Update godeps

vendor/github.com/coreos/etcd/clientv3/balancer.go

@@ -45,6 +45,8 @@ type simpleBalancer struct {
 	// pinAddr is the currently pinned address; set to the empty string on
 	// intialization and shutdown.
 	pinAddr string
+
+	closed bool
 }
 
 func newSimpleBalancer(eps []string) *simpleBalancer {
@@ -74,15 +76,25 @@ func (b *simpleBalancer) ConnectNotify() <-chan struct{} {
 
 func (b *simpleBalancer) Up(addr grpc.Address) func(error) {
 	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	// gRPC might call Up after it called Close. We add this check
+	// to "fix" it up at application layer. Or our simplerBalancer
+	// might panic since b.upc is closed.
+	if b.closed {
+		return func(err error) {}
+	}
+
 	if len(b.upEps) == 0 {
 		// notify waiting Get()s and pin first connected address
 		close(b.upc)
 		b.pinAddr = addr.Addr
 	}
 	b.upEps[addr.Addr] = struct{}{}
-	b.mu.Unlock()
+
 	// notify client that a connection is up
 	b.readyOnce.Do(func() { close(b.readyc) })
+
 	return func(err error) {
 		b.mu.Lock()
 		delete(b.upEps, addr.Addr)
@@ -128,13 +140,19 @@ func (b *simpleBalancer) Notify() <-chan []grpc.Address { return b.notifyCh }
 
 func (b *simpleBalancer) Close() error {
 	b.mu.Lock()
+	defer b.mu.Unlock()
+	// In case gRPC calls close twice. TODO: remove the checking
+	// when we are sure that gRPC wont call close twice.
+	if b.closed {
+		return nil
+	}
+	b.closed = true
 	close(b.notifyCh)
 	// terminate all waiting Get()s
 	b.pinAddr = ""
 	if len(b.upEps) == 0 {
 		close(b.upc)
 	}
-	b.mu.Unlock()
 	return nil
 }
 

vendor/github.com/coreos/etcd/clientv3/watch.go

@@ -669,6 +669,10 @@ func (w *watchGrpcStream) resumeWatchers(wc pb.Watch_WatchClient) error {
 	w.mu.RUnlock()
 
 	for _, ws := range streams {
+		// drain recvc so no old WatchResponses (e.g., Created messages)
+		// are processed while resuming
+		ws.drain()
+
 		// pause serveStream
 		ws.resumec <- -1
 
@@ -701,6 +705,17 @@ func (w *watchGrpcStream) resumeWatchers(wc pb.Watch_WatchClient) error {
 	return nil
 }
 
+// drain removes all buffered WatchResponses from the stream's receive channel.
+func (ws *watcherStream) drain() {
+	for {
+		select {
+		case <-ws.recvc:
+		default:
+			return
+		}
+	}
+}
+
 // toPB converts an internal watch request structure to its protobuf messagefunc (wr *watchRequest)
 func (wr *watchRequest) toPB() *pb.WatchRequest {
 	req := &pb.WatchCreateRequest{

vendor/github.com/coreos/etcd/pkg/fileutil/dir_unix.go

@@ -0,0 +1,22 @@
+// Copyright 2016 The etcd Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !windows
+
+package fileutil
+
+import "os"
+
+// OpenDir opens a directory for syncing.
+func OpenDir(path string) (*os.File, error) { return os.Open(path) }

vendor/github.com/coreos/etcd/pkg/fileutil/dir_windows.go

@@ -0,0 +1,46 @@
+// Copyright 2016 The etcd Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build windows
+
+package fileutil
+
+import (
+	"os"
+	"syscall"
+)
+
+// OpenDir opens a directory in windows with write access for syncing.
+func OpenDir(path string) (*os.File, error) {
+	fd, err := openDir(path)
+	if err != nil {
+		return nil, err
+	}
+	return os.NewFile(uintptr(fd), path), nil
+}
+
+func openDir(path string) (fd syscall.Handle, err error) {
+	if len(path) == 0 {
+		return syscall.InvalidHandle, syscall.ERROR_FILE_NOT_FOUND
+	}
+	pathp, err := syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return syscall.InvalidHandle, err
+	}
+	access := uint32(syscall.GENERIC_READ | syscall.GENERIC_WRITE)
+	sharemode := uint32(syscall.FILE_SHARE_READ | syscall.FILE_SHARE_WRITE)
+	createmode := uint32(syscall.OPEN_EXISTING)
+	fl := uint32(syscall.FILE_FLAG_BACKUP_SEMANTICS)
+	return syscall.CreateFile(pathp, access, sharemode, nil, createmode, fl, 0)
+}

vendor/github.com/coreos/etcd/pkg/fileutil/fileutil.go

@@ -96,3 +96,26 @@ func Exist(name string) bool {
 	_, err := os.Stat(name)
 	return err == nil
 }
+
+// ZeroToEnd zeros a file starting from SEEK_CUR to its SEEK_END. May temporarily
+// shorten the length of the file.
+func ZeroToEnd(f *os.File) error {
+	// TODO: support FALLOC_FL_ZERO_RANGE
+	off, err := f.Seek(0, os.SEEK_CUR)
+	if err != nil {
+		return err
+	}
+	lenf, lerr := f.Seek(0, os.SEEK_END)
+	if lerr != nil {
+		return lerr
+	}
+	if err = f.Truncate(off); err != nil {
+		return err
+	}
+	// make sure blocks remain allocated
+	if err = Preallocate(f, lenf, true); err != nil {
+		return err
+	}
+	_, err = f.Seek(off, os.SEEK_SET)
+	return err
+}

vendor/github.com/coreos/go-oidc/http/http.go

@@ -4,18 +4,13 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"errors"
+	"log"
 	"net/http"
 	"net/url"
 	"path"
 	"strconv"
 	"strings"
 	"time"
-
-	"github.com/coreos/pkg/capnslog"
-)
-
-var (
-	log = capnslog.NewPackageLogger("github.com/coreos/go-oidc", "http")
 )
 
 func WriteError(w http.ResponseWriter, code int, msg string) {
@@ -26,7 +21,9 @@ func WriteError(w http.ResponseWriter, code int, msg string) {
 	}
 	b, err := json.Marshal(e)
 	if err != nil {
-		log.Errorf("Failed marshaling %#v to JSON: %v", e, err)
+		log.Printf("go-oidc: failed to marshal %#v: %v", e, err)
+		code = http.StatusInternalServerError
+		b = []byte(`{"error":"server_error"}`)
 	}
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(code)

vendor/github.com/coreos/go-oidc/http/middleware.go

@@ -1,14 +0,0 @@
-package http
-
-import (
-	"net/http"
-)
-
-type LoggingMiddleware struct {
-	Next http.Handler
-}
-
-func (l *LoggingMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	log.Infof("HTTP %s %v", r.Method, r.URL)
-	l.Next.ServeHTTP(w, r)
-}

vendor/github.com/coreos/go-oidc/key/key.go

@@ -3,9 +3,9 @@ package key
 import (
 	"crypto/rand"
 	"crypto/rsa"
-	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
-	"math/big"
+	"io"
 	"time"
 
 	"github.com/coreos/go-oidc/jose"
@@ -139,15 +139,15 @@ func GeneratePrivateKey() (*PrivateKey, error) {
 	if err != nil {
 		return nil, err
 	}
+	keyID := make([]byte, 20)
+	if _, err := io.ReadFull(rand.Reader, keyID); err != nil {
+		return nil, err
+	}
 
 	k := PrivateKey{
-		KeyID:      base64BigInt(pk.PublicKey.N),
+		KeyID:      hex.EncodeToString(keyID),
 		PrivateKey: pk,
 	}
 
 	return &k, nil
 }
-
-func base64BigInt(b *big.Int) string {
-	return base64.URLEncoding.EncodeToString(b.Bytes())
-}

vendor/github.com/coreos/go-oidc/key/rotate.go

@@ -2,16 +2,14 @@ package key
 
 import (
 	"errors"
+	"log"
 	"time"
 
-	"github.com/coreos/pkg/capnslog"
 	ptime "github.com/coreos/pkg/timeutil"
 	"github.com/jonboulle/clockwork"
 )
 
 var (
-	log = capnslog.NewPackageLogger("github.com/coreos/go-oidc", "key")
-
 	ErrorPrivateKeysExpired = errors.New("private keys have expired")
 )
 
@@ -67,7 +65,6 @@ func (r *PrivateKeyRotator) privateKeySet() (*PrivateKeySet, error) {
 func (r *PrivateKeyRotator) nextRotation() (time.Duration, error) {
 	pks, err := r.privateKeySet()
 	if err == ErrorNoKeys {
-		log.Infof("No keys in private key set; must rotate immediately")
 		return 0, nil
 	}
 	if err != nil {
@@ -94,17 +91,15 @@ func (r *PrivateKeyRotator) Run() chan struct{} {
 	attempt := func() {
 		k, err := r.generateKey()
 		if err != nil {
-			log.Errorf("Failed generating signing key: %v", err)
+			log.Printf("go-oidc: failed generating signing key: %v", err)
 			return
 		}
 
 		exp := r.expiresAt()
 		if err := rotatePrivateKeys(r.repo, k, r.keep, exp); err != nil {
-			log.Errorf("Failed key rotation: %v", err)
+			log.Printf("go-oidc: key rotation failed: %v", err)
 			return
 		}
-
-		log.Infof("Rotated signing keys: id=%s expiresAt=%s", k.ID(), exp)
 	}
 
 	stop := make(chan struct{})
@@ -118,11 +113,10 @@ func (r *PrivateKeyRotator) Run() chan struct{} {
 					break
 				}
 				sleep = ptime.ExpBackoff(sleep, time.Minute)
-				log.Errorf("error getting nextRotation, retrying in %v: %v", sleep, err)
+				log.Printf("go-oidc: error getting nextRotation, retrying in %v: %v", sleep, err)
 				time.Sleep(sleep)
 			}
 
-			log.Infof("will rotate keys in %v", nextRotation)
 			select {
 			case <-r.clock.After(nextRotation):
 				attempt()

vendor/github.com/coreos/go-oidc/key/sync.go

@@ -2,6 +2,7 @@ package key
 
 import (
 	"errors"
+	"log"
 	"time"
 
 	"github.com/jonboulle/clockwork"
@@ -38,15 +39,14 @@ func (s *KeySetSyncer) Run() chan struct{} {
 					next = timeutil.ExpBackoff(next, time.Minute)
 				}
 				if exp == 0 {
-					log.Errorf("Synced to already expired key set, retrying in %v: %v", next, err)
+					log.Printf("Synced to already expired key set, retrying in %v: %v", next, err)
 
 				} else {
-					log.Errorf("Failed syncing key set, retrying in %v: %v", next, err)
+					log.Printf("Failed syncing key set, retrying in %v: %v", next, err)
 				}
 			} else {
 				failing = false
 				next = exp / 2
-				log.Infof("Synced key set, checking again in %v", next)
 			}
 
 			select {

vendor/github.com/coreos/go-oidc/oauth2/oauth2.go

@@ -332,16 +332,16 @@ func parseTokenResponse(resp *http.Response) (result TokenResponse, err error) {
 		result.Scope = vals.Get("scope")
 	} else {
 		var r struct {
-			AccessToken  string `json:"access_token"`
-			TokenType    string `json:"token_type"`
-			IDToken      string `json:"id_token"`
-			RefreshToken string `json:"refresh_token"`
-			Scope        string `json:"scope"`
-			State        string `json:"state"`
-			ExpiresIn    int    `json:"expires_in"`
-			Expires      int    `json:"expires"`
-			Error        string `json:"error"`
-			Desc         string `json:"error_description"`
+			AccessToken  string      `json:"access_token"`
+			TokenType    string      `json:"token_type"`
+			IDToken      string      `json:"id_token"`
+			RefreshToken string      `json:"refresh_token"`
+			Scope        string      `json:"scope"`
+			State        string      `json:"state"`
+			ExpiresIn    json.Number `json:"expires_in"` // Azure AD returns string
+			Expires      int         `json:"expires"`
+			Error        string      `json:"error"`
+			Desc         string      `json:"error_description"`
 		}
 		if err = json.Unmarshal(body, &r); err != nil {
 			return
@@ -355,10 +355,10 @@ func parseTokenResponse(resp *http.Response) (result TokenResponse, err error) {
 		result.IDToken = r.IDToken
 		result.RefreshToken = r.RefreshToken
 		result.Scope = r.Scope
-		if r.ExpiresIn == 0 {
+		if expiresIn, err := r.ExpiresIn.Int64(); err != nil {
 			result.Expires = r.Expires
 		} else {
-			result.Expires = r.ExpiresIn
+			result.Expires = int(expiresIn)
 		}
 	}
 	return

vendor/github.com/coreos/go-oidc/oidc/provider.go

@@ -4,13 +4,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 	"net/http"
 	"net/url"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/coreos/pkg/capnslog"
 	"github.com/coreos/pkg/timeutil"
 	"github.com/jonboulle/clockwork"
 
@@ -18,10 +18,6 @@ import (
 	"github.com/coreos/go-oidc/oauth2"
 )
 
-var (
-	log = capnslog.NewPackageLogger("github.com/coreos/go-oidc", "http")
-)
-
 const (
 	// Subject Identifier types defined by the OIDC spec. Specifies if the provider
 	// should provide the same sub claim value to all clients (public) or a unique
@@ -69,6 +65,8 @@ type ProviderConfig struct {
 	UserInfoEndpoint     *url.URL
 	KeysEndpoint         *url.URL // Required
 	RegistrationEndpoint *url.URL
+	EndSessionEndpoint   *url.URL
+	CheckSessionIFrame   *url.URL
 
 	// Servers MAY choose not to advertise some supported scope values even when this
 	// parameter is used, although those defined in OpenID Core SHOULD be listed, if supported.
@@ -170,6 +168,8 @@ type encodableProviderConfig struct {
 	UserInfoEndpoint     string `json:"userinfo_endpoint,omitempty"`
 	KeysEndpoint         string `json:"jwks_uri"`
 	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
+	EndSessionEndpoint   string `json:"end_session_endpoint,omitempty"`
+	CheckSessionIFrame   string `json:"check_session_iframe,omitempty"`
 
 	// Use 'omitempty' for all slices as per OIDC spec:
 	// "Claims that return multiple values are represented as JSON arrays.
@@ -219,6 +219,8 @@ func (cfg ProviderConfig) toEncodableStruct() encodableProviderConfig {
 		UserInfoEndpoint:                           uriToString(cfg.UserInfoEndpoint),
 		KeysEndpoint:                               uriToString(cfg.KeysEndpoint),
 		RegistrationEndpoint:                       uriToString(cfg.RegistrationEndpoint),
+		EndSessionEndpoint:                         uriToString(cfg.EndSessionEndpoint),
+		CheckSessionIFrame:                         uriToString(cfg.CheckSessionIFrame),
 		ScopesSupported:                            cfg.ScopesSupported,
 		ResponseTypesSupported:                     cfg.ResponseTypesSupported,
 		ResponseModesSupported:                     cfg.ResponseModesSupported,
@@ -260,6 +262,8 @@ func (e encodableProviderConfig) toStruct() (ProviderConfig, error) {
 		UserInfoEndpoint:                           p.parseURI(e.UserInfoEndpoint, "userinfo_endpoint"),
 		KeysEndpoint:                               p.parseURI(e.KeysEndpoint, "jwks_uri"),
 		RegistrationEndpoint:                       p.parseURI(e.RegistrationEndpoint, "registration_endpoint"),
+		EndSessionEndpoint:                         p.parseURI(e.EndSessionEndpoint, "end_session_endpoint"),
+		CheckSessionIFrame:                         p.parseURI(e.CheckSessionIFrame, "check_session_iframe"),
 		ScopesSupported:                            e.ScopesSupported,
 		ResponseTypesSupported:                     e.ResponseTypesSupported,
 		ResponseModesSupported:                     e.ResponseModesSupported,
@@ -364,6 +368,8 @@ func (p ProviderConfig) Valid() error {
 		{p.UserInfoEndpoint, "userinfo_endpoint", false},
 		{p.KeysEndpoint, "jwks_uri", true},
 		{p.RegistrationEndpoint, "registration_endpoint", false},
+		{p.EndSessionEndpoint, "end_session_endpoint", false},
+		{p.CheckSessionIFrame, "check_session_iframe", false},
 		{p.ServiceDocs, "service_documentation", false},
 		{p.Policy, "op_policy_uri", false},
 		{p.TermsOfService, "op_tos_uri", false},
@@ -537,8 +543,6 @@ func (s *ProviderConfigSyncer) sync() (time.Duration, error) {
 		s.initialSyncDone = true
 	}
 
-	log.Infof("Updating provider config: config=%#v", cfg)
-
 	return nextSyncAfter(cfg.ExpiresAt, s.clock), nil
 }
 
@@ -561,10 +565,9 @@ func (n *pcsStepNext) step(fn pcsStepFunc) (next pcsStepper) {
 	ttl, err := fn()
 	if err == nil {
 		next = &pcsStepNext{aft: ttl}
-		log.Debugf("Synced provider config, next attempt in %v", next.after())
 	} else {
 		next = &pcsStepRetry{aft: time.Second}
-		log.Errorf("Provider config sync failed, retrying in %v: %v", next.after(), err)
+		log.Printf("go-oidc: provider config sync falied, retyring in %v: %v", next.after(), err)
 	}
 	return
 }
@@ -581,10 +584,9 @@ func (r *pcsStepRetry) step(fn pcsStepFunc) (next pcsStepper) {
 	ttl, err := fn()
 	if err == nil {
 		next = &pcsStepNext{aft: ttl}
-		log.Infof("Provider config sync no longer failing")
 	} else {
 		next = &pcsStepRetry{aft: timeutil.ExpBackoff(r.aft, time.Minute)}
-		log.Errorf("Provider config sync still failing, retrying in %v: %v", next.after(), err)
+		log.Printf("go-oidc: provider config sync falied, retyring in %v: %v", next.after(), err)
 	}
 	return
 }

vendor/github.com/coreos/go-oidc/oidc/verification.go

@@ -161,11 +161,18 @@ func NewJWTVerifier(issuer, clientID string, syncFunc func() error, keysFunc fun
 }
 
 func (v *JWTVerifier) Verify(jwt jose.JWT) error {
+	// Verify claims before verifying the signature. This is an optimization to throw out
+	// tokens we know are invalid without undergoing an expensive signature check and
+	// possibly a re-sync event.
+	if err := VerifyClaims(jwt, v.issuer, v.clientID); err != nil {
+		return fmt.Errorf("oidc: JWT claims invalid: %v", err)
+	}
+
 	ok, err := VerifySignature(jwt, v.keysFunc())
-	if ok {
-		goto SignatureVerified
-	} else if err != nil {
+	if err != nil {
 		return fmt.Errorf("oidc: JWT signature verification failed: %v", err)
+	} else if ok {
+		return nil
 	}
 
 	if err = v.syncFunc(); err != nil {
@@ -179,10 +186,5 @@ func (v *JWTVerifier) Verify(jwt jose.JWT) error {
 		return errors.New("oidc: unable to verify JWT signature: no matching keys")
 	}
 
-SignatureVerified:
-	if err := VerifyClaims(jwt, v.issuer, v.clientID); err != nil {
-		return fmt.Errorf("oidc: JWT claims invalid: %v", err)
-	}
-
 	return nil
 }