backport of commit d5408c8

.changelog/16263.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade to use Go 1.20.1. 
+This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
+```

.circleci/config.yml

@@ -21,12 +21,12 @@ references:
     GIT_COMMITTER_NAME: circleci-consul
     S3_ARTIFACT_BUCKET: consul-dev-artifacts-v2
     BASH_ENV: .circleci/bash_env.sh
-    GO_VERSION: 1.19.4
+    GO_VERSION: 1.20.1
   envoy-versions: &supported_envoy_versions
-    - &default_envoy_version "1.22.7"
-    - "1.23.4"
-    - "1.24.2"
-    - "1.25.1"
+    - &default_envoy_version "1.21.5"
+    - "1.22.5"
+    - "1.23.2"
+    - "1.24.0"
   nomad-versions: &supported_nomad_versions
     - &default_nomad_version "1.3.3"
     - "1.2.10"
@@ -39,7 +39,7 @@ references:
   images:
     # When updating the Go version, remember to also update the versions in the
     # workflows section for go-test-lib jobs.
-    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.19.4
+    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.20.1
     ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:14-browsers
     ubuntu: &UBUNTU_CI_IMAGE ubuntu-2004:202201-02
   cache:
@@ -613,7 +613,7 @@ jobs:
       - run: *notify-slack-failure
   nomad-integration-test: &NOMAD_TESTS
     docker:
-      - image: docker.mirror.hashicorp.services/cimg/go:1.19
+      - image: docker.mirror.hashicorp.services/cimg/go:1.20
     parameters:
       nomad-version:
         type: enum
@@ -1110,34 +1110,34 @@ workflows:
       - go-test-lib:
           name: "go-test-envoyextensions"
           path: envoyextensions
-          go-version: "1.19"
+          go-version: "1.20"
           requires: [dev-build]
           <<: *filter-ignore-non-go-branches
       - go-test-lib:
           name: "go-test-troubleshoot"
           path: troubleshoot
-          go-version: "1.19"
+          go-version: "1.20"
           requires: [dev-build]
           <<: *filter-ignore-non-go-branches
       - go-test-lib:
-          name: "go-test-api go1.18"
+          name: "go-test-api go1.19"
           path: api
-          go-version: "1.18"
+          go-version: "1.19"
           requires: [dev-build]
       - go-test-lib:
-          name: "go-test-api go1.19"
+          name: "go-test-api go1.20"
           path: api
-          go-version: "1.19"
+          go-version: "1.20"
           requires: [dev-build]
       - go-test-lib:
-          name: "go-test-sdk go1.18"
+          name: "go-test-sdk go1.19"
           path: sdk
-          go-version: "1.18"
+          go-version: "1.19"
           <<: *filter-ignore-non-go-branches
       - go-test-lib:
-          name: "go-test-sdk go1.19"
+          name: "go-test-sdk go1.20"
           path: sdk
-          go-version: "1.19"
+          go-version: "1.20"
           <<: *filter-ignore-non-go-branches
       - go-test-race: *filter-ignore-non-go-branches
       - go-test-32bit: *filter-ignore-non-go-branches

.github/workflows/build.yml

@@ -79,15 +79,15 @@ jobs:
     strategy:
       matrix:
         include:
-          - {go: "1.19.4", goos: "linux", goarch: "386"}
-          - {go: "1.19.4", goos: "linux", goarch: "amd64"}
-          - {go: "1.19.4", goos: "linux", goarch: "arm"}
-          - {go: "1.19.4", goos: "linux", goarch: "arm64"}
-          - {go: "1.19.4", goos: "freebsd", goarch: "386"}
-          - {go: "1.19.4", goos: "freebsd", goarch: "amd64"}
-          - {go: "1.19.4", goos: "windows", goarch: "386"}
-          - {go: "1.19.4", goos: "windows", goarch: "amd64"}
-          - {go: "1.19.4", goos: "solaris", goarch: "amd64"}
+          - {go: "1.20.1", goos: "linux", goarch: "386"}
+          - {go: "1.20.1", goos: "linux", goarch: "amd64"}
+          - {go: "1.20.1", goos: "linux", goarch: "arm"}
+          - {go: "1.20.1", goos: "linux", goarch: "arm64"}
+          - {go: "1.20.1", goos: "freebsd", goarch: "386"}
+          - {go: "1.20.1", goos: "freebsd", goarch: "amd64"}
+          - {go: "1.20.1", goos: "windows", goarch: "386"}
+          - {go: "1.20.1", goos: "windows", goarch: "amd64"}
+          - {go: "1.20.1", goos: "solaris", goarch: "amd64"}
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@@ -176,7 +176,7 @@ jobs:
       matrix:
         goos: [ darwin ]
         goarch: [ "amd64", "arm64" ]
-        go: [ "1.19.4" ]
+        go: [ "1.20.1" ]
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build

.github/workflows/nightly-test-1.15.x.yaml → .github/workflows/nightly-test-1.11.x.yaml

@@ -1,13 +1,13 @@
-name: Nightly Test 1.15.x
+name: Nightly Test 1.11.x
 on:
   schedule:
     - cron: '0 4 * * *'
   workflow_dispatch: {}
 
 env:
   EMBER_PARTITION_TOTAL: 4      # Has to be changed in tandem with the matrix.partition
-  BRANCH: "release/1.15.x"
-  BRANCH_NAME: "release/1.15.x" # Used for naming artifacts
+  BRANCH: "release/1.11.x"
+  BRANCH_NAME: "release-1.11.x" # Used for naming artifacts
 
 jobs:
   frontend-test-workspace-node:

GNUmakefile

@@ -7,11 +7,11 @@ SHELL = bash
 # These version variables can either be a valid string for "go install <module>@<version>"
 # or the string @DEV to imply use what is currently installed locally.
 ###
-GOLANGCI_LINT_VERSION='v1.50.1'
-MOCKERY_VERSION='v2.15.0'
+GOLANGCI_LINT_VERSION='v1.51.1'
+MOCKERY_VERSION='v2.20.0'
 BUF_VERSION='v1.4.0'
 PROTOC_GEN_GO_GRPC_VERSION="v1.2.0"
-MOG_VERSION='v0.3.0'
+MOG_VERSION='v0.4.0'
 PROTOC_GO_INJECT_TAG_VERSION='v1.3.0'
 PROTOC_GEN_GO_BINARY_VERSION="v0.1.0"
 DEEP_COPY_VERSION='bc3f5aa5735d8a54961580a3a24422c308c831c2'

agent/agent_test.go

@@ -4,12 +4,13 @@ import (
 	"bytes"
 	"context"
 	"crypto/md5"
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"math/rand"
+	mathrand "math/rand"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -752,7 +753,7 @@ func testAgent_AddServices_AliasUpdateCheckNotReverted(t *testing.T, extraHCL st
 
 func test_createAlias(t *testing.T, agent *TestAgent, chk *structs.CheckType, expectedResult string) func(r *retry.R) {
 	t.Helper()
-	serviceNum := rand.Int()
+	serviceNum := mathrand.Int()
 	srv := &structs.NodeService{
 		Service: fmt.Sprintf("serviceAlias-%d", serviceNum),
 		Tags:    []string{"tag1"},

agent/consul/auto_config_endpoint_test.go

@@ -3,12 +3,11 @@ package consul
 import (
 	"bytes"
 	"crypto"
-	crand "crypto/rand"
+	"crypto/rand"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
-	"math/rand"
 	"net"
 	"net/url"
 	"os"
@@ -884,7 +883,7 @@ func TestAutoConfig_parseAutoConfigCSR(t *testing.T) {
 	// customizations to allow for better unit testing.
 	createCSR := func(tmpl *x509.CertificateRequest, privateKey crypto.Signer) (string, error) {
 		connect.HackSANExtensionForCSR(tmpl)
-		bs, err := x509.CreateCertificateRequest(crand.Reader, tmpl, privateKey)
+		bs, err := x509.CreateCertificateRequest(rand.Reader, tmpl, privateKey)
 		require.NoError(t, err)
 		var csrBuf bytes.Buffer
 		err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})

agent/consul/discoverychain/gateway.go

@@ -17,6 +17,7 @@ type GatewayChainSynthesizer struct {
 	trustDomain       string
 	suffix            string
 	gateway           *structs.APIGatewayConfigEntry
+	hostname          string
 	matchesByHostname map[string][]hostnameMatch
 	tcpRoutes         []structs.TCPRouteConfigEntry
 }
@@ -44,17 +45,17 @@ func (l *GatewayChainSynthesizer) AddTCPRoute(route structs.TCPRouteConfigEntry)
 	l.tcpRoutes = append(l.tcpRoutes, route)
 }
 
+// SetHostname sets the base hostname for a listener that this is being synthesized for
+func (l *GatewayChainSynthesizer) SetHostname(hostname string) {
+	l.hostname = hostname
+}
+
 // AddHTTPRoute takes a new route and flattens its rule matches out per hostname.
 // This is required since a single route can specify multiple hostnames, and a
 // single hostname can be specified in multiple routes. Routing for a given
 // hostname must behave based on the aggregate of all rules that apply to it.
 func (l *GatewayChainSynthesizer) AddHTTPRoute(route structs.HTTPRouteConfigEntry) {
-	hostnames := route.Hostnames
-	if len(route.Hostnames) == 0 {
-		// add a wildcard if there are no explicit hostnames set
-		hostnames = append(hostnames, "*")
-	}
-
+	hostnames := route.FilteredHostnames(l.hostname)
 	for _, host := range hostnames {
 		matches, ok := l.matchesByHostname[host]
 		if !ok {

agent/consul/discoverychain/gateway_test.go

@@ -459,6 +459,7 @@ func TestGatewayChainSynthesizer_AddHTTPRoute(t *testing.T) {
 
 			gatewayChainSynthesizer := NewGatewayChainSynthesizer(datacenter, "domain", "suffix", gateway)
 
+			gatewayChainSynthesizer.SetHostname("*")
 			gatewayChainSynthesizer.AddHTTPRoute(tc.route)
 
 			require.Equal(t, tc.expectedMatchesByHostname, gatewayChainSynthesizer.matchesByHostname)
@@ -621,6 +622,8 @@ func TestGatewayChainSynthesizer_Synthesize(t *testing.T) {
 
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
+			tc.synthesizer.SetHostname("*")
+
 			for _, tcpRoute := range tc.tcpRoutes {
 				tc.synthesizer.AddTCPRoute(*tcpRoute)
 			}

agent/consul/gateways/controller_gateways.go

@@ -701,6 +701,14 @@ func (g *gatewayMeta) bindRoute(listener *structs.APIGatewayListener, bound *str
 		return false, nil
 	}
 
+	if route, ok := route.(*structs.HTTPRouteConfigEntry); ok {
+		// check our hostnames
+		hostnames := route.FilteredHostnames(listener.GetHostname())
+		if len(hostnames) == 0 {
+			return false, fmt.Errorf("failed to bind route to gateway %s: listener %s is does not have any hostnames that match the route", route.GetName(), g.Gateway.Name)
+		}
+	}
+
 	if listener.Protocol == route.GetProtocol() && bound.BindRoute(structs.ResourceReference{
 		Kind:           route.GetKind(),
 		Name:           route.GetName(),

agent/consul/internal_endpoint_test.go

@@ -1,9 +1,9 @@
 package consul
 
 import (
+	"crypto/rand"
 	"encoding/base64"
 	"fmt"
-	"math/rand"
 	"os"
 	"strings"
 	"testing"

agent/consul/leader_peering_test.go

@@ -478,15 +478,15 @@ func TestLeader_PeeringSync_FailsForTLSError(t *testing.T) {
 	t.Run("server-name-validation", func(t *testing.T) {
 		testLeader_PeeringSync_failsForTLSError(t, func(token *structs.PeeringToken) {
 			token.ServerName = "wrong.name"
-		}, `transport: authentication handshake failed: x509: certificate is valid for server.dc1.peering.11111111-2222-3333-4444-555555555555.consul, not wrong.name`)
+		}, `transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for server.dc1.peering.11111111-2222-3333-4444-555555555555.consul, not wrong.name`)
 	})
 	t.Run("bad-ca-roots", func(t *testing.T) {
 		wrongRoot, err := os.ReadFile("../../test/client_certs/rootca.crt")
 		require.NoError(t, err)
 
 		testLeader_PeeringSync_failsForTLSError(t, func(token *structs.PeeringToken) {
 			token.CA = []string{string(wrongRoot)}
-		}, `transport: authentication handshake failed: x509: certificate signed by unknown authority`)
+		}, `transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority`)
 	})
 }
 

agent/consul/state/acl_test.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
-	"github.com/hashicorp/consul/lib"
 	"github.com/hashicorp/consul/proto/pbacl"
 )
 
@@ -3570,7 +3569,6 @@ func TestStateStore_ACLPolicies_Snapshot_Restore(t *testing.T) {
 }
 
 func TestTokenPoliciesIndex(t *testing.T) {
-	lib.SeedMathRand()
 
 	idIndex := &memdb.IndexSchema{
 		Name:         "id",

agent/coordinate_endpoint_test.go

@@ -40,9 +40,9 @@ func TestCoordinate_Disabled_Response(t *testing.T) {
 			req, _ := http.NewRequest("PUT", "/should/not/care", nil)
 			resp := httptest.NewRecorder()
 			obj, err := tt(resp, req)
-			if err, ok := err.(HTTPError); ok {
-				if err.StatusCode != 401 {
-					t.Fatalf("expected status 401 but got %d", err.StatusCode)
+			if httpErr, ok := err.(HTTPError); ok {
+				if httpErr.StatusCode != 401 {
+					t.Fatalf("expected status 401 but got %d", httpErr.StatusCode)
 				}
 			} else {
 				t.Fatalf("expected HTTP error but got %v", err)

agent/grpc-external/limiter/limiter_test.go

@@ -8,12 +8,8 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
-
-	"github.com/hashicorp/consul/lib"
 )
 
-func init() { lib.SeedMathRand() }
-
 func TestSessionLimiter(t *testing.T) {
 	lim := NewSessionLimiter()
 

agent/prepared_query_endpoint_test.go

@@ -13,9 +13,10 @@ import (
 
 	"github.com/hashicorp/consul/testrpc"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/types"
-	"github.com/stretchr/testify/require"
 )
 
 // MockPreparedQuery is a fake endpoint that we inject into the Consul server
@@ -628,9 +629,9 @@ func TestPreparedQuery_Execute(t *testing.T) {
 		req, _ := http.NewRequest("GET", "/v1/query/not-there/execute", body)
 		resp := httptest.NewRecorder()
 		_, err := a.srv.PreparedQuerySpecific(resp, req)
-		if err, ok := err.(HTTPError); ok {
-			if err.StatusCode != 404 {
-				t.Fatalf("expected status 404 but got %d", err.StatusCode)
+		if httpErr, ok := err.(HTTPError); ok {
+			if httpErr.StatusCode != 404 {
+				t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
 			}
 		} else {
 			t.Fatalf("expected HTTP error but got %v", err)
@@ -768,9 +769,9 @@ func TestPreparedQuery_Explain(t *testing.T) {
 		req, _ := http.NewRequest("GET", "/v1/query/not-there/explain", body)
 		resp := httptest.NewRecorder()
 		_, err := a.srv.PreparedQuerySpecific(resp, req)
-		if err, ok := err.(HTTPError); ok {
-			if err.StatusCode != 404 {
-				t.Fatalf("expected status 404 but got %d", err.StatusCode)
+		if httpErr, ok := err.(HTTPError); ok {
+			if httpErr.StatusCode != 404 {
+				t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
 			}
 		} else {
 			t.Fatalf("expected HTTP error but got %v", err)
@@ -862,9 +863,9 @@ func TestPreparedQuery_Get(t *testing.T) {
 		req, _ := http.NewRequest("GET", "/v1/query/f004177f-2c28-83b7-4229-eacc25fe55d1", body)
 		resp := httptest.NewRecorder()
 		_, err := a.srv.PreparedQuerySpecific(resp, req)
-		if err, ok := err.(HTTPError); ok {
-			if err.StatusCode != 404 {
-				t.Fatalf("expected status 404 but got %d", err.StatusCode)
+		if httpErr, ok := err.(HTTPError); ok {
+			if httpErr.StatusCode != 404 {
+				t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
 			}
 		} else {
 			t.Fatalf("expected HTTP error but got %v", err)