Use mcdsl/terminal for all password prompts
Replace direct golang.org/x/term calls with mcdsl/terminal.ReadPassword across mciasctl (6 sites), mciasgrpcctl (1 site), and mciasdb (1 site). Aligns with the new CLI security standard in engineering-standards.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
28
vendor/google.golang.org/grpc/credentials/credentials.go
generated
vendored
28
vendor/google.golang.org/grpc/credentials/credentials.go
generated
vendored
@@ -44,8 +44,7 @@ type PerRPCCredentials interface {
|
||||
// A54). uri is the URI of the entry point for the request. When supported
|
||||
// by the underlying implementation, ctx can be used for timeout and
|
||||
// cancellation. Additionally, RequestInfo data will be available via ctx
|
||||
// to this call. TODO(zhaoq): Define the set of the qualified keys instead
|
||||
// of leaving it as an arbitrary string.
|
||||
// to this call.
|
||||
GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
|
||||
// RequireTransportSecurity indicates whether the credentials requires
|
||||
// transport security.
|
||||
@@ -96,10 +95,11 @@ func (c CommonAuthInfo) GetCommonAuthInfo() CommonAuthInfo {
|
||||
return c
|
||||
}
|
||||
|
||||
// ProtocolInfo provides information regarding the gRPC wire protocol version,
|
||||
// security protocol, security protocol version in use, server name, etc.
|
||||
// ProtocolInfo provides static information regarding transport credentials.
|
||||
type ProtocolInfo struct {
|
||||
// ProtocolVersion is the gRPC wire protocol version.
|
||||
//
|
||||
// Deprecated: this is unused by gRPC.
|
||||
ProtocolVersion string
|
||||
// SecurityProtocol is the security protocol in use.
|
||||
SecurityProtocol string
|
||||
@@ -109,7 +109,16 @@ type ProtocolInfo struct {
|
||||
//
|
||||
// Deprecated: please use Peer.AuthInfo.
|
||||
SecurityVersion string
|
||||
// ServerName is the user-configured server name.
|
||||
// ServerName is the user-configured server name. If set, this overrides
|
||||
// the default :authority header used for all RPCs on the channel using the
|
||||
// containing credentials, unless grpc.WithAuthority is set on the channel,
|
||||
// in which case that setting will take precedence.
|
||||
//
|
||||
// This must be a valid `:authority` header according to
|
||||
// [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2).
|
||||
//
|
||||
// Deprecated: Users should use grpc.WithAuthority to override the authority
|
||||
// on a channel instead of configuring the credentials.
|
||||
ServerName string
|
||||
}
|
||||
|
||||
@@ -173,12 +182,17 @@ type TransportCredentials interface {
|
||||
// Clone makes a copy of this TransportCredentials.
|
||||
Clone() TransportCredentials
|
||||
// OverrideServerName specifies the value used for the following:
|
||||
//
|
||||
// - verifying the hostname on the returned certificates
|
||||
// - as SNI in the client's handshake to support virtual hosting
|
||||
// - as the value for `:authority` header at stream creation time
|
||||
//
|
||||
// Deprecated: use grpc.WithAuthority instead. Will be supported
|
||||
// throughout 1.x.
|
||||
// The provided string should be a valid `:authority` header according to
|
||||
// [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2).
|
||||
//
|
||||
// Deprecated: this method is unused by gRPC. Users should use
|
||||
// grpc.WithAuthority to override the authority on a channel instead of
|
||||
// configuring the credentials.
|
||||
OverrideServerName(string) error
|
||||
}
|
||||
|
||||
|
||||
36
vendor/google.golang.org/grpc/credentials/tls.go
generated
vendored
36
vendor/google.golang.org/grpc/credentials/tls.go
generated
vendored
@@ -56,9 +56,13 @@ func (t TLSInfo) AuthType() string {
|
||||
// non-nil error if the validation fails.
|
||||
func (t TLSInfo) ValidateAuthority(authority string) error {
|
||||
var errs []error
|
||||
host, _, err := net.SplitHostPort(authority)
|
||||
if err != nil {
|
||||
host = authority
|
||||
}
|
||||
for _, cert := range t.State.PeerCertificates {
|
||||
var err error
|
||||
if err = cert.VerifyHostname(authority); err == nil {
|
||||
if err = cert.VerifyHostname(host); err == nil {
|
||||
return nil
|
||||
}
|
||||
errs = append(errs, err)
|
||||
@@ -110,14 +114,14 @@ func (c tlsCreds) Info() ProtocolInfo {
|
||||
func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) {
|
||||
// use local cfg to avoid clobbering ServerName if using multiple endpoints
|
||||
cfg := credinternal.CloneTLSConfig(c.config)
|
||||
if cfg.ServerName == "" {
|
||||
serverName, _, err := net.SplitHostPort(authority)
|
||||
if err != nil {
|
||||
// If the authority had no host port or if the authority cannot be parsed, use it as-is.
|
||||
serverName = authority
|
||||
}
|
||||
cfg.ServerName = serverName
|
||||
|
||||
serverName, _, err := net.SplitHostPort(authority)
|
||||
if err != nil {
|
||||
// If the authority had no host port or if the authority cannot be parsed, use it as-is.
|
||||
serverName = authority
|
||||
}
|
||||
cfg.ServerName = serverName
|
||||
|
||||
conn := tls.Client(rawConn, cfg)
|
||||
errChannel := make(chan error, 1)
|
||||
go func() {
|
||||
@@ -259,9 +263,11 @@ func applyDefaults(c *tls.Config) *tls.Config {
|
||||
// certificates to establish the identity of the client need to be included in
|
||||
// the credentials (eg: for mTLS), use NewTLS instead, where a complete
|
||||
// tls.Config can be specified.
|
||||
// serverNameOverride is for testing only. If set to a non empty string,
|
||||
// it will override the virtual host name of authority (e.g. :authority header
|
||||
// field) in requests.
|
||||
//
|
||||
// serverNameOverride is for testing only. If set to a non empty string, it will
|
||||
// override the virtual host name of authority (e.g. :authority header field) in
|
||||
// requests. Users should use grpc.WithAuthority passed to grpc.NewClient to
|
||||
// override the authority of the client instead.
|
||||
func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials {
|
||||
return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp})
|
||||
}
|
||||
@@ -271,9 +277,11 @@ func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) Transpor
|
||||
// certificates to establish the identity of the client need to be included in
|
||||
// the credentials (eg: for mTLS), use NewTLS instead, where a complete
|
||||
// tls.Config can be specified.
|
||||
// serverNameOverride is for testing only. If set to a non empty string,
|
||||
// it will override the virtual host name of authority (e.g. :authority header
|
||||
// field) in requests.
|
||||
//
|
||||
// serverNameOverride is for testing only. If set to a non empty string, it will
|
||||
// override the virtual host name of authority (e.g. :authority header field) in
|
||||
// requests. Users should use grpc.WithAuthority passed to grpc.NewClient to
|
||||
// override the authority of the client instead.
|
||||
func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error) {
|
||||
b, err := os.ReadFile(certFile)
|
||||
if err != nil {
|
||||
|
||||
Reference in New Issue
Block a user