93, 0x74, 0xfc, 0x70, 0x87, 0x99, 0x63, 0x95, 0x03, 0x9b, 0x63, 0xca, 0x82, 0x9f, 0x55, - 0x54, 0xb0, 0x41, 0x51, 0x94, 0x0d, 0xe2, 0xa5, 0x10, 0x33, 0x65, 0x83, 0x8c, 0x9a, 0xe2, 0x43, - 0xf7, 0xb7, 0xa6, 0xb8, 0x07, 0xa7, 0xb8, 0x88, 0x2a, 0x2b, 0xf6, 0x10, 0xc9, 0xaf, 0x2c, 0xaf, - 0x60, 0x36, 
0x4d, 0x06, 0x67, 0xe9, 0x3e, 0xc8, 0xdb, 0x58, 0xd1, 0x7b, 0xa0, 0x2e, 0xbf, 0x73, - 0x3c, 0x5e, 0xd7, 0x95, 0x05, 0xe4, 0x30, 0x60, 0xb7, 0xa4, 0x8a, 0x9f, 0xf6, 0x17, 0x4a, 0xd4, - 0x7a, 0xe6, 0xff, 0x54, 0x85, 0x98, 0xa7, 0x61, 0xc8, 0xe9, 0x26, 0x1b, 0x61, 0xcf, 0x8d, 0x56, - 0xd3, 0xac, 0x15, 0x0b, 0x28, 0x5a, 0x80, 0x4a, 0x53, 0x57, 0xfd, 0x38, 0x48, 0x2f, 0x6a, 0x47, - 0xa4, 0x93, 0x10, 0xcc, 0xa8, 0xa0, 0xc7, 0xa1, 0x92, 0x38, 0x2d, 0x99, 0x80, 0xc4, 0x92, 0x4e, - 0x57, 0x9d, 0x56, 0x8c, 0x59, 0xab, 0xb9, 0x68, 0x56, 0xf6, 0x59, 0x34, 0x5f, 0x86, 0x13, 0xb1, - 0xd7, 0x0a, 0x9c, 0xa4, 0x1b, 0x11, 0xe3, 0xd0, 0x4b, 0xc7, 0x31, 0x98, 0x40, 0x9c, 0xc6, 0xb5, - 0x7f, 0x73, 0x14, 0xce, 0xae, 0xcc, 0x2c, 0xca, 0x0a, 0xb6, 0xc7, 0x96, 0x43, 0x94, 0xc7, 0xe3, - 0xfe, 0xe5, 0x10, 0xf5, 0xe1, 0xee, 0x1b, 0x39, 0x44, 0xbe, 0x91, 0x43, 0x94, 0x4e, 0xe8, 0x28, - 0x17, 0x91, 0xd0, 0x91, 0x27, 0xc1, 0x20, 0x09, 0x1d, 0xc7, 0x96, 0x54, 0x74, 0x4f, 0x81, 0x0e, - 0x94, 0x54, 0xa4, 0x32, 0xae, 0x0a, 0x09, 0xb5, 0xef, 0xf3, 0xa9, 0x72, 0x33, 0xae, 0x54, 0xb6, - 0x0b, 0x4f, 0x23, 0x11, 0x0a, 0xf6, 0xb5, 0xe2, 0x05, 0x18, 0x20, 0xdb, 0x45, 0x64, 0xb2, 0x98, - 0x19, 0x56, 0xc3, 0x45, 0x64, 0x58, 0xe5, 0x89, 0xb3, 0x6f, 0x86, 0xd5, 0xcb, 0x70, 0xc2, 0xf5, - 0xc3, 0x80, 0x2c, 0x47, 0x61, 0x12, 0xba, 0xa1, 0x2f, 0x8c, 0x69, 0xa5, 0x12, 0x66, 0x4c, 0x20, - 0x4e, 0xe3, 0xf6, 0x4b, 0xcf, 0xaa, 0x1f, 0x35, 0x3d, 0x0b, 0x1e, 0x50, 0x7a, 0xd6, 0xcf, 0xea, - 0x44, 0xe2, 0x11, 0xf6, 0x45, 0x3e, 0x52, 0xfc, 0x17, 0x19, 0x24, 0x9b, 0x18, 0x7d, 0x95, 0x5f, - 0x29, 0x45, 0xcd, 0xd1, 0x99, 0xb0, 0x4d, 0xcd, 0xad, 0x51, 0xd6, 0x25, 0xaf, 0x1f, 0xc3, 0x80, - 0xbd, 0xb5, 0xa2, 0xd9, 0xa8, 0x6b, 0xa6, 0x74, 0x13, 0x4e, 0x0b, 0x72, 0x94, 0x44, 0xe7, 0xaf, - 0x95, 0xe0, 0x07, 0xf6, 0x15, 0x01, 0xdd, 0x01, 0x48, 0x9c, 0x96, 0x18, 0xa8, 0xe2, 0x98, 0xe2, - 0x88, 0xc1, 0x86, 0xab, 0x92, 0x1e, 0xaf, 0xd0, 0xa1, 0xfe, 0xb2, 0x03, 0x00, 0xf9, 0x9b, 0xc5, - 0x18, 0x86, 0x7e, 0x4f, 0x35, 0x42, 0x1c, 0xfa, 
0x04, 0x33, 0x08, 0x5d, 0xfe, 0x23, 0xd2, 0xd2, - 0x77, 0xa0, 0xaa, 0xcf, 0x87, 0x59, 0x2b, 0x16, 0x50, 0xf4, 0x22, 0x8c, 0x38, 0xbe, 0xcf, 0xb3, - 0x45, 0xd8, 0x95, 0x24, 0x29, 0x9f, 0xd9, 0xb4, 0x06, 0x61, 0x13, 0xcf, 0xfe, 0xe3, 0x12, 0x4c, - 0xec, 0xa3, 0x53, 0x7a, 0xf2, 0xdf, 0xaa, 0x03, 0xe7, 0xbf, 0x89, 0x88, 0xfd, 0xa1, 0x3e, 0x11, - 0xfb, 0x2f, 0xc2, 0x48, 0x42, 0x9c, 0xb6, 0x08, 0x4f, 0x12, 0xfb, 0x6f, 0x7d, 0xee, 0xaa, 0x41, - 0xd8, 0xc4, 0xa3, 0x5a, 0xec, 0xa4, 0xe3, 0xba, 0x24, 0x8e, 0x65, 0x48, 0xbe, 0xf0, 0x61, 0x16, - 0x16, 0xef, 0xcf, 0x5c, 0xc3, 0xd3, 0x29, 0x16, 0x38, 0xc3, 0x32, 0xdb, 0xe1, 0xf5, 0x01, 0x3b, - 0xfc, 0x1b, 0x25, 0x78, 0xe2, 0x9e, 0xab, 0xdb, 0xc0, 0xd9, 0x12, 0xdd, 0x98, 0x44, 0xd9, 0x81, - 0x73, 0x23, 0x26, 0x11, 0x66, 0x10, 0xde, 0x4b, 0x9d, 0x8e, 0x71, 0xc7, 0x6c, 0xd1, 0xa9, 0x3c, - 0xbc, 0x97, 0x52, 0x2c, 0x70, 0x86, 0xe5, 0x61, 0x87, 0xe5, 0xdf, 0x29, 0xc1, 0x53, 0x03, 0xd8, - 0x00, 0x05, 0xa6, 0x3c, 0xa5, 0x13, 0xcf, 0xca, 0x0f, 0x28, 0x3f, 0xf0, 0x90, 0xdd, 0xf5, 0x56, - 0x09, 0xce, 0xf7, 0x5f, 0x8a, 0xd1, 0x8f, 0xd2, 0x3d, 0xbc, 0x8c, 0x49, 0x32, 0x73, 0xd6, 0xce, - 0xf0, 0xfd, 0x7b, 0x0a, 0x84, 0xb3, 0xb8, 0x68, 0x12, 0xa0, 0xe3, 0x24, 0x1b, 0xf1, 0xa5, 0x6d, - 0x2f, 0x4e, 0x44, 0x4d, 0x96, 0x93, 0xfc, 0xc4, 0x48, 0xb6, 0x62, 0x03, 0x83, 0xb2, 0x63, 0xff, - 0x66, 0xc3, 0xeb, 0x61, 0xc2, 0x1f, 0xe2, 0xdb, 0x88, 0x33, 0xb2, 0x6e, 0xbd, 0x01, 0xc2, 0x59, - 0x5c, 0xca, 0x8e, 0x9d, 0x49, 0x72, 0x41, 0xf9, 0xfe, 0x82, 0xb1, 0x5b, 0x50, 0xad, 0xd8, 0xc0, - 0xc8, 0x66, 0xe3, 0x55, 0xf7, 0xcf, 0xc6, 0xb3, 0xff, 0x61, 0x09, 0x1e, 0xeb, 0x6b, 0xca, 0x0d, - 0x36, 0x01, 0x1f, 0xbe, 0x0c, 0xba, 0xc3, 0x8d, 0x9d, 0x03, 0x66, 0x7a, 0xfd, 0x61, 0x9f, 0x91, - 0x26, 0x32, 0xbd, 0x0e, 0x9f, 0x2a, 0xfd, 0xf0, 0xf5, 0x67, 0x4f, 0x72, 0x57, 0xe5, 0x00, 0xc9, - 0x5d, 0x99, 0x8f, 0x51, 0x1d, 0x70, 0x22, 0xff, 0xdf, 0xfe, 0xdd, 0x4b, 0xb7, 0x7e, 0x03, 0x79, - 0x47, 0x67, 0xe1, 0xb4, 0x17, 0xb0, 0x3b, 0x4c, 0x56, 0xba, 0x6b, 0xa2, 0x4c, 0x47, 
0x29, 0x7d, - 0x83, 0xf0, 0x7c, 0x06, 0x8e, 0x7b, 0x9e, 0x78, 0x08, 0x93, 0xed, 0x0e, 0xd7, 0xa5, 0x07, 0x4c, - 0xf7, 0xfc, 0x08, 0xd4, 0x95, 0x24, 0x3c, 0xdc, 0x58, 0x7d, 0xfe, 0x9e, 0x70, 0x63, 0xf5, 0xed, - 0x0d, 0x2c, 0xda, 0x6f, 0xd4, 0x38, 0xcd, 0x8c, 0xe3, 0x6b, 0x64, 0x87, 0x59, 0xaa, 0xf6, 0x7b, - 0x61, 0x54, 0x79, 0x3c, 0x06, 0xbd, 0xd6, 0xc2, 0xfe, 0xf2, 0x10, 0x9c, 0x48, 0x15, 0xad, 0x4b, - 0x39, 0x18, 0xad, 0x7d, 0x1d, 0x8c, 0x2c, 0x7c, 0xbc, 0x1b, 0xc8, 0x3b, 0x6f, 0x8c, 0xf0, 0xf1, - 0x6e, 0x40, 0x30, 0x87, 0x51, 0x43, 0xb3, 0x19, 0xed, 0xe0, 0x6e, 0x20, 0xc2, 0x3c, 0x95, 0xa1, - 0x39, 0xcb, 0x5a, 0xb1, 0x80, 0xa2, 0x4f, 0x5a, 0x30, 0x1a, 0x33, 0xef, 0x35, 0x77, 0xcf, 0x8a, - 0xcf, 0x7f, 0xf5, 0xe8, 0x35, 0xf9, 0x54, 0x81, 0x46, 0x16, 0x21, 0x62, 0xb6, 0xe0, 0x14, 0x47, - 0xf4, 0xd3, 0x16, 0xd4, 0x55, 0x69, 0x7e, 0x71, 0x31, 0xd5, 0x4a, 0xb1, 0x35, 0x01, 0xb9, 0x5f, - 0x4f, 0x1d, 0x04, 0xe8, 0xbb, 0xb6, 0x35, 0x63, 0x14, 0x2b, 0xdf, 0xe9, 0xf0, 0xf1, 0xf8, 0x4e, - 0x21, 0xc7, 0x6f, 0xfa, 0x1e, 0xa8, 0xb7, 0x9d, 0xc0, 0x5b, 0x27, 0x71, 0xc2, 0xdd, 0x99, 0xb2, - 0x54, 0xa9, 0x6c, 0xc4, 0x1a, 0x4e, 0x97, 0xc6, 0x98, 0xbd, 0x58, 0x62, 0xf8, 0x1f, 0xd9, 0xd2, - 0xb8, 0xa2, 0x9b, 0xb1, 0x89, 0x63, 0x3a, 0x4b, 0xe1, 0x81, 0x3a, 0x4b, 0x47, 0xf6, 0x71, 0x96, - 0xfe, 0x3d, 0x0b, 0xce, 0xe5, 0x7e, 0xb5, 0x87, 0x37, 0xf0, 0xcf, 0xfe, 0x4a, 0x15, 0xce, 0xe4, - 0x54, 0x9f, 0x44, 0x3b, 0xe6, 0x78, 0xb6, 0x8a, 0x38, 0x43, 0x4f, 0x1f, 0x09, 0xcb, 0x6e, 0xcc, - 0x19, 0xc4, 0x07, 0x3b, 0xaa, 0xd0, 0xc7, 0x05, 0xe5, 0xfb, 0x7b, 0x5c, 0x60, 0x0c, 0xcb, 0xca, - 0x03, 0x1d, 0x96, 0xd5, 0x7b, 0x0f, 0x4b, 0xf4, 0x6b, 0x16, 0x8c, 0xb7, 0xfb, 0x94, 0x3c, 0x17, - 0x2e, 0xc0, 0x9b, 0xc7, 0x53, 0x50, 0xbd, 0xf1, 0xf8, 0xde, 0xee, 0x44, 0xdf, 0x4a, 0xf3, 0xb8, - 0xaf, 0x54, 0xf6, 0x77, 0xca, 0xc0, 0x4a, 0x9f, 0xb2, 0x0a, 0x63, 0x3b, 0xe8, 0x13, 0x66, 0x11, - 0x5b, 0xab, 0xa8, 0x82, 0xab, 0x9c, 0xb8, 0x2a, 0x82, 0xcb, 0x7b, 0x30, 0xaf, 0x26, 0x6e, 0x56, - 0x69, 0x95, 0x06, 0x50, 
0x5a, 0xbe, 0xac, 0x16, 0x5c, 0x2e, 0xbe, 0x5a, 0x70, 0x3d, 0x5b, 0x29, - 0xf8, 0xde, 0x9f, 0xb8, 0xf2, 0x50, 0x7e, 0xe2, 0xbf, 0x66, 0x71, 0xc5, 0x93, 0xf9, 0x0a, 0xda, - 0x32, 0xb0, 0xee, 0x61, 0x19, 0x3c, 0xcb, 0x6e, 0x4d, 0x5f, 0xbf, 0x42, 0x1c, 0x5f, 0x58, 0x10, - 0xe6, 0x05, 0xe8, 0xac, 0x1d, 0x2b, 0x0c, 0x76, 0x89, 0xa0, 0xef, 0x87, 0x77, 0x2e, 0xb5, 0x3b, - 0xc9, 0x8e, 0xb0, 0x25, 0xf4, 0x25, 0x82, 0x0a, 0x82, 0x0d, 0x2c, 0xfb, 0xaf, 0x97, 0xf8, 0x08, - 0x14, 0x41, 0x00, 0x2f, 0x65, 0xae, 0x7d, 0x1a, 0xfc, 0xfc, 0xfc, 0x63, 0x00, 0xae, 0xba, 0x30, - 0x59, 0x9c, 0xce, 0x5c, 0x39, 0xf2, 0x6d, 0xae, 0x82, 0x9e, 0x7e, 0x0d, 0xdd, 0x86, 0x0d, 0x7e, - 0x29, 0x5d, 0x5a, 0xde, 0x57, 0x97, 0xa6, 0xd4, 0x4a, 0x65, 0x9f, 0xd5, 0xee, 0x8f, 0x2d, 0x48, - 0x59, 0x44, 0xa8, 0x03, 0x55, 0x2a, 0xee, 0x4e, 0x31, 0x77, 0x41, 0x9b, 0xa4, 0xa9, 0x6a, 0x14, - 0xc3, 0x9e, 0xfd, 0xc4, 0x9c, 0x11, 0xf2, 0x45, 0xac, 0x40, 0xa9, 0x88, 0xfb, 0xca, 0x4d, 0x86, - 0x57, 0xc2, 0x70, 0x93, 0x1f, 0x31, 0xea, 0xb8, 0x03, 0xfb, 0x25, 0x18, 0xeb, 0x11, 0x8a, 0xdd, - 0xf0, 0x12, 0xca, 0x0b, 0xb0, 0x8d, 0xe1, 0xca, 0x12, 0x0b, 0x31, 0x87, 0xd9, 0x6f, 0x59, 0x70, - 0x3a, 0x4b, 0x1e, 0x7d, 0xd5, 0x82, 0xb1, 0x38, 0x4b, 0xef, 0xb8, 0xfa, 0x4e, 0xc5, 0xfb, 0xf5, - 0x80, 0x70, 0xaf, 0x10, 0xf6, 0xff, 0x11, 0x83, 0xff, 0x96, 0x17, 0x34, 0xc3, 0x3b, 0xca, 0x30, - 0xb1, 0xfa, 0x1a, 0x26, 0x74, 0x3e, 0xba, 0x1b, 0xa4, 0xd9, 0xf5, 0x7b, 0x32, 0x1a, 0x57, 0x44, - 0x3b, 0x56, 0x18, 0x2c, 0x81, 0xab, 0x2b, 0xca, 0x89, 0x67, 0x06, 0xe5, 0xac, 0x68, 0xc7, 0x0a, - 0x03, 0xbd, 0x00, 0xa3, 0xe6, 0x25, 0xef, 0x62, 0x5c, 0x32, 0x83, 0xdc, 0xbc, 0x0f, 0x1e, 0xa7, - 0xb0, 0xd0, 0x24, 0x80, 0x32, 0x72, 0xe4, 0x12, 0xc9, 0x5c, 0x36, 0x4a, 0x13, 0xc5, 0xd8, 0xc0, - 0x60, 0xe9, 0x92, 0xfc, 0x26, 0x75, 0x19, 0x15, 0xcb, 0xd3, 0x25, 0x45, 0x1b, 0x56, 0x50, 0xaa, - 0x4d, 0xda, 0x4e, 0xd0, 0x75, 0x7c, 0xda, 0x43, 0x22, 0xc7, 0x5b, 0x4d, 0xc3, 0x45, 0x05, 0xc1, - 0x06, 0x16, 0x7d, 0xe3, 0xc4, 0x6b, 0x93, 0x57, 0xc3, 0x40, 
0xc6, 0x69, 0xe9, 0x03, 0x18, 0xd1, - 0x8e, 0x15, 0x86, 0xfd, 0x9f, 0x2d, 0x38, 0xa5, 0x93, 0xaf, 0xf9, 0x5d, 0xae, 0xe6, 0x9e, 0xd1, - 0xda, 0x37, 0xaf, 0x3c, 0x9d, 0x95, 0x5a, 0x1a, 0x28, 0x2b, 0xd5, 0x4c, 0x18, 0x2d, 0xdf, 0x33, - 0x61, 0xf4, 0x07, 0xf5, 0x3d, 0x81, 0x3c, 0xb3, 0x74, 0x24, 0xef, 0x8e, 0x40, 0x64, 0xc3, 0x90, - 0xeb, 0xa8, 0xca, 0x23, 0xa3, 0x7c, 0xef, 0x30, 0x33, 0xcd, 0x90, 0x04, 0xc4, 0x5e, 0x82, 0xba, - 0x3a, 0x87, 0x90, 0x1b, 0x55, 0x2b, 0x7f, 0xa3, 0x3a, 0x50, 0x82, 0x5c, 0x63, 0xed, 0x9b, 0xdf, - 0x7d, 0xf2, 0x1d, 0xbf, 0xf3, 0xdd, 0x27, 0xdf, 0xf1, 0xfb, 0xdf, 0x7d, 0xf2, 0x1d, 0x9f, 0xdc, - 0x7b, 0xd2, 0xfa, 0xe6, 0xde, 0x93, 0xd6, 0xef, 0xec, 0x3d, 0x69, 0xfd, 0xfe, 0xde, 0x93, 0xd6, - 0x77, 0xf6, 0x9e, 0xb4, 0xbe, 0xf4, 0x1f, 0x9e, 0x7c, 0xc7, 0xab, 0xb9, 0x81, 0x7a, 0xf4, 0xc7, - 0x73, 0x6e, 0x73, 0x6a, 0xeb, 0x22, 0x8b, 0x15, 0xa3, 0xd3, 0x6b, 0xca, 0x18, 0x53, 0x53, 0x72, - 0x7a, 0xfd, 0xff, 0x00, 0x00, 0x00, 0xff, 0xff, 0xe1, 0x5f, 0x0c, 0xde, 0x1c, 0xd9, 0x00, 0x00, + // 10639 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0xbd, 0x7d, 0x70, 0x1c, 0xc9, + 0x75, 0x18, 0xae, 0xd9, 0x0f, 0x60, 0xf7, 0x01, 0xfc, 0x40, 0x93, 0xbc, 0x03, 0xa9, 0xbb, 0x03, + 0x3d, 0x57, 0x3e, 0x9f, 0x7e, 0xba, 0x03, 0x7c, 0xd4, 0x9d, 0x7e, 0x17, 0x9f, 0x2d, 0x19, 0x0b, + 0x90, 0x20, 0x48, 0x80, 0xc0, 0x35, 0x40, 0x52, 0x3a, 0xf9, 0x74, 0x1a, 0xcc, 0x36, 0x16, 0x43, + 0xcc, 0xce, 0xec, 0xcd, 0xcc, 0x82, 0xc0, 0x59, 0x92, 0x25, 0xcb, 0x1f, 0x4a, 0xf4, 0x19, 0x29, + 0x29, 0xcb, 0x49, 0xe4, 0xc8, 0x96, 0x93, 0x8a, 0x2b, 0x51, 0xc5, 0x49, 0xfe, 0x88, 0x13, 0x27, + 0xe5, 0xb2, 0x9d, 0x3f, 0x94, 0x52, 0x52, 0x76, 0xa5, 0x5c, 0x96, 0x93, 0xd8, 0x88, 0x84, 0x54, + 0x2a, 0xa9, 0x54, 0xc5, 0x55, 0x4e, 0xf2, 0x47, 0xc2, 0xa4, 0x2a, 0xa9, 0xfe, 0xee, 0x99, 0x9d, + 0x25, 0x16, 0xc0, 0x80, 0xa4, 0x94, 0xfb, 0x6f, 0xb7, 0xdf, 0x9b, 0xf7, 0x7a, 0x7a, 0xba, 0x5f, + 0xbf, 0xf7, 0xfa, 0xbd, 0xd7, 0xb0, 0xd0, 0xf2, 
0x92, 0x8d, 0xee, 0xda, 0xa4, 0x1b, 0xb6, 0xa7, + 0x9c, 0xa8, 0x15, 0x76, 0xa2, 0xf0, 0x0e, 0xfb, 0xf1, 0xbc, 0xdb, 0x9c, 0xda, 0xba, 0x34, 0xd5, + 0xd9, 0x6c, 0x4d, 0x39, 0x1d, 0x2f, 0x9e, 0x72, 0x3a, 0x1d, 0xdf, 0x73, 0x9d, 0xc4, 0x0b, 0x83, + 0xa9, 0xad, 0x17, 0x1c, 0xbf, 0xb3, 0xe1, 0xbc, 0x30, 0xd5, 0x22, 0x01, 0x89, 0x9c, 0x84, 0x34, + 0x27, 0x3b, 0x51, 0x98, 0x84, 0xe8, 0x47, 0x35, 0xb5, 0x49, 0x49, 0x8d, 0xfd, 0x78, 0xc3, 0x6d, + 0x4e, 0x6e, 0x5d, 0x9a, 0xec, 0x6c, 0xb6, 0x26, 0x29, 0xb5, 0x49, 0x83, 0xda, 0xa4, 0xa4, 0x76, + 0xe1, 0x79, 0xa3, 0x2f, 0xad, 0xb0, 0x15, 0x4e, 0x31, 0xa2, 0x6b, 0xdd, 0x75, 0xf6, 0x8f, 0xfd, + 0x61, 0xbf, 0x38, 0xb3, 0x0b, 0xf6, 0xe6, 0xcb, 0xf1, 0xa4, 0x17, 0xd2, 0xee, 0x4d, 0xb9, 0x61, + 0x44, 0xa6, 0xb6, 0x7a, 0x3a, 0x74, 0xe1, 0xaa, 0xc6, 0x21, 0xdb, 0x09, 0x09, 0x62, 0x2f, 0x0c, + 0xe2, 0xe7, 0x69, 0x17, 0x48, 0xb4, 0x45, 0x22, 0xf3, 0xf5, 0x0c, 0x84, 0x3c, 0x4a, 0x2f, 0x6a, + 0x4a, 0x6d, 0xc7, 0xdd, 0xf0, 0x02, 0x12, 0xed, 0xe8, 0xc7, 0xdb, 0x24, 0x71, 0xf2, 0x9e, 0x9a, + 0xea, 0xf7, 0x54, 0xd4, 0x0d, 0x12, 0xaf, 0x4d, 0x7a, 0x1e, 0x78, 0xef, 0x7e, 0x0f, 0xc4, 0xee, + 0x06, 0x69, 0x3b, 0x3d, 0xcf, 0xbd, 0xa7, 0xdf, 0x73, 0xdd, 0xc4, 0xf3, 0xa7, 0xbc, 0x20, 0x89, + 0x93, 0x28, 0xfb, 0x90, 0xfd, 0x26, 0x9c, 0x98, 0xbe, 0xbd, 0x32, 0xdd, 0x4d, 0x36, 0x66, 0xc2, + 0x60, 0xdd, 0x6b, 0xa1, 0x97, 0x60, 0xc4, 0xf5, 0xbb, 0x71, 0x42, 0xa2, 0x1b, 0x4e, 0x9b, 0x8c, + 0x5b, 0x17, 0xad, 0x67, 0xeb, 0x8d, 0x33, 0xdf, 0xdc, 0x9d, 0x78, 0xc7, 0xde, 0xee, 0xc4, 0xc8, + 0x8c, 0x06, 0x61, 0x13, 0x0f, 0xbd, 0x0b, 0x86, 0xa3, 0xd0, 0x27, 0xd3, 0xf8, 0xc6, 0x78, 0x89, + 0x3d, 0x72, 0x4a, 0x3c, 0x32, 0x8c, 0x79, 0x33, 0x96, 0x70, 0xfb, 0x0f, 0x4b, 0x00, 0xd3, 0x9d, + 0xce, 0x72, 0x14, 0xde, 0x21, 0x6e, 0x82, 0x3e, 0x02, 0x35, 0x3a, 0x74, 0x4d, 0x27, 0x71, 0x18, + 0xb7, 0x91, 0x4b, 0x3f, 0x3c, 0xc9, 0xdf, 0x64, 0xd2, 0x7c, 0x13, 0x3d, 0x71, 0x28, 0xf6, 0xe4, + 0xd6, 0x0b, 0x93, 0x4b, 0x6b, 0xf4, 0xf9, 0x45, 0x92, 0x38, 0x0d, 0x24, 0x98, 0x81, 
0x6e, 0xc3, + 0x8a, 0x2a, 0x0a, 0xa0, 0x12, 0x77, 0x88, 0xcb, 0x3a, 0x36, 0x72, 0x69, 0x61, 0xf2, 0x28, 0x33, + 0x74, 0x52, 0xf7, 0x7c, 0xa5, 0x43, 0xdc, 0xc6, 0xa8, 0xe0, 0x5c, 0xa1, 0xff, 0x30, 0xe3, 0x83, + 0xb6, 0x60, 0x28, 0x4e, 0x9c, 0xa4, 0x1b, 0x8f, 0x97, 0x19, 0xc7, 0x1b, 0x85, 0x71, 0x64, 0x54, + 0x1b, 0x27, 0x05, 0xcf, 0x21, 0xfe, 0x1f, 0x0b, 0x6e, 0xf6, 0x9f, 0x58, 0x70, 0x52, 0x23, 0x2f, + 0x78, 0x71, 0x82, 0x7e, 0xa2, 0x67, 0x70, 0x27, 0x07, 0x1b, 0x5c, 0xfa, 0x34, 0x1b, 0xda, 0xd3, + 0x82, 0x59, 0x4d, 0xb6, 0x18, 0x03, 0xdb, 0x86, 0xaa, 0x97, 0x90, 0x76, 0x3c, 0x5e, 0xba, 0x58, + 0x7e, 0x76, 0xe4, 0xd2, 0xd5, 0xa2, 0xde, 0xb3, 0x71, 0x42, 0x30, 0xad, 0xce, 0x53, 0xf2, 0x98, + 0x73, 0xb1, 0x7f, 0x6d, 0xd4, 0x7c, 0x3f, 0x3a, 0xe0, 0xe8, 0x05, 0x18, 0x89, 0xc3, 0x6e, 0xe4, + 0x12, 0x4c, 0x3a, 0x61, 0x3c, 0x6e, 0x5d, 0x2c, 0xd3, 0xa9, 0x47, 0x67, 0xea, 0x8a, 0x6e, 0xc6, + 0x26, 0x0e, 0xfa, 0xbc, 0x05, 0xa3, 0x4d, 0x12, 0x27, 0x5e, 0xc0, 0xf8, 0xcb, 0xce, 0xaf, 0x1e, + 0xb9, 0xf3, 0xb2, 0x71, 0x56, 0x13, 0x6f, 0x9c, 0x15, 0x2f, 0x32, 0x6a, 0x34, 0xc6, 0x38, 0xc5, + 0x9f, 0xae, 0xb8, 0x26, 0x89, 0xdd, 0xc8, 0xeb, 0xd0, 0xff, 0x6c, 0xce, 0x18, 0x2b, 0x6e, 0x56, + 0x83, 0xb0, 0x89, 0x87, 0x02, 0xa8, 0xd2, 0x15, 0x15, 0x8f, 0x57, 0x58, 0xff, 0xe7, 0x8f, 0xd6, + 0x7f, 0x31, 0xa8, 0x74, 0xb1, 0xea, 0xd1, 0xa7, 0xff, 0x62, 0xcc, 0xd9, 0xa0, 0xcf, 0x59, 0x30, + 0x2e, 0x56, 0x3c, 0x26, 0x7c, 0x40, 0x6f, 0x6f, 0x78, 0x09, 0xf1, 0xbd, 0x38, 0x19, 0xaf, 0xb2, + 0x3e, 0x4c, 0x0d, 0x36, 0xb7, 0xe6, 0xa2, 0xb0, 0xdb, 0xb9, 0xee, 0x05, 0xcd, 0xc6, 0x45, 0xc1, + 0x69, 0x7c, 0xa6, 0x0f, 0x61, 0xdc, 0x97, 0x25, 0xfa, 0xb2, 0x05, 0x17, 0x02, 0xa7, 0x4d, 0xe2, + 0x8e, 0x43, 0x3f, 0x2d, 0x07, 0x37, 0x7c, 0xc7, 0xdd, 0x64, 0x3d, 0x1a, 0x3a, 0x5c, 0x8f, 0x6c, + 0xd1, 0xa3, 0x0b, 0x37, 0xfa, 0x92, 0xc6, 0xf7, 0x61, 0x8b, 0xbe, 0x6e, 0xc1, 0x58, 0x18, 0x75, + 0x36, 0x9c, 0x80, 0x34, 0x25, 0x34, 0x1e, 0x1f, 0x66, 0x4b, 0xef, 0xc3, 0x47, 0xfb, 0x44, 0x4b, + 0x59, 0xb2, 0x8b, 0x61, 
0xe0, 0x25, 0x61, 0xb4, 0x42, 0x92, 0xc4, 0x0b, 0x5a, 0x71, 0xe3, 0xdc, + 0xde, 0xee, 0xc4, 0x58, 0x0f, 0x16, 0xee, 0xed, 0x0f, 0xfa, 0x49, 0x18, 0x89, 0x77, 0x02, 0xf7, + 0xb6, 0x17, 0x34, 0xc3, 0xbb, 0xf1, 0x78, 0xad, 0x88, 0xe5, 0xbb, 0xa2, 0x08, 0x8a, 0x05, 0xa8, + 0x19, 0x60, 0x93, 0x5b, 0xfe, 0x87, 0xd3, 0x53, 0xa9, 0x5e, 0xf4, 0x87, 0xd3, 0x93, 0xe9, 0x3e, + 0x6c, 0xd1, 0xcf, 0x5b, 0x70, 0x22, 0xf6, 0x5a, 0x81, 0x93, 0x74, 0x23, 0x72, 0x9d, 0xec, 0xc4, + 0xe3, 0xc0, 0x3a, 0x72, 0xed, 0x88, 0xa3, 0x62, 0x90, 0x6c, 0x9c, 0x13, 0x7d, 0x3c, 0x61, 0xb6, + 0xc6, 0x38, 0xcd, 0x37, 0x6f, 0xa1, 0xe9, 0x69, 0x3d, 0x52, 0xec, 0x42, 0xd3, 0x93, 0xba, 0x2f, + 0x4b, 0xf4, 0xe3, 0x70, 0x9a, 0x37, 0xa9, 0x91, 0x8d, 0xc7, 0x47, 0x99, 0xa0, 0x3d, 0xbb, 0xb7, + 0x3b, 0x71, 0x7a, 0x25, 0x03, 0xc3, 0x3d, 0xd8, 0xe8, 0x4d, 0x98, 0xe8, 0x90, 0xa8, 0xed, 0x25, + 0x4b, 0x81, 0xbf, 0x23, 0xc5, 0xb7, 0x1b, 0x76, 0x48, 0x53, 0x74, 0x27, 0x1e, 0x3f, 0x71, 0xd1, + 0x7a, 0xb6, 0xd6, 0xf8, 0x21, 0xd1, 0xcd, 0x89, 0xe5, 0xfb, 0xa3, 0xe3, 0xfd, 0xe8, 0xd9, 0xff, + 0xbc, 0x04, 0xa7, 0xb3, 0x1b, 0x27, 0xfa, 0x9b, 0x16, 0x9c, 0xba, 0x73, 0x37, 0x59, 0x0d, 0x37, + 0x49, 0x10, 0x37, 0x76, 0xa8, 0x78, 0x63, 0x5b, 0xc6, 0xc8, 0x25, 0xb7, 0xd8, 0x2d, 0x7a, 0xf2, + 0x5a, 0x9a, 0xcb, 0xe5, 0x20, 0x89, 0x76, 0x1a, 0x8f, 0x8b, 0xb7, 0x3b, 0x75, 0xed, 0xf6, 0xaa, + 0x09, 0xc5, 0xd9, 0x4e, 0x5d, 0xf8, 0x8c, 0x05, 0x67, 0xf3, 0x48, 0xa0, 0xd3, 0x50, 0xde, 0x24, + 0x3b, 0x5c, 0x2b, 0xc3, 0xf4, 0x27, 0x7a, 0x1d, 0xaa, 0x5b, 0x8e, 0xdf, 0x25, 0x42, 0xbb, 0x99, + 0x3b, 0xda, 0x8b, 0xa8, 0x9e, 0x61, 0x4e, 0xf5, 0x47, 0x4a, 0x2f, 0x5b, 0xf6, 0xef, 0x95, 0x61, + 0xc4, 0xd8, 0xdf, 0x1e, 0x80, 0xc6, 0x16, 0xa6, 0x34, 0xb6, 0xc5, 0xc2, 0xb6, 0xe6, 0xbe, 0x2a, + 0xdb, 0xdd, 0x8c, 0xca, 0xb6, 0x54, 0x1c, 0xcb, 0xfb, 0xea, 0x6c, 0x28, 0x81, 0x7a, 0xd8, 0xa1, + 0x1a, 0x39, 0xdd, 0xfa, 0x2b, 0x45, 0x7c, 0xc2, 0x25, 0x49, 0xae, 0x71, 0x62, 0x6f, 0x77, 0xa2, + 0xae, 0xfe, 0x62, 0xcd, 0xc8, 0xfe, 0xb6, 0x05, 0x67, 0x8d, 
0x3e, 0xce, 0x84, 0x41, 0xd3, 0x63, + 0x9f, 0xf6, 0x22, 0x54, 0x92, 0x9d, 0x8e, 0x54, 0xfb, 0xd5, 0x48, 0xad, 0xee, 0x74, 0x08, 0x66, + 0x10, 0xaa, 0xe8, 0xb7, 0x49, 0x1c, 0x3b, 0x2d, 0x92, 0x55, 0xf4, 0x17, 0x79, 0x33, 0x96, 0x70, + 0x14, 0x01, 0xf2, 0x9d, 0x38, 0x59, 0x8d, 0x9c, 0x20, 0x66, 0xe4, 0x57, 0xbd, 0x36, 0x11, 0x03, + 0xfc, 0xff, 0x0d, 0x36, 0x63, 0xe8, 0x13, 0x8d, 0xc7, 0xf6, 0x76, 0x27, 0xd0, 0x42, 0x0f, 0x25, + 0x9c, 0x43, 0xdd, 0xfe, 0xb2, 0x05, 0x8f, 0xe5, 0xeb, 0x62, 0xe8, 0x19, 0x18, 0xe2, 0x26, 0x9f, + 0x78, 0x3b, 0xfd, 0x49, 0x58, 0x2b, 0x16, 0x50, 0x34, 0x05, 0x75, 0xb5, 0x4f, 0x88, 0x77, 0x1c, + 0x13, 0xa8, 0x75, 0xbd, 0xb9, 0x68, 0x1c, 0x3a, 0x68, 0xf4, 0x8f, 0xd0, 0xdc, 0xd4, 0xa0, 0x31, + 0x23, 0x89, 0x41, 0xec, 0x7f, 0x67, 0xc1, 0x29, 0xa3, 0x57, 0x0f, 0x40, 0x35, 0x0f, 0xd2, 0xaa, + 0xf9, 0x7c, 0x61, 0xf3, 0xb9, 0x8f, 0x6e, 0xfe, 0x39, 0x0b, 0x2e, 0x18, 0x58, 0x8b, 0x4e, 0xe2, + 0x6e, 0x5c, 0xde, 0xee, 0x44, 0x24, 0xa6, 0xe6, 0x34, 0x7a, 0xd2, 0x90, 0x5b, 0x8d, 0x11, 0x41, + 0xa1, 0x7c, 0x9d, 0xec, 0x70, 0x21, 0xf6, 0x1c, 0xd4, 0xf8, 0xe4, 0x0c, 0x23, 0x31, 0xe2, 0xea, + 0xdd, 0x96, 0x44, 0x3b, 0x56, 0x18, 0xc8, 0x86, 0x21, 0x26, 0x9c, 0xe8, 0x62, 0xa5, 0xdb, 0x10, + 0xd0, 0x8f, 0x78, 0x8b, 0xb5, 0x60, 0x01, 0xb1, 0x97, 0x52, 0xdd, 0x59, 0x8e, 0x08, 0xfb, 0xb8, + 0xcd, 0x2b, 0x1e, 0xf1, 0x9b, 0x31, 0x35, 0x1b, 0x9c, 0x20, 0x08, 0x13, 0x61, 0x01, 0x18, 0x66, + 0xc3, 0xb4, 0x6e, 0xc6, 0x26, 0x8e, 0xbd, 0x57, 0x62, 0xc6, 0x87, 0x5a, 0xd6, 0xe4, 0x41, 0x58, + 0xae, 0x51, 0x4a, 0x0e, 0x2e, 0x17, 0x27, 0x94, 0x48, 0x7f, 0xeb, 0xf5, 0xad, 0x8c, 0x28, 0xc4, + 0x85, 0x72, 0xbd, 0xbf, 0x05, 0xfb, 0xdb, 0x25, 0x98, 0x48, 0x3f, 0xd0, 0x23, 0x49, 0xa9, 0xb9, + 0x64, 0x30, 0xca, 0x3a, 0x28, 0x0c, 0x7c, 0x6c, 0xe2, 0xf5, 0x11, 0x46, 0xa5, 0xe3, 0x14, 0x46, + 0xa6, 0xac, 0x2c, 0xef, 0x23, 0x2b, 0x9f, 0x51, 0xa3, 0x5e, 0xc9, 0x08, 0xa7, 0xf4, 0x7e, 0x71, + 0x11, 0x2a, 0x71, 0x42, 0x3a, 0xe3, 0xd5, 0xb4, 0xac, 0x59, 0x49, 0x48, 0x07, 0x33, 0x88, 0xfd, + 
0x9f, 0x4b, 0xf0, 0x78, 0x7a, 0x0c, 0xb5, 0x78, 0x7f, 0x7f, 0x4a, 0xbc, 0xbf, 0xdb, 0x14, 0xef, + 0xf7, 0x76, 0x27, 0xde, 0xd9, 0xe7, 0xb1, 0xef, 0x19, 0xe9, 0x8f, 0xe6, 0x32, 0xa3, 0x38, 0x95, + 0x1e, 0xc5, 0x7b, 0xbb, 0x13, 0x4f, 0xf6, 0x79, 0xc7, 0xcc, 0x30, 0x3f, 0x03, 0x43, 0x11, 0x71, + 0xe2, 0x30, 0x10, 0x03, 0xad, 0x3e, 0x07, 0x66, 0xad, 0x58, 0x40, 0xed, 0x7f, 0x55, 0xcf, 0x0e, + 0xf6, 0x1c, 0x77, 0xb0, 0x85, 0x11, 0xf2, 0xa0, 0xc2, 0x54, 0x76, 0x2e, 0x1a, 0xae, 0x1f, 0x6d, + 0x19, 0x51, 0x11, 0xaf, 0x48, 0x37, 0x6a, 0xf4, 0xab, 0xd1, 0x26, 0xcc, 0x58, 0xa0, 0x6d, 0xa8, + 0xb9, 0x52, 0x93, 0x2e, 0x15, 0xe1, 0x73, 0x12, 0x7a, 0xb4, 0xe6, 0x38, 0x4a, 0x65, 0xb1, 0x52, + 0xbf, 0x15, 0x37, 0x44, 0xa0, 0xdc, 0xf2, 0x12, 0xf1, 0x59, 0x8f, 0x68, 0x2b, 0xcd, 0x79, 0xc6, + 0x2b, 0x0e, 0xd3, 0x0d, 0x62, 0xce, 0x4b, 0x30, 0xa5, 0x8f, 0x7e, 0xd6, 0x82, 0x91, 0xd8, 0x6d, + 0x2f, 0x47, 0xe1, 0x96, 0xd7, 0x24, 0x91, 0xd0, 0x94, 0x8e, 0x28, 0x9a, 0x56, 0x66, 0x16, 0x25, + 0x41, 0xcd, 0x97, 0xdb, 0xae, 0x1a, 0x82, 0x4d, 0xbe, 0xd4, 0x82, 0x78, 0x5c, 0xbc, 0xfb, 0x2c, + 0x71, 0x3d, 0xba, 0xb7, 0x49, 0x83, 0x89, 0xcd, 0x94, 0x23, 0x6b, 0x8e, 0xb3, 0x5d, 0x77, 0x93, + 0xae, 0x37, 0xdd, 0xa1, 0x77, 0xee, 0xed, 0x4e, 0x3c, 0x3e, 0x93, 0xcf, 0x13, 0xf7, 0xeb, 0x0c, + 0x1b, 0xb0, 0x4e, 0xd7, 0xf7, 0x31, 0x79, 0xb3, 0x4b, 0x98, 0x3b, 0xa4, 0x80, 0x01, 0x5b, 0xd6, + 0x04, 0x33, 0x03, 0x66, 0x40, 0xb0, 0xc9, 0x17, 0xbd, 0x09, 0x43, 0x6d, 0x27, 0x89, 0xbc, 0x6d, + 0xe1, 0x03, 0x39, 0xa2, 0x2e, 0xbf, 0xc8, 0x68, 0x69, 0xe6, 0x6c, 0xeb, 0xe7, 0x8d, 0x58, 0x30, + 0x42, 0x6d, 0xa8, 0xb6, 0x49, 0xd4, 0x22, 0xe3, 0xb5, 0x22, 0xfc, 0xbd, 0x8b, 0x94, 0x94, 0x66, + 0x58, 0xa7, 0x9a, 0x0f, 0x6b, 0xc3, 0x9c, 0x0b, 0x7a, 0x1d, 0x6a, 0x31, 0xf1, 0x89, 0x4b, 0x75, + 0x97, 0x3a, 0xe3, 0xf8, 0x9e, 0x01, 0xf5, 0x38, 0x67, 0x8d, 0xf8, 0x2b, 0xe2, 0x51, 0xbe, 0xc0, + 0xe4, 0x3f, 0xac, 0x48, 0xd2, 0x01, 0xec, 0xf8, 0xdd, 0x96, 0x17, 0x8c, 0x43, 0x11, 0x03, 0xb8, + 0xcc, 0x68, 0x65, 0x06, 0x90, 0x37, 
0x62, 0xc1, 0xc8, 0xfe, 0x0f, 0x16, 0xa0, 0xb4, 0x50, 0x7b, + 0x00, 0x0a, 0xeb, 0x9b, 0x69, 0x85, 0x75, 0xa1, 0x48, 0xad, 0xa3, 0x8f, 0xce, 0xfa, 0x9b, 0x75, + 0xc8, 0x6c, 0x07, 0x37, 0x48, 0x9c, 0x90, 0xe6, 0xdb, 0x22, 0xfc, 0x6d, 0x11, 0xfe, 0xb6, 0x08, + 0x57, 0x22, 0x7c, 0x2d, 0x23, 0xc2, 0xdf, 0x67, 0xac, 0x7a, 0x7d, 0x60, 0xfa, 0x86, 0x3a, 0x51, + 0x35, 0x7b, 0x60, 0x20, 0x50, 0x49, 0x70, 0x6d, 0x65, 0xe9, 0x46, 0xae, 0xcc, 0x7e, 0x23, 0x2d, + 0xb3, 0x8f, 0xca, 0xe2, 0xff, 0x05, 0x29, 0xfd, 0x57, 0x4b, 0x70, 0x3e, 0x2d, 0xbd, 0x70, 0xe8, + 0xfb, 0x61, 0x37, 0xa1, 0xb6, 0x00, 0xfa, 0x25, 0x0b, 0x4e, 0xb7, 0xd3, 0x46, 0x78, 0x2c, 0x7c, + 0x9d, 0x1f, 0x28, 0x4c, 0xb4, 0x66, 0xac, 0xfc, 0xc6, 0xb8, 0x10, 0xb3, 0xa7, 0x33, 0x80, 0x18, + 0xf7, 0xf4, 0x05, 0xbd, 0x0e, 0xf5, 0xb6, 0xb3, 0x7d, 0xb3, 0xd3, 0x74, 0x12, 0x69, 0x86, 0xf5, + 0xb7, 0x9e, 0xbb, 0x89, 0xe7, 0x4f, 0xf2, 0x13, 0xec, 0xc9, 0xf9, 0x20, 0x59, 0x8a, 0x56, 0x92, + 0xc8, 0x0b, 0x5a, 0xdc, 0xc3, 0xb5, 0x28, 0xc9, 0x60, 0x4d, 0xd1, 0xfe, 0xaa, 0x95, 0x95, 0xed, + 0x6a, 0x74, 0x22, 0x27, 0x21, 0xad, 0x1d, 0xf4, 0x51, 0xa8, 0x52, 0x7b, 0x49, 0x8e, 0xca, 0xed, + 0x22, 0x37, 0x1c, 0xe3, 0x4b, 0xe8, 0xbd, 0x87, 0xfe, 0x8b, 0x31, 0x67, 0x6a, 0x7f, 0x79, 0x38, + 0xbb, 0xc7, 0xb2, 0xf3, 0xcc, 0x4b, 0x00, 0xad, 0x70, 0x95, 0xb4, 0x3b, 0x3e, 0x1d, 0x16, 0x8b, + 0x39, 0xc5, 0x95, 0x8b, 0x60, 0x4e, 0x41, 0xb0, 0x81, 0x85, 0xfe, 0xbc, 0x05, 0xd0, 0x92, 0x53, + 0x45, 0xee, 0x9f, 0x37, 0x8b, 0x7c, 0x1d, 0x3d, 0x11, 0x75, 0x5f, 0x14, 0x43, 0x6c, 0x30, 0x47, + 0x3f, 0x6d, 0x41, 0x2d, 0x91, 0xdd, 0xe7, 0x3b, 0xca, 0x6a, 0x91, 0x3d, 0x91, 0x2f, 0xad, 0x55, + 0x09, 0x35, 0x24, 0x8a, 0x2f, 0xfa, 0x39, 0x0b, 0x20, 0xde, 0x09, 0xdc, 0xe5, 0xd0, 0xf7, 0xdc, + 0x1d, 0xb1, 0xd1, 0xdc, 0x2a, 0xd4, 0x8d, 0xa1, 0xa8, 0x37, 0x4e, 0xd2, 0xd1, 0xd0, 0xff, 0xb1, + 0xc1, 0x19, 0x7d, 0x1c, 0x6a, 0xb1, 0x98, 0x6e, 0x62, 0x6b, 0x59, 0x2d, 0xd6, 0x99, 0xc2, 0x69, + 0x0b, 0xa9, 0x24, 0xfe, 0x61, 0xc5, 0x13, 0xfd, 0x82, 0x05, 0xa7, 0x3a, 
0x69, 0xd7, 0x97, 0xd8, + 0x45, 0x8a, 0x93, 0x01, 0x19, 0xd7, 0x5a, 0xe3, 0xcc, 0xde, 0xee, 0xc4, 0xa9, 0x4c, 0x23, 0xce, + 0xf6, 0x02, 0xcd, 0xc0, 0x98, 0x9e, 0xc1, 0x4b, 0x1d, 0xee, 0x86, 0x1b, 0x66, 0x6e, 0x38, 0x76, + 0x8a, 0x39, 0x97, 0x05, 0xe2, 0x5e, 0x7c, 0xb4, 0x0c, 0x67, 0x69, 0xef, 0x76, 0xb8, 0xd6, 0x26, + 0xa5, 0x72, 0xcc, 0xf6, 0x90, 0x5a, 0xe3, 0x09, 0x31, 0x43, 0x98, 0xa3, 0x3b, 0x8b, 0x83, 0x73, + 0x9f, 0xb4, 0xbf, 0x55, 0x4a, 0xf9, 0xc5, 0x95, 0xc3, 0x8a, 0xad, 0x31, 0x57, 0xfa, 0x0a, 0xa4, + 0xc8, 0x28, 0x74, 0x8d, 0x29, 0x4f, 0x84, 0x5e, 0x63, 0xaa, 0x29, 0xc6, 0x06, 0x73, 0xaa, 0xc0, + 0x8c, 0x39, 0x59, 0xb7, 0x98, 0x58, 0xf6, 0xaf, 0x17, 0xd9, 0xa5, 0xde, 0x53, 0x8c, 0xf3, 0xa2, + 0x6b, 0x63, 0x3d, 0x20, 0xdc, 0xdb, 0x25, 0xfb, 0x5b, 0x69, 0x5f, 0xbc, 0x31, 0x63, 0x07, 0x38, + 0x67, 0xf8, 0xbc, 0x05, 0x23, 0x51, 0xe8, 0xfb, 0x5e, 0xd0, 0xa2, 0xab, 0x4b, 0x6c, 0x11, 0x1f, + 0x3a, 0x16, 0x29, 0x2d, 0x96, 0x11, 0x53, 0x83, 0xb0, 0xe6, 0x89, 0xcd, 0x0e, 0xd8, 0x7f, 0x62, + 0xc1, 0x78, 0x3f, 0x29, 0x80, 0x08, 0xbc, 0x53, 0x4e, 0x71, 0x75, 0xca, 0xbe, 0x14, 0xcc, 0x12, + 0x9f, 0x28, 0x27, 0x65, 0xad, 0xf1, 0xb4, 0x78, 0xcd, 0x77, 0x2e, 0xf7, 0x47, 0xc5, 0xf7, 0xa3, + 0x83, 0x5e, 0x83, 0xd3, 0xc6, 0x7b, 0xc5, 0x6a, 0x60, 0xea, 0x8d, 0x49, 0xba, 0xed, 0x4e, 0x67, + 0x60, 0xf7, 0x76, 0x27, 0x1e, 0xcb, 0xb6, 0x09, 0x31, 0xd5, 0x43, 0xc7, 0xfe, 0xd5, 0x52, 0xf6, + 0x6b, 0xa9, 0x1d, 0xe6, 0x2b, 0x56, 0x8f, 0xe9, 0xf7, 0x81, 0xe3, 0x90, 0xea, 0xcc, 0x48, 0x54, + 0x07, 0xf9, 0xfd, 0x71, 0x1e, 0xe2, 0x49, 0xa1, 0xfd, 0x2f, 0x2a, 0x70, 0x9f, 0x9e, 0xa9, 0xb3, + 0x20, 0xab, 0xdf, 0x59, 0xd0, 0xc1, 0x8f, 0x97, 0x3e, 0x6b, 0xc1, 0x90, 0x4f, 0xb5, 0x50, 0x7e, + 0xde, 0x31, 0x72, 0xa9, 0x79, 0x5c, 0x63, 0xcf, 0x95, 0xdd, 0x98, 0x9f, 0x56, 0x2b, 0x97, 0x27, + 0x6f, 0xc4, 0xa2, 0x0f, 0xe8, 0x6b, 0x56, 0xfa, 0xf0, 0x84, 0x87, 0x1f, 0x79, 0xc7, 0xd6, 0x27, + 0xe3, 0x44, 0x86, 0x77, 0x4c, 0xfb, 0xfa, 0xfb, 0x9c, 0xd5, 0xa0, 0x49, 0x80, 0x75, 0x2f, 0x70, + 0x7c, 0xef, 
0x2d, 0x6a, 0x4d, 0x57, 0xd9, 0xb6, 0xc2, 0xf6, 0xe9, 0x2b, 0xaa, 0x15, 0x1b, 0x18, + 0x17, 0xfe, 0x1c, 0x8c, 0x18, 0x6f, 0x9e, 0x73, 0xc8, 0x7e, 0xd6, 0x3c, 0x64, 0xaf, 0x1b, 0x67, + 0xe3, 0x17, 0xde, 0x07, 0xa7, 0xb3, 0x1d, 0x3c, 0xc8, 0xf3, 0xf6, 0xff, 0x18, 0xce, 0x9e, 0x78, + 0xac, 0x92, 0xa8, 0x4d, 0xbb, 0xf6, 0xb6, 0x17, 0xe2, 0x6d, 0x2f, 0xc4, 0xdb, 0x5e, 0x08, 0xd3, + 0x91, 0x2c, 0x2c, 0xec, 0xe1, 0x07, 0x64, 0x61, 0xa7, 0x7c, 0x06, 0xb5, 0xc2, 0x7d, 0x06, 0xf6, + 0x5e, 0x15, 0x52, 0x7a, 0x14, 0x1f, 0xef, 0x77, 0xc1, 0x70, 0x44, 0x3a, 0xe1, 0x4d, 0xbc, 0x20, + 0xf6, 0x10, 0x1d, 0x48, 0xcd, 0x9b, 0xb1, 0x84, 0xd3, 0xbd, 0xa6, 0xe3, 0x24, 0x1b, 0x62, 0x13, + 0x51, 0x7b, 0xcd, 0xb2, 0x93, 0x6c, 0x60, 0x06, 0x41, 0xef, 0x83, 0x93, 0x89, 0x13, 0xb5, 0x48, + 0x82, 0xc9, 0x16, 0xfb, 0xac, 0xe2, 0x5c, 0xec, 0x31, 0x81, 0x7b, 0x72, 0x35, 0x05, 0xc5, 0x19, + 0x6c, 0xf4, 0x26, 0x54, 0x36, 0x88, 0xdf, 0x16, 0x43, 0xbe, 0x52, 0x9c, 0x8c, 0x67, 0xef, 0x7a, + 0x95, 0xf8, 0x6d, 0x2e, 0x81, 0xe8, 0x2f, 0xcc, 0x58, 0xd1, 0xf9, 0x56, 0xdf, 0xec, 0xc6, 0x49, + 0xd8, 0xf6, 0xde, 0x92, 0xee, 0xa0, 0x0f, 0x14, 0xcc, 0xf8, 0xba, 0xa4, 0xcf, 0x1d, 0x08, 0xea, + 0x2f, 0xd6, 0x9c, 0x59, 0x3f, 0x9a, 0x5e, 0xc4, 0x3e, 0xd5, 0x8e, 0xf0, 0xea, 0x14, 0xdd, 0x8f, + 0x59, 0x49, 0x9f, 0xf7, 0x43, 0xfd, 0xc5, 0x9a, 0x33, 0xda, 0x51, 0xf3, 0x7e, 0x84, 0xf5, 0xe1, + 0x66, 0xc1, 0x7d, 0xe0, 0x73, 0x3e, 0x77, 0xfe, 0x3f, 0x0d, 0x55, 0x77, 0xc3, 0x89, 0x92, 0xf1, + 0x51, 0x36, 0x69, 0x94, 0x23, 0x63, 0x86, 0x36, 0x62, 0x0e, 0x43, 0x4f, 0x42, 0x39, 0x22, 0xeb, + 0x2c, 0x7e, 0xcf, 0x88, 0xec, 0xc0, 0x64, 0x1d, 0xd3, 0x76, 0xfb, 0x97, 0x4b, 0x69, 0x75, 0x29, + 0xfd, 0xde, 0x7c, 0xb6, 0xbb, 0xdd, 0x28, 0x96, 0xce, 0x0e, 0x63, 0xb6, 0xb3, 0x66, 0x2c, 0xe1, + 0xe8, 0x93, 0x16, 0x0c, 0xdf, 0x89, 0xc3, 0x20, 0x20, 0x89, 0xd8, 0x9a, 0x6e, 0x15, 0x3c, 0x14, + 0xd7, 0x38, 0x75, 0xdd, 0x07, 0xd1, 0x80, 0x25, 0x5f, 0xda, 0x5d, 0xb2, 0xed, 0xfa, 0xdd, 0x66, + 0xcf, 0x81, 0xfe, 0x65, 0xde, 0x8c, 0x25, 0x9c, 
0xa2, 0x7a, 0x01, 0x47, 0xad, 0xa4, 0x51, 0xe7, + 0x03, 0x81, 0x2a, 0xe0, 0xf6, 0x5f, 0x1e, 0x82, 0x73, 0xb9, 0x8b, 0x83, 0x2a, 0x32, 0x4c, 0x55, + 0xb8, 0xe2, 0xf9, 0x44, 0x86, 0xa9, 0x30, 0x45, 0xe6, 0x96, 0x6a, 0xc5, 0x06, 0x06, 0xfa, 0x29, + 0x80, 0x8e, 0x13, 0x39, 0x6d, 0x22, 0x36, 0xf0, 0xf2, 0xd1, 0xf5, 0x05, 0xda, 0x8f, 0x65, 0x49, + 0x53, 0xdb, 0xa6, 0xaa, 0x29, 0xc6, 0x06, 0x4b, 0xf4, 0x12, 0x8c, 0x44, 0xc4, 0x27, 0x4e, 0xcc, + 0xc2, 0x3f, 0xb3, 0xb1, 0xec, 0x58, 0x83, 0xb0, 0x89, 0x87, 0x9e, 0x51, 0x11, 0x3d, 0x99, 0xe8, + 0x87, 0x74, 0x54, 0x0f, 0xfa, 0x82, 0x05, 0x27, 0xd7, 0x3d, 0x9f, 0x68, 0xee, 0x22, 0xf2, 0x7c, + 0xe9, 0xe8, 0x2f, 0x79, 0xc5, 0xa4, 0xab, 0x25, 0x64, 0xaa, 0x39, 0xc6, 0x19, 0xf6, 0xf4, 0x33, + 0x6f, 0x91, 0x88, 0x89, 0xd6, 0xa1, 0xf4, 0x67, 0xbe, 0xc5, 0x9b, 0xb1, 0x84, 0xa3, 0x69, 0x38, + 0xd5, 0x71, 0xe2, 0x78, 0x26, 0x22, 0x4d, 0x12, 0x24, 0x9e, 0xe3, 0xf3, 0xb8, 0xf0, 0x9a, 0x8e, + 0x0b, 0x5d, 0x4e, 0x83, 0x71, 0x16, 0x1f, 0x7d, 0x10, 0x1e, 0xf7, 0x5a, 0x41, 0x18, 0x91, 0x45, + 0x2f, 0x8e, 0xbd, 0xa0, 0xa5, 0xa7, 0x81, 0x70, 0x7a, 0x4c, 0x08, 0x52, 0x8f, 0xcf, 0xe7, 0xa3, + 0xe1, 0x7e, 0xcf, 0xa3, 0xe7, 0xa0, 0x16, 0x6f, 0x7a, 0x9d, 0x99, 0xa8, 0x19, 0x33, 0x07, 0x79, + 0x4d, 0xbb, 0xd8, 0x56, 0x44, 0x3b, 0x56, 0x18, 0xc8, 0x85, 0x51, 0xfe, 0x49, 0x78, 0xd8, 0x92, + 0x90, 0x8f, 0xcf, 0xf7, 0xdd, 0x1e, 0x45, 0xea, 0xd2, 0x24, 0x76, 0xee, 0x5e, 0x96, 0xee, 0xfa, + 0xc6, 0xe9, 0xbd, 0xdd, 0x89, 0xd1, 0x5b, 0x06, 0x19, 0x9c, 0x22, 0x6a, 0xff, 0x62, 0x29, 0x6d, + 0x71, 0x9b, 0x8b, 0x14, 0xc5, 0x74, 0x29, 0x26, 0xb7, 0x9c, 0x48, 0x7a, 0x63, 0x8e, 0x18, 0xbe, + 0x2e, 0xe8, 0xde, 0x72, 0x22, 0x73, 0x51, 0x33, 0x06, 0x58, 0x72, 0x42, 0x77, 0xa0, 0x92, 0xf8, + 0x4e, 0x41, 0xf9, 0x2e, 0x06, 0x47, 0xed, 0x00, 0x59, 0x98, 0x8e, 0x31, 0xe3, 0x81, 0x9e, 0xa0, + 0x5a, 0xff, 0x9a, 0x8c, 0x71, 0x13, 0x8a, 0xfa, 0x5a, 0x8c, 0x59, 0xab, 0xfd, 0x7f, 0x6a, 0x39, + 0x72, 0x55, 0x6d, 0x64, 0xe8, 0x12, 0x00, 0x35, 0x20, 0x97, 0x23, 0xb2, 0xee, 0x6d, 
0x0b, 0x45, + 0x42, 0xad, 0xdd, 0x1b, 0x0a, 0x82, 0x0d, 0x2c, 0xf9, 0xcc, 0x4a, 0x77, 0x9d, 0x3e, 0x53, 0xea, + 0x7d, 0x86, 0x43, 0xb0, 0x81, 0x85, 0x5e, 0x84, 0x21, 0xaf, 0xed, 0xb4, 0x54, 0x28, 0xde, 0x13, + 0x74, 0xd1, 0xce, 0xb3, 0x96, 0x7b, 0xbb, 0x13, 0x27, 0x55, 0x87, 0x58, 0x13, 0x16, 0xb8, 0xe8, + 0x57, 0x2d, 0x18, 0x75, 0xc3, 0x76, 0x3b, 0x0c, 0xb8, 0xd9, 0x25, 0x6c, 0xc8, 0x3b, 0xc7, 0xb5, + 0xcd, 0x4f, 0xce, 0x18, 0xcc, 0xb8, 0x11, 0xa9, 0x12, 0x73, 0x4c, 0x10, 0x4e, 0xf5, 0xca, 0x5c, + 0xdb, 0xd5, 0x7d, 0xd6, 0xf6, 0x6f, 0x58, 0x30, 0xc6, 0x9f, 0x35, 0xac, 0x41, 0x91, 0x83, 0x12, + 0x1e, 0xf3, 0x6b, 0xf5, 0x18, 0xc8, 0xca, 0x4b, 0xd7, 0x03, 0xc7, 0xbd, 0x9d, 0x44, 0x73, 0x30, + 0xb6, 0x1e, 0x46, 0x2e, 0x31, 0x07, 0x42, 0x08, 0x26, 0x45, 0xe8, 0x4a, 0x16, 0x01, 0xf7, 0x3e, + 0x83, 0x6e, 0xc1, 0x63, 0x46, 0xa3, 0x39, 0x0e, 0x5c, 0x36, 0x3d, 0x25, 0xa8, 0x3d, 0x76, 0x25, + 0x17, 0x0b, 0xf7, 0x79, 0x3a, 0xed, 0x30, 0xa9, 0x0f, 0xe0, 0x30, 0x79, 0x03, 0xce, 0xbb, 0xbd, + 0x23, 0xb3, 0x15, 0x77, 0xd7, 0x62, 0x2e, 0xa9, 0x6a, 0x8d, 0x1f, 0x10, 0x04, 0xce, 0xcf, 0xf4, + 0x43, 0xc4, 0xfd, 0x69, 0xa0, 0x8f, 0x42, 0x2d, 0x22, 0xec, 0xab, 0xc4, 0x22, 0x21, 0xe3, 0x88, + 0x56, 0xb2, 0xd6, 0x40, 0x39, 0x59, 0x2d, 0x7b, 0x45, 0x43, 0x8c, 0x15, 0xc7, 0x0b, 0xef, 0x87, + 0xb1, 0x9e, 0xf9, 0x7c, 0x20, 0x9f, 0xc5, 0x2c, 0x3c, 0x96, 0x3f, 0x73, 0x0e, 0xe4, 0xb9, 0xf8, + 0x07, 0x99, 0x38, 0x43, 0x43, 0x9b, 0x1c, 0xc0, 0x0b, 0xe6, 0x40, 0x99, 0x04, 0x5b, 0x42, 0x90, + 0x5e, 0x39, 0xda, 0xe8, 0x5d, 0x0e, 0xb6, 0xf8, 0xc4, 0x67, 0xa6, 0xfe, 0xe5, 0x60, 0x0b, 0x53, + 0xda, 0xe8, 0x4b, 0x56, 0x4a, 0x1b, 0xe2, 0xbe, 0xb3, 0x0f, 0x1f, 0x8b, 0xfa, 0x3c, 0xb0, 0x82, + 0x64, 0xff, 0xcb, 0x12, 0x5c, 0xdc, 0x8f, 0xc8, 0x00, 0xc3, 0xf7, 0x34, 0x0c, 0xc5, 0xec, 0x08, + 0x54, 0x48, 0xa6, 0x11, 0x2a, 0x95, 0xf8, 0xa1, 0xe8, 0x1b, 0x58, 0x80, 0x90, 0x0f, 0xe5, 0xb6, + 0xd3, 0x11, 0x2e, 0x95, 0xf9, 0xa3, 0x66, 0x15, 0xd0, 0xff, 0x8e, 0xbf, 0xe8, 0x74, 0xb8, 0xa1, + 0x6e, 0x34, 0x60, 0xca, 
0x06, 0x25, 0x50, 0x75, 0xa2, 0xc8, 0x91, 0xe7, 0x6d, 0xd7, 0x8b, 0xe1, + 0x37, 0x4d, 0x49, 0x36, 0xc6, 0xf6, 0x76, 0x27, 0x4e, 0xa4, 0x9a, 0x30, 0x67, 0x66, 0x7f, 0x76, + 0x38, 0x15, 0x59, 0xcf, 0x0e, 0x51, 0x63, 0x18, 0x12, 0x9e, 0x14, 0xab, 0xe8, 0x64, 0x0e, 0x9e, + 0x1a, 0xc5, 0x8c, 0x25, 0x91, 0x60, 0x2a, 0x58, 0xa1, 0xcf, 0x58, 0x2c, 0x8d, 0x53, 0x66, 0x1b, + 0x08, 0x13, 0xe5, 0x78, 0xb2, 0x4a, 0xcd, 0xe4, 0x50, 0xd9, 0x88, 0x4d, 0xee, 0x74, 0xeb, 0xea, + 0xf0, 0x84, 0xa4, 0xac, 0xa1, 0x22, 0x13, 0x3d, 0x25, 0x1c, 0x6d, 0xe7, 0x1c, 0x96, 0x16, 0x90, + 0x0a, 0x38, 0xc0, 0xf1, 0xe8, 0xd7, 0x2c, 0x18, 0xe3, 0xea, 0xe8, 0xac, 0xb7, 0xbe, 0x4e, 0x22, + 0x12, 0xb8, 0x44, 0x2a, 0xf4, 0x47, 0x3c, 0x8e, 0x97, 0xee, 0xab, 0xf9, 0x2c, 0x79, 0xbd, 0xa7, + 0xf5, 0x80, 0x70, 0x6f, 0x67, 0x50, 0x13, 0x2a, 0x5e, 0xb0, 0x1e, 0x8a, 0x9d, 0xbc, 0x71, 0xb4, + 0x4e, 0xcd, 0x07, 0xeb, 0xa1, 0x5e, 0xcd, 0xf4, 0x1f, 0x66, 0xd4, 0xd1, 0x02, 0x9c, 0x8d, 0x84, + 0xcb, 0xe5, 0xaa, 0x17, 0x53, 0xc3, 0x78, 0xc1, 0x6b, 0x7b, 0x09, 0xdb, 0x85, 0xcb, 0x8d, 0xf1, + 0xbd, 0xdd, 0x89, 0xb3, 0x38, 0x07, 0x8e, 0x73, 0x9f, 0x42, 0x6f, 0xc1, 0xb0, 0xcc, 0x3b, 0xad, + 0x15, 0x61, 0x1c, 0xf5, 0xce, 0x7f, 0x35, 0x99, 0x56, 0x44, 0x8a, 0xa9, 0x64, 0x68, 0x7f, 0x61, + 0x04, 0x7a, 0xcf, 0x06, 0xd1, 0xc7, 0xa0, 0x1e, 0xa9, 0x5c, 0x58, 0xab, 0x88, 0xf8, 0x3e, 0xf9, + 0x7d, 0xc5, 0xb9, 0xa4, 0xd2, 0x07, 0x74, 0xd6, 0xab, 0xe6, 0x48, 0xb5, 0xf6, 0x58, 0x1f, 0x21, + 0x16, 0x30, 0xb7, 0x05, 0x57, 0x7d, 0x3c, 0xb4, 0x13, 0xb8, 0x98, 0xf1, 0x40, 0x11, 0x0c, 0x6d, + 0x10, 0xc7, 0x4f, 0x36, 0x8a, 0xf1, 0x64, 0x5f, 0x65, 0xb4, 0xb2, 0x59, 0x13, 0xbc, 0x15, 0x0b, + 0x4e, 0x68, 0x1b, 0x86, 0x37, 0xf8, 0x04, 0x10, 0x8a, 0xf4, 0xe2, 0x51, 0x07, 0x37, 0x35, 0xab, + 0xf4, 0xe7, 0x16, 0x0d, 0x58, 0xb2, 0x63, 0x91, 0x16, 0xc6, 0xb1, 0x38, 0x5f, 0xba, 0xc5, 0x25, + 0x8c, 0x0c, 0x7e, 0x26, 0xfe, 0x11, 0x18, 0x8d, 0x88, 0x1b, 0x06, 0xae, 0xe7, 0x93, 0xe6, 0xb4, + 0xf4, 0x52, 0x1f, 0x24, 0xcd, 0x80, 0x19, 0xa3, 0xd8, 0xa0, 
0x81, 0x53, 0x14, 0xd1, 0xa7, 0x2d, + 0x38, 0xa9, 0x12, 0xe8, 0xe8, 0x07, 0x21, 0xc2, 0x2b, 0xba, 0x50, 0x50, 0xba, 0x1e, 0xa3, 0xd9, + 0x40, 0x7b, 0xbb, 0x13, 0x27, 0xd3, 0x6d, 0x38, 0xc3, 0x17, 0xbd, 0x06, 0x10, 0xae, 0xf1, 0x70, + 0x8a, 0xe9, 0x44, 0xb8, 0x48, 0x0f, 0xf2, 0xaa, 0x27, 0x79, 0xbe, 0x91, 0xa4, 0x80, 0x0d, 0x6a, + 0xe8, 0x3a, 0x00, 0x5f, 0x36, 0xab, 0x3b, 0x1d, 0xa9, 0x6d, 0xcb, 0x3c, 0x11, 0x58, 0x51, 0x90, + 0x7b, 0xbb, 0x13, 0xbd, 0x2e, 0x2b, 0x76, 0x7a, 0x6f, 0x3c, 0x8e, 0x7e, 0x12, 0x86, 0xe3, 0x6e, + 0xbb, 0xed, 0x28, 0x07, 0x6a, 0x81, 0x19, 0x4c, 0x9c, 0xae, 0x21, 0x8a, 0x78, 0x03, 0x96, 0x1c, + 0xd1, 0x1d, 0x2a, 0x54, 0x63, 0xe1, 0x4b, 0x63, 0xab, 0x88, 0xeb, 0x04, 0x23, 0xec, 0x9d, 0xde, + 0x2b, 0xa3, 0x43, 0x70, 0x0e, 0xce, 0xbd, 0xdd, 0x89, 0xc7, 0xd2, 0xed, 0x0b, 0xa1, 0xc8, 0x29, + 0xca, 0xa5, 0x89, 0xae, 0xc9, 0x32, 0x14, 0xf4, 0xb5, 0x65, 0x76, 0xf4, 0xb3, 0xba, 0x0c, 0x05, + 0x6b, 0xee, 0x3f, 0x66, 0xe6, 0xc3, 0x68, 0x11, 0xce, 0xb8, 0x61, 0x90, 0x44, 0xa1, 0xef, 0xf3, + 0xda, 0x2a, 0xdc, 0xf0, 0xe1, 0x0e, 0xd6, 0x77, 0x8a, 0x6e, 0x9f, 0x99, 0xe9, 0x45, 0xc1, 0x79, + 0xcf, 0xd9, 0x41, 0x3a, 0xce, 0x4c, 0x0c, 0xce, 0x8b, 0x30, 0x4a, 0xb6, 0x13, 0x12, 0x05, 0x8e, + 0x7f, 0x13, 0x2f, 0x48, 0xd7, 0x22, 0x5b, 0x03, 0x97, 0x8d, 0x76, 0x9c, 0xc2, 0x42, 0xb6, 0xb2, + 0xf6, 0x4b, 0x3a, 0xf1, 0x8e, 0x5b, 0xfb, 0xd2, 0xb6, 0xb7, 0xff, 0x67, 0x29, 0xa5, 0x90, 0xad, + 0x46, 0x84, 0xa0, 0x10, 0xaa, 0x41, 0xd8, 0x54, 0xb2, 0xff, 0x5a, 0x31, 0xb2, 0xff, 0x46, 0xd8, + 0x34, 0x6a, 0x55, 0xd0, 0x7f, 0x31, 0xe6, 0x7c, 0x58, 0x32, 0xbf, 0xac, 0x7a, 0xc0, 0x00, 0xc2, + 0xd0, 0x28, 0x92, 0xb3, 0x4a, 0xe6, 0x5f, 0x32, 0x19, 0xe1, 0x34, 0x5f, 0xb4, 0x09, 0xd5, 0x8d, + 0x30, 0x4e, 0xa4, 0xf9, 0x71, 0x44, 0x4b, 0xe7, 0x6a, 0x18, 0x27, 0x4c, 0x8b, 0x50, 0xaf, 0x4d, + 0x5b, 0x62, 0xcc, 0x79, 0xd8, 0xff, 0xd1, 0x4a, 0x39, 0x92, 0x6f, 0xb3, 0x98, 0xcb, 0x2d, 0x12, + 0xd0, 0x65, 0x6d, 0xc6, 0xdb, 0xfc, 0xff, 0x99, 0xc4, 0xaf, 0x1f, 0xea, 0x57, 0x39, 0xe8, 0x2e, + 
0xa5, 0x30, 0xc9, 0x48, 0x18, 0xa1, 0x39, 0x9f, 0xb0, 0xd2, 0x29, 0x78, 0xa5, 0x22, 0x0c, 0x0c, + 0x33, 0xc5, 0x74, 0xdf, 0x6c, 0x3e, 0xfb, 0x4b, 0x16, 0x0c, 0x37, 0x1c, 0x77, 0x33, 0x5c, 0x5f, + 0x47, 0xcf, 0x41, 0xad, 0xd9, 0x8d, 0xcc, 0x6c, 0x40, 0x65, 0x3d, 0xcf, 0x8a, 0x76, 0xac, 0x30, + 0xe8, 0x1c, 0x5e, 0x77, 0x5c, 0x99, 0x68, 0x5a, 0xe6, 0x73, 0xf8, 0x0a, 0x6b, 0xc1, 0x02, 0x82, + 0x5e, 0x82, 0x91, 0xb6, 0xb3, 0x2d, 0x1f, 0xce, 0x7a, 0xb1, 0x17, 0x35, 0x08, 0x9b, 0x78, 0xf6, + 0x3f, 0xb3, 0x60, 0xbc, 0xe1, 0xc4, 0x9e, 0x3b, 0xdd, 0x4d, 0x36, 0x1a, 0x5e, 0xb2, 0xd6, 0x75, + 0x37, 0x49, 0xc2, 0xb3, 0x8b, 0x69, 0x2f, 0xbb, 0x31, 0x5d, 0x4a, 0xca, 0xae, 0x53, 0xbd, 0xbc, + 0x29, 0xda, 0xb1, 0xc2, 0x40, 0x6f, 0xc1, 0x48, 0xc7, 0x89, 0xe3, 0xbb, 0x61, 0xd4, 0xc4, 0x64, + 0xbd, 0x98, 0xdc, 0xfe, 0x15, 0xe2, 0x46, 0x24, 0xc1, 0x64, 0x5d, 0x9c, 0xb4, 0x6a, 0xfa, 0xd8, + 0x64, 0x66, 0x7f, 0xde, 0x82, 0xf3, 0x0d, 0xe2, 0x44, 0x24, 0x62, 0xa5, 0x00, 0xd4, 0x8b, 0xcc, + 0xf8, 0x61, 0xb7, 0x89, 0xde, 0x84, 0x5a, 0x42, 0x9b, 0x69, 0xb7, 0xac, 0x62, 0xbb, 0xc5, 0x0e, + 0x4a, 0x57, 0x05, 0x71, 0xac, 0xd8, 0xd8, 0x7f, 0xc5, 0x82, 0x51, 0x76, 0xe6, 0x34, 0x4b, 0x12, + 0xc7, 0xf3, 0x7b, 0x2a, 0xe6, 0x58, 0x03, 0x56, 0xcc, 0xb9, 0x08, 0x95, 0x8d, 0xb0, 0x4d, 0xb2, + 0xe7, 0xa5, 0x57, 0x43, 0x6a, 0x56, 0x53, 0x08, 0x7a, 0x81, 0x7e, 0x78, 0x2f, 0x48, 0x1c, 0xba, + 0x04, 0xa4, 0x4f, 0xf3, 0x14, 0xff, 0xe8, 0xaa, 0x19, 0x9b, 0x38, 0xf6, 0x6f, 0xd7, 0x61, 0x58, + 0x1c, 0xaa, 0x0f, 0x9c, 0x61, 0x2e, 0xed, 0xfb, 0x52, 0x5f, 0xfb, 0x3e, 0x86, 0x21, 0x97, 0xd5, + 0xe3, 0x12, 0x6a, 0xe4, 0xf5, 0x42, 0xa2, 0x30, 0x78, 0x89, 0x2f, 0xdd, 0x2d, 0xfe, 0x1f, 0x0b, + 0x56, 0xe8, 0x8b, 0x16, 0x9c, 0x72, 0xc3, 0x20, 0x20, 0xae, 0xd6, 0x71, 0x2a, 0x45, 0x1c, 0xb6, + 0xcf, 0xa4, 0x89, 0xea, 0x03, 0x8f, 0x0c, 0x00, 0x67, 0xd9, 0xa3, 0x57, 0xe0, 0x04, 0x1f, 0xb3, + 0x5b, 0x29, 0x47, 0xac, 0x2e, 0xa4, 0x62, 0x02, 0x71, 0x1a, 0x17, 0x4d, 0x72, 0x87, 0xb6, 0x28, + 0x59, 0x32, 0xa4, 0x4f, 0xcf, 0x8c, 
0x62, 0x25, 0x06, 0x06, 0x8a, 0x00, 0x45, 0x64, 0x3d, 0x22, + 0xf1, 0x86, 0x08, 0x3a, 0x60, 0xfa, 0xd5, 0xf0, 0xe1, 0x32, 0x56, 0x71, 0x0f, 0x25, 0x9c, 0x43, + 0x1d, 0x6d, 0x0a, 0x03, 0xb3, 0x56, 0x84, 0x0c, 0x15, 0x9f, 0xb9, 0xaf, 0x9d, 0x39, 0x01, 0xd5, + 0x78, 0xc3, 0x89, 0x9a, 0x4c, 0xaf, 0x2b, 0xf3, 0x2c, 0x89, 0x15, 0xda, 0x80, 0x79, 0x3b, 0x9a, + 0x85, 0xd3, 0x99, 0x32, 0x30, 0xb1, 0x70, 0x98, 0xaa, 0xd0, 0xfe, 0x4c, 0x01, 0x99, 0x18, 0xf7, + 0x3c, 0x61, 0x3a, 0x1f, 0x46, 0xf6, 0x71, 0x3e, 0xec, 0xa8, 0xd0, 0xb6, 0x51, 0xb6, 0x3f, 0xbe, + 0x5a, 0xc8, 0x00, 0x0c, 0x14, 0xc7, 0xf6, 0xb9, 0x4c, 0x1c, 0xdb, 0x09, 0xd6, 0x81, 0x5b, 0xc5, + 0x74, 0xe0, 0xe0, 0x41, 0x6b, 0x0f, 0x33, 0x08, 0xed, 0xbf, 0x5b, 0x20, 0xbf, 0xeb, 0x8c, 0xe3, + 0x6e, 0x10, 0x3a, 0x65, 0xd0, 0xfb, 0xe0, 0xa4, 0x32, 0xa1, 0x67, 0xc2, 0x6e, 0xc0, 0xe3, 0xcf, + 0xca, 0xfa, 0x64, 0x14, 0xa7, 0xa0, 0x38, 0x83, 0x8d, 0xa6, 0xa0, 0x4e, 0xc7, 0x89, 0x3f, 0xca, + 0xf7, 0x5a, 0x65, 0xa6, 0x4f, 0x2f, 0xcf, 0x8b, 0xa7, 0x34, 0x0e, 0x0a, 0x61, 0xcc, 0x77, 0xe2, + 0x84, 0xf5, 0x80, 0x5a, 0xd4, 0x87, 0xcc, 0x17, 0x67, 0xf1, 0xe3, 0x0b, 0x59, 0x42, 0xb8, 0x97, + 0xb6, 0xfd, 0xed, 0x0a, 0x9c, 0x48, 0x49, 0xc6, 0x03, 0x6e, 0xd2, 0xcf, 0x41, 0x4d, 0xee, 0x9b, + 0xd9, 0xaa, 0x15, 0x6a, 0x73, 0x55, 0x18, 0x74, 0xd3, 0x5a, 0xd3, 0xbb, 0x6a, 0x56, 0xa9, 0x30, + 0x36, 0x5c, 0x6c, 0xe2, 0x31, 0xa1, 0x9c, 0xf8, 0xf1, 0x8c, 0xef, 0x91, 0x20, 0xe1, 0xdd, 0x2c, + 0x46, 0x28, 0xaf, 0x2e, 0xac, 0x98, 0x44, 0xb5, 0x50, 0xce, 0x00, 0x70, 0x96, 0x3d, 0xfa, 0x19, + 0x0b, 0x4e, 0x38, 0x77, 0x63, 0x5d, 0x34, 0x52, 0x44, 0xac, 0x1d, 0x71, 0x93, 0x4a, 0xd5, 0xa1, + 0xe4, 0x2e, 0xdf, 0x54, 0x13, 0x4e, 0x33, 0x45, 0x5f, 0xb1, 0x00, 0x91, 0x6d, 0xe2, 0xca, 0x98, + 0x3a, 0xd1, 0x97, 0xa1, 0x22, 0x2c, 0xcd, 0xcb, 0x3d, 0x74, 0xb9, 0x54, 0xef, 0x6d, 0xc7, 0x39, + 0x7d, 0xb0, 0xff, 0x71, 0x59, 0x2d, 0x28, 0x1d, 0xc6, 0xe9, 0x18, 0xe1, 0x64, 0xd6, 0xe1, 0xc3, + 0xc9, 0xf4, 0xb1, 0x7c, 0x6f, 0x1a, 0x5a, 0x2a, 0xfd, 0xa6, 0xf4, 0x90, 
0xd2, 0x6f, 0x7e, 0xda, + 0x4a, 0xd5, 0x67, 0x19, 0xb9, 0xf4, 0x5a, 0xb1, 0x21, 0xa4, 0x93, 0x3c, 0x64, 0x20, 0x23, 0xdd, + 0xd3, 0x91, 0x22, 0x54, 0x9a, 0x1a, 0x68, 0x07, 0x92, 0x86, 0xff, 0xa6, 0x0c, 0x23, 0xc6, 0x4e, + 0x9a, 0xab, 0x16, 0x59, 0x8f, 0x98, 0x5a, 0x54, 0x3a, 0x80, 0x5a, 0xf4, 0x53, 0x50, 0x77, 0xa5, + 0x94, 0x2f, 0xa6, 0x42, 0x69, 0x76, 0xef, 0xd0, 0x82, 0x5e, 0x35, 0x61, 0xcd, 0x13, 0xcd, 0xa5, + 0xf2, 0x57, 0xc4, 0x0e, 0x51, 0x61, 0x3b, 0x44, 0x5e, 0x82, 0x89, 0xd8, 0x29, 0x7a, 0x9f, 0x61, + 0x65, 0x7c, 0x3a, 0x9e, 0x78, 0x2f, 0x19, 0xe8, 0xcd, 0xcb, 0xf8, 0x2c, 0xcf, 0xcb, 0x66, 0x6c, + 0xe2, 0xd8, 0xdf, 0xb6, 0xd4, 0xc7, 0x7d, 0x00, 0x49, 0xed, 0x77, 0xd2, 0x49, 0xed, 0x97, 0x0b, + 0x19, 0xe6, 0x3e, 0xd9, 0xec, 0x37, 0x60, 0x78, 0x26, 0x6c, 0xb7, 0x9d, 0xa0, 0x89, 0x7e, 0x10, + 0x86, 0x5d, 0xfe, 0x53, 0x38, 0x76, 0xd8, 0xf1, 0xa0, 0x80, 0x62, 0x09, 0x43, 0x4f, 0x40, 0xc5, + 0x89, 0x5a, 0xd2, 0x99, 0xc3, 0x22, 0x4c, 0xa6, 0xa3, 0x56, 0x8c, 0x59, 0xab, 0xfd, 0xf7, 0x2b, + 0x00, 0x33, 0x61, 0xbb, 0xe3, 0x44, 0xa4, 0xb9, 0x1a, 0xb2, 0x0a, 0x69, 0xc7, 0x7a, 0xa8, 0xa6, + 0x8d, 0xa5, 0x47, 0xf9, 0x60, 0xcd, 0x38, 0x5c, 0x29, 0x3f, 0xe0, 0xc3, 0x95, 0x3e, 0xe7, 0x65, + 0x95, 0x47, 0xe8, 0xbc, 0xcc, 0xfe, 0xac, 0x05, 0x88, 0x4e, 0x9a, 0x30, 0x20, 0x41, 0xa2, 0x0f, + 0xb4, 0xa7, 0xa0, 0xee, 0xca, 0x56, 0xa1, 0x58, 0x69, 0x11, 0x21, 0x01, 0x58, 0xe3, 0x0c, 0x60, + 0x21, 0x3f, 0x2d, 0xe5, 0x77, 0x39, 0x1d, 0x9c, 0xca, 0xa4, 0xbe, 0x10, 0xe7, 0xf6, 0xef, 0x94, + 0xe0, 0x31, 0xbe, 0x25, 0x2f, 0x3a, 0x81, 0xd3, 0x22, 0x6d, 0xda, 0xab, 0x41, 0x43, 0x14, 0x5c, + 0x6a, 0x9a, 0x79, 0x32, 0xd8, 0xf4, 0xa8, 0x6b, 0x97, 0xaf, 0x39, 0xbe, 0xca, 0xe6, 0x03, 0x2f, + 0xc1, 0x8c, 0x38, 0x8a, 0xa1, 0x26, 0x4b, 0x72, 0x0b, 0x59, 0x5c, 0x10, 0x23, 0x25, 0x96, 0xc4, + 0xbe, 0x49, 0xb0, 0x62, 0x44, 0x15, 0x57, 0x3f, 0x74, 0x37, 0x31, 0xe9, 0x84, 0x4c, 0xee, 0x1a, + 0xb1, 0x7e, 0x0b, 0xa2, 0x1d, 0x2b, 0x0c, 0xfb, 0x77, 0x2c, 0xc8, 0xee, 0x48, 0x46, 0xb9, 0x2a, + 0xeb, 0xbe, 
0xe5, 0xaa, 0x0e, 0x50, 0x2f, 0xea, 0x27, 0x60, 0xc4, 0x49, 0xa8, 0x12, 0xc1, 0xcd, + 0xee, 0xf2, 0xe1, 0x8e, 0x35, 0x16, 0xc3, 0xa6, 0xb7, 0xee, 0x31, 0x73, 0xdb, 0x24, 0x67, 0xff, + 0xd7, 0x0a, 0x8c, 0xf5, 0xa4, 0x44, 0xa0, 0x97, 0x61, 0xd4, 0x15, 0xd3, 0xa3, 0x23, 0x1d, 0x5a, + 0x75, 0x33, 0x36, 0x4c, 0xc3, 0x70, 0x0a, 0x73, 0x80, 0x09, 0x3a, 0x0f, 0x67, 0x22, 0x6a, 0xe8, + 0x77, 0xc9, 0xf4, 0x7a, 0x42, 0xa2, 0x15, 0xe2, 0x86, 0x41, 0x93, 0x17, 0x55, 0x2b, 0x37, 0x1e, + 0xdf, 0xdb, 0x9d, 0x38, 0x83, 0x7b, 0xc1, 0x38, 0xef, 0x19, 0xd4, 0x81, 0x13, 0xbe, 0xa9, 0x03, + 0x0a, 0x03, 0xe0, 0x50, 0xea, 0xa3, 0xd2, 0x11, 0x52, 0xcd, 0x38, 0xcd, 0x20, 0xad, 0x48, 0x56, + 0x1f, 0x92, 0x22, 0xf9, 0x29, 0xad, 0x48, 0xf2, 0xf3, 0xf7, 0x0f, 0x15, 0x9c, 0x12, 0x73, 0xdc, + 0x9a, 0xe4, 0xab, 0x50, 0x93, 0xb1, 0x49, 0x03, 0xc5, 0xf4, 0x98, 0x74, 0xfa, 0x48, 0xb4, 0x7b, + 0x25, 0xc8, 0x31, 0x42, 0xe8, 0x3a, 0xd3, 0x3b, 0x7e, 0x6a, 0x9d, 0x1d, 0x6c, 0xd7, 0x47, 0xdb, + 0x3c, 0x2e, 0x8b, 0xef, 0x6d, 0x1f, 0x2c, 0xda, 0x88, 0xd2, 0xa1, 0x5a, 0x2a, 0x53, 0x40, 0x85, + 0x6b, 0x5d, 0x02, 0xd0, 0x8a, 0x9a, 0x88, 0x03, 0x57, 0xc7, 0xbe, 0x5a, 0x9f, 0xc3, 0x06, 0x16, + 0xb5, 0xa9, 0xbd, 0x20, 0x4e, 0x1c, 0xdf, 0xbf, 0xea, 0x05, 0x89, 0x70, 0x0e, 0xaa, 0x4d, 0x7c, + 0x5e, 0x83, 0xb0, 0x89, 0x77, 0xe1, 0xbd, 0xc6, 0x77, 0x39, 0xc8, 0xf7, 0xdc, 0x80, 0xf3, 0x73, + 0x5e, 0xa2, 0xb2, 0x17, 0xd4, 0x3c, 0xa2, 0x7a, 0x98, 0xca, 0xc6, 0xb1, 0xfa, 0x66, 0xe3, 0x18, + 0xd9, 0x03, 0xa5, 0x74, 0xb2, 0x43, 0x36, 0x7b, 0xc0, 0x7e, 0x19, 0xce, 0xce, 0x79, 0xc9, 0x15, + 0xcf, 0x27, 0x07, 0x64, 0x62, 0xff, 0xd6, 0x10, 0x8c, 0x9a, 0xf9, 0x6f, 0x07, 0x49, 0x28, 0xfa, + 0x3c, 0x55, 0xb5, 0xc4, 0xdb, 0x79, 0xea, 0xd0, 0xec, 0xf6, 0x91, 0x93, 0xf1, 0xf2, 0x47, 0xcc, + 0xd0, 0xb6, 0x34, 0x4f, 0x6c, 0x76, 0x00, 0xdd, 0x85, 0xea, 0x3a, 0x8b, 0x6e, 0x2f, 0x17, 0x11, + 0x59, 0x90, 0x37, 0xa2, 0x7a, 0x99, 0xf1, 0xf8, 0x78, 0xce, 0x8f, 0xee, 0x90, 0x51, 0x3a, 0x65, + 0xca, 0x88, 0xc8, 0x14, 0xc9, 0x52, 0x0a, 0xa3, 
0x9f, 0xa8, 0xaf, 0x1e, 0x42, 0xd4, 0xa7, 0x04, + 0xef, 0xd0, 0x43, 0x12, 0xbc, 0x2c, 0x53, 0x21, 0xd9, 0x60, 0xfa, 0x9b, 0x08, 0x21, 0x1f, 0x66, + 0x83, 0x60, 0x64, 0x2a, 0xa4, 0xc0, 0x38, 0x8b, 0x8f, 0x3e, 0xae, 0x44, 0x77, 0xad, 0x08, 0xbf, + 0xaa, 0x39, 0xa3, 0x8f, 0x5b, 0x6a, 0x7f, 0xb6, 0x04, 0x27, 0xe7, 0x82, 0xee, 0xf2, 0xdc, 0x72, + 0x77, 0xcd, 0xf7, 0xdc, 0xeb, 0x64, 0x87, 0x8a, 0xe6, 0x4d, 0xb2, 0x33, 0x3f, 0x2b, 0x56, 0x90, + 0x9a, 0x33, 0xd7, 0x69, 0x23, 0xe6, 0x30, 0x2a, 0x8c, 0xd6, 0xbd, 0xa0, 0x45, 0xa2, 0x4e, 0xe4, + 0x09, 0x97, 0xa7, 0x21, 0x8c, 0xae, 0x68, 0x10, 0x36, 0xf1, 0x28, 0xed, 0xf0, 0x6e, 0x40, 0xa2, + 0xac, 0x22, 0xbb, 0x44, 0x1b, 0x31, 0x87, 0x51, 0xa4, 0x24, 0xea, 0xc6, 0x89, 0x98, 0x8c, 0x0a, + 0x69, 0x95, 0x36, 0x62, 0x0e, 0xa3, 0x2b, 0x3d, 0xee, 0xae, 0xb1, 0xc0, 0x8d, 0x4c, 0xbc, 0xfa, + 0x0a, 0x6f, 0xc6, 0x12, 0x4e, 0x51, 0x37, 0xc9, 0xce, 0x2c, 0xb5, 0x7a, 0x33, 0x69, 0x2b, 0xd7, + 0x79, 0x33, 0x96, 0x70, 0x56, 0x0d, 0x2e, 0x3d, 0x1c, 0xdf, 0x73, 0xd5, 0xe0, 0xd2, 0xdd, 0xef, + 0x63, 0x3f, 0xff, 0x8a, 0x05, 0xa3, 0x66, 0xb8, 0x15, 0x6a, 0x65, 0x74, 0xdc, 0xa5, 0x9e, 0x62, + 0xa2, 0x3f, 0x96, 0x77, 0x73, 0x52, 0xcb, 0x4b, 0xc2, 0x4e, 0xfc, 0x3c, 0x09, 0x5a, 0x5e, 0x40, + 0xd8, 0x29, 0x3a, 0x0f, 0xd3, 0x4a, 0xc5, 0x72, 0xcd, 0x84, 0x4d, 0x72, 0x08, 0x25, 0xd9, 0xbe, + 0x0d, 0x63, 0x3d, 0xb9, 0x4a, 0x03, 0xa8, 0x16, 0xfb, 0x66, 0x8a, 0xda, 0x18, 0x46, 0x28, 0x61, + 0x59, 0x5a, 0x65, 0x06, 0xc6, 0xf8, 0x42, 0xa2, 0x9c, 0x56, 0xdc, 0x0d, 0xd2, 0x56, 0xf9, 0x67, + 0xcc, 0xbf, 0x7e, 0x2b, 0x0b, 0xc4, 0xbd, 0xf8, 0xf6, 0xe7, 0x2c, 0x38, 0x91, 0x4a, 0x1f, 0x2b, + 0x48, 0x09, 0x62, 0x2b, 0x2d, 0x64, 0xd1, 0x7f, 0x2c, 0x04, 0xba, 0xcc, 0x36, 0x53, 0xbd, 0xd2, + 0x34, 0x08, 0x9b, 0x78, 0xf6, 0x97, 0x4a, 0x50, 0x93, 0x11, 0x14, 0x03, 0x74, 0xe5, 0x33, 0x16, + 0x9c, 0x50, 0x67, 0x1a, 0xcc, 0x59, 0x56, 0x2a, 0x22, 0xd6, 0x9f, 0xf6, 0x40, 0x99, 0xdb, 0xc1, + 0x7a, 0xa8, 0x35, 0x72, 0x6c, 0x32, 0xc3, 0x69, 0xde, 0xe8, 0x16, 0x40, 0xbc, 0x13, 
0x27, 0xa4, + 0x6d, 0xb8, 0xed, 0x6c, 0x63, 0xc5, 0x4d, 0xba, 0x61, 0x44, 0xe8, 0xfa, 0xba, 0x11, 0x36, 0xc9, + 0x8a, 0xc2, 0xd4, 0x2a, 0x94, 0x6e, 0xc3, 0x06, 0x25, 0xfb, 0xef, 0x96, 0xe0, 0x74, 0xb6, 0x4b, + 0xe8, 0x43, 0x30, 0x2a, 0xb9, 0x1b, 0xb7, 0x40, 0xc9, 0xb0, 0x91, 0x51, 0x6c, 0xc0, 0xee, 0xed, + 0x4e, 0x4c, 0xf4, 0xde, 0xc2, 0x35, 0x69, 0xa2, 0xe0, 0x14, 0x31, 0x7e, 0xb0, 0x24, 0x4e, 0x40, + 0x1b, 0x3b, 0xd3, 0x9d, 0x8e, 0x38, 0x1d, 0x32, 0x0e, 0x96, 0x4c, 0x28, 0xce, 0x60, 0xa3, 0x65, + 0x38, 0x6b, 0xb4, 0xdc, 0x20, 0x5e, 0x6b, 0x63, 0x2d, 0x8c, 0xa4, 0x65, 0xf5, 0x84, 0x0e, 0xec, + 0xea, 0xc5, 0xc1, 0xb9, 0x4f, 0xd2, 0xdd, 0xde, 0x75, 0x3a, 0x8e, 0xeb, 0x25, 0x3b, 0xc2, 0x0f, + 0xa9, 0x64, 0xd3, 0x8c, 0x68, 0xc7, 0x0a, 0xc3, 0x5e, 0x84, 0xca, 0x80, 0x33, 0x68, 0x20, 0x8d, + 0xfe, 0x55, 0xa8, 0x51, 0x72, 0x52, 0xbd, 0x2b, 0x82, 0x64, 0x08, 0x35, 0x79, 0x91, 0x03, 0xb2, + 0xa1, 0xec, 0x39, 0xf2, 0xec, 0x4e, 0xbd, 0xd6, 0x7c, 0x1c, 0x77, 0x99, 0x91, 0x4c, 0x81, 0xe8, + 0x69, 0x28, 0x93, 0xed, 0x4e, 0xf6, 0x90, 0xee, 0xf2, 0x76, 0xc7, 0x8b, 0x48, 0x4c, 0x91, 0xc8, + 0x76, 0x07, 0x5d, 0x80, 0x92, 0xd7, 0x14, 0x9b, 0x14, 0x08, 0x9c, 0xd2, 0xfc, 0x2c, 0x2e, 0x79, + 0x4d, 0x7b, 0x1b, 0xea, 0xea, 0xe6, 0x08, 0xb4, 0x29, 0x65, 0xb7, 0x55, 0x44, 0xc8, 0x93, 0xa4, + 0xdb, 0x47, 0x6a, 0x77, 0x01, 0x74, 0x1e, 0x5d, 0x51, 0xf2, 0xe5, 0x22, 0x54, 0xdc, 0x50, 0xe4, + 0xf8, 0xd6, 0x34, 0x19, 0x26, 0xb4, 0x19, 0xc4, 0xbe, 0x0d, 0x27, 0xaf, 0x07, 0xe1, 0x5d, 0x56, + 0x1a, 0x9b, 0x95, 0xb4, 0xa2, 0x84, 0xd7, 0xe9, 0x8f, 0xac, 0x8a, 0xc0, 0xa0, 0x98, 0xc3, 0x54, + 0xd9, 0xa3, 0x52, 0xbf, 0xb2, 0x47, 0xf6, 0x27, 0x2c, 0x38, 0xad, 0xb2, 0x81, 0xa4, 0x34, 0x7e, + 0x19, 0x46, 0xd7, 0xba, 0x9e, 0xdf, 0x94, 0x85, 0xb2, 0x32, 0x6e, 0x8a, 0x86, 0x01, 0xc3, 0x29, + 0x4c, 0x6a, 0x54, 0xad, 0x79, 0x81, 0x13, 0xed, 0x2c, 0x6b, 0xf1, 0xaf, 0x24, 0x42, 0x43, 0x41, + 0xb0, 0x81, 0x65, 0x7f, 0xc6, 0xec, 0x82, 0xc8, 0x3f, 0x1a, 0x60, 0x64, 0x6f, 0x42, 0xd5, 0x55, + 0x67, 0xbd, 0x87, 0x2a, 
0xe6, 0xa7, 0xf2, 0xcb, 0x99, 0xbf, 0x9f, 0x53, 0xb3, 0xff, 0x49, 0x09, + 0x4e, 0xa4, 0x6a, 0x96, 0x20, 0x1f, 0x6a, 0xc4, 0x67, 0xae, 0x3c, 0x39, 0xc5, 0x8e, 0x5a, 0x2e, + 0x52, 0x2d, 0x8b, 0xcb, 0x82, 0x2e, 0x56, 0x1c, 0x1e, 0x8d, 0x23, 0xb5, 0x97, 0x61, 0x54, 0x76, + 0xe8, 0x83, 0x4e, 0xdb, 0x17, 0xab, 0x50, 0x4d, 0x80, 0xcb, 0x06, 0x0c, 0xa7, 0x30, 0xed, 0xdf, + 0x2d, 0xc3, 0x38, 0xf7, 0x7d, 0x36, 0x55, 0xd4, 0xcb, 0xa2, 0xd4, 0xb2, 0xfe, 0x82, 0xae, 0x2c, + 0xc4, 0x07, 0x72, 0xed, 0xa8, 0xd5, 0x99, 0xf3, 0x19, 0x0d, 0x14, 0x8f, 0xf1, 0x4b, 0x99, 0x78, + 0x0c, 0xbe, 0xd9, 0xb6, 0x8e, 0xa9, 0x47, 0xdf, 0x5b, 0x01, 0x1a, 0x7f, 0xab, 0x04, 0xa7, 0x32, + 0xa5, 0xaf, 0xd1, 0x17, 0xd2, 0x65, 0x1f, 0xad, 0x22, 0x3c, 0x64, 0xf7, 0xad, 0x86, 0x7c, 0xb0, + 0xe2, 0x8f, 0x0f, 0x69, 0xa9, 0xd8, 0x7f, 0x50, 0x82, 0x93, 0xe9, 0x9a, 0xdd, 0x8f, 0xe0, 0x48, + 0xbd, 0x1b, 0xea, 0xac, 0x2c, 0x2d, 0xbb, 0x67, 0x8c, 0x3b, 0xe2, 0x78, 0x29, 0x53, 0xd9, 0x88, + 0x35, 0xfc, 0x91, 0xa8, 0xa9, 0x69, 0xff, 0x6d, 0x0b, 0xce, 0xf1, 0xb7, 0xcc, 0xce, 0xc3, 0xbf, + 0x98, 0x37, 0xba, 0xaf, 0x17, 0xdb, 0xc1, 0x4c, 0x45, 0xac, 0xfd, 0xc6, 0x97, 0xdd, 0x6f, 0x24, + 0x7a, 0x9b, 0x9e, 0x0a, 0x8f, 0x60, 0x67, 0x0f, 0x34, 0x19, 0xec, 0x3f, 0x28, 0x83, 0xbe, 0xd2, + 0x09, 0x79, 0x22, 0xb3, 0xa9, 0x90, 0xca, 0x60, 0x2b, 0x3b, 0x81, 0xab, 0x2f, 0x8f, 0xaa, 0x65, + 0x12, 0x9b, 0x7e, 0xde, 0x82, 0x11, 0x2f, 0xf0, 0x12, 0xcf, 0x61, 0xca, 0x73, 0x31, 0x57, 0xd2, + 0x28, 0x76, 0xf3, 0x9c, 0x72, 0x18, 0x99, 0xde, 0x5b, 0xc5, 0x0c, 0x9b, 0x9c, 0xd1, 0x47, 0x44, + 0xc8, 0x64, 0xb9, 0xb0, 0x9c, 0xbc, 0x5a, 0x26, 0x4e, 0xb2, 0x03, 0xd5, 0x88, 0x24, 0x51, 0x41, + 0xa9, 0xac, 0x98, 0x92, 0x52, 0x45, 0x26, 0xf5, 0xe5, 0x9a, 0xb4, 0x19, 0x73, 0x46, 0x76, 0x0c, + 0xa8, 0x77, 0x2c, 0x0e, 0x18, 0x8e, 0x36, 0x05, 0x75, 0xa7, 0x9b, 0x84, 0x6d, 0x3a, 0x4c, 0xc2, + 0xc1, 0xac, 0x03, 0xee, 0x24, 0x00, 0x6b, 0x1c, 0xfb, 0x0b, 0x55, 0xc8, 0xa4, 0x1a, 0xa1, 0x6d, + 0xf3, 0x3a, 0x32, 0xab, 0xd8, 0xeb, 0xc8, 0x54, 0x67, 0xf2, 
0xae, 0x24, 0x43, 0x2d, 0xa8, 0x76, + 0x36, 0x9c, 0x58, 0xea, 0xc6, 0xaf, 0xca, 0x61, 0x5a, 0xa6, 0x8d, 0xf7, 0x76, 0x27, 0x7e, 0x7c, + 0x30, 0x5f, 0x0b, 0x9d, 0xab, 0x53, 0x3c, 0x73, 0x5f, 0xb3, 0x66, 0x34, 0x30, 0xa7, 0x7f, 0x90, + 0x4b, 0x79, 0x3e, 0x29, 0x0a, 0x09, 0x63, 0x12, 0x77, 0xfd, 0x44, 0xcc, 0x86, 0x57, 0x0b, 0x5c, + 0x65, 0x9c, 0xb0, 0x4e, 0x92, 0xe5, 0xff, 0xb1, 0xc1, 0x14, 0x7d, 0x08, 0xea, 0x71, 0xe2, 0x44, + 0xc9, 0x21, 0xd3, 0xda, 0xd4, 0xa0, 0xaf, 0x48, 0x22, 0x58, 0xd3, 0x43, 0xaf, 0xb1, 0x42, 0x89, + 0x5e, 0xbc, 0x71, 0xc8, 0x48, 0x67, 0x59, 0x54, 0x51, 0x50, 0xc0, 0x06, 0x35, 0x6a, 0x7a, 0xb0, + 0xb9, 0xcd, 0xc3, 0x7b, 0x6a, 0xcc, 0xb6, 0x54, 0xa2, 0x10, 0x2b, 0x08, 0x36, 0xb0, 0xec, 0x1f, + 0x86, 0x74, 0x96, 0x37, 0x9a, 0x90, 0x49, 0xe5, 0xdc, 0xf7, 0xc4, 0x22, 0x96, 0x53, 0xf9, 0xdf, + 0xbf, 0x61, 0x81, 0x99, 0x8a, 0x8e, 0xde, 0xe4, 0x39, 0xef, 0x56, 0x11, 0xe7, 0x05, 0x06, 0xdd, + 0xc9, 0x45, 0xa7, 0x93, 0x39, 0xb8, 0x92, 0x89, 0xef, 0x17, 0xde, 0x0b, 0x35, 0x09, 0x3d, 0x90, + 0x52, 0xf7, 0x71, 0x38, 0x93, 0xbd, 0xac, 0x55, 0xf8, 0x9a, 0x5b, 0x51, 0xd8, 0xed, 0x64, 0x0d, + 0x49, 0x76, 0x99, 0x27, 0xe6, 0x30, 0x6a, 0x8e, 0x6d, 0x7a, 0x41, 0x33, 0x6b, 0x48, 0x5e, 0xf7, + 0x82, 0x26, 0x66, 0x90, 0x01, 0x2e, 0xa5, 0xfb, 0x4d, 0x0b, 0x2e, 0xee, 0x77, 0xa7, 0x2c, 0x7a, + 0x02, 0x2a, 0x77, 0x9d, 0x48, 0x56, 0xb0, 0x65, 0x82, 0xf2, 0xb6, 0x13, 0x05, 0x98, 0xb5, 0xa2, + 0x1d, 0x18, 0xe2, 0x31, 0x20, 0x42, 0x5b, 0x7f, 0xb5, 0xd8, 0x1b, 0x6e, 0xaf, 0x13, 0xc3, 0x5c, + 0xe0, 0xf1, 0x27, 0x58, 0x30, 0xb4, 0xbf, 0x63, 0x01, 0x5a, 0xda, 0x22, 0x51, 0xe4, 0x35, 0x8d, + 0xa8, 0x15, 0xf4, 0x22, 0x8c, 0xde, 0x59, 0x59, 0xba, 0xb1, 0x1c, 0x7a, 0x01, 0xab, 0xfa, 0x60, + 0x24, 0xb6, 0x5d, 0x33, 0xda, 0x71, 0x0a, 0x0b, 0xcd, 0xc0, 0xd8, 0x9d, 0x37, 0xa9, 0xf1, 0x6b, + 0x56, 0xcb, 0x2f, 0x69, 0x77, 0xe7, 0xb5, 0x57, 0x33, 0x40, 0xdc, 0x8b, 0x8f, 0x96, 0xe0, 0x5c, + 0x9b, 0x9b, 0x1b, 0xbc, 0xc8, 0x35, 0xb7, 0x3d, 0x54, 0x1a, 0xc9, 0xf9, 0xbd, 0xdd, 0x89, 0x73, + 
0x8b, 0x79, 0x08, 0x38, 0xff, 0x39, 0xfb, 0xbd, 0x80, 0x78, 0xb0, 0xca, 0x4c, 0x5e, 0xe4, 0x41, + 0x5f, 0x4b, 0xdc, 0xfe, 0x6a, 0x15, 0x4e, 0x65, 0xea, 0x1b, 0x52, 0x53, 0xaf, 0x37, 0xd4, 0xe1, + 0xc8, 0xfb, 0x77, 0x6f, 0xf7, 0x06, 0x0a, 0x9e, 0x08, 0xa0, 0xea, 0x05, 0x9d, 0x6e, 0x52, 0x4c, + 0xe6, 0x18, 0xef, 0xc4, 0x3c, 0x25, 0x68, 0x38, 0x89, 0xe8, 0x5f, 0xcc, 0xd9, 0x14, 0x19, 0x8a, + 0x91, 0x52, 0xc6, 0x2b, 0x0f, 0xc9, 0x1d, 0xf0, 0x49, 0x1d, 0x18, 0x51, 0x2d, 0xe2, 0xa0, 0x3e, + 0x33, 0x59, 0x8e, 0xfb, 0x80, 0xed, 0xd7, 0x4b, 0x30, 0x62, 0x7c, 0x34, 0xf4, 0xcb, 0xe9, 0x42, + 0x2d, 0x56, 0x71, 0xaf, 0xc4, 0xe8, 0x4f, 0xea, 0x52, 0x2c, 0xfc, 0x95, 0x9e, 0xe9, 0xad, 0xd1, + 0x72, 0x6f, 0x77, 0xe2, 0x74, 0xa6, 0x0a, 0x4b, 0xaa, 0x6e, 0xcb, 0x85, 0x8f, 0xc1, 0xa9, 0x0c, + 0x99, 0x9c, 0x57, 0x5e, 0x4d, 0xdf, 0xc5, 0x7b, 0x44, 0xb7, 0x94, 0x39, 0x64, 0xdf, 0xa0, 0x43, + 0xa6, 0xaf, 0x68, 0x1f, 0xc0, 0x1d, 0x97, 0xc9, 0x91, 0x2b, 0x0d, 0x98, 0x23, 0xf7, 0x2c, 0xd4, + 0x3a, 0xa1, 0xef, 0xb9, 0x9e, 0x2a, 0xe9, 0xc5, 0xb2, 0xf2, 0x96, 0x45, 0x1b, 0x56, 0x50, 0x74, + 0x17, 0xea, 0xea, 0xda, 0x62, 0x11, 0x84, 0x58, 0x94, 0xab, 0x57, 0x29, 0x2d, 0xfa, 0x3a, 0x62, + 0xcd, 0x0b, 0xd9, 0x30, 0xc4, 0x36, 0x41, 0x19, 0xf0, 0xcb, 0x32, 0x38, 0xd9, 0xee, 0x18, 0x63, + 0x01, 0xb1, 0xbf, 0x5e, 0x87, 0xb3, 0x79, 0x45, 0x66, 0xd1, 0x47, 0x61, 0x88, 0xf7, 0xb1, 0x98, + 0x3a, 0xe6, 0x79, 0x3c, 0xe6, 0x18, 0x41, 0xd1, 0x2d, 0xf6, 0x1b, 0x0b, 0x9e, 0x82, 0xbb, 0xef, + 0xac, 0x89, 0x19, 0x72, 0x3c, 0xdc, 0x17, 0x1c, 0xcd, 0x7d, 0xc1, 0xe1, 0xdc, 0x7d, 0x67, 0x0d, + 0x6d, 0x43, 0xb5, 0xe5, 0x25, 0xc4, 0x11, 0x4e, 0x84, 0xdb, 0xc7, 0xc2, 0x9c, 0x38, 0x5c, 0x4b, + 0x63, 0x3f, 0x31, 0x67, 0x88, 0xbe, 0x66, 0xc1, 0xa9, 0xb5, 0x74, 0x42, 0xac, 0x10, 0x9e, 0xce, + 0x31, 0x14, 0x12, 0x4e, 0x33, 0xe2, 0x37, 0x52, 0x64, 0x1a, 0x71, 0xb6, 0x3b, 0xe8, 0x53, 0x16, + 0x0c, 0xaf, 0x7b, 0xbe, 0x51, 0x53, 0xf2, 0x18, 0x3e, 0xce, 0x15, 0xc6, 0x40, 0x5b, 0x1c, 0xfc, + 0x7f, 0x8c, 0x25, 0xe7, 0x7e, 0x3b, 
0xd5, 0xd0, 0x51, 0x77, 0xaa, 0xe1, 0x87, 0xb4, 0x53, 0x7d, + 0xda, 0x82, 0xba, 0x1a, 0x69, 0x91, 0xe4, 0xf8, 0xa1, 0x63, 0xfc, 0xe4, 0xdc, 0x73, 0xa2, 0xfe, + 0x62, 0xcd, 0x1c, 0x7d, 0xd1, 0x82, 0x11, 0xe7, 0xad, 0x6e, 0x44, 0x9a, 0x64, 0x2b, 0xec, 0xc4, + 0xe2, 0x16, 0xa8, 0xd7, 0x8b, 0xef, 0xcc, 0x34, 0x65, 0x32, 0x4b, 0xb6, 0x96, 0x3a, 0xb1, 0x48, + 0x46, 0xd0, 0x0d, 0xd8, 0xec, 0x82, 0xbd, 0x5b, 0x82, 0x89, 0x7d, 0x28, 0xa0, 0x97, 0x61, 0x34, + 0x8c, 0x5a, 0x4e, 0xe0, 0xbd, 0x65, 0x66, 0xb8, 0x2b, 0x2d, 0x6b, 0xc9, 0x80, 0xe1, 0x14, 0xa6, + 0x99, 0x86, 0x59, 0xda, 0x27, 0x0d, 0xf3, 0x22, 0x54, 0x22, 0xd2, 0x09, 0xb3, 0xc6, 0x02, 0x0b, + 0x04, 0x66, 0x10, 0xf4, 0x24, 0x94, 0x9d, 0x8e, 0x27, 0xc2, 0x4f, 0x94, 0x0d, 0x34, 0xbd, 0x3c, + 0x8f, 0x69, 0x7b, 0x2a, 0x2b, 0xbc, 0xfa, 0x40, 0xb2, 0xc2, 0xe9, 0x36, 0x20, 0xce, 0x2e, 0x86, + 0xf4, 0x36, 0x90, 0x3e, 0x53, 0xb0, 0xbf, 0x52, 0x86, 0x27, 0xef, 0x3b, 0x5f, 0x74, 0xf4, 0x8d, + 0x75, 0x9f, 0xe8, 0x1b, 0x39, 0x3c, 0xa5, 0xfd, 0x86, 0xa7, 0xdc, 0x67, 0x78, 0x3e, 0x45, 0x97, + 0x81, 0xac, 0x0c, 0x50, 0xcc, 0x85, 0x44, 0xfd, 0x0a, 0x0d, 0x88, 0x15, 0x20, 0xa1, 0x58, 0xf3, + 0xa5, 0x36, 0x40, 0x2a, 0x05, 0xb1, 0x5a, 0xc4, 0x36, 0xd0, 0xb7, 0x52, 0x00, 0x9f, 0xfb, 0xfd, + 0xf2, 0x1a, 0xed, 0x5f, 0x28, 0xc1, 0xd3, 0x03, 0x48, 0x6f, 0x73, 0x16, 0x5b, 0x03, 0xce, 0xe2, + 0xef, 0xed, 0xcf, 0x64, 0xff, 0x25, 0x0b, 0x2e, 0xf4, 0xdf, 0x3c, 0xd0, 0x0b, 0x30, 0xb2, 0x16, + 0x39, 0x81, 0xbb, 0xc1, 0x2e, 0x59, 0x93, 0x83, 0xc2, 0xc6, 0x5a, 0x37, 0x63, 0x13, 0x87, 0x9a, + 0xb7, 0xbc, 0xb0, 0xbb, 0x81, 0x21, 0x53, 0xc6, 0xa8, 0x79, 0xbb, 0x9a, 0x05, 0xe2, 0x5e, 0x7c, + 0xfb, 0xcf, 0x4a, 0xf9, 0xdd, 0xe2, 0x4a, 0xc6, 0x41, 0xbe, 0x93, 0xf8, 0x0a, 0xa5, 0x01, 0x64, + 0x49, 0xf9, 0x41, 0xcb, 0x92, 0x4a, 0x3f, 0x59, 0x82, 0x66, 0xe1, 0xb4, 0x71, 0x1f, 0x01, 0x4f, + 0x03, 0xe4, 0x61, 0x76, 0x2a, 0x37, 0x7e, 0x39, 0x03, 0xc7, 0x3d, 0x4f, 0xa0, 0xe7, 0xa0, 0xe6, + 0x05, 0x31, 0x71, 0xbb, 0x11, 0x0f, 0xef, 0x34, 0x52, 0x2f, 0xe6, 0x45, 
0x3b, 0x56, 0x18, 0xf6, + 0xaf, 0x94, 0xe0, 0x7c, 0x5f, 0x3d, 0xeb, 0x01, 0xc9, 0x2e, 0xf3, 0x73, 0x54, 0x1e, 0xcc, 0xe7, + 0x30, 0x07, 0xa9, 0xba, 0xef, 0x20, 0xfd, 0x61, 0xff, 0x89, 0x49, 0x75, 0xee, 0xef, 0xdb, 0x51, + 0x7a, 0x05, 0x4e, 0x38, 0x9d, 0x0e, 0xc7, 0x63, 0x51, 0x5a, 0x99, 0xda, 0x18, 0xd3, 0x26, 0x10, + 0xa7, 0x71, 0x07, 0xda, 0x3d, 0xff, 0xd8, 0x82, 0x3a, 0x26, 0xeb, 0x5c, 0x3a, 0xa0, 0x3b, 0x62, + 0x88, 0xac, 0x22, 0xaa, 0xe8, 0xd1, 0x81, 0x8d, 0x3d, 0x56, 0x5d, 0x2e, 0x6f, 0xb0, 0x7b, 0xef, + 0xad, 0x28, 0x1d, 0xe8, 0xde, 0x0a, 0x75, 0x73, 0x41, 0xb9, 0xff, 0xcd, 0x05, 0xf6, 0x37, 0x86, + 0xe9, 0xeb, 0x75, 0xc2, 0x99, 0x88, 0x34, 0x63, 0xfa, 0x7d, 0xbb, 0x91, 0x2f, 0x26, 0x89, 0xfa, + 0xbe, 0x37, 0xf1, 0x02, 0xa6, 0xed, 0xa9, 0xa3, 0x98, 0xd2, 0x81, 0x2a, 0x03, 0x94, 0xf7, 0xad, + 0x0c, 0xf0, 0x0a, 0x9c, 0x88, 0xe3, 0x8d, 0xe5, 0xc8, 0xdb, 0x72, 0x12, 0x72, 0x9d, 0xec, 0x08, + 0x2d, 0x4b, 0x67, 0xf3, 0xae, 0x5c, 0xd5, 0x40, 0x9c, 0xc6, 0x45, 0x73, 0x30, 0xa6, 0xf3, 0xf3, + 0x49, 0x94, 0xb0, 0x98, 0x5e, 0x3e, 0x13, 0x54, 0xea, 0x9e, 0xce, 0xe8, 0x17, 0x08, 0xb8, 0xf7, + 0x19, 0x2a, 0xdf, 0x52, 0x8d, 0xb4, 0x23, 0x43, 0x69, 0xf9, 0x96, 0xa2, 0x43, 0xfb, 0xd2, 0xf3, + 0x04, 0x5a, 0x84, 0x33, 0x7c, 0x62, 0x4c, 0x77, 0x3a, 0xc6, 0x1b, 0x0d, 0xa7, 0xab, 0x97, 0xcd, + 0xf5, 0xa2, 0xe0, 0xbc, 0xe7, 0xd0, 0x4b, 0x30, 0xa2, 0x9a, 0xe7, 0x67, 0xc5, 0x29, 0x82, 0xf2, + 0x62, 0x28, 0x32, 0xf3, 0x4d, 0x6c, 0xe2, 0xa1, 0x0f, 0xc2, 0xe3, 0xfa, 0x2f, 0x4f, 0xfc, 0xe0, + 0x47, 0x6b, 0xb3, 0xa2, 0xf4, 0x89, 0xaa, 0x93, 0x3f, 0x97, 0x8b, 0xd6, 0xc4, 0xfd, 0x9e, 0x47, + 0x6b, 0x70, 0x41, 0x81, 0x2e, 0x07, 0x09, 0x8b, 0xe2, 0x8e, 0x49, 0xc3, 0x89, 0xc9, 0xcd, 0xc8, + 0x67, 0xc5, 0x52, 0xea, 0xfa, 0x0a, 0xb3, 0x39, 0x2f, 0xb9, 0x9a, 0x87, 0x89, 0x17, 0xf0, 0x7d, + 0xa8, 0xa0, 0x29, 0xa8, 0x93, 0xc0, 0x59, 0xf3, 0xc9, 0xd2, 0xcc, 0x3c, 0x2b, 0xa1, 0x62, 0x9c, + 0xe4, 0x5d, 0x96, 0x00, 0xac, 0x71, 0x54, 0x5c, 0xd9, 0x68, 0xdf, 0xeb, 0xf4, 0x96, 0xe1, 0x6c, + 0xcb, 0xed, 
0x50, 0xdd, 0xc3, 0x73, 0xc9, 0xb4, 0xcb, 0x62, 0xab, 0xe8, 0x87, 0xe1, 0x65, 0xe5, + 0x54, 0xd0, 0xe4, 0xdc, 0xcc, 0x72, 0x0f, 0x0e, 0xce, 0x7d, 0x92, 0xae, 0xb1, 0x4e, 0x14, 0x6e, + 0xef, 0x8c, 0x9f, 0x49, 0xaf, 0xb1, 0x65, 0xda, 0x88, 0x39, 0x0c, 0x5d, 0x03, 0xc4, 0x22, 0x70, + 0xaf, 0x26, 0x49, 0x47, 0x29, 0x3b, 0xe3, 0x67, 0xd9, 0x2b, 0x5d, 0x10, 0x4f, 0xa0, 0x2b, 0x3d, + 0x18, 0x38, 0xe7, 0x29, 0xfb, 0xdf, 0x5a, 0x70, 0x42, 0xad, 0xd7, 0x07, 0x10, 0x83, 0xee, 0xa7, + 0x63, 0xd0, 0xe7, 0x8e, 0x2e, 0xf1, 0x58, 0xcf, 0xfb, 0x04, 0x32, 0xfe, 0xec, 0x08, 0x80, 0x96, + 0x8a, 0x6a, 0x43, 0xb2, 0xfa, 0x6e, 0x48, 0x8f, 0xac, 0x44, 0xca, 0xab, 0x97, 0x50, 0x7d, 0xb8, + 0xf5, 0x12, 0x56, 0xe0, 0x9c, 0x54, 0x17, 0xf8, 0x59, 0xd1, 0xd5, 0x30, 0x56, 0x02, 0xae, 0xd6, + 0x78, 0x52, 0x10, 0x3a, 0x37, 0x9f, 0x87, 0x84, 0xf3, 0x9f, 0x4d, 0x69, 0x29, 0xc3, 0xfb, 0x69, + 0x29, 0x7a, 0x4d, 0x2f, 0xac, 0xcb, 0x82, 0xf8, 0x99, 0x35, 0xbd, 0x70, 0x65, 0x05, 0x6b, 0x9c, + 0x7c, 0xc1, 0x5e, 0x2f, 0x48, 0xb0, 0xc3, 0x81, 0x05, 0xbb, 0x14, 0x31, 0x23, 0x7d, 0x45, 0x8c, + 0xf4, 0x49, 0x8f, 0xf6, 0xf5, 0x49, 0xbf, 0x0f, 0x4e, 0x7a, 0xc1, 0x06, 0x89, 0xbc, 0x84, 0x34, + 0xd9, 0x5a, 0x60, 0xe2, 0xa7, 0xa6, 0xb7, 0xf5, 0xf9, 0x14, 0x14, 0x67, 0xb0, 0xd3, 0x72, 0xf1, + 0xe4, 0x00, 0x72, 0xb1, 0xcf, 0x6e, 0x74, 0xaa, 0x98, 0xdd, 0xe8, 0xf4, 0xd1, 0x77, 0xa3, 0xb1, + 0x63, 0xdd, 0x8d, 0x50, 0x21, 0xbb, 0xd1, 0x40, 0x82, 0xde, 0x30, 0xff, 0xce, 0xee, 0x63, 0xfe, + 0xf5, 0xdb, 0x8a, 0xce, 0x1d, 0x7a, 0x2b, 0xca, 0xdf, 0x65, 0x1e, 0x3b, 0xd4, 0x2e, 0xf3, 0xe9, + 0x12, 0x9c, 0xd3, 0x72, 0x98, 0xce, 0x7e, 0x6f, 0x9d, 0x4a, 0x22, 0x76, 0xa7, 0x0a, 0x3f, 0xb7, + 0x31, 0x52, 0x22, 0x74, 0x76, 0x85, 0x82, 0x60, 0x03, 0x8b, 0x65, 0x16, 0x90, 0x88, 0x15, 0xcf, + 0xcc, 0x0a, 0xe9, 0x19, 0xd1, 0x8e, 0x15, 0x06, 0x9d, 0x5f, 0xf4, 0xb7, 0xc8, 0xd6, 0xca, 0x96, + 0x88, 0x9a, 0xd1, 0x20, 0x6c, 0xe2, 0xa1, 0x67, 0x39, 0x13, 0x26, 0x20, 0xa8, 0xa0, 0x1e, 0x15, + 0x97, 0x2c, 0x4a, 0x99, 0xa0, 0xa0, 0xb2, 0x3b, 
0x2c, 0x85, 0xa4, 0xda, 0xdb, 0x1d, 0x16, 0x02, + 0xa5, 0x30, 0xec, 0xff, 0x66, 0xc1, 0xf9, 0xdc, 0xa1, 0x78, 0x00, 0x9b, 0xef, 0x76, 0x7a, 0xf3, + 0x5d, 0x29, 0xca, 0xdc, 0x30, 0xde, 0xa2, 0xcf, 0x46, 0xfc, 0xaf, 0x2d, 0x38, 0xa9, 0xf1, 0x1f, + 0xc0, 0xab, 0x7a, 0xe9, 0x57, 0x2d, 0xce, 0xb2, 0xaa, 0xf7, 0xbc, 0xdb, 0xef, 0x96, 0x40, 0x95, + 0x6d, 0x9b, 0x76, 0x65, 0x51, 0xcc, 0x7d, 0x4e, 0x12, 0x77, 0x60, 0x88, 0x1d, 0x84, 0xc6, 0xc5, + 0x04, 0x79, 0xa4, 0xf9, 0xb3, 0x43, 0x55, 0x7d, 0xc8, 0xcc, 0xfe, 0xc6, 0x58, 0x30, 0x64, 0xa5, + 0x5d, 0xbd, 0x98, 0x4a, 0xf3, 0xa6, 0x48, 0xc6, 0xd0, 0xa5, 0x5d, 0x45, 0x3b, 0x56, 0x18, 0x74, + 0x7b, 0xf0, 0xdc, 0x30, 0x98, 0xf1, 0x9d, 0x58, 0x5e, 0x24, 0xa6, 0xb6, 0x87, 0x79, 0x09, 0xc0, + 0x1a, 0x87, 0x9d, 0x91, 0x7a, 0x71, 0xc7, 0x77, 0x76, 0x0c, 0xfb, 0xd9, 0xc8, 0x4a, 0x56, 0x20, + 0x6c, 0xe2, 0xd9, 0x6d, 0x18, 0x4f, 0xbf, 0xc4, 0x2c, 0x59, 0x67, 0x01, 0x8a, 0x03, 0x0d, 0xe7, + 0x14, 0xd4, 0x1d, 0xf6, 0xd4, 0x42, 0xd7, 0xc9, 0xde, 0xff, 0x3b, 0x2d, 0x01, 0x58, 0xe3, 0xd8, + 0xbf, 0x66, 0xc1, 0x99, 0x9c, 0x41, 0x2b, 0x30, 0xd9, 0x25, 0xd1, 0xd2, 0x26, 0x6f, 0x63, 0x7f, + 0x17, 0x0c, 0x37, 0xc9, 0xba, 0x23, 0x43, 0xe0, 0x0c, 0xd9, 0x3e, 0xcb, 0x9b, 0xb1, 0x84, 0xdb, + 0xff, 0xc5, 0x82, 0x53, 0xe9, 0xbe, 0xc6, 0x54, 0x3a, 0xf3, 0x97, 0x99, 0xf5, 0x62, 0x37, 0xdc, + 0x22, 0xd1, 0x0e, 0x7d, 0x73, 0xde, 0x6b, 0x25, 0x9d, 0xa7, 0x7b, 0x30, 0x70, 0xce, 0x53, 0xac, + 0x68, 0x63, 0x53, 0x8d, 0xb6, 0x9c, 0x91, 0xb7, 0x8a, 0x9c, 0x91, 0xfa, 0x63, 0x9a, 0xc7, 0xe5, + 0x8a, 0x25, 0x36, 0xf9, 0xdb, 0xdf, 0xa9, 0x80, 0xca, 0x86, 0x63, 0xf1, 0x47, 0x05, 0x45, 0x6f, + 0xa5, 0xee, 0x3c, 0x2a, 0x0f, 0x70, 0xe7, 0x91, 0x9c, 0x0c, 0x95, 0xfb, 0x05, 0x04, 0x70, 0x2f, + 0x89, 0xe9, 0xba, 0x54, 0x6f, 0xb8, 0xaa, 0x41, 0xd8, 0xc4, 0xa3, 0x3d, 0xf1, 0xbd, 0x2d, 0xc2, + 0x1f, 0x1a, 0x4a, 0xf7, 0x64, 0x41, 0x02, 0xb0, 0xc6, 0xa1, 0x3d, 0x69, 0x7a, 0xeb, 0xeb, 0xc2, + 0xe4, 0x57, 0x3d, 0xa1, 0xa3, 0x83, 0x19, 0x84, 0xd7, 0xe1, 0x0d, 0x37, 0x85, 0x16, 
0x6c, 0xd4, + 0xe1, 0x0d, 0x37, 0x31, 0x83, 0x50, 0xbd, 0x2d, 0x08, 0xa3, 0x36, 0xbb, 0x9f, 0xb9, 0xa9, 0xb8, + 0x08, 0xed, 0x57, 0xe9, 0x6d, 0x37, 0x7a, 0x51, 0x70, 0xde, 0x73, 0x74, 0x06, 0x76, 0x22, 0xd2, + 0xf4, 0xdc, 0xc4, 0xa4, 0x06, 0xe9, 0x19, 0xb8, 0xdc, 0x83, 0x81, 0x73, 0x9e, 0x42, 0xd3, 0x70, + 0x4a, 0x66, 0x33, 0xca, 0x5a, 0x15, 0x23, 0xe9, 0xdc, 0x78, 0x9c, 0x06, 0xe3, 0x2c, 0x3e, 0x95, + 0x6a, 0x6d, 0x51, 0xa6, 0x86, 0x29, 0xcb, 0x86, 0x54, 0x93, 0xe5, 0x6b, 0xb0, 0xc2, 0xb0, 0x3f, + 0x59, 0xa6, 0xbb, 0x70, 0x9f, 0xf2, 0x4c, 0x0f, 0x2c, 0x5a, 0x30, 0x3d, 0x23, 0x2b, 0x03, 0xcc, + 0xc8, 0x17, 0x61, 0xf4, 0x4e, 0x1c, 0x06, 0x2a, 0x12, 0xaf, 0xda, 0x37, 0x12, 0xcf, 0xc0, 0xca, + 0x8f, 0xc4, 0x1b, 0x2a, 0x2a, 0x12, 0x6f, 0xf8, 0x90, 0x91, 0x78, 0xdf, 0xaa, 0x82, 0xba, 0x10, + 0xe0, 0x06, 0x49, 0xee, 0x86, 0xd1, 0xa6, 0x17, 0xb4, 0x58, 0x16, 0xe8, 0xd7, 0x2c, 0x18, 0xe5, + 0xeb, 0x65, 0xc1, 0xcc, 0xa4, 0x5a, 0x2f, 0xa8, 0xd2, 0x7c, 0x8a, 0xd9, 0xe4, 0xaa, 0xc1, 0x28, + 0x73, 0x8f, 0x9d, 0x09, 0xc2, 0xa9, 0x1e, 0xa1, 0x8f, 0x01, 0x48, 0xff, 0xe8, 0xba, 0x14, 0x99, + 0xf3, 0xc5, 0xf4, 0x0f, 0x93, 0x75, 0xad, 0x03, 0xaf, 0x2a, 0x26, 0xd8, 0x60, 0x88, 0x3e, 0x9d, + 0xbd, 0xbf, 0xfe, 0x23, 0xc7, 0x32, 0x36, 0x83, 0xe4, 0x98, 0x61, 0x18, 0xf6, 0x82, 0x16, 0x9d, + 0x27, 0x22, 0x62, 0xe9, 0x87, 0xf2, 0x32, 0xa8, 0x17, 0x42, 0xa7, 0xd9, 0x70, 0x7c, 0x27, 0x70, + 0x49, 0x34, 0xcf, 0xd1, 0xcd, 0xdb, 0x5b, 0x59, 0x03, 0x96, 0x84, 0x7a, 0xae, 0x52, 0xa8, 0x0e, + 0x72, 0x95, 0xc2, 0x85, 0xf7, 0xc3, 0x58, 0xcf, 0xc7, 0x3c, 0x50, 0x4a, 0xd9, 0xe1, 0xb3, 0xd1, + 0xec, 0x7f, 0x3a, 0xa4, 0x37, 0xad, 0x1b, 0x61, 0x93, 0x17, 0xf4, 0x8f, 0xf4, 0x17, 0x15, 0x3a, + 0x6e, 0x81, 0x53, 0xc4, 0xb8, 0x01, 0x56, 0x35, 0x62, 0x93, 0x25, 0x9d, 0xa3, 0x1d, 0x27, 0x22, + 0xc1, 0x71, 0xcf, 0xd1, 0x65, 0xc5, 0x04, 0x1b, 0x0c, 0xd1, 0x46, 0x2a, 0xa7, 0xe4, 0xca, 0xd1, + 0x73, 0x4a, 0x58, 0x6d, 0x99, 0xbc, 0x1a, 0xdc, 0x5f, 0xb4, 0xe0, 0x64, 0x90, 0x9a, 0xb9, 0xc5, + 0x84, 0x91, 0xe6, 0xaf, 
0x0a, 0x7e, 0x9f, 0x4c, 0xba, 0x0d, 0x67, 0xf8, 0xe7, 0x6d, 0x69, 0xd5, + 0x03, 0x6e, 0x69, 0xfa, 0x66, 0x90, 0xa1, 0x7e, 0x37, 0x83, 0xa0, 0x40, 0x5d, 0x8d, 0x34, 0x5c, + 0xf8, 0xd5, 0x48, 0x90, 0x73, 0x2d, 0xd2, 0x6d, 0xa8, 0xbb, 0x11, 0x71, 0x92, 0x43, 0xde, 0x92, + 0xc3, 0x0e, 0xe8, 0x67, 0x24, 0x01, 0xac, 0x69, 0xd9, 0xff, 0xab, 0x02, 0xa7, 0xe5, 0x88, 0xc8, + 0x10, 0x74, 0xba, 0x3f, 0x72, 0xbe, 0x5a, 0xb9, 0x55, 0xfb, 0xe3, 0x55, 0x09, 0xc0, 0x1a, 0x87, + 0xea, 0x63, 0xdd, 0x98, 0x2c, 0x75, 0x48, 0xb0, 0xe0, 0xad, 0xc5, 0xe2, 0x9c, 0x53, 0x2d, 0x94, + 0x9b, 0x1a, 0x84, 0x4d, 0x3c, 0xaa, 0x8c, 0x73, 0xbd, 0x38, 0xce, 0xa6, 0xaf, 0x08, 0x7d, 0x1b, + 0x4b, 0x38, 0xfa, 0xc5, 0xdc, 0x7a, 0x91, 0xc5, 0x24, 0x6e, 0xf5, 0x44, 0xde, 0x1f, 0xf0, 0x62, + 0xb5, 0xbf, 0x61, 0xc1, 0x39, 0xde, 0x2a, 0x47, 0xf2, 0x66, 0xa7, 0xe9, 0x24, 0x24, 0x2e, 0xa6, + 0x7e, 0x73, 0x4e, 0xff, 0xb4, 0x93, 0x37, 0x8f, 0x2d, 0xce, 0xef, 0x0d, 0xfa, 0x82, 0x05, 0xa7, + 0x36, 0x53, 0x99, 0xfe, 0x72, 0xeb, 0x38, 0x62, 0x4d, 0x9a, 0x74, 0xf9, 0x00, 0xbd, 0xd4, 0xd2, + 0xed, 0x31, 0xce, 0x72, 0xb7, 0xff, 0xcc, 0x02, 0x53, 0x8c, 0x0e, 0xa6, 0x01, 0x1a, 0x57, 0xd9, + 0x96, 0xf6, 0xb9, 0xca, 0x56, 0x2a, 0x8b, 0xe5, 0xc1, 0x8c, 0x93, 0xca, 0x01, 0x8c, 0x93, 0x6a, + 0x5f, 0xed, 0xf2, 0x49, 0x28, 0x77, 0xbd, 0xa6, 0xb0, 0x2f, 0xf4, 0xe9, 0xeb, 0xfc, 0x2c, 0xa6, + 0xed, 0xf6, 0x3f, 0xaa, 0x6a, 0xbf, 0x85, 0xc8, 0x8b, 0xfa, 0xbe, 0x78, 0xed, 0x75, 0x55, 0x62, + 0x88, 0xbf, 0xf9, 0x8d, 0x9e, 0x12, 0x43, 0x3f, 0x7a, 0xf0, 0xb4, 0x37, 0x3e, 0x40, 0xfd, 0x2a, + 0x0c, 0x0d, 0xef, 0x93, 0xf3, 0x76, 0x07, 0x6a, 0xd4, 0x04, 0x63, 0x0e, 0xc8, 0x5a, 0xaa, 0x53, + 0xb5, 0xab, 0xa2, 0xfd, 0xde, 0xee, 0xc4, 0x8f, 0x1c, 0xbc, 0x5b, 0xf2, 0x69, 0xac, 0xe8, 0xa3, + 0x18, 0xea, 0xf4, 0x37, 0x4b, 0xcf, 0x13, 0xc6, 0xdd, 0x4d, 0x25, 0x33, 0x25, 0xa0, 0x90, 0xdc, + 0x3f, 0xcd, 0x07, 0x05, 0x50, 0x67, 0x77, 0x50, 0x32, 0xa6, 0xdc, 0x06, 0x5c, 0x56, 0x49, 0x72, + 0x12, 0x70, 0x6f, 0x77, 0xe2, 0x95, 0x83, 0x33, 0x55, 0x8f, 
0x63, 0xcd, 0xc2, 0xfe, 0x52, 0x45, + 0xcf, 0x5d, 0x51, 0x59, 0xea, 0xfb, 0x62, 0xee, 0xbe, 0x9c, 0x99, 0xbb, 0x17, 0x7b, 0xe6, 0xee, + 0x49, 0x7d, 0x57, 0x62, 0x6a, 0x36, 0x3e, 0x68, 0x45, 0x60, 0x7f, 0x7f, 0x03, 0xd3, 0x80, 0xde, + 0xec, 0x7a, 0x11, 0x89, 0x97, 0xa3, 0x6e, 0xe0, 0x05, 0x2d, 0x71, 0x07, 0xbe, 0xa1, 0x01, 0xa5, + 0xc0, 0x38, 0x8b, 0xcf, 0xee, 0xcf, 0xdf, 0x09, 0xdc, 0xdb, 0xce, 0x16, 0x9f, 0x55, 0x46, 0xb1, + 0x9d, 0x15, 0xd1, 0x8e, 0x15, 0x86, 0xfd, 0x0d, 0x76, 0x96, 0x6d, 0xe4, 0x05, 0xd3, 0x39, 0xe1, + 0xb3, 0x4b, 0x3f, 0x79, 0xa5, 0x1e, 0x35, 0x27, 0xf8, 0x4d, 0x9f, 0x1c, 0x86, 0xee, 0xc2, 0xf0, + 0x1a, 0xbf, 0xf5, 0xaa, 0x98, 0xaa, 0xc4, 0xe2, 0x0a, 0x2d, 0x76, 0xb7, 0x81, 0xbc, 0x4f, 0xeb, + 0x9e, 0xfe, 0x89, 0x25, 0x37, 0xfb, 0x9b, 0x15, 0x38, 0x95, 0xb9, 0x16, 0x32, 0x55, 0x23, 0xb1, + 0xb4, 0x6f, 0x8d, 0xc4, 0x0f, 0x03, 0x34, 0x49, 0xc7, 0x0f, 0x77, 0x98, 0x3a, 0x56, 0x39, 0xb0, + 0x3a, 0xa6, 0x34, 0xf8, 0x59, 0x45, 0x05, 0x1b, 0x14, 0x45, 0x79, 0x22, 0x5e, 0x72, 0x31, 0x53, + 0x9e, 0xc8, 0xa8, 0x5d, 0x3e, 0xf4, 0x60, 0x6b, 0x97, 0x7b, 0x70, 0x8a, 0x77, 0x51, 0x65, 0xdf, + 0x1e, 0x22, 0xc9, 0x96, 0xe5, 0x2f, 0xcc, 0xa6, 0xc9, 0xe0, 0x2c, 0xdd, 0x87, 0x79, 0xeb, 0x2b, + 0x7a, 0x37, 0xd4, 0xe5, 0x77, 0x8e, 0xc7, 0xeb, 0xba, 0x82, 0x81, 0x9c, 0x06, 0xec, 0x36, 0x56, + 0xf1, 0xd3, 0xfe, 0x7c, 0x89, 0x6a, 0xcf, 0xfc, 0x9f, 0xaa, 0x44, 0xf3, 0x0c, 0x0c, 0x39, 0xdd, + 0x64, 0x23, 0xec, 0xb9, 0x39, 0x6b, 0x9a, 0xb5, 0x62, 0x01, 0x45, 0x0b, 0x50, 0x69, 0xea, 0xea, + 0x22, 0x07, 0x19, 0x45, 0xed, 0x88, 0x74, 0x12, 0x82, 0x19, 0x15, 0xf4, 0x04, 0x54, 0x12, 0xa7, + 0x25, 0x13, 0x9d, 0x58, 0x72, 0xeb, 0xaa, 0xd3, 0x8a, 0x31, 0x6b, 0x35, 0x37, 0xcd, 0xca, 0x3e, + 0x9b, 0xe6, 0x2b, 0x70, 0x22, 0xf6, 0x5a, 0x81, 0x93, 0x74, 0x23, 0x62, 0x1c, 0xae, 0xe9, 0x78, + 0x09, 0x13, 0x88, 0xd3, 0xb8, 0xf6, 0x6f, 0x8d, 0xc2, 0xd9, 0x95, 0x99, 0x45, 0x59, 0x29, 0xf7, + 0xd8, 0x72, 0x95, 0xf2, 0x78, 0x3c, 0xb8, 0x5c, 0xa5, 0x3e, 0xdc, 0x7d, 0x23, 0x57, 0xc9, 0x37, + 
0x72, 0x95, 0xd2, 0x89, 0x23, 0xe5, 0x22, 0x12, 0x47, 0xf2, 0x7a, 0x30, 0x48, 0xe2, 0xc8, 0xb1, + 0x25, 0x2f, 0xdd, 0xb7, 0x43, 0x07, 0x4a, 0x5e, 0x52, 0x99, 0x5d, 0x85, 0x84, 0xf4, 0xf7, 0xf9, + 0x54, 0xb9, 0x99, 0x5d, 0x2a, 0xab, 0x86, 0xa7, 0xab, 0x08, 0x01, 0xfb, 0x7a, 0xf1, 0x1d, 0x18, + 0x20, 0xab, 0x46, 0x64, 0xcc, 0x98, 0x99, 0x5c, 0xc3, 0x45, 0x64, 0x72, 0xe5, 0x75, 0x67, 0xdf, + 0x4c, 0xae, 0x57, 0xe0, 0x84, 0xeb, 0x87, 0x01, 0x59, 0x8e, 0xc2, 0x24, 0x74, 0x43, 0x5f, 0x28, + 0xd3, 0x4a, 0x24, 0xcc, 0x98, 0x40, 0x9c, 0xc6, 0xed, 0x97, 0x06, 0x56, 0x3f, 0x6a, 0x1a, 0x18, + 0x3c, 0xa4, 0x34, 0xb0, 0x9f, 0xd3, 0x09, 0xcb, 0x23, 0xec, 0x8b, 0x7c, 0xb8, 0xf8, 0x2f, 0x32, + 0x48, 0xd6, 0x32, 0xfa, 0x0a, 0xbf, 0xba, 0x8a, 0xaa, 0xa3, 0x33, 0x61, 0x9b, 0xaa, 0x5b, 0xa3, + 0x6c, 0x48, 0xde, 0x38, 0x86, 0x09, 0x7b, 0x7b, 0x45, 0xb3, 0x51, 0xd7, 0x59, 0xe9, 0x26, 0x9c, + 0xee, 0xc8, 0x51, 0x12, 0xaa, 0xbf, 0x5a, 0x82, 0x1f, 0xd8, 0xb7, 0x0b, 0xe8, 0x2e, 0x40, 0xe2, + 0xb4, 0xc4, 0x44, 0x15, 0xc7, 0x14, 0x47, 0x0c, 0x6a, 0x5c, 0x95, 0xf4, 0x78, 0x25, 0x10, 0xf5, + 0x97, 0x1d, 0x00, 0xc8, 0xdf, 0x2c, 0x96, 0x31, 0xf4, 0x7b, 0xaa, 0x1e, 0xe2, 0xd0, 0x27, 0x98, + 0x41, 0xe8, 0xf6, 0x1f, 0x91, 0x96, 0xbe, 0x6b, 0x55, 0x7d, 0x3e, 0xcc, 0x5a, 0xb1, 0x80, 0xa2, + 0x97, 0x60, 0xc4, 0xf1, 0x7d, 0x9e, 0x95, 0x42, 0x62, 0x71, 0x77, 0x85, 0xae, 0xdc, 0xa6, 0x41, + 0xd8, 0xc4, 0xb3, 0xff, 0xb4, 0x04, 0x13, 0xfb, 0xc8, 0x94, 0x9e, 0x3c, 0xbb, 0xea, 0xc0, 0x79, + 0x76, 0x22, 0x33, 0x60, 0xa8, 0x4f, 0x66, 0xc0, 0x4b, 0x30, 0x92, 0x10, 0xa7, 0x2d, 0xc2, 0xa0, + 0x84, 0xfd, 0xad, 0xcf, 0x5d, 0x35, 0x08, 0x9b, 0x78, 0x54, 0x8a, 0x9d, 0x74, 0x5c, 0x97, 0xc4, + 0xb1, 0x0c, 0xfd, 0x17, 0x3e, 0xcc, 0xc2, 0xf2, 0x0a, 0x98, 0x6b, 0x78, 0x3a, 0xc5, 0x02, 0x67, + 0x58, 0x66, 0x07, 0xbc, 0x3e, 0xe0, 0x80, 0x7f, 0xbd, 0x04, 0x4f, 0xde, 0x77, 0x77, 0x1b, 0x38, + 0x2b, 0xa3, 0x1b, 0x93, 0x28, 0x3b, 0x71, 0x6e, 0xc6, 0x24, 0xc2, 0x0c, 0xc2, 0x47, 0xa9, 0xd3, + 0x31, 0xee, 0xb2, 0x2d, 0x3a, 0x65, 
0x88, 0x8f, 0x52, 0x8a, 0x05, 0xce, 0xb0, 0x3c, 0xec, 0xb4, + 0xfc, 0x3b, 0x25, 0x78, 0x7a, 0x00, 0x1d, 0xa0, 0xc0, 0xd4, 0xaa, 0x74, 0x82, 0x5b, 0xf9, 0x21, + 0xe5, 0x21, 0x1e, 0x72, 0xb8, 0xbe, 0x51, 0x82, 0x0b, 0xfd, 0xb7, 0x62, 0xf4, 0x63, 0xd4, 0x86, + 0x97, 0xb1, 0x4f, 0x66, 0x6e, 0xdc, 0x19, 0x6e, 0xbf, 0xa7, 0x40, 0x38, 0x8b, 0x8b, 0x26, 0x01, + 0x3a, 0x4e, 0xb2, 0x11, 0x5f, 0xde, 0xf6, 0xe2, 0x44, 0xd4, 0x7e, 0x39, 0xc9, 0x4f, 0x8c, 0x64, + 0x2b, 0x36, 0x30, 0x28, 0x3b, 0xf6, 0x6f, 0x36, 0xbc, 0x11, 0x26, 0xfc, 0x21, 0x6e, 0x46, 0x9c, + 0x91, 0xf5, 0xf1, 0x0d, 0x10, 0xce, 0xe2, 0x52, 0x76, 0xec, 0x4c, 0x92, 0x77, 0x94, 0xdb, 0x17, + 0x8c, 0xdd, 0x82, 0x6a, 0xc5, 0x06, 0x46, 0x36, 0xeb, 0xaf, 0xba, 0x7f, 0xd6, 0x9f, 0xfd, 0x0f, + 0x4b, 0x70, 0xbe, 0xaf, 0x2a, 0x37, 0xd8, 0x02, 0x7c, 0xf4, 0x32, 0xf5, 0x0e, 0x37, 0x77, 0x0e, + 0x98, 0x51, 0xf6, 0xc7, 0x7d, 0x66, 0x9a, 0xc8, 0x28, 0x3b, 0x7c, 0x4a, 0xf6, 0xa3, 0x37, 0x9e, + 0x3d, 0x49, 0x64, 0x95, 0x03, 0x24, 0x91, 0x65, 0x3e, 0x46, 0x75, 0xc0, 0x85, 0xfc, 0x7b, 0xe5, + 0xbe, 0xc3, 0x4b, 0x4d, 0xbf, 0x81, 0xbc, 0xa3, 0xb3, 0x70, 0xda, 0x0b, 0xd8, 0x5d, 0x29, 0x2b, + 0xdd, 0x35, 0x51, 0x0e, 0xa4, 0x94, 0xbe, 0xa9, 0x78, 0x3e, 0x03, 0xc7, 0x3d, 0x4f, 0x3c, 0x82, + 0x49, 0x7d, 0x87, 0x1b, 0xd2, 0x83, 0xa5, 0x95, 0xa2, 0x25, 0x38, 0x27, 0x87, 0x62, 0xc3, 0x89, + 0x48, 0x53, 0x6c, 0x23, 0xb1, 0x48, 0x63, 0x38, 0xcf, 0x53, 0x21, 0x72, 0x10, 0x70, 0xfe, 0x73, + 0xf6, 0x87, 0xa1, 0xae, 0x5e, 0x8d, 0xc7, 0x49, 0xab, 0xf9, 0xd4, 0x13, 0x27, 0xad, 0x26, 0x93, + 0x81, 0x45, 0x3f, 0x04, 0xd5, 0x76, 0x33, 0x0b, 0xe3, 0x3a, 0xd9, 0x61, 0xaa, 0xaf, 0xfd, 0x1e, + 0x18, 0x55, 0x2e, 0x94, 0x41, 0xef, 0xe3, 0xb0, 0xbf, 0x34, 0x04, 0x27, 0x52, 0xd5, 0xf6, 0x52, + 0x1e, 0x4b, 0x6b, 0x5f, 0x8f, 0x25, 0x8b, 0x7b, 0xef, 0x06, 0xf2, 0xb2, 0x1e, 0x23, 0xee, 0xbd, + 0x1b, 0x10, 0xcc, 0x61, 0x54, 0x73, 0x6d, 0x46, 0x3b, 0xb8, 0x1b, 0x88, 0xf8, 0x54, 0xa5, 0xb9, + 0xce, 0xb2, 0x56, 0x2c, 0xa0, 0xe8, 0x13, 0x16, 0x8c, 0xc6, 0xcc, 0x1d, 
0xce, 0xfd, 0xbd, 0x62, + 0x3e, 0x5d, 0x3b, 0x7a, 0x31, 0x41, 0x55, 0x59, 0x92, 0x85, 0x9c, 0x98, 0x2d, 0x38, 0xc5, 0x11, + 0xfd, 0x8c, 0x05, 0x75, 0x75, 0xa7, 0x80, 0xb8, 0x51, 0x6b, 0xa5, 0xd8, 0x62, 0x86, 0xdc, 0x51, + 0xa8, 0x4e, 0x16, 0xf4, 0x25, 0xe1, 0x9a, 0x31, 0x8a, 0x95, 0x33, 0x76, 0xf8, 0x78, 0x9c, 0xb1, + 0x90, 0xe3, 0x88, 0x7d, 0x37, 0xd4, 0xdb, 0x4e, 0xe0, 0xad, 0x93, 0x38, 0xe1, 0xfe, 0x51, 0x59, + 0x63, 0x55, 0x36, 0x62, 0x0d, 0xa7, 0x7b, 0x6d, 0xcc, 0x5e, 0x2c, 0x31, 0x1c, 0x9a, 0x6c, 0xaf, + 0x5d, 0xd1, 0xcd, 0xd8, 0xc4, 0x31, 0xbd, 0xaf, 0xf0, 0x50, 0xbd, 0xaf, 0x23, 0xfb, 0x78, 0x5f, + 0xff, 0x9e, 0x05, 0xe7, 0x72, 0xbf, 0xda, 0xa3, 0x1b, 0x49, 0x68, 0x7f, 0xb9, 0x0a, 0x67, 0x72, + 0xca, 0x66, 0xa2, 0x1d, 0x73, 0x3e, 0x5b, 0x45, 0x1c, 0xca, 0xa7, 0xcf, 0x98, 0xe5, 0x30, 0xe6, + 0x4c, 0xe2, 0x83, 0x9d, 0x7d, 0xe8, 0xf3, 0x87, 0xf2, 0x83, 0x3d, 0x7f, 0x30, 0xa6, 0x65, 0xe5, + 0xa1, 0x4e, 0xcb, 0xea, 0xfd, 0xa7, 0x25, 0xfa, 0x75, 0x0b, 0xc6, 0xdb, 0x7d, 0x6a, 0xb5, 0x0b, + 0x9f, 0xe2, 0xad, 0xe3, 0xa9, 0x04, 0xdf, 0x78, 0x62, 0x6f, 0x77, 0xa2, 0x6f, 0x89, 0x7c, 0xdc, + 0xb7, 0x57, 0xf6, 0x77, 0xca, 0xc0, 0x6a, 0xb6, 0xb2, 0xd2, 0x68, 0x3b, 0xe8, 0xe3, 0x66, 0xf5, + 0x5d, 0xab, 0xa8, 0x4a, 0xb1, 0x9c, 0xb8, 0xaa, 0xde, 0xcb, 0x47, 0x30, 0xaf, 0x98, 0x6f, 0x56, + 0x68, 0x95, 0x06, 0x10, 0x5a, 0xbe, 0x2c, 0x73, 0x5c, 0x2e, 0xbe, 0xcc, 0x71, 0x3d, 0x5b, 0xe2, + 0xf8, 0xfe, 0x9f, 0xb8, 0xf2, 0x48, 0x7e, 0xe2, 0xbf, 0x66, 0x71, 0xc1, 0x93, 0xf9, 0x0a, 0x5a, + 0x33, 0xb0, 0xee, 0xa3, 0x19, 0x3c, 0xc7, 0xae, 0x7b, 0x5f, 0xbf, 0x4a, 0x1c, 0x5f, 0x68, 0x10, + 0xe6, 0xcd, 0xed, 0xac, 0x1d, 0x2b, 0x0c, 0x76, 0xfb, 0xa1, 0xef, 0x87, 0x77, 0x2f, 0xb7, 0x3b, + 0xc9, 0x8e, 0xd0, 0x25, 0xf4, 0xed, 0x87, 0x0a, 0x82, 0x0d, 0x2c, 0xfb, 0xaf, 0x97, 0xf8, 0x0c, + 0x14, 0x51, 0x05, 0x2f, 0x67, 0xee, 0xab, 0x1a, 0xfc, 0x40, 0xfe, 0xa3, 0x00, 0xae, 0xba, 0xe9, + 0x59, 0x1c, 0xf7, 0x5c, 0x3d, 0xf2, 0x35, 0xb4, 0x82, 0x9e, 0x7e, 0x0d, 0xdd, 0x86, 0x0d, 0x7e, + 0x29, 0x59, 
0x5a, 0xde, 0x57, 0x96, 0xa6, 0xc4, 0x4a, 0x65, 0x9f, 0xdd, 0xee, 0x4f, 0x2d, 0x48, + 0x69, 0x44, 0xa8, 0x03, 0x55, 0xda, 0xdd, 0x9d, 0x62, 0x2e, 0xb1, 0x36, 0x49, 0x53, 0xd1, 0x28, + 0xa6, 0x3d, 0xfb, 0x89, 0x39, 0x23, 0xe4, 0x8b, 0xe0, 0x83, 0x52, 0x11, 0x17, 0xad, 0x9b, 0x0c, + 0xaf, 0x86, 0xe1, 0x26, 0x3f, 0xb3, 0xd4, 0x81, 0x0c, 0xf6, 0xcb, 0x30, 0xd6, 0xd3, 0x29, 0x76, + 0x35, 0x4d, 0x28, 0x6f, 0xee, 0x36, 0xa6, 0x2b, 0xcb, 0x88, 0xc4, 0x1c, 0x66, 0x7f, 0xc3, 0x82, + 0xd3, 0x59, 0xf2, 0xe8, 0x2b, 0x16, 0x8c, 0xc5, 0x59, 0x7a, 0xc7, 0x35, 0x76, 0x2a, 0x80, 0xb0, + 0x07, 0x84, 0x7b, 0x3b, 0x61, 0xff, 0x6f, 0x31, 0xf9, 0x6f, 0x7b, 0x41, 0x33, 0xbc, 0xab, 0x14, + 0x13, 0xab, 0xaf, 0x62, 0x42, 0xd7, 0xa3, 0xbb, 0x41, 0x9a, 0x5d, 0xbf, 0x27, 0x15, 0x73, 0x45, + 0xb4, 0x63, 0x85, 0xc1, 0x32, 0xcf, 0xba, 0xa2, 0x0e, 0x7a, 0x66, 0x52, 0xce, 0x8a, 0x76, 0xac, + 0x30, 0xd0, 0x8b, 0x30, 0x6a, 0xde, 0x4e, 0x2f, 0xe6, 0x25, 0x53, 0xc8, 0xcd, 0x8b, 0xec, 0x71, + 0x0a, 0x0b, 0x4d, 0x02, 0x28, 0x25, 0x47, 0x6e, 0x91, 0xcc, 0x07, 0xa4, 0x24, 0x51, 0x8c, 0x0d, + 0x0c, 0x96, 0xe7, 0xc9, 0xaf, 0x80, 0x97, 0x61, 0xb6, 0x3c, 0xcf, 0x53, 0xb4, 0x61, 0x05, 0xa5, + 0xd2, 0xa4, 0xed, 0x04, 0x5d, 0xc7, 0xa7, 0x23, 0x24, 0xac, 0x3a, 0xb5, 0x0c, 0x17, 0x15, 0x04, + 0x1b, 0x58, 0xf4, 0x8d, 0x13, 0xaf, 0x4d, 0x5e, 0x0b, 0x03, 0x19, 0xf8, 0xa5, 0x4f, 0x74, 0x44, + 0x3b, 0x56, 0x18, 0xf6, 0x7f, 0xb2, 0xe0, 0x94, 0xce, 0x1a, 0xe7, 0x97, 0xd0, 0x9a, 0x46, 0xa8, + 0xb5, 0xaf, 0x11, 0x9a, 0x4e, 0xa7, 0x2d, 0x0d, 0x94, 0x4e, 0x6b, 0x66, 0xba, 0x96, 0xef, 0x9b, + 0xe9, 0xfa, 0x83, 0xfa, 0x82, 0x43, 0x9e, 0x12, 0x3b, 0x92, 0x77, 0xb9, 0x21, 0xb2, 0x61, 0xc8, + 0x75, 0x54, 0xc9, 0x94, 0x51, 0x6e, 0x3b, 0xcc, 0x4c, 0x33, 0x24, 0x01, 0xb1, 0x97, 0xa0, 0xae, + 0x0e, 0x36, 0xa4, 0xa1, 0x6a, 0xe5, 0x1b, 0xaa, 0x03, 0x65, 0xdc, 0x35, 0xd6, 0xbe, 0xf9, 0xdd, + 0xa7, 0xde, 0xf1, 0xfb, 0xdf, 0x7d, 0xea, 0x1d, 0x7f, 0xf4, 0xdd, 0xa7, 0xde, 0xf1, 0x89, 0xbd, + 0xa7, 0xac, 0x6f, 0xee, 0x3d, 0x65, 0xfd, 0xfe, 
0xde, 0x53, 0xd6, 0x1f, 0xed, 0x3d, 0x65, 0x7d, + 0x67, 0xef, 0x29, 0xeb, 0x8b, 0xff, 0xfe, 0xa9, 0x77, 0xbc, 0x96, 0x1b, 0xf9, 0x47, 0x7f, 0x3c, + 0xef, 0x36, 0xa7, 0xb6, 0x2e, 0xb1, 0xe0, 0x33, 0xba, 0xbc, 0xa6, 0x8c, 0x39, 0x35, 0x25, 0x97, + 0xd7, 0xff, 0x0d, 0x00, 0x00, 0xff, 0xff, 0x22, 0xdf, 0x41, 0x72, 0xd5, 0xd9, 0x00, 0x00, } func (m *AWSAuthConfig) Marshal() (dAtA []byte, err error) { @@ -11446,6 +11450,16 @@ func (m *ResourceAction) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + i -= len(m.DisplayName) + copy(dAtA[i:], m.DisplayName) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.DisplayName))) + i-- + dAtA[i] = 0x2a + i -= len(m.IconClass) + copy(dAtA[i:], m.IconClass) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.IconClass))) + i-- + dAtA[i] = 0x22 i-- if m.Disabled { dAtA[i] = 1 @@ -13023,6 +13037,16 @@ func (m *SCMProviderGeneratorGitlab) MarshalToSizedBuffer(dAtA []byte) (int, err _ = i var l int _ = l + if m.IncludeSharedProjects != nil { + i-- + if *m.IncludeSharedProjects { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x38 + } i-- if m.Insecure { dAtA[i] = 1 @@ -16260,6 +16284,10 @@ func (m *ResourceAction) Size() (n int) { } } n += 2 + l = len(m.IconClass) + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.DisplayName) + n += 1 + l + sovGenerated(uint64(l)) return n } @@ -16856,6 +16884,9 @@ func (m *SCMProviderGeneratorGitlab) Size() (n int) { } n += 2 n += 2 + if m.IncludeSharedProjects != nil { + n += 2 + } return n } @@ -19007,6 +19038,8 @@ func (this *ResourceAction) String() string { `Name:` + fmt.Sprintf("%v", this.Name) + `,`, `Params:` + repeatedStringForParams + `,`, `Disabled:` + fmt.Sprintf("%v", this.Disabled) + `,`, + `IconClass:` + fmt.Sprintf("%v", this.IconClass) + `,`, + `DisplayName:` + fmt.Sprintf("%v", this.DisplayName) + `,`, `}`, }, "") return s 
@@ -19425,6 +19458,7 @@ func (this *SCMProviderGeneratorGitlab) String() string { `TokenRef:` + strings.Replace(this.TokenRef.String(), "SecretRef", "SecretRef", 1) + `,`, `AllBranches:` + fmt.Sprintf("%v", this.AllBranches) + `,`, `Insecure:` + fmt.Sprintf("%v", this.Insecure) + `,`, + `IncludeSharedProjects:` + valueToStringGenerated(this.IncludeSharedProjects) + `,`, `}`, }, "") return s @@ -40596,6 +40630,70 @@ func (m *ResourceAction) Unmarshal(dAtA []byte) error { } } m.Disabled = bool(v != 0) + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IconClass", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.IconClass = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field DisplayName", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.DisplayName = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) 
@@ -46256,6 +46354,27 @@ func (m *SCMProviderGeneratorGitlab) Unmarshal(dAtA []byte) error { } } m.Insecure = bool(v != 0) + case 7: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field IncludeSharedProjects", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + b := bool(v != 0) + m.IncludeSharedProjects = &b default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) diff --git a/pkg/apis/application/v1alpha1/generated.proto b/pkg/apis/application/v1alpha1/generated.proto index 67fcf772d731b..7291baf390a11 100644 --- a/pkg/apis/application/v1alpha1/generated.proto +++ b/pkg/apis/application/v1alpha1/generated.proto @@ -130,14 +130,14 @@ message ApplicationCondition { // ApplicationDestination holds information about the application's destination message ApplicationDestination { - // Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API + // Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set. optional string server = 1; // Namespace specifies the target namespace for the application's resources. // The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace optional string namespace = 2; - // Name is an alternate way of specifying the target cluster by its symbolic name + // Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set. optional string name = 3; } @@ -1594,6 +1594,10 @@ message ResourceAction { repeated ResourceActionParam params = 2; optional bool disabled = 3; + + optional string iconClass = 4; + + optional string displayName = 5; } // TODO: describe this type 
@@ -2028,6 +2032,9 @@ message SCMProviderGeneratorGitlab { // Skips validating the SCM provider's TLS certificate - useful for self-signed certificates.; default: false optional bool insecure = 6; + + // When recursing through subgroups, also include shared Projects (true) or scan only the subgroups under same path (false). Defaults to "true" + optional bool includeSharedProjects = 7; } // Utility struct for a reference to a secret key. diff --git a/pkg/apis/application/v1alpha1/openapi_generated.go b/pkg/apis/application/v1alpha1/openapi_generated.go index d96f744fbe65f..9acb42e4e732c 100644 --- a/pkg/apis/application/v1alpha1/openapi_generated.go +++ b/pkg/apis/application/v1alpha1/openapi_generated.go @@ -595,7 +595,7 @@ func schema_pkg_apis_application_v1alpha1_ApplicationDestination(ref common.Refe Properties: map[string]spec.Schema{ "server": { SchemaProps: spec.SchemaProps{ - Description: "Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API", + Description: "Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.", Type: []string{"string"}, Format: "", }, @@ -609,7 +609,7 @@ func schema_pkg_apis_application_v1alpha1_ApplicationDestination(ref common.Refe }, "name": { SchemaProps: spec.SchemaProps{ - Description: "Name is an alternate way of specifying the target cluster by its symbolic name", + Description: "Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.", Type: []string{"string"}, Format: "", }, @@ -5514,6 +5514,18 @@ func schema_pkg_apis_application_v1alpha1_ResourceAction(ref common.ReferenceCal Format: "", }, }, + "iconClass": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "displayName": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, }, }, }, 
@@ -6937,6 +6949,13 @@ func schema_pkg_apis_application_v1alpha1_SCMProviderGeneratorGitlab(ref common. Format: "", }, }, + "includeSharedProjects": { + SchemaProps: spec.SchemaProps{ + Description: "When recursing through subgroups, also include shared Projects (true) or scan only the subgroups under same path (false). Defaults to \"true\"", + Type: []string{"boolean"}, + Format: "", + }, + }, }, Required: []string{"group"}, }, diff --git a/pkg/apis/application/v1alpha1/types.go b/pkg/apis/application/v1alpha1/types.go index cae6b16052174..4bf07fc2317da 100644 --- a/pkg/apis/application/v1alpha1/types.go +++ b/pkg/apis/application/v1alpha1/types.go @@ -16,7 +16,6 @@ import ( "time" "unicode" - "github.com/argoproj/argo-cd/v2/util/env" "github.com/argoproj/gitops-engine/pkg/health" synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" "github.com/robfig/cron/v3" @@ -36,6 +35,8 @@ import ( "k8s.io/client-go/tools/clientcmd/api" "sigs.k8s.io/yaml" + "github.com/argoproj/argo-cd/v2/util/env" + "github.com/argoproj/argo-cd/v2/common" "github.com/argoproj/argo-cd/v2/util/collections" "github.com/argoproj/argo-cd/v2/util/helm" 
@@ -859,12 +860,12 @@ func (c *ApplicationSourcePlugin) RemoveEnvEntry(key string) error {
 // ApplicationDestination holds information about the application's destination
 type ApplicationDestination struct {
- // Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API
+ // Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.
 Server string `json:"server,omitempty" protobuf:"bytes,1,opt,name=server"`
 // Namespace specifies the target namespace for the application's resources.
 // The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
 Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
- // Name is an alternate way of specifying the target cluster by its symbolic name
+ // Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.
 Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"`
 // nolint:govet
@@ -1942,9 +1943,11 @@ type ResourceActionDefinition struct {
 // TODO: describe this type
 // TODO: describe members of this type
 type ResourceAction struct {
- Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
- Params []ResourceActionParam `json:"params,omitempty" protobuf:"bytes,2,rep,name=params"`
- Disabled bool `json:"disabled,omitempty" protobuf:"varint,3,opt,name=disabled"`
+ Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+ Params []ResourceActionParam `json:"params,omitempty" protobuf:"bytes,2,rep,name=params"`
+ Disabled bool `json:"disabled,omitempty" protobuf:"varint,3,opt,name=disabled"`
+ IconClass string `json:"iconClass,omitempty" protobuf:"bytes,4,opt,name=iconClass"`
+ DisplayName string `json:"displayName,omitempty" protobuf:"bytes,5,opt,name=displayName"`
 }
 // TODO: describe this type
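Review bot: The reworded comments on `Server` and `Name` in `ApplicationDestination` say each field must be set when the other is not, but they leave the case where both are set unstated. These two fields decide which cluster receives the application's resources, so the comment should say whether setting both is rejected or which one wins. The validation is not visible in this hunk and the struct continues past it, so confirm the behaviour first; if both-set is an error, appending `Server and Name must not both be set.` to each comment would close the gap. The same wording is copied into generated.proto and openapi_generated.go, which are regenerated from this file.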
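Review bot: The new `IconClass` and `DisplayName` fields on `ResourceAction` are added without comments, and the struct still carries `// TODO: describe members of this type`. Judging by the names, both are presentation values that a UI will place into markup; the consumer is outside this hunk, so that is an inference. If they are populated from user-editable resource action configuration, the field docs should tell consumers to treat them as untrusted text. Suggested comments: `// IconClass is an optional icon class for the action; validate it as a plain class token before use in markup` and `// DisplayName is an optional human-readable label for the action; escape it when rendering`.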
diff --git a/pkg/apis/application/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/application/v1alpha1/zz_generated.deepcopy.go index 8d10b219f0be0..79b97e330ad09 100644 --- a/pkg/apis/application/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/application/v1alpha1/zz_generated.deepcopy.go @@ -3799,6 +3799,11 @@ func (in *SCMProviderGeneratorGitlab) DeepCopyInto(out *SCMProviderGeneratorGitl *out = new(SecretRef) **out = **in } + if in.IncludeSharedProjects != nil { + in, out := &in.IncludeSharedProjects, &out.IncludeSharedProjects + *out = new(bool) + **out = **in + } return } diff --git a/reposerver/apiclient/clientset.go b/reposerver/apiclient/clientset.go index c48a508d06599..4a42235b7049c 100644 --- a/reposerver/apiclient/clientset.go +++ b/reposerver/apiclient/clientset.go @@ -3,6 +3,7 @@ package apiclient import ( "crypto/tls" "crypto/x509" + "fmt" "time" grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware" @@ -48,7 +49,7 @@ type clientSet struct { func (c *clientSet) NewRepoServerClient() (io.Closer, RepoServerServiceClient, error) { conn, err := NewConnection(c.address, c.timeoutSeconds, &c.tlsConfig) if err != nil { - return nil, nil, err + return nil, nil, fmt.Errorf("failed to open a new connection to repo server: %w", err) } return conn, NewRepoServerServiceClient(conn), nil } diff --git a/reposerver/apiclient/repository.pb.go b/reposerver/apiclient/repository.pb.go index 4c05248b87e16..3dcacedd00933 100644 --- a/reposerver/apiclient/repository.pb.go +++ b/reposerver/apiclient/repository.pb.go 
@@ -46,21 +46,17 @@ type ManifestRequest struct { KubeVersion string `protobuf:"bytes,14,opt,name=kubeVersion,proto3" json:"kubeVersion,omitempty"` ApiVersions []string `protobuf:"bytes,15,rep,name=apiVersions,proto3" json:"apiVersions,omitempty"` // Request to verify the signature when generating the manifests (only for Git repositories) - VerifySignature bool `protobuf:"varint,16,opt,name=verifySignature,proto3" json:"verifySignature,omitempty"` - HelmRepoCreds []*v1alpha1.RepoCreds `protobuf:"bytes,17,rep,name=helmRepoCreds,proto3" json:"helmRepoCreds,omitempty"` - NoRevisionCache bool `protobuf:"varint,18,opt,name=noRevisionCache,proto3" json:"noRevisionCache,omitempty"` - TrackingMethod string `protobuf:"bytes,19,opt,name=trackingMethod,proto3" json:"trackingMethod,omitempty"` - EnabledSourceTypes map[string]bool `protobuf:"bytes,20,rep,name=enabledSourceTypes,proto3" json:"enabledSourceTypes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3"` - HelmOptions *v1alpha1.HelmOptions `protobuf:"bytes,21,opt,name=helmOptions,proto3" json:"helmOptions,omitempty"` - HasMultipleSources bool `protobuf:"varint,22,opt,name=hasMultipleSources,proto3" json:"hasMultipleSources,omitempty"` - RefSources map[string]*v1alpha1.RefTarget `protobuf:"bytes,23,rep,name=refSources,proto3" json:"refSources,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // This is used to surface "source not permitted" errors for Helm repositories - ProjectSourceRepos []string `protobuf:"bytes,24,rep,name=projectSourceRepos,proto3" json:"projectSourceRepos,omitempty"` - // This is used to surface "source not permitted" errors for Helm repositories - ProjectName string `protobuf:"bytes,25,opt,name=projectName,proto3" json:"projectName,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + VerifySignature bool 
`protobuf:"varint,16,opt,name=verifySignature,proto3" json:"verifySignature,omitempty"` + HelmRepoCreds []*v1alpha1.RepoCreds `protobuf:"bytes,17,rep,name=helmRepoCreds,proto3" json:"helmRepoCreds,omitempty"` + NoRevisionCache bool `protobuf:"varint,18,opt,name=noRevisionCache,proto3" json:"noRevisionCache,omitempty"` + TrackingMethod string `protobuf:"bytes,19,opt,name=trackingMethod,proto3" json:"trackingMethod,omitempty"` + EnabledSourceTypes map[string]bool `protobuf:"bytes,20,rep,name=enabledSourceTypes,proto3" json:"enabledSourceTypes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3"` + HelmOptions *v1alpha1.HelmOptions `protobuf:"bytes,21,opt,name=helmOptions,proto3" json:"helmOptions,omitempty"` + HasMultipleSources bool `protobuf:"varint,22,opt,name=hasMultipleSources,proto3" json:"hasMultipleSources,omitempty"` + RefSources map[string]*v1alpha1.RefTarget `protobuf:"bytes,23,rep,name=refSources,proto3" json:"refSources,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *ManifestRequest) Reset() { *m = ManifestRequest{} } @@ -236,20 +232,6 @@ func (m *ManifestRequest) GetRefSources() map[string]*v1alpha1.RefTarget { return nil } -func (m *ManifestRequest) GetProjectSourceRepos() []string { - if m != nil { - return m.ProjectSourceRepos - } - return nil -} - -func (m *ManifestRequest) GetProjectName() string { - if m != nil { - return m.ProjectName - } - return "" -} - type ManifestRequestWithFiles struct { // Types that are valid to be assigned to Part: // *ManifestRequestWithFiles_Request 
@@ -2189,140 +2171,138 @@ func init() { } var fileDescriptor_dd8723cfcc820480 = []byte{ - // 2114 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5a, 0x5b, 0x6f, 0x1b, 0xc7, - 0x15, 0xe6, 0x92, 0xba, 0x90, 0x47, 0xb2, 0x44, 0x8d, 0x75, 0x59, 0x31, 0x8e, 0xa0, 0x6c, 0x6b, - 0x43, 0xb5, 0x13, 0x12, 0x92, 0x91, 0xb8, 0x70, 0xd2, 0x14, 0x8a, 0x62, 0x4b, 0x8e, 0x2d, 0x5b, - 0x5d, 0xbb, 0x2d, 0xd2, 0xba, 0x2d, 0x86, 0xcb, 0x21, 0xb9, 0xe1, 0x5e, 0xc6, 0xbb, 0xb3, 0x0a, - 0x64, 0xa0, 0x0f, 0x45, 0x8b, 0x02, 0xfd, 0x03, 0x7d, 0xe8, 0xff, 0x28, 0xfa, 0x54, 0xf4, 0xa9, - 0x97, 0xc7, 0xa0, 0x7f, 0xa0, 0x85, 0x1f, 0xfb, 0x2b, 0x8a, 0xb9, 0xec, 0x95, 0x2b, 0xd9, 0x29, - 0x65, 0x19, 0xcd, 0x8b, 0xbd, 0x73, 0xe6, 0xcc, 0x39, 0x67, 0xce, 0x9c, 0xcb, 0x37, 0x43, 0xc1, - 0xb5, 0x80, 0x50, 0x3f, 0x24, 0xc1, 0x31, 0x09, 0x3a, 0xe2, 0xd3, 0x66, 0x7e, 0x70, 0x92, 0xf9, - 0x6c, 0xd3, 0xc0, 0x67, 0x3e, 0x82, 0x94, 0xd2, 0x7a, 0x30, 0xb0, 0xd9, 0x30, 0xea, 0xb6, 0x2d, - 0xdf, 0xed, 0xe0, 0x60, 0xe0, 0xd3, 0xc0, 0xff, 0x42, 0x7c, 0xbc, 0x67, 0xf5, 0x3a, 0xc7, 0x3b, - 0x1d, 0x3a, 0x1a, 0x74, 0x30, 0xb5, 0xc3, 0x0e, 0xa6, 0xd4, 0xb1, 0x2d, 0xcc, 0x6c, 0xdf, 0xeb, - 0x1c, 0x6f, 0x63, 0x87, 0x0e, 0xf1, 0x76, 0x67, 0x40, 0x3c, 0x12, 0x60, 0x46, 0x7a, 0x52, 0x72, - 0xeb, 0xad, 0x81, 0xef, 0x0f, 0x1c, 0xd2, 0x11, 0xa3, 0x6e, 0xd4, 0xef, 0x10, 0x97, 0x32, 0xa5, - 0xd6, 0xf8, 0xcf, 0x3c, 0x2c, 0x1e, 0x62, 0xcf, 0xee, 0x93, 0x90, 0x99, 0xe4, 0x59, 0x44, 0x42, - 0x86, 0x9e, 0xc2, 0x14, 0x37, 0x46, 0xd7, 0x36, 0xb5, 0xad, 0xb9, 0x9d, 0x83, 0x76, 0x6a, 0x4d, - 0x3b, 0xb6, 0x46, 0x7c, 0xfc, 0xc2, 0xea, 0xb5, 0x8f, 0x77, 0xda, 0x74, 0x34, 0x68, 0x73, 0x6b, - 0xda, 0x19, 0x6b, 0xda, 0xb1, 0x35, 0x6d, 0x33, 0xd9, 0x96, 0x29, 0xa4, 0xa2, 0x16, 0xd4, 0x03, - 0x72, 0x6c, 0x87, 0xb6, 0xef, 0xe9, 0xd5, 0x4d, 0x6d, 0xab, 0x61, 0x26, 0x63, 0xa4, 0xc3, 0xac, - 0xe7, 0xef, 0x61, 0x6b, 0x48, 0xf4, 0xda, 0xa6, 0xb6, 0x55, 0x37, 0xe3, 0x21, 0xda, 0x84, 0x39, 
- 0x4c, 0xe9, 0x03, 0xdc, 0x25, 0xce, 0x7d, 0x72, 0xa2, 0x4f, 0x89, 0x85, 0x59, 0x12, 0x5f, 0x8b, - 0x29, 0x7d, 0x88, 0x5d, 0xa2, 0x4f, 0x8b, 0xd9, 0x78, 0x88, 0xae, 0x40, 0xc3, 0xc3, 0x2e, 0x09, - 0x29, 0xb6, 0x88, 0x5e, 0x17, 0x73, 0x29, 0x01, 0xfd, 0x12, 0x96, 0x32, 0x86, 0x3f, 0xf6, 0xa3, - 0xc0, 0x22, 0x3a, 0x88, 0xad, 0x3f, 0x9a, 0x6c, 0xeb, 0xbb, 0x45, 0xb1, 0xe6, 0xb8, 0x26, 0xf4, - 0x73, 0x98, 0x16, 0x27, 0xaf, 0xcf, 0x6d, 0xd6, 0xce, 0xd5, 0xdb, 0x52, 0x2c, 0xf2, 0x60, 0x96, - 0x3a, 0xd1, 0xc0, 0xf6, 0x42, 0x7d, 0x5e, 0x68, 0x78, 0x32, 0x99, 0x86, 0x3d, 0xdf, 0xeb, 0xdb, - 0x83, 0x43, 0xec, 0xe1, 0x01, 0x71, 0x89, 0xc7, 0x8e, 0x84, 0x70, 0x33, 0x56, 0x82, 0x9e, 0x43, - 0x73, 0x14, 0x85, 0xcc, 0x77, 0xed, 0xe7, 0xe4, 0x11, 0xe5, 0x6b, 0x43, 0xfd, 0x92, 0xf0, 0xe6, - 0xc3, 0xc9, 0x14, 0xdf, 0x2f, 0x48, 0x35, 0xc7, 0xf4, 0xf0, 0x20, 0x19, 0x45, 0x5d, 0xf2, 0x23, - 0x12, 0x88, 0xe8, 0x5a, 0x90, 0x41, 0x92, 0x21, 0xc9, 0x30, 0xb2, 0xd5, 0x28, 0xd4, 0x17, 0x37, - 0x6b, 0x32, 0x8c, 0x12, 0x12, 0xda, 0x82, 0xc5, 0x63, 0x12, 0xd8, 0xfd, 0x93, 0xc7, 0xf6, 0xc0, - 0xc3, 0x2c, 0x0a, 0x88, 0xde, 0x14, 0xa1, 0x58, 0x24, 0x23, 0x17, 0x2e, 0x0d, 0x89, 0xe3, 0x72, - 0x97, 0xef, 0x05, 0xa4, 0x17, 0xea, 0x4b, 0xc2, 0xbf, 0xfb, 0x93, 0x9f, 0xa0, 0x10, 0x67, 0xe6, - 0xa5, 0x73, 0xc3, 0x3c, 0xdf, 0x54, 0x99, 0x22, 0x73, 0x04, 0x49, 0xc3, 0x0a, 0x64, 0x74, 0x0d, - 0x16, 0x58, 0x80, 0xad, 0x91, 0xed, 0x0d, 0x0e, 0x09, 0x1b, 0xfa, 0x3d, 0xfd, 0xb2, 0xf0, 0x44, - 0x81, 0x8a, 0x2c, 0x40, 0xc4, 0xc3, 0x5d, 0x87, 0xf4, 0x64, 0x2c, 0x3e, 0x39, 0xa1, 0x24, 0xd4, - 0x97, 0xc5, 0x2e, 0x6e, 0xb6, 0x33, 0x15, 0xaa, 0x50, 0x20, 0xda, 0x77, 0xc6, 0x56, 0xdd, 0xf1, - 0x58, 0x70, 0x62, 0x96, 0x88, 0x43, 0x23, 0x98, 0xe3, 0xfb, 0x88, 0x43, 0x61, 0x45, 0x84, 0xc2, - 0xbd, 0xc9, 0x7c, 0x74, 0x90, 0x0a, 0x34, 0xb3, 0xd2, 0x51, 0x1b, 0xd0, 0x10, 0x87, 0x87, 0x91, - 0xc3, 0x6c, 0xea, 0x10, 0x69, 0x46, 0xa8, 0xaf, 0x0a, 0x37, 0x95, 0xcc, 0xa0, 0xfb, 0x00, 0x01, - 0xe9, 0xc7, 0x7c, 0x6b, 0x62, 0xe7, 
0x37, 0xce, 0xda, 0xb9, 0x99, 0x70, 0xcb, 0x1d, 0x67, 0x96, - 0x73, 0xe5, 0x7c, 0x1b, 0xc4, 0x62, 0x2a, 0xdb, 0x45, 0x5a, 0xeb, 0x22, 0xc4, 0x4a, 0x66, 0x78, - 0x2c, 0x2a, 0xaa, 0x28, 0x5a, 0xeb, 0x32, 0x5a, 0x33, 0xa4, 0xd6, 0x1d, 0x58, 0x3b, 0xc5, 0xd5, - 0xa8, 0x09, 0xb5, 0x11, 0x39, 0x11, 0x25, 0xba, 0x61, 0xf2, 0x4f, 0xb4, 0x0c, 0xd3, 0xc7, 0xd8, - 0x89, 0x88, 0x28, 0xaa, 0x75, 0x53, 0x0e, 0x6e, 0x57, 0xbf, 0xab, 0xb5, 0x7e, 0xab, 0xc1, 0x62, - 0xc1, 0xf0, 0x92, 0xf5, 0x3f, 0xcb, 0xae, 0x3f, 0x87, 0x30, 0xee, 0x3f, 0xc1, 0xc1, 0x80, 0xb0, - 0x8c, 0x21, 0xc6, 0x3f, 0x35, 0xd0, 0x0b, 0x1e, 0xfd, 0xb1, 0xcd, 0x86, 0x77, 0x6d, 0x87, 0x84, - 0xe8, 0x16, 0xcc, 0x06, 0x92, 0xa6, 0x1a, 0xcf, 0x5b, 0x67, 0x1c, 0xc4, 0x41, 0xc5, 0x8c, 0xb9, - 0xd1, 0xc7, 0x50, 0x77, 0x09, 0xc3, 0x3d, 0xcc, 0xb0, 0xb2, 0x7d, 0xb3, 0x6c, 0x25, 0xd7, 0x72, - 0xa8, 0xf8, 0x0e, 0x2a, 0x66, 0xb2, 0x06, 0xbd, 0x0f, 0xd3, 0xd6, 0x30, 0xf2, 0x46, 0xa2, 0xe5, - 0xcc, 0xed, 0xbc, 0x7d, 0xda, 0xe2, 0x3d, 0xce, 0x74, 0x50, 0x31, 0x25, 0xf7, 0x27, 0x33, 0x30, - 0x45, 0x71, 0xc0, 0x8c, 0xbb, 0xb0, 0x5c, 0xa6, 0x82, 0xf7, 0x39, 0x6b, 0x48, 0xac, 0x51, 0x18, - 0xb9, 0xca, 0xcd, 0xc9, 0x18, 0x21, 0x98, 0x0a, 0xed, 0xe7, 0xd2, 0xd5, 0x35, 0x53, 0x7c, 0x1b, - 0xdf, 0x81, 0xa5, 0x31, 0x6d, 0xfc, 0x50, 0xa5, 0x6d, 0x5c, 0xc2, 0xbc, 0x52, 0x6d, 0x44, 0xb0, - 0xf2, 0x44, 0xf8, 0x22, 0x29, 0xf6, 0x17, 0xd1, 0xb9, 0x8d, 0x03, 0x58, 0x2d, 0xaa, 0x0d, 0xa9, - 0xef, 0x85, 0x84, 0x87, 0xbe, 0xa8, 0x8e, 0x36, 0xe9, 0xa5, 0xb3, 0xc2, 0x8a, 0xba, 0x59, 0x32, - 0x63, 0xfc, 0xaa, 0x0a, 0xab, 0x26, 0x09, 0x7d, 0xe7, 0x98, 0xc4, 0xa5, 0xeb, 0x62, 0xc0, 0xc7, - 0x4f, 0xa1, 0x86, 0x29, 0x55, 0x61, 0x72, 0xef, 0xdc, 0xda, 0xbb, 0xc9, 0xa5, 0xa2, 0x77, 0x61, - 0x09, 0xbb, 0x5d, 0x7b, 0x10, 0xf9, 0x51, 0x18, 0x6f, 0x4b, 0x04, 0x55, 0xc3, 0x1c, 0x9f, 0x30, - 0x2c, 0x58, 0x1b, 0x73, 0x81, 0x72, 0x67, 0x16, 0x22, 0x69, 0x05, 0x88, 0x54, 0xaa, 0xa4, 0x7a, - 0x9a, 0x92, 0xbf, 0x69, 0xd0, 0x4c, 0x53, 0x47, 0x89, 0xbf, 0x02, 0x0d, 
0x57, 0xd1, 0x42, 0x5d, - 0x13, 0xf5, 0x29, 0x25, 0xe4, 0xd1, 0x52, 0xb5, 0x88, 0x96, 0x56, 0x61, 0x46, 0x82, 0x59, 0xb5, - 0x31, 0x35, 0xca, 0x99, 0x3c, 0x55, 0x30, 0x79, 0x03, 0x20, 0x4c, 0xea, 0x97, 0x3e, 0x23, 0x66, - 0x33, 0x14, 0x64, 0xc0, 0xbc, 0xec, 0xad, 0x26, 0x09, 0x23, 0x87, 0xe9, 0xb3, 0x82, 0x23, 0x47, - 0x33, 0x7c, 0x58, 0x7c, 0x60, 0xf3, 0x3d, 0xf4, 0xc3, 0x8b, 0x09, 0xf6, 0x0f, 0x60, 0x8a, 0x2b, - 0xe3, 0x1b, 0xeb, 0x06, 0xd8, 0xb3, 0x86, 0x24, 0xf6, 0x55, 0x32, 0xe6, 0x69, 0xcc, 0xf0, 0x20, - 0xd4, 0xab, 0x82, 0x2e, 0xbe, 0x8d, 0x3f, 0x55, 0xa5, 0xa5, 0xbb, 0x94, 0x86, 0x6f, 0x1e, 0x50, - 0x97, 0xb7, 0xf8, 0xda, 0x78, 0x8b, 0x2f, 0x98, 0xfc, 0x75, 0x5a, 0xfc, 0x39, 0xb5, 0x29, 0x23, - 0x82, 0xd9, 0x5d, 0x4a, 0xb9, 0x21, 0x68, 0x1b, 0xa6, 0x30, 0xa5, 0xd2, 0xe1, 0x85, 0x8a, 0xac, - 0x58, 0xf8, 0xff, 0xca, 0x24, 0xc1, 0xda, 0xba, 0x05, 0x8d, 0x84, 0xf4, 0x32, 0xb5, 0x8d, 0xac, - 0xda, 0x4d, 0x00, 0x89, 0x61, 0xef, 0x79, 0x7d, 0x9f, 0x1f, 0x29, 0x0f, 0x76, 0xb5, 0x54, 0x7c, - 0x1b, 0xb7, 0x63, 0x0e, 0x61, 0xdb, 0xbb, 0x30, 0x6d, 0x33, 0xe2, 0xc6, 0xc6, 0xad, 0x66, 0x8d, - 0x4b, 0x05, 0x99, 0x92, 0xc9, 0xf8, 0x7b, 0x1d, 0xd6, 0xf9, 0x89, 0x3d, 0x16, 0x69, 0xb2, 0x4b, - 0xe9, 0xa7, 0x84, 0x61, 0xdb, 0x09, 0x7f, 0x10, 0x91, 0xe0, 0xe4, 0x35, 0x07, 0xc6, 0x00, 0x66, - 0x64, 0x96, 0xa9, 0x7a, 0x77, 0xee, 0xd7, 0x19, 0x25, 0x3e, 0xbd, 0xc3, 0xd4, 0x5e, 0xcf, 0x1d, - 0xa6, 0xec, 0x4e, 0x31, 0x75, 0x41, 0x77, 0x8a, 0xd3, 0xaf, 0x95, 0x99, 0xcb, 0xea, 0x4c, 0xfe, - 0xb2, 0x5a, 0x02, 0xd5, 0x67, 0x5f, 0x15, 0xaa, 0xd7, 0x4b, 0xa1, 0xba, 0x5b, 0x9a, 0xc7, 0x0d, - 0xe1, 0xee, 0xef, 0x65, 0x23, 0xf0, 0xd4, 0x58, 0x9b, 0x04, 0xb4, 0xc3, 0x6b, 0x05, 0xed, 0x3f, - 0xcc, 0x81, 0x70, 0x79, 0x0d, 0x7e, 0xff, 0xd5, 0xf6, 0x74, 0x06, 0x1c, 0xff, 0xc6, 0x81, 0xe7, - 0xdf, 0x08, 0xcc, 0x44, 0xfd, 0xd4, 0x07, 0x49, 0x43, 0xe7, 0x7d, 0x88, 0xb7, 0x56, 0x55, 0xb4, - 0xf8, 0x37, 0xba, 0x01, 0x53, 0xdc, 0xc9, 0x0a, 0xd4, 0xae, 0x65, 0xfd, 0xc9, 0x4f, 0x62, 0x97, - 0xd2, 0xc7, 
0x94, 0x58, 0xa6, 0x60, 0x42, 0xb7, 0xa1, 0x91, 0x04, 0xbe, 0xca, 0xac, 0x2b, 0xd9, - 0x15, 0x49, 0x9e, 0xc4, 0xcb, 0x52, 0x76, 0xbe, 0xb6, 0x67, 0x07, 0xc4, 0x12, 0x90, 0x6f, 0x7a, - 0x7c, 0xed, 0xa7, 0xf1, 0x64, 0xb2, 0x36, 0x61, 0x47, 0xdb, 0x30, 0x23, 0xdf, 0x0d, 0x44, 0x06, - 0xcd, 0xed, 0xac, 0x8f, 0x17, 0xd3, 0x78, 0x95, 0x62, 0x34, 0xfe, 0xaa, 0xc1, 0x3b, 0x69, 0x40, - 0xc4, 0xd9, 0x14, 0xa3, 0xee, 0x37, 0xdf, 0x71, 0xaf, 0xc1, 0x82, 0x80, 0xf9, 0xe9, 0xf3, 0x81, - 0x7c, 0xc9, 0x2a, 0x50, 0x8d, 0x3f, 0x6a, 0x70, 0x75, 0x7c, 0x1f, 0x7b, 0x43, 0x1c, 0xb0, 0xe4, - 0x78, 0x2f, 0x62, 0x2f, 0x71, 0xc3, 0xab, 0xa6, 0x0d, 0x2f, 0xb7, 0xbf, 0x5a, 0x7e, 0x7f, 0xc6, - 0x5f, 0xaa, 0x30, 0x97, 0x09, 0xa0, 0xb2, 0x86, 0xc9, 0x01, 0x9f, 0x88, 0x5b, 0x71, 0xb1, 0x13, - 0x4d, 0xa1, 0x61, 0x66, 0x28, 0x68, 0x04, 0x40, 0x71, 0x80, 0x5d, 0xc2, 0x48, 0xc0, 0x2b, 0x39, - 0xcf, 0xf8, 0xfb, 0x93, 0x57, 0x97, 0xa3, 0x58, 0xa6, 0x99, 0x11, 0xcf, 0x11, 0xab, 0x50, 0x1d, - 0xaa, 0xfa, 0xad, 0x46, 0xe8, 0x4b, 0x58, 0xe8, 0xdb, 0x0e, 0x39, 0x4a, 0x0d, 0x99, 0x11, 0x86, - 0x3c, 0x9a, 0xdc, 0x90, 0xbb, 0x59, 0xb9, 0x66, 0x41, 0x8d, 0x71, 0x1d, 0x9a, 0xc5, 0x7c, 0xe2, - 0x46, 0xda, 0x2e, 0x1e, 0x24, 0xde, 0x52, 0x23, 0x03, 0x41, 0xb3, 0x98, 0x3f, 0xc6, 0xbf, 0xaa, - 0xb0, 0x92, 0x88, 0xdb, 0xf5, 0x3c, 0x3f, 0xf2, 0x2c, 0xf1, 0x14, 0x57, 0x7a, 0x16, 0xcb, 0x30, - 0xcd, 0x6c, 0xe6, 0x24, 0xc0, 0x47, 0x0c, 0x78, 0xef, 0x62, 0xbe, 0xef, 0x30, 0x9b, 0xaa, 0x03, - 0x8e, 0x87, 0xf2, 0xec, 0x9f, 0x45, 0x76, 0x40, 0x7a, 0xa2, 0x12, 0xd4, 0xcd, 0x64, 0xcc, 0xe7, - 0x38, 0xaa, 0x11, 0x30, 0x5e, 0x3a, 0x33, 0x19, 0x8b, 0xb8, 0xf7, 0x1d, 0x87, 0x58, 0xdc, 0x1d, - 0x19, 0xa0, 0x5f, 0xa0, 0x8a, 0x0b, 0x04, 0x0b, 0x6c, 0x6f, 0xa0, 0x60, 0xbe, 0x1a, 0x71, 0x3b, - 0x71, 0x10, 0xe0, 0x13, 0xbd, 0x2e, 0x1c, 0x20, 0x07, 0xe8, 0x23, 0xa8, 0xb9, 0x98, 0xaa, 0x46, - 0x77, 0x3d, 0x57, 0x1d, 0xca, 0x3c, 0xd0, 0x3e, 0xc4, 0x54, 0x76, 0x02, 0xbe, 0xac, 0xf5, 0x01, - 0xd4, 0x63, 0xc2, 0xd7, 0x82, 0x84, 0x5f, 0xc0, 
0xa5, 0x5c, 0xf1, 0x41, 0x9f, 0xc3, 0x6a, 0x1a, - 0x51, 0x59, 0x85, 0x0a, 0x04, 0xbe, 0xf3, 0x52, 0xcb, 0xcc, 0x53, 0x04, 0x18, 0xcf, 0x60, 0x89, - 0x87, 0x8c, 0x48, 0xfc, 0x0b, 0xba, 0xda, 0x7c, 0x08, 0x8d, 0x44, 0x65, 0x69, 0xcc, 0xb4, 0xa0, - 0x7e, 0x1c, 0x3f, 0x91, 0xca, 0xbb, 0x4d, 0x32, 0x36, 0x76, 0x01, 0x65, 0xed, 0x55, 0x1d, 0xe8, - 0x46, 0x1e, 0x14, 0xaf, 0x14, 0xdb, 0x8d, 0x60, 0x8f, 0x31, 0xf1, 0xef, 0xaa, 0xb0, 0xb8, 0x6f, - 0x8b, 0x57, 0x8e, 0x0b, 0x2a, 0x72, 0xd7, 0xa1, 0x19, 0x46, 0x5d, 0xd7, 0xef, 0x45, 0x0e, 0x51, - 0xa0, 0x40, 0x75, 0xfa, 0x31, 0xfa, 0x59, 0xc5, 0x8f, 0x3b, 0x8b, 0x62, 0x36, 0x54, 0x37, 0x5c, - 0xf1, 0x8d, 0x3e, 0x82, 0xf5, 0x87, 0xe4, 0x4b, 0xb5, 0x9f, 0x7d, 0xc7, 0xef, 0x76, 0x6d, 0x6f, - 0x10, 0x2b, 0x99, 0x16, 0x4a, 0x4e, 0x67, 0x30, 0x7e, 0xad, 0x41, 0x33, 0xf5, 0x85, 0xf2, 0xe6, - 0x2d, 0x19, 0xf5, 0xd2, 0x97, 0x57, 0xb3, 0xbe, 0x2c, 0xb2, 0xfe, 0xef, 0x01, 0x3f, 0x9f, 0x0d, - 0xf8, 0x3f, 0x6b, 0xb0, 0xb2, 0x6f, 0xb3, 0xb8, 0xd4, 0xd8, 0xff, 0x67, 0xe7, 0x62, 0xb4, 0x61, - 0xb5, 0x68, 0xbe, 0x72, 0xe5, 0x32, 0x4c, 0xf3, 0x53, 0x8a, 0xef, 0xee, 0x72, 0xb0, 0xf3, 0x55, - 0x03, 0x96, 0xd2, 0xe6, 0xcb, 0xff, 0xb5, 0x2d, 0x82, 0x1e, 0x41, 0x73, 0x5f, 0xfd, 0x76, 0x16, - 0xbf, 0x99, 0xa0, 0xb3, 0x1e, 0x21, 0x5b, 0x57, 0xca, 0x27, 0xa5, 0x6a, 0xa3, 0x82, 0x2c, 0x58, - 0x2f, 0x0a, 0x4c, 0xdf, 0x3b, 0xbf, 0x7d, 0x86, 0xe4, 0x84, 0xeb, 0x65, 0x2a, 0xb6, 0x34, 0xf4, - 0x39, 0x2c, 0xe4, 0x5f, 0xe5, 0x50, 0xae, 0x1a, 0x95, 0x3e, 0x14, 0xb6, 0x8c, 0xb3, 0x58, 0x12, - 0xfb, 0x9f, 0x72, 0xe8, 0x9b, 0x7b, 0xa2, 0x42, 0x46, 0x1e, 0x98, 0x97, 0x3d, 0xe1, 0xb5, 0xbe, - 0x75, 0x26, 0x4f, 0x22, 0xfd, 0x43, 0xa8, 0xc7, 0x4f, 0x3a, 0x79, 0x37, 0x17, 0x1e, 0x7a, 0x5a, - 0xcd, 0xbc, 0xbc, 0x7e, 0x68, 0x54, 0xd0, 0xc7, 0x72, 0x31, 0xbf, 0xf2, 0x8f, 0x2f, 0xce, 0x3c, - 0x64, 0xb4, 0x2e, 0x97, 0x3c, 0x1e, 0x18, 0x15, 0xf4, 0x7d, 0x98, 0xe3, 0x5f, 0x47, 0xea, 0x57, - 0xab, 0xd5, 0xb6, 0xfc, 0x91, 0xb4, 0x1d, 0xff, 0x48, 0xda, 0xbe, 0xe3, 0x52, 0x76, 
0xd2, 0x2a, - 0xb9, 0xdd, 0x2b, 0x01, 0x4f, 0xe1, 0xd2, 0x3e, 0x61, 0x29, 0x18, 0x47, 0x57, 0x5f, 0xe9, 0xca, - 0xd2, 0x32, 0x8a, 0x6c, 0xe3, 0x78, 0xde, 0xa8, 0xa0, 0xdf, 0x6b, 0x70, 0x79, 0x9f, 0xb0, 0x22, - 0xbc, 0x45, 0xef, 0x95, 0x2b, 0x39, 0x05, 0x06, 0xb7, 0x1e, 0x4e, 0x9a, 0xaf, 0x79, 0xb1, 0x46, - 0x05, 0xfd, 0x41, 0x83, 0xb5, 0x8c, 0x61, 0x59, 0xbc, 0x8a, 0xb6, 0xcf, 0x36, 0xae, 0x04, 0xdb, - 0xb6, 0x3e, 0x9b, 0xf0, 0xc7, 0xc8, 0x8c, 0x48, 0xa3, 0x82, 0x8e, 0xc4, 0x99, 0xa4, 0xed, 0x09, - 0xbd, 0x5d, 0xda, 0x87, 0x12, 0xed, 0x1b, 0xa7, 0x4d, 0x27, 0xe7, 0xf0, 0x19, 0xcc, 0xed, 0x13, - 0x16, 0x57, 0xdd, 0x7c, 0xa4, 0x15, 0x5a, 0x58, 0x3e, 0x55, 0x8b, 0x85, 0x5a, 0x44, 0xcc, 0x92, - 0x94, 0x95, 0xa9, 0x53, 0xf9, 0x5c, 0x2d, 0x2d, 0xc1, 0xf9, 0x88, 0x29, 0x2f, 0x73, 0x46, 0xe5, - 0x93, 0xdd, 0x7f, 0xbc, 0xd8, 0xd0, 0xbe, 0x7a, 0xb1, 0xa1, 0xfd, 0xfb, 0xc5, 0x86, 0xf6, 0x93, - 0x9b, 0x2f, 0xf9, 0x0b, 0x82, 0xcc, 0x1f, 0x25, 0x60, 0x6a, 0x5b, 0x8e, 0x4d, 0x3c, 0xd6, 0x9d, - 0x11, 0xc1, 0x7f, 0xf3, 0xbf, 0x01, 0x00, 0x00, 0xff, 0xff, 0xf8, 0x86, 0xe4, 0x0d, 0xb3, 0x20, - 0x00, 0x00, + // 2085 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe4, 0x5a, 0x5b, 0x6f, 0x1b, 0xc7, + 0xf5, 0xe7, 0x92, 0xba, 0x90, 0x47, 0xb6, 0x45, 0x8d, 0x75, 0x59, 0x33, 0x8e, 0xa0, 0xec, 0xff, + 0x6f, 0x43, 0xb5, 0x13, 0x12, 0x92, 0x91, 0xb8, 0x70, 0xd2, 0x14, 0x8a, 0x62, 0x4b, 0x8e, 0x2d, + 0x5b, 0x5d, 0xbb, 0x2d, 0xd2, 0xba, 0x2d, 0x86, 0xcb, 0xe1, 0x72, 0xc2, 0xbd, 0x8c, 0x77, 0x67, + 0x15, 0xc8, 0x40, 0x1f, 0x8a, 0x16, 0x05, 0xfa, 0x05, 0x8a, 0xa2, 0xdf, 0xa3, 0xe8, 0x53, 0xd1, + 0xa7, 0x5e, 0x1e, 0x83, 0x7e, 0x81, 0x16, 0xfe, 0x24, 0xc5, 0xcc, 0xce, 0x5e, 0xb9, 0x92, 0x9d, + 0x52, 0x56, 0x50, 0xf4, 0xc5, 0xde, 0x99, 0x39, 0xb7, 0x39, 0x73, 0xe6, 0x9c, 0xdf, 0x19, 0x0a, + 0xae, 0x07, 0x84, 0xf9, 0x21, 0x09, 0x8e, 0x48, 0xd0, 0x93, 0x9f, 0x94, 0xfb, 0xc1, 0x71, 0xee, + 0xb3, 0xcb, 0x02, 0x9f, 0xfb, 0x08, 0xb2, 0x99, 0xce, 0x43, 
0x9b, 0xf2, 0x51, 0xd4, 0xef, 0x5a, + 0xbe, 0xdb, 0xc3, 0x81, 0xed, 0xb3, 0xc0, 0xff, 0x42, 0x7e, 0xbc, 0x67, 0x0d, 0x7a, 0x47, 0xdb, + 0x3d, 0x36, 0xb6, 0x7b, 0x98, 0xd1, 0xb0, 0x87, 0x19, 0x73, 0xa8, 0x85, 0x39, 0xf5, 0xbd, 0xde, + 0xd1, 0x16, 0x76, 0xd8, 0x08, 0x6f, 0xf5, 0x6c, 0xe2, 0x91, 0x00, 0x73, 0x32, 0x88, 0x25, 0x77, + 0xde, 0xb2, 0x7d, 0xdf, 0x76, 0x48, 0x4f, 0x8e, 0xfa, 0xd1, 0xb0, 0x47, 0x5c, 0xc6, 0x95, 0x5a, + 0xe3, 0x77, 0x17, 0x60, 0xf1, 0x00, 0x7b, 0x74, 0x48, 0x42, 0x6e, 0x92, 0xe7, 0x11, 0x09, 0x39, + 0x7a, 0x06, 0x33, 0xc2, 0x18, 0x5d, 0xdb, 0xd0, 0x36, 0x17, 0xb6, 0xf7, 0xbb, 0x99, 0x35, 0xdd, + 0xc4, 0x1a, 0xf9, 0xf1, 0x33, 0x6b, 0xd0, 0x3d, 0xda, 0xee, 0xb2, 0xb1, 0xdd, 0x15, 0xd6, 0x74, + 0x73, 0xd6, 0x74, 0x13, 0x6b, 0xba, 0x66, 0xba, 0x2d, 0x53, 0x4a, 0x45, 0x1d, 0x68, 0x06, 0xe4, + 0x88, 0x86, 0xd4, 0xf7, 0xf4, 0xfa, 0x86, 0xb6, 0xd9, 0x32, 0xd3, 0x31, 0xd2, 0x61, 0xde, 0xf3, + 0x77, 0xb1, 0x35, 0x22, 0x7a, 0x63, 0x43, 0xdb, 0x6c, 0x9a, 0xc9, 0x10, 0x6d, 0xc0, 0x02, 0x66, + 0xec, 0x21, 0xee, 0x13, 0xe7, 0x01, 0x39, 0xd6, 0x67, 0x24, 0x63, 0x7e, 0x4a, 0xf0, 0x62, 0xc6, + 0x1e, 0x61, 0x97, 0xe8, 0xb3, 0x72, 0x35, 0x19, 0xa2, 0xab, 0xd0, 0xf2, 0xb0, 0x4b, 0x42, 0x86, + 0x2d, 0xa2, 0x37, 0xe5, 0x5a, 0x36, 0x81, 0x7e, 0x0e, 0x4b, 0x39, 0xc3, 0x9f, 0xf8, 0x51, 0x60, + 0x11, 0x1d, 0xe4, 0xd6, 0x1f, 0x4f, 0xb7, 0xf5, 0x9d, 0xb2, 0x58, 0x73, 0x52, 0x13, 0xfa, 0x29, + 0xcc, 0xca, 0x93, 0xd7, 0x17, 0x36, 0x1a, 0x67, 0xea, 0xed, 0x58, 0x2c, 0xf2, 0x60, 0x9e, 0x39, + 0x91, 0x4d, 0xbd, 0x50, 0xbf, 0x20, 0x35, 0x3c, 0x9d, 0x4e, 0xc3, 0xae, 0xef, 0x0d, 0xa9, 0x7d, + 0x80, 0x3d, 0x6c, 0x13, 0x97, 0x78, 0xfc, 0x50, 0x0a, 0x37, 0x13, 0x25, 0xe8, 0x05, 0xb4, 0xc7, + 0x51, 0xc8, 0x7d, 0x97, 0xbe, 0x20, 0x8f, 0x99, 0xe0, 0x0d, 0xf5, 0x8b, 0xd2, 0x9b, 0x8f, 0xa6, + 0x53, 0xfc, 0xa0, 0x24, 0xd5, 0x9c, 0xd0, 0x23, 0x82, 0x64, 0x1c, 0xf5, 0xc9, 0x0f, 0x48, 0x20, + 0xa3, 0xeb, 0x52, 0x1c, 0x24, 0xb9, 0xa9, 0x38, 0x8c, 0xa8, 0x1a, 0x85, 0xfa, 0xe2, 0x46, 0x23, + 
0x0e, 0xa3, 0x74, 0x0a, 0x6d, 0xc2, 0xe2, 0x11, 0x09, 0xe8, 0xf0, 0xf8, 0x09, 0xb5, 0x3d, 0xcc, + 0xa3, 0x80, 0xe8, 0x6d, 0x19, 0x8a, 0xe5, 0x69, 0xe4, 0xc2, 0xc5, 0x11, 0x71, 0x5c, 0xe1, 0xf2, + 0xdd, 0x80, 0x0c, 0x42, 0x7d, 0x49, 0xfa, 0x77, 0x6f, 0xfa, 0x13, 0x94, 0xe2, 0xcc, 0xa2, 0x74, + 0x61, 0x98, 0xe7, 0x9b, 0xea, 0xa6, 0xc4, 0x77, 0x04, 0xc5, 0x86, 0x95, 0xa6, 0xd1, 0x75, 0xb8, + 0xc4, 0x03, 0x6c, 0x8d, 0xa9, 0x67, 0x1f, 0x10, 0x3e, 0xf2, 0x07, 0xfa, 0x65, 0xe9, 0x89, 0xd2, + 0x2c, 0xb2, 0x00, 0x11, 0x0f, 0xf7, 0x1d, 0x32, 0x88, 0x63, 0xf1, 0xe9, 0x31, 0x23, 0xa1, 0xbe, + 0x2c, 0x77, 0x71, 0xab, 0x9b, 0xcb, 0x50, 0xa5, 0x04, 0xd1, 0xbd, 0x3b, 0xc1, 0x75, 0xd7, 0xe3, + 0xc1, 0xb1, 0x59, 0x21, 0x0e, 0x8d, 0x61, 0x41, 0xec, 0x23, 0x09, 0x85, 0x15, 0x19, 0x0a, 0xf7, + 0xa7, 0xf3, 0xd1, 0x7e, 0x26, 0xd0, 0xcc, 0x4b, 0x47, 0x5d, 0x40, 0x23, 0x1c, 0x1e, 0x44, 0x0e, + 0xa7, 0xcc, 0x21, 0xb1, 0x19, 0xa1, 0xbe, 0x2a, 0xdd, 0x54, 0xb1, 0x82, 0x1e, 0x00, 0x04, 0x64, + 0x98, 0xd0, 0xad, 0xc9, 0x9d, 0xdf, 0x3c, 0x6d, 0xe7, 0x66, 0x4a, 0x1d, 0xef, 0x38, 0xc7, 0xde, + 0xb9, 0x0b, 0x6b, 0x27, 0x38, 0x06, 0xb5, 0xa1, 0x31, 0x26, 0xc7, 0x32, 0xa1, 0xb6, 0x4c, 0xf1, + 0x89, 0x96, 0x61, 0xf6, 0x08, 0x3b, 0x11, 0x91, 0x29, 0xb0, 0x69, 0xc6, 0x83, 0x3b, 0xf5, 0x6f, + 0x6b, 0x9d, 0x5f, 0x6b, 0xb0, 0x58, 0x52, 0x53, 0xc1, 0xff, 0x93, 0x3c, 0xff, 0x19, 0x04, 0xdd, + 0xf0, 0x29, 0x0e, 0x6c, 0xc2, 0x73, 0x86, 0x18, 0xff, 0xd0, 0x40, 0x2f, 0xed, 0xff, 0x87, 0x94, + 0x8f, 0xee, 0x51, 0x87, 0x84, 0xe8, 0x36, 0xcc, 0x07, 0xf1, 0x9c, 0x2a, 0x13, 0x6f, 0x9d, 0xe2, + 0xb6, 0xfd, 0x9a, 0x99, 0x50, 0xa3, 0x8f, 0xa1, 0xe9, 0x12, 0x8e, 0x07, 0x98, 0x63, 0x65, 0xfb, + 0x46, 0x15, 0xa7, 0xd0, 0x72, 0xa0, 0xe8, 0xf6, 0x6b, 0x66, 0xca, 0x83, 0xde, 0x87, 0x59, 0x6b, + 0x14, 0x79, 0x63, 0x59, 0x20, 0x16, 0xb6, 0xdf, 0x3e, 0x89, 0x79, 0x57, 0x10, 0xed, 0xd7, 0xcc, + 0x98, 0xfa, 0x93, 0x39, 0x98, 0x61, 0x38, 0xe0, 0xc6, 0x3d, 0x58, 0xae, 0x52, 0x21, 0xaa, 0x92, + 0x35, 0x22, 0xd6, 0x38, 0x8c, 0x5c, 
0xe5, 0xe6, 0x74, 0x8c, 0x10, 0xcc, 0x84, 0xf4, 0x45, 0xec, + 0xea, 0x86, 0x29, 0xbf, 0x8d, 0x6f, 0xc1, 0xd2, 0x84, 0x36, 0x71, 0xa8, 0xb1, 0x6d, 0x42, 0xc2, + 0x05, 0xa5, 0xda, 0x88, 0x60, 0xe5, 0xa9, 0xf4, 0x45, 0x9a, 0x9a, 0xcf, 0xa3, 0xce, 0x1a, 0xfb, + 0xb0, 0x5a, 0x56, 0x1b, 0x32, 0xdf, 0x0b, 0x89, 0xb8, 0x25, 0x32, 0x97, 0x51, 0x32, 0xc8, 0x56, + 0xa5, 0x15, 0x4d, 0xb3, 0x62, 0xc5, 0xf8, 0x45, 0x1d, 0x56, 0x4d, 0x12, 0xfa, 0xce, 0x11, 0x49, + 0x12, 0xcd, 0xf9, 0x40, 0x85, 0x1f, 0x43, 0x03, 0x33, 0xa6, 0xc2, 0xe4, 0xfe, 0x99, 0x15, 0x63, + 0x53, 0x48, 0x45, 0xef, 0xc2, 0x12, 0x76, 0xfb, 0xd4, 0x8e, 0xfc, 0x28, 0x4c, 0xb6, 0x25, 0x83, + 0xaa, 0x65, 0x4e, 0x2e, 0x18, 0x16, 0xac, 0x4d, 0xb8, 0x40, 0xb9, 0x33, 0x0f, 0x68, 0xb4, 0x12, + 0xa0, 0xa9, 0x54, 0x52, 0x3f, 0x49, 0xc9, 0x5f, 0x35, 0x68, 0x67, 0x57, 0x47, 0x89, 0xbf, 0x0a, + 0x2d, 0x57, 0xcd, 0x85, 0xba, 0x26, 0x0b, 0x56, 0x36, 0x51, 0xc4, 0x36, 0xf5, 0x32, 0xb6, 0x59, + 0x85, 0xb9, 0x18, 0x7a, 0xaa, 0x8d, 0xa9, 0x51, 0xc1, 0xe4, 0x99, 0x92, 0xc9, 0xeb, 0x00, 0x61, + 0x9a, 0xbf, 0xf4, 0x39, 0xb9, 0x9a, 0x9b, 0x41, 0x06, 0x5c, 0x88, 0x2b, 0xa1, 0x49, 0xc2, 0xc8, + 0xe1, 0xfa, 0xbc, 0xa4, 0x28, 0xcc, 0x19, 0x3e, 0x2c, 0x3e, 0xa4, 0x62, 0x0f, 0xc3, 0xf0, 0x7c, + 0x82, 0xfd, 0x03, 0x98, 0x11, 0xca, 0xc4, 0xc6, 0xfa, 0x01, 0xf6, 0xac, 0x11, 0x49, 0x7c, 0x95, + 0x8e, 0xc5, 0x35, 0xe6, 0xd8, 0x0e, 0xf5, 0xba, 0x9c, 0x97, 0xdf, 0xc6, 0x1f, 0xeb, 0xb1, 0xa5, + 0x3b, 0x8c, 0x85, 0xdf, 0x3c, 0xfc, 0xad, 0x2e, 0xc8, 0x8d, 0xc9, 0x82, 0x5c, 0x32, 0xf9, 0xeb, + 0x14, 0xe4, 0x33, 0x2a, 0x53, 0x46, 0x04, 0xf3, 0x3b, 0x8c, 0x09, 0x43, 0xd0, 0x16, 0xcc, 0x60, + 0xc6, 0x62, 0x87, 0x97, 0x32, 0xb2, 0x22, 0x11, 0xff, 0x2b, 0x93, 0x24, 0x69, 0xe7, 0x36, 0xb4, + 0xd2, 0xa9, 0x57, 0xa9, 0x6d, 0xe5, 0xd5, 0x6e, 0x00, 0xc4, 0x88, 0xf3, 0xbe, 0x37, 0xf4, 0xc5, + 0x91, 0x8a, 0x60, 0x57, 0xac, 0xf2, 0xdb, 0xb8, 0x93, 0x50, 0x48, 0xdb, 0xde, 0x85, 0x59, 0xca, + 0x89, 0x9b, 0x18, 0xb7, 0x9a, 0x37, 0x2e, 0x13, 0x64, 0xc6, 0x44, 0xc6, 
0xdf, 0x9a, 0x70, 0x45, + 0x9c, 0xd8, 0x13, 0x79, 0x4d, 0x76, 0x18, 0xfb, 0x94, 0x70, 0x4c, 0x9d, 0xf0, 0x7b, 0x11, 0x09, + 0x8e, 0xdf, 0x70, 0x60, 0xd8, 0x30, 0x17, 0xdf, 0x32, 0x95, 0xef, 0xce, 0xbc, 0xf9, 0x50, 0xe2, + 0xb3, 0x8e, 0xa3, 0xf1, 0x66, 0x3a, 0x8e, 0xaa, 0x0e, 0x60, 0xe6, 0x9c, 0x3a, 0x80, 0x93, 0x9b, + 0xc0, 0x5c, 0x6b, 0x39, 0x57, 0x6c, 0x2d, 0x2b, 0x80, 0xf5, 0xfc, 0xeb, 0x02, 0xeb, 0x66, 0x25, + 0xb0, 0x76, 0x2b, 0xef, 0x71, 0x4b, 0xba, 0xfb, 0x3b, 0xf9, 0x08, 0x3c, 0x31, 0xd6, 0xa6, 0x81, + 0xd8, 0xf0, 0x46, 0x21, 0xf6, 0xf7, 0x0b, 0x90, 0x39, 0x6e, 0x5a, 0xdf, 0x7f, 0xbd, 0x3d, 0xfd, + 0x2f, 0x81, 0xe7, 0x5f, 0x49, 0xcc, 0xc4, 0xfc, 0xcc, 0x07, 0x69, 0x41, 0x17, 0x75, 0x48, 0x94, + 0x56, 0x95, 0xb4, 0xc4, 0x37, 0xba, 0x09, 0x33, 0xc2, 0xc9, 0x0a, 0xd4, 0xae, 0xe5, 0xfd, 0x29, + 0x4e, 0x62, 0x87, 0xb1, 0x27, 0x8c, 0x58, 0xa6, 0x24, 0x42, 0x77, 0xa0, 0x95, 0x06, 0xbe, 0xba, + 0x59, 0x57, 0xf3, 0x1c, 0xe9, 0x3d, 0x49, 0xd8, 0x32, 0x72, 0xc1, 0x3b, 0xa0, 0x01, 0xb1, 0x24, + 0xe4, 0x9b, 0x9d, 0xe4, 0xfd, 0x34, 0x59, 0x4c, 0x79, 0x53, 0x72, 0xb4, 0x05, 0x73, 0x71, 0x97, + 0x2f, 0x6f, 0xd0, 0xc2, 0xf6, 0x95, 0xc9, 0x64, 0x9a, 0x70, 0x29, 0x42, 0xe3, 0x2f, 0x1a, 0xbc, + 0x93, 0x05, 0x44, 0x72, 0x9b, 0x12, 0xd4, 0xfd, 0xcd, 0x57, 0xdc, 0xeb, 0x70, 0x49, 0xc2, 0xfc, + 0xac, 0xd9, 0x8f, 0xdf, 0x9d, 0x4a, 0xb3, 0xc6, 0x1f, 0x34, 0xb8, 0x36, 0xb9, 0x8f, 0xdd, 0x11, + 0x0e, 0x78, 0x7a, 0xbc, 0xe7, 0xb1, 0x97, 0xa4, 0xe0, 0xd5, 0xb3, 0x82, 0x57, 0xd8, 0x5f, 0xa3, + 0xb8, 0x3f, 0xe3, 0xcf, 0x75, 0x58, 0xc8, 0x05, 0x50, 0x55, 0xc1, 0x14, 0x80, 0x4f, 0xc6, 0xad, + 0x6c, 0xec, 0x64, 0x51, 0x68, 0x99, 0xb9, 0x19, 0x34, 0x06, 0x60, 0x38, 0xc0, 0x2e, 0xe1, 0x24, + 0x10, 0x99, 0x5c, 0xdc, 0xf8, 0x07, 0xd3, 0x67, 0x97, 0xc3, 0x44, 0xa6, 0x99, 0x13, 0x2f, 0x10, + 0xab, 0x54, 0x1d, 0xaa, 0xfc, 0xad, 0x46, 0xe8, 0x4b, 0xb8, 0x34, 0xa4, 0x0e, 0x39, 0xcc, 0x0c, + 0x99, 0x93, 0x86, 0x3c, 0x9e, 0xde, 0x90, 0x7b, 0x79, 0xb9, 0x66, 0x49, 0x8d, 0x71, 0x03, 0xda, + 0xe5, 0xfb, 
0x24, 0x8c, 0xa4, 0x2e, 0xb6, 0x53, 0x6f, 0xa9, 0x91, 0x81, 0xa0, 0x5d, 0xbe, 0x3f, + 0xc6, 0x3f, 0xeb, 0xb0, 0x92, 0x8a, 0xdb, 0xf1, 0x3c, 0x3f, 0xf2, 0x2c, 0xf9, 0x70, 0x56, 0x79, + 0x16, 0xcb, 0x30, 0xcb, 0x29, 0x77, 0x52, 0xe0, 0x23, 0x07, 0xa2, 0x76, 0x71, 0xdf, 0x77, 0x38, + 0x65, 0xea, 0x80, 0x93, 0x61, 0x7c, 0xf6, 0xcf, 0x23, 0x1a, 0x90, 0x81, 0xcc, 0x04, 0x4d, 0x33, + 0x1d, 0x8b, 0x35, 0x81, 0x6a, 0x24, 0x8c, 0x8f, 0x9d, 0x99, 0x8e, 0x65, 0xdc, 0xfb, 0x8e, 0x43, + 0x2c, 0xe1, 0x8e, 0x1c, 0xd0, 0x2f, 0xcd, 0xca, 0x06, 0x82, 0x07, 0xd4, 0xb3, 0x15, 0xcc, 0x57, + 0x23, 0x61, 0x27, 0x0e, 0x02, 0x7c, 0xac, 0x37, 0xa5, 0x03, 0xe2, 0x01, 0xfa, 0x08, 0x1a, 0x2e, + 0x66, 0xaa, 0xd0, 0xdd, 0x28, 0x64, 0x87, 0x2a, 0x0f, 0x74, 0x0f, 0x30, 0x8b, 0x2b, 0x81, 0x60, + 0xeb, 0x7c, 0x00, 0xcd, 0x64, 0xe2, 0x6b, 0x41, 0xc2, 0x2f, 0xe0, 0x62, 0x21, 0xf9, 0xa0, 0xcf, + 0x61, 0x35, 0x8b, 0xa8, 0xbc, 0x42, 0x05, 0x02, 0xdf, 0x79, 0xa5, 0x65, 0xe6, 0x09, 0x02, 0x8c, + 0xe7, 0xb0, 0x24, 0x42, 0x46, 0x5e, 0xfc, 0x73, 0x6a, 0x6d, 0x3e, 0x84, 0x56, 0xaa, 0xb2, 0x32, + 0x66, 0x3a, 0xd0, 0x3c, 0x4a, 0x1e, 0x34, 0xe3, 0xde, 0x26, 0x1d, 0x1b, 0x3b, 0x80, 0xf2, 0xf6, + 0xaa, 0x0a, 0x74, 0xb3, 0x08, 0x8a, 0x57, 0xca, 0xe5, 0x46, 0x92, 0x27, 0x98, 0xf8, 0x37, 0x75, + 0x58, 0xdc, 0xa3, 0xf2, 0x95, 0xe3, 0x9c, 0x92, 0xdc, 0x0d, 0x68, 0x87, 0x51, 0xdf, 0xf5, 0x07, + 0x91, 0x43, 0x14, 0x28, 0x50, 0x95, 0x7e, 0x62, 0xfe, 0xb4, 0xe4, 0x27, 0x9c, 0xc5, 0x30, 0x1f, + 0xa9, 0x0e, 0x57, 0x7e, 0xa3, 0x8f, 0xe0, 0xca, 0x23, 0xf2, 0xa5, 0xda, 0xcf, 0x9e, 0xe3, 0xf7, + 0xfb, 0xd4, 0xb3, 0x13, 0x25, 0xb3, 0x52, 0xc9, 0xc9, 0x04, 0xc6, 0x2f, 0x35, 0x68, 0x67, 0xbe, + 0x50, 0xde, 0xbc, 0x1d, 0x47, 0x7d, 0xec, 0xcb, 0x6b, 0x79, 0x5f, 0x96, 0x49, 0xff, 0xf3, 0x80, + 0xbf, 0x90, 0x0f, 0xf8, 0x3f, 0x69, 0xb0, 0xb2, 0x47, 0x79, 0x92, 0x6a, 0xe8, 0x7f, 0xd9, 0xb9, + 0x18, 0x5d, 0x58, 0x2d, 0x9b, 0xaf, 0x5c, 0xb9, 0x0c, 0xb3, 0xe2, 0x94, 0x92, 0xde, 0x3d, 0x1e, + 0x6c, 0x7f, 0xd5, 0x82, 0xa5, 0xac, 0xf8, 0x8a, 
0x7f, 0xa9, 0x45, 0xd0, 0x63, 0x68, 0xef, 0xa9, + 0x5f, 0xba, 0x92, 0x37, 0x13, 0x74, 0xda, 0x23, 0x64, 0xe7, 0x6a, 0xf5, 0x62, 0xac, 0xda, 0xa8, + 0x21, 0x0b, 0xae, 0x94, 0x05, 0x66, 0xef, 0x9d, 0xff, 0x7f, 0x8a, 0xe4, 0x94, 0xea, 0x55, 0x2a, + 0x36, 0x35, 0xf4, 0x39, 0x5c, 0x2a, 0xbe, 0xca, 0xa1, 0x42, 0x36, 0xaa, 0x7c, 0x28, 0xec, 0x18, + 0xa7, 0x91, 0xa4, 0xf6, 0x3f, 0x13, 0xd0, 0xb7, 0xf0, 0x44, 0x85, 0x8c, 0x22, 0x30, 0xaf, 0x7a, + 0xc2, 0xeb, 0xfc, 0xdf, 0xa9, 0x34, 0xa9, 0xf4, 0x0f, 0xa1, 0x99, 0x3c, 0xe9, 0x14, 0xdd, 0x5c, + 0x7a, 0xe8, 0xe9, 0xb4, 0x8b, 0xf2, 0x86, 0xa1, 0x51, 0x43, 0x1f, 0xc7, 0xcc, 0xa2, 0xe5, 0x9f, + 0x64, 0xce, 0x3d, 0x64, 0x74, 0x2e, 0x57, 0x3c, 0x1e, 0x18, 0x35, 0xf4, 0x5d, 0x58, 0x10, 0x5f, + 0x87, 0xea, 0x37, 0xa6, 0xd5, 0x6e, 0xfc, 0x93, 0x66, 0x37, 0xf9, 0x49, 0xb3, 0x7b, 0xd7, 0x65, + 0xfc, 0xb8, 0x53, 0xd1, 0xdd, 0x2b, 0x01, 0xcf, 0xe0, 0xe2, 0x1e, 0xe1, 0x19, 0x18, 0x47, 0xd7, + 0x5e, 0xab, 0x65, 0xe9, 0x18, 0x65, 0xb2, 0x49, 0x3c, 0x6f, 0xd4, 0xd0, 0x6f, 0x35, 0xb8, 0xbc, + 0x47, 0x78, 0x19, 0xde, 0xa2, 0xf7, 0xaa, 0x95, 0x9c, 0x00, 0x83, 0x3b, 0x8f, 0xa6, 0xbd, 0xaf, + 0x45, 0xb1, 0x46, 0x0d, 0xfd, 0x5e, 0x83, 0xb5, 0x9c, 0x61, 0x79, 0xbc, 0x8a, 0xb6, 0x4e, 0x37, + 0xae, 0x02, 0xdb, 0x76, 0x3e, 0x9b, 0xf2, 0xa7, 0xc3, 0x9c, 0x48, 0xa3, 0x86, 0x0e, 0xe5, 0x99, + 0x64, 0xe5, 0x09, 0xbd, 0x5d, 0x59, 0x87, 0x52, 0xed, 0xeb, 0x27, 0x2d, 0xa7, 0xe7, 0xf0, 0x19, + 0x2c, 0xec, 0x11, 0x9e, 0x64, 0xdd, 0x62, 0xa4, 0x95, 0x4a, 0x58, 0xf1, 0xaa, 0x96, 0x13, 0xb5, + 0x8c, 0x98, 0xa5, 0x58, 0x56, 0x2e, 0x4f, 0x15, 0xef, 0x6a, 0x65, 0x0a, 0x2e, 0x46, 0x4c, 0x75, + 0x9a, 0x33, 0x6a, 0x9f, 0xec, 0xfc, 0xfd, 0xe5, 0xba, 0xf6, 0xd5, 0xcb, 0x75, 0xed, 0x5f, 0x2f, + 0xd7, 0xb5, 0x1f, 0xdd, 0x7a, 0xc5, 0xef, 0xfd, 0xb9, 0x3f, 0x21, 0xc0, 0x8c, 0x5a, 0x0e, 0x25, + 0x1e, 0xef, 0xcf, 0xc9, 0xe0, 0xbf, 0xf5, 0xef, 0x00, 0x00, 0x00, 0xff, 0xff, 0x55, 0x0b, 0x09, + 0x7b, 0x61, 0x20, 0x00, 0x00, } // Reference imports to suppress errors if they are not 
otherwise used. @@ -2922,26 +2902,6 @@ func (m *ManifestRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if len(m.ProjectName) > 0 { - i -= len(m.ProjectName) - copy(dAtA[i:], m.ProjectName) - i = encodeVarintRepository(dAtA, i, uint64(len(m.ProjectName))) - i-- - dAtA[i] = 0x1 - i-- - dAtA[i] = 0xca - } - if len(m.ProjectSourceRepos) > 0 { - for iNdEx := len(m.ProjectSourceRepos) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.ProjectSourceRepos[iNdEx]) - copy(dAtA[i:], m.ProjectSourceRepos[iNdEx]) - i = encodeVarintRepository(dAtA, i, uint64(len(m.ProjectSourceRepos[iNdEx]))) - i-- - dAtA[i] = 0x1 - i-- - dAtA[i] = 0xc2 - } - } if len(m.RefSources) > 0 { for k := range m.RefSources { v := m.RefSources[k] @@ -4982,16 +4942,6 @@ func (m *ManifestRequest) Size() (n int) { n += mapEntrySize + 2 + sovRepository(uint64(mapEntrySize)) } } - if len(m.ProjectSourceRepos) > 0 { - for _, s := range m.ProjectSourceRepos { - l = len(s) - n += 2 + l + sovRepository(uint64(l)) - } - } - l = len(m.ProjectName) - if l > 0 { - n += 2 + l + sovRepository(uint64(l)) - } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } 
@@ -6586,70 +6536,6 @@ func (m *ManifestRequest) Unmarshal(dAtA []byte) error { } m.RefSources[mapkey] = mapvalue iNdEx = postIndex - case 24: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ProjectSourceRepos", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRepository - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRepository - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRepository - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.ProjectSourceRepos = append(m.ProjectSourceRepos, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 25: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ProjectName", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRepository - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRepository - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRepository - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.ProjectName = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipRepository(dAtA[iNdEx:]) diff --git a/reposerver/repository/lock.go b/reposerver/repository/lock.go index 05eddf667d82a..fa8da9c3e5089 100644 --- a/reposerver/repository/lock.go +++ b/reposerver/repository/lock.go 
@@ -55,7 +55,7 @@ func (r *repositoryLock) Lock(path string, revision string, allowConcurrent bool initCloser, err := init() if err != nil { state.cond.L.Unlock() - return nil, err + return nil, fmt.Errorf("failed to initialize repository resources: %w", err) } state.initCloser = initCloser state.revision = revision diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go index c91d9f1c9bfcb..25a5a0f937e3b 100644 --- a/reposerver/repository/repository.go +++ b/reposerver/repository/repository.go @@ -199,7 +199,7 @@ func (s *Service) ListRefs(ctx context.Context, q *apiclient.ListRefsRequest) (* func (s *Service) ListApps(ctx context.Context, q *apiclient.ListAppsRequest) (*apiclient.AppList, error) { gitClient, commitSHA, err := s.newClientResolveRevision(q.Repo, q.Revision) if err != nil { - return nil, err + return nil, fmt.Errorf("error setting up git client and resolving given revision: %w", err) } if apps, err := s.cache.ListApps(q.Repo.Repo, commitSHA); err == nil { log.Infof("cache hit: %s/%s", q.Repo.Repo, q.Revision) @@ -214,13 +214,13 @@ func (s *Service) ListApps(ctx context.Context, q *apiclient.ListAppsRequest) (* }) if err != nil { - return nil, err + return nil, fmt.Errorf("error acquiring repository lock: %w", err) } defer io.Close(closer) apps, err := discovery.Discover(ctx, gitClient.Root(), gitClient.Root(), q.EnabledSourceTypes, s.initConstants.CMPTarExcludedGlobs) if err != nil { - return nil, err + return nil, fmt.Errorf("error discovering applications: %w", err) } err = s.cache.SetApps(q.Repo.Repo, commitSHA, apps) if err != nil { 
@@ -943,7 +943,7 @@ func (s *Service) getManifestCacheEntry(cacheKey string, q *apiclient.ManifestRe func getHelmRepos(appPath string, repositories []*v1alpha1.Repository, helmRepoCreds []*v1alpha1.RepoCreds) ([]helm.HelmRepository, error) { dependencies, err := getHelmDependencyRepos(appPath) if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving helm dependency repos: %w", err) } reposByName := make(map[string]*v1alpha1.Repository) reposByUrl := make(map[string]*v1alpha1.Repository) @@ -956,11 +956,13 @@ func getHelmRepos(appPath string, repositories []*v1alpha1.Repository, helmRepoC repos := make([]helm.HelmRepository, 0) for _, dep := range dependencies { + // find matching repo credentials by URL or name repo, ok := reposByUrl[dep.Repo] if !ok && dep.Name != "" { repo, ok = reposByName[dep.Name] } if !ok { + // if no matching repo credentials found, use the repo creds from the credential list repo = &v1alpha1.Repository{Repo: dep.Repo, Name: dep.Name, EnableOCI: dep.EnableOCI} if repositoryCredential := getRepoCredential(helmRepoCreds, dep.Repo); repositoryCredential != nil { repo.EnableOCI = repositoryCredential.EnableOCI 
@@ -969,6 +971,16 @@ func getHelmRepos(appPath string, repositories []*v1alpha1.Repository, helmRepoC repo.SSHPrivateKey = repositoryCredential.SSHPrivateKey repo.TLSClientCertData = repositoryCredential.TLSClientCertData repo.TLSClientCertKey = repositoryCredential.TLSClientCertKey + } else if repo.EnableOCI { + // finally if repo is OCI and no credentials found, use the first OCI credential matching by hostname + // see https://github.com/argoproj/argo-cd/issues/14636 + for _, cred := range repositories { + if depURL, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && depURL.Host == cred.Repo { + repo.Username = cred.Username + repo.Password = cred.Password + break + } + } } } repos = append(repos, helm.HelmRepository{Name: repo.Name, Repo: repo.Repo, Creds: repo.GetHelmCreds(), EnableOci: repo.EnableOCI}) @@ -988,12 +1000,12 @@ func getHelmDependencyRepos(appPath string) ([]*v1alpha1.Repository, error) { repos := make([]*v1alpha1.Repository, 0) f, err := os.ReadFile(filepath.Join(appPath, "Chart.yaml")) if err != nil { - return nil, err + return nil, fmt.Errorf("error reading helm chart from %s: %w", filepath.Join(appPath, "Chart.yaml"), err) } d := &dependencies{} if err = yaml.Unmarshal(f, d); err != nil { - return nil, err + return nil, fmt.Errorf("error unmarshalling the helm chart while getting helm dependency repos: %w", err) } for _, r := range d.Dependencies { 
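Review bot: The new `else if repo.EnableOCI` branch in getHelmRepos picks a credential by registry host alone (`depURL.Host == cred.Repo`), so a chart dependency at any path under that host is fetched with the username and password of the first OCI entry in `repositories` for that host. Whether `repositories` is already limited to entries the application's project may use is not visible in this hunk, and the same commit removes the `isSourcePermitted` check from helmTemplate, so the assumption deserves a comment at this branch, for example `// host-only match: every dependency on this registry host receives this credential; callers must pass only repositories the project may use`. The parse is also loop-invariant and its error is silently dropped; wrapping the loop in `if depURL, err := url.Parse("oci://" + dep.Repo); err == nil {` and testing `cred.EnableOCI && depURL.Host == cred.Repo` inside does the work once. Only Username and Password are copied, unlike the branch above that also carries SSH and TLS client material, which is presumably intentional but worth stating. getHelmRepos starts and ends outside the hunk.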
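Review bot: The wrapped message for the ReadFile failure in getHelmDependencyRepos repeats the path, because the error returned by os.ReadFile is a path error that already prints it, and `filepath.Join(appPath, "Chart.yaml")` is now evaluated twice. `return nil, fmt.Errorf("error reading helm chart: %w", err)` carries the same information. If this error can reach API clients, the absolute checkout path travels with it either way; whether it is sanitized further up the call chain is not visible here. The function body continues outside the hunk.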
@@ -1054,11 +1066,6 @@ func runHelmBuild(appPath string, h helm.Helm) error { return os.WriteFile(markerFile, []byte("marker"), 0644) } -func isSourcePermitted(url string, repos []string) bool { - p := v1alpha1.AppProject{Spec: v1alpha1.AppProjectSpec{SourceRepos: repos}} - return p.IsSourcePermitted(v1alpha1.ApplicationSource{RepoURL: url}) -} - func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclient.ManifestRequest, isLocal bool, gitRepoPaths io.TempPaths) ([]*unstructured.Unstructured, error) { concurrencyAllowed := isConcurrencyAllowed(appPath) if !concurrencyAllowed { @@ -1155,20 +1162,6 @@ func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclie if err != nil { return nil, err } - - var reposNotPermitted []string - // We do a sanity check here to give a nicer error message in case any of the Helm repositories are not permitted by - // the AppProject which the application is a part of - for _, repo := range helmRepos { - if !isSourcePermitted(repo.Repo, q.ProjectSourceRepos) { - reposNotPermitted = append(reposNotPermitted, repo.Repo) - } - } - - if len(reposNotPermitted) > 0 { - return nil, status.Errorf(codes.PermissionDenied, "helm repos %s are not permitted in project '%s'", strings.Join(reposNotPermitted, ", "), q.ProjectName) - } - h, err := helm.NewHelmApp(appPath, helmRepos, isLocal, version, proxy, passCredentials) if err != nil { return nil, err 
@@ -1419,10 +1412,15 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, } func newEnv(q *apiclient.ManifestRequest, revision string) *v1alpha1.Env { + shortRevision := revision + if len(shortRevision) > 7 { + shortRevision = shortRevision[:7] + } return &v1alpha1.Env{ &v1alpha1.EnvEntry{Name: "ARGOCD_APP_NAME", Value: q.AppName}, &v1alpha1.EnvEntry{Name: "ARGOCD_APP_NAMESPACE", Value: q.Namespace}, &v1alpha1.EnvEntry{Name: "ARGOCD_APP_REVISION", Value: revision}, + &v1alpha1.EnvEntry{Name: "ARGOCD_APP_REVISION_SHORT", Value: shortRevision}, &v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_REPO_URL", Value: q.Repo.Repo}, &v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_PATH", Value: q.ApplicationSource.Path}, &v1alpha1.EnvEntry{Name: "ARGOCD_APP_SOURCE_TARGET_REVISION", Value: q.ApplicationSource.TargetRevision}, diff --git a/reposerver/repository/repository.proto b/reposerver/repository/repository.proto index 8e4b69000f7e1..37babd739b1c1 100644 --- a/reposerver/repository/repository.proto +++ b/reposerver/repository/repository.proto @@ -32,10 +32,6 @@ message ManifestRequest { github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.HelmOptions helmOptions = 21; bool hasMultipleSources = 22; map refSources = 23; - // This is used to surface "source not permitted" errors for Helm repositories - repeated string projectSourceRepos = 24; - // This is used to surface "source not permitted" errors for Helm repositories - string projectName = 25; } message ManifestRequestWithFiles { diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go index e3e29d0b0c0ad..18429b7665ab7 100644 --- a/reposerver/repository/repository_test.go +++ b/reposerver/repository/repository_test.go 
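Review bot: `shortRevision[:7]` in newEnv cuts whatever string arrives in `revision` at seven bytes, which yields an abbreviated commit SHA only when the revision is one; Test_newEnv shows `my-revision` becoming `my-revi`. A comment would make the contract explicit, e.g. `// ARGOCD_APP_REVISION_SHORT is the first 7 bytes of revision; it is a short SHA only when revision is a commit SHA`, and the 7 could be a named constant. The slice is by byte, so a revision with a multi-byte character straddling the seventh byte would be split mid-character, which is unlikely for SHAs but possible if other revision strings reach this function. The updated test exercises only a revision longer than seven characters, so the untruncated path is not covered. The Env literal continues past the end of the hunk.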
@@ -154,10 +154,8 @@ func TestGenerateYamlManifestInDir(t *testing.T) { src := argoappv1.ApplicationSource{Path: "."} q := apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: &src, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + Repo: &argoappv1.Repository{}, + ApplicationSource: &src, } // update this value if we add/remove manifests @@ -224,8 +222,7 @@ func Test_GenerateManifests_NoOutOfBoundsAccess(t *testing.T) { mustNotContain = testCaseCopy.mustNotContain } - q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &argoappv1.ApplicationSource{}, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &argoappv1.ApplicationSource{}} res, err := GenerateManifests(context.Background(), repoDir, "", "", &q, false, &git.NoopCredsStore{}, resource.MustParse("0"), nil) require.Error(t, err) assert.NotContains(t, err.Error(), mustNotContain) @@ -240,8 +237,7 @@ func TestGenerateManifests_MissingSymlinkDestination(t *testing.T) { err := os.Symlink("/obviously/does/not/exist", path.Join(repoDir, "test.yaml")) require.NoError(t, err) - q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &argoappv1.ApplicationSource{}, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &argoappv1.ApplicationSource{}} _, err = GenerateManifests(context.Background(), repoDir, "", "", &q, false, &git.NoopCredsStore{}, resource.MustParse("0"), nil) require.NoError(t, err) } 
@@ -251,11 +247,9 @@ func TestGenerateManifests_K8SAPIResetCache(t *testing.T) { src := argoappv1.ApplicationSource{Path: "."} q := apiclient.ManifestRequest{ - KubeVersion: "v1.16.0", - Repo: &argoappv1.Repository{}, - ApplicationSource: &src, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + KubeVersion: "v1.16.0", + Repo: &argoappv1.Repository{}, + ApplicationSource: &src, } cachedFakeResponse := &apiclient.ManifestResponse{Manifests: []string{"Fake"}} @@ -279,10 +273,8 @@ func TestGenerateManifests_EmptyCache(t *testing.T) { src := argoappv1.ApplicationSource{Path: "."} q := apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: &src, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + Repo: &argoappv1.Repository{}, + ApplicationSource: &src, } err := service.cache.SetManifests(mock.Anything, &src, q.RefSources, &q, "", "", "", "", &cache.CachedManifestResponse{ManifestResponse: nil}, nil) @@ -297,8 +289,7 @@ func TestGenerateManifests_EmptyCache(t *testing.T) { func TestHelmManifestFromChartRepo(t *testing.T) { service := newService(".") source := &argoappv1.ApplicationSource{Chart: "my-chart", TargetRevision: ">= 1.0.0"} - request := &apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: source, NoCache: true, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + request := &apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: source, NoCache: true} response, err := service.GenerateManifest(context.Background(), request) assert.NoError(t, err) assert.NotNil(t, response) 
@@ -327,8 +318,7 @@ func TestHelmChartReferencingExternalValues(t *testing.T) { }, nil) refSources, err := argo.GetRefSources(context.Background(), spec, repoDB) require.NoError(t, err) - request := &apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &spec.Sources[0], NoCache: true, RefSources: refSources, HasMultipleSources: true, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + request := &apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &spec.Sources[0], NoCache: true, RefSources: refSources, HasMultipleSources: true} response, err := service.GenerateManifest(context.Background(), request) assert.NoError(t, err) assert.NotNil(t, response) @@ -380,8 +370,7 @@ func TestGenerateManifestsUseExactRevision(t *testing.T) { src := argoappv1.ApplicationSource{Path: "./testdata/recurse", Directory: &argoappv1.ApplicationSourceDirectory{Recurse: true}} - q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, Revision: "abc", ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, Revision: "abc"} res1, err := service.GenerateManifest(context.Background(), &q) assert.Nil(t, err) @@ -394,8 +383,7 @@ func TestRecurseManifestsInDir(t *testing.T) { src := argoappv1.ApplicationSource{Path: "./testdata/recurse", Directory: &argoappv1.ApplicationSourceDirectory{Recurse: true}} - q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src} res1, err := service.GenerateManifest(context.Background(), &q) assert.Nil(t, err) 
@@ -413,6 +401,28 @@ func TestInvalidManifestsInDir(t *testing.T) { assert.NotNil(t, err) } +func TestInvalidMetadata(t *testing.T) { + service := newService(".") + + src := argoappv1.ApplicationSource{Path: "./testdata/invalid-metadata", Directory: &argoappv1.ApplicationSourceDirectory{Recurse: true}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, AppLabelKey: "test", AppName: "invalid-metadata", TrackingMethod: "annotation+label"} + _, err := service.GenerateManifest(context.Background(), &q) + assert.Error(t, err) + assert.Contains(t, err.Error(), "contains non-string key in the map") +} + +func TestNilMetadataAccessors(t *testing.T) { + service := newService(".") + expected := "{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"metadata\":{\"annotations\":{\"argocd.argoproj.io/tracking-id\":\"nil-metadata-accessors:/ConfigMap:/my-map\"},\"labels\":{\"test\":\"nil-metadata-accessors\"},\"name\":\"my-map\"},\"stringData\":{\"foo\":\"bar\"}}" + + src := argoappv1.ApplicationSource{Path: "./testdata/nil-metadata-accessors", Directory: &argoappv1.ApplicationSourceDirectory{Recurse: true}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, AppLabelKey: "test", AppName: "nil-metadata-accessors", TrackingMethod: "annotation+label"} + res, err := service.GenerateManifest(context.Background(), &q) + assert.NoError(t, err) + assert.Equal(t, len(res.Manifests), 1) + assert.Equal(t, expected, res.Manifests[0]) +} + func TestGenerateJsonnetManifestInDir(t *testing.T) { service := newService(".") @@ -428,8 +438,6 @@ func TestGenerateJsonnetManifestInDir(t *testing.T) { }, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, } res1, err := service.GenerateManifest(context.Background(), &q) assert.Nil(t, err) 
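Review bot: In TestNilMetadataAccessors the result is dereferenced after non-fatal assertions: if GenerateManifest returns an error `res` may be nil, and if the manifest list is empty `res.Manifests[0]` panics instead of failing the test cleanly. Use `require.NoError(t, err)` and `require.Len(t, res.Manifests, 1)` before indexing; the current `assert.Equal(t, len(res.Manifests), 1)` also passes expected and actual in reverse order. TestInvalidMetadata has the same shape, where `assert.Error` should be `require.Error` so that `err.Error()` is never called on a nil error.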
@@ -451,8 +459,6 @@ func TestGenerateJsonnetManifestInRootDir(t *testing.T) { }, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, } res1, err := service.GenerateManifest(context.Background(), &q) assert.Nil(t, err) @@ -472,8 +478,6 @@ func TestGenerateJsonnetLibOutside(t *testing.T) { }, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, } _, err := service.GenerateManifest(context.Background(), &q) require.Error(t, err) @@ -648,8 +652,6 @@ func TestManifestGenErrorCacheFileContentsChange(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ Path: ".", }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) fmt.Println("-", step, "-", res != nil, err != nil, errorExpected) @@ -818,8 +820,6 @@ func TestGenerateHelmWithValues(t *testing.T) { ValuesObject: &runtime.RawExtension{Raw: []byte(`cluster: {slaveCount: 2}`)}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.NoError(t, err) @@ -855,8 +855,6 @@ func TestHelmWithMissingValueFiles(t *testing.T) { ValueFiles: []string{"values-production.yaml", missingValuesFile}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, } // Should fail since we're passing a non-existent values file, and error should indicate that @@ -882,8 +880,6 @@ func TestGenerateHelmWithEnvVars(t *testing.T) { ValueFiles: []string{"values-$ARGOCD_APP_NAME.yaml"}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.NoError(t, err) @@ -919,8 +915,6 @@ func TestGenerateHelmWithValuesDirectoryTraversal(t *testing.T) { ValuesObject: &runtime.RawExtension{Raw: []byte(`cluster: {slaveCount: 2}`)}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.NoError(t, err) 
@@ -932,8 +926,6 @@ func TestGenerateHelmWithValuesDirectoryTraversal(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ Path: "./my-chart", }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.NoError(t, err) } @@ -958,11 +950,10 @@ func TestHelmManifestFromChartRepoWithValueFile(t *testing.T) { }, } request := &apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: source, - NoCache: true, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + Repo: &argoappv1.Repository{}, + ApplicationSource: source, + NoCache: true, + } response, err := service.GenerateManifest(context.Background(), request) assert.NoError(t, err) assert.NotNil(t, response) @@ -1001,8 +992,7 @@ func TestHelmManifestFromChartRepoWithValueFileLinks(t *testing.T) { ValueFiles: []string{"my-chart-link.yaml"}, }, } - request := &apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: source, NoCache: true, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + request := &apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: source, NoCache: true} _, err := service.GenerateManifest(context.Background(), request) assert.NoError(t, err) }) @@ -1021,9 +1011,8 @@ func TestGenerateHelmWithURL(t *testing.T) { ValuesObject: &runtime.RawExtension{Raw: []byte(`cluster: {slaveCount: 2}`)}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, - HelmOptions: &argoappv1.HelmOptions{ValuesFileSchemes: []string{"https"}}, + + HelmOptions: &argoappv1.HelmOptions{ValuesFileSchemes: []string{"https"}}, }) assert.NoError(t, err) } @@ -1043,8 +1032,6 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) { ValuesObject: &runtime.RawExtension{Raw: []byte(`cluster: {slaveCount: 2}`)}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.Error(t, err) assert.Contains(t, err.Error(), "outside repository root") 
@@ -1062,8 +1049,6 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) { ValuesObject: &runtime.RawExtension{Raw: []byte(`cluster: {slaveCount: 2}`)}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.NoError(t, err) }) @@ -1080,8 +1065,6 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) { ValuesObject: &runtime.RawExtension{Raw: []byte(`cluster: {slaveCount: 2}`)}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.NoError(t, err) }) @@ -1098,8 +1081,6 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) { ValuesObject: &runtime.RawExtension{Raw: []byte(`cluster: {slaveCount: 2}`)}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.Error(t, err) assert.Contains(t, err.Error(), "outside repository root") @@ -1117,8 +1098,6 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) { ValuesObject: &runtime.RawExtension{Raw: []byte(`cluster: {slaveCount: 2}`)}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.Error(t, err) assert.Contains(t, err.Error(), "is not allowed") @@ -1135,9 +1114,7 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) { ValueFiles: []string{"s3://my-bucket/my-chart-values.yaml"}, }, }, - HelmOptions: &argoappv1.HelmOptions{ValuesFileSchemes: []string{"s3"}}, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + HelmOptions: &argoappv1.HelmOptions{ValuesFileSchemes: []string{"s3"}}, }) assert.Error(t, err) assert.Contains(t, err.Error(), "s3://my-bucket/my-chart-values.yaml: no such file or directory") @@ -1176,8 +1153,6 @@ func TestGenerateHelmWithAbsoluteFileParameter(t *testing.T) { }}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.Error(t, err) } 
@@ -1204,8 +1179,6 @@ func TestGenerateHelmWithFileParameter(t *testing.T) { }}, }, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) assert.NoError(t, err) assert.Contains(t, res.Manifests[6], `"replicas":2`, "ValuesObject should override Values") @@ -1216,11 +1189,9 @@ func TestGenerateNullList(t *testing.T) { t.Run("null list", func(t *testing.T) { res1, err := service.GenerateManifest(context.Background(), &apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: &argoappv1.ApplicationSource{Path: "./testdata/null-list"}, - NoCache: true, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + Repo: &argoappv1.Repository{}, + ApplicationSource: &argoappv1.ApplicationSource{Path: "./testdata/null-list"}, + NoCache: true, }) assert.Nil(t, err) assert.Equal(t, len(res1.Manifests), 1) @@ -1229,11 +1200,9 @@ func TestGenerateNullList(t *testing.T) { t.Run("empty list", func(t *testing.T) { res1, err := service.GenerateManifest(context.Background(), &apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: &argoappv1.ApplicationSource{Path: "./testdata/empty-list"}, - NoCache: true, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + Repo: &argoappv1.Repository{}, + ApplicationSource: &argoappv1.ApplicationSource{Path: "./testdata/empty-list"}, + NoCache: true, }) assert.Nil(t, err) assert.Equal(t, len(res1.Manifests), 1) 
@@ -1242,11 +1211,9 @@ func TestGenerateNullList(t *testing.T) { t.Run("weird list", func(t *testing.T) { res1, err := service.GenerateManifest(context.Background(), &apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: &argoappv1.ApplicationSource{Path: "./testdata/weird-list"}, - NoCache: true, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + Repo: &argoappv1.Repository{}, + ApplicationSource: &argoappv1.ApplicationSource{Path: "./testdata/weird-list"}, + NoCache: true, }) assert.Nil(t, err) assert.Len(t, res1.Manifests, 2) @@ -1269,10 +1236,8 @@ func TestIdentifyAppSourceTypeByAppDirWithKustomizations(t *testing.T) { func TestGenerateFromUTF16(t *testing.T) { q := apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: &argoappv1.ApplicationSource{}, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + Repo: &argoappv1.Repository{}, + ApplicationSource: &argoappv1.ApplicationSource{}, } res1, err := GenerateManifests(context.Background(), "./testdata/utf-16", "/", "", &q, false, &git.NoopCredsStore{}, resource.MustParse("0"), nil) assert.Nil(t, err) @@ -1451,11 +1416,9 @@ func TestGetSignatureVerificationResult(t *testing.T) { src := argoappv1.ApplicationSource{Path: "."} q := apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: &src, - VerifySignature: true, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + Repo: &argoappv1.Repository{}, + ApplicationSource: &src, + VerifySignature: true, } res, err := service.GenerateManifest(context.Background(), &q) 
@@ -1467,8 +1430,7 @@ func TestGetSignatureVerificationResult(t *testing.T) { service := newServiceWithSignature("../../manifests/base") src := argoappv1.ApplicationSource{Path: "."} - q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src} res, err := service.GenerateManifest(context.Background(), &q) assert.NoError(t, err) @@ -1479,8 +1441,7 @@ func TestGetSignatureVerificationResult(t *testing.T) { service := newService("../../manifests/base") src := argoappv1.ApplicationSource{Path: "."} - q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, VerifySignature: true, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, VerifySignature: true} res, err := service.GenerateManifest(context.Background(), &q) assert.NoError(t, err) @@ -1491,8 +1452,7 @@ func TestGetSignatureVerificationResult(t *testing.T) { service := newService("../../manifests/base") src := argoappv1.ApplicationSource{Path: "."} - q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, VerifySignature: true, ProjectName: "something", - ProjectSourceRepos: []string{"*"}} + q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, VerifySignature: true} res, err := service.GenerateManifest(context.Background(), &q) assert.NoError(t, err) 
@@ -1505,6 +1465,7 @@ func Test_newEnv(t *testing.T) { &argoappv1.EnvEntry{Name: "ARGOCD_APP_NAME", Value: "my-app-name"}, &argoappv1.EnvEntry{Name: "ARGOCD_APP_NAMESPACE", Value: "my-namespace"}, &argoappv1.EnvEntry{Name: "ARGOCD_APP_REVISION", Value: "my-revision"}, + &argoappv1.EnvEntry{Name: "ARGOCD_APP_REVISION_SHORT", Value: "my-revi"}, &argoappv1.EnvEntry{Name: "ARGOCD_APP_SOURCE_REPO_URL", Value: "https://github.com/my-org/my-repo"}, &argoappv1.EnvEntry{Name: "ARGOCD_APP_SOURCE_PATH", Value: "my-path"}, &argoappv1.EnvEntry{Name: "ARGOCD_APP_SOURCE_TARGET_REVISION", Value: "my-target-revision"}, @@ -1651,8 +1612,6 @@ func TestGenerateManifestsWithAppParameterFile(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ Path: path, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) require.NoError(t, err) resourceByKindName := make(map[string]*unstructured.Unstructured) @@ -1682,8 +1641,6 @@ func TestGenerateManifestsWithAppParameterFile(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ Path: path, }, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, }) require.NoError(t, err) resourceByKindName := make(map[string]*unstructured.Unstructured) @@ -1713,9 +1670,7 @@ func TestGenerateManifestsWithAppParameterFile(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ Path: path, }, - AppName: "testapp", - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + AppName: "testapp", }) require.NoError(t, err) resourceByKindName := make(map[string]*unstructured.Unstructured) @@ -1745,9 +1700,7 @@ func TestGenerateManifestsWithAppParameterFile(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ Path: path, }, - AppName: "testapp2", - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + AppName: "testapp2", }) require.NoError(t, err) resourceByKindName := make(map[string]*unstructured.Unstructured) 
@@ -1777,11 +1730,9 @@ func TestGenerateManifestsWithAppParameterFile(t *testing.T) { } sourceCopy := source.DeepCopy() // make a copy in case GenerateManifest mutates it. _, err := service.GenerateManifest(context.Background(), &apiclient.ManifestRequest{ - Repo: &argoappv1.Repository{}, - ApplicationSource: sourceCopy, - AppName: "test", - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + Repo: &argoappv1.Repository{}, + ApplicationSource: sourceCopy, + AppName: "test", }) assert.NoError(t, err) res := &cache.CachedManifestResponse{} @@ -1815,9 +1766,7 @@ func TestGenerateManifestWithAnnotatedAndRegularGitTagHashes(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ TargetRevision: regularGitTagHash, }, - NoCache: true, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + NoCache: true, }, wantError: false, service: newServiceWithCommitSHA(".", regularGitTagHash), @@ -1831,9 +1780,7 @@ func TestGenerateManifestWithAnnotatedAndRegularGitTagHashes(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ TargetRevision: annotatedGitTaghash, }, - NoCache: true, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + NoCache: true, }, wantError: false, service: newServiceWithCommitSHA(".", annotatedGitTaghash), @@ -1847,9 +1794,7 @@ func TestGenerateManifestWithAnnotatedAndRegularGitTagHashes(t *testing.T) { ApplicationSource: &argoappv1.ApplicationSource{ TargetRevision: invalidGitTaghash, }, - NoCache: true, - ProjectName: "something", - ProjectSourceRepos: []string{"*"}, + NoCache: true, }, wantError: true, service: newServiceWithCommitSHA(".", invalidGitTaghash), 
@@ -2665,7 +2610,7 @@ func TestGetHelmRepos_OCIDependencies(t *testing.T) { assert.Equal(t, len(helmRepos), 1) assert.Equal(t, helmRepos[0].Username, "test") assert.Equal(t, helmRepos[0].EnableOci, true) - assert.Equal(t, helmRepos[0].Repo, "example.com") + assert.Equal(t, helmRepos[0].Repo, "example.com/myrepo") } func TestGetHelmRepo_NamedRepos(t *testing.T) { diff --git a/reposerver/repository/testdata/invalid-metadata/bad.yaml b/reposerver/repository/testdata/invalid-metadata/bad.yaml new file mode 100644 index 0000000000000..83f48a40dc334 --- /dev/null +++ b/reposerver/repository/testdata/invalid-metadata/bad.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-map-annotation + annotations: + invalid: true +stringData: + foo: bar +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-map-label + labels: + invalid: true +stringData: + foo: bar diff --git a/reposerver/repository/testdata/nil-metadata-accessors/nil-metadata-accessors.yaml b/reposerver/repository/testdata/nil-metadata-accessors/nil-metadata-accessors.yaml new file mode 100644 index 0000000000000..53979de769c01 --- /dev/null +++ b/reposerver/repository/testdata/nil-metadata-accessors/nil-metadata-accessors.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-map + annotations: + labels: +stringData: + foo: bar diff --git a/reposerver/repository/testdata/oci-dependencies/Chart.yaml b/reposerver/repository/testdata/oci-dependencies/Chart.yaml index 3b39781ed6257..1674ae17c5516 100644 --- a/reposerver/repository/testdata/oci-dependencies/Chart.yaml +++ b/reposerver/repository/testdata/oci-dependencies/Chart.yaml @@ -2,5 +2,5 @@ name: my-chart version: 1.1.0 dependencies: - name: my-dependency - repository: oci://example.com + repository: oci://example.com/myrepo version: '*' \ No newline at end of file 
diff --git a/resource_customizations/argoproj.io/CronWorkflow/actions/action_test.yaml b/resource_customizations/argoproj.io/CronWorkflow/actions/action_test.yaml index 4c7aa77ff127a..7fce1c3b36cf6 100644 --- a/resource_customizations/argoproj.io/CronWorkflow/actions/action_test.yaml +++ b/resource_customizations/argoproj.io/CronWorkflow/actions/action_test.yaml @@ -2,3 +2,6 @@ actionTests: - action: create-workflow inputPath: testdata/cronworkflow.yaml expectedOutputPath: testdata/workflow.yaml +- action: create-workflow + inputPath: testdata/cronworkflow-without-label.yaml + expectedOutputPath: testdata/workflow-without-label.yaml diff --git a/resource_customizations/argoproj.io/CronWorkflow/actions/create-workflow/action.lua b/resource_customizations/argoproj.io/CronWorkflow/actions/create-workflow/action.lua index 35f7a66b80413..85470525b60b2 100644 --- a/resource_customizations/argoproj.io/CronWorkflow/actions/create-workflow/action.lua +++ b/resource_customizations/argoproj.io/CronWorkflow/actions/create-workflow/action.lua @@ -50,7 +50,7 @@ if (obj.spec.workflowMetadata ~= nil) then end end workflow.metadata.labels["workflows.argoproj.io/cron-workflow"] = obj.metadata.name -if (obj.metadata.labels["workflows.argoproj.io/controller-instanceid"] ~= nil) then +if (obj.metadata.labels ~= nil and obj.metadata.labels["workflows.argoproj.io/controller-instanceid"] ~= nil) then workflow.metadata.labels["workflows.argoproj.io/controller-instanceid"] = obj.metadata.labels["workflows.argoproj.io/controller-instanceid"] end workflow.metadata.annotations["workflows.argoproj.io/scheduled-time"] = os.date("!%Y-%m-%dT%d:%H:%MZ") diff --git a/resource_customizations/argoproj.io/CronWorkflow/actions/discovery.lua b/resource_customizations/argoproj.io/CronWorkflow/actions/discovery.lua index 5e16c6c1c14d8..717386b29a691 100644 --- a/resource_customizations/argoproj.io/CronWorkflow/actions/discovery.lua 
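Review bot: The last context line of the action.lua hunk builds the `workflows.argoproj.io/scheduled-time` annotation with `os.date("!%Y-%m-%dT%d:%H:%MZ")`, which puts the day of month where the hour belongs, and the hour and minute where the minute and second belong. If the annotation is meant to be an RFC 3339 UTC timestamp, as its shape suggests, the format should be `os.date("!%Y-%m-%dT%H:%M:%SZ")`. The commit only adds the nil guard on `obj.metadata.labels` and leaves this line as it was. The script begins and continues outside the hunk, so other uses of the timestamp could not be checked here.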
+++ b/resource_customizations/argoproj.io/CronWorkflow/actions/discovery.lua @@ -1,3 +1,6 @@ actions = {} -actions["create-workflow"] = {} +actions["create-workflow"] = { + ["iconClass"] = "fa fa-fw fa-play", + ["displayName"] = "Create Workflow" +} return actions \ No newline at end of file diff --git a/resource_customizations/argoproj.io/CronWorkflow/actions/testdata/cronworkflow-without-label.yaml b/resource_customizations/argoproj.io/CronWorkflow/actions/testdata/cronworkflow-without-label.yaml new file mode 100644 index 0000000000000..a9f9e2ed8d5c0 --- /dev/null +++ b/resource_customizations/argoproj.io/CronWorkflow/actions/testdata/cronworkflow-without-label.yaml @@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: CronWorkflow +metadata: + annotations: + cronworkflows.argoproj.io/last-used-schedule: CRON_TZ=America/Los_Angeles * * * * * + name: hello-world + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 4 + schedule: '* * * * *' + startingDeadlineSeconds: 0 + successfulJobsHistoryLimit: 4 + suspend: true + timezone: America/Los_Angeles + workflowSpec: + entrypoint: whalesay + templates: + - container: + args: + - "\U0001F553 hello world. Scheduled on: {{workflow.scheduledTime}}" + command: + - cowsay + image: 'docker/whalesay:latest' + name: whalesay + workflowMetadata: + labels: + example: test + annotations: + another-example: another-test + finalizers: [test-finalizer] diff --git a/resource_customizations/argoproj.io/CronWorkflow/actions/testdata/workflow-without-label.yaml b/resource_customizations/argoproj.io/CronWorkflow/actions/testdata/workflow-without-label.yaml new file mode 100644 index 0000000000000..1d20bc0d72a6a --- /dev/null +++ b/resource_customizations/argoproj.io/CronWorkflow/actions/testdata/workflow-without-label.yaml 
@@ -0,0 +1,26 @@ +- k8sOperation: create + unstructuredObj: + apiVersion: argoproj.io/v1alpha1 + kind: Workflow + metadata: + annotations: + another-example: another-test + labels: + example: test + name: hello-world-202306221736 + namespace: default + ownerReferences: + - apiVersion: argoproj.io/v1alpha1 + kind: CronWorkflow + name: hello-world + finalizers: [test-finalizer] + spec: + entrypoint: whalesay + templates: + - container: + args: + - "\U0001F553 hello world. Scheduled on: {{workflow.scheduledTime}}" + command: + - cowsay + image: 'docker/whalesay:latest' + name: whalesay diff --git a/resource_customizations/argoproj.io/WorkflowTemplate/actions/discovery.lua b/resource_customizations/argoproj.io/WorkflowTemplate/actions/discovery.lua index 5e16c6c1c14d8..717386b29a691 100644 --- a/resource_customizations/argoproj.io/WorkflowTemplate/actions/discovery.lua +++ b/resource_customizations/argoproj.io/WorkflowTemplate/actions/discovery.lua @@ -1,3 +1,6 @@ actions = {} -actions["create-workflow"] = {} +actions["create-workflow"] = { + ["iconClass"] = "fa fa-fw fa-play", + ["displayName"] = "Create Workflow" +} return actions \ No newline at end of file diff --git a/resource_customizations/batch/CronJob/actions/discovery.lua b/resource_customizations/batch/CronJob/actions/discovery.lua index f90293c1aa671..a8b0950181456 100644 --- a/resource_customizations/batch/CronJob/actions/discovery.lua +++ b/resource_customizations/batch/CronJob/actions/discovery.lua @@ -1,3 +1,6 @@ actions = {} -actions["create-job"] = {} +actions["create-job"] = { + ["iconClass"] = "fa fa-fw fa-play", + ["displayName"] = "Create Job" +} return actions \ No newline at end of file diff --git a/server/application/application.go b/server/application/application.go index 0a82be5f2f35c..a0323cde5bccc 100644 --- a/server/application/application.go +++ b/server/application/application.go 
@@ -50,7 +50,6 @@ import ( "github.com/argoproj/argo-cd/v2/util/db" "github.com/argoproj/argo-cd/v2/util/env" "github.com/argoproj/argo-cd/v2/util/git" - "github.com/argoproj/argo-cd/v2/util/glob" ioutil "github.com/argoproj/argo-cd/v2/util/io" "github.com/argoproj/argo-cd/v2/util/lua" "github.com/argoproj/argo-cd/v2/util/manifeststream" 
@@ -141,42 +140,88 @@ func NewServer( // getAppEnforceRBAC gets the Application with the given name in the given namespace. If no namespace is // specified, the Application is fetched from the default namespace (the one in which the API server is running). // -// If the Application does not exist, then we have no way of determining if the user would have had access to get that -// Application. Verifying access requires knowing the Application's name, namespace, and project. The user may specify, -// at minimum, the Application name. +// If the user does not provide a "project," then we have to be very careful how we respond. If an app with the given +// name exists, and the user has access to that app in the app's project, we return the app. If the app exists but the +// user does not have access, we return "permission denied." If the app does not exist, we return "permission denied" - +// if we responded with a 404, then the user could infer that the app exists when they get "permission denied." // -// So to prevent a malicious user from inferring the existence or absense of the Application or namespace, we respond -// "permission denied" if the Application does not exist. -func (s *Server) getAppEnforceRBAC(ctx context.Context, action, namespace, name string, getApp func() (*appv1.Application, error)) (*appv1.Application, error) { +// If the user does provide a "project," we can respond more specifically. If the user does not have access to the given +// app name in the given project, we return "permission denied." If the app exists, but the project is different from +func (s *Server) getAppEnforceRBAC(ctx context.Context, action, project, namespace, name string, getApp func() (*appv1.Application, error)) (*appv1.Application, error) { logCtx := log.WithFields(map[string]interface{}{ "application": name, "namespace": namespace, }) + if project != "" { + // The user has provided everything we need to perform an initial RBAC check. 
+ givenRBACName := security.RBACName(s.ns, project, namespace, name) + if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, action, givenRBACName); err != nil { + logCtx.WithFields(map[string]interface{}{ + "project": project, + argocommon.SecurityField: argocommon.SecurityMedium, + }).Warnf("user tried to %s application which they do not have access to: %s", action, err) + // Do a GET on the app. This ensures that the timing of a "no access" response is the same as a "yes access, + // but the app is in a different project" response. We don't want the user inferring the existence of the + // app from response time. + _, _ = getApp() + return nil, permissionDeniedErr + } + } a, err := getApp() if err != nil { if apierr.IsNotFound(err) { + if project != "" { + // We know that the user was allowed to get the Application, but the Application does not exist. Return 404. + return nil, status.Errorf(codes.NotFound, apierr.NewNotFound(schema.GroupResource{Group: "argoproj.io", Resource: "applications"}, name).Error()) + } + // We don't know if the user was allowed to get the Application, and we don't want to leak information about + // the Application's existence. Return 403. logCtx.Warn("application does not exist") return nil, permissionDeniedErr } logCtx.Errorf("failed to get application: %s", err) return nil, permissionDeniedErr } + // Even if we performed an initial RBAC check (because the request was fully parameterized), we still need to + // perform a second RBAC check to ensure that the user has access to the actual Application's project (not just the + // project they specified in the request). 
if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, action, a.RBACName(s.ns)); err != nil { logCtx.WithFields(map[string]interface{}{ "project": a.Spec.Project, argocommon.SecurityField: argocommon.SecurityMedium, }).Warnf("user tried to %s application which they do not have access to: %s", action, err) + if project != "" { + // The user specified a project. We would have returned a 404 if the user had access to the app, but the app + // did not exist. So we have to return a 404 when the app does exist, but the user does not have access. + // Otherwise, they could infer that the app exists based on the error code. + return nil, status.Errorf(codes.NotFound, apierr.NewNotFound(schema.GroupResource{Group: "argoproj.io", Resource: "applications"}, name).Error()) + } + // The user didn't specify a project. We always return permission denied for both lack of access and lack of + // existence. return nil, permissionDeniedErr } + effectiveProject := "default" + if a.Spec.Project != "" { + effectiveProject = a.Spec.Project + } + if project != "" && effectiveProject != project { + logCtx.WithFields(map[string]interface{}{ + "project": a.Spec.Project, + argocommon.SecurityField: argocommon.SecurityMedium, + }).Warnf("user tried to %s application in project %s, but the application is in project %s", action, project, effectiveProject) + // The user has access to the app, but the app is in a different project. Return 404, meaning "app doesn't + // exist in that project". + return nil, status.Errorf(codes.NotFound, apierr.NewNotFound(schema.GroupResource{Group: "argoproj.io", Resource: "applications"}, name).Error()) + } return a, nil } // getApplicationEnforceRBACInformer uses an informer to get an Application. If the app does not exist, permission is // denied, or any other error occurs when getting the app, we return a permission denied error to obscure any sensitive // information. 
-func (s *Server) getApplicationEnforceRBACInformer(ctx context.Context, action, namespace, name string) (*appv1.Application, error) { +func (s *Server) getApplicationEnforceRBACInformer(ctx context.Context, action, project, namespace, name string) (*appv1.Application, error) { namespaceOrDefault := s.appNamespaceOrDefault(namespace) - return s.getAppEnforceRBAC(ctx, action, namespaceOrDefault, name, func() (*appv1.Application, error) { + return s.getAppEnforceRBAC(ctx, action, project, namespaceOrDefault, name, func() (*appv1.Application, error) { return s.appLister.Applications(namespaceOrDefault).Get(name) }) } @@ -184,9 +229,9 @@ func (s *Server) getApplicationEnforceRBACInformer(ctx context.Context, action, // getApplicationEnforceRBACClient uses a client to get an Application. If the app does not exist, permission is denied, // or any other error occurs when getting the app, we return a permission denied error to obscure any sensitive // information. -func (s *Server) getApplicationEnforceRBACClient(ctx context.Context, action, namespace, name, resourceVersion string) (*appv1.Application, error) { +func (s *Server) getApplicationEnforceRBACClient(ctx context.Context, action, project, namespace, name, resourceVersion string) (*appv1.Application, error) { namespaceOrDefault := s.appNamespaceOrDefault(namespace) - return s.getAppEnforceRBAC(ctx, action, namespaceOrDefault, name, func() (*appv1.Application, error) { + return s.getAppEnforceRBAC(ctx, action, project, namespaceOrDefault, name, func() (*appv1.Application, error) { return s.appclientset.ArgoprojV1alpha1().Applications(namespaceOrDefault).Get(ctx, name, metav1.GetOptions{ ResourceVersion: resourceVersion, }) 
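Review bot: The three new `status.Errorf(codes.NotFound, apierr.NewNotFound(...).Error())` returns in getAppEnforceRBAC use a message built from the request-supplied `name` as the format string, so a `%` in the name is read as a formatting verb and garbles the error. `status.Error(codes.NotFound, apierr.NewNotFound(schema.GroupResource{Group: "argoproj.io", Resource: "applications"}, name).Error())` avoids that. The rewritten doc comment also stops mid-sentence at "but the project is different from", which leaves the 404-on-project-mismatch rule undocumented in the place that describes the existence-hiding contract. It could be finished with `// the one given, we return "not found", the same response as for an app that does not exist.` The `effectiveProject` fallback to "default" appears to duplicate `a.Spec.GetProject()`, which this file already calls elsewhere.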
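Review bot: The doc comment on getApplicationEnforceRBACClient, and the one on getApplicationEnforceRBACInformer in the preceding hunk, still promise a permission denied error for a missing app, a denied request or any other failure. With the new `project` argument, getAppEnforceRBAC returns NotFound in several of those cases, so a caller reading only the wrapper comment will expect 403 everywhere. I would reword both along the lines of `// If project is empty, every failure is reported as permission denied; if project is set, a missing app or a project mismatch is reported as not found.`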
@@ -225,7 +270,7 @@ func (s *Server) List(ctx context.Context, q *application.ApplicationQuery) (*ap for _, a := range filteredApps { // Skip any application that is neither in the control plane's namespace // nor in the list of enabled namespaces. - if a.Namespace != s.ns && !glob.MatchStringInList(s.enabledNamespaces, a.Namespace, false) { + if !s.isNamespaceEnabled(a.Namespace) { continue } if s.enf.Enforce(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)) { @@ -380,7 +425,7 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan if q.Name == nil || *q.Name == "" { return nil, fmt.Errorf("invalid request: application name is missing") } - a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName()) + a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName()) if err != nil { return nil, err } @@ -418,11 +463,6 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan return fmt.Errorf("error getting API resources: %w", err) } - proj, err := argo.GetAppProject(a, applisters.NewAppProjectLister(s.projInformer.GetIndexer()), s.ns, s.settingsMgr, s.db, ctx) - if err != nil { - return fmt.Errorf("error getting app project: %w", err) - } - manifestInfo, err = client.GenerateManifest(ctx, &apiclient.ManifestRequest{ Repo: repo, Revision: revision, @@ -438,8 +478,6 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan HelmOptions: helmOptions, TrackingMethod: string(argoutil.GetTrackingMethod(s.settingsMgr)), EnabledSourceTypes: enableGenerateManifests, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, }) if err != nil { return fmt.Errorf("error generating manifests: %w", err) 
@@ -485,7 +523,7 @@ func (s *Server) GetManifestsWithFiles(stream application.ApplicationService_Get return fmt.Errorf("invalid request: application name is missing") } - a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, query.GetAppNamespace(), query.GetName()) + a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, query.GetProject(), query.GetAppNamespace(), query.GetName()) if err != nil { return err } @@ -515,12 +553,6 @@ func (s *Server) GetManifestsWithFiles(stream application.ApplicationService_Get } source := a.Spec.GetSource() - - proj, err := argo.GetAppProject(a, applisters.NewAppProjectLister(s.projInformer.GetIndexer()), s.ns, s.settingsMgr, s.db, ctx) - if err != nil { - return fmt.Errorf("error getting app project: %w", err) - } - req := &apiclient.ManifestRequest{ Repo: repo, Revision: source.TargetRevision, @@ -536,8 +568,6 @@ func (s *Server) GetManifestsWithFiles(stream application.ApplicationService_Get HelmOptions: helmOptions, TrackingMethod: string(argoutil.GetTrackingMethod(s.settingsMgr)), EnabledSourceTypes: enableGenerateManifests, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, } repoStreamClient, err := client.GenerateManifestWithFiles(stream.Context()) 
@@ -591,10 +621,17 @@ func (s *Server) Get(ctx context.Context, q *application.ApplicationQuery) (*app appName := q.GetName() appNs := s.appNamespaceOrDefault(q.GetAppNamespace()) + project := "" + projects := getProjectsFromApplicationQuery(*q) + if len(projects) == 1 { + project = projects[0] + } else if len(projects) > 1 { + return nil, status.Errorf(codes.InvalidArgument, "multiple projects specified - the get endpoint accepts either zero or one project") + } // We must use a client Get instead of an informer Get, because it's common to call Get immediately // following a Watch (which is not yet powered by an informer), and the Get must reflect what was // previously seen by the client. - a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, appNs, appName, q.GetResourceVersion()) + a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, project, appNs, appName, q.GetResourceVersion()) if err != nil { return nil, err } @@ -677,7 +714,7 @@ func (s *Server) Get(ctx context.Context, q *application.ApplicationQuery) (*app // ListResourceEvents returns a list of event resources func (s *Server) ListResourceEvents(ctx context.Context, q *application.ApplicationResourceEventsQuery) (*v1.EventList, error) { - a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName()) + a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName()) if err != nil { return nil, err } 
@@ -739,11 +776,13 @@ func (s *Server) ListResourceEvents(ctx context.Context, q *application.Applicat return list, nil } -func (s *Server) validateAndUpdateApp(ctx context.Context, newApp *appv1.Application, merge bool, validate bool, action string) (*appv1.Application, error) { +// validateAndUpdateApp validates and updates the application. currentProject is the name of the project the app +// currently is under. If not specified, we assume that the app is under the project specified in the app spec. +func (s *Server) validateAndUpdateApp(ctx context.Context, newApp *appv1.Application, merge bool, validate bool, action string, currentProject string) (*appv1.Application, error) { s.projectLock.RLock(newApp.Spec.GetProject()) defer s.projectLock.RUnlock(newApp.Spec.GetProject()) - app, err := s.getApplicationEnforceRBACClient(ctx, action, newApp.Namespace, newApp.Name, "") + app, err := s.getApplicationEnforceRBACClient(ctx, action, currentProject, newApp.Namespace, newApp.Name, "") if err != nil { return nil, err } @@ -841,7 +880,7 @@ func (s *Server) updateApp(app *appv1.Application, newApp *appv1.Application, ct // Update updates an application func (s *Server) Update(ctx context.Context, q *application.ApplicationUpdateRequest) (*appv1.Application, error) { if q.GetApplication() == nil { - return nil, fmt.Errorf("error creating application: application is nil in request") + return nil, fmt.Errorf("error updating application: application is nil in request") } a := q.GetApplication() if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionUpdate, a.RBACName(s.ns)); err != nil { 
@@ -852,7 +891,7 @@ func (s *Server) Update(ctx context.Context, q *application.ApplicationUpdateReq if q.Validate != nil { validate = *q.Validate } - return s.validateAndUpdateApp(ctx, q.Application, false, validate, rbacpolicy.ActionUpdate) + return s.validateAndUpdateApp(ctx, q.Application, false, validate, rbacpolicy.ActionUpdate, q.GetProject()) } // UpdateSpec updates an application spec and filters out any invalid parameter overrides @@ -860,7 +899,7 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat if q.GetSpec() == nil { return nil, fmt.Errorf("error updating application spec: spec is nil in request") } - a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionUpdate, q.GetAppNamespace(), q.GetName(), "") + a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionUpdate, q.GetProject(), q.GetAppNamespace(), q.GetName(), "") if err != nil { return nil, err } @@ -870,7 +909,7 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat if q.Validate != nil { validate = *q.Validate } - a, err = s.validateAndUpdateApp(ctx, a, false, validate, rbacpolicy.ActionUpdate) + a, err = s.validateAndUpdateApp(ctx, a, false, validate, rbacpolicy.ActionUpdate, q.GetProject()) if err != nil { return nil, fmt.Errorf("error validating and updating app: %w", err) } @@ -879,7 +918,7 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat // Patch patches an application func (s *Server) Patch(ctx context.Context, q *application.ApplicationPatchRequest) (*appv1.Application, error) { - app, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName(), "") + app, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName(), "") if err != nil { return nil, err } 
@@ -919,14 +958,14 @@ func (s *Server) Patch(ctx context.Context, q *application.ApplicationPatchReque if err != nil { return nil, fmt.Errorf("error unmarshaling patched app: %w", err) } - return s.validateAndUpdateApp(ctx, newApp, false, true, rbacpolicy.ActionUpdate) + return s.validateAndUpdateApp(ctx, newApp, false, true, rbacpolicy.ActionUpdate, q.GetProject()) } // Delete removes an application and all associated resources func (s *Server) Delete(ctx context.Context, q *application.ApplicationDeleteRequest) (*application.ApplicationResponse, error) { appName := q.GetName() appNs := s.appNamespaceOrDefault(q.GetAppNamespace()) - a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, appNs, appName, "") + a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetProject(), appNs, appName, "") if err != nil { return nil, err } 
@@ -986,6 +1025,31 @@ func (s *Server) Delete(ctx context.Context, q *application.ApplicationDeleteReq return &application.ApplicationResponse{}, nil } +func (s *Server) isApplicationPermitted(selector labels.Selector, minVersion int, claims any, appName, appNs string, projects map[string]bool, a appv1.Application) bool { + if len(projects) > 0 && !projects[a.Spec.GetProject()] { + return false + } + + if appVersion, err := strconv.Atoi(a.ResourceVersion); err == nil && appVersion < minVersion { + return false + } + matchedEvent := (appName == "" || (a.Name == appName && a.Namespace == appNs)) && selector.Matches(labels.Set(a.Labels)) + if !matchedEvent { + return false + } + + if !s.isNamespaceEnabled(a.Namespace) { + return false + } + + if !s.enf.Enforce(claims, rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)) { + // do not emit apps user does not have accessing + return false + } + + return true +} + func (s *Server) Watch(q *application.ApplicationQuery, ws application.ApplicationService_WatchServer) error { appName := q.GetName() appNs := s.appNamespaceOrDefault(q.GetAppNamespace()) 
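Review bot: isApplicationPermitted is the filter that Watch's sendIfPermitted now relies on to decide which applications are streamed to a caller, yet it has no doc comment, and its one inline comment reads "do not emit apps user does not have accessing". A header such as `// isApplicationPermitted reports whether a passes the project, resource-version, name/label and enabled-namespace filters and the caller's RBAC get check.` would record that every condition must hold. The inline comment should read `// do not emit apps the user does not have access to`. The comment should also say that the minimum-version filter is skipped when `strconv.Atoi` cannot parse ResourceVersion, since that fall-through is easy to miss.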
@@ -1012,20 +1076,8 @@ func (s *Server) Watch(q *application.ApplicationQuery, ws application.Applicati // sendIfPermitted is a helper to send the application to the client's streaming channel if the // caller has RBAC privileges permissions to view it sendIfPermitted := func(a appv1.Application, eventType watch.EventType) { - if len(projects) > 0 && !projects[a.Spec.GetProject()] { - return - } - - if appVersion, err := strconv.Atoi(a.ResourceVersion); err == nil && appVersion < minVersion { - return - } - matchedEvent := (appName == "" || (a.Name == appName && a.Namespace == appNs)) && selector.Matches(labels.Set(a.Labels)) - if !matchedEvent { - return - } - - if !s.enf.Enforce(claims, rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)) { - // do not emit apps user does not have accessing + permitted := s.isApplicationPermitted(selector, minVersion, claims, appName, appNs, projects, a) + if !permitted { return } s.inferResourcesStatusHealth(&a) @@ -1108,7 +1160,6 @@ func (s *Server) validateAndNormalizeApp(ctx context.Context, app *appv1.Applica } var conditions []appv1.ApplicationCondition - if validate { conditions := make([]appv1.ApplicationCondition, 0) condition, err := argo.ValidateRepo(ctx, app, s.repoClientset, s.db, s.kubectl, proj, s.settingsMgr) @@ -1181,7 +1232,7 @@ func (s *Server) getAppResources(ctx context.Context, a *appv1.Application) (*ap } func (s *Server) getAppLiveResource(ctx context.Context, action string, q *application.ApplicationResourceRequest) (*appv1.ResourceNode, *rest.Config, *appv1.Application, error) { - a, err := s.getApplicationEnforceRBACInformer(ctx, action, q.GetAppNamespace(), q.GetName()) + a, err := s.getApplicationEnforceRBACInformer(ctx, action, q.GetProject(), q.GetAppNamespace(), q.GetName()) if err != nil { return nil, nil, nil, err } 
@@ -1248,6 +1299,7 @@ func (s *Server) PatchResource(ctx context.Context, q *application.ApplicationRe Kind: q.Kind, Version: q.Version, Group: q.Group, + Project: q.Project, } res, config, a, err := s.getAppLiveResource(ctx, rbacpolicy.ActionUpdate, resourceRequest) if err != nil { @@ -1290,6 +1342,7 @@ func (s *Server) DeleteResource(ctx context.Context, q *application.ApplicationR Kind: q.Kind, Version: q.Version, Group: q.Group, + Project: q.Project, } res, config, a, err := s.getAppLiveResource(ctx, rbacpolicy.ActionDelete, resourceRequest) if err != nil { @@ -1316,7 +1369,7 @@ func (s *Server) DeleteResource(ctx context.Context, q *application.ApplicationR } func (s *Server) ResourceTree(ctx context.Context, q *application.ResourcesQuery) (*appv1.ApplicationTree, error) { - a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetApplicationName()) + a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetApplicationName()) if err != nil { return nil, err } @@ -1325,7 +1378,7 @@ func (s *Server) ResourceTree(ctx context.Context, q *application.ResourcesQuery } func (s *Server) WatchResourceTree(q *application.ResourcesQuery, ws application.ApplicationService_WatchResourceTreeServer) error { - _, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetApplicationName()) + _, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetApplicationName()) if err != nil { return err } 
@@ -1341,7 +1394,7 @@ func (s *Server) WatchResourceTree(q *application.ResourcesQuery, ws application } func (s *Server) RevisionMetadata(ctx context.Context, q *application.RevisionMetadataQuery) (*appv1.RevisionMetadata, error) { - a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName()) + a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName()) if err != nil { return nil, err } @@ -1371,17 +1424,12 @@ func (s *Server) RevisionMetadata(ctx context.Context, q *application.RevisionMe // RevisionChartDetails returns the helm chart metadata, as fetched from the reposerver func (s *Server) RevisionChartDetails(ctx context.Context, q *application.RevisionMetadataQuery) (*appv1.ChartDetails, error) { - appName := q.GetName() - appNs := s.appNamespaceOrDefault(q.GetAppNamespace()) - a, err := s.appLister.Applications(appNs).Get(appName) + a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName()) if err != nil { - return nil, fmt.Errorf("error getting app by name: %w", err) - } - if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil { - return nil, fmt.Errorf("error enforcing claims: %w", err) + return nil, err } if a.Spec.Source.Chart == "" { - return nil, fmt.Errorf("no chart found for application: %v", appName) + return nil, fmt.Errorf("no chart found for application: %v", a.QualifiedName()) } repo, err := s.db.GetRepository(ctx, a.Spec.Source.RepoURL) if err != nil { 
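Review bot: `a.Spec.Source.Chart` and `a.Spec.Source.RepoURL` in RevisionChartDetails dereference `Spec.Source` directly, whereas GetManifestsWithFiles in this same file reads the source through `a.Spec.GetSource()`. If `Source` is a pointer that can be nil (for example on an application defined only through multiple sources, which this hunk cannot confirm), the handler would panic on such an app once the RBAC check has passed. Reading it once with `source := a.Spec.GetSource()` and using `source.Chart` and `source.RepoURL` would match the other handler. The function continues past the end of the hunk.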
@@ -1407,7 +1455,7 @@ func isMatchingResource(q *application.ResourcesQuery, key kube.ResourceKey) boo
 }
 func (s *Server) ManagedResources(ctx context.Context, q *application.ResourcesQuery) (*application.ManagedResourcesResponse, error) {
- a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetApplicationName())
+ a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetApplicationName())
 if err != nil {
 return nil, err
 }
@@ -1422,7 +1470,7 @@ func (s *Server) ManagedResources(ctx context.Context, q *application.ResourcesQ
 res := &application.ManagedResourcesResponse{}
 for i := range items {
 item := items[i]
- if isMatchingResource(q, kube.ResourceKey{Name: item.Name, Namespace: item.Namespace, Kind: item.Kind, Group: item.Group}) {
+ if !item.Hook && isMatchingResource(q, kube.ResourceKey{Name: item.Name, Namespace: item.Namespace, Kind: item.Kind, Group: item.Group}) {
 res.Items = append(res.Items, item)
 }
 }
@@ -1464,7 +1512,7 @@ func (s *Server) PodLogs(q *application.ApplicationPodLogsQuery, ws application.
 }
 }
- a, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName())
+ a, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName())
 if err != nil {
 return err
 }
@@ -1656,7 +1704,7 @@ func isTheSelectedOne(currentNode *appv1.ResourceNode, q *application.Applicatio
 // Sync syncs an application to its target state
 func (s *Server) Sync(ctx context.Context, syncReq *application.ApplicationSyncRequest) (*appv1.Application, error) {
- a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, syncReq.GetAppNamespace(), syncReq.GetName(), "")
+ a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, syncReq.GetProject(), syncReq.GetAppNamespace(), syncReq.GetName(), "")
 if err != nil {
 return nil, err
 }
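Review bot: The new `!item.Hook &&` condition in the `ManagedResources` loop changes what the endpoint returns, because hook items are now dropped before `isMatchingResource` is consulted, yet the line carries no comment and the change is unrelated to the `project` plumbing in the rest of this file. A one-line comment above the `if`, such as `// hook resources are not reported as managed resources`, would record the intent. If no test elsewhere in the commit covers it, a case with a hook item in `items` would pin the new behaviour. The function starts before this hunk and continues after it.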
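Review bot: `Sync` loads the application with `rbacpolicy.ActionGet`, while `Rollback` and `TerminateOperation` in the following hunks pass `rbacpolicy.ActionSync` to the same helper, and nothing on the changed line explains the difference. If the sync permission is enforced further down in the body, which lies outside this hunk, a short comment on this call such as `// only "get" is checked here; the sync permission is enforced later in this function` would keep a reader from taking it for a missing authorization check.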
@@ -1765,7 +1813,7 @@ func (s *Server) Sync(ctx context.Context, syncReq *application.ApplicationSyncR
 }
 func (s *Server) Rollback(ctx context.Context, rollbackReq *application.ApplicationRollbackRequest) (*appv1.Application, error) {
- a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionSync, rollbackReq.GetAppNamespace(), rollbackReq.GetName(), "")
+ a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionSync, rollbackReq.GetProject(), rollbackReq.GetAppNamespace(), rollbackReq.GetName(), "")
 if err != nil {
 return nil, err
 }
@@ -1824,7 +1872,7 @@ func (s *Server) Rollback(ctx context.Context, rollbackReq *application.Applicat
 }
 func (s *Server) ListLinks(ctx context.Context, req *application.ListAppLinksRequest) (*application.LinksResponse, error) {
- a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, req.GetNamespace(), req.GetName(), "")
+ a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, req.GetProject(), req.GetNamespace(), req.GetName(), "")
 if err != nil {
 return nil, err
 }
@@ -1978,7 +2026,7 @@ func (s *Server) resolveRevision(ctx context.Context, app *appv1.Application, sy
 func (s *Server) TerminateOperation(ctx context.Context, termOpReq *application.OperationTerminateRequest) (*application.OperationTerminateResponse, error) {
 appName := termOpReq.GetName()
 appNs := s.appNamespaceOrDefault(termOpReq.GetAppNamespace())
- a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionSync, appNs, appName, "")
+ a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionSync, termOpReq.GetProject(), appNs, appName, "")
 if err != nil {
 return nil, err
 }
@@ -2051,7 +2099,7 @@ func (s *Server) ListResourceActions(ctx context.Context, q *application.Applica
 func (s *Server) getUnstructuredLiveResourceOrApp(ctx context.Context, rbacRequest string, q *application.ApplicationResourceRequest) (obj *unstructured.Unstructured, res *appv1.ResourceNode, app *appv1.Application, config *rest.Config, err error) {
 if q.GetKind() == applicationType.ApplicationKind && q.GetGroup() == applicationType.Group && q.GetName() == q.GetResourceName() {
- app, err = s.getApplicationEnforceRBACInformer(ctx, rbacRequest, q.GetAppNamespace(), q.GetName())
+ app, err = s.getApplicationEnforceRBACInformer(ctx, rbacRequest, q.GetProject(), q.GetAppNamespace(), q.GetName())
 if err != nil {
 return nil, nil, nil, nil, err
 }
@@ -2106,6 +2154,7 @@ func (s *Server) RunResourceAction(ctx context.Context, q *application.ResourceA
 Kind: q.Kind,
 Version: q.Version,
 Group: q.Group,
+ Project: q.Project,
 }
 actionRequest := fmt.Sprintf("%s/%s/%s/%s", rbacpolicy.ActionAction, q.GetGroup(), q.GetKind(), q.GetAction())
 liveObj, res, a, config, err := s.getUnstructuredLiveResourceOrApp(ctx, actionRequest, resourceRequest)
@@ -2314,7 +2363,7 @@ func splitStatusPatch(patch []byte) ([]byte, []byte, error) {
 }
 func (s *Server) GetApplicationSyncWindows(ctx context.Context, q *application.ApplicationSyncWindowsQuery) (*application.ApplicationSyncWindowsResponse, error) {
- a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName(), "")
+ a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetProject(), q.GetAppNamespace(), q.GetName(), "")
 if err != nil {
 return nil, err
 }
diff --git a/server/application/application.proto b/server/application/application.proto
index 7cb268d7d2a7d..53f161795902d 100644
--- a/server/application/application.proto
+++ b/server/application/application.proto
@@ -13,7 +13,11 @@ import "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1/generated.p
 import "github.com/argoproj/argo-cd/v2/reposerver/repository/repository.proto";
-// ApplicationQuery is a query for application resources
+// ApplicationQuery is a query for application resources. When getting multiple applications, the "projects" field acts
+// as a filter. When getting a single application, you may specify either zero or one project. If you specify zero
+// projects, the application will be returned regardless of which project it belongs to (assuming you have access). If
+// you specify one project, the application will only be returned if it exists and belongs to the specified project.
+// Otherwise you will receive a 404.
 message ApplicationQuery {
 // the application's name
 optional string name = 1;
@@ -46,6 +50,7 @@ message RevisionMetadataQuery{
 required string revision = 2;
 // the application's namespace
 optional string appNamespace = 3;
+ optional string project = 4;
 }
 // ApplicationEventsQuery is a query for application resource events
@@ -55,6 +60,7 @@ message ApplicationResourceEventsQuery {
 optional string resourceName = 3;
 optional string resourceUID = 4;
 optional string appNamespace = 5;
+ optional string project = 6;
 }
 // ManifestQuery is a query for manifest resources
@@ -62,6 +68,7 @@ message ApplicationManifestQuery {
 required string name = 1;
 optional string revision = 2;
 optional string appNamespace = 3;
+ optional string project = 4;
 }
 message FileChunk {
@@ -72,6 +79,7 @@ message ApplicationManifestQueryWithFiles {
 required string name = 1;
 required string checksum = 2;
 optional string appNamespace = 3;
+ optional string project = 4;
 }
 message ApplicationManifestQueryWithFilesWrapper {
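Review bot: The new `ApplicationQuery` comment does not say what a caller receives when a project is given but the caller has no access to it: "Otherwise you will receive a 404" reads as if every caller gets NotFound, whereas the zero-project case is qualified with "assuming you have access". Because the difference between NotFound and a permission error is exactly what reveals whether an application exists, the rule should be stated explicitly, for example `// A 404 is only returned to callers who are allowed to get applications in the specified project; other callers receive a permission error.` That wording assumes the server helper behaves this way, which is not visible in this hunk, so it should be confirmed against the implementation.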
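Review bot: The added `optional string project = 4;` in `RevisionMetadataQuery` has no field comment although the neighbouring `appNamespace` field is documented with `// the application's namespace`, and the `project` fields added to the other messages in this file are equally undocumented. A comment such as `// the application's project; when set, the application must belong to it` on each field would make the request messages self-describing. For `ApplicationUpdateRequest` the comment should also say how this field relates to the project set inside the embedded `application`, since two sources for the same value can disagree.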
@@ -92,6 +100,7 @@ message ApplicationCreateRequest {
 message ApplicationUpdateRequest {
 required github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.Application application = 1;
 optional bool validate = 2;
+ optional string project = 3;
 }
 message ApplicationDeleteRequest {
@@ -99,6 +108,7 @@ message ApplicationDeleteRequest {
 optional bool cascade = 2;
 optional string propagationPolicy = 3;
 optional string appNamespace = 4;
+ optional string project = 5;
 }
 message SyncOptions {
@@ -118,6 +128,7 @@ message ApplicationSyncRequest {
 optional github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.RetryStrategy retryStrategy = 10;
 optional SyncOptions syncOptions = 11;
 optional string appNamespace = 12;
+ optional string project = 13;
 }
 // ApplicationUpdateSpecRequest is a request to update application spec
@@ -126,6 +137,7 @@ message ApplicationUpdateSpecRequest {
 required github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.ApplicationSpec spec = 2;
 optional bool validate = 3;
 optional string appNamespace = 4;
+ optional string project = 5;
 }
 // ApplicationPatchRequest is a request to patch an application
@@ -134,6 +146,7 @@ message ApplicationPatchRequest {
 required string patch = 2;
 required string patchType = 3;
 optional string appNamespace = 5;
+ optional string project = 6;
 }
 message ApplicationRollbackRequest {
@@ -142,6 +155,7 @@ message ApplicationRollbackRequest {
 optional bool dryRun = 3;
 optional bool prune = 4;
 optional string appNamespace = 6;
+ optional string project = 7;
 }
 message ApplicationResourceRequest {
@@ -152,6 +166,7 @@ message ApplicationResourceRequest {
 optional string group = 5;
 required string kind = 6;
 optional string appNamespace = 7;
+ optional string project = 8;
 }
 message ApplicationResourcePatchRequest {
@@ -164,6 +179,7 @@ message ApplicationResourcePatchRequest {
 required string patch = 7;
 required string patchType = 8;
 optional string appNamespace = 9;
+ optional string project = 10;
 }
 message ApplicationResourceDeleteRequest {
@@ -176,6 +192,7 @@ message ApplicationResourceDeleteRequest {
 optional bool force = 7;
 optional bool orphan = 8;
 optional string appNamespace = 9;
+ optional string project = 10;
 }
 message ResourceActionRunRequest {
@@ -187,6 +204,7 @@ message ResourceActionRunRequest {
 required string kind = 6;
 required string action = 7;
 optional string appNamespace = 8;
+ optional string project = 9;
 }
 message ResourceActionsListResponse {
@@ -213,6 +231,7 @@ message ApplicationPodLogsQuery {
 optional string resourceName = 13 ;
 optional bool previous = 14;
 optional string appNamespace = 15;
+ optional string project = 16;
 }
 message LogEntry {
@@ -227,11 +246,13 @@ message LogEntry {
 message OperationTerminateRequest {
 required string name = 1;
 optional string appNamespace = 2;
+ optional string project = 3;
 }
 message ApplicationSyncWindowsQuery {
 required string name = 1;
 optional string appNamespace = 2;
+ optional string project = 3;
 }
 message ApplicationSyncWindowsResponse {
@@ -260,6 +281,7 @@ message ResourcesQuery {
 optional string group = 5;
 optional string kind = 6;
 optional string appNamespace = 7;
+ optional string project = 8;
 }
 message ManagedResourcesResponse {
@@ -280,6 +302,7 @@ message LinksResponse {
 message ListAppLinksRequest {
 required string name = 1;
 optional string namespace = 3;
+ optional string project = 4;
 }
diff --git a/server/application/application_test.go b/server/application/application_test.go
index 2dcefc121dfca..57b740a6f1ea4 100644
--- a/server/application/application_test.go
+++ b/server/application/application_test.go
@@ -10,6 +10,8 @@ import ( "testing" "time" + "k8s.io/apimachinery/pkg/labels" + "github.com/argoproj/gitops-engine/pkg/health" synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" "github.com/argoproj/gitops-engine/pkg/utils/kube" @@ -88,14 +90,14 @@ func fakeAppList() *apiclient.AppList { } } -func fakeResolveRevesionResponse() *apiclient.ResolveRevisionResponse { +func fakeResolveRevisionResponse() *apiclient.ResolveRevisionResponse { return &apiclient.ResolveRevisionResponse{ Revision: "f9ba9e98119bf8c1176fbd65dbae26a71d044add", AmbiguousRevision: "HEAD (f9ba9e98119bf8c1176fbd65dbae26a71d044add)", } } -func fakeResolveRevesionResponseHelm() *apiclient.ResolveRevisionResponse { +func fakeResolveRevisionResponseHelm() *apiclient.ResolveRevisionResponse { return &apiclient.ResolveRevisionResponse{ Revision: "0.7.*", AmbiguousRevision: "0.7.* (0.7.2)", @@ -113,11 +115,12 @@ func fakeRepoServerClient(isHelm bool) *mocks.RepoServerServiceClient { mockWithFilesClient.On("Send", mock.Anything).Return(nil) mockWithFilesClient.On("CloseAndRecv").Return(&apiclient.ManifestResponse{}, nil) mockRepoServiceClient.On("GenerateManifestWithFiles", mock.Anything, mock.Anything).Return(mockWithFilesClient, nil) + mockRepoServiceClient.On("GetRevisionChartDetails", mock.Anything, mock.Anything).Return(&appsv1.ChartDetails{}, nil) if isHelm { - mockRepoServiceClient.On("ResolveRevision", mock.Anything, mock.Anything).Return(fakeResolveRevesionResponseHelm(), nil) + mockRepoServiceClient.On("ResolveRevision", mock.Anything, mock.Anything).Return(fakeResolveRevisionResponseHelm(), nil) } else { - mockRepoServiceClient.On("ResolveRevision", mock.Anything, mock.Anything).Return(fakeResolveRevesionResponse(), nil) + mockRepoServiceClient.On("ResolveRevision", mock.Anything, mock.Anything).Return(fakeResolveRevisionResponse(), nil) } return &mockRepoServiceClient 
@@ -568,6 +571,7 @@ type TestServerStream struct { ctx context.Context appName string headerSent bool + project string } func (t *TestServerStream) SetHeader(metadata.MD) error { @@ -602,6 +606,7 @@ func (t *TestServerStream) Recv() (*application.ApplicationManifestQueryWithFile return &application.ApplicationManifestQueryWithFilesWrapper{Part: &application.ApplicationManifestQueryWithFilesWrapper_Query{ Query: &application.ApplicationManifestQueryWithFiles{ Name: pointer.String(t.appName), + Project: pointer.String(t.project), Checksum: pointer.String(""), }, }}, nil @@ -722,8 +727,31 @@ func TestNoAppEnumeration(t *testing.T) { }, } }) + testHelmApp := newTestApp(func(app *appsv1.Application) { + app.Name = "test-helm" + app.Spec.Source.Path = "" + app.Spec.Source.Chart = "test" + app.Status.Resources = []appsv1.ResourceStatus{ + { + Group: deployment.GroupVersionKind().Group, + Kind: deployment.GroupVersionKind().Kind, + Version: deployment.GroupVersionKind().Version, + Name: deployment.Name, + Namespace: deployment.Namespace, + Status: "Synced", + }, + } + app.Status.History = []appsv1.RevisionHistory{ + { + ID: 0, + Source: appsv1.ApplicationSource{ + TargetRevision: "something-old", + }, + }, + } + }) testDeployment := kube.MustToUnstructured(&deployment) - appServer := newTestAppServerWithEnforcerConfigure(f, t, testApp, testDeployment) + appServer := newTestAppServerWithEnforcerConfigure(f, t, testApp, testHelmApp, testDeployment) noRoleCtx := context.Background() // nolint:staticcheck 
@@ -739,6 +767,9 @@ func TestNoAppEnumeration(t *testing.T) { // nolint:staticcheck _, err = appServer.Get(adminCtx, &application.ApplicationQuery{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + // nolint:staticcheck + _, err = appServer.Get(adminCtx, &application.ApplicationQuery{Name: pointer.String("doest-not-exist"), Project: []string{"test"}}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("GetManifests", func(t *testing.T) { @@ -748,6 +779,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.GetManifests(adminCtx, &application.ApplicationManifestQuery{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.GetManifests(adminCtx, &application.ApplicationManifestQuery{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("ListResourceEvents", func(t *testing.T) { 
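Review bot: The added assertion in the `Get` subtest exercises the `Project` field only with `adminCtx`, so nothing visible here checks that a caller without permissions still gets `permissionDeniedErr` when a project is supplied; the same gap repeats in every subtest this diff extends, from `GetManifests` through `ListLinks`. Since the test exists to prevent app enumeration, each subtest should also cover the unprivileged case, e.g. `_, err = appServer.Get(noRoleCtx, &application.ApplicationQuery{Name: pointer.String("doest-not-exist"), Project: []string{"test"}})` followed by `assert.Equal(t, permissionDeniedErr.Error(), err.Error())`, assuming that is the intended response. A case for an existing application requested under the wrong project would pin the other branch described in the proto comment. The subtests begin before these hunks, so such cases may already exist outside the visible lines.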
@@ -757,6 +790,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.ListResourceEvents(adminCtx, &application.ApplicationResourceEventsQuery{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.ListResourceEvents(adminCtx, &application.ApplicationResourceEventsQuery{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("UpdateSpec", func(t *testing.T) { @@ -775,6 +810,11 @@ func TestNoAppEnumeration(t *testing.T) { Source: &appsv1.ApplicationSource{RepoURL: "https://some-fake-source", Path: "."}, }}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.UpdateSpec(adminCtx, &application.ApplicationUpdateSpecRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test"), Spec: &appsv1.ApplicationSpec{ + Destination: appsv1.ApplicationDestination{Namespace: "default", Server: "https://cluster-api.com"}, + Source: &appsv1.ApplicationSource{RepoURL: "https://some-fake-source", Path: "."}, + }}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("Patch", func(t *testing.T) { 
@@ -784,6 +824,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.Patch(adminCtx, &application.ApplicationPatchRequest{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.Patch(adminCtx, &application.ApplicationPatchRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("GetResource", func(t *testing.T) { 
@@ -793,6 +835,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.GetResource(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.GetResource(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("PatchResource", func(t *testing.T) { 
@@ -804,6 +848,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.PatchResource(adminCtx, &application.ApplicationResourcePatchRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/replicas", "value": 3}]`)}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.PatchResource(adminCtx, &application.ApplicationResourcePatchRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/replicas", "value": 3}]`)}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("DeleteResource", func(t *testing.T) { 
@@ -813,6 +859,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.DeleteResource(adminCtx, &application.ApplicationResourceDeleteRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.DeleteResource(adminCtx, &application.ApplicationResourceDeleteRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("ResourceTree", func(t *testing.T) { 
@@ -822,6 +870,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.ResourceTree(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.ResourceTree(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("RevisionMetadata", func(t *testing.T) { 
@@ -831,6 +881,19 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.RevisionMetadata(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.RevisionMetadata(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") + }) + + t.Run("RevisionChartDetails", func(t *testing.T) { + _, err := appServer.RevisionChartDetails(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("test-helm")}) + assert.NoError(t, err) + _, err = appServer.RevisionChartDetails(noRoleCtx, &application.RevisionMetadataQuery{Name: pointer.String("test-helm")}) + assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.RevisionChartDetails(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("doest-not-exist")}) + assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.RevisionChartDetails(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can 
return the standard k8s error message") }) t.Run("ManagedResources", func(t *testing.T) { @@ -840,6 +903,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.ManagedResources(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.ManagedResources(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("Sync", func(t *testing.T) { @@ -849,6 +914,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.Sync(adminCtx, &application.ApplicationSyncRequest{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.Sync(adminCtx, &application.ApplicationSyncRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("TerminateOperation", func(t *testing.T) { 
@@ -861,6 +928,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.TerminateOperation(adminCtx, &application.OperationTerminateRequest{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.TerminateOperation(adminCtx, &application.OperationTerminateRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("Rollback", func(t *testing.T) { @@ -871,6 +940,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.Rollback(adminCtx, &application.ApplicationRollbackRequest{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.Rollback(adminCtx, &application.ApplicationRollbackRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("ListResourceActions", func(t *testing.T) { 
@@ -882,6 +953,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.ListResourceActions(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.ListResourceActions(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("RunResourceAction", func(t *testing.T) { @@ -893,6 +966,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.RunResourceAction(adminCtx, &application.ResourceActionRunRequest{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.RunResourceAction(adminCtx, &application.ResourceActionRunRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("GetApplicationSyncWindows", func(t *testing.T) { 
@@ -902,6 +977,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.GetApplicationSyncWindows(adminCtx, &application.ApplicationSyncWindowsQuery{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.GetApplicationSyncWindows(adminCtx, &application.ApplicationSyncWindowsQuery{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("GetManifestsWithFiles", func(t *testing.T) { @@ -911,6 +988,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") err = appServer.GetManifestsWithFiles(&TestServerStream{ctx: adminCtx, appName: "does-not-exist"}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + err = appServer.GetManifestsWithFiles(&TestServerStream{ctx: adminCtx, appName: "does-not-exist", project: "test"}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"does-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("WatchResourceTree", func(t *testing.T) { 
@@ -920,6 +999,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") err = appServer.WatchResourceTree(&application.ResourcesQuery{ApplicationName: pointer.String("does-not-exist")}, &TestResourceTreeServer{ctx: adminCtx}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + err = appServer.WatchResourceTree(&application.ResourcesQuery{ApplicationName: pointer.String("does-not-exist"), Project: pointer.String("test")}, &TestResourceTreeServer{ctx: adminCtx}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"does-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("PodLogs", func(t *testing.T) { @@ -929,6 +1010,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") err = appServer.PodLogs(&application.ApplicationPodLogsQuery{Name: pointer.String("does-not-exist")}, &TestPodLogsServer{ctx: adminCtx}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + err = appServer.PodLogs(&application.ApplicationPodLogsQuery{Name: pointer.String("does-not-exist"), Project: pointer.String("test")}, &TestPodLogsServer{ctx: adminCtx}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"does-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("ListLinks", func(t *testing.T) { 
@@ -938,6 +1021,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.ListLinks(adminCtx, &application.ListAppLinksRequest{Name: pointer.String("does-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.ListLinks(adminCtx, &application.ListAppLinksRequest{Name: pointer.String("does-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"does-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) t.Run("ListResourceLinks", func(t *testing.T) { 
@@ -947,6 +1032,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.ListResourceLinks(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("does-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.ListResourceLinks(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("does-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"does-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) // Do this last so other stuff doesn't fail. 
@@ -957,6 +1044,8 @@ func TestNoAppEnumeration(t *testing.T) { assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") _, err = appServer.Delete(adminCtx, &application.ApplicationDeleteRequest{Name: pointer.String("doest-not-exist")}) assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence") + _, err = appServer.Delete(adminCtx, &application.ApplicationDeleteRequest{Name: pointer.String("doest-not-exist"), Project: pointer.String("test")}) + assert.Equal(t, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", err.Error(), "when the request specifies a project, we can return the standard k8s error message") }) } @@ -1616,7 +1705,7 @@ p, admin, applications, update, default/test-app, allow p, admin, applications, create, my-proj/test-app, allow `) _, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp}) - assert.Equal(t, status.Code(err), codes.PermissionDenied) + assert.Equal(t, codes.PermissionDenied, status.Code(err)) }) t.Run("cannot change projects without update privileges in old project", func(t *testing.T) { 
@@ -2202,3 +2291,55 @@ func TestRunOldStyleResourceAction(t *testing.T) { assert.NotNil(t, appResponse) }) } + +func TestIsApplicationPermitted(t *testing.T) { + t.Run("Incorrect project", func(t *testing.T) { + testApp := newTestApp() + appServer := newTestAppServer(t, testApp) + projects := map[string]bool{"test-app": false} + permitted := appServer.isApplicationPermitted(labels.Everything(), 0, nil, "test", "default", projects, *testApp) + assert.False(t, permitted) + }) + + t.Run("Version is incorrect", func(t *testing.T) { + testApp := newTestApp() + appServer := newTestAppServer(t, testApp) + minVersion := 100000 + testApp.ResourceVersion = strconv.Itoa(minVersion - 1) + permitted := appServer.isApplicationPermitted(labels.Everything(), minVersion, nil, "test", "default", nil, *testApp) + assert.False(t, permitted) + }) + + t.Run("Application name is incorrect", func(t *testing.T) { + testApp := newTestApp() + appServer := newTestAppServer(t, testApp) + appName := "test" + permitted := appServer.isApplicationPermitted(labels.Everything(), 0, nil, appName, "default", nil, *testApp) + assert.False(t, permitted) + }) + + t.Run("Application namespace is incorrect", func(t *testing.T) { + testApp := newTestApp() + appServer := newTestAppServer(t, testApp) + permitted := appServer.isApplicationPermitted(labels.Everything(), 0, nil, testApp.Name, "demo", nil, *testApp) + assert.False(t, permitted) + }) + + t.Run("Application is not part of enabled namespace", func(t *testing.T) { + testApp := newTestApp() + appServer := newTestAppServer(t, testApp) + appServer.ns = "server-ns" + appServer.enabledNamespaces = []string{"demo"} + permitted := appServer.isApplicationPermitted(labels.Everything(), 0, nil, testApp.Name, testApp.Namespace, nil, *testApp) + assert.False(t, permitted) + }) + + t.Run("Application is part of enabled namespace", func(t *testing.T) { + testApp := newTestApp() + appServer := newTestAppServer(t, testApp) + appServer.ns = "server-ns" + 
appServer.enabledNamespaces = []string{testApp.Namespace} + permitted := appServer.isApplicationPermitted(labels.Everything(), 0, nil, testApp.Name, testApp.Namespace, nil, *testApp) + assert.True(t, permitted) + }) +} diff --git a/server/deeplinks/deeplinks.go b/server/deeplinks/deeplinks.go index 057bffee3e870..301d9ad0b2fb0 100644 --- a/server/deeplinks/deeplinks.go +++ b/server/deeplinks/deeplinks.go @@ -5,18 +5,30 @@ import ( "fmt" "text/template" + "github.com/Masterminds/sprig/v3" "github.com/antonmedv/expr" - "github.com/argoproj/argo-cd/v2/pkg/apiclient/application" - "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" - "github.com/argoproj/argo-cd/v2/util/settings" "github.com/argoproj/gitops-engine/pkg/utils/kube" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/utils/pointer" + + "github.com/argoproj/argo-cd/v2/pkg/apiclient/application" + "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" + "github.com/argoproj/argo-cd/v2/util/settings" ) +var sprigFuncMap = sprig.GenericFuncMap() // a singleton for better performance + +func init() { + // Avoid allowing the user to learn things about the environment. + delete(sprigFuncMap, "env") + delete(sprigFuncMap, "expandenv") + delete(sprigFuncMap, "getHostByName") +} + const ( ResourceDeepLinkKey = "resource" AppDeepLinkKey = "application" + AppDeepLinkShortKey = "app" ClusterDeepLinkKey = "cluster" ProjectDeepLinkKey = "project" ) @@ -57,6 +69,7 @@ func CreateDeepLinksObject(resourceObj *unstructured.Unstructured, app *unstruct } if app != nil { deeplinkObj[AppDeepLinkKey] = app.Object + deeplinkObj[AppDeepLinkShortKey] = app.Object } if cluster != nil { deeplinkObj[ClusterDeepLinkKey] = cluster.Object 
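Review bot: In `TestIsApplicationPermitted` the "Incorrect project" and "Version is incorrect" cases pass `"test"` as the app name, the same value the "Application name is incorrect" case uses to force a `false`, so they cannot show that the project filter or the version check is what rejected the app. Pass `testApp.Name` and `testApp.Namespace` there so only the condition under test can fail, e.g. `appServer.isApplicationPermitted(labels.Everything(), minVersion, nil, testApp.Name, testApp.Namespace, nil, *testApp)`. The `projects` map is keyed by `"test-app"`, which reads like an application name rather than a project; a short comment stating which project the test app is expected to carry would make the intent clear. `isApplicationPermitted` itself is not part of this hunk, so the order of its checks is inferred.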
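Review bot: `sprigFuncMap` is built as a denylist: `init()` deletes `env`, `expandenv` and `getHostByName`, and every other function sprig ships, now or after an upgrade, becomes callable from a deep-link URL template. Nothing in this change pins that the three names stay unavailable; add a case to `TestDeepLinks` whose URL uses `{{ env "HOME" }}` and expects a parse failure in `error`, and consider a comment on the variable such as `// Denylist: re-check sprig's function list on every sprig upgrade.` Because the map is shared by every `Parse` call it must not be mutated after `init()`; saying so next to "a singleton for better performance" would help the next maintainer.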
@@ -71,7 +84,7 @@ func EvaluateDeepLinksResponse(obj map[string]interface{}, name string, links [] finalLinks := []*application.LinkInfo{} errors := []string{} for _, link := range links { - t, err := template.New("deep-link").Parse(link.URL) + t, err := template.New("deep-link").Funcs(sprigFuncMap).Parse(link.URL) if err != nil { errors = append(errors, fmt.Sprintf("failed to parse link template '%v', error=%v", link.URL, err.Error())) continue diff --git a/server/deeplinks/deeplinks_test.go b/server/deeplinks/deeplinks_test.go index 0f5c1cbc787fc..abebe691c29c1 100644 --- a/server/deeplinks/deeplinks_test.go +++ b/server/deeplinks/deeplinks_test.go @@ -5,15 +5,16 @@ import ( "strings" "testing" - "github.com/argoproj/argo-cd/v2/pkg/apiclient/application" - "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" - "github.com/argoproj/argo-cd/v2/util/settings" "github.com/argoproj/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/utils/pointer" + + "github.com/argoproj/argo-cd/v2/pkg/apiclient/application" + "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" + "github.com/argoproj/argo-cd/v2/util/settings" ) type deepLinkTC struct { 
@@ -83,6 +84,22 @@ func TestDeepLinks(t *testing.T) { }}, error: []string{}, }, + { + appObj: appObj, + resourceObj: resourceObj, + projectObj: projectObj, + clusterObj: clusterObj, + inputLinks: []settings.DeepLink{{ + Title: "link", + URL: "http://example.com/{{ .app.metadata.name }}&{{ .resource.data.key }}&{{ index .project.spec.sourceRepos 0}}&{{ .cluster.name }}", + Condition: pointer.String(`app.metadata.name == "test" && project.metadata.name == "test-project"`), + }}, + outputLinks: []*application.LinkInfo{{ + Title: pointer.String("link"), + Url: pointer.String("http://example.com/test&value1&test-repo.git&test-cluster"), + }}, + error: []string{}, + }, { appObj: appObj, resourceObj: resourceObj, @@ -130,6 +147,22 @@ func TestDeepLinks(t *testing.T) { }}, error: []string{"link condition '1 + 1' evaluated to non-boolean value for resource test"}, }, + { + appObj: appObj, + resourceObj: resourceObj, + projectObj: projectObj, + clusterObj: clusterObj, + inputLinks: []settings.DeepLink{{ + Title: "link", + URL: "http://example.com/{{ .cluster.name | replace \"-\" \"_\" }}&{{ first .project.spec.sourceRepos }}", + Condition: pointer.String(`application.metadata.name == "test" && project.metadata.name == "test-project"`), + }}, + outputLinks: []*application.LinkInfo{{ + Title: pointer.String("link"), + Url: pointer.String("http://example.com/test_cluster&test-repo.git"), + }}, + error: []string{}, + }, } for _, tc := range testTable { diff --git a/server/extension/extension.go b/server/extension/extension.go index 69944d69ad00a..472d9ba3d6e16 100644 --- a/server/extension/extension.go +++ b/server/extension/extension.go 
@@ -12,16 +12,17 @@ import ( "strings" "time" - v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" + "github.com/gorilla/mux" + log "github.com/sirupsen/logrus" + "sigs.k8s.io/yaml" + + "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" applisters "github.com/argoproj/argo-cd/v2/pkg/client/listers/application/v1alpha1" "github.com/argoproj/argo-cd/v2/server/rbacpolicy" "github.com/argoproj/argo-cd/v2/util/argo" "github.com/argoproj/argo-cd/v2/util/db" "github.com/argoproj/argo-cd/v2/util/security" "github.com/argoproj/argo-cd/v2/util/settings" - "github.com/gorilla/mux" - log "github.com/sirupsen/logrus" - "sigs.k8s.io/yaml" ) const ( @@ -44,6 +45,25 @@ const ( // Example: // Argocd-Project-Name: "default" HeaderArgoCDProjectName = "Argocd-Project-Name" + + // HeaderArgoCDTargetClusterURL defines the target cluster URL + // that the Argo CD application is associated with. This header + // will be populated by the extension proxy and passed to the + // configured backend service. If this header is passed by + // the client, its value will be overriden by the extension + // handler. + // + // Example: + // Argocd-Target-Cluster-URL: "https://kubernetes.default.svc.cluster.local" + HeaderArgoCDTargetClusterURL = "Argocd-Target-Cluster-URL" + + // HeaderArgoCDTargetClusterName defines the target cluster name + // that the Argo CD application is associated with. This header + // will be populated by the extension proxy and passed to the + // configured backend service. If this header is passed by + // the client, its value will be overriden by the extension + // handler. + HeaderArgoCDTargetClusterName = "Argocd-Target-Cluster-Name" ) // RequestResources defines the authorization scope for 
@@ -137,13 +157,33 @@ type ServiceConfig struct { // destination name to have requests properly forwarded to this // service URL. Cluster *ClusterConfig `json:"cluster,omitempty"` + + // Headers if provided, the headers list will be added on all + // outgoing requests for this service config. + Headers []Header `json:"headers"` +} + +// Header defines the header to be added in the proxy requests. +type Header struct { + // Name defines the name of the header. It is a mandatory field if + // a header is provided. + Name string `json:"name"` + // Value defines the value of the header. The actual value can be + // provided as verbatim or as a reference to an Argo CD secret key. + // In order to provide it as a reference, it is necessary to prefix + // it with a dollar sign. + // Example: + // value: '$some.argocd.secret.key' + // In the example above, the value will be replaced with the one from + // the argocd-secret with key 'some.argocd.secret.key'. + Value string `json:"value"` } type ClusterConfig struct { - // Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API + // Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set. Server string `json:"server"` - // Name is an alternate way of specifying the target cluster by its symbolic name + // Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set. Name string `json:"name"` } 
@@ -303,11 +343,23 @@ func proxyKey(extName, cName, cServer string) ProxyKey { } } -func parseAndValidateConfig(config string) (*ExtensionConfigs, error) { +func parseAndValidateConfig(s *settings.ArgoCDSettings) (*ExtensionConfigs, error) { + extConfigMap := map[string]interface{}{} + err := yaml.Unmarshal([]byte(s.ExtensionConfig), &extConfigMap) + if err != nil { + return nil, fmt.Errorf("invalid extension config: %s", err) + } + + parsedExtConfig := settings.ReplaceMapSecrets(extConfigMap, s.Secrets) + parsedExtConfigBytes, err := yaml.Marshal(parsedExtConfig) + if err != nil { + return nil, fmt.Errorf("error marshaling parsed extension config: %s", err) + } + configs := ExtensionConfigs{} - err := yaml.Unmarshal([]byte(config), &configs) + err = yaml.Unmarshal(parsedExtConfigBytes, &configs) if err != nil { - return nil, fmt.Errorf("invalid yaml: %s", err) + return nil, fmt.Errorf("invalid parsed extension config: %s", err) } err = validateConfigs(&configs) if err != nil { @@ -343,6 +395,16 @@ func validateConfigs(configs *ExtensionConfigs) error { return fmt.Errorf("cluster.name or cluster.server must be defined when cluster is provided in the configuration") } } + if len(svc.Headers) > 0 { + for _, header := range svc.Headers { + if header.Name == "" { + return fmt.Errorf("header.name must be defined when providing service headers in the configuration") + } + if header.Value == "" { + return fmt.Errorf("header.value must be defined when providing service headers in the configuration") + } + } + } } } return nil 
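Review bot: `settings.ReplaceMapSecrets(extConfigMap, s.Secrets)` runs over the whole extension config, so a `$key` reference is resolved in any string field, not only in `headers[].value` as the `Header.Value` comment describes. A resolved secret in `url` or `name` could then surface in error strings or logs built from those fields (for example NewProxy's "failed to parse proxy URL" error), which is worth either restricting or documenting; a comment above the call such as `// Resolves $secret references in every string value of the config, not just header values.` would do. It is also not visible here what ReplaceMapSecrets does with a reference whose key is missing; if it leaves the literal `$...` text in place, `validateConfigs` will accept it and the reference name is sent upstream as the header value.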
@@ -350,7 +412,7 @@ func validateConfigs(configs *ExtensionConfigs) error { // NewProxy will instantiate a new reverse proxy based on the provided // targetURL and config. -func NewProxy(targetURL string, config ProxyConfig) (*httputil.ReverseProxy, error) { +func NewProxy(targetURL string, headers []Header, config ProxyConfig) (*httputil.ReverseProxy, error) { url, err := url.Parse(targetURL) if err != nil { return nil, fmt.Errorf("failed to parse proxy URL: %s", err) @@ -362,6 +424,11 @@ func NewProxy(targetURL string, config ProxyConfig) (*httputil.ReverseProxy, err req.URL.Scheme = url.Scheme req.URL.Host = url.Host req.Header.Set("Host", url.Host) + req.Header.Del("Authorization") + req.Header.Del("Cookie") + for _, header := range headers { + req.Header.Set(header.Name, header.Value) + } }, } return proxy, nil @@ -403,16 +470,16 @@ func applyProxyConfigDefaults(c *ProxyConfig) { // router. func (m *Manager) RegisterHandlers(r *mux.Router) error { m.log.Info("Registering extension handlers...") - config, err := m.settings.Get() + settings, err := m.settings.Get() if err != nil { return fmt.Errorf("error getting settings: %s", err) } - if config.ExtensionConfig == "" { + if settings.ExtensionConfig == "" { return fmt.Errorf("No extensions configurations found") } - extConfigs, err := parseAndValidateConfig(config.ExtensionConfig) + extConfigs, err := parseAndValidateConfig(settings) if err != nil { return fmt.Errorf("error parsing extension config: %s", err) } @@ -467,7 +534,7 @@ func (m *Manager) registerExtensions(r *mux.Router, extConfigs *ExtensionConfigs registry := NewProxyRegistry() singleBackend := len(ext.Backend.Services) == 1 for _, service := range ext.Backend.Services { - proxy, err := NewProxy(service.URL, ext.Backend.ProxyConfig) + proxy, err := NewProxy(service.URL, service.Headers, ext.Backend.ProxyConfig) if err != nil { return fmt.Errorf("error creating proxy: %s", err) } 
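Review bot: In the Director the configured `headers` are applied last with `req.Header.Set`, after `prepareRequest` has already written `Argocd-Target-Cluster-Name` and `Argocd-Target-Cluster-URL` on the request, so a service header with one of those names silently replaces the value the handler populated. If backends are meant to trust those headers, `validateConfigs` could reject configured names that collide with the `HeaderArgoCD*` constants; otherwise the precedence should be stated in the doc comment. The comment on `NewProxy` still mentions only targetURL and config; something like `// headers are set on every outgoing request after the client's Authorization and Cookie headers have been removed.` would cover the new parameter. `NewProxy` is exported, so the added positional parameter is a breaking change for any caller outside this package.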
@@ -580,17 +647,21 @@ func (m *Manager) CallExtension(extName string, registry ProxyRegistry) func(htt return } - sanitizeRequest(r, extName) + prepareRequest(r, extName, app) m.log.Debugf("proxing request for extension %q", extName) proxy.ServeHTTP(w, r) } } -// sanitizeRequest is reponsible for preparing and cleaning the given +// prepareRequest is reponsible for preparing and cleaning the given // request, removing sensitive information before forwarding it to the // proxy extension. -func sanitizeRequest(r *http.Request, extName string) { +func prepareRequest(r *http.Request, extName string, app *v1alpha1.Application) { r.URL.Path = strings.TrimPrefix(r.URL.Path, fmt.Sprintf("%s/%s", URLPrefix, extName)) - r.Header.Del("Cookie") - r.Header.Del("Authorization") + if app.Spec.Destination.Name != "" { + r.Header.Set(HeaderArgoCDTargetClusterName, app.Spec.Destination.Name) + } + if app.Spec.Destination.Server != "" { + r.Header.Set(HeaderArgoCDTargetClusterURL, app.Spec.Destination.Server) + } } diff --git a/server/extension/extension_test.go b/server/extension/extension_test.go index aafb0d29de4be..cb71f01a2148b 100644 --- a/server/extension/extension_test.go +++ b/server/extension/extension_test.go @@ -210,6 +210,14 @@ func TestRegisterHandlers(t *testing.T) { name: "invalid name", configYaml: getExtensionConfigInvalidName(), }, + { + name: "no header name", + configYaml: getExtensionConfigNoHeaderName(), + }, + { + name: "no header value", + configYaml: getExtensionConfigNoHeaderValue(), + }, } // when @@ -335,8 +343,13 @@ func TestExtensionsHandler(t *testing.T) { } withExtensionConfig := func(configYaml string, f *fixture) { + secrets := make(map[string]string) + secrets["extension.auth.header"] = "Bearer some-bearer-token" + secrets["extension.auth.header2"] = "Bearer another-bearer-token" + settings := &settings.ArgoCDSettings{ ExtensionConfig: configYaml, + Secrets: secrets, } f.settingsGetterMock.On("Get", mock.Anything).Return(settings, nil) } 
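Review bot: `prepareRequest` sets `HeaderArgoCDTargetClusterName` and `HeaderArgoCDTargetClusterURL` only when the matching destination field is non-empty, so when one of them is empty a value the client sent under that header name is forwarded to the backend unchanged. That contradicts the constants' documentation ("its value will be overriden by the extension handler") and lets a caller choose the cluster identity a backend sees. Clear both first, `r.Header.Del(HeaderArgoCDTargetClusterName)` and `r.Header.Del(HeaderArgoCDTargetClusterURL)`, then set the ones that apply. The function comment also still promises "removing sensitive information", but the Cookie and Authorization removal now happens in NewProxy's Director, so it should describe what is done here instead.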
@@ -352,6 +365,9 @@ func TestExtensionsHandler(t *testing.T) { startBackendTestSrv := func(response string) *httptest.Server { return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + for k, v := range r.Header { + w.Header().Add(k, strings.Join(v, ",")) + } fmt.Fprintln(w, response) })) @@ -393,6 +409,9 @@ func TestExtensionsHandler(t *testing.T) { clusterName := "clusterName" clusterURL := "clusterURL" backendSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + for k, v := range r.Header { + w.Header().Add(k, strings.Join(v, ",")) + } fmt.Fprintln(w, backendResponse) })) defer backendSrv.Close() @@ -417,6 +436,8 @@ func TestExtensionsHandler(t *testing.T) { require.NoError(t, err) actual := strings.TrimSuffix(string(body), "\n") assert.Equal(t, backendResponse, actual) + assert.Equal(t, clusterURL, resp.Header.Get(extension.HeaderArgoCDTargetClusterURL)) + assert.Equal(t, "Bearer some-bearer-token", resp.Header.Get("Authorization")) }) t.Run("will route requests with 2 backends for the same extension successfully", func(t *testing.T) { // given @@ -466,6 +487,7 @@ func TestExtensionsHandler(t *testing.T) { require.NoError(t, err) actual := strings.TrimSuffix(string(body), "\n") assert.Equal(t, response1, actual) + assert.Equal(t, "Bearer some-bearer-token", resp1.Header.Get("Authorization")) require.NotNil(t, resp2) assert.Equal(t, http.StatusOK, resp2.StatusCode) @@ -473,6 +495,7 @@ func TestExtensionsHandler(t *testing.T) { require.NoError(t, err) actual = strings.TrimSuffix(string(body), "\n") assert.Equal(t, response2, actual) + assert.Equal(t, "Bearer another-bearer-token", resp2.Header.Get("Authorization")) }) t.Run("will return 401 if sub has no access to get application", func(t *testing.T) { // given @@ -637,6 +660,9 @@ extensions: backend: services: - url: %s + headers: + - name: Authorization + value: '$extension.auth.header' ` return fmt.Sprintf(cfg, name, url) } 
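Review bot: The new header assertions (`resp.Header.Get("Authorization")`, `resp.Header.Get(extension.HeaderArgoCDTargetClusterURL)`) only prove that configured and handler-set values arrive at the backend; no case shown here sends a client-supplied `Authorization`, `Cookie` or `Argocd-Target-Cluster-URL` and checks that it is dropped or replaced. Now that the test backends echo request headers, one extra request with those headers set, asserting that the echoed `Cookie` is empty and the echoed `Authorization` equals the configured secret, would pin the behaviour that moved into NewProxy's Director. How the test requests are built is outside the hunks, so where to add the headers is not visible from here.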
@@ -648,9 +674,15 @@ extensions: backend: services: - url: %s + headers: + - name: Authorization + value: '$extension.auth.header' cluster: name: %s - url: %s + headers: + - name: Authorization + value: '$extension.auth.header2' cluster: server: %s ` @@ -667,6 +699,9 @@ extensions: backend: services: - url: https://httpbin.org + headers: + - name: some-header + value: '$some.secret.ref' - name: some-backend backend: services: @@ -701,3 +736,27 @@ extensions: - cluster: some-cluster ` } + +func getExtensionConfigNoHeaderName() string { + return ` +extensions: +- name: some-extension + backend: + services: + - url: https://httpbin.org + headers: + - value: '$some.secret.key' +` +} + +func getExtensionConfigNoHeaderValue() string { + return ` +extensions: +- name: some-extension + backend: + services: + - url: https://httpbin.org + headers: + - name: some-header-name +` +} diff --git a/server/server.go b/server/server.go index f0f2df6680ad7..e7e3ffb351068 100644 --- a/server/server.go +++ b/server/server.go @@ -2,7 +2,6 @@ package server import ( "context" - netCtx "context" "crypto/tls" "errors" "fmt" @@ -25,6 +24,8 @@ import ( // nolint:staticcheck golang_proto "github.com/golang/protobuf/proto" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/selection" "github.com/argoproj/notifications-engine/pkg/api" "github.com/argoproj/pkg/sync" @@ -102,7 +103,6 @@ import ( "github.com/argoproj/argo-cd/v2/util/assets" cacheutil "github.com/argoproj/argo-cd/v2/util/cache" "github.com/argoproj/argo-cd/v2/util/db" - "github.com/argoproj/argo-cd/v2/util/dex" dexutil "github.com/argoproj/argo-cd/v2/util/dex" "github.com/argoproj/argo-cd/v2/util/env" errorsutil "github.com/argoproj/argo-cd/v2/util/errors" @@ -207,7 +207,7 @@ type ArgoCDServerOpts struct { MetricsHost string Namespace string DexServerAddr string - DexTLSConfig *dex.DexTLSConfig + DexTLSConfig *dexutil.DexTLSConfig BaseHRef string RootPath string KubeClientset kubernetes.Interface 
@@ -291,7 +291,9 @@ func NewServer(ctx context.Context, opts ArgoCDServerOpts) *ArgoCDServer { apiFactory := api.NewFactory(settings_notif.GetFactorySettings(argocdService, "argocd-notifications-secret", "argocd-notifications-cm"), opts.Namespace, secretInformer, configMapInformer) - return &ArgoCDServer{ + dbInstance := db.NewDB(opts.Namespace, settingsMgr, opts.KubeClientset) + + a := &ArgoCDServer{ ArgoCDServerOpts: opts, log: log.NewEntry(log.StandardLogger()), settings: settings, @@ -307,11 +309,19 @@ func NewServer(ctx context.Context, opts ArgoCDServerOpts) *ArgoCDServer { policyEnforcer: policyEnf, userStateStorage: userStateStorage, staticAssets: http.FS(staticFS), - db: db.NewDB(opts.Namespace, settingsMgr, opts.KubeClientset), + db: dbInstance, apiFactory: apiFactory, secretInformer: secretInformer, configMapInformer: configMapInformer, } + + err = a.logInClusterWarnings() + if err != nil { + // Just log. It's not critical. + log.Warnf("Failed to log in-cluster warnings: %v", err) + } + + return a } const ( 
@@ -358,6 +368,47 @@ func (l *Listeners) Close() error { return nil } +// logInClusterWarnings checks the in-cluster configuration and prints out any warnings. +func (a *ArgoCDServer) logInClusterWarnings() error { + labelSelector := labels.NewSelector() + req, err := labels.NewRequirement(common.LabelKeySecretType, selection.Equals, []string{common.LabelValueSecretTypeCluster}) + if err != nil { + return fmt.Errorf("failed to construct cluster-type label selector: %w", err) + } + labelSelector = labelSelector.Add(*req) + secretsLister, err := a.settingsMgr.GetSecretsLister() + if err != nil { + return fmt.Errorf("failed to get secrets lister: %w", err) + } + clusterSecrets, err := secretsLister.Secrets(a.ArgoCDServerOpts.Namespace).List(labelSelector) + if err != nil { + return fmt.Errorf("failed to list cluster secrets: %w", err) + } + var inClusterSecrets []string + for _, clusterSecret := range clusterSecrets { + cluster, err := db.SecretToCluster(clusterSecret) + if err != nil { + return fmt.Errorf("could not unmarshal cluster secret %q: %w", clusterSecret.Name, err) + } + if cluster.Server == v1alpha1.KubernetesInternalAPIServerAddr { + inClusterSecrets = append(inClusterSecrets, clusterSecret.Name) + } + } + if len(inClusterSecrets) > 0 { + // Don't make this call unless we actually have in-cluster secrets, to save time. + dbSettings, err := a.settingsMgr.GetSettings() + if err != nil { + return fmt.Errorf("could not get DB settings: %w", err) + } + if !dbSettings.InClusterEnabled { + for _, clusterName := range inClusterSecrets { + log.Warnf("cluster %q uses in-cluster server address but it's disabled in Argo CD settings", clusterName) + } + } + } + return nil +} + func startListener(host string, port int) (net.Listener, error) { var conn net.Listener var realErr error 
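Review bot: `logInClusterWarnings` returns on the first cluster secret that `db.SecretToCluster` cannot unmarshal, so one malformed secret suppresses the in-cluster warning for every other cluster. Since the caller in NewServer treats the whole check as non-critical, log and keep going: `log.Warnf("could not unmarshal cluster secret %q: %v", clusterSecret.Name, err)` followed by `continue`. The final warning also prints the secret name through a variable called `clusterName` with the text `cluster %q`; either rename the variable or say "cluster secret" so operators look for the right object.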
@@ -460,12 +511,12 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) { var httpL net.Listener var httpsL net.Listener if !a.useTLS() { - httpL = tcpm.Match(cmux.HTTP1Fast()) + httpL = tcpm.Match(cmux.HTTP1Fast("PATCH")) grpcL = tcpm.MatchWithWriters(cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc")) } else { // We first match on HTTP 1.1 methods. - httpL = tcpm.Match(cmux.HTTP1Fast()) + httpL = tcpm.Match(cmux.HTTP1Fast("PATCH")) // If not matched, we assume that its TLS. tlsl := tcpm.Match(cmux.Any()) @@ -480,7 +531,7 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) { // Now, we build another mux recursively to match HTTPS and gRPC. tlsm = cmux.New(tlsl) - httpsL = tlsm.Match(cmux.HTTP1Fast()) + httpsL = tlsm.Match(cmux.HTTP1Fast("PATCH")) grpcL = tlsm.MatchWithWriters(cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc")) } @@ -559,7 +610,7 @@ func (a *ArgoCDServer) watchSettings() { prevURL := a.settings.URL prevOIDCConfig := a.settings.OIDCConfig() - prevDexCfgBytes, err := dex.GenerateDexConfigYAML(a.settings, a.DexTLSConfig == nil || a.DexTLSConfig.DisableTLS) + prevDexCfgBytes, err := dexutil.GenerateDexConfigYAML(a.settings, a.DexTLSConfig == nil || a.DexTLSConfig.DisableTLS) errorsutil.CheckError(err) prevGitHubSecret := a.settings.WebhookGitHubSecret prevGitLabSecret := a.settings.WebhookGitLabSecret @@ -574,7 +625,7 @@ func (a *ArgoCDServer) watchSettings() { for { newSettings := <-updateCh a.settings = newSettings - newDexCfgBytes, err := dex.GenerateDexConfigYAML(a.settings, a.DexTLSConfig == nil || a.DexTLSConfig.DisableTLS) + newDexCfgBytes, err := dexutil.GenerateDexConfigYAML(a.settings, a.DexTLSConfig == nil || a.DexTLSConfig.DisableTLS) errorsutil.CheckError(err) if string(newDexCfgBytes) != string(prevDexCfgBytes) { log.Infof("dex config modified. restarting") 
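Review bot: The three `cmux.HTTP1Fast("PATCH")` calls carry no comment saying why the method is listed, and the reason is not obvious at the call site: the fast matcher only recognises its built-in method list, and in the TLS branch anything it does not match falls through to `cmux.Any()` and is handled as TLS. A comment on the first call, e.g. `// PATCH is not among cmux's default HTTP/1 methods; list it explicitly so PATCH requests reach the HTTP listener.`, would keep the argument from being dropped later. The same literal is repeated for `httpL` in the else branch and for `httpsL` in the following hunk; a package-level list passed as `cmux.HTTP1Fast(extraHTTPMethods...)` would keep the three in sync.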
@@ -692,7 +743,7 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre grpc_prometheus.StreamServerInterceptor, grpc_auth.StreamServerInterceptor(a.Authenticate), grpc_util.UserAgentStreamServerInterceptor(common.ArgoCDUserAgentName, clientConstraint), - grpc_util.PayloadStreamServerInterceptor(a.log, true, func(ctx netCtx.Context, fullMethodName string, servingObject interface{}) bool { + grpc_util.PayloadStreamServerInterceptor(a.log, true, func(ctx context.Context, fullMethodName string, servingObject interface{}) bool { return !sensitiveMethods[fullMethodName] }), grpc_util.ErrorCodeK8sStreamServerInterceptor(), @@ -706,7 +757,7 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre grpc_prometheus.UnaryServerInterceptor, grpc_auth.UnaryServerInterceptor(a.Authenticate), grpc_util.UserAgentUnaryServerInterceptor(common.ArgoCDUserAgentName, clientConstraint), - grpc_util.PayloadUnaryServerInterceptor(a.log, true, func(ctx netCtx.Context, fullMethodName string, servingObject interface{}) bool { + grpc_util.PayloadUnaryServerInterceptor(a.log, true, func(ctx context.Context, fullMethodName string, servingObject interface{}) bool { return !sensitiveMethods[fullMethodName] }), grpc_util.ErrorCodeK8sUnaryServerInterceptor(), diff --git a/test/container/Dockerfile b/test/container/Dockerfile index d6ae93e26884b..22b984dfa2633 100644 --- a/test/container/Dockerfile +++ b/test/container/Dockerfile 
@@ -8,7 +8,7 @@ RUN ln -s /usr/lib/$(uname -m)-linux-gnu /usr/lib/linux-gnu # Please make sure to also check the contained yarn version and update the references below when upgrading this image's version FROM docker.io/library/node:20.4.0@sha256:b3ca7d32f0c12291df6e45a914d4ee60011a3fce4a978df5e609e356a4a2cb88 as node -FROM docker.io/library/golang:1.20.5@sha256:4b1fc02d16fca272e5e6e6adc98396219b43ef663a377eef4a97e881d364393f as golang +FROM docker.io/library/golang:1.20.6@sha256:8e5a0067e6b387263a01d06b91ef1a983f90e9638564f6e25392fd2695f7ab6c as golang FROM docker.io/library/registry:2.8@sha256:41f413c22d6156587e2a51f3e80c09808b8c70e82be149b82b5e0196a88d49b4 as registry diff --git a/test/e2e/accounts_test.go b/test/e2e/accounts_test.go index f794dce7a56e9..54eba790af2c5 100644 --- a/test/e2e/accounts_test.go +++ b/test/e2e/accounts_test.go @@ -14,7 +14,6 @@ import ( "github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless" "github.com/argoproj/argo-cd/v2/pkg/apiclient/account" "github.com/argoproj/argo-cd/v2/pkg/apiclient/session" - "github.com/argoproj/argo-cd/v2/test/e2e/fixture" . "github.com/argoproj/argo-cd/v2/test/e2e/fixture" accountFixture "github.com/argoproj/argo-cd/v2/test/e2e/fixture/account" "github.com/argoproj/argo-cd/v2/util/io" @@ -77,7 +76,7 @@ func TestCanIGetLogsAllowSwitchOn(t *testing.T) { When(). Create(). Login(). - SetPermissions([]fixture.ACL{ + SetPermissions([]ACL{ { Resource: "logs", Action: "get", diff --git a/test/e2e/app_management_test.go b/test/e2e/app_management_test.go index 054d02407a100..00c5cbf549661 100644 --- a/test/e2e/app_management_test.go +++ b/test/e2e/app_management_test.go 
@@ -476,6 +476,24 @@ func TestDeleteAppResource(t *testing.T) { Expect(HealthIs(health.HealthStatusMissing)) } +// Fix for issue #2677, support PATCH in HTTP service +func TestPatchHttp(t *testing.T) { + ctx := Given(t) + + ctx. + Path(guestbookPath). + When(). + CreateApp(). + Sync(). + PatchAppHttp(`{"metadata": {"labels": { "test": "patch" }, "annotations": { "test": "patch" }}}`). + Then(). + And(func(app *Application) { + assert.Equal(t, "patch", app.Labels["test"]) + assert.Equal(t, "patch", app.Annotations["test"]) + }) + +} + // demonstrate that we cannot use a standard sync when an immutable field is changed, we must use "force" func TestImmutableChange(t *testing.T) { SkipOnEnv(t, "OPENSHIFT") diff --git a/test/e2e/applicationset_test.go b/test/e2e/applicationset_test.go index 7cabe65a5637b..80c406c1b62a3 100644 --- a/test/e2e/applicationset_test.go +++ b/test/e2e/applicationset_test.go @@ -1,7 +1,9 @@ package e2e import ( + "fmt" "io" + "net" "net/http" "net/http/httptest" "strings" @@ -15,9 +17,11 @@ import ( "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" "github.com/argoproj/argo-cd/v2/test/e2e/fixture" + . "github.com/argoproj/argo-cd/v2/test/e2e/fixture/applicationsets" "github.com/argoproj/argo-cd/v2/test/e2e/fixture/applicationsets/utils" . "github.com/argoproj/argo-cd/v2/util/errors" + "github.com/stretchr/testify/assert" "github.com/argoproj/argo-cd/v2/pkg/apis/application" ) 
@@ -1441,11 +1445,28 @@ func githubSCMMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) } } -func TestSimpleSCMProviderGenerator(t *testing.T) { +func testServerWithPort(t *testing.T, port int, handler http.Handler) *httptest.Server { // Use mocked API response to avoid rate-limiting. - ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + l, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port)) + if err != nil { + t.Error(fmt.Errorf("Unable to start server %w", err)) + } + + ts := httptest.NewUnstartedServer(handler) + + ts.Listener.Close() + ts.Listener = l + + return ts +} + +func TestSimpleSCMProviderGenerator(t *testing.T) { + + ts := testServerWithPort(t, 8341, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { githubSCMMockHandler(t)(w, r) })) + ts.Start() + defer ts.Close() expectedApp := argov1alpha1.Application{ TypeMeta: metav1.TypeMeta{ @@ -1518,10 +1539,11 @@ func TestSimpleSCMProviderGenerator(t *testing.T) { } func TestSimpleSCMProviderGeneratorGoTemplate(t *testing.T) { - // Use mocked API response to avoid rate-limiting. - ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + ts := testServerWithPort(t, 8342, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { githubSCMMockHandler(t)(w, r) })) + ts.Start() + defer ts.Close() expectedApp := argov1alpha1.Application{ TypeMeta: metav1.TypeMeta{ 
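Review bot: In `testServerWithPort`, a failed `net.Listen` is reported with `t.Error`, which lets the helper continue and assign a nil listener to `ts.Listener`, so the caller's `ts.Start()` is likely to panic instead of reporting the bind failure. Make the failure fatal and mark the helper: `t.Helper()` as the first statement, and `t.Fatalf("unable to listen on 127.0.0.1:%d: %v", port, err)` in the error branch. The leftover comment `// Use mocked API response to avoid rate-limiting.` now sits above the listener setup and no longer describes it. A comment saying why the port must be fixed would help (presumably so the mock URL can match a configured list of permitted SCM providers; confirm), because the hard-coded ports 8341–8344 used here and in the `@@ -1518`, `@@ -1766` and `@@ -1844` hunks will collide with anything else bound on the runner.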
@@ -1594,6 +1616,84 @@ func TestSimpleSCMProviderGeneratorGoTemplate(t *testing.T) { }).Then().Expect(ApplicationsExist([]argov1alpha1.Application{expectedApp})) } +func TestSCMProviderGeneratorSCMProviderNotAllowed(t *testing.T) { + expectedApp := argov1alpha1.Application{ + TypeMeta: metav1.TypeMeta{ + Kind: application.ApplicationKind, + APIVersion: "argoproj.io/v1alpha1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "argo-cd-guestbook", + Namespace: fixture.TestNamespace(), + Finalizers: []string{"resources-finalizer.argocd.argoproj.io"}, + Labels: map[string]string{ + LabelKeyAppSetInstance: "simple-scm-provider-generator", + }, + }, + Spec: argov1alpha1.ApplicationSpec{ + Project: "default", + Source: &argov1alpha1.ApplicationSource{ + RepoURL: "git@github.com:argoproj/argo-cd.git", + TargetRevision: "master", + Path: "guestbook", + }, + Destination: argov1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "guestbook", + }, + }, + } + + // Because you can't &"". + repoMatch := "argo-cd" + + Given(t). 
+ // Create an SCMProviderGenerator-based ApplicationSet + When().Create(v1alpha1.ApplicationSet{ObjectMeta: metav1.ObjectMeta{ + Name: "scm-provider-generator-scm-provider-not-allowed", + }, + Spec: v1alpha1.ApplicationSetSpec{ + GoTemplate: true, + Template: v1alpha1.ApplicationSetTemplate{ + ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{Name: "{{ .repository }}-guestbook"}, + Spec: argov1alpha1.ApplicationSpec{ + Project: "default", + Source: &argov1alpha1.ApplicationSource{ + RepoURL: "{{ .url }}", + TargetRevision: "{{ .branch }}", + Path: "guestbook", + }, + Destination: argov1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "guestbook", + }, + }, + }, + Generators: []v1alpha1.ApplicationSetGenerator{ + { + SCMProvider: &v1alpha1.SCMProviderGenerator{ + Github: &v1alpha1.SCMProviderGeneratorGithub{ + Organization: "argoproj", + API: "http://myservice.mynamespace.svc.cluster.local", + }, + Filters: []v1alpha1.SCMProviderGeneratorFilter{ + { + RepositoryMatch: &repoMatch, + }, + }, + }, + }, + }, + }, + }).Then().Expect(ApplicationsDoNotExist([]argov1alpha1.Application{expectedApp})). + And(func() { + // app should be listed + output, err := fixture.RunCli("appset", "get", "scm-provider-generator-scm-provider-not-allowed") + assert.NoError(t, err) + assert.Contains(t, output, "scm provider not allowed: http://myservice.mynamespace.svc.cluster.local") + }) +} + func TestCustomApplicationFinalizers(t *testing.T) { expectedApp := argov1alpha1.Application{ TypeMeta: metav1.TypeMeta{ 
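Review bot: The `expectedApp` in `TestSCMProviderGeneratorSCMProviderNotAllowed` carries the label `LabelKeyAppSetInstance: "simple-scm-provider-generator"`, but the ApplicationSet created below is named `scm-provider-generator-scm-provider-not-allowed`, so the object passed to `ApplicationsDoNotExist` is not the one this ApplicationSet would generate. If that expectation compares more than the name (its implementation is not shown here), the negative check can pass even when an Application was wrongly created from the rejected provider; set the label to the ApplicationSet's own name. `TestPullRequestGeneratorNotAllowedSCMProvider` in the `@@ -1925` hunk has the same mismatch (`simple-pull-request-generator` against `pull-request-generator-not-allowed-scm`). The comment `// app should be listed` in both tests is misleading; something like `// the appset output must report the rejected provider URL` describes what the assertion checks.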
@@ -1766,11 +1866,14 @@ func githubPullMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request } func TestSimplePullRequestGenerator(t *testing.T) { - // Use mocked API response to avoid rate-limiting. - ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + + ts := testServerWithPort(t, 8343, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { githubPullMockHandler(t)(w, r) })) + ts.Start() + defer ts.Close() + expectedApp := argov1alpha1.Application{ TypeMeta: metav1.TypeMeta{ Kind: application.ApplicationKind, @@ -1844,11 +1947,13 @@ func TestSimplePullRequestGenerator(t *testing.T) { } func TestSimplePullRequestGeneratorGoTemplate(t *testing.T) { - // Use mocked API response to avoid rate-limiting. - ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + ts := testServerWithPort(t, 8344, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { githubPullMockHandler(t)(w, r) })) + ts.Start() + defer ts.Close() + expectedApp := argov1alpha1.Application{ TypeMeta: metav1.TypeMeta{ Kind: application.ApplicationKind, 
@@ -1925,6 +2030,90 @@ func TestSimplePullRequestGeneratorGoTemplate(t *testing.T) { }).Then().Expect(ApplicationsExist([]argov1alpha1.Application{expectedApp})) } +func TestPullRequestGeneratorNotAllowedSCMProvider(t *testing.T) { + + expectedApp := argov1alpha1.Application{ + TypeMeta: metav1.TypeMeta{ + Kind: application.ApplicationKind, + APIVersion: "argoproj.io/v1alpha1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "guestbook-1", + Namespace: fixture.TestNamespace(), + Finalizers: []string{"resources-finalizer.argocd.argoproj.io"}, + Labels: map[string]string{ + "app": "preview", + LabelKeyAppSetInstance: "simple-pull-request-generator", + }, + }, + Spec: argov1alpha1.ApplicationSpec{ + Project: "default", + Source: &argov1alpha1.ApplicationSource{ + RepoURL: "git@github.com:applicationset-test-org/argocd-example-apps.git", + TargetRevision: "824a5c987fdfb2b0629e9dbf5f31636c69ba4772", + Path: "kustomize-guestbook", + Kustomize: &argov1alpha1.ApplicationSourceKustomize{ + NamePrefix: "guestbook-1", + }, + }, + Destination: argov1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "guestbook-pull-request", + }, + }, + } + + Given(t). 
+ // Create an PullRequestGenerator-based ApplicationSet + When().Create(v1alpha1.ApplicationSet{ObjectMeta: metav1.ObjectMeta{ + Name: "pull-request-generator-not-allowed-scm", + }, + Spec: v1alpha1.ApplicationSetSpec{ + GoTemplate: true, + Template: v1alpha1.ApplicationSetTemplate{ + ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{ + Name: "guestbook-{{ .number }}", + Labels: map[string]string{"app": "{{index .labels 0}}"}}, + Spec: argov1alpha1.ApplicationSpec{ + Project: "default", + Source: &argov1alpha1.ApplicationSource{ + RepoURL: "git@github.com:applicationset-test-org/argocd-example-apps.git", + TargetRevision: "{{ .head_sha }}", + Path: "kustomize-guestbook", + Kustomize: &argov1alpha1.ApplicationSourceKustomize{ + NamePrefix: "guestbook-{{ .number }}", + }, + }, + Destination: argov1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "guestbook-{{ .branch }}", + }, + }, + }, + Generators: []v1alpha1.ApplicationSetGenerator{ + { + PullRequest: &v1alpha1.PullRequestGenerator{ + Github: &v1alpha1.PullRequestGeneratorGithub{ + API: "http://myservice.mynamespace.svc.cluster.local", + Owner: "applicationset-test-org", + Repo: "argocd-example-apps", + Labels: []string{ + "preview", + }, + }, + }, + }, + }, + }, + }).Then().Expect(ApplicationsDoNotExist([]argov1alpha1.Application{expectedApp})). 
+ And(func() { + // app should be listed + output, err := fixture.RunCli("appset", "get", "pull-request-generator-not-allowed-scm") + assert.NoError(t, err) + assert.Contains(t, output, "failed to select pull request service provider: scm provider not allowed: http://myservice.mynamespace.svc.cluster.local") + }) +} + func TestGitGeneratorPrivateRepo(t *testing.T) { FailOnErr(fixture.RunCli("repo", "add", fixture.RepoURL(fixture.RepoURLTypeHTTPS), "--username", fixture.GitUsername, "--password", fixture.GitPassword, "--insecure-skip-server-verification")) generateExpectedApp := func(name string) argov1alpha1.Application { diff --git a/test/e2e/deployment_test.go b/test/e2e/deployment_test.go index 085ecee244ba2..20e79c2aff56c 100644 --- a/test/e2e/deployment_test.go +++ b/test/e2e/deployment_test.go @@ -1,12 +1,22 @@ package e2e import ( + "context" + "encoding/json" "fmt" + "os" "testing" + "time" "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/tools/clientcmd" + "github.com/argoproj/argo-cd/v2/common" "github.com/argoproj/argo-cd/v2/util/argo" + "github.com/argoproj/argo-cd/v2/util/clusterauth" "github.com/argoproj/gitops-engine/pkg/health" . "github.com/argoproj/gitops-engine/pkg/sync/common" 
@@ -108,3 +118,304 @@ func TestDeploymentWithoutTrackingMode(t *testing.T) { `, ctx.AppName())) }) } + +// This test verifies that Argo CD can: +// A) Deploy to a cluster where the URL of the cluster contains a query parameter: e.g. https://(kubernetes-url):443/?context=some-val +// and +// B) Multiple users can deploy to the same K8s cluster, using above mechanism (but with different Argo CD Cluster Secrets, and different ServiceAccounts) +func TestDeployToKubernetesAPIURLWithQueryParameter(t *testing.T) { + + // We test with both a cluster-scoped, and a non-cluster scoped, Argo CD Cluster Secret. + clusterScopedParam := []bool{false, true} + for _, clusterScoped := range clusterScopedParam { + + EnsureCleanState(t) + + // Simulate two users, each with their own Argo CD cluster secret that can only deploy to their Namespace + users := []string{E2ETestPrefix + "user1", E2ETestPrefix + "user2"} + + for _, username := range users { + createNamespaceScopedUser(t, username, clusterScoped) + + GivenWithSameState(t). + Name("e2e-test-app-"+username). + Path("deployment"). + When(). + CreateWithNoNameSpace("--dest-namespace", username). + Sync(). + Then(). + Expect(OperationPhaseIs(OperationSucceeded)). + Expect(SyncStatusIs(SyncStatusCodeSynced)). + Expect(HealthIs(health.HealthStatusHealthy)) + } + + } + +} + +// This test verifies that Argo CD can: +// When multiple Argo CD cluster secrets used to deploy to the same cluster (using query parameters), that the ServiceAccount RBAC +// fully enforces user boundary. +// Our simulated user's ServiceAccounts should not be able to deploy into a namespace that is outside that SA's RBAC. +func TestArgoCDSupportsMultipleServiceAccountsWithDifferingRBACOnSameCluster(t *testing.T) { + + // We test with both a cluster-scoped, and a non-cluster scoped, Argo CD Cluster Secret. 
+ clusterScopedParam := []bool{ /*false,*/ true} + + for _, clusterScoped := range clusterScopedParam { + + EnsureCleanState(t) + + // Simulate two users, each with their own Argo CD cluster secret that can only deploy to their Namespace + users := []string{E2ETestPrefix + "user1", E2ETestPrefix + "user2"} + + for _, username := range users { + createNamespaceScopedUser(t, username, clusterScoped) + } + + for idx, username := range users { + + // we should use user-a's serviceaccount to deploy to user-b's namespace, and vice versa + // - If everything as working as expected, this should fail. + otherUser := users[(idx+1)%len(users)] + + // e.g. Attempt to deploy to user1's namespace, with user2's cluster Secret. This should fail, as user2's cluster Secret does not have the requisite permissions. + consequences := GivenWithSameState(t). + Name("e2e-test-app-"+username). + DestName(E2ETestPrefix+"cluster-"+otherUser). + Path("deployment"). + When(). + CreateWithNoNameSpace("--dest-namespace", username).IgnoreErrors(). + Sync().Then() + + // The error message differs based on whether the Argo CD Cluster Secret is namespace-scoped or cluster-scoped, but the idea is the same: + // - Even when deploying to the same cluster using 2 separate ServiceAccounts, the RBAC of those ServiceAccounts should continue to fully enforce RBAC boundaries. + + if !clusterScoped { + consequences.Expect(Condition(ApplicationConditionComparisonError, "Namespace \""+username+"\" for Deployment \"nginx-deployment\" is not managed")) + } else { + consequences.Expect(OperationMessageContains("User \"system:serviceaccount:" + otherUser + ":" + otherUser + "-serviceaccount\" cannot create resource \"deployments\" in API group \"apps\" in the namespace \"" + username + "\"")) + } + } + + } +} + +// generateReadOnlyClusterRoleandBindingForServiceAccount creates a ClusterRole/Binding that allows a ServiceAccount in a given namespace to read all resources on a cluster. 
+// - This allows the ServiceAccount to be used within a cluster-scoped Argo CD Cluster Secret +func generateReadOnlyClusterRoleandBindingForServiceAccount(roleSuffix string, serviceAccountNS string) (rbacv1.ClusterRole, rbacv1.ClusterRoleBinding) { + + clusterRole := rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: E2ETestPrefix + "read-all-" + roleSuffix, + }, + Rules: []rbacv1.PolicyRule{{ + Verbs: []string{"get", "list", "watch"}, + Resources: []string{"*"}, + APIGroups: []string{"*"}, + }}, + } + + clusterRoleBinding := rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: E2ETestPrefix + "read-all-" + roleSuffix, + }, + Subjects: []rbacv1.Subject{{ + Kind: rbacv1.ServiceAccountKind, + Namespace: serviceAccountNS, + Name: roleSuffix + "-serviceaccount", + }}, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "ClusterRole", + Name: clusterRole.Name, + }, + } + + return clusterRole, clusterRoleBinding +} + +// buildArgoCDClusterSecret build (but does not create) an Argo CD Cluster Secret object with the given values +func buildArgoCDClusterSecret(secretName, secretNamespace, clusterName, clusterServer, clusterConfigJSON, clusterResources, clusterNamespaces string) corev1.Secret { + res := corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: secretName, + Namespace: secretNamespace, + Labels: map[string]string{ + common.LabelKeySecretType: common.LabelValueSecretTypeCluster, + }, + }, + Data: map[string][]byte{ + "name": ([]byte)(clusterName), + "server": ([]byte)(clusterServer), + "config": ([]byte)(string(clusterConfigJSON)), + }, + } + + if clusterResources != "" { + res.Data["clusterResources"] = ([]byte)(clusterResources) + } + + if clusterNamespaces != "" { + res.Data["namespaces"] = ([]byte)(clusterNamespaces) + } + + return res +} + +// createNamespaceScopedUser +// - username = name of Namespace the simulated user is able to deploy to +// - clusterScopedSecrets = whether the Service Account is 
namespace-scoped or cluster-scoped. +func createNamespaceScopedUser(t *testing.T, username string, clusterScopedSecrets bool) { + + // Create a new Namespace for our simulated user + ns := corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: username, + }, + } + _, err := KubeClientset.CoreV1().Namespaces().Create(context.Background(), &ns, metav1.CreateOptions{}) + assert.Nil(t, err) + + // Create a ServiceAccount in that Namespace, which will be used for the Argo CD Cluster SEcret + serviceAccountName := username + "-serviceaccount" + err = clusterauth.CreateServiceAccount(KubeClientset, serviceAccountName, ns.Name) + assert.Nil(t, err) + + // Create a Role that allows the ServiceAccount to read/write all within the Namespace + role := rbacv1.Role{ + ObjectMeta: metav1.ObjectMeta{ + Name: E2ETestPrefix + "allow-all", + Namespace: ns.Name, + }, + Rules: []rbacv1.PolicyRule{{ + Verbs: []string{"*"}, + Resources: []string{"*"}, + APIGroups: []string{"*"}, + }}, + } + _, err = KubeClientset.RbacV1().Roles(role.Namespace).Create(context.Background(), &role, metav1.CreateOptions{}) + assert.Nil(t, err) + + // Bind the Role with the ServiceAccount in the Namespace + roleBinding := rbacv1.RoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: E2ETestPrefix + "allow-all-binding", + Namespace: ns.Name, + }, + Subjects: []rbacv1.Subject{{ + Kind: rbacv1.ServiceAccountKind, + Name: serviceAccountName, + Namespace: ns.Name, + }}, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", + Name: role.Name, + }, + } + _, err = KubeClientset.RbacV1().RoleBindings(roleBinding.Namespace).Create(context.Background(), &roleBinding, metav1.CreateOptions{}) + assert.Nil(t, err) + + // Retrieve the bearer token from the ServiceAccount + token, err := clusterauth.GetServiceAccountBearerToken(KubeClientset, ns.Name, serviceAccountName, time.Second*60) + assert.Nil(t, err) + assert.NotEmpty(t, token) + + // In order to test a cluster-scoped Argo CD Cluster 
Secret, we may optionally grant the ServiceAccount read-all permissions at cluster scope. + if clusterScopedSecrets { + clusterRole, clusterRoleBinding := generateReadOnlyClusterRoleandBindingForServiceAccount(username, username) + + _, err := KubeClientset.RbacV1().ClusterRoles().Create(context.Background(), &clusterRole, metav1.CreateOptions{}) + assert.Nil(t, err) + + _, err = KubeClientset.RbacV1().ClusterRoleBindings().Create(context.Background(), &clusterRoleBinding, metav1.CreateOptions{}) + assert.Nil(t, err) + + } + + // Build the Argo CD Cluster Secret by using the service account token, and extracting needed values from kube config + clusterSecretConfigJSON := ClusterConfig{ + BearerToken: token, + TLSClientConfig: TLSClientConfig{ + Insecure: true, + }, + } + + jsonStringBytes, err := json.Marshal(clusterSecretConfigJSON) + assert.Nil(t, err) + + _, apiURL, err := extractKubeConfigValues() + assert.Nil(t, err) + + clusterResourcesField := "" + namespacesField := "" + + if !clusterScopedSecrets { + clusterResourcesField = "false" + namespacesField = ns.Name + } + + // We create an Argo CD cluster Secret declaratively, using the K8s client, rather than via CLI, as the CLI doesn't currently + // support Kubernetes API server URLs with query parameters. + + secret := buildArgoCDClusterSecret("test-"+username, ArgoCDNamespace, E2ETestPrefix+"cluster-"+username, apiURL+"?user="+username, + string(jsonStringBytes), clusterResourcesField, namespacesField) + + // Finally, create the Cluster secret in the Argo CD E2E namespace + _, err = KubeClientset.CoreV1().Secrets(secret.Namespace).Create(context.Background(), &secret, metav1.CreateOptions{}) + assert.Nil(t, err) +} + +// extractKubeConfigValues returns contents of the local environment's kubeconfig, using standard path resolution mechanism. 
+// Returns: +// - contents of kubeconfig +// - server name (within the kubeconfig) +// - error +func extractKubeConfigValues() (string, string, error) { + + loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() + + config, err := loadingRules.Load() + if err != nil { + return "", "", err + } + + context, ok := config.Contexts[config.CurrentContext] + if !ok || context == nil { + return "", "", fmt.Errorf("no context") + } + + cluster, ok := config.Clusters[context.Cluster] + if !ok || cluster == nil { + return "", "", fmt.Errorf("no cluster") + } + + var kubeConfigDefault string + + paths := loadingRules.Precedence + { + + // For all the kubeconfig paths, look for one that exists + for _, path := range paths { + _, err = os.Stat(path) + if err == nil { + // Success + kubeConfigDefault = path + break + } // Otherwise, continue. + + } + + if kubeConfigDefault == "" { + return "", "", fmt.Errorf("unable to retrieve kube config path") + } + } + + kubeConfigContents, err := os.ReadFile(kubeConfigDefault) + if err != nil { + return "", "", err + } + + return string(kubeConfigContents), cluster.Server, nil +} diff --git a/test/e2e/fixture/app/actions.go b/test/e2e/fixture/app/actions.go index c4e173ddf6336..5a2ca2748885a 100644 --- a/test/e2e/fixture/app/actions.go +++ b/test/e2e/fixture/app/actions.go @@ -1,12 +1,14 @@ package app import ( + "encoding/json" "fmt" "os" log "github.com/sirupsen/logrus" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + client "github.com/argoproj/argo-cd/v2/pkg/apiclient/application" . "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" "github.com/argoproj/argo-cd/v2/test/e2e/fixture" "github.com/argoproj/argo-cd/v2/util/errors" 
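Review bot: In `TestArgoCDSupportsMultipleServiceAccountsWithDifferingRBACOnSameCluster` the parameter list is `[]bool{ /*false,*/ true}`, so the namespace-scoped cluster Secret case never runs although the comment above it says both are tested, and the `if !clusterScoped` expectation is dead code. This test is what guards the RBAC boundary between the two ServiceAccounts, so either restore `clusterScopedParam := []bool{false, true}` or replace the commented-out value with a comment stating why that case is disabled. Separately, `createNamespaceScopedUser` checks every step with `assert.Nil(t, err)`, which records the failure and carries on, for example to build a cluster Secret from an empty token; `require.NoError(t, err)` would stop at the first failed step (it needs the `testify/require` import). `extractKubeConfigValues` also reads and returns the whole kubeconfig, which its only visible caller discards with `_`; returning just `cluster.Server` would avoid holding credential material the test does not use.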
@@ -295,6 +297,28 @@ func (a *Actions) PatchApp(patch string) *Actions { return a } +func (a *Actions) PatchAppHttp(patch string) *Actions { + a.context.t.Helper() + var application Application + var patchType = "merge" + var appName = a.context.AppQualifiedName() + var appNamespace = a.context.AppNamespace() + patchRequest := &client.ApplicationPatchRequest{ + Name: &appName, + PatchType: &patchType, + Patch: &patch, + AppNamespace: &appNamespace, + } + jsonBytes, err := json.MarshalIndent(patchRequest, "", " ") + errors.CheckError(err) + err = fixture.DoHttpJsonRequest("PATCH", + fmt.Sprintf("/api/v1/applications/%v", appName), + &application, + jsonBytes...) + errors.CheckError(err) + return a +} + func (a *Actions) AppSet(flags ...string) *Actions { a.context.t.Helper() args := []string{"app", "set", a.context.AppQualifiedName()} diff --git a/test/e2e/fixture/cluster/actions.go b/test/e2e/fixture/cluster/actions.go index 3f047e8f9b03e..0613c9a22cf15 100644 --- a/test/e2e/fixture/cluster/actions.go +++ b/test/e2e/fixture/cluster/actions.go @@ -45,10 +45,10 @@ func (a *Actions) Create(args ...string) *Actions { Cluster: &v1alpha1.Cluster{ Server: a.context.server, Name: a.context.name, - Config: v1alpha1.ClusterConfig{}, + Config: v1alpha1.ClusterConfig{BearerToken: a.context.bearerToken}, ConnectionState: v1alpha1.ConnectionState{}, ServerVersion: "", - Namespaces: nil, + Namespaces: a.context.namespaces, RefreshRequestedAt: nil, Info: v1alpha1.ClusterInfo{}, Shard: nil, diff --git a/test/e2e/fixture/cluster/context.go b/test/e2e/fixture/cluster/context.go index 236be6a3a3913..bd0102f891d71 100644 --- a/test/e2e/fixture/cluster/context.go +++ b/test/e2e/fixture/cluster/context.go 
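Review bot: `PatchAppHttp` formats `appName`, taken from `a.context.AppQualifiedName()`, straight into the URL path with `%v`. If the qualified name can contain a `/` (the name suggests a namespace-qualified form; its definition is outside this hunk), the request goes to a different route than intended. Escape the segment with `fmt.Sprintf("/api/v1/applications/%s", url.PathEscape(appName))` and import `net/url`, or put only the unqualified name in the path, since `AppNamespace` is already sent in the body. The method also lacks a doc comment, e.g. `// PatchAppHttp applies a merge patch to the app through the REST API (PATCH /api/v1/applications/{name}).`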
@@ -12,12 +12,13 @@ import ( type Context struct { t *testing.T // seconds - timeout int - name string - project string - server string - upsert bool - namespaces []string + timeout int + name string + project string + server string + upsert bool + namespaces []string + bearerToken string } func Given(t *testing.T) *Context { @@ -67,6 +68,11 @@ func (c *Context) Project(project string) *Context { return c } +func (c *Context) BearerToken(bearerToken string) *Context { + c.bearerToken = bearerToken + return c +} + func (c *Context) Upsert(upsert bool) *Context { c.upsert = upsert return c diff --git a/test/e2e/fixture/fixture.go b/test/e2e/fixture/fixture.go index 095b3e2f116be..d8d91f09436b0 100644 --- a/test/e2e/fixture/fixture.go +++ b/test/e2e/fixture/fixture.go @@ -58,6 +58,8 @@ const ( // cmp plugin sock file path PluginSockFilePath = "/app/config/plugin" + + E2ETestPrefix = "e2e-test-" ) const ( 
@@ -666,6 +668,33 @@ func EnsureCleanState(t *testing.T, opts ...TestOption) { FailOnErr(Run("", "kubectl", "create", "ns", DeploymentNamespace())) FailOnErr(Run("", "kubectl", "label", "ns", DeploymentNamespace(), TestingLabel+"=true")) + // delete old namespaces used by E2E tests + namespaces, err := KubeClientset.CoreV1().Namespaces().List(context.Background(), v1.ListOptions{}) + CheckError(err) + for _, namespace := range namespaces.Items { + if strings.HasPrefix(namespace.Name, E2ETestPrefix) { + FailOnErr(Run("", "kubectl", "delete", "ns", namespace.Name)) + } + } + + // delete old ClusterRoles that begin with "e2e-test-" prefix (E2ETestPrefix), which were created by tests + clusterRoles, err := KubeClientset.RbacV1().ClusterRoles().List(context.Background(), v1.ListOptions{}) + CheckError(err) + for _, clusterRole := range clusterRoles.Items { + if strings.HasPrefix(clusterRole.Name, E2ETestPrefix) { + FailOnErr(Run("", "kubectl", "delete", "clusterrole", clusterRole.Name)) + } + } + + // delete old ClusterRoleBindings that begin with "e2e-test-prefix", which were created by E2E tests + clusterRoleBindings, err := KubeClientset.RbacV1().ClusterRoleBindings().List(context.Background(), v1.ListOptions{}) + CheckError(err) + for _, clusterRoleBinding := range clusterRoleBindings.Items { + if strings.HasPrefix(clusterRoleBinding.Name, E2ETestPrefix) { + FailOnErr(Run("", "kubectl", "delete", "clusterrolebinding", clusterRoleBinding.Name)) + } + } + log.WithFields(log.Fields{"duration": time.Since(start), "name": t.Name(), "id": id, "username": "admin", "password": "password"}).Info("clean state") } diff --git a/test/e2e/helm_test.go b/test/e2e/helm_test.go index a8dc3a8332805..2aed6a6973b8f 100644 --- a/test/e2e/helm_test.go +++ b/test/e2e/helm_test.go 
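Review bot: The cleanup added to `EnsureCleanState` deletes every Namespace, ClusterRole and ClusterRoleBinding in the cluster whose name starts with `E2ETestPrefix` (`e2e-test-`), which selects by naming convention rather than by ownership, so on a shared cluster it removes objects the tests did not create. The context line above already labels the deployment namespace with `TestingLabel+"=true"`; labelling the objects the tests create the same way and listing with `v1.ListOptions{LabelSelector: TestingLabel + "=true"}` would limit deletion to test-owned objects. If the prefix match stays, a comment on the `E2ETestPrefix` constant should say that anything carrying this prefix is deleted on every clean-state call. The ClusterRoleBinding comment says `"e2e-test-prefix"` where the ClusterRole comment says `"e2e-test-" prefix (E2ETestPrefix)`; use the latter wording in both. `EnsureCleanState` starts and ends outside this hunk.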
@@ -20,7 +20,6 @@ import ( "github.com/argoproj/argo-cd/v2/test/e2e/fixture" . "github.com/argoproj/argo-cd/v2/test/e2e/fixture" . "github.com/argoproj/argo-cd/v2/test/e2e/fixture/app" - projectFixture "github.com/argoproj/argo-cd/v2/test/e2e/fixture/project" "github.com/argoproj/argo-cd/v2/test/e2e/fixture/repos" . "github.com/argoproj/argo-cd/v2/util/errors" "github.com/argoproj/argo-cd/v2/util/settings" @@ -401,45 +400,6 @@ func TestHelmWithMultipleDependencies(t *testing.T) { Expect(SyncStatusIs(SyncStatusCodeSynced)) } -func TestHelmWithMultipleDependenciesPermissionDenied(t *testing.T) { - SkipOnEnv(t, "HELM") - - projName := "argo-helm-project-denied" - projectFixture. - Given(t). - Name(projName). - Destination("*,*"). - When(). - Create(). - AddSource(RepoURL(RepoURLTypeFile)) - - expectedErr := fmt.Sprintf("helm repos localhost:5000/myrepo are not permitted in project '%s'", projName) - GivenWithSameState(t). - Project(projName). - Path("helm-oci-with-dependencies"). - CustomCACertAdded(). - HelmHTTPSCredentialsUserPassAdded(). - HelmPassCredentials(). - When(). - IgnoreErrors(). - CreateApp(). - Then(). - Expect(Error("", expectedErr)) - - expectedErr = fmt.Sprintf("helm repos https://localhost:9444/argo-e2e/testdata.git/helm-repo/local, https://localhost:9444/argo-e2e/testdata.git/helm-repo/local2 are not permitted in project '%s'", projName) - GivenWithSameState(t). - Project(projName). - Path("helm-with-multiple-dependencies"). - CustomCACertAdded(). - HelmHTTPSCredentialsUserPassAdded(). - HelmPassCredentials(). - When(). - IgnoreErrors(). - CreateApp(). - Then(). - Expect(Error("", expectedErr)) -} - func TestHelmWithDependenciesLegacyRepo(t *testing.T) { SkipOnEnv(t, "HELM") testHelmWithDependencies(t, "helm-with-dependencies", true) diff --git a/test/e2e/testdata/helm-with-multiple-dependencies/Chart.yaml b/test/e2e/testdata/helm-with-multiple-dependencies/Chart.yaml index f7f144d20e123..fc1982761746c 100644 
--- a/test/e2e/testdata/helm-with-multiple-dependencies/Chart.yaml +++ b/test/e2e/testdata/helm-with-multiple-dependencies/Chart.yaml @@ -1,11 +1,7 @@ apiVersion: v2 -name: helm-with-multiple-dependencies +name: helm-with-dependencies version: v1.0.0 dependencies: - name: helm repository: "https://localhost:9444/argo-e2e/testdata.git/helm-repo/local" version: v1.0.0 - - name: helm - repository: "https://localhost:9444/argo-e2e/testdata.git/helm-repo/local2" - version: v1.0.0 - alias: helm2 \ No newline at end of file diff --git a/test/remote/Dockerfile b/test/remote/Dockerfile index effd69c9768af..9851825b58264 100644 --- a/test/remote/Dockerfile +++ b/test/remote/Dockerfile @@ -1,6 +1,6 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:22.04 -FROM docker.io/library/golang:1.20.5@sha256:4b1fc02d16fca272e5e6e6adc98396219b43ef663a377eef4a97e881d364393f AS go +FROM docker.io/library/golang:1.20.6@sha256:8e5a0067e6b387263a01d06b91ef1a983f90e9638564f6e25392fd2695f7ab6c AS go RUN go install github.com/mattn/goreman@latest && \ go install github.com/kisielk/godepgraph@latest diff --git a/ui-test/Dockerfile b/ui-test/Dockerfile index 567917399b33b..9dae33e7255e1 100644 --- a/ui-test/Dockerfile +++ b/ui-test/Dockerfile @@ -1,4 +1,4 @@ -FROM docker.io/library/node:20.4.0@sha256:b3ca7d32f0c12291df6e45a914d4ee60011a3fce4a978df5e609e356a4a2cb88 as node +FROM docker.io/library/node:20.5.0@sha256:32ec50b65ac9572eda92baa6004a04dbbfc8021ea806fa62d37336183cad04e6 as node RUN apt-get update && apt-get install --no-install-recommends -y \ software-properties-common diff --git a/ui/src/app/applications/components/application-create-panel/application-create-panel.tsx b/ui/src/app/applications/components/application-create-panel/application-create-panel.tsx index 224c3da5f279d..eef8c8ec32103 100644 --- a/ui/src/app/applications/components/application-create-panel/application-create-panel.tsx +++ b/ui/src/app/applications/components/application-create-panel/application-create-panel.tsx 
@@ -108,15 +108,24 @@ export const ApplicationCreatePanel = (props: { const [explicitPathType, setExplicitPathType] = React.useState<{path: string; type: models.AppSourceType}>(null); const [destFormat, setDestFormat] = React.useState('URL'); const [retry, setRetry] = React.useState(false); + const app = deepMerge(DEFAULT_APP, props.app || {}); + + React.useEffect(() => { + if (app?.spec?.destination?.name && app.spec.destination.name !== '') { + setDestFormat('NAME'); + } else { + setDestFormat('URL'); + } + }, []); function normalizeTypeFields(formApi: FormApi, type: models.AppSourceType) { - const app = formApi.getFormState().values; + const appToNormalize = formApi.getFormState().values; for (const item of appTypes) { if (item.type !== type) { - delete app.spec.source[item.field]; + delete appToNormalize.spec.source[item.field]; } } - formApi.setAllValues(app); + formApi.setAllValues(appToNormalize); } return ( @@ -132,16 +141,10 @@ export const ApplicationCreatePanel = (props: { }> {({projects, clusters, reposInfo}) => { const repos = reposInfo.map(info => info.repo).sort(); - const app = deepMerge(DEFAULT_APP, props.app || {}); const repoInfo = reposInfo.find(info => info.repo === app.spec.source.repoURL); if (repoInfo) { normalizeAppSource(app, repoInfo.type || 'git'); } - if (app?.spec?.destination?.name && app.spec.destination.name !== '') { - setDestFormat('NAME'); - } else { - setDestFormat('URL'); - } return (
      {(yamlMode && ( diff --git a/ui/src/app/applications/components/application-node-info/application-node-info.tsx b/ui/src/app/applications/components/application-node-info/application-node-info.tsx index 05c3dcae95ab3..18ff44e381c55 100644 --- a/ui/src/app/applications/components/application-node-info/application-node-info.tsx +++ b/ui/src/app/applications/components/application-node-info/application-node-info.tsx @@ -48,8 +48,8 @@ const RenderContainerState = (props: {container: any}) => { )} <> {' '} - It is {props.container?.started ? 'started' : 'not started'} and - {props.container?.ready ? ' ready.' : ' not ready.'} + It is {props.container?.started ? 'started' : 'not started'} + {status === 'Completed' ? '.' : props.container?.ready ? ' and ready.' : ' and not ready.'}
      {lastState && ( diff --git a/ui/src/app/applications/components/application-parameters/application-parameters.tsx b/ui/src/app/applications/components/application-parameters/application-parameters.tsx index f374678540189..27f292ff7d2e8 100644 --- a/ui/src/app/applications/components/application-parameters/application-parameters.tsx +++ b/ui/src/app/applications/components/application-parameters/application-parameters.tsx @@ -26,8 +26,6 @@ import {concatMaps} from '../../../shared/utils'; import {getAppDefaultSource} from '../utils'; import * as jsYaml from 'js-yaml'; -let isValuesRaw = false; - const TextWithMetadataField = ReactFormField((props: {metadata: {value: string}; fieldApi: FieldApi; className: string}) => { const { fieldApi: {getValue, setValue} @@ -128,17 +126,13 @@ export const ApplicationParameters = (props: { save?: (application: models.Application, query: {validate?: boolean}) => Promise; noReadonlyMode?: boolean; }) => { - const app = props.application; + const app = cloneDeep(props.application); const source = getAppDefaultSource(app); const [removedOverrides, setRemovedOverrides] = React.useState(new Array()); let attributes: EditablePanelItem[] = []; - let appValues: string; - if (source && source.helm && source.helm.values) { - isValuesRaw = typeof source.helm.values !== 'string'; // nolint - appValues = isValuesRaw ? jsYaml.safeDump(source.helm.values) : source.helm.values; - source.helm.values = appValues; - } + const isValuesObject = source?.helm?.valuesObject; + const helmValues = isValuesObject ? jsYaml.safeDump(source.helm.valuesObject) : source?.helm?.values; const [appParamsDeletedState, setAppParamsDeletedState] = React.useState([]); if (props.details.type === 'Kustomize' && props.details.kustomize) { @@ -225,16 +219,23 @@ export const ApplicationParameters = (props: { title: 'VALUES', view: source.helm && ( -
      {appValues}
      +
      {helmValues}
      ), - edit: (formApi: FormApi) => ( -
      -
      -                        
      -                    
      -
      - ) + edit: (formApi: FormApi) => { + // In case source.helm.valuesObject is set, set source.helm.values to its value + if (source.helm) { + source.helm.values = helmValues; + } + + return ( +
      +
      +                            
      +                        
      +
      + ); + } }); const paramsByName = new Map(); (props.details.helm.parameters || []).forEach(param => paramsByName.set(param.name, param)); @@ -527,8 +528,9 @@ export const ApplicationParameters = (props: { params = params.filter(param => !appParamsDeletedState.includes(param.name)); input.spec.source.plugin.parameters = params; } - if (input.spec.source.helm && input.spec.source.helm.values && isValuesRaw) { - input.spec.source.helm.values = jsYaml.safeLoad(input.spec.source.helm.values); // Load values as json + if (input.spec.source.helm && input.spec.source.helm.valuesObject) { + input.spec.source.helm.valuesObject = jsYaml.safeLoad(input.spec.source.helm.values); // Deserialize json + input.spec.source.helm.values = ''; } await props.save(input, {}); setRemovedOverrides(new Array()); diff --git a/ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx b/ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx index 96a8ea55b4f58..b5426ff1de2bf 100644 --- a/ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx +++ b/ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx @@ -179,7 +179,7 @@ function groupNodes(nodes: ResourceTreeNode[], graph: dagre.graphlib.Graph) { nodeIds.forEach((nodeId: string) => { const index = nodes.findIndex(node => nodeId === node.uid || nodeId === nodeKey(node)); const graphNode = graph.node(nodeId); - if (!graphNode.podGroup && index > -1) { + if (!graphNode?.podGroup && index > -1) { groupedNodeIds.push(nodeId); } else { podGroupIds.push(nodeId); 
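Review bot: In the `@@ -527` hunk of application-parameters.tsx the save path assigns `jsYaml.safeLoad(input.spec.source.helm.values)` to `valuesObject` without checking the result. Invalid YAML typed into the editor makes `safeLoad` throw before `props.save` is reached, and an empty or scalar document yields `undefined` or a string rather than a mapping. Consider catching the parse error and rejecting anything that is not an object before assigning. The trailing comment should read `// Parse the edited YAML back into an object`, since the input is YAML rather than JSON. The enclosing save callback starts and ends outside the hunk, so error handling further up is not visible here.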
@@ -935,22 +935,20 @@ export const ApplicationResourceTree = (props: ApplicationResourceTreeProps) => } }, [props.filters]); - const [defaultCompactView, setDefaultCompactView] = React.useState(false); + const podCount = nodes.filter(node => node.kind === 'Pod').length; React.useEffect(() => { const {podGroupCount, setShowCompactNodes, appContext} = props; - const podCount = nodes.filter(node => node.kind === 'Pod').length; - - if (!defaultCompactView && podCount > podGroupCount) { + if (podCount > podGroupCount) { setShowCompactNodes(true); - setDefaultCompactView(true); - appContext.apis.notifications.show({ content: `Since the number of pods has surpassed the threshold pod count of ${podGroupCount}, you will now be switched to the group node view. If you prefer the tree view, you can simply click on the Group Nodes toolbar button to deselect the current view.`, type: NotificationType.Success }); + } else { + props.setShowCompactNodes(false); } - }, [props.setShowCompactNodes, props.showCompactNodes, defaultCompactView]); + }, [podCount]); function filterGraph(app: models.Application, filteredIndicatorParent: string, graphNodesFilter: dagre.graphlib.Graph, predicate: (node: ResourceTreeNode) => boolean) { const appKey = appNodeKey(app); diff --git a/ui/src/app/applications/components/application-status-panel/application-status-panel.scss b/ui/src/app/applications/components/application-status-panel/application-status-panel.scss index 688be5aa727ea..9898db27d2ba6 100644 --- a/ui/src/app/applications/components/application-status-panel/application-status-panel.scss +++ b/ui/src/app/applications/components/application-status-panel/application-status-panel.scss @@ -70,6 +70,7 @@ } display: flex; flex-direction: column; + justify-content: flex-start; flex-shrink: 0; flex-grow: 0; @@ -134,7 +135,7 @@ &__item-value { display: flex; - align-items: flex-end; + align-items: center; margin-bottom: 0.5em; font-weight: 500; .fa { 
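Review bot: The effect in the `@@ -935` hunk now re-runs on every change of `podCount`, and nothing limits it to a single switch. Above the threshold the notification is shown again each time the count changes, and at or below it the new `else` branch calls `props.setShowCompactNodes(false)`, which overrides a compact view the user selected by hand. The removed `defaultCompactView` state was what kept this to one switch, so consider keeping a one-shot guard (a ref is enough) around the notification and the automatic toggle. The `else` branch should use the destructured `setShowCompactNodes` like the `if` branch does, and `podGroupCount` is read inside the effect but missing from the dependency list.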
diff --git a/ui/src/app/applications/components/application-status-panel/application-status-panel.tsx b/ui/src/app/applications/components/application-status-panel/application-status-panel.tsx index 480e68622075d..c82252144849c 100644 --- a/ui/src/app/applications/components/application-status-panel/application-status-panel.tsx +++ b/ui/src/app/applications/components/application-status-panel/application-status-panel.tsx @@ -71,7 +71,7 @@ export const ApplicationStatusPanel = ({application, showDiff, showOperation, sh return (
      -
      {sectionLabel({title: 'APP HEALTH', helpContent: 'The health status of your app'})}
      +
      {sectionLabel({title: 'APP HEALTH', helpContent: 'The health status of your app'})}
        diff --git a/ui/src/app/applications/components/pod-logs-viewer/pod-logs-viewer.tsx b/ui/src/app/applications/components/pod-logs-viewer/pod-logs-viewer.tsx index 72629d306e902..2eaf8103fcb63 100644 --- a/ui/src/app/applications/components/pod-logs-viewer/pod-logs-viewer.tsx +++ b/ui/src/app/applications/components/pod-logs-viewer/pod-logs-viewer.tsx @@ -194,7 +194,7 @@ export const PodsLogsViewer = (props: PodLogsProps) => { void}) => ( - { + const v = parseInt(e.target.value, 10); + setSinceSeconds(!isNaN(v) ? v : null); + }}> diff --git a/ui/src/app/applications/components/utils.tsx b/ui/src/app/applications/components/utils.tsx index d096658bb7d8f..0df581ca0f291 100644 --- a/ui/src/app/applications/components/utils.tsx +++ b/ui/src/app/applications/components/utils.tsx @@ -402,8 +402,9 @@ function getResourceActionsMenuItems(resource: ResourceTreeNode, metadata: model return actions.map( action => ({ - title: action.name, + title: action.displayName ?? action.name, disabled: !!action.disabled, + iconClassName: action.iconClass, action: async () => { try { const confirmed = await apis.popup.confirm(`Execute '${action.name}' action?`, `Are you sure you want to execute '${action.name}' action?`); @@ -436,14 +437,14 @@ function getActionItems( ...((isRoot && [ { title: 'Sync', - iconClassName: 'fa fa-sync', + iconClassName: 'fa fa-fw fa-sync', action: () => showDeploy(nodeKey(resource), null, apis) } ]) || []), { title: 'Delete', - iconClassName: 'fa fa-times-circle', + iconClassName: 'fa fa-fw fa-times-circle', action: async () => { return deletePopup(apis, resource, application, appChanged); } @@ -452,7 +453,7 @@ function getActionItems( if (!isQuickStart) { items.unshift({ title: 'Details', - iconClassName: 'fa fa-info-circle', + iconClassName: 'fa fa-fw fa-info-circle', action: () => apis.navigation.goto('.', {node: nodeKey(resource)}) }); } 
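Review bot: In the `@@ -402` hunk of utils.tsx the menu entry is titled `action.displayName ?? action.name`, but the confirmation popup below it still interpolates only `action.name`, so the user is asked to confirm under a different label than the one clicked. Consider showing both in the prompt, for example `Execute '${action.displayName ?? action.name}' (${action.name}) action?`, so the clicked label and the action that will actually run are both visible. The `??` fallback also implies the field may be absent, while the `ResourceAction` interface in models.ts (hunk `@@ -771`) declares both new fields as required; `iconClass?: string; displayName?: string;` would match the usage.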
@@ -460,7 +461,7 @@ function getActionItems( if (findChildPod(resource, tree)) { items.push({ title: 'Logs', - iconClassName: 'fa fa-align-left', + iconClassName: 'fa fa-fw fa-align-left', action: () => apis.navigation.goto('.', {node: nodeKey(resource), tab: 'logs'}, {replace: true}) }); } @@ -477,7 +478,7 @@ function getActionItems( return [ { title: 'Exec', - iconClassName: 'fa fa-terminal', + iconClassName: 'fa fa-fw fa-terminal', action: async () => apis.navigation.goto('.', {node: nodeKey(resource), tab: 'exec'}, {replace: true}) } as MenuItem ]; @@ -495,7 +496,7 @@ function getActionItems( link => ({ title: link.title, - iconClassName: `fa ${link.iconClass ? link.iconClass : 'fa-external-link'}`, + iconClassName: `fa fa-fw ${link.iconClass ? link.iconClass : 'fa-external-link'}`, action: () => window.open(link.url, '_blank'), tooltip: link.description } as MenuItem) diff --git a/ui/src/app/shared/components/revision.tsx b/ui/src/app/shared/components/revision.tsx index fe9c2046e2c04..ccc0e1afe5183 100644 --- a/ui/src/app/shared/components/revision.tsx +++ b/ui/src/app/shared/components/revision.tsx @@ -9,7 +9,7 @@ export const Revision = ({repoUrl, revision, path, isForPath, children}: {repoUr revision = revision || ''; const hasPath = path && path !== '.'; let url = revisionUrl(repoUrl, revision, hasPath); - if (hasPath) { + if (url !== null && hasPath) { url += '/' + path; } const content = children || (isSHA(revision) ? revision.substr(0, 7) : revision); diff --git a/ui/src/app/shared/components/version-info/version-info-panel.tsx b/ui/src/app/shared/components/version-info/version-info-panel.tsx index 3e36fd9105519..8622b762c8a5a 100644 --- a/ui/src/app/shared/components/version-info/version-info-panel.tsx +++ b/ui/src/app/shared/components/version-info/version-info-panel.tsx 
@@ -105,7 +105,7 @@ export class VersionPanel extends React.Component { - const stringifiedVersion = JSON.stringify(version, undefined, 4); + const stringifiedVersion = JSON.stringify(version, undefined, 4) + '\n'; try { await navigator.clipboard.writeText(stringifiedVersion); this.setState({copyState: 'success'}); diff --git a/ui/src/app/shared/models.ts b/ui/src/app/shared/models.ts index f7530028bfee6..ef0d47331c403 100644 --- a/ui/src/app/shared/models.ts +++ b/ui/src/app/shared/models.ts @@ -202,6 +202,7 @@ export interface ApplicationSource { export interface ApplicationSourceHelm { valueFiles: string[]; values?: string; + valuesObject?: any; parameters: HelmParameter[]; fileParameters: HelmFileParameter[]; } @@ -771,6 +772,8 @@ export interface ResourceAction { name: string; params: ResourceActionParam[]; disabled: boolean; + iconClass: string; + displayName: string; } export interface SyncWindowsState { diff --git a/ui/yarn.lock b/ui/yarn.lock index d82e6ea715563..9c46e7ca7093e 100644 --- a/ui/yarn.lock +++ b/ui/yarn.lock @@ -3367,7 +3367,7 @@ core-js-compat@^3.1.1: integrity sha512-Wp+BJVvwopjI+A1EFqm2dwUmWYXrvucmtIB2LgXn/Rb+gWPKYxtmb4GKHGKG/KGF1eK9jfjzT38DITbTOCX/SQ== dependencies: browserslist "^4.16.6" - semver "7.0.0" + semver "^7.3.5" core-js@^2.4.0: version "2.6.12" 
@@ -8465,34 +8465,22 @@ selfsigned@^2.0.0: dependencies: node-forge "^1" -semver@7.0.0: - version "7.0.0" - resolved "https://registry.yarnpkg.com/semver/-/semver-7.0.0.tgz#5f3ca35761e47e05b206c6daff2cf814f0316b8e" - integrity sha512-+GB6zVA9LWh6zovYQLALHwv5rb2PHGlJi3lfiqIHxR0uuwCgefcOJc59v9fv1w8GbStwxuuqqAjI9NMAOOgq1A== +semver@^6.0.0, semver@^6.3.0: + version "6.3.1" + resolved "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4" + integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA== -semver@7.x, semver@^7.3.2: - version "7.3.5" - resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.5.tgz#0b621c879348d8998e4b0e4be94b3f12e6018ef7" - integrity sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ== +semver@7.x, semver@^7.3.2, semver@^7.3.5, semver@^7.3.8: + version "7.5.2" + resolved "https://registry.npmjs.org/semver/-/semver-7.5.2.tgz#5b851e66d1be07c1cdaf37dfc856f543325a2beb" + integrity sha512-SoftuTROv/cRjCze/scjGyiDtcUyxw1rgYQSZY7XTmtR5hX+dm76iDbTH8TkLPHCQmlbQVSSbNZCPM2hb0knnQ== dependencies: lru-cache "^6.0.0" semver@^5.3.0, semver@^5.4.1, semver@^5.5.0, semver@^5.6.0: - version "5.7.0" - resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.0.tgz#790a7cf6fea5459bac96110b29b60412dc8ff96b" - integrity sha512-Ya52jSX2u7QKghxeoFGpLwCtGlt7j0oY9DYb5apt9nPlJ42ID+ulTXESnt/qAQcoSERyZ5sl3LDIOw0nAn/5DA== - -semver@^6.0.0, semver@^6.3.0: - version "6.3.0" - resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.0.tgz#ee0a64c8af5e8ceea67687b133761e1becbd1d3d" - integrity sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw== - -semver@^7.3.8: - version "7.3.8" - resolved "https://registry.npmjs.org/semver/-/semver-7.3.8.tgz#07a78feafb3f7b32347d725e33de7e2a2df67798" - integrity sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A== - 
dependencies: - lru-cache "^6.0.0" + version "5.7.2" + resolved "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz#48d55db737c3287cd4835e17fa13feace1c41ef8" + integrity sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g== send@0.17.2: version "0.17.2" diff --git a/util/argo/argo.go b/util/argo/argo.go index a91b64a1e51d1..b32369ea70c48 100644 --- a/util/argo/argo.go +++ b/util/argo/argo.go @@ -419,7 +419,6 @@ func validateRepo(ctx context.Context, helmOptions, app.Name, app.Spec.Destination, - proj, sources, repoClient, cluster.ServerVersion, @@ -704,7 +703,6 @@ func verifyGenerateManifests( helmOptions *argoappv1.HelmOptions, name string, dest argoappv1.ApplicationDestination, - proj *argoappv1.AppProject, sources []argoappv1.ApplicationSource, repoClient apiclient.RepoServerServiceClient, kubeVersion string, @@ -771,8 +769,6 @@ func verifyGenerateManifests( NoRevisionCache: true, HasMultipleSources: hasMultipleSources, RefSources: refSources, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, } req.Repo.CopyCredentialsFromRepo(repoRes) req.Repo.CopySettingsFrom(repoRes) @@ -856,7 +852,8 @@ func NormalizeApplicationSpec(spec *argoappv1.ApplicationSpec) *argoappv1.Applic for _, source := range spec.Sources { NormalizeSource(&source) } - } else { + } else if spec.Source != nil { + // In practice, spec.Source should never be nil. NormalizeSource(spec.Source) } return spec diff --git a/util/argo/diff/diff.go b/util/argo/diff/diff.go index 6f32084dadce3..9b104719c5616 100644 --- a/util/argo/diff/diff.go +++ b/util/argo/diff/diff.go 
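Review bot: In the `@@ -856` hunk of util/argo/argo.go the multi-source branch calls `NormalizeSource(&source)` on the range variable, which is a copy of each element. If NormalizeSource normalizes through the pointer (its body is not visible here), the entries of `spec.Sources` are left untouched and only the single-source path is really normalized. Indexing the slice avoids that: `for i := range spec.Sources { NormalizeSource(&spec.Sources[i]) }`. NormalizeApplicationSpec starts above the hunk, so the condition guarding this branch is not visible.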
@@ -5,11 +5,12 @@ import ( "github.com/go-logr/logr" + k8smanagedfields "k8s.io/apimachinery/pkg/util/managedfields" + "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" "github.com/argoproj/argo-cd/v2/util/argo" "github.com/argoproj/argo-cd/v2/util/argo/managedfields" appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate" - k8smanagedfields "k8s.io/apimachinery/pkg/util/managedfields" "github.com/argoproj/gitops-engine/pkg/diff" "github.com/argoproj/gitops-engine/pkg/utils/kube" @@ -239,12 +240,12 @@ func StateDiff(live, config *unstructured.Unstructured, diffConfig DiffConfig) ( func StateDiffs(lives, configs []*unstructured.Unstructured, diffConfig DiffConfig) (*diff.DiffResultList, error) { normResults, err := preDiffNormalize(lives, configs, diffConfig) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to perform pre-diff normalization: %w", err) } diffNormalizer, err := newDiffNormalizer(diffConfig.Ignores(), diffConfig.Overrides()) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create diff normalizer: %w", err) } diffOpts := []diff.Option{ 
@@ -261,9 +262,17 @@ func StateDiffs(lives, configs []*unstructured.Unstructured, diffConfig DiffConf useCache, cachedDiff := diffConfig.DiffFromCache(diffConfig.AppName()) if useCache && cachedDiff != nil { - return diffArrayCached(normResults.Targets, normResults.Lives, cachedDiff, diffOpts...) + cached, err := diffArrayCached(normResults.Targets, normResults.Lives, cachedDiff, diffOpts...) + if err != nil { + return nil, fmt.Errorf("failed to calculate diff from cache: %w", err) + } + return cached, nil + } + array, err := diff.DiffArray(normResults.Targets, normResults.Lives, diffOpts...) + if err != nil { + return nil, fmt.Errorf("failed to calculate diff: %w", err) } - return diff.DiffArray(normResults.Targets, normResults.Lives, diffOpts...) + return array, nil } func diffArrayCached(configArray []*unstructured.Unstructured, liveArray []*unstructured.Unstructured, cachedDiff []*v1alpha1.ResourceDiff, opts ...diff.Option) (*diff.DiffResultList, error) { diff --git a/util/db/cluster.go b/util/db/cluster.go index b505c693ee0fe..9b405a9cacd60 100644 --- a/util/db/cluster.go +++ b/util/db/cluster.go @@ -68,7 +68,7 @@ func (db *db) ListClusters(ctx context.Context) (*appv1.ClusterList, error) { inClusterEnabled := settings.InClusterEnabled hasInClusterCredentials := false for _, clusterSecret := range clusterSecrets { - cluster, err := secretToCluster(clusterSecret) + cluster, err := SecretToCluster(clusterSecret) if err != nil { log.Errorf("could not unmarshal cluster secret %s", clusterSecret.Name) continue @@ -77,8 +77,6 @@ func (db *db) ListClusters(ctx context.Context) (*appv1.ClusterList, error) { if inClusterEnabled { hasInClusterCredentials = true clusterList.Items = append(clusterList.Items, *cluster) - } else { - log.Errorf("failed to add cluster %q to cluster list: in-cluster server address is disabled in Argo CD settings", cluster.Name) } } else { clusterList.Items = append(clusterList.Items, *cluster) 
@@ -122,7 +120,7 @@ func (db *db) CreateCluster(ctx context.Context, c *appv1.Cluster) (*appv1.Clust return nil, err } - cluster, err := secretToCluster(clusterSecret) + cluster, err := SecretToCluster(clusterSecret) if err != nil { return nil, status.Errorf(codes.InvalidArgument, "could not unmarshal cluster secret %s", clusterSecret.Name) } @@ -150,7 +148,7 @@ func (db *db) WatchClusters(ctx context.Context, common.LabelValueSecretTypeCluster, func(secret *apiv1.Secret) { - cluster, err := secretToCluster(secret) + cluster, err := SecretToCluster(secret) if err != nil { log.Errorf("could not unmarshal cluster secret %s", secret.Name) return @@ -165,12 +163,12 @@ func (db *db) WatchClusters(ctx context.Context, }, func(oldSecret *apiv1.Secret, newSecret *apiv1.Secret) { - oldCluster, err := secretToCluster(oldSecret) + oldCluster, err := SecretToCluster(oldSecret) if err != nil { log.Errorf("could not unmarshal cluster secret %s", oldSecret.Name) return } - newCluster, err := secretToCluster(newSecret) + newCluster, err := SecretToCluster(newSecret) if err != nil { log.Errorf("could not unmarshal cluster secret %s", newSecret.Name) return @@ -220,7 +218,7 @@ func (db *db) GetCluster(_ context.Context, server string) (*appv1.Cluster, erro return nil, err } if len(res) > 0 { - return secretToCluster(res[0].(*apiv1.Secret)) + return SecretToCluster(res[0].(*apiv1.Secret)) } if server == appv1.KubernetesInternalAPIServerAddr { return db.getLocalCluster(), nil @@ -241,7 +239,7 @@ func (db *db) GetProjectClusters(ctx context.Context, project string) ([]*appv1. } var res []*appv1.Cluster for i := range secrets { - cluster, err := secretToCluster(secrets[i].(*apiv1.Secret)) + cluster, err := SecretToCluster(secrets[i].(*apiv1.Secret)) if err != nil { return nil, fmt.Errorf("failed to convert secret to cluster: %w", err) } 
@@ -295,7 +293,7 @@ func (db *db) UpdateCluster(ctx context.Context, c *appv1.Cluster) (*appv1.Clust if err != nil { return nil, err } - cluster, err := secretToCluster(clusterSecret) + cluster, err := SecretToCluster(clusterSecret) if err != nil { log.Errorf("could not unmarshal cluster secret %s", clusterSecret.Name) return nil, err @@ -362,8 +360,8 @@ func clusterToSecret(c *appv1.Cluster, secret *apiv1.Secret) error { return nil } -// secretToCluster converts a secret into a Cluster object -func secretToCluster(s *apiv1.Secret) (*appv1.Cluster, error) { +// SecretToCluster converts a secret into a Cluster object +func SecretToCluster(s *apiv1.Secret) (*appv1.Cluster, error) { var config appv1.ClusterConfig if len(s.Data["config"]) > 0 { err := json.Unmarshal(s.Data["config"], &config) diff --git a/util/db/cluster_test.go b/util/db/cluster_test.go index c3b273b4fe5ef..9d60a3073c3c2 100644 --- a/util/db/cluster_test.go +++ b/util/db/cluster_test.go @@ -43,7 +43,7 @@ func Test_secretToCluster(t *testing.T) { "config": []byte("{\"username\":\"foo\"}"), }, } - cluster, err := secretToCluster(secret) + cluster, err := SecretToCluster(secret) require.NoError(t, err) assert.Equal(t, *cluster, v1alpha1.Cluster{ Name: "test", @@ -89,7 +89,7 @@ func Test_secretToCluster_NoConfig(t *testing.T) { "server": []byte("http://mycluster"), }, } - cluster, err := secretToCluster(secret) + cluster, err := SecretToCluster(secret) assert.NoError(t, err) assert.Equal(t, *cluster, v1alpha1.Cluster{ Name: "test", @@ -111,7 +111,7 @@ func Test_secretToCluster_InvalidConfig(t *testing.T) { "config": []byte("{'tlsClientConfig':{'insecure':false}}"), }, } - cluster, err := secretToCluster(secret) + cluster, err := SecretToCluster(secret) require.Error(t, err) assert.Nil(t, cluster) } diff --git a/util/db/helmrepository.go b/util/db/helmrepository.go index 3755b10f974f5..8659e170d48ef 100644 --- a/util/db/helmrepository.go +++ b/util/db/helmrepository.go 
@@ -2,6 +2,7 @@ package db import ( "context" + "fmt" "strings" "google.golang.org/grpc/codes" @@ -43,24 +44,24 @@ func (db *db) getHelmRepo(repoURL string, helmRepositories []settings.HelmRepoCr return repo, err } -// ListHelmRepoURLs lists configured helm repositories +// ListHelmRepositories lists configured helm repositories func (db *db) ListHelmRepositories(ctx context.Context) ([]*v1alpha1.Repository, error) { helmRepositories, err := db.settingsMgr.GetHelmRepositories() if err != nil { - return nil, err + return nil, fmt.Errorf("failed to get list of Helm repositories from settings manager: %w", err) } result := make([]*v1alpha1.Repository, len(helmRepositories)) for i, helmRepoInfo := range helmRepositories { repo, err := db.getHelmRepo(helmRepoInfo.URL, helmRepositories) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to get Helm repository %q: %w", helmRepoInfo.URL, err) } result[i] = repo } repos, err := db.listRepositories(ctx, pointer.StringPtr("helm")) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to list Helm repositories: %w", err) } result = append(result, v1alpha1.Repositories(repos).Filter(func(r *v1alpha1.Repository) bool { return r.Type == "helm" && r.Name != "" diff --git a/util/db/repository.go b/util/db/repository.go index 8fbff4ffbe76f..552baa3a7a61e 100644 --- a/util/db/repository.go +++ b/util/db/repository.go @@ -78,11 +78,11 @@ func (db *db) CreateRepository(ctx context.Context, r *appsv1.Repository) (*apps func (db *db) GetRepository(ctx context.Context, repoURL string) (*appsv1.Repository, error) { repository, err := db.getRepository(ctx, repoURL) if err != nil { - return repository, err + return repository, fmt.Errorf("unable to get repository %q: %v", repoURL, err) } if err := db.enrichCredsToRepo(ctx, repository); err != nil { - return repository, err + return repository, fmt.Errorf("unable to enrich repository %q info with credentials: %v", repoURL, err) } return repository, err 
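Review bot: The wraps added to `GetRepository` in util/db/repository.go use `%v`, which flattens the cause into text, so callers can no longer match it with `errors.Is`/`errors.As` or recover a status code from it. The same applies to the `getRepository` hunk (`@@ -123`) and to `RepositoryExists` in repository_secrets.go, while `GetRepositoryCredentials` and the Helm helpers in this commit use `%w`. Unless hiding the cause is intended, use `%w` throughout, e.g. `fmt.Errorf("unable to get repository %q: %w", repoURL, err)`. These messages now also embed `repoURL`; if a repository URL can carry userinfo and the error reaches logs or API responses, the credential travels with it, so consider redacting the URL before formatting.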
@@ -123,17 +123,25 @@ func (db *db) getRepository(ctx context.Context, repoURL string) (*appsv1.Reposi secretsBackend := db.repoBackend() exists, err := secretsBackend.RepositoryExists(ctx, repoURL) if err != nil { - return nil, err + return nil, fmt.Errorf("unable to check if repository %q exists from secrets backend: %v", repoURL, err) } else if exists { - return secretsBackend.GetRepository(ctx, repoURL) + repository, err := secretsBackend.GetRepository(ctx, repoURL) + if err != nil { + return nil, fmt.Errorf("unable to get repository %q from secrets backend: %v", repoURL, err) + } + return repository, nil } legacyBackend := db.legacyRepoBackend() exists, err = legacyBackend.RepositoryExists(ctx, repoURL) if err != nil { - return nil, err + return nil, fmt.Errorf("unable to check if repository %q exists from legacy backend: %v", repoURL, err) } else if exists { - return legacyBackend.GetRepository(ctx, repoURL) + repository, err := legacyBackend.GetRepository(ctx, repoURL) + if err != nil { + return nil, fmt.Errorf("unable to get repository %q from legacy backend: %v", repoURL, err) + } + return repository, nil } return &appsv1.Repository{Repo: repoURL}, nil 
@@ -229,17 +237,25 @@ func (db *db) GetRepositoryCredentials(ctx context.Context, repoURL string) (*ap secretsBackend := db.repoBackend() exists, err := secretsBackend.RepoCredsExists(ctx, repoURL) if err != nil { - return nil, err + return nil, fmt.Errorf("unable to check if repository credentials for %q exists from secrets backend: %w", repoURL, err) } else if exists { - return secretsBackend.GetRepoCreds(ctx, repoURL) + creds, err := secretsBackend.GetRepoCreds(ctx, repoURL) + if err != nil { + return nil, fmt.Errorf("unable to get repository credentials for %q from secrets backend: %w", repoURL, err) + } + return creds, nil } legacyBackend := db.legacyRepoBackend() exists, err = legacyBackend.RepoCredsExists(ctx, repoURL) if err != nil { - return nil, err + return nil, fmt.Errorf("unable to check if repository credentials for %q exists from legacy backend: %w", repoURL, err) } else if exists { - return legacyBackend.GetRepoCreds(ctx, repoURL) + creds, err := legacyBackend.GetRepoCreds(ctx, repoURL) + if err != nil { + return nil, fmt.Errorf("unable to get repository credentials for %q from legacy backend: %w", repoURL, err) + } + return creds, nil } return nil, nil @@ -252,12 +268,12 @@ func (db *db) GetAllHelmRepositoryCredentials(ctx context.Context) ([]*appsv1.Re secretRepoCreds, err := db.repoBackend().GetAllHelmRepoCreds(ctx) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to get all Helm repo creds: %w", err) } legacyRepoCreds, err := db.legacyRepoBackend().GetAllHelmRepoCreds(ctx) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to get all legacy Helm repo creds: %w", err) } return append(secretRepoCreds, legacyRepoCreds...), nil 
@@ -353,7 +369,7 @@ func (db *db) enrichCredsToRepo(ctx context.Context, repository *appsv1.Reposito repository.InheritedCreds = true } } else { - return err + return fmt.Errorf("failed to get repository credentials for %q: %w", repository.Repo, err) } } else { log.Debugf("%s has credentials", repository.Repo) diff --git a/util/db/repository_legacy.go b/util/db/repository_legacy.go index 0aee0cd336fa8..e25fe873c7511 100644 --- a/util/db/repository_legacy.go +++ b/util/db/repository_legacy.go @@ -1,9 +1,10 @@ package db import ( + "context" + "fmt" "strings" - "context" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -35,7 +36,7 @@ func (l *legacyRepositoryBackend) CreateRepository(ctx context.Context, r *appsv func (l *legacyRepositoryBackend) GetRepository(ctx context.Context, repoURL string) (*appsv1.Repository, error) { repository, err := l.tryGetRepository(repoURL) if err != nil { - return nil, err + return nil, fmt.Errorf("unable to get repository: %w", err) } return repository, nil } @@ -129,7 +130,7 @@ func (l *legacyRepositoryBackend) DeleteRepository(ctx context.Context, repoURL func (l *legacyRepositoryBackend) RepositoryExists(ctx context.Context, repoURL string) (bool, error) { repos, err := l.db.settingsMgr.GetRepositories() if err != nil { - return false, err + return false, fmt.Errorf("unable to get repositories: %w", err) } index := l.getRepositoryIndex(repos, repoURL) diff --git a/util/db/repository_secrets.go b/util/db/repository_secrets.go index 4bea20c7f6b3f..31152300b0b8b 100644 --- a/util/db/repository_secrets.go +++ b/util/db/repository_secrets.go @@ -171,7 +171,7 @@ func (s *secretsRepositoryBackend) RepositoryExists(ctx context.Context, repoURL return false, nil } - return false, err + return false, fmt.Errorf("failed to get repository secret for %q: %v", repoURL, err) } return secret != nil, nil 
@@ -457,7 +457,7 @@ func repoCredsToSecret(repoCreds *appsv1.RepoCreds, secret *corev1.Secret) { func (s *secretsRepositoryBackend) getRepositorySecret(repoURL string) (*corev1.Secret, error) { secrets, err := s.db.listSecretsByType(common.LabelValueSecretTypeRepository) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to list repository secrets: %w", err) } for _, secret := range secrets { diff --git a/util/dex/config.go b/util/dex/config.go index 6f09eb2c46080..44d853674b19b 100644 --- a/util/dex/config.go +++ b/util/dex/config.go @@ -115,7 +115,7 @@ func GenerateDexConfigYAML(argocdSettings *settings.ArgoCDSettings, disableTls b // https://dexidp.io/docs/connectors/ func needsRedirectURI(connectorType string) bool { switch connectorType { - case "oidc", "saml", "microsoft", "linkedin", "gitlab", "github", "bitbucket-cloud", "openshift": + case "oidc", "saml", "microsoft", "linkedin", "gitlab", "github", "bitbucket-cloud", "openshift", "gitea", "google", "oauth": return true } return false diff --git a/util/dex/dex_test.go b/util/dex/dex_test.go index ed7dc6bc6e45c..a993db3375cb7 100644 --- a/util/dex/dex_test.go +++ b/util/dex/dex_test.go @@ -270,7 +270,7 @@ func Test_GenerateDexConfig(t *testing.T) { }) t.Run("Redirect config", func(t *testing.T) { - types := []string{"oidc", "saml", "microsoft", "linkedin", "gitlab", "github", "bitbucket-cloud"} + types := []string{"oidc", "saml", "microsoft", "linkedin", "gitlab", "github", "bitbucket-cloud", "openshift", "gitea", "google", "oauth"} for _, c := range types { assert.True(t, needsRedirectURI(c)) } diff --git a/util/helm/client.go b/util/helm/client.go index cfd9ae84dc419..fcb1e665dffb6 100644 --- a/util/helm/client.go +++ b/util/helm/client.go 
@@ -425,8 +425,13 @@ func (c *nativeHelmChart) GetTags(chart string, noCache bool) (*TagsList, error) } ctx := context.Background() - err = repo.Tags(ctx, "", func(tagResult []string) error { - tags.Tags = append(tags.Tags, tagResult...) + err = repo.Tags(ctx, "", func(tagsResult []string) error { + for _, tag := range tagsResult { + // By convention: Change underscore (_) back to plus (+) to get valid SemVer + convertedTag := strings.ReplaceAll(tag, "_", "+") + tags.Tags = append(tags.Tags, convertedTag) + } + return nil }) diff --git a/util/helm/client_test.go b/util/helm/client_test.go index 67bb332a6007f..63b57b7fa5180 100644 --- a/util/helm/client_test.go +++ b/util/helm/client_test.go @@ -160,7 +160,14 @@ func TestGetTagsFromUrl(t *testing.T) { w.Header().Set("Link", fmt.Sprintf("; rel=next", r.Host, r.URL.Path)) responseTags.Tags = []string{"first"} } else { - responseTags.Tags = []string{"second"} + responseTags.Tags = []string{ + "second", + "2.8.0", + "2.8.0-prerelease", + "2.8.0_build", + "2.8.0-prerelease_build", + "2.8.0-prerelease.1_build.1234", + } } w.WriteHeader(http.StatusOK) err := json.NewEncoder(w).Encode(responseTags) @@ -173,6 +180,13 @@ func TestGetTagsFromUrl(t *testing.T) { tags, err := client.GetTags("mychart", true) assert.NoError(t, err) - assert.Equal(t, tags.Tags[0], "first") - assert.Equal(t, tags.Tags[1], "second") + assert.ElementsMatch(t, tags.Tags, []string{ + "first", + "second", + "2.8.0", + "2.8.0-prerelease", + "2.8.0+build", + "2.8.0-prerelease+build", + "2.8.0-prerelease.1+build.1234", + }) } diff --git a/util/helm/cmd.go b/util/helm/cmd.go index 4714d0fbe8807..f8240d555217e 100644 --- a/util/helm/cmd.go +++ b/util/helm/cmd.go @@ -1,12 +1,14 @@ package helm import ( + "errors" "fmt" "os" "os/exec" "path" "path/filepath" "regexp" + "strings" log "github.com/sirupsen/logrus" 
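Review bot: In util/helm/client.go, the GetTags callback rewrites every `_` in every tag, not only in tags that are SemVer with build metadata, so a tag such as `nightly_build` (constructed example) is reported as `nightly+build`, a name the registry does not hold. Whether the `+` is translated back before a pull is not visible in this hunk, so the comment should at least state the scope: `// OCI tags cannot contain '+', so build metadata is stored with '_'; every '_' is mapped back, including in tags that are not SemVer`. If non-SemVer tags matter to callers, convert only when the converted string parses as a version. GetTags starts above the hunk and continues below it.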
@@ -267,7 +269,8 @@ type TemplateOpts struct { } var ( - re = regexp.MustCompile(`([^\\]),`) + re = regexp.MustCompile(`([^\\]),`) + apiVersionsRemover = regexp.MustCompile(`(--api-versions [^ ]+ )+`) ) func cleanSetParameters(val string) string { @@ -310,7 +313,16 @@ func (c *Cmd) template(chartPath string, opts *TemplateOpts) (string, error) { args = append(args, "--include-crds") } - return c.run(args...) + out, err := c.run(args...) + if err != nil { + msg := err.Error() + if strings.Contains(msg, "--api-versions") { + log.Debug(msg) + msg = apiVersionsRemover.ReplaceAllString(msg, " ") + } + return "", errors.New(msg) + } + return out, nil } func (c *Cmd) Freestyle(args ...string) (string, error) { diff --git a/util/helm/cmd_test.go b/util/helm/cmd_test.go index d09b808908b87..772d32c78b8dd 100644 --- a/util/helm/cmd_test.go +++ b/util/helm/cmd_test.go @@ -23,6 +23,18 @@ func TestCmd_template_kubeVersion(t *testing.T) { assert.NotEmpty(t, s) } +func TestCmd_template_noApiVersionsInError(t *testing.T) { + cmd, err := NewCmdWithVersion(".", HelmV3, false, "") + assert.NoError(t, err) + _, err = cmd.template("testdata/chart-does-not-exist", &TemplateOpts{ + KubeVersion: "1.14", + APIVersions: []string{"foo", "bar"}, + }) + assert.Error(t, err) + assert.NotContains(t, err.Error(), "--api-version") + assert.ErrorContains(t, err, " ") +} + func TestNewCmd_helmV3(t *testing.T) { cmd, err := NewCmd(".", "v3", "") assert.NoError(t, err) diff --git a/util/io/files/tar.go b/util/io/files/tar.go index 91b743e0c4704..13973f732fe72 100644 --- a/util/io/files/tar.go +++ b/util/io/files/tar.go 
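Review bot: In util/helm/cmd.go, template now returns `errors.New(msg)` for every failure of c.run, not only for messages that carry `--api-versions`, so the original error value is lost to callers that inspect it with errors.As or errors.Is. Return the error untouched in the common case and rebuild it only after scrubbing: `if !strings.Contains(msg, "--api-versions") { return "", err }`. The pattern `(--api-versions [^ ]+ )+` also requires a trailing space, so an occurrence at the very end of the message would stay in the returned text; a test with the flag last in the string would settle that. The unscrubbed message still goes to `log.Debug`, which is worth a one-line comment so nobody raises that log level by accident.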
@@ -90,13 +90,12 @@ func Untgz(dstPath string, r io.Reader, maxSize int64, preserveFileMode bool) er return fmt.Errorf("illegal filepath in archive: %s", target) } - var mode os.FileMode = 0755 - if preserveFileMode { - mode = os.FileMode(header.Mode) - } - switch header.Typeflag { case tar.TypeDir: + var mode os.FileMode = 0755 + if preserveFileMode { + mode = os.FileMode(header.Mode) + } err := os.MkdirAll(target, mode) if err != nil { return fmt.Errorf("error creating nested folders: %w", err) @@ -118,6 +117,11 @@ func Untgz(dstPath string, r io.Reader, maxSize int64, preserveFileMode bool) er return fmt.Errorf("error creating symlink: %s", err) } case tar.TypeReg: + var mode os.FileMode = 0644 + if preserveFileMode { + mode = os.FileMode(header.Mode) + } + err := os.MkdirAll(filepath.Dir(target), 0755) if err != nil { return fmt.Errorf("error creating nested folders: %w", err) diff --git a/util/io/files/tar_test.go b/util/io/files/tar_test.go index 7c08246c72962..1817fa5ce9353 100644 --- a/util/io/files/tar_test.go +++ b/util/io/files/tar_test.go @@ -216,7 +216,7 @@ func TestUntgz(t *testing.T) { scriptFileInfo, err := os.Stat(path.Join(destDir, "script.sh")) require.NoError(t, err) - assert.Equal(t, os.FileMode(0755), scriptFileInfo.Mode()) + assert.Equal(t, os.FileMode(0644), scriptFileInfo.Mode()) }) } diff --git a/util/kube/kube.go b/util/kube/kube.go index 269d3372077a3..5ea4394b726f0 100644 --- a/util/kube/kube.go +++ b/util/kube/kube.go 
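Review bot: In util/io/files/tar.go, both new `mode` blocks in Untgz still cast `header.Mode` straight from the archive when preserveFileMode is set, so whoever built the tarball chooses the permission bits, group- and world-writable included. Converting through the header's FileInfo passes only the rwx bits: `mode = header.FileInfo().Mode().Perm()` in the tar.TypeDir case and in the tar.TypeReg case. If archives can come from an untrusted source, clearing group/other write as well (`mode &^= 0022`) is the usual extra step. The lowered 0644 default only covers the preserveFileMode=false path, which deserves a comment such as `// default is non-executable; archive modes are honoured only when preserveFileMode is set`. How `mode` reaches the file-creation call for regular files is below the second hunk, and Untgz starts above the first.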
@@ -21,8 +21,7 @@ func IsValidResourceName(name string) bool { // SetAppInstanceLabel the recommended app.kubernetes.io/instance label against an unstructured object // Uses the legacy labeling if environment variable is set func SetAppInstanceLabel(target *unstructured.Unstructured, key, val string) error { - // Do not use target.GetLabels(), https://github.com/argoproj/argo-cd/issues/13730 - labels, _, err := unstructured.NestedStringMap(target.Object, "metadata", "labels") + labels, _, err := nestedNullableStringMap(target.Object, "metadata", "labels") if err != nil { return fmt.Errorf("failed to get labels from target object %s %s/%s: %w", target.GroupVersionKind().String(), target.GetNamespace(), target.GetName(), err) } @@ -101,11 +100,11 @@ func SetAppInstanceLabel(target *unstructured.Unstructured, key, val string) err // SetAppInstanceAnnotation the recommended app.kubernetes.io/instance annotation against an unstructured object // Uses the legacy labeling if environment variable is set func SetAppInstanceAnnotation(target *unstructured.Unstructured, key, val string) error { - // Do not use target.GetAnnotations(), https://github.com/argoproj/argo-cd/issues/13730 - annotations, _, err := unstructured.NestedStringMap(target.Object, "metadata", "annotations") + annotations, _, err := nestedNullableStringMap(target.Object, "metadata", "annotations") if err != nil { - return err + return fmt.Errorf("failed to get annotations from target object %s %s/%s: %w", target.GroupVersionKind().String(), target.GetNamespace(), target.GetName(), err) } + if annotations == nil { annotations = make(map[string]string) } 
@@ -116,10 +115,9 @@ func SetAppInstanceAnnotation(target *unstructured.Unstructured, key, val string // GetAppInstanceAnnotation returns the application instance name from annotation func GetAppInstanceAnnotation(un *unstructured.Unstructured, key string) (string, error) { - // Do not use target.GetAnnotations(), https://github.com/argoproj/argo-cd/issues/13730 - annotations, _, err := unstructured.NestedStringMap(un.Object, "metadata", "annotations") + annotations, _, err := nestedNullableStringMap(un.Object, "metadata", "annotations") if err != nil { - return "", err + return "", fmt.Errorf("failed to get annotations from target object %s %s/%s: %w", un.GroupVersionKind().String(), un.GetNamespace(), un.GetName(), err) } if annotations != nil { return annotations[key], nil @@ -129,8 +127,7 @@ func GetAppInstanceAnnotation(un *unstructured.Unstructured, key string) (string // GetAppInstanceLabel returns the application instance name from labels func GetAppInstanceLabel(un *unstructured.Unstructured, key string) (string, error) { - // Do not use target.GetLabels(), https://github.com/argoproj/argo-cd/issues/13730 - labels, _, err := unstructured.NestedStringMap(un.Object, "metadata", "labels") + labels, _, err := nestedNullableStringMap(un.Object, "metadata", "labels") if err != nil { return "", fmt.Errorf("failed to get labels for %s %s/%s: %w", un.GroupVersionKind().String(), un.GetNamespace(), un.GetName(), err) } 
@@ -142,8 +139,7 @@ func GetAppInstanceLabel(un *unstructured.Unstructured, key string) (string, err // RemoveLabel removes label with the specified name func RemoveLabel(un *unstructured.Unstructured, key string) error { - // Do not use target.GetLabels(), https://github.com/argoproj/argo-cd/issues/13730 - labels, _, err := unstructured.NestedStringMap(un.Object, "metadata", "labels") + labels, _, err := nestedNullableStringMap(un.Object, "metadata", "labels") if err != nil { return fmt.Errorf("failed to get labels for %s %s/%s: %w", un.GroupVersionKind().String(), un.GetNamespace(), un.GetName(), err) } @@ -164,3 +160,17 @@ func RemoveLabel(un *unstructured.Unstructured, key string) error { } return nil } + +// nestedNullableStringMap returns a copy of map[string]string value of a nested field. +// Returns false if value is not found and an error if not one of map[string]interface{} or nil, or contains non-string values in the map. +func nestedNullableStringMap(obj map[string]interface{}, fields ...string) (map[string]string, bool, error) { + var m map[string]string + val, found, err := unstructured.NestedFieldNoCopy(obj, fields...) + if err != nil { + return nil, found, err + } + if found && val != nil { + return unstructured.NestedStringMap(obj, fields...) + } + return m, found, err +} diff --git a/util/kube/kube_test.go b/util/kube/kube_test.go index 94fd0faeeef00..1bd00380d0b05 100644 --- a/util/kube/kube_test.go +++ b/util/kube/kube_test.go 
@@ -192,7 +192,7 @@ func TestSetAppInstanceAnnotationWithInvalidData(t *testing.T) { assert.Nil(t, err) err = SetAppInstanceAnnotation(&obj, common.LabelKeyAppInstance, "my-app") assert.Error(t, err) - assert.Equal(t, ".metadata.annotations accessor error: contains non-string key in the map: is of the type , expected string", err.Error()) + assert.Equal(t, "failed to get annotations from target object /v1, Kind=Service /my-service: .metadata.annotations accessor error: contains non-string key in the map: is of the type , expected string", err.Error()) } func TestGetAppInstanceAnnotation(t *testing.T) { @@ -218,7 +218,7 @@ func TestGetAppInstanceAnnotationWithInvalidData(t *testing.T) { _, err = GetAppInstanceAnnotation(&obj, "valid-annotation") assert.Error(t, err) - assert.Equal(t, ".metadata.annotations accessor error: contains non-string key in the map: is of the type , expected string", err.Error()) + assert.Equal(t, "failed to get annotations from target object /v1, Kind=Service /my-service: .metadata.annotations accessor error: contains non-string key in the map: is of the type , expected string", err.Error()) } func TestGetAppInstanceLabel(t *testing.T) { diff --git a/util/settings/settings.go b/util/settings/settings.go index c85ed3329361b..a9d49b78cd5df 100644 --- a/util/settings/settings.go +++ b/util/settings/settings.go @@ -766,7 +766,7 @@ func (mgr *SettingsManager) GetDeepLinks(deeplinkType string) ([]DeepLink, error func (mgr *SettingsManager) GetEnabledSourceTypes() (map[string]bool, error) { argoCDCM, err := mgr.getConfigMap() if err != nil { - return nil, err + return nil, fmt.Errorf("failed to get argo-cd config map: %w", err) } res := map[string]bool{} for sourceType := range sourceTypeToEnableGenerationKey { 
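Review bot: In util/settings/settings.go, the same getConfigMap failure is wrapped as `failed to get argo-cd config map` in GetEnabledSourceTypes here and in GetHelmSettings and GetRepositories, but as `error retrieving config map` in GetResourceOverrides, GetHelmRepositories, GetRepositoryCredentials, GetGoogleAnalytics and GetHelp, among others. One phrase for one failure keeps log searches and alert rules simple; pick one, or wrap once inside getConfigMap and return its error as is. GetEnabledSourceTypes continues below the hunk.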
@@ -820,7 +820,7 @@ func (mgr *SettingsManager) GetIgnoreResourceUpdatesOverrides() (map[string]v1al func (mgr *SettingsManager) GetIsIgnoreResourceUpdatesEnabled() (bool, error) { argoCDCM, err := mgr.getConfigMap() if err != nil { - return false, err + return false, fmt.Errorf("error retrieving config map: %w", err) } if argoCDCM.Data[resourceIgnoreResourceUpdatesEnabledKey] == "" { @@ -834,7 +834,7 @@ func (mgr *SettingsManager) GetIsIgnoreResourceUpdatesEnabled() (bool, error) { func (mgr *SettingsManager) GetResourceOverrides() (map[string]v1alpha1.ResourceOverride, error) { argoCDCM, err := mgr.getConfigMap() if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving config map: %w", err) } resourceOverrides := map[string]v1alpha1.ResourceOverride{} if value, ok := argoCDCM.Data[resourceCustomizationsKey]; ok && value != "" { @@ -1009,7 +1009,7 @@ func (mgr *SettingsManager) GetResourceCompareOptions() (ArgoCDDiffOptions, erro func (mgr *SettingsManager) GetHelmSettings() (*v1alpha1.HelmOptions, error) { argoCDCM, err := mgr.getConfigMap() if err != nil { - return nil, err + return nil, fmt.Errorf("failed to get argo-cd config map: %v", err) } helmOptions := &v1alpha1.HelmOptions{} if value, ok := argoCDCM.Data[helmValuesFileSchemesKey]; ok { @@ -1045,7 +1045,7 @@ func (mgr *SettingsManager) GetKustomizeSettings() (*KustomizeSettings, error) { if strings.HasPrefix(k, kustomizeVersionKeyPrefix) { err = addKustomizeVersion(kustomizeVersionKeyPrefix, k, v, kustomizeVersionsMap) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to add kustomize version from %q: %w", k, err) } } @@ -1053,7 +1053,7 @@ func (mgr *SettingsManager) GetKustomizeSettings() (*KustomizeSettings, error) { if strings.HasPrefix(k, kustomizePathPrefixKey) { err = addKustomizeVersion(kustomizePathPrefixKey, k, v, kustomizeVersionsMap) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to add kustomize version from %q: %w", k, err) } } 
@@ -1088,14 +1088,14 @@ func addKustomizeVersion(prefix, name, path string, kvMap map[string]KustomizeVe func (mgr *SettingsManager) GetHelmRepositories() ([]HelmRepoCredentials, error) { argoCDCM, err := mgr.getConfigMap() if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving config map: %w", err) } helmRepositories := make([]HelmRepoCredentials, 0) helmRepositoriesStr := argoCDCM.Data[helmRepositoriesKey] if helmRepositoriesStr != "" { err := yaml.Unmarshal([]byte(helmRepositoriesStr), &helmRepositories) if err != nil { - return nil, err + return nil, fmt.Errorf("error unmarshalling helm repositories: %w", err) } } return helmRepositories, nil @@ -1113,7 +1113,7 @@ func (mgr *SettingsManager) GetRepositories() ([]Repository, error) { // Get the config map outside of the lock argoCDCM, err := mgr.getConfigMap() if err != nil { - return nil, err + return nil, fmt.Errorf("failed to get argo-cd config map: %w", err) } mgr.mutex.Lock() @@ -1123,7 +1123,7 @@ func (mgr *SettingsManager) GetRepositories() ([]Repository, error) { if repositoriesStr != "" { err := yaml.Unmarshal([]byte(repositoriesStr), &repositories) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to unmarshal repositories from config map key %q: %w", repositoriesKey, err) } } mgr.reposCache = repositories @@ -1173,7 +1173,7 @@ func (mgr *SettingsManager) GetRepositoryCredentials() ([]RepositoryCredentials, // Get the config map outside of the lock argoCDCM, err := mgr.getConfigMap() if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving config map: %w", err) } mgr.mutex.Lock() 
@@ -1194,7 +1194,7 @@ func (mgr *SettingsManager) GetRepositoryCredentials() ([]RepositoryCredentials, func (mgr *SettingsManager) GetGoogleAnalytics() (*GoogleAnalytics, error) { argoCDCM, err := mgr.getConfigMap() if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving config map: %w", err) } return &GoogleAnalytics{ TrackingID: argoCDCM.Data[gaTrackingID], @@ -1205,7 +1205,7 @@ func (mgr *SettingsManager) GetGoogleAnalytics() (*GoogleAnalytics, error) { func (mgr *SettingsManager) GetHelp() (*Help, error) { argoCDCM, err := mgr.getConfigMap() if err != nil { - return nil, err + return nil, fmt.Errorf("error retrieving config map: %w", err) } chatText, ok := argoCDCM.Data[helpChatText] if !ok { @@ -1504,7 +1504,7 @@ func (mgr *SettingsManager) updateSettingsFromSecret(settings *ArgoCDSettings, a // return values are nil, no external secret has been configured. func (mgr *SettingsManager) externalServerTLSCertificate() (*tls.Certificate, error) { var cert tls.Certificate - secret, err := mgr.clientset.CoreV1().Secrets(mgr.namespace).Get(mgr.ctx, externalServerTLSSecretName, metav1.GetOptions{}) + secret, err := mgr.secrets.Secrets(mgr.namespace).Get(externalServerTLSSecretName) if err != nil { if apierr.IsNotFound(err) { return nil, nil @@ -1957,7 +1957,7 @@ func (mgr *SettingsManager) InitializeSettings(insecureModeEnabled bool) (*ArgoC // set JWT signature signature, err := util.MakeSignature(32) if err != nil { - return nil, err + return nil, fmt.Errorf("error setting JWT signature: %w", err) } cdSettings.ServerSignature = signature log.Info("Initialized server signature") diff --git a/util/settings/settings_test.go b/util/settings/settings_test.go index b8fe3569300f9..07a2c268a6bd7 100644 --- a/util/settings/settings_test.go +++ b/util/settings/settings_test.go 
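Review bot: In util/settings/settings.go, externalServerTLSCertificate now reads the TLS secret through `mgr.secrets.Secrets(mgr.namespace).Get(externalServerTLSSecretName)`, which has the shape of a lister call; the type of mgr.secrets is not visible here, so this needs confirming. If it is an informer-backed lister, the result can lag behind the API server after a certificate rotation, and the returned Secret is the shared cached object that must not be modified. A comment above the call would record both: `// read from the informer cache: may be briefly stale, treat the Secret as read-only`. The function continues below the hunk.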
@@ -696,7 +696,7 @@ func TestSettingsManager_GetKustomizeBuildOptions(t *testing.T) { }) got, err := settingsManager.GetKustomizeSettings() - assert.EqualError(t, err, "found duplicate kustomize version: v3.2.1") + assert.ErrorContains(t, err, "found duplicate kustomize version: v3.2.1") assert.Empty(t, got) }) diff --git a/util/tls/tls.go b/util/tls/tls.go index d963eed55cee7..938c386d75618 100644 --- a/util/tls/tls.go +++ b/util/tls/tls.go @@ -309,7 +309,7 @@ func generatePEM(opts CertOptions) ([]byte, []byte, error) { func GenerateX509KeyPair(opts CertOptions) (*tls.Certificate, error) { certpem, keypem, err := generatePEM(opts) if err != nil { - return nil, err + return nil, fmt.Errorf("error generating X509 key pair: %w", err) } cert, err := tls.X509KeyPair(certpem, keypem) if err != nil { @@ -420,7 +420,7 @@ func CreateServerTLSConfig(tlsCertPath, tlsKeyPath string, hosts []string) (*tls IsCA: false, }) if err != nil { - return nil, err + return nil, fmt.Errorf("error generating X509 key pair: %w", err) } cert = c } else { diff --git a/util/tls/tls_test.go b/util/tls/tls_test.go index 69d8dc2e2e757..f103d035a964d 100644 --- a/util/tls/tls_test.go +++ b/util/tls/tls_test.go @@ -405,7 +405,7 @@ func getCert(pemCerts []byte) (*x509.Certificate, error) { certBytes := block.Bytes cert, err := x509.ParseCertificate(certBytes) if err != nil { - return nil, err + return nil, fmt.Errorf("error parsing certificate: %w", err) } return cert, nil } @@ -413,7 +413,7 @@ func getCert(pemCerts []byte) (*x509.Certificate, error) { func getCertFromFile(path string) (*x509.Certificate, error) { certBytes, err := os.ReadFile(path) if err != nil { - return nil, err + return nil, fmt.Errorf("error reading file: %w", err) } return getCert(certBytes) } diff --git a/util/webhook/webhook.go b/util/webhook/webhook.go index c47323f2cdbbb..ca4742e31a1f1 100644 --- a/util/webhook/webhook.go +++ b/util/webhook/webhook.go 
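Review bot: In util/tls/tls.go, the wrap added in CreateServerTLSConfig uses the same prefix that GenerateX509KeyPair gains in the hunk just above it, so if the call above this hunk is GenerateX509KeyPair (it is outside the visible lines) the message becomes `error generating X509 key pair: error generating X509 key pair: …`. Name the caller's own step instead, e.g. `return nil, fmt.Errorf("error creating server TLS config: %w", err)`. CreateServerTLSConfig starts above the hunk and continues below it.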
@@ -264,7 +264,8 @@ func (a *ArgoCDWebhookHandler) HandleEvent(payload interface{}) { for _, source := range app.Spec.GetSources() { if sourceRevisionHasChanged(source, revision, touchedHead) && sourceUsesURL(source, webURL, repoRegexp) { if appFilesHaveChanged(&app, changedFiles) { - _, err = argo.RefreshApp(appIf, app.ObjectMeta.Name, v1alpha1.RefreshTypeNormal) + namespacedAppInterface := a.appClientset.ArgoprojV1alpha1().Applications(app.ObjectMeta.Namespace) + _, err = argo.RefreshApp(namespacedAppInterface, app.ObjectMeta.Name, v1alpha1.RefreshTypeNormal) if err != nil { log.Warnf("Failed to refresh app '%s' for controller reprocessing: %v", app.ObjectMeta.Name, err) continue diff --git a/util/webhook/webhook_test.go b/util/webhook/webhook_test.go index 899c3ecb73203..cf11162febc6c 100644 --- a/util/webhook/webhook_test.go +++ b/util/webhook/webhook_test.go @@ -5,6 +5,7 @@ import ( "encoding/json" "fmt" "io" + "k8s.io/apimachinery/pkg/types" "net/http" "net/http/httptest" "os" @@ -149,10 +150,10 @@ func TestGitHubCommitEvent_MultiSource_Refresh(t *testing.T) { func TestGitHubCommitEvent_AppsInOtherNamespaces(t *testing.T) { hook := test.NewGlobal() - patchedApps := make([]string, 0, 3) + patchedApps := make([]types.NamespacedName, 0, 3) reaction := func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) { patchAction := action.(kubetesting.PatchAction) - patchedApps = append(patchedApps, patchAction.GetName()) + patchedApps = append(patchedApps, types.NamespacedName{Name: patchAction.GetName(), Namespace: patchAction.GetNamespace()}) return true, nil, nil } 
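Review bot: In util/webhook/webhook.go, the refresh in HandleEvent now targets the app's own namespace, but the `log.Warnf` on failure still prints only `app.ObjectMeta.Name`, so two apps with the same name in different namespaces cannot be told apart in the log. Include the namespace: `log.Warnf("Failed to refresh app '%s' in namespace '%s' for controller reprocessing: %v", app.ObjectMeta.Name, app.ObjectMeta.Namespace, err)`. Which namespaces a webhook event may reach is decided outside this hunk, and the function body extends beyond it in both directions.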
@@ -231,10 +232,10 @@ func TestGitHubCommitEvent_AppsInOtherNamespaces(t *testing.T) { assert.Contains(t, logMessages, "Requested app 'app-to-refresh-in-globbed-namespace' refresh") assert.NotContains(t, logMessages, "Requested app 'app-to-ignore' refresh") - assert.Contains(t, patchedApps, "app-to-refresh-in-default-namespace") - assert.Contains(t, patchedApps, "app-to-refresh-in-exact-match-namespace") - assert.Contains(t, patchedApps, "app-to-refresh-in-globbed-namespace") - assert.NotContains(t, patchedApps, "app-to-ignore") + assert.Contains(t, patchedApps, types.NamespacedName{Name: "app-to-refresh-in-default-namespace", Namespace: "argocd"}) + assert.Contains(t, patchedApps, types.NamespacedName{Name: "app-to-refresh-in-exact-match-namespace", Namespace: "end-to-end-tests"}) + assert.Contains(t, patchedApps, types.NamespacedName{Name: "app-to-refresh-in-globbed-namespace", Namespace: "app-team-two"}) + assert.NotContains(t, patchedApps, types.NamespacedName{Name: "app-to-ignore", Namespace: "kube-system"}) assert.Len(t, patchedApps, 3) hook.Reset()