Merge branch 'master' into herman/allow-deny

authority/authority.go

@@ -327,6 +327,21 @@ func (a *Authority) init() error {
 		}
 	}
 
+	// Initialize linkedca client if necessary. On a linked RA, the issuer
+	// configuration might come from majordomo.
+	var linkedcaClient *linkedCaClient
+	if a.config.AuthorityConfig.EnableAdmin && a.linkedCAToken != "" && a.adminDB == nil {
+		linkedcaClient, err = newLinkedCAClient(a.linkedCAToken)
+		if err != nil {
+			return err
+		}
+		// If authorityId is configured make sure it matches the one in the token
+		if id := a.config.AuthorityConfig.AuthorityID; id != "" && !strings.EqualFold(id, linkedcaClient.authorityID) {
+			return errors.New("error initializing linkedca: token authority and configured authority do not match")
+		}
+		linkedcaClient.Run()
+	}
+
 	// Initialize the X.509 CA Service if it has not been set in the options.
 	if a.x509CAService == nil {
 		var options casapi.Options
@@ -334,6 +349,22 @@ func (a *Authority) init() error {
 			options = *a.config.AuthorityConfig.Options
 		}
 
+		// Configure linked RA
+		if linkedcaClient != nil && options.CertificateAuthority == "" {
+			conf, err := linkedcaClient.GetConfiguration(context.Background())
+			if err != nil {
+				return err
+			}
+			if conf.RaConfig != nil {
+				options.CertificateAuthority = conf.RaConfig.CaUrl
+				options.CertificateAuthorityFingerprint = conf.RaConfig.Fingerprint
+				options.CertificateIssuer = &casapi.CertificateIssuer{
+					Type:        conf.RaConfig.Provisioner.Type.String(),
+					Provisioner: conf.RaConfig.Provisioner.Name,
+				}
+			}
+		}
+
 		// Set the issuer password if passed in the flags.
 		if options.CertificateIssuer != nil && a.issuerPassword != nil {
 			options.CertificateIssuer.Password = string(a.issuerPassword)
@@ -553,24 +584,13 @@ func (a *Authority) init() error {
 		// Initialize step-ca Admin Database if it's not already initialized using
 		// WithAdminDB.
 		if a.adminDB == nil {
-			if a.linkedCAToken == "" {
-				// Check if AuthConfig already exists
+			if linkedcaClient != nil {
+				a.adminDB = linkedcaClient
+			} else {
 				a.adminDB, err = adminDBNosql.New(a.db.(nosql.DB), admin.DefaultAuthorityID)
 				if err != nil {
 					return err
 				}
-			} else {
-				// Use the linkedca client as the admindb.
-				client, err := newLinkedCAClient(a.linkedCAToken)
-				if err != nil {
-					return err
-				}
-				// If authorityId is configured make sure it matches the one in the token
-				if id := a.config.AuthorityConfig.AuthorityID; id != "" && !strings.EqualFold(id, client.authorityID) {
-					return errors.New("error initializing linkedca: token authority and configured authority do not match")
-				}
-				client.Run()
-				a.adminDB = client
 			}
 		}
 

authority/authorize_test.go

@@ -491,7 +491,7 @@ func TestAuthority_authorizeSign(t *testing.T) {
 				}
 			} else {
 				if assert.Nil(t, tc.err) {
-					assert.Len(t, 8, got) // number of provisioner.SignOptions returned
+					assert.Equals(t, 9, len(got)) // number of provisioner.SignOptions returned
 				}
 			}
 		})

authority/linkedca.go

@@ -26,6 +26,7 @@ import (
 	"go.step.sm/linkedca"
 
 	"github.com/smallstep/certificates/authority/admin"
+	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 )
 
@@ -157,13 +158,21 @@ func (c *linkedCaClient) GetProvisioner(ctx context.Context, id string) (*linked
 }
 
 func (c *linkedCaClient) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, error) {
+	resp, err := c.GetConfiguration(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return resp.Provisioners, nil
+}
+
+func (c *linkedCaClient) GetConfiguration(ctx context.Context) (*linkedca.ConfigurationResponse, error) {
 	resp, err := c.client.GetConfiguration(ctx, &linkedca.ConfigurationRequest{
 		AuthorityId: c.authorityID,
 	})
 	if err != nil {
-		return nil, errors.Wrap(err, "error getting provisioners")
+		return nil, errors.Wrap(err, "error getting configuration")
 	}
-	return resp.Provisioners, nil
+	return resp, nil
 }
 
 func (c *linkedCaClient) UpdateProvisioner(ctx context.Context, prov *linkedca.Provisioner) error {
@@ -210,11 +219,9 @@ func (c *linkedCaClient) GetAdmin(ctx context.Context, id string) (*linkedca.Adm
 }
 
 func (c *linkedCaClient) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) {
-	resp, err := c.client.GetConfiguration(ctx, &linkedca.ConfigurationRequest{
-		AuthorityId: c.authorityID,
-	})
+	resp, err := c.GetConfiguration(ctx)
 	if err != nil {
-		return nil, errors.Wrap(err, "error getting admins")
+		return nil, err
 	}
 	return resp.Admins, nil
 }
@@ -234,12 +241,13 @@ func (c *linkedCaClient) DeleteAdmin(ctx context.Context, id string) error {
 	return errors.Wrap(err, "error deleting admin")
 }
 
-func (c *linkedCaClient) StoreCertificateChain(fullchain ...*x509.Certificate) error {
+func (c *linkedCaClient) StoreCertificateChain(prov provisioner.Interface, fullchain ...*x509.Certificate) error {
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 	_, err := c.client.PostCertificate(ctx, &linkedca.CertificateRequest{
 		PemCertificate:      serializeCertificateChain(fullchain[0]),
 		PemCertificateChain: serializeCertificateChain(fullchain[1:]...),
+		Provisioner:         createProvisionerIdentity(prov),
 	})
 	return errors.Wrap(err, "error posting certificate")
 }
@@ -332,6 +340,17 @@ func (c *linkedCaClient) DeleteAuthorityPolicy(ctx context.Context) error {
 	return errors.New("not implemented yet")
 }
 
+func createProvisionerIdentity(prov provisioner.Interface) *linkedca.ProvisionerIdentity {
+	if prov == nil {
+		return nil
+	}
+	return &linkedca.ProvisionerIdentity{
+		Id:   prov.GetID(),
+		Type: linkedca.Provisioner_Type(prov.GetType()),
+		Name: prov.GetName(),
+	}
+}
+
 func serializeCertificate(crt *x509.Certificate) string {
 	if crt == nil {
 		return ""

authority/provisioner/acme_test.go

@@ -179,6 +179,7 @@ func TestACME_AuthorizeSign(t *testing.T) {
 					assert.Len(t, 6, opts) // number of SignOptions returned
 					for _, o := range opts {
 						switch v := o.(type) {
+						case *ACME:
 						case *provisionerExtensionOption:
 							assert.Equals(t, v.Type, TypeACME)
 							assert.Equals(t, v.Name, tc.p.GetName())

authority/provisioner/aws.go

@@ -480,6 +480,7 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	}
 
 	return append(so,
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID),

authority/provisioner/aws_test.go

@@ -642,11 +642,11 @@ func TestAWS_AuthorizeSign(t *testing.T) {
 		code    int
 		wantErr bool
 	}{
-		{"ok", p1, args{t1, "foo.local"}, 7, http.StatusOK, false},
-		{"ok", p2, args{t2, "instance-id"}, 11, http.StatusOK, false},
-		{"ok", p2, args{t2Hostname, "ip-127-0-0-1.us-west-1.compute.internal"}, 11, http.StatusOK, false},
-		{"ok", p2, args{t2PrivateIP, "127.0.0.1"}, 11, http.StatusOK, false},
-		{"ok", p1, args{t4, "instance-id"}, 7, http.StatusOK, false},
+		{"ok", p1, args{t1, "foo.local"}, 8, http.StatusOK, false},
+		{"ok", p2, args{t2, "instance-id"}, 12, http.StatusOK, false},
+		{"ok", p2, args{t2Hostname, "ip-127-0-0-1.us-west-1.compute.internal"}, 12, http.StatusOK, false},
+		{"ok", p2, args{t2PrivateIP, "127.0.0.1"}, 12, http.StatusOK, false},
+		{"ok", p1, args{t4, "instance-id"}, 8, http.StatusOK, false},
 		{"fail account", p3, args{token: t3}, 0, http.StatusUnauthorized, true},
 		{"fail token", p1, args{token: "token"}, 0, http.StatusUnauthorized, true},
 		{"fail subject", p1, args{token: failSubject}, 0, http.StatusUnauthorized, true},
@@ -673,9 +673,10 @@ func TestAWS_AuthorizeSign(t *testing.T) {
 				assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
 				assert.Equals(t, sc.StatusCode(), tt.code)
 			default:
-				assert.Len(t, tt.wantLen, got)
+				assert.Equals(t, tt.wantLen, len(got))
 				for _, o := range got {
 					switch v := o.(type) {
+					case *AWS:
 					case certificateOptionsFunc:
 					case *provisionerExtensionOption:
 						assert.Equals(t, v.Type, TypeAWS)

authority/provisioner/azure.go

@@ -367,6 +367,7 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	return append(so,
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID),

authority/provisioner/azure_test.go

@@ -474,11 +474,11 @@ func TestAzure_AuthorizeSign(t *testing.T) {
 		code    int
 		wantErr bool
 	}{
-		{"ok", p1, args{t1}, 6, http.StatusOK, false},
-		{"ok", p2, args{t2}, 11, http.StatusOK, false},
-		{"ok", p1, args{t11}, 6, http.StatusOK, false},
-		{"ok", p5, args{t5}, 6, http.StatusOK, false},
-		{"ok", p7, args{t7}, 6, http.StatusOK, false},
+		{"ok", p1, args{t1}, 7, http.StatusOK, false},
+		{"ok", p2, args{t2}, 12, http.StatusOK, false},
+		{"ok", p1, args{t11}, 7, http.StatusOK, false},
+		{"ok", p5, args{t5}, 7, http.StatusOK, false},
+		{"ok", p7, args{t7}, 7, http.StatusOK, false},
 		{"fail tenant", p3, args{t3}, 0, http.StatusUnauthorized, true},
 		{"fail resource group", p4, args{t4}, 0, http.StatusUnauthorized, true},
 		{"fail subscription", p6, args{t6}, 0, http.StatusUnauthorized, true},
@@ -502,9 +502,10 @@ func TestAzure_AuthorizeSign(t *testing.T) {
 				assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
 				assert.Equals(t, sc.StatusCode(), tt.code)
 			default:
-				assert.Len(t, tt.wantLen, got)
+				assert.Equals(t, tt.wantLen, len(got))
 				for _, o := range got {
 					switch v := o.(type) {
+					case *Azure:
 					case certificateOptionsFunc:
 					case *provisionerExtensionOption:
 						assert.Equals(t, v.Type, TypeAzure)

authority/provisioner/gcp.go

@@ -275,6 +275,7 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	}
 
 	return append(so,
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),

authority/provisioner/gcp_test.go

@@ -516,9 +516,9 @@ func TestGCP_AuthorizeSign(t *testing.T) {
 		code    int
 		wantErr bool
 	}{
-		{"ok", p1, args{t1}, 6, http.StatusOK, false},
-		{"ok", p2, args{t2}, 11, http.StatusOK, false},
-		{"ok", p3, args{t3}, 6, http.StatusOK, false},
+		{"ok", p1, args{t1}, 7, http.StatusOK, false},
+		{"ok", p2, args{t2}, 12, http.StatusOK, false},
+		{"ok", p3, args{t3}, 7, http.StatusOK, false},
 		{"fail token", p1, args{"token"}, 0, http.StatusUnauthorized, true},
 		{"fail key", p1, args{failKey}, 0, http.StatusUnauthorized, true},
 		{"fail iss", p1, args{failIss}, 0, http.StatusUnauthorized, true},
@@ -545,9 +545,10 @@ func TestGCP_AuthorizeSign(t *testing.T) {
 				assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
 				assert.Equals(t, sc.StatusCode(), tt.code)
 			default:
-				assert.Len(t, tt.wantLen, got)
+				assert.Equals(t, tt.wantLen, len(got))
 				for _, o := range got {
 					switch v := o.(type) {
+					case *GCP:
 					case certificateOptionsFunc:
 					case *provisionerExtensionOption:
 						assert.Equals(t, v.Type, TypeGCP)

authority/provisioner/jwk.go

@@ -192,6 +192,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	}
 
 	return []SignOption{
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),

authority/provisioner/jwk_test.go

@@ -297,9 +297,10 @@ func TestJWK_AuthorizeSign(t *testing.T) {
 				}
 			} else {
 				if assert.NotNil(t, got) {
-					assert.Len(t, 8, got)
+					assert.Equals(t, 9, len(got))
 					for _, o := range got {
 						switch v := o.(type) {
+						case *JWK:
 						case certificateOptionsFunc:
 						case *provisionerExtensionOption:
 							assert.Equals(t, v.Type, TypeJWK)

authority/provisioner/k8sSA.go

@@ -253,6 +253,7 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	return []SignOption{
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeK8sSA, p.Name, ""),

authority/provisioner/k8sSA_test.go

@@ -282,6 +282,7 @@ func TestK8sSA_AuthorizeSign(t *testing.T) {
 					if assert.NotNil(t, opts) {
 						for _, o := range opts {
 							switch v := o.(type) {
+							case *K8sSA:
 							case certificateOptionsFunc:
 							case *provisionerExtensionOption:
 								assert.Equals(t, v.Type, TypeK8sSA)
@@ -300,7 +301,7 @@ func TestK8sSA_AuthorizeSign(t *testing.T) {
 								assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
 							}
 						}
-						assert.Len(t, 6, opts)
+						assert.Equals(t, 7, len(opts))
 					}
 				}
 			}

authority/provisioner/nebula.go

@@ -157,6 +157,7 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	return []SignOption{
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeNebula, p.Name, ""),

authority/provisioner/noop.go

@@ -38,7 +38,7 @@ func (p *noop) Init(config Config) error {
 }
 
 func (p *noop) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
-	return []SignOption{}, nil
+	return []SignOption{p}, nil
 }
 
 func (p *noop) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {

authority/provisioner/noop_test.go

@@ -24,6 +24,6 @@ func Test_noop(t *testing.T) {
 
 	ctx := NewContextWithMethod(context.Background(), SignMethod)
 	sigOptions, err := p.AuthorizeSign(ctx, "foo")
-	assert.Equals(t, []SignOption{}, sigOptions)
+	assert.Equals(t, []SignOption{&p}, sigOptions)
 	assert.Equals(t, nil, err)
 }

authority/provisioner/oidc.go

@@ -366,6 +366,7 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 	}
 
 	return []SignOption{
+		o,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),

authority/provisioner/oidc_test.go

@@ -323,9 +323,10 @@ func TestOIDC_AuthorizeSign(t *testing.T) {
 				assert.Equals(t, sc.StatusCode(), tt.code)
 				assert.Nil(t, got)
 			} else if assert.NotNil(t, got) {
-				assert.Len(t, 6, got)
+				assert.Equals(t, 7, len(got))
 				for _, o := range got {
 					switch v := o.(type) {
+					case *OIDC:
 					case certificateOptionsFunc:
 					case *provisionerExtensionOption:
 						assert.Equals(t, v.Type, TypeOIDC)

authority/provisioner/scep.go

@@ -127,6 +127,7 @@ func (s *SCEP) Init(config Config) (err error) {
 // on the resulting certificate.
 func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	return []SignOption{
+		s,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeSCEP, s.Name, ""),
 		newForceCNOption(s.ForceCN),

authority/provisioner/x5c.go

@@ -239,6 +239,7 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	}
 
 	return []SignOption{
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeX5C, p.Name, ""),

authority/provisioner/x5c_test.go

@@ -468,9 +468,10 @@ func TestX5C_AuthorizeSign(t *testing.T) {
 			} else {
 				if assert.Nil(t, tc.err) {
 					if assert.NotNil(t, opts) {
-						assert.Len(t, 8, opts)
+						assert.Equals(t, 9, len(opts))
 						for _, o := range opts {
 							switch v := o.(type) {
+							case *X5C:
 							case certificateOptionsFunc:
 							case *provisionerExtensionOption:
 								assert.Equals(t, v.Type, TypeX5C)

authority/tls.go

@@ -89,8 +89,13 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 	// Set backdate with the configured value
 	signOpts.Backdate = a.config.AuthorityConfig.Backdate.Duration
 
+	var prov provisioner.Interface
 	for _, op := range extraOpts {
 		switch k := op.(type) {
+		// Capture current provisioner
+		case provisioner.Interface:
+			prov = k
+
 		// Adds new options to NewCertificate
 		case provisioner.CertificateOptions:
 			certOptions = append(certOptions, k.Options(signOpts)...)
@@ -220,7 +225,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 	}
 
 	fullchain := append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...)
-	if err = a.storeCertificate(fullchain); err != nil {
+	if err = a.storeCertificate(prov, fullchain); err != nil {
 		if err != db.ErrNotImplemented {
 			return nil, errs.Wrap(http.StatusInternalServerError, err,
 				"authority.Sign; error storing certificate in db", opts...)
@@ -368,19 +373,28 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
 // TODO: at some point we should replace the db.AuthDB interface to implement
 // `StoreCertificate(...*x509.Certificate) error` instead of just
 // `StoreCertificate(*x509.Certificate) error`.
-func (a *Authority) storeCertificate(fullchain []*x509.Certificate) error {
+func (a *Authority) storeCertificate(prov provisioner.Interface, fullchain []*x509.Certificate) error {
+	type linkedChainStorer interface {
+		StoreCertificateChain(provisioner.Interface, ...*x509.Certificate) error
+	}
 	type certificateChainStorer interface {
 		StoreCertificateChain(...*x509.Certificate) error
 	}
 	// Store certificate in linkedca
-	if s, ok := a.adminDB.(certificateChainStorer); ok {
+	switch s := a.adminDB.(type) {
+	case linkedChainStorer:
+		return s.StoreCertificateChain(prov, fullchain...)
+	case certificateChainStorer:
 		return s.StoreCertificateChain(fullchain...)
 	}
+
 	// Store certificate in local db
-	if s, ok := a.db.(certificateChainStorer); ok {
+	switch s := a.db.(type) {
+	case certificateChainStorer:
 		return s.StoreCertificateChain(fullchain...)
+	default:
+		return a.db.StoreCertificate(fullchain[0])
 	}
-	return a.db.StoreCertificate(fullchain[0])
 }
 
 // storeRenewedCertificate allows to use an extension of the db.AuthDB interface

go.sum

@@ -711,12 +711,6 @@ go.step.sm/cli-utils v0.7.0/go.mod h1:Ur6bqA/yl636kCUJbp30J7Unv5JJ226eW2KqXPDwF/
 go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
 go.step.sm/crypto v0.16.1 h1:4mnZk21cSxyMGxsEpJwZKKvJvDu1PN09UVrWWFNUBdk=
 go.step.sm/crypto v0.16.1/go.mod h1:3G0yQr5lQqfEG0CMYz8apC/qMtjLRQlzflL2AxkcN+g=
-go.step.sm/linkedca v0.11.0 h1:jkG5XDQz9VSz2PH+cGjDvJTwiIziN0SWExTnicWpb8o=
-go.step.sm/linkedca v0.11.0/go.mod h1:5uTRjozEGSPAZal9xJqlaD38cvJcLe3o1VAFVjqcORo=
-go.step.sm/linkedca v0.12.0 h1:FA18uJO5P6W2pklcezMs+w+N3dVbpKEE1LP9HLsJgg4=
-go.step.sm/linkedca v0.12.0/go.mod h1:W59ucS4vFpuR0g4PtkGbbtXAwxbDEnNCg+ovkej1ANM=
-go.step.sm/linkedca v0.12.1-0.20220331143637-69bee7065785 h1:14HYoAd9P7DNpf8OkXq4OWTzEq5E6iX4hNkYu/NH4Wo=
-go.step.sm/linkedca v0.12.1-0.20220331143637-69bee7065785/go.mod h1:W59ucS4vFpuR0g4PtkGbbtXAwxbDEnNCg+ovkej1ANM=
 go.step.sm/linkedca v0.12.1-0.20220405095509-878e3e5f78a3 h1:CIq0rMhfcV3oDRT0h4de2GVpRQnBnLJTTVIdc0eFjUg=
 go.step.sm/linkedca v0.12.1-0.20220405095509-878e3e5f78a3/go.mod h1:W59ucS4vFpuR0g4PtkGbbtXAwxbDEnNCg+ovkej1ANM=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -837,10 +831,7 @@ golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220325170049-de3da57026de h1:pZB1TWnKi+o4bENlbzAgLrEbY4RMYmUIRobMcSmfeYc=
-golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220403103023-749bd193bc2b h1:vI32FkLJNAWtGD4BwkThwEy6XS7ZLLMHkSkYfF8M0W0=
 golang.org/x/net v0.0.0-20220403103023-749bd193bc2b/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -954,10 +945,7 @@ golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220330033206-e17cdc41300f h1:rlezHXNlxYWvBCzNses9Dlc7nGFaNMJeqLolcmQSSZY=
-golang.org/x/sys v0.0.0-20220330033206-e17cdc41300f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220405052023-b1e9470b6e64 h1:D1v9ucDTYBtbz5vNuBbAhIMAGhQhJ6Ym5ah3maMVNX4=
 golang.org/x/sys v0.0.0-20220405052023-b1e9470b6e64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -1158,10 +1146,7 @@ google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ6
 google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf h1:SVYXkUz2yZS9FWb2Gm8ivSlbNQzL2Z/NpPKE3RG2jWk=
 google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7 h1:HOL66YCI20JvN2hVk6o2YIp9i/3RvzVUz82PqNr7fXw=
-google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220401170504-314d38edb7de h1:9Ti5SG2U4cAcluryUo/sFay3TQKoxiFMfaT0pbizU7k=
 google.golang.org/genproto v0.0.0-20220401170504-314d38edb7de/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
@@ -1195,7 +1180,6 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.44.0 h1:weqSxi/TMs1SqFRMHCtBgXRs8k3X39QIDEZ0pRcttUg=
 google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.45.0 h1:NEpgUqV3Z+ZjkqMsxMg11IaDrXY4RY6CQukSGK0uI1M=
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
@@ -1212,7 +1196,6 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=