From 5168c6be20bf987f32e2518ca473b6122cc30f9f Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 25 Oct 2024 15:03:54 +0300 Subject: [PATCH] import grafana-10.2.6-7.el10 --- .gitignore | 3 + .grafana.metadata | 3 + ...li-script-with-distro-specific-paths.patch | 66 + SOURCES/0002-add-manpages.patch | 161 ++ .../0003-update-default-configuration.patch | 72 + ...4-remove-unused-backend-dependencies.patch | 62 + .../0005-remove-unused-frontend-crypto.patch | 333 +++ ...skip-marketplace-plugin-install-test.patch | 21 + SOURCES/0007-redact-weak-ciphers.patch | 30 + SOURCES/0008-replace-faulty-slices-sort.patch | 40 + ...appers-and-systemd-with-distro-paths.patch | 76 + SOURCES/0010-remove-bcrypt-references.patch | 108 + ...-vendor-patch-removed-backend-crypto.patch | 2134 +++++++++++++++++ .../1002-vendor-use-pbkdf2-from-OpenSSL.patch | 135 ++ .../1003-vendor-skip-goldenfiles-tests.patch | 18 + .../1004-vendor-Redacted-Url-in-logs.patch | 51 + SOURCES/build_frontend.sh | 20 + SOURCES/create_bundles.sh | 104 + SOURCES/create_bundles_in_container.sh | 24 + SOURCES/grafana.fc | 25 + SOURCES/grafana.if | 141 ++ SOURCES/grafana.sysusers | 2 + SOURCES/grafana.te | 207 ++ SOURCES/list_bundled_nodejs_packages.py | 72 + SPECS/grafana.spec | 1397 +++++++++++ 25 files changed, 5305 insertions(+) create mode 100644 .gitignore create mode 100644 .grafana.metadata create mode 100644 SOURCES/0001-update-grafana-cli-script-with-distro-specific-paths.patch create mode 100644 SOURCES/0002-add-manpages.patch create mode 100644 SOURCES/0003-update-default-configuration.patch create mode 100644 SOURCES/0004-remove-unused-backend-dependencies.patch create mode 100644 SOURCES/0005-remove-unused-frontend-crypto.patch create mode 100644 SOURCES/0006-skip-marketplace-plugin-install-test.patch create mode 100644 SOURCES/0007-redact-weak-ciphers.patch create mode 100644 SOURCES/0008-replace-faulty-slices-sort.patch create mode 100644 SOURCES/0009-update-wrappers-and-systemd-with-distro-paths.patch create mode 100644 SOURCES/0010-remove-bcrypt-references.patch create mode 100644 SOURCES/1001-vendor-patch-removed-backend-crypto.patch create mode 100644 SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch create mode 100644 SOURCES/1003-vendor-skip-goldenfiles-tests.patch create mode 100644 SOURCES/1004-vendor-Redacted-Url-in-logs.patch create mode 100755 SOURCES/build_frontend.sh create mode 100755 SOURCES/create_bundles.sh create mode 100755 SOURCES/create_bundles_in_container.sh create mode 100644 SOURCES/grafana.fc create mode 100644 SOURCES/grafana.if create mode 100644 SOURCES/grafana.sysusers create mode 100644 SOURCES/grafana.te create mode 100755 SOURCES/list_bundled_nodejs_packages.py create mode 100644 SPECS/grafana.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a6dbaab --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/grafana-10.2.6.tar.gz +SOURCES/grafana-vendor-10.2.6-2.tar.xz +SOURCES/grafana-webpack-10.2.6-2.tar.gz diff --git a/.grafana.metadata b/.grafana.metadata new file mode 100644 index 0000000..518f49a --- /dev/null +++ b/.grafana.metadata @@ -0,0 +1,3 @@ +5c65a9460e0d0ecff29e397b5889b4167f046142 SOURCES/grafana-10.2.6.tar.gz +1dbd3823c3004d7127fab43b82a0ca9e988922dc SOURCES/grafana-vendor-10.2.6-2.tar.xz +7229d7721cd93d95fde2a306ae775876053a05b0 SOURCES/grafana-webpack-10.2.6-2.tar.gz diff --git a/SOURCES/0001-update-grafana-cli-script-with-distro-specific-paths.patch b/SOURCES/0001-update-grafana-cli-script-with-distro-specific-paths.patch new file mode 100644 index 0000000..837d0ff --- /dev/null +++ b/SOURCES/0001-update-grafana-cli-script-with-distro-specific-paths.patch @@ -0,0 +1,66 @@ +From 1e47ea7adc316e2df3d0081c2c0ebe75ddd6bda0 Mon Sep 17 00:00:00 2001 +From: Andreas Gerstmayr +Date: Wed, 22 Jun 2022 16:57:52 +0200 +Subject: [PATCH] update grafana-cli script with distro-specific paths and + switch to grafana user + + +diff --git a/packaging/wrappers/grafana-cli b/packaging/wrappers/grafana-cli +index 7c6c46aef9..945714642b 100755 +--- a/packaging/wrappers/grafana-cli ++++ b/packaging/wrappers/grafana-cli +@@ -5,7 +5,7 @@ + # the system-wide Grafana configuration that was bundled with the package as we + # use the binary. + +-DEFAULT=/etc/default/grafana ++DEFAULT=/etc/sysconfig/grafana-server + + GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}" + +@@ -13,11 +13,12 @@ CONF_DIR=/etc/grafana + DATA_DIR=/var/lib/grafana + PLUGINS_DIR=/var/lib/grafana/plugins + LOG_DIR=/var/log/grafana ++LIBEXEC_DIR=/usr/libexec/grafana + + CONF_FILE=$CONF_DIR/grafana.ini + PROVISIONING_CFG_DIR=$CONF_DIR/provisioning + +-EXECUTABLE="$GRAFANA_HOME/bin/grafana" ++EXECUTABLE=$LIBEXEC_DIR/grafana-cli + + if [ ! -x $EXECUTABLE ]; then + echo "$EXECUTABLE not installed or not executable" +@@ -29,14 +30,23 @@ if [ -f "$DEFAULT" ]; then + . "$DEFAULT" + fi + +-OPTS="--homepath=${GRAFANA_HOME} \ +- --config=${CONF_FILE} \ +- --pluginsDir=${PLUGINS_DIR} \ +- --configOverrides='cfg:default.paths.provisioning=$PROVISIONING_CFG_DIR \ +- cfg:default.paths.data=${DATA_DIR} \ +- cfg:default.paths.logs=${LOG_DIR} \ +- cfg:default.paths.plugins=${PLUGINS_DIR}'" ++OPTS=("--homepath=${GRAFANA_HOME}" ++ "--config=${CONF_FILE}" ++ "--pluginsDir=${PLUGINS_DIR}" ++ "--configOverrides=cfg:default.paths.provisioning=$PROVISIONING_CFG_DIR \ ++ cfg:default.paths.data=${DATA_DIR} \ ++ cfg:default.paths.logs=${LOG_DIR} \ ++ cfg:default.paths.plugins=${PLUGINS_DIR}") + + CMD=cli + +-eval $EXECUTABLE "$CMD" "$OPTS" "$@" ++if [ "$(id -u)" -eq 0 -o "$(id -g)" -eq 0 ]; then ++ cd "${GRAFANA_HOME}" ++ exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "${OPTS[@]}" "$@" ++elif [ "$(id -u -n)" = "${GRAFANA_USER}" ]; then ++ cd "${GRAFANA_HOME}" ++ exec "$EXECUTABLE" "${OPTS[@]}" "$@" ++else ++ echo "$0: please run this script as user \"${GRAFANA_USER}\" or root." ++ exit 5 ++fi diff --git a/SOURCES/0002-add-manpages.patch b/SOURCES/0002-add-manpages.patch new file mode 100644 index 0000000..a059e0a --- /dev/null +++ b/SOURCES/0002-add-manpages.patch @@ -0,0 +1,161 @@ +From 5b6c18f715808f99c32550fc3b670fc5bf600f72 Mon Sep 17 00:00:00 2001 +From: Andreas Gerstmayr +Date: Wed, 22 Jun 2022 17:01:09 +0200 +Subject: [PATCH] add manpages + + +diff --git a/docs/man/man1/grafana-cli.1 b/docs/man/man1/grafana-cli.1 +new file mode 100644 +index 0000000000..39c0d5cee0 +--- /dev/null ++++ b/docs/man/man1/grafana-cli.1 +@@ -0,0 +1,63 @@ ++.TH GRAFANA "1" "September 2022" "Grafana cli version 9.0.9" "User Commands" ++.SH NAME ++grafana-cli \- command line administration for the Grafana metrics dashboard and graph editor ++.SH DESCRIPTION ++.SS "NAME:" ++.IP ++grafana-cli ++.SS "USAGE:" ++.IP ++\fBgrafana\-cli\fP [\fIglobal options\fP] \fIcommand\fP [\fIcommand options\fP] [\fIarguments\fP...] ++.SS "COMMANDS:" ++.TP ++plugins ++Manage plugins for grafana ++.TP ++admin ++Grafana admin commands ++.TP ++cue ++Cue validation commands ++.TP ++help, h ++Shows a list of commands or help for one command ++.SS "GLOBAL OPTIONS:" ++.TP ++\fB\-\-pluginsDir\fR value ++path to the grafana plugin directory (default: "/var/lib/grafana/plugins") [$GF_PLUGIN_DIR] ++.TP ++\fB\-\-repo\fR value ++url to the plugin repository (default: "https://grafana.com/api/plugins") [$GF_PLUGIN_REPO] ++.TP ++\fB\-\-pluginUrl\fR value ++Full url to the plugin zip file instead of downloading the plugin from grafana.com/api [$GF_PLUGIN_URL] ++.TP ++\fB\-\-insecure\fR ++Skip TLS verification (insecure) (default: false) ++.TP ++\fB\-\-debug\fR ++Enable debug logging (default: false) ++.TP ++\fB\-\-configOverrides\fR value ++Configuration options to override defaults as a string. e.g. cfg:default.paths.log=/dev/null ++.TP ++\fB\-\-homepath\fR value ++Path to Grafana install/home path, defaults to working directory ++.TP ++\fB\-\-config\fR value ++Path to config file ++.TP ++\fB\-\-help\fR, \fB\-h\fR ++show help ++.TP ++\fB\-\-version\fR, \fB\-v\fR ++print the version ++.SH "SEE ALSO" ++Additional documentation for ++.B grafana-cli ++is available on-line at ++.BR http://docs.grafana.org/administration/cli/ . ++The full documentation for ++.B Grafana ++is available on-line at ++.BR http://docs.grafana.org/ . +diff --git a/docs/man/man1/grafana-server.1 b/docs/man/man1/grafana-server.1 +new file mode 100644 +index 0000000000..683a2369cc +--- /dev/null ++++ b/docs/man/man1/grafana-server.1 +@@ -0,0 +1,80 @@ ++.TH VERSION "1" "September 2022" "Version 9.0.9" "User Commands" ++.SH NAME ++grafana-server \- back-end server for the Grafana metrics dashboard and graph editor ++.SH DESCRIPTION ++.B grafana-server ++is the back-end server for the Grafana metrics dashboard and graph editor. ++The ++.B grafana-server ++program should not normally be run from the command line, ++except when testing or for development purposes. ++Rather it should be managed by ++.BR systemd . ++After installing Grafana, the systemd service should be enabled and started as follows: ++.P ++.in 1i ++.B systemctl daemon-reload ++.br ++.B systemctl enable grafana-server.service ++.br ++.B systemctl start grafana-server.service ++.in ++.P ++.SH OPTIONS ++The ++.B grafana-server ++configuration is specified in ++.BR /etc/grafana/grafana.ini ++and is well documented with comments. ++The command-line options listed below override options of ++the same (or similar) name in the configuration file. ++.P ++.HP ++\fB\-config\fR string ++.IP ++path to config file ++.HP ++\fB\-homepath\fR string ++.IP ++path to grafana install/home path, defaults to working directory ++.HP ++\fB\-packaging\fR string ++.IP ++describes the way Grafana was installed (default "unknown") ++.HP ++\fB\-pidfile\fR string ++.IP ++path to pid file ++.HP ++\fB\-profile\fR ++.IP ++Turn on pprof profiling ++.HP ++\fB\-profile\-addr\fR string ++.IP ++Define custom address for profiling (default "localhost") ++.HP ++\fB\-profile\-port\fR uint ++.IP ++Define custom port for profiling (default 6060) ++.HP ++\fB\-tracing\fR ++.IP ++Turn on tracing ++.HP ++\fB\-tracing\-file\fR string ++.IP ++Define tracing output file (default "trace.out") ++.TP ++\fB\-v\fR ++.IP ++prints current version and exits ++.TP ++\fB\-vv\fR ++.IP ++prints current version, all dependencies and exits ++.SH "SEE ALSO" ++The full documentation for ++.B Grafana ++is available on-line at ++.BR http://docs.grafana.org/ . diff --git a/SOURCES/0003-update-default-configuration.patch b/SOURCES/0003-update-default-configuration.patch new file mode 100644 index 0000000..a0c961a --- /dev/null +++ b/SOURCES/0003-update-default-configuration.patch @@ -0,0 +1,72 @@ +From 026c4f235fd3bfc741304a5e12e13bd1c7b85eac Mon Sep 17 00:00:00 2001 +From: Andreas Gerstmayr +Date: Wed, 22 Jun 2022 17:05:48 +0200 +Subject: [PATCH] update default configuration + + +diff --git a/conf/defaults.ini b/conf/defaults.ini +index 9f7cf4a90b..e1e5468bfa 100644 +--- a/conf/defaults.ini ++++ b/conf/defaults.ini +@@ -240,7 +240,7 @@ user_agent = + # No ip addresses are being tracked, only simple counters to track + # running instances, dashboard and error counts. It is very helpful to us. + # Change this option to false to disable reporting. +-reporting_enabled = true ++reporting_enabled = false + + # The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs + reporting_distributor = grafana-labs +@@ -249,8 +249,8 @@ reporting_distributor = grafana-labs + # for new versions of grafana. The check is used + # in some UI views to notify that a grafana update exists. + # This option does not cause any auto updates, nor send any information +-# only a GET request to https://grafana.com/api/grafana/versions/stable to get the latest version. +-check_for_updates = true ++# only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version. ++check_for_updates = false + + # Set to false to disable all checks to https://grafana.com + # for new versions of plugins. The check is used +diff --git a/conf/sample.ini b/conf/sample.ini +index 916de769f9..2f270d4940 100644 +--- a/conf/sample.ini ++++ b/conf/sample.ini +@@ -247,7 +247,7 @@ + # No ip addresses are being tracked, only simple counters to track + # running instances, dashboard and error counts. It is very helpful to us. + # Change this option to false to disable reporting. +-;reporting_enabled = true ++;reporting_enabled = false + + # The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs + ;reporting_distributor = grafana-labs +@@ -256,8 +256,8 @@ + # for new versions of grafana. The check is used + # in some UI views to notify that a grafana update exists. + # This option does not cause any auto updates, nor send any information +-# only a GET request to https://grafana.com/api/grafana/versions/stable to get the latest version. +-;check_for_updates = true ++# only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version. ++;check_for_updates = false + + # Set to false to disable all checks to https://grafana.com + # for new versions of plugins. The check is used +@@ -427,7 +427,7 @@ + + # Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds. + # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m. +-;min_refresh_interval = 5s ++min_refresh_interval = 1s + + # Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json" + ;default_home_dashboard_path = +@@ -1411,7 +1411,7 @@ + ;enable_alpha = false + ;app_tls_skip_verify_insecure = false + # Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded. +-;allow_loading_unsigned_plugins = ++allow_loading_unsigned_plugins = performancecopilot-pcp-app,pcp-redis-datasource,pcp-vector-datasource,pcp-bpftrace-datasource,pcp-flamegraph-panel,pcp-breadcrumbs-panel,pcp-troubleshooting-panel,performancecopilot-redis-datasource,performancecopilot-vector-datasource,performancecopilot-bpftrace-datasource,performancecopilot-flamegraph-panel,performancecopilot-breadcrumbs-panel,performancecopilot-troubleshooting-panel + # Enable or disable installing / uninstalling / updating plugins directly from within Grafana. + ;plugin_admin_enabled = false + ;plugin_admin_external_manage_enabled = false diff --git a/SOURCES/0004-remove-unused-backend-dependencies.patch b/SOURCES/0004-remove-unused-backend-dependencies.patch new file mode 100644 index 0000000..1569748 --- /dev/null +++ b/SOURCES/0004-remove-unused-backend-dependencies.patch @@ -0,0 +1,62 @@ +From 076177ff583b8e6d92948e0a4ddde0e8992d09a3 Mon Sep 17 00:00:00 2001 +From: Andreas Gerstmayr +Date: Wed, 22 Jun 2022 17:18:56 +0200 +Subject: [PATCH] remove unused backend dependencies + +saml and gofpdf are not used in the OSS edition of Grafana +after editing `pkg/extensions/main.go`, run `go mod tidy` + +diff --git a/go.mod b/go.mod +index fcbc09da5e..82fdf39842 100644 +--- a/go.mod ++++ b/go.mod +@@ -45,7 +45,6 @@ require ( + github.com/blang/semver/v4 v4.0.0 // @grafana/grafana-release-guild + github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // @grafana/backend-platform + github.com/centrifugal/centrifuge v0.30.2 // @grafana/grafana-app-platform-squad +- github.com/crewjam/saml v0.4.13 // @grafana/grafana-authnz-team + github.com/fatih/color v1.15.0 // @grafana/backend-platform + github.com/gchaincl/sqlhooks v1.3.0 // @grafana/backend-platform + github.com/go-ldap/ldap/v3 v3.4.4 // @grafana/grafana-authnz-team +@@ -187,7 +186,6 @@ require ( + github.com/josharian/intern v1.0.0 // indirect + github.com/jpillora/backoff v1.0.0 // indirect + github.com/mailru/easyjson v0.7.7 // indirect +- github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect + github.com/mattetti/filebuffer v1.0.1 // indirect + github.com/mattn/go-runewidth v0.0.13 // indirect + github.com/miekg/dns v1.1.51 // indirect +diff --git a/go.sum b/go.sum +index d05dfb55fd..b160387abe 100644 +--- a/go.sum ++++ b/go.sum +@@ -1826,8 +1826,6 @@ github.com/grafana/pyroscope/api v0.3.0/go.mod h1:JggA80ToAAUACYGfwL49XoFk5aN5ec + github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A= + github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db h1:7aN5cccjIqCLTzedH7MZzRZt5/lsAHch6Z3L2ZGn5FA= + github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A= +-github.com/grafana/saml v0.4.15-0.20231025143828-a6c0e9b86a4c h1:1pHLC1ZTz7N5QI3jzCs5sqmVvAKe+JwGnpp9lQ+iUjY= +-github.com/grafana/saml v0.4.15-0.20231025143828-a6c0e9b86a4c/go.mod h1:S4+611dxnKt8z/ulbvaJzcgSHsuhjVc1QHNTcr1R7Fw= + github.com/grafana/sqlds/v2 v2.3.10 h1:HWKhE0vR6LoEiE+Is8CSZOgaB//D1yqb2ntkass9Fd4= + github.com/grafana/sqlds/v2 v2.3.10/go.mod h1:c6ibxnxRVGxV/0YkEgvy7QpQH/lyifFyV7K/14xvdIs= + github.com/grafana/tempo v1.5.1-0.20230524121406-1dc1bfe7085b h1:mDlkqgTEJuK7vjPG44f3ZMtId5AAYLWHvBVbiGqIOOQ= +@@ -2222,8 +2220,6 @@ github.com/markbates/sigtx v1.0.0/go.mod h1:QF1Hv6Ic6Ca6W+T+DL0Y/ypborFKyvUY9Hmu + github.com/markbates/willie v1.0.9/go.mod h1:fsrFVWl91+gXpx/6dv715j7i11fYPfZ9ZGfH0DQzY7w= + github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE= + github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= +-github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU= +-github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To= + github.com/mattetti/filebuffer v1.0.1 h1:gG7pyfnSIZCxdoKq+cPa8T0hhYtD9NxCdI4D7PTjRLM= + github.com/mattetti/filebuffer v1.0.1/go.mod h1:YdMURNDOttIiruleeVr6f56OrMc+MydEnTcXwtkxNVs= + github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +diff --git a/pkg/extensions/main.go b/pkg/extensions/main.go +index 327e208221..426aad2a21 100644 +--- a/pkg/extensions/main.go ++++ b/pkg/extensions/main.go +@@ -11,7 +11,6 @@ import ( + _ "github.com/beevik/etree" + _ "github.com/blugelabs/bluge" + _ "github.com/blugelabs/bluge_segment_api" +- _ "github.com/crewjam/saml" + _ "github.com/go-jose/go-jose/v3" + _ "github.com/gobwas/glob" + _ "github.com/googleapis/gax-go/v2" diff --git a/SOURCES/0005-remove-unused-frontend-crypto.patch b/SOURCES/0005-remove-unused-frontend-crypto.patch new file mode 100644 index 0000000..268eadb --- /dev/null +++ b/SOURCES/0005-remove-unused-frontend-crypto.patch @@ -0,0 +1,333 @@ +From ddd615152004e0bc5985a574c05d31778351dfa3 Mon Sep 17 00:00:00 2001 +From: Andreas Gerstmayr +Date: Wed, 22 Jun 2022 17:36:47 +0200 +Subject: [PATCH] remove unused frontend crypto + +update `package.json` and then run `yarn install` to update the +`yarn.lock` lockfile + +diff --git a/package.json b/package.json +index 38deb6d7de..aad5e88bf0 100644 +--- a/package.json ++++ b/package.json +@@ -425,6 +425,9 @@ + "resolutions": { + "underscore": "1.13.6", + "@types/slate": "0.47.11", ++ "crypto-browserify": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz", ++ "selfsigned": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz", ++ "http-signature": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz", + "ngtemplate-loader/loader-utils": "^2.0.0", + "semver@~7.0.0": "7.5.4", + "semver@7.3.4": "7.5.4", +diff --git a/yarn.lock b/yarn.lock +index bf22ba52a1..1552ddc052 100644 +--- a/yarn.lock ++++ b/yarn.lock +@@ -10935,22 +10935,6 @@ __metadata: + languageName: node + linkType: hard + +-"asn1@npm:~0.2.3": +- version: 0.2.6 +- resolution: "asn1@npm:0.2.6" +- dependencies: +- safer-buffer: "npm:~2.1.0" +- checksum: cf629291fee6c1a6f530549939433ebf32200d7849f38b810ff26ee74235e845c0c12b2ed0f1607ac17383d19b219b69cefa009b920dab57924c5c544e495078 +- languageName: node +- linkType: hard +- +-"assert-plus@npm:1.0.0, assert-plus@npm:^1.0.0": +- version: 1.0.0 +- resolution: "assert-plus@npm:1.0.0" +- checksum: f4f991ae2df849cc678b1afba52d512a7cbf0d09613ba111e72255409ff9158550c775162a47b12d015d1b82b3c273e8e25df0e4783d3ddb008a293486d00a07 +- languageName: node +- linkType: hard +- + "assert@npm:2.0.0, assert@npm:^2.0.0": + version: 2.0.0 + resolution: "assert@npm:2.0.0" +@@ -11427,15 +11411,6 @@ __metadata: + languageName: node + linkType: hard + +-"bcrypt-pbkdf@npm:^1.0.0": +- version: 1.0.2 +- resolution: "bcrypt-pbkdf@npm:1.0.2" +- dependencies: +- tweetnacl: "npm:^0.14.3" +- checksum: 13a4cde058250dbf1fa77a4f1b9a07d32ae2e3b9e28e88a0c7a1827835bc3482f3e478c4a0cfd4da6ff0c46dae07da1061123a995372b32cc563d9975f975404 +- languageName: node +- linkType: hard +- + "before-after-hook@npm:^2.2.0": + version: 2.2.2 + resolution: "before-after-hook@npm:2.2.2" +@@ -12929,13 +12904,6 @@ __metadata: + languageName: node + linkType: hard + +-"core-util-is@npm:1.0.2": +- version: 1.0.2 +- resolution: "core-util-is@npm:1.0.2" +- checksum: d0f7587346b44a1fe6c269267e037dd34b4787191e473c3e685f507229d88561c40eb18872fabfff02977301815d474300b7bfbd15396c13c5377393f7e87ec3 +- languageName: node +- linkType: hard +- + "core-util-is@npm:~1.0.0": + version: 1.0.3 + resolution: "core-util-is@npm:1.0.3" +@@ -13857,15 +13825,6 @@ __metadata: + languageName: node + linkType: hard + +-"dashdash@npm:^1.12.0": +- version: 1.14.1 +- resolution: "dashdash@npm:1.14.1" +- dependencies: +- assert-plus: "npm:^1.0.0" +- checksum: 137b287fa021201ce100cef772c8eeeaaafdd2aa7282864022acf3b873021e54cb809e9c060fa164840bf54ff72d00d6e2d8da1ee5a86d7200eeefa1123a8f7f +- languageName: node +- linkType: hard +- + "data-urls@npm:^3.0.2": + version: 3.0.2 + resolution: "data-urls@npm:3.0.2" +@@ -14573,16 +14532,6 @@ __metadata: + languageName: node + linkType: hard + +-"ecc-jsbn@npm:~0.1.1": +- version: 0.1.2 +- resolution: "ecc-jsbn@npm:0.1.2" +- dependencies: +- jsbn: "npm:~0.1.0" +- safer-buffer: "npm:^2.1.0" +- checksum: d43591f2396196266e186e6d6928038cc11c76c3699a912cb9c13757060f7bbc7f17f47c4cb16168cdeacffc7965aef021142577e646fb3cb88810c15173eb57 +- languageName: node +- linkType: hard +- + "ee-first@npm:1.1.1": + version: 1.1.1 + resolution: "ee-first@npm:1.1.1" +@@ -15991,20 +15940,6 @@ __metadata: + languageName: node + linkType: hard + +-"extsprintf@npm:1.3.0": +- version: 1.3.0 +- resolution: "extsprintf@npm:1.3.0" +- checksum: 26967d6c7ecbfb5bc5b7a6c43503dc5fafd9454802037e9fa1665e41f615da4ff5918bd6cb871a3beabed01a31eca1ccd0bdfb41231f50ad50d405a430f78377 +- languageName: node +- linkType: hard +- +-"extsprintf@npm:^1.2.0": +- version: 1.4.1 +- resolution: "extsprintf@npm:1.4.1" +- checksum: bfd6d55f3c0c04d826fe0213264b383c03f32825af6b1ff777f3f2dc49467e599361993568d75b7b19a8ea1bb08c8e7cd8c3d87d179ced91bb0dcf81ca6938e0 +- languageName: node +- linkType: hard +- + "fast-deep-equal@npm:^3.1.1, fast-deep-equal@npm:^3.1.3": + version: 3.1.3 + resolution: "fast-deep-equal@npm:3.1.3" +@@ -16916,15 +16851,6 @@ __metadata: + languageName: node + linkType: hard + +-"getpass@npm:^0.1.1": +- version: 0.1.7 +- resolution: "getpass@npm:0.1.7" +- dependencies: +- assert-plus: "npm:^1.0.0" +- checksum: ab18d55661db264e3eac6012c2d3daeafaab7a501c035ae0ccb193c3c23e9849c6e29b6ac762b9c2adae460266f925d55a3a2a3a3c8b94be2f222df94d70c046 +- languageName: node +- linkType: hard +- + "giget@npm:^1.0.0": + version: 1.1.2 + resolution: "giget@npm:1.1.2" +@@ -18263,25 +18189,10 @@ __metadata: + languageName: node + linkType: hard + +-"http-signature@npm:~1.2.0": +- version: 1.2.0 +- resolution: "http-signature@npm:1.2.0" +- dependencies: +- assert-plus: "npm:^1.0.0" +- jsprim: "npm:^1.2.2" +- sshpk: "npm:^1.7.0" +- checksum: 2ff7112e6b0d8f08b382dfe705078c655501f2ddd76cf589d108445a9dd388a0a9be928c37108261519a7f53e6bbd1651048d74057b804807cce1ec49e87a95b +- languageName: node +- linkType: hard +- +-"http-signature@npm:~1.3.6": +- version: 1.3.6 +- resolution: "http-signature@npm:1.3.6" +- dependencies: +- assert-plus: "npm:^1.0.0" +- jsprim: "npm:^2.0.2" +- sshpk: "npm:^1.14.1" +- checksum: 5f08e0c82174999da97114facb0d0d47e268d60b6fc10f92cb87b99d5ccccd36f79b9508c29dda0b4f4e3a1b2f7bcaf847e68ecd5da2f1fc465fcd1d054b7884 ++"http-signature@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz": ++ version: 1.1.3 ++ resolution: "http-signature@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz" ++ checksum: 78b64605540e2d25bede2d74ec9e7740ab9a466c9a562ae3a8ccc7e07e26e601a013859c94adf890679403cd337b9690f598d64bc4fbc1d2eaa2f27241ca08a1 + languageName: node + linkType: hard + +@@ -20609,13 +20520,6 @@ __metadata: + languageName: node + linkType: hard + +-"jsbn@npm:~0.1.0": +- version: 0.1.1 +- resolution: "jsbn@npm:0.1.1" +- checksum: 5450133242845100e694f0ef9175f44c012691a9b770b2571e677314e6f70600abb10777cdfc9a0c6a9f2ac6d134577403633de73e2fcd0f97875a67744e2d14 +- languageName: node +- linkType: hard +- + "jscodeshift@npm:^0.14.0": + version: 0.14.0 + resolution: "jscodeshift@npm:0.14.0" +@@ -20767,13 +20671,6 @@ __metadata: + languageName: node + linkType: hard + +-"json-schema@npm:0.4.0": +- version: 0.4.0 +- resolution: "json-schema@npm:0.4.0" +- checksum: 8b3b64eff4a807dc2a3045b104ed1b9335cd8d57aa74c58718f07f0f48b8baa3293b00af4dcfbdc9144c3aafea1e97982cc27cc8e150fc5d93c540649507a458 +- languageName: node +- linkType: hard +- + "json-source-map@npm:0.6.1": + version: 0.6.1 + resolution: "json-source-map@npm:0.6.1" +@@ -20886,30 +20783,6 @@ __metadata: + languageName: node + linkType: hard + +-"jsprim@npm:^1.2.2": +- version: 1.4.2 +- resolution: "jsprim@npm:1.4.2" +- dependencies: +- assert-plus: "npm:1.0.0" +- extsprintf: "npm:1.3.0" +- json-schema: "npm:0.4.0" +- verror: "npm:1.10.0" +- checksum: df2bf234eab1b5078d01bcbff3553d50a243f7b5c10a169745efeda6344d62798bd1d85bcca6a8446f3b5d0495e989db45f9de8dae219f0f9796e70e0c776089 +- languageName: node +- linkType: hard +- +-"jsprim@npm:^2.0.2": +- version: 2.0.2 +- resolution: "jsprim@npm:2.0.2" +- dependencies: +- assert-plus: "npm:1.0.0" +- extsprintf: "npm:1.3.0" +- json-schema: "npm:0.4.0" +- verror: "npm:1.10.0" +- checksum: fcfca5b55f83e1b8be5f932c71754bd37afd2611f81685abd05689e8ce718a91155ff7bd5b94c65ce483a787b5c43c6d0c18c1d2259fca5bb61a3f8ea2e29c0a +- languageName: node +- linkType: hard +- + "jsurl@npm:^0.1.5": + version: 0.1.5 + resolution: "jsurl@npm:0.1.5" +@@ -22734,7 +22607,7 @@ __metadata: + languageName: node + linkType: hard + +-"node-forge@npm:^1, node-forge@npm:^1.3.1": ++"node-forge@npm:^1.3.1": + version: 1.3.1 + resolution: "node-forge@npm:1.3.1" + checksum: 05bab6868633bf9ad4c3b1dd50ec501c22ffd69f556cdf169a00998ca1d03e8107a6032ba013852f202035372021b845603aeccd7dfcb58cdb7430013b3daa8d +@@ -27151,7 +27024,7 @@ __metadata: + languageName: node + linkType: hard + +-"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0, safer-buffer@npm:^2.0.2, safer-buffer@npm:^2.1.0, safer-buffer@npm:~2.1.0": ++"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0": + version: 2.1.2 + resolution: "safer-buffer@npm:2.1.2" + checksum: 7eaf7a0cf37cc27b42fb3ef6a9b1df6e93a1c6d98c6c6702b02fe262d5fcbd89db63320793b99b21cb5348097d0a53de81bd5f4e8b86e20cc9412e3f1cfb4e83 +@@ -27282,12 +27155,10 @@ __metadata: + languageName: node + linkType: hard + +-"selfsigned@npm:^2.1.1": +- version: 2.1.1 +- resolution: "selfsigned@npm:2.1.1" +- dependencies: +- node-forge: "npm:^1" +- checksum: 6005206e0d005448274aceceaded5195b944f67a42b72d212a6169d2e5f4bdc87c15a3fe45732c544db8c7175702091aaf95403ad6632585294a6ec8cca63638 ++"selfsigned@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz": ++ version: 1.1.3 ++ resolution: "selfsigned@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz" ++ checksum: 4988a0dbdf123fb808194a6198f5951e2df711de6fd967d72a8876baccaa23d5c260efb8f1dbfbc5bf1f852e81f897ad09267908977ab94862867ef971a3d48d + languageName: node + linkType: hard + +@@ -28053,27 +27924,6 @@ __metadata: + languageName: node + linkType: hard + +-"sshpk@npm:^1.14.1, sshpk@npm:^1.7.0": +- version: 1.17.0 +- resolution: "sshpk@npm:1.17.0" +- dependencies: +- asn1: "npm:~0.2.3" +- assert-plus: "npm:^1.0.0" +- bcrypt-pbkdf: "npm:^1.0.0" +- dashdash: "npm:^1.12.0" +- ecc-jsbn: "npm:~0.1.1" +- getpass: "npm:^0.1.1" +- jsbn: "npm:~0.1.0" +- safer-buffer: "npm:^2.0.2" +- tweetnacl: "npm:~0.14.0" +- bin: +- sshpk-conv: bin/sshpk-conv +- sshpk-sign: bin/sshpk-sign +- sshpk-verify: bin/sshpk-verify +- checksum: 668c2a279a6ce66fd739ce5684e37927dd75427cc020c828a208f85890a4c400705d4ba09f32fa44efca894339dc6931941664f6f6ba36dfa543de6d006cbe9c +- languageName: node +- linkType: hard +- + "ssri@npm:^10.0.0, ssri@npm:^10.0.1": + version: 10.0.5 + resolution: "ssri@npm:10.0.5" +@@ -29479,13 +29329,6 @@ __metadata: + languageName: node + linkType: hard + +-"tweetnacl@npm:^0.14.3, tweetnacl@npm:~0.14.0": +- version: 0.14.5 +- resolution: "tweetnacl@npm:0.14.5" +- checksum: 04ee27901cde46c1c0a64b9584e04c96c5fe45b38c0d74930710751ea991408b405747d01dfae72f80fc158137018aea94f9c38c651cb9c318f0861a310c3679 +- languageName: node +- linkType: hard +- + "type-check@npm:^0.4.0, type-check@npm:~0.4.0": + version: 0.4.0 + resolution: "type-check@npm:0.4.0" +@@ -30199,17 +30042,6 @@ __metadata: + languageName: node + linkType: soft + +-"verror@npm:1.10.0": +- version: 1.10.0 +- resolution: "verror@npm:1.10.0" +- dependencies: +- assert-plus: "npm:^1.0.0" +- core-util-is: "npm:1.0.2" +- extsprintf: "npm:^1.2.0" +- checksum: da548149dd9c130a8a2587c9ee71ea30128d1526925707e2d01ed9c5c45c9e9f86733c66a328247cdd5f7c1516fb25b0f959ba754bfbe15072aa99ff96468a29 +- languageName: node +- linkType: hard +- + "vinyl-fs@npm:^3.0.2": + version: 3.0.3 + resolution: "vinyl-fs@npm:3.0.3" diff --git a/SOURCES/0006-skip-marketplace-plugin-install-test.patch b/SOURCES/0006-skip-marketplace-plugin-install-test.patch new file mode 100644 index 0000000..3180726 --- /dev/null +++ b/SOURCES/0006-skip-marketplace-plugin-install-test.patch @@ -0,0 +1,21 @@ +From ed8a438d72a667844ae07804491b568ad2f5dcdd Mon Sep 17 00:00:00 2001 +From: Andreas Gerstmayr +Date: Thu, 23 Jun 2022 17:00:46 +0200 +Subject: [PATCH] skip marketplace plugin install test + +This test (tries to) install a plugin from the Grafana marketplace. +Network connectivity is disabled in the build environment for security +reasons, therefore we need to disable this test. + +diff --git a/pkg/tests/api/plugins/api_plugins_test.go b/pkg/tests/api/plugins/api_plugins_test.go +index 4fc2295ed8..a326c40b04 100644 +--- a/pkg/tests/api/plugins/api_plugins_test.go ++++ b/pkg/tests/api/plugins/api_plugins_test.go +@@ -71,6 +71,7 @@ func TestIntegrationPlugins(t *testing.T) { + }) + + t.Run("Request is not forbidden if from an admin", func(t *testing.T) { ++ t.Skip("this test requires connectivity to the Grafana plugin marketplace (fetching metadata)") + statusCode, body := makePostRequest(t, grafanaAPIURL(usernameAdmin, grafanaListedAddr, "plugins/test/install")) + + assert.Equal(t, 404, statusCode) diff --git a/SOURCES/0007-redact-weak-ciphers.patch b/SOURCES/0007-redact-weak-ciphers.patch new file mode 100644 index 0000000..1b7148a --- /dev/null +++ b/SOURCES/0007-redact-weak-ciphers.patch @@ -0,0 +1,30 @@ +From 7ac26d6beb2175f0d6001ca0df322ce610401cce Mon Sep 17 00:00:00 2001 +From: Stan Cox +Date: Wed, 22 Jun 2022 17:05:48 +0200 +Subject: [PATCH] redact weak ciphers + + +diff --git a/pkg/api/http_server.go b/pkg/api/http_server.go +index da04044683..8a29270d4d 100644 +--- a/pkg/api/http_server.go ++++ b/pkg/api/http_server.go +@@ -820,13 +820,13 @@ func (hs *HTTPServer) getDefaultCiphers(tlsVersion uint16, protocol string) []ui + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, +- tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, ++ // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, +- tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, +- tls.TLS_RSA_WITH_AES_128_GCM_SHA256, +- tls.TLS_RSA_WITH_AES_256_GCM_SHA384, +- tls.TLS_RSA_WITH_AES_128_CBC_SHA, +- tls.TLS_RSA_WITH_AES_256_CBC_SHA, ++ // tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, ++ // tls.TLS_RSA_WITH_AES_128_GCM_SHA256, ++ // tls.TLS_RSA_WITH_AES_256_GCM_SHA384, ++ // tls.TLS_RSA_WITH_AES_128_CBC_SHA, ++ // tls.TLS_RSA_WITH_AES_256_CBC_SHA, + } + } + if protocol == "h2" { diff --git a/SOURCES/0008-replace-faulty-slices-sort.patch b/SOURCES/0008-replace-faulty-slices-sort.patch new file mode 100644 index 0000000..b9cea8c --- /dev/null +++ b/SOURCES/0008-replace-faulty-slices-sort.patch @@ -0,0 +1,40 @@ +From 3f45f26993ed94837001bb9760d7859e7a057649 Mon Sep 17 00:00:00 2001 +From: Sam Feifer +Date: Fri, 1 Mar 2024 15:00:55 -0500 +Subject: [PATCH] replace faulty slices sort + + +diff --git a/pkg/services/sqlstore/migrator/dialect.go b/pkg/services/sqlstore/migrator/dialect.go +index 183b619de8..da21edeafa 100644 +--- a/pkg/services/sqlstore/migrator/dialect.go ++++ b/pkg/services/sqlstore/migrator/dialect.go +@@ -368,7 +368,8 @@ func (b *BaseDialect) InsertQuery(tableName string, row map[string]any) (string, + for col := range row { + keys = append(keys, col) + } +- slices.Sort[string](keys) ++ slices.Sort(keys) ++ //slices.Sort[string](keys) + + // build query and values + for _, col := range keys { +@@ -398,7 +399,8 @@ func (b *BaseDialect) UpdateQuery(tableName string, row map[string]any, where ma + for col := range row { + keys = append(keys, col) + } +- slices.Sort[string](keys) ++ slices.Sort(keys) ++ //slices.Sort[string](keys) + + // build update query and values + for _, col := range keys { +@@ -411,7 +413,8 @@ func (b *BaseDialect) UpdateQuery(tableName string, row map[string]any, where ma + for col := range where { + keys = append(keys, col) + } +- slices.Sort[string](keys) ++ slices.Sort(keys) ++ //slices.Sort[string](keys) + + // build where clause and values + for _, col := range keys { diff --git a/SOURCES/0009-update-wrappers-and-systemd-with-distro-paths.patch b/SOURCES/0009-update-wrappers-and-systemd-with-distro-paths.patch new file mode 100644 index 0000000..5331ddf --- /dev/null +++ b/SOURCES/0009-update-wrappers-and-systemd-with-distro-paths.patch @@ -0,0 +1,76 @@ +From 5fe02f961e67af04907dc57beda42456128ab1c8 Mon Sep 17 00:00:00 2001 +From: Sam Feifer +Date: Fri, 1 Mar 2024 15:05:24 -0500 +Subject: [PATCH] update wrappers and systemd with distro paths + + +diff --git a/packaging/rpm/systemd/grafana-server.service b/packaging/rpm/systemd/grafana-server.service +index e3adc3f469..b2e4aced06 100644 +--- a/packaging/rpm/systemd/grafana-server.service ++++ b/packaging/rpm/systemd/grafana-server.service +@@ -14,7 +14,7 @@ Restart=on-failure + WorkingDirectory=/usr/share/grafana + RuntimeDirectory=grafana + RuntimeDirectoryMode=0750 +-ExecStart=/usr/share/grafana/bin/grafana server \ ++ExecStart=/usr/sbin/grafana server \ + --config=${CONF_FILE} \ + --pidfile=${PID_FILE_DIR}/grafana-server.pid \ + --packaging=rpm \ +diff --git a/packaging/wrappers/grafana b/packaging/wrappers/grafana +index 86e0fc9faa..5c88bae4c3 100755 +--- a/packaging/wrappers/grafana ++++ b/packaging/wrappers/grafana +@@ -5,7 +5,7 @@ + # the system-wide Grafana configuration that was bundled with the package as we + # use the binary. + +-DEFAULT=/etc/default/grafana ++DEFAULT=/etc/sysconfig/grafana-server + + GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}" + +@@ -13,11 +13,12 @@ CONF_DIR=/etc/grafana + DATA_DIR=/var/lib/grafana + PLUGINS_DIR=/var/lib/grafana/plugins + LOG_DIR=/var/log/grafana +++LIBEXEC_DIR=/usr/libexec/grafana + + CONF_FILE=$CONF_DIR/grafana.ini + PROVISIONING_CFG_DIR=$CONF_DIR/provisioning + +-EXECUTABLE="$GRAFANA_HOME/bin/grafana" +++EXECUTABLE=$LIBEXEC_DIR/grafana + + if [ ! -x $EXECUTABLE ]; then + echo "$EXECUTABLE not installed or not executable" +@@ -46,4 +47,13 @@ if [ "$CMD" = cli ]; then + --pluginsDir=${PLUGINS_DIR}" + fi + +-eval $EXECUTABLE "$CMD" "$OPTS" "$@" ++if [ "$(id -u)" -eq 0 -o "$(id -g)" -eq 0 ]; then ++ cd "${GRAFANA_HOME}" ++ exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "$CMD" "${OPTS[@]}" "$@" ++elif [ "$(id -u -n)" = "${GRAFANA_USER}" ]; then ++ cd "${GRAFANA_HOME}" ++ exec "$EXECUTABLE" "$CMD" "${OPTS[@]}" "$@" ++else ++ echo "$0: please run this script as user \"${GRAFANA_USER}\" or root." ++ exit 5 ++fi +\ No newline at end of file +diff --git a/packaging/wrappers/grafana-server b/packaging/wrappers/grafana-server +index 466b0d7c69..6be356f562 100755 +--- a/packaging/wrappers/grafana-server ++++ b/packaging/wrappers/grafana-server +@@ -7,7 +7,8 @@ + + GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}" + +-EXECUTABLE="$GRAFANA_HOME/bin/grafana" ++LIBEXEC_DIR=/usr/libexec/grafana ++EXECUTABLE=$LIBEXEC_DIR/grafana + + if [ ! -x $EXECUTABLE ]; then + echo "$EXECUTABLE not installed or not executable" diff --git a/SOURCES/0010-remove-bcrypt-references.patch b/SOURCES/0010-remove-bcrypt-references.patch new file mode 100644 index 0000000..d617c85 --- /dev/null +++ b/SOURCES/0010-remove-bcrypt-references.patch @@ -0,0 +1,108 @@ +From eb711315d4c8a81ff52984293758a47372c21b8d Mon Sep 17 00:00:00 2001 +From: Sam Feifer +Date: Fri, 1 Mar 2024 15:07:22 -0500 +Subject: [PATCH] remove bcrypt references + + +diff --git a/pkg/services/extsvcauth/oauthserver/oasimpl/service.go b/pkg/services/extsvcauth/oauthserver/oasimpl/service.go +index 8c5a90248d..43f6d11e08 100644 +--- a/pkg/services/extsvcauth/oauthserver/oasimpl/service.go ++++ b/pkg/services/extsvcauth/oauthserver/oasimpl/service.go +@@ -19,7 +19,6 @@ import ( + "github.com/ory/fosite/compose" + "github.com/ory/fosite/storage" + "github.com/ory/fosite/token/jwt" +- "golang.org/x/crypto/bcrypt" + + "github.com/grafana/grafana/pkg/api/routing" + "github.com/grafana/grafana/pkg/bus" +@@ -235,88 +234,7 @@ func (s *OAuth2ServiceImpl) RemoveExternalService(ctx context.Context, name stri + // it ensures that the associated service account has the correct permissions. + // Database consistency is not guaranteed, consider changing this in the future. + func (s *OAuth2ServiceImpl) SaveExternalService(ctx context.Context, registration *extsvcauth.ExternalServiceRegistration) (*extsvcauth.ExternalService, error) { +- if registration == nil { +- s.logger.Warn("RegisterExternalService called without registration") +- return nil, nil +- } +- slug := registration.Name +- s.logger.Info("Registering external service", "external service", slug) +- +- // Check if the client already exists in store +- client, errFetchExtSvc := s.sqlstore.GetExternalServiceByName(ctx, slug) +- if errFetchExtSvc != nil && !errors.Is(errFetchExtSvc, oauthserver.ErrClientNotFound) { +- s.logger.Error("Error fetching service", "external service", slug, "error", errFetchExtSvc) +- return nil, errFetchExtSvc +- } +- // Otherwise, create a new client +- if client == nil { +- s.logger.Debug("External service does not yet exist", "external service", slug) +- client = &oauthserver.OAuthExternalService{ +- Name: slug, +- ServiceAccountID: oauthserver.NoServiceAccountID, +- Audiences: s.cfg.AppURL, +- } +- } +- +- // Parse registration form to compute required permissions for the client +- client.SelfPermissions, client.ImpersonatePermissions = s.handleRegistrationPermissions(registration) +- +- if registration.OAuthProviderCfg == nil { +- return nil, errors.New("missing oauth provider configuration") +- } +- +- if registration.OAuthProviderCfg.RedirectURI != nil { +- client.RedirectURI = *registration.OAuthProviderCfg.RedirectURI +- } +- +- var errGenCred error +- client.ClientID, client.Secret, errGenCred = s.genCredentials() +- if errGenCred != nil { +- s.logger.Error("Error generating credentials", "client", client.LogID(), "error", errGenCred) +- return nil, errGenCred +- } +- +- grantTypes := s.computeGrantTypes(registration.Self.Enabled, registration.Impersonation.Enabled) +- client.GrantTypes = strings.Join(grantTypes, ",") +- +- // Handle key options +- s.logger.Debug("Handle key options") +- keys, err := s.handleKeyOptions(ctx, registration.OAuthProviderCfg.Key) +- if err != nil { +- s.logger.Error("Error handling key options", "client", client.LogID(), "error", err) +- return nil, err +- } +- if keys != nil { +- client.PublicPem = []byte(keys.PublicPem) +- } +- dto := client.ToExternalService(keys) +- +- hashedSecret, err := bcrypt.GenerateFromPassword([]byte(client.Secret), bcrypt.DefaultCost) +- if err != nil { +- s.logger.Error("Error hashing secret", "client", client.LogID(), "error", err) +- return nil, err +- } +- client.Secret = string(hashedSecret) +- +- s.logger.Debug("Save service account") +- saID, errSaveServiceAccount := s.saService.ManageExtSvcAccount(ctx, &serviceaccounts.ManageExtSvcAccountCmd{ +- ExtSvcSlug: slugify.Slugify(client.Name), +- Enabled: registration.Self.Enabled, +- OrgID: oauthserver.TmpOrgID, +- Permissions: client.SelfPermissions, +- }) +- if errSaveServiceAccount != nil { +- return nil, errSaveServiceAccount +- } +- client.ServiceAccountID = saID +- +- err = s.sqlstore.SaveExternalService(ctx, client) +- if err != nil { +- s.logger.Error("Error saving external service", "client", client.LogID(), "error", err) +- return nil, err +- } +- s.logger.Debug("Registered", "client", client.LogID()) +- return dto, nil ++ panic("bcrypt cipher not available") + } + + // randString generates a a cryptographically secure random string of n bytes diff --git a/SOURCES/1001-vendor-patch-removed-backend-crypto.patch b/SOURCES/1001-vendor-patch-removed-backend-crypto.patch new file mode 100644 index 0000000..82707ca --- /dev/null +++ b/SOURCES/1001-vendor-patch-removed-backend-crypto.patch @@ -0,0 +1,2134 @@ +patch removed backend crypto + +the `Makefile` removed a few files containing (unused) crypto +algorithms from the vendor tarball, which are not used in Grafana. +This patch removes all references to the deleted files. + +diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go +new file mode 100644 +index 0000000000..871e612a61 +--- /dev/null ++++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go +@@ -0,0 +1,25 @@ ++package elgamal ++ ++import ( ++ "io" ++ "math/big" ++) ++ ++// PublicKey represents an ElGamal public key. ++type PublicKey struct { ++ G, P, Y *big.Int ++} ++ ++// PrivateKey represents an ElGamal private key. ++type PrivateKey struct { ++ PublicKey ++ X *big.Int ++} ++ ++func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) { ++ panic("ElGamal encryption not available") ++} ++ ++func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) { ++ panic("ElGamal encryption not available") ++} +diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go +index c607a16..11dbc3c 100644 +--- a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go ++++ b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go +@@ -16,14 +16,11 @@ + package web + + import ( +- "encoding/hex" + "fmt" + "net/http" +- "strings" + "sync" + + "github.com/go-kit/log" +- "golang.org/x/crypto/bcrypt" + ) + + // extraHTTPHeaders is a map of HTTP headers that can be added to HTTP +@@ -37,22 +34,6 @@ var extraHTTPHeaders = map[string][]string{ + "Content-Security-Policy": nil, + } + +-func validateUsers(configPath string) error { +- c, err := getConfig(configPath) +- if err != nil { +- return err +- } +- +- for _, p := range c.Users { +- _, err = bcrypt.Cost([]byte(p)) +- if err != nil { +- return err +- } +- } +- +- return nil +-} +- + // validateHeaderConfig checks that the provided header configuration is correct. + // It does not check the validity of all the values, only the ones which are + // well-defined enumerations. +@@ -84,60 +65,3 @@ type webHandler struct { + // only once in parallel as this is CPU intensive. + bcryptMtx sync.Mutex + } +- +-func (u *webHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { +- c, err := getConfig(u.tlsConfigPath) +- if err != nil { +- u.logger.Log("msg", "Unable to parse configuration", "err", err) +- http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) +- return +- } +- +- // Configure http headers. +- for k, v := range c.HTTPConfig.Header { +- w.Header().Set(k, v) +- } +- +- if len(c.Users) == 0 { +- u.handler.ServeHTTP(w, r) +- return +- } +- +- user, pass, auth := r.BasicAuth() +- if auth { +- hashedPassword, validUser := c.Users[user] +- +- if !validUser { +- // The user is not found. Use a fixed password hash to +- // prevent user enumeration by timing requests. +- // This is a bcrypt-hashed version of "fakepassword". +- hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi" +- } +- +- cacheKey := strings.Join( +- []string{ +- hex.EncodeToString([]byte(user)), +- hex.EncodeToString([]byte(hashedPassword)), +- hex.EncodeToString([]byte(pass)), +- }, ":") +- authOk, ok := u.cache.get(cacheKey) +- +- if !ok { +- // This user, hashedPassword, password is not cached. +- u.bcryptMtx.Lock() +- err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass)) +- u.bcryptMtx.Unlock() +- +- authOk = validUser && err == nil +- u.cache.set(cacheKey, authOk) +- } +- +- if authOk && validUser { +- u.handler.ServeHTTP(w, r) +- return +- } +- } +- +- w.Header().Set("WWW-Authenticate", "Basic") +- http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) +-} +diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go +index 61383bc..7f71298 100644 +--- a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go ++++ b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go +@@ -18,16 +18,10 @@ import ( + "crypto/x509" + "errors" + "fmt" +- "net" +- "net/http" + "os" + "path/filepath" + +- "github.com/coreos/go-systemd/v22/activation" +- "github.com/go-kit/log" +- "github.com/go-kit/log/level" + config_util "github.com/prometheus/common/config" +- "golang.org/x/sync/errgroup" + "gopkg.in/yaml.v2" + ) + +@@ -263,132 +257,16 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) { + + // ServeMultiple starts the server on the given listeners. The FlagConfig is + // also passed on to Serve. +-func ServeMultiple(listeners []net.Listener, server *http.Server, flags *FlagConfig, logger log.Logger) error { +- errs := new(errgroup.Group) +- for _, l := range listeners { +- l := l +- errs.Go(func() error { +- return Serve(l, server, flags, logger) +- }) +- } +- return errs.Wait() +-} + + // ListenAndServe starts the server on addresses given in WebListenAddresses in + // the FlagConfig or instead uses systemd socket activated listeners if + // WebSystemdSocket in the FlagConfig is true. The FlagConfig is also passed on + // to ServeMultiple. +-func ListenAndServe(server *http.Server, flags *FlagConfig, logger log.Logger) error { +- if flags.WebSystemdSocket == nil && (flags.WebListenAddresses == nil || len(*flags.WebListenAddresses) == 0) { +- return ErrNoListeners +- } +- +- if flags.WebSystemdSocket != nil && *flags.WebSystemdSocket { +- level.Info(logger).Log("msg", "Listening on systemd activated listeners instead of port listeners.") +- listeners, err := activation.Listeners() +- if err != nil { +- return err +- } +- if len(listeners) < 1 { +- return errors.New("no socket activation file descriptors found") +- } +- return ServeMultiple(listeners, server, flags, logger) +- } +- +- listeners := make([]net.Listener, 0, len(*flags.WebListenAddresses)) +- for _, address := range *flags.WebListenAddresses { +- listener, err := net.Listen("tcp", address) +- if err != nil { +- return err +- } +- defer listener.Close() +- listeners = append(listeners, listener) +- } +- return ServeMultiple(listeners, server, flags, logger) +-} + + // Server starts the server on the given listener. Based on the file path + // WebConfigFile in the FlagConfig, TLS or basic auth could be enabled. +-func Serve(l net.Listener, server *http.Server, flags *FlagConfig, logger log.Logger) error { +- level.Info(logger).Log("msg", "Listening on", "address", l.Addr().String()) +- tlsConfigPath := *flags.WebConfigFile +- if tlsConfigPath == "" { +- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false, "address", l.Addr().String()) +- return server.Serve(l) +- } +- +- if err := validateUsers(tlsConfigPath); err != nil { +- return err +- } +- +- // Setup basic authentication. +- var handler http.Handler = http.DefaultServeMux +- if server.Handler != nil { +- handler = server.Handler +- } +- +- c, err := getConfig(tlsConfigPath) +- if err != nil { +- return err +- } +- +- server.Handler = &webHandler{ +- tlsConfigPath: tlsConfigPath, +- logger: logger, +- handler: handler, +- cache: newCache(), +- } +- +- config, err := ConfigToTLSConfig(&c.TLSConfig) +- switch err { +- case nil: +- if !c.HTTPConfig.HTTP2 { +- server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler)) +- } +- // Valid TLS config. +- level.Info(logger).Log("msg", "TLS is enabled.", "http2", c.HTTPConfig.HTTP2, "address", l.Addr().String()) +- case errNoTLSConfig: +- // No TLS config, back to plain HTTP. +- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false, "address", l.Addr().String()) +- return server.Serve(l) +- default: +- // Invalid TLS config. +- return err +- } +- +- server.TLSConfig = config +- +- // Set the GetConfigForClient method of the HTTPS server so that the config +- // and certs are reloaded on new connections. +- server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) { +- config, err := getTLSConfig(tlsConfigPath) +- if err != nil { +- return nil, err +- } +- config.NextProtos = server.TLSConfig.NextProtos +- return config, nil +- } +- return server.ServeTLS(l, "", "") +-} + + // Validate configuration file by reading the configuration and the certificates. +-func Validate(tlsConfigPath string) error { +- if tlsConfigPath == "" { +- return nil +- } +- if err := validateUsers(tlsConfigPath); err != nil { +- return err +- } +- c, err := getConfig(tlsConfigPath) +- if err != nil { +- return err +- } +- _, err = ConfigToTLSConfig(&c.TLSConfig) +- if err == errNoTLSConfig { +- return nil +- } +- return err +-} + + type Cipher uint16 + +@@ -472,11 +350,3 @@ func (tv *TLSVersion) MarshalYAML() (interface{}, error) { + } + return fmt.Sprintf("%v", tv), nil + } +- +-// Listen starts the server on the given address. Based on the file +-// tlsConfigPath, TLS or basic auth could be enabled. +-// +-// Deprecated: Use ListenAndServe instead. +-func Listen(server *http.Server, flags *FlagConfig, logger log.Logger) error { +- return ListenAndServe(server, flags, logger) +-} +diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go +index 5760cff..0c87736 100644 +--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go ++++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go +@@ -8,8 +8,6 @@ import ( + "crypto/aes" + "crypto/cipher" + "crypto/des" +- +- "golang.org/x/crypto/cast5" + ) + + // Cipher is an official symmetric key cipher algorithm. See RFC 4880, +@@ -38,7 +36,6 @@ const ( + // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13 + var CipherById = map[uint8]Cipher{ + TripleDES.Id(): TripleDES, +- CAST5.Id(): CAST5, + AES128.Id(): AES128, + AES192.Id(): AES192, + AES256.Id(): AES256, +@@ -53,7 +50,6 @@ func (sk CipherFunction) Id() uint8 { + + var keySizeByID = map[uint8]int{ + TripleDES.Id(): 24, +- CAST5.Id(): cast5.KeySize, + AES128.Id(): 16, + AES192.Id(): 24, + AES256.Id(): 32, +@@ -65,7 +61,7 @@ func (cipher CipherFunction) KeySize() int { + case TripleDES: + return 24 + case CAST5: +- return cast5.KeySize ++ panic("cast5 cipher not available") + case AES128: + return 16 + case AES192: +@@ -82,7 +78,7 @@ func (cipher CipherFunction) BlockSize() int { + case TripleDES: + return des.BlockSize + case CAST5: +- return 8 ++ panic("cast5 cipher not available") + case AES128, AES192, AES256: + return 16 + } +@@ -96,7 +92,7 @@ func (cipher CipherFunction) New(key []byte) (block cipher.Block) { + case TripleDES: + block, err = des.NewTripleDESCipher(key) + case CAST5: +- block, err = cast5.NewCipher(key) ++ panic("cast5 cipher not available") + case AES128, AES192, AES256: + block, err = aes.NewCipher(key) + } +diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go +index a436959..420df86 100644 +--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go ++++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go +@@ -15,7 +15,6 @@ import ( + + "github.com/ProtonMail/go-crypto/openpgp/errors" + "github.com/ProtonMail/go-crypto/openpgp/internal/algorithm" +- "golang.org/x/crypto/argon2" + ) + + type Mode uint8 +@@ -27,7 +26,6 @@ const ( + SimpleS2K Mode = 0 + SaltedS2K Mode = 1 + IteratedSaltedS2K Mode = 3 +- Argon2S2K Mode = 4 + GnuS2K Mode = 101 + ) + +@@ -87,10 +85,10 @@ func decodeCount(c uint8) int { + // encodeMemory converts the Argon2 "memory" in the range parallelism*8 to + // 2**31, inclusive, to an encoded memory. The return value is the + // octet that is actually stored in the GPG file. encodeMemory panics +-// if is not in the above range ++// if is not in the above range + // See OpenPGP crypto refresh Section 3.7.1.4. + func encodeMemory(memory uint32, parallelism uint8) uint8 { +- if memory < (8 * uint32(parallelism)) || memory > uint32(2147483648) { ++ if memory < (8*uint32(parallelism)) || memory > uint32(2147483648) { + panic("Memory argument memory is outside the required range") + } + +@@ -174,33 +172,20 @@ func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) { + + // Argon2 writes to out the key derived from the password (in) with the Argon2 + // function (the crypto refresh, section 3.7.1.4) +-func Argon2(out []byte, in []byte, salt []byte, passes uint8, paralellism uint8, memoryExp uint8) { +- key := argon2.IDKey(in, salt, uint32(passes), decodeMemory(memoryExp), paralellism, uint32(len(out))) +- copy(out[:], key) +-} + + // Generate generates valid parameters from given configuration. + // It will enforce the Iterated and Salted or Argon2 S2K method. + func Generate(rand io.Reader, c *Config) (*Params, error) { + var params *Params +- if c != nil && c.Mode() == Argon2S2K { +- // handle Argon2 case +- argonConfig := c.Argon2() +- params = &Params{ +- mode: Argon2S2K, +- passes: argonConfig.Passes(), +- parallelism: argonConfig.Parallelism(), +- memoryExp: argonConfig.EncodedMemory(), +- } +- } else if c != nil && c.PassphraseIsHighEntropy && c.Mode() == SaltedS2K { // Allow SaltedS2K if PassphraseIsHighEntropy ++ if c != nil && c.PassphraseIsHighEntropy && c.Mode() == SaltedS2K { // Allow SaltedS2K if PassphraseIsHighEntropy + hashId, ok := algorithm.HashToHashId(c.hash()) + if !ok { + return nil, errors.UnsupportedError("no such hash") + } + + params = &Params{ +- mode: SaltedS2K, +- hashId: hashId, ++ mode: SaltedS2K, ++ hashId: hashId, + } + } else { // Enforce IteratedSaltedS2K method otherwise + hashId, ok := algorithm.HashToHashId(c.hash()) +@@ -211,7 +196,7 @@ func Generate(rand io.Reader, c *Config) (*Params, error) { + c.S2KMode = IteratedSaltedS2K + } + params = &Params{ +- mode: IteratedSaltedS2K, ++ mode: IteratedSaltedS2K, + hashId: hashId, + countByte: c.EncodedCount(), + } +@@ -274,16 +259,6 @@ func ParseIntoParams(r io.Reader) (params *Params, err error) { + copy(params.salt(), buf[1:9]) + params.countByte = buf[9] + return params, nil +- case Argon2S2K: +- _, err = io.ReadFull(r, buf[:Argon2SaltSize+3]) +- if err != nil { +- return nil, err +- } +- copy(params.salt(), buf[:Argon2SaltSize]) +- params.passes = buf[Argon2SaltSize] +- params.parallelism = buf[Argon2SaltSize+1] +- params.memoryExp = buf[Argon2SaltSize+2] +- return params, nil + case GnuS2K: + // This is a GNU extension. See + // https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=fe55ae16ab4e26d8356dc574c9e8bc935e71aef1;hb=23191d7851eae2217ecdac6484349849a24fd94a#l1109 +@@ -306,9 +281,10 @@ func (params *Params) Dummy() bool { + + func (params *Params) salt() []byte { + switch params.mode { +- case SaltedS2K, IteratedSaltedS2K: return params.saltBytes[:8] +- case Argon2S2K: return params.saltBytes[:Argon2SaltSize] +- default: return nil ++ case SaltedS2K, IteratedSaltedS2K: ++ return params.saltBytes[:8] ++ default: ++ return nil + } + } + +@@ -317,15 +293,13 @@ func (params *Params) Function() (f func(out, in []byte), err error) { + return nil, errors.ErrDummyPrivateKey("dummy key found") + } + var hashObj crypto.Hash +- if params.mode != Argon2S2K { +- var ok bool +- hashObj, ok = algorithm.HashIdToHashWithSha1(params.hashId) +- if !ok { +- return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(params.hashId))) +- } +- if !hashObj.Available() { +- return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashObj))) +- } ++ var ok bool ++ hashObj, ok = algorithm.HashIdToHashWithSha1(params.hashId) ++ if !ok { ++ return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(params.hashId))) ++ } ++ if !hashObj.Available() { ++ return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashObj))) + } + + switch params.mode { +@@ -346,11 +320,6 @@ func (params *Params) Function() (f func(out, in []byte), err error) { + Iterated(out, hashObj.New(), in, params.salt(), decodeCount(params.countByte)) + } + +- return f, nil +- case Argon2S2K: +- f := func(out, in []byte) { +- Argon2(out, in, params.salt(), params.passes, params.parallelism, params.memoryExp) +- } + return f, nil + } + +@@ -361,10 +330,8 @@ func (params *Params) Serialize(w io.Writer) (err error) { + if _, err = w.Write([]byte{uint8(params.mode)}); err != nil { + return + } +- if params.mode != Argon2S2K { +- if _, err = w.Write([]byte{params.hashId}); err != nil { +- return +- } ++ if _, err = w.Write([]byte{params.hashId}); err != nil { ++ return + } + if params.Dummy() { + _, err = w.Write(append([]byte("GNU"), 1)) +@@ -377,9 +344,6 @@ func (params *Params) Serialize(w io.Writer) (err error) { + if params.mode == IteratedSaltedS2K { + _, err = w.Write([]byte{params.countByte}) + } +- if params.mode == Argon2S2K { +- _, err = w.Write([]byte{params.passes, params.parallelism, params.memoryExp}) +- } + } + return + } +diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go +index e96252c..42ddccf 100644 +--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go ++++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go +@@ -5,12 +5,9 @@ + package packet + + import ( +- "crypto/cipher" +- "crypto/sha256" + "io" + + "github.com/ProtonMail/go-crypto/openpgp/errors" +- "golang.org/x/crypto/hkdf" + ) + + // parseAead parses a V2 SEIPD packet (AEAD) as specified in +@@ -62,95 +59,11 @@ func (se *SymmetricallyEncrypted) associatedData() []byte { + // decryptAead decrypts a V2 SEIPD packet (AEAD) as specified in + // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2 + func (se *SymmetricallyEncrypted) decryptAead(inputKey []byte) (io.ReadCloser, error) { +- aead, nonce := getSymmetricallyEncryptedAeadInstance(se.Cipher, se.Mode, inputKey, se.Salt[:], se.associatedData()) +- +- // Carry the first tagLen bytes +- tagLen := se.Mode.TagLength() +- peekedBytes := make([]byte, tagLen) +- n, err := io.ReadFull(se.Contents, peekedBytes) +- if n < tagLen || (err != nil && err != io.EOF) { +- return nil, errors.StructuralError("not enough data to decrypt:" + err.Error()) +- } +- +- return &aeadDecrypter{ +- aeadCrypter: aeadCrypter{ +- aead: aead, +- chunkSize: decodeAEADChunkSize(se.ChunkSizeByte), +- initialNonce: nonce, +- associatedData: se.associatedData(), +- chunkIndex: make([]byte, 8), +- packetTag: packetTypeSymmetricallyEncryptedIntegrityProtected, +- }, +- reader: se.Contents, +- peekedBytes: peekedBytes, +- }, nil ++ panic("hkdf cipher not available") + } + + // serializeSymmetricallyEncryptedAead encrypts to a writer a V2 SEIPD packet (AEAD) as specified in + // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2 + func serializeSymmetricallyEncryptedAead(ciphertext io.WriteCloser, cipherSuite CipherSuite, chunkSizeByte byte, rand io.Reader, inputKey []byte) (Contents io.WriteCloser, err error) { +- // cipherFunc must have block size 16 to use AEAD +- if cipherSuite.Cipher.blockSize() != 16 { +- return nil, errors.InvalidArgumentError("invalid aead cipher function") +- } +- +- if cipherSuite.Cipher.KeySize() != len(inputKey) { +- return nil, errors.InvalidArgumentError("error in aead serialization: bad key length") +- } +- +- // Data for en/decryption: tag, version, cipher, aead mode, chunk size +- prefix := []byte{ +- 0xD2, +- symmetricallyEncryptedVersionAead, +- byte(cipherSuite.Cipher), +- byte(cipherSuite.Mode), +- chunkSizeByte, +- } +- +- // Write header (that correspond to prefix except first byte) +- n, err := ciphertext.Write(prefix[1:]) +- if err != nil || n < 4 { +- return nil, err +- } +- +- // Random salt +- salt := make([]byte, aeadSaltSize) +- if _, err := rand.Read(salt); err != nil { +- return nil, err +- } +- +- if _, err := ciphertext.Write(salt); err != nil { +- return nil, err +- } +- +- aead, nonce := getSymmetricallyEncryptedAeadInstance(cipherSuite.Cipher, cipherSuite.Mode, inputKey, salt, prefix) +- +- return &aeadEncrypter{ +- aeadCrypter: aeadCrypter{ +- aead: aead, +- chunkSize: decodeAEADChunkSize(chunkSizeByte), +- associatedData: prefix, +- chunkIndex: make([]byte, 8), +- initialNonce: nonce, +- packetTag: packetTypeSymmetricallyEncryptedIntegrityProtected, +- }, +- writer: ciphertext, +- }, nil +-} +- +-func getSymmetricallyEncryptedAeadInstance(c CipherFunction, mode AEADMode, inputKey, salt, associatedData []byte) (aead cipher.AEAD, nonce []byte) { +- hkdfReader := hkdf.New(sha256.New, inputKey, salt, associatedData) +- +- encryptionKey := make([]byte, c.KeySize()) +- _, _ = readFull(hkdfReader, encryptionKey) +- +- // Last 64 bits of nonce are the counter +- nonce = make([]byte, mode.IvLength()-8) +- +- _, _ = readFull(hkdfReader, nonce) +- +- blockCipher := c.new(encryptionKey) +- aead = mode.new(blockCipher) +- +- return ++ panic("hkdf cipher not available") + } +diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go +index 8499c73..eaffe19 100644 +--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go ++++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go +@@ -17,7 +17,6 @@ import ( + "github.com/ProtonMail/go-crypto/openpgp/errors" + "github.com/ProtonMail/go-crypto/openpgp/internal/algorithm" + "github.com/ProtonMail/go-crypto/openpgp/packet" +- _ "golang.org/x/crypto/sha3" + ) + + // SignatureType is the armor type for a PGP signature. +diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go b/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go +index 214df4c..f049462 100644 +--- a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go ++++ b/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go +@@ -20,9 +20,6 @@ package aeadcrypter + + import ( + "crypto/cipher" +- "fmt" +- +- "golang.org/x/crypto/chacha20poly1305" + ) + + // Supported key size in bytes. +@@ -39,14 +36,7 @@ type chachapoly struct { + // NewChachaPoly creates a Chacha-Poly crypter instance. Note that the key must + // be Chacha20Poly1305KeySize bytes in length. + func NewChachaPoly(key []byte) (S2AAEADCrypter, error) { +- if len(key) != Chacha20Poly1305KeySize { +- return nil, fmt.Errorf("%d bytes, given: %d", Chacha20Poly1305KeySize, len(key)) +- } +- c, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- return &chachapoly{aead: c}, nil ++ panic("chachap20poly1305 cipher not available") + } + + // Encrypt is the encryption function. dst can contain bytes at the beginning of +diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go +index dff99ff..052f645 100644 +--- a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go ++++ b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go +@@ -26,7 +26,6 @@ import ( + + s2apb "github.com/google/s2a-go/internal/proto/common_go_proto" + "github.com/google/s2a-go/internal/record/internal/aeadcrypter" +- "golang.org/x/crypto/cryptobyte" + ) + + // The constants below were taken from Section 7.2 and 7.3 in +@@ -175,19 +174,5 @@ func (hc *S2AHalfConnection) maskedNonce(sequence uint64) []byte { + // deriveSecret implements the Derive-Secret function, as specified in + // https://tools.ietf.org/html/rfc8446#section-7.1. + func (hc *S2AHalfConnection) deriveSecret(secret, label []byte, length int) ([]byte, error) { +- var hkdfLabel cryptobyte.Builder +- hkdfLabel.AddUint16(uint16(length)) +- hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(label) +- }) +- // Append an empty `Context` field to the label, as specified in the RFC. +- // The half connection does not use the `Context` field. +- hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte("")) +- }) +- hkdfLabelBytes, err := hkdfLabel.Bytes() +- if err != nil { +- return nil, fmt.Errorf("deriveSecret failed: %v", err) +- } +- return hc.expander.expand(secret, hkdfLabelBytes, length) ++ panic("cryptobyte cipher not available") + } +diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go +index e05f2c3..f46c3a9 100644 +--- a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go ++++ b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go +@@ -19,10 +19,7 @@ + package halfconn + + import ( +- "fmt" + "hash" +- +- "golang.org/x/crypto/hkdf" + ) + + // hkdfExpander is the interface for the HKDF expansion function; see +@@ -47,13 +44,5 @@ func newDefaultHKDFExpander(h func() hash.Hash) hkdfExpander { + } + + func (d *defaultHKDFExpander) expand(secret, label []byte, length int) ([]byte, error) { +- outBuf := make([]byte, length) +- n, err := hkdf.Expand(d.h, secret, label).Read(outBuf) +- if err != nil { +- return nil, fmt.Errorf("hkdf.Expand.Read failed with error: %v", err) +- } +- if n < length { +- return nil, fmt.Errorf("hkdf.Expand.Read returned unexpected length, got %d, want %d", n, length) +- } +- return outBuf, nil ++ panic("hkdf cipher not available") + } +diff --git a/vendor/github.com/Masterminds/sprig/v3/crypto.go b/vendor/github.com/Masterminds/sprig/v3/crypto.go +index 13a5cd5..a92eaec 100644 +--- a/vendor/github.com/Masterminds/sprig/v3/crypto.go ++++ b/vendor/github.com/Masterminds/sprig/v3/crypto.go +@@ -9,7 +9,6 @@ import ( + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" +- "crypto/hmac" + "crypto/rand" + "crypto/rsa" + "crypto/sha1" +@@ -18,7 +17,6 @@ import ( + "crypto/x509/pkix" + "encoding/asn1" + "encoding/base64" +- "encoding/binary" + "encoding/hex" + "encoding/pem" + "errors" +@@ -32,8 +30,6 @@ import ( + "strings" + + "github.com/google/uuid" +- bcrypt_lib "golang.org/x/crypto/bcrypt" +- "golang.org/x/crypto/scrypt" + ) + + func sha256sum(input string) string { +@@ -52,12 +48,7 @@ func adler32sum(input string) string { + } + + func bcrypt(input string) string { +- hash, err := bcrypt_lib.GenerateFromPassword([]byte(input), bcrypt_lib.DefaultCost) +- if err != nil { +- return fmt.Sprintf("failed to encrypt string with bcrypt: %s", err) +- } +- +- return string(hash) ++ panic("bcrypt cipher not available") + } + + func htpasswd(username string, password string) string { +@@ -108,40 +99,7 @@ var templateCharacters = map[byte]string{ + } + + func derivePassword(counter uint32, passwordType, password, user, site string) string { +- var templates = passwordTypeTemplates[passwordType] +- if templates == nil { +- return fmt.Sprintf("cannot find password template %s", passwordType) +- } +- +- var buffer bytes.Buffer +- buffer.WriteString(masterPasswordSeed) +- binary.Write(&buffer, binary.BigEndian, uint32(len(user))) +- buffer.WriteString(user) +- +- salt := buffer.Bytes() +- key, err := scrypt.Key([]byte(password), salt, 32768, 8, 2, 64) +- if err != nil { +- return fmt.Sprintf("failed to derive password: %s", err) +- } +- +- buffer.Truncate(len(masterPasswordSeed)) +- binary.Write(&buffer, binary.BigEndian, uint32(len(site))) +- buffer.WriteString(site) +- binary.Write(&buffer, binary.BigEndian, counter) +- +- var hmacv = hmac.New(sha256.New, key) +- hmacv.Write(buffer.Bytes()) +- var seed = hmacv.Sum(nil) +- var temp = templates[int(seed[0])%len(templates)] +- +- buffer.Truncate(0) +- for i, element := range temp { +- passChars := templateCharacters[element] +- passChar := passChars[int(seed[i+1])%len(passChars)] +- buffer.WriteByte(passChar) +- } +- +- return buffer.String() ++ panic("scrypt cipher not available") + } + + func generatePrivateKey(typ string) string { +diff --git a/vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go b/vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go +index d95032f..f5cbe66 100644 +--- a/vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go ++++ b/vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go +@@ -16,7 +16,6 @@ import ( + "github.com/microsoft/go-mssqldb/msdsn" + + //lint:ignore SA1019 MD4 is used by legacy NTLM +- "golang.org/x/crypto/md4" + ) + + const ( +@@ -162,10 +161,7 @@ func lmResponse(challenge [8]byte, password string) [24]byte { + } + + func ntlmHash(password string) (hash [21]byte) { +- h := md4.New() +- h.Write(utf16le(password)) +- h.Sum(hash[:0]) +- return ++ panic("md4 cipher not available") + } + + func ntResponse(challenge [8]byte, password string) [24]byte { +@@ -194,12 +190,7 @@ func ntlmSessionResponse(clientNonce [8]byte, serverChallenge [8]byte, password + } + + func ntlmHashNoPadding(val string) []byte { +- hash := make([]byte, 16) +- h := md4.New() +- h.Write(utf16le(val)) +- h.Sum(hash[:0]) +- +- return hash ++ panic("md4 cipher not available") + } + + func hmacMD5(passwordHash, data []byte) []byte { +diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go +index 804eba899e..221306e7dc 100644 +--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go ++++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go +@@ -16,7 +16,6 @@ import ( + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential" +- "golang.org/x/crypto/pkcs12" + ) + + const credNameCert = "ClientCertificateCredential" +@@ -158,15 +157,7 @@ func loadPEMCert(certData []byte) ([]*pem.Block, error) { + } + + func loadPKCS12Cert(certData []byte, password string) ([]*pem.Block, error) { +- blocks, err := pkcs12.ToPEM(certData, password) +- if err != nil { +- return nil, err +- } +- if len(blocks) == 0 { +- // not mentioning PKCS12 in this message because we end up here when certData is garbage +- return nil, errors.New("didn't find any certificate content") +- } +- return blocks, err ++ panic("pkcs12 cipher not available") + } + + var _ azcore.TokenCredential = (*ClientCertificateCredential)(nil) +diff --git a/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go b/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go +index 2a974a3..1ea6648 100644 +--- a/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go ++++ b/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go +@@ -23,8 +23,6 @@ import ( + "io/ioutil" + "os" + "path/filepath" +- +- "golang.org/x/crypto/pkcs12" + ) + + var ( +@@ -90,46 +88,5 @@ func SaveToken(path string, mode os.FileMode, token Token) error { + // private key or an error is returned. + // If the private key is not password protected pass the empty string for password. + func DecodePfxCertificateData(pfxData []byte, password string) (*x509.Certificate, *rsa.PrivateKey, error) { +- blocks, err := pkcs12.ToPEM(pfxData, password) +- if err != nil { +- return nil, nil, err +- } +- // first extract the private key +- var priv *rsa.PrivateKey +- for _, block := range blocks { +- if block.Type == "PRIVATE KEY" { +- priv, err = x509.ParsePKCS1PrivateKey(block.Bytes) +- if err != nil { +- return nil, nil, err +- } +- break +- } +- } +- if priv == nil { +- return nil, nil, ErrMissingPrivateKey +- } +- // now find the certificate with the matching public key of our private key +- var cert *x509.Certificate +- for _, block := range blocks { +- if block.Type == "CERTIFICATE" { +- pcert, err := x509.ParseCertificate(block.Bytes) +- if err != nil { +- return nil, nil, err +- } +- certKey, ok := pcert.PublicKey.(*rsa.PublicKey) +- if !ok { +- // keep looking +- continue +- } +- if priv.E == certKey.E && priv.N.Cmp(certKey.N) == 0 { +- // found a match +- cert = pcert +- break +- } +- } +- } +- if cert == nil { +- return nil, nil, ErrMissingCertificate +- } +- return cert, priv, nil ++ panic("pkcs12 cipher not available") + } +diff --git a/vendor/github.com/Azure/go-ntlmssp/nlmp.go b/vendor/github.com/Azure/go-ntlmssp/nlmp.go +index 1e65abe..0ef2301 100644 +--- a/vendor/github.com/Azure/go-ntlmssp/nlmp.go ++++ b/vendor/github.com/Azure/go-ntlmssp/nlmp.go +@@ -10,7 +10,6 @@ package ntlmssp + import ( + "crypto/hmac" + "crypto/md5" +- "golang.org/x/crypto/md4" + "strings" + ) + +@@ -19,9 +18,7 @@ func getNtlmV2Hash(password, username, target string) []byte { + } + + func getNtlmHash(password string) []byte { +- hash := md4.New() +- hash.Write(toUnicode(password)) +- return hash.Sum(nil) ++ panic("md4 cipher not available") + } + + func computeNtlmV2Response(ntlmV2Hash, serverChallenge, clientChallenge, +diff --git a/vendor/github.com/ory/fosite/hash_bcrypt.go b/vendor/github.com/ory/fosite/hash_bcrypt.go +index 44b8fcb..4a75d24 100644 +--- a/vendor/github.com/ory/fosite/hash_bcrypt.go ++++ b/vendor/github.com/ory/fosite/hash_bcrypt.go +@@ -5,10 +5,6 @@ package fosite + + import ( + "context" +- +- "github.com/ory/x/errorsx" +- +- "golang.org/x/crypto/bcrypt" + ) + + const DefaultBCryptWorkFactor = 12 +@@ -21,20 +17,9 @@ type BCrypt struct { + } + + func (b *BCrypt) Hash(ctx context.Context, data []byte) ([]byte, error) { +- wf := b.Config.GetBCryptCost(ctx) +- if wf == 0 { +- wf = DefaultBCryptWorkFactor +- } +- s, err := bcrypt.GenerateFromPassword(data, wf) +- if err != nil { +- return nil, errorsx.WithStack(err) +- } +- return s, nil ++ panic("bcrypt ciper not available") + } + + func (b *BCrypt) Compare(ctx context.Context, hash, data []byte) error { +- if err := bcrypt.CompareHashAndPassword(hash, data); err != nil { +- return errorsx.WithStack(err) +- } +- return nil ++ panic("bcrypt cipher not available") + } +diff --git a/vendor/filippo.io/age/internal/stream/stream.go b/vendor/filippo.io/age/internal/stream/stream.go +index 7cf02c4..29f4f44 100644 +--- a/vendor/filippo.io/age/internal/stream/stream.go ++++ b/vendor/filippo.io/age/internal/stream/stream.go +@@ -10,9 +10,6 @@ import ( + "errors" + "fmt" + "io" +- +- "golang.org/x/crypto/chacha20poly1305" +- "golang.org/x/crypto/poly1305" + ) + + const ChunkSize = 64 * 1024 +@@ -25,23 +22,16 @@ type Reader struct { + buf [encChunkSize]byte + + err error +- nonce [chacha20poly1305.NonceSize]byte ++ nonce []byte + } + + const ( +- encChunkSize = ChunkSize + poly1305.TagSize ++ encChunkSize = ChunkSize + lastChunkFlag = 0x01 + ) + + func NewReader(key []byte, src io.Reader) (*Reader, error) { +- aead, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- return &Reader{ +- a: aead, +- src: src, +- }, nil ++ panic("chacha20poly1305 cipher not available") + } + + func (r *Reader) Read(p []byte) (int, error) { +@@ -87,64 +77,20 @@ func (r *Reader) Read(p []byte) (int, error) { + // in r.unread. last is true if the chunk was marked as the end of the message. + // readChunk must not be called again after returning a last chunk or an error. + func (r *Reader) readChunk() (last bool, err error) { +- if len(r.unread) != 0 { +- panic("stream: internal error: readChunk called with dirty buffer") +- } ++ panic("poly1305 cipher not available") + +- in := r.buf[:] +- n, err := io.ReadFull(r.src, in) +- switch { +- case err == io.EOF: +- // A message can't end without a marked chunk. This message is truncated. +- return false, io.ErrUnexpectedEOF +- case err == io.ErrUnexpectedEOF: +- // The last chunk can be short, but not empty unless it's the first and +- // only chunk. +- if !nonceIsZero(&r.nonce) && n == r.a.Overhead() { +- return false, errors.New("last chunk is empty, try age v1.0.0, and please consider reporting this") +- } +- in = in[:n] +- last = true +- setLastChunkFlag(&r.nonce) +- case err != nil: +- return false, err +- } +- +- outBuf := make([]byte, 0, ChunkSize) +- out, err := r.a.Open(outBuf, r.nonce[:], in, nil) +- if err != nil && !last { +- // Check if this was a full-length final chunk. +- last = true +- setLastChunkFlag(&r.nonce) +- out, err = r.a.Open(outBuf, r.nonce[:], in, nil) +- } +- if err != nil { +- return false, errors.New("failed to decrypt and authenticate payload chunk") +- } +- +- incNonce(&r.nonce) +- r.unread = r.buf[:copy(r.buf[:], out)] +- return last, nil + } + +-func incNonce(nonce *[chacha20poly1305.NonceSize]byte) { +- for i := len(nonce) - 2; i >= 0; i-- { +- nonce[i]++ +- if nonce[i] != 0 { +- break +- } else if i == 0 { +- // The counter is 88 bits, this is unreachable. +- panic("stream: chunk counter wrapped around") +- } +- } ++func incNonce(nonce *[]byte) { ++ panic("chacha20poly1305 cipher not available") + } + +-func setLastChunkFlag(nonce *[chacha20poly1305.NonceSize]byte) { +- nonce[len(nonce)-1] = lastChunkFlag ++func setLastChunkFlag(nonce *[]byte) { ++ panic("chacha20poly1305 cipher not available") + } + +-func nonceIsZero(nonce *[chacha20poly1305.NonceSize]byte) bool { +- return *nonce == [chacha20poly1305.NonceSize]byte{} ++func nonceIsZero(nonce *[]byte) bool { ++ panic("chacha20poly1305 cipher not available") + } + + type Writer struct { +@@ -152,47 +98,17 @@ type Writer struct { + dst io.Writer + unwritten []byte // backed by buf + buf [encChunkSize]byte +- nonce [chacha20poly1305.NonceSize]byte ++ nonce []byte + err error + } + + func NewWriter(key []byte, dst io.Writer) (*Writer, error) { +- aead, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- w := &Writer{ +- a: aead, +- dst: dst, +- } +- w.unwritten = w.buf[:0] +- return w, nil ++ panic("chacha20poly1305 cipher not available") ++ + } + + func (w *Writer) Write(p []byte) (n int, err error) { +- // TODO: consider refactoring with a bytes.Buffer. +- if w.err != nil { +- return 0, w.err +- } +- if len(p) == 0 { +- return 0, nil +- } +- +- total := len(p) +- for len(p) > 0 { +- freeBuf := w.buf[len(w.unwritten):ChunkSize] +- n := copy(freeBuf, p) +- p = p[n:] +- w.unwritten = w.unwritten[:len(w.unwritten)+n] +- +- if len(w.unwritten) == ChunkSize && len(p) > 0 { +- if err := w.flushChunk(notLastChunk); err != nil { +- w.err = err +- return 0, err +- } +- } +- } +- return total, nil ++ panic("chacha20poly1305 cipher not available") + } + + // Close flushes the last chunk. It does not close the underlying Writer. +@@ -216,16 +132,5 @@ const ( + ) + + func (w *Writer) flushChunk(last bool) error { +- if !last && len(w.unwritten) != ChunkSize { +- panic("stream: internal error: flush called with partial chunk") +- } +- +- if last { +- setLastChunkFlag(&w.nonce) +- } +- buf := w.a.Seal(w.buf[:0], w.nonce[:], w.unwritten, nil) +- _, err := w.dst.Write(buf) +- w.unwritten = w.buf[:0] +- incNonce(&w.nonce) +- return err ++ panic("chacha20poly1305 cipher not available") + } +diff --git a/vendor/filippo.io/age/primitives.go b/vendor/filippo.io/age/primitives.go +index 804b019..2ee760f 100644 +--- a/vendor/filippo.io/age/primitives.go ++++ b/vendor/filippo.io/age/primitives.go +@@ -5,29 +5,14 @@ + package age + + import ( +- "crypto/hmac" +- "crypto/sha256" + "errors" +- "io" + + "filippo.io/age/internal/format" +- "golang.org/x/crypto/chacha20poly1305" +- "golang.org/x/crypto/hkdf" + ) + + // aeadEncrypt encrypts a message with a one-time key. + func aeadEncrypt(key, plaintext []byte) ([]byte, error) { +- aead, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- // The nonce is fixed because this function is only used in places where the +- // spec guarantees each key is only used once (by deriving it from values +- // that include fresh randomness), allowing us to save the overhead. +- // For the code that encrypts the actual payload, look at the +- // filippo.io/age/internal/stream package. +- nonce := make([]byte, chacha20poly1305.NonceSize) +- return aead.Seal(nil, nonce, plaintext, nil), nil ++ panic("chacha20poly1305 cipher not available") + } + + var errIncorrectCiphertextSize = errors.New("encrypted value has unexpected length") +@@ -38,35 +23,13 @@ var errIncorrectCiphertextSize = errors.New("encrypted value has unexpected leng + // can be crafted that decrypts successfully under multiple keys. Short + // ciphertexts can only target two keys, which has limited impact. + func aeadDecrypt(key []byte, size int, ciphertext []byte) ([]byte, error) { +- aead, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- if len(ciphertext) != size+aead.Overhead() { +- return nil, errIncorrectCiphertextSize +- } +- nonce := make([]byte, chacha20poly1305.NonceSize) +- return aead.Open(nil, nonce, ciphertext, nil) ++ panic("chacha20poly1305 cipher not available") + } + + func headerMAC(fileKey []byte, hdr *format.Header) ([]byte, error) { +- h := hkdf.New(sha256.New, fileKey, nil, []byte("header")) +- hmacKey := make([]byte, 32) +- if _, err := io.ReadFull(h, hmacKey); err != nil { +- return nil, err +- } +- hh := hmac.New(sha256.New, hmacKey) +- if err := hdr.MarshalWithoutMAC(hh); err != nil { +- return nil, err +- } +- return hh.Sum(nil), nil ++ panic("hkdf cipher not available") + } + + func streamKey(fileKey, nonce []byte) []byte { +- h := hkdf.New(sha256.New, fileKey, nonce, []byte("payload")) +- streamKey := make([]byte, chacha20poly1305.KeySize) +- if _, err := io.ReadFull(h, streamKey); err != nil { +- panic("age: internal error: failed to read from HKDF: " + err.Error()) +- } +- return streamKey ++ panic("chacha20poly1305 cipher not available") + } +diff --git a/vendor/filippo.io/age/scrypt.go b/vendor/filippo.io/age/scrypt.go +index 1346ad1..a97e385 100644 +--- a/vendor/filippo.io/age/scrypt.go ++++ b/vendor/filippo.io/age/scrypt.go +@@ -5,15 +5,8 @@ + package age + + import ( +- "crypto/rand" + "errors" +- "fmt" + "regexp" +- "strconv" +- +- "filippo.io/age/internal/format" +- "golang.org/x/crypto/chacha20poly1305" +- "golang.org/x/crypto/scrypt" + ) + + const scryptLabel = "age-encryption.org/v1/scrypt" +@@ -61,30 +54,7 @@ func (r *ScryptRecipient) SetWorkFactor(logN int) { + const scryptSaltSize = 16 + + func (r *ScryptRecipient) Wrap(fileKey []byte) ([]*Stanza, error) { +- salt := make([]byte, scryptSaltSize) +- if _, err := rand.Read(salt[:]); err != nil { +- return nil, err +- } +- +- logN := r.workFactor +- l := &Stanza{ +- Type: "scrypt", +- Args: []string{format.EncodeToString(salt), strconv.Itoa(logN)}, +- } +- +- salt = append([]byte(scryptLabel), salt...) +- k, err := scrypt.Key(r.password, salt, 1< i.maxWorkFactor { +- return nil, fmt.Errorf("scrypt work factor too large: %v", logN) +- } +- if logN <= 0 { // unreachable +- return nil, fmt.Errorf("invalid scrypt work factor: %v", logN) +- } +- +- salt = append([]byte(scryptLabel), salt...) +- k, err := scrypt.Key(i.password, salt, 1< 32 { +- return "", errors.New("square/go-jose: invalid elliptic key (too large)") +- } +- return fmt.Sprintf(edThumbprintTemplate, crv, +- newFixedSizeBuffer(ed, 32).base64()), nil +-} +- + // Thumbprint computes the JWK Thumbprint of a key using the + // indicated hash algorithm. + func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { + var input string + var err error + switch key := k.Key.(type) { +- case ed25519.PublicKey: +- input, err = edThumbprintInput(key) + case *ecdsa.PublicKey: + input, err = ecThumbprintInput(key.Curve, key.X, key.Y) + case *ecdsa.PrivateKey: +@@ -381,8 +356,6 @@ func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { + input, err = rsaThumbprintInput(key.N, key.E) + case *rsa.PrivateKey: + input, err = rsaThumbprintInput(key.N, key.E) +- case ed25519.PrivateKey: +- input, err = edThumbprintInput(ed25519.PublicKey(key[32:])) + default: + return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key)) + } +@@ -399,7 +372,7 @@ func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { + // IsPublic returns true if the JWK represents a public key (not symmetric, not private). + func (k *JSONWebKey) IsPublic() bool { + switch k.Key.(type) { +- case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: ++ case *ecdsa.PublicKey, *rsa.PublicKey: + return true + default: + return false +@@ -417,8 +390,6 @@ func (k *JSONWebKey) Public() JSONWebKey { + ret.Key = key.Public() + case *rsa.PrivateKey: + ret.Key = key.Public() +- case ed25519.PrivateKey: +- ret.Key = key.Public() + default: + return JSONWebKey{} // returning invalid key + } +@@ -447,14 +418,6 @@ func (k *JSONWebKey) Valid() bool { + if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 { + return false + } +- case ed25519.PublicKey: +- if len(key) != 32 { +- return false +- } +- case ed25519.PrivateKey: +- if len(key) != 64 { +- return false +- } + default: + return false + } +@@ -472,14 +435,6 @@ func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) { + }, nil + } + +-func fromEdPublicKey(pub ed25519.PublicKey) *rawJSONWebKey { +- return &rawJSONWebKey{ +- Kty: "OKP", +- Crv: "Ed25519", +- X: newBuffer(pub), +- } +-} +- + func fromRsaPublicKey(pub *rsa.PublicKey) *rawJSONWebKey { + return &rawJSONWebKey{ + Kty: "RSA", +@@ -559,36 +514,6 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) { + return key, nil + } + +-func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) { +- var missing []string +- switch { +- case key.D == nil: +- missing = append(missing, "D") +- case key.X == nil: +- missing = append(missing, "X") +- } +- +- if len(missing) > 0 { +- return nil, fmt.Errorf("square/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", ")) +- } +- +- privateKey := make([]byte, ed25519.PrivateKeySize) +- copy(privateKey[0:32], key.D.bytes()) +- copy(privateKey[32:], key.X.bytes()) +- rv := ed25519.PrivateKey(privateKey) +- return rv, nil +-} +- +-func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) { +- if key.X == nil { +- return nil, fmt.Errorf("square/go-jose: invalid Ed key, missing x value") +- } +- publicKey := make([]byte, ed25519.PublicKeySize) +- copy(publicKey[0:32], key.X.bytes()) +- rv := ed25519.PublicKey(publicKey) +- return rv, nil +-} +- + func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) { + var missing []string + switch { +@@ -634,13 +559,6 @@ func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) { + return rv, err + } + +-func fromEdPrivateKey(ed ed25519.PrivateKey) (*rawJSONWebKey, error) { +- raw := fromEdPublicKey(ed25519.PublicKey(ed[32:])) +- +- raw.D = newBuffer(ed[0:32]) +- return raw, nil +-} +- + func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJSONWebKey, error) { + if len(rsa.Primes) != 2 { + return nil, ErrUnsupportedKeyType +diff --git a/vendor/gopkg.in/square/go-jose.v2/signing.go b/vendor/gopkg.in/square/go-jose.v2/signing.go +index bad820c..8065475 100644 +--- a/vendor/gopkg.in/square/go-jose.v2/signing.go ++++ b/vendor/gopkg.in/square/go-jose.v2/signing.go +@@ -24,8 +24,6 @@ import ( + "errors" + "fmt" + +- "golang.org/x/crypto/ed25519" +- + "gopkg.in/square/go-jose.v2/json" + ) + +@@ -154,10 +152,6 @@ func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error) { + // newVerifier creates a verifier based on the key type + func newVerifier(verificationKey interface{}) (payloadVerifier, error) { + switch verificationKey := verificationKey.(type) { +- case ed25519.PublicKey: +- return &edEncrypterVerifier{ +- publicKey: verificationKey, +- }, nil + case *rsa.PublicKey: + return &rsaEncrypterVerifier{ + publicKey: verificationKey, +@@ -193,8 +187,6 @@ func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interf + + func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) { + switch signingKey := signingKey.(type) { +- case ed25519.PrivateKey: +- return newEd25519Signer(alg, signingKey) + case *rsa.PrivateKey: + return newRSASigner(alg, signingKey) + case *ecdsa.PrivateKey: +diff --git a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go +index 4bb18ee8..a3342a76 100644 +--- a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go ++++ b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go +@@ -23,14 +23,11 @@ import ( + "crypto/cipher" + "crypto/rand" + "encoding/base64" +- "fmt" + "time" + + "k8s.io/apiserver/pkg/storage/value" + "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics" + "k8s.io/utils/lru" +- +- "golang.org/x/crypto/cryptobyte" + ) + + func init() { +@@ -82,75 +79,12 @@ func NewEnvelopeTransformer(envelopeService Service, cacheSize int, baseTransfor + + // TransformFromStorage decrypts data encrypted by this transformer using envelope encryption. + func (t *envelopeTransformer) TransformFromStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, bool, error) { +- metrics.RecordArrival(metrics.FromStorageLabel, time.Now()) +- +- // Read the 16 bit length-of-DEK encoded at the start of the encrypted DEK. 16 bits can +- // represent a maximum key length of 65536 bytes. We are using a 256 bit key, whose +- // length cannot fit in 8 bits (1 byte). Thus, we use 16 bits (2 bytes) to store the length. +- var encKey cryptobyte.String +- s := cryptobyte.String(data) +- if ok := s.ReadUint16LengthPrefixed(&encKey); !ok { +- return nil, false, fmt.Errorf("invalid data encountered by envelope transformer: failed to read uint16 length prefixed data") +- } +- +- encData := []byte(s) +- +- // Look up the decrypted DEK from cache or Envelope. +- transformer := t.getTransformer(encKey) +- if transformer == nil { +- if t.cacheEnabled { +- value.RecordCacheMiss() +- } +- key, err := t.envelopeService.Decrypt(encKey) +- if err != nil { +- // Do NOT wrap this err using fmt.Errorf() or similar functions +- // because this gRPC status error has useful error code when +- // record the metric. +- return nil, false, err +- } +- +- transformer, err = t.addTransformer(encKey, key) +- if err != nil { +- return nil, false, err +- } +- } +- +- return transformer.TransformFromStorage(ctx, encData, dataCtx) ++ panic("cryptobyte cipher not available") + } + + // TransformToStorage encrypts data to be written to disk using envelope encryption. + func (t *envelopeTransformer) TransformToStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, error) { +- metrics.RecordArrival(metrics.ToStorageLabel, time.Now()) +- newKey, err := generateKey(32) +- if err != nil { +- return nil, err +- } +- +- encKey, err := t.envelopeService.Encrypt(newKey) +- if err != nil { +- // Do NOT wrap this err using fmt.Errorf() or similar functions +- // because this gRPC status error has useful error code when +- // record the metric. +- return nil, err +- } +- +- transformer, err := t.addTransformer(encKey, newKey) +- if err != nil { +- return nil, err +- } +- +- result, err := transformer.TransformToStorage(ctx, data, dataCtx) +- if err != nil { +- return nil, err +- } +- // Append the length of the encrypted DEK as the first 2 bytes. +- b := cryptobyte.NewBuilder(nil) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(encKey)) +- }) +- b.AddBytes(result) +- +- return b.Bytes() ++ panic("cryptobyte cipher not available") + } + + var _ value.Transformer = &envelopeTransformer{} +diff --git a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_extended_nonce.go b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_extended_nonce.go +index cf8f3930..de4d145f 100644 +--- a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_extended_nonce.go ++++ b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_extended_nonce.go +@@ -20,14 +20,10 @@ import ( + "bytes" + "context" + "crypto/aes" +- "crypto/sha256" + "errors" + "fmt" +- "io" + "time" + +- "golang.org/x/crypto/hkdf" +- + "k8s.io/apiserver/pkg/storage/value" + "k8s.io/utils/clock" + ) +@@ -132,14 +128,7 @@ func (e *extendedNonceGCM) derivedKeyTransformer(info []byte, dataCtx value.Cont + } + + func (e *extendedNonceGCM) sha256KDFExpandOnly(info []byte) ([]byte, error) { +- kdf := hkdf.Expand(sha256.New, e.seed, info) +- +- derivedKey := make([]byte, derivedKeySizeExtendedNonceGCM) +- if _, err := io.ReadFull(kdf, derivedKey); err != nil { +- return nil, fmt.Errorf("failed to read a derived key from KDF: %w", err) +- } +- +- return derivedKey, nil ++ panic("hkdf cipher not available") + } + + func newGCMTransformerWithInfo(key, info []byte) (*transformerWithInfo, error) { + +diff --git a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go +index 45d5db58..db3bd2f9 100644 +--- a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go ++++ b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go +@@ -23,12 +23,10 @@ import ( + "crypto/cipher" + "crypto/sha256" + "fmt" +- "sort" + "time" + "unsafe" + + "github.com/gogo/protobuf/proto" +- "golang.org/x/crypto/cryptobyte" + + utilerrors "k8s.io/apimachinery/pkg/util/errors" + "k8s.io/apimachinery/pkg/util/uuid" +@@ -418,41 +416,7 @@ func getRequestInfoFromContext(ctx context.Context) *genericapirequest.RequestIn + // a. annotation key + // b. annotation value + func generateCacheKey(encryptedDEKSourceType kmstypes.EncryptedDEKSourceType, encryptedDEKSource []byte, keyID string, annotations map[string][]byte) ([]byte, error) { +- // TODO(aramase): use sync pool buffer to avoid allocations +- b := cryptobyte.NewBuilder(nil) +- b.AddUint32(uint32(encryptedDEKSourceType)) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(encryptedDEKSource) +- }) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(toBytes(keyID)) +- }) +- if len(annotations) == 0 { +- return b.Bytes() +- } +- +- // add the length of annotations to the cache key +- b.AddUint32(uint32(len(annotations))) +- +- // Sort the annotations by key. +- keys := make([]string, 0, len(annotations)) +- for k := range annotations { +- k := k +- keys = append(keys, k) +- } +- sort.Strings(keys) +- for _, k := range keys { +- // The maximum size of annotations is annotationsMaxSize (32 kB) so we can safely +- // assume that the length of the key and value will fit in a uint16. +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(toBytes(k)) +- }) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(annotations[k]) +- }) +- } +- +- return b.Bytes() ++ panic("cryptobyte cipher not available") + } + + // toBytes performs unholy acts to avoid allocations + +diff --git a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox.go b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox.go +index 9aec8acd..d0a19c71 100644 +--- a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox.go ++++ b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox.go +@@ -19,10 +19,6 @@ package secretbox + + import ( + "context" +- "crypto/rand" +- "fmt" +- +- "golang.org/x/crypto/nacl/secretbox" + + "k8s.io/apiserver/pkg/storage/value" + ) +@@ -43,28 +39,9 @@ func NewSecretboxTransformer(key [32]byte) value.Transformer { + } + + func (t *secretboxTransformer) TransformFromStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, bool, error) { +- if len(data) < (secretbox.Overhead + nonceSize) { +- return nil, false, fmt.Errorf("the stored data was shorter than the required size") +- } +- var nonce [nonceSize]byte +- copy(nonce[:], data[:nonceSize]) +- data = data[nonceSize:] +- out := make([]byte, 0, len(data)-secretbox.Overhead) +- result, ok := secretbox.Open(out, data, &nonce, &t.key) +- if !ok { +- return nil, false, fmt.Errorf("output array was not large enough for encryption") +- } +- return result, false, nil ++ panic("nacl cipher not available") + } + + func (t *secretboxTransformer) TransformToStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, error) { +- var nonce [nonceSize]byte +- n, err := rand.Read(nonce[:]) +- if err != nil { +- return nil, err +- } +- if n != nonceSize { +- return nil, fmt.Errorf("unable to read sufficient random bytes") +- } +- return secretbox.Seal(nonce[:], data, &nonce, &t.key), nil ++ panic("nacl cipher not available") + } + +diff --git a/vendor/k8s.io/apiserver/pkg/server/config.go b/vendor/k8s.io/apiserver/pkg/server/config.go +index d678f52d..da4abbae 100644 +--- a/vendor/k8s.io/apiserver/pkg/server/config.go ++++ b/vendor/k8s.io/apiserver/pkg/server/config.go +@@ -18,8 +18,6 @@ package server + + import ( + "context" +- "crypto/sha256" +- "encoding/base32" + "fmt" + "net" + "net/http" +@@ -34,7 +32,6 @@ import ( + + jsonpatch "github.com/evanphx/json-patch" + "github.com/google/uuid" +- "golang.org/x/crypto/cryptobyte" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" +@@ -374,29 +371,7 @@ func NewConfig(codecs serializer.CodecFactory) *Config { + defaultHealthChecks := []healthz.HealthChecker{healthz.PingHealthz, healthz.LogHealthz} + var id string + if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.APIServerIdentity) { +- hostname, err := hostnameFunc() +- if err != nil { +- klog.Fatalf("error getting hostname for apiserver identity: %v", err) +- } +- +- // Since the hash needs to be unique across each kube-apiserver and aggregated apiservers, +- // the hash used for the identity should include both the hostname and the identity value. +- // TODO: receive the identity value as a parameter once the apiserver identity lease controller +- // post start hook is moved to generic apiserver. +- b := cryptobyte.NewBuilder(nil) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(hostname)) +- }) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte("kube-apiserver")) +- }) +- hashData, err := b.Bytes() +- if err != nil { +- klog.Fatalf("error building hash data for apiserver identity: %v", err) +- } +- +- hash := sha256.Sum256(hashData) +- id = "apiserver-" + strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(hash[:16])) ++ panic("cryptobyte cipher not available") + } + lifecycleSignals := newLifecycleSignals() diff --git a/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch b/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch new file mode 100644 index 0000000..ad92fb1 --- /dev/null +++ b/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch @@ -0,0 +1,135 @@ +use pbkdf2 from OpenSSL if FIPS mode is enabled + +This patch modifies the x/crypto/pbkdf2 function to use OpenSSL +if FIPS mode is enabled. +DEFINEFUNC is from /usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h + +diff --git a/vendor/golang.org/x/crypto/internal/boring/boring.go b/vendor/golang.org/x/crypto/internal/boring/boring.go +new file mode 100644 +index 0000000000..5a06918832 +--- /dev/null ++++ b/vendor/golang.org/x/crypto/internal/boring/boring.go +@@ -0,0 +1,74 @@ ++// Copyright 2017 The Go Authors. All rights reserved. ++// Copyright 2021 Red Hat. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// +build linux ++// +build !android ++// +build !no_openssl ++// +build !cmd_go_bootstrap ++// +build !msan ++ ++package boring ++ ++// #include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h" ++// #cgo LDFLAGS: -ldl ++import "C" ++import ( ++ "bytes" ++ "crypto/sha1" ++ "crypto/sha256" ++ "hash" ++ "unsafe" ++) ++ ++var ( ++ emptySha1 = sha1.Sum([]byte{}) ++ emptySha256 = sha256.Sum256([]byte{}) ++) ++ ++func hashToMD(h hash.Hash) C.GO_EVP_MD_PTR { ++ emptyHash := h.Sum([]byte{}) ++ ++ switch { ++ case bytes.Equal(emptyHash, emptySha1[:]): ++ return C.go_openssl_EVP_sha1() ++ case bytes.Equal(emptyHash, emptySha256[:]): ++ return C.go_openssl_EVP_sha256() ++ } ++ return nil ++} ++ ++// charptr returns the address of the underlying array in b, ++// being careful not to panic when b has zero length. ++func charptr(b []byte) *C.char { ++ if len(b) == 0 { ++ return nil ++ } ++ return (*C.char)(unsafe.Pointer(&b[0])) ++} ++ ++// ucharptr returns the address of the underlying array in b, ++// being careful not to panic when b has zero length. ++func ucharptr(b []byte) *C.uchar { ++ if len(b) == 0 { ++ return nil ++ } ++ return (*C.uchar)(unsafe.Pointer(&b[0])) ++} ++ ++func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { ++ // println("[debug] using pbkdf2 from OpenSSL") ++ ch := h() ++ md := hashToMD(ch) ++ if md == nil { ++ return nil ++ } ++ ++ out := make([]byte, keyLen) ++ ok := C.go_openssl_PKCS5_PBKDF2_HMAC(charptr(password), C.int(len(password)), ucharptr(salt), C.int(len(salt)), C.int(iter), md, C.int(keyLen), ucharptr(out)) ++ if ok != 1 { ++ panic("boringcrypto: PKCS5_PBKDF2_HMAC failed") ++ } ++ return out ++} +diff --git a/vendor/golang.org/x/crypto/internal/boring/notboring.go b/vendor/golang.org/x/crypto/internal/boring/notboring.go +new file mode 100644 +index 0000000000..e244fb5663 +--- /dev/null ++++ b/vendor/golang.org/x/crypto/internal/boring/notboring.go +@@ -0,0 +1,16 @@ ++// Copyright 2017 The Go Authors. All rights reserved. ++// Copyright 2021 Red Hat. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl ++ ++package boring ++ ++import ( ++ "hash" ++) ++ ++func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { ++ panic("boringcrypto: not available") ++} +diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go +index 593f653008..799a611f94 100644 +--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go ++++ b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go +@@ -19,8 +19,11 @@ pbkdf2.Key. + package pbkdf2 // import "golang.org/x/crypto/pbkdf2" + + import ( ++ "crypto/boring" + "crypto/hmac" + "hash" ++ ++ xboring "golang.org/x/crypto/internal/boring" + ) + + // Key derives a key from the password, salt and iteration count, returning a +@@ -40,6 +43,10 @@ import ( + // Using a higher iteration count will increase the cost of an exhaustive + // search but will also make derivation proportionally slower. + func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { ++ if boring.Enabled() { ++ return xboring.Pbkdf2Key(password, salt, iter, keyLen, h) ++ } ++ + prf := hmac.New(h, password) + hashLen := prf.Size() + numBlocks := (keyLen + hashLen - 1) / hashLen diff --git a/SOURCES/1003-vendor-skip-goldenfiles-tests.patch b/SOURCES/1003-vendor-skip-goldenfiles-tests.patch new file mode 100644 index 0000000..8f18c0e --- /dev/null +++ b/SOURCES/1003-vendor-skip-goldenfiles-tests.patch @@ -0,0 +1,18 @@ +skip goldenfiles tests + +The golden files include memory dumps from a x86_64 machine. +Integers are stored as little endian on x86, but as big endian on s390x, +therefore loading this memory dump fails on s390x. + +diff --git a/vendor/github.com/grafana/grafana-plugin-sdk-go/experimental/golden_response_checker.go b/vendor/github.com/grafana/grafana-plugin-sdk-go/experimental/golden_response_checker.go +index 320f40f3bd..20f5fa4f46 100644 +--- a/vendor/github.com/grafana/grafana-plugin-sdk-go/experimental/golden_response_checker.go ++++ b/vendor/github.com/grafana/grafana-plugin-sdk-go/experimental/golden_response_checker.go +@@ -203,6 +203,7 @@ func CheckGoldenJSONFrame(t *testing.T, dir string, name string, f *data.Frame, + // CheckGoldenJSONResponse will verify that the stored JSON file matches the given backend.DataResponse. + func CheckGoldenJSONResponse(t *testing.T, dir string, name string, dr *backend.DataResponse, updateFile bool) { + t.Helper() ++ t.Skip("skipping test: x86_64 memory dump is not compatible with other architectures") + fpath := path.Join(dir, name+".jsonc") + + expected, err := readGoldenJSONFile(fpath) diff --git a/SOURCES/1004-vendor-Redacted-Url-in-logs.patch b/SOURCES/1004-vendor-Redacted-Url-in-logs.patch new file mode 100644 index 0000000..9ac5827 --- /dev/null +++ b/SOURCES/1004-vendor-Redacted-Url-in-logs.patch @@ -0,0 +1,51 @@ +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go +index f40d241..765a828 100644 +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +@@ -584,9 +584,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if logger != nil { + switch v := logger.(type) { + case LeveledLogger: +- v.Debug("performing request", "method", req.Method, "url", req.URL) ++ v.Debug("performing request", "method", req.Method, "url", req.URL.Redacted()) + case Logger: +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) ++ v.Printf("[DEBUG] %s %s", req.Method, req.URL.Redacted()) + } + } + +@@ -641,9 +641,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + if err != nil { + switch v := logger.(type) { + case LeveledLogger: +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) ++ v.Error("request failed", "error", err, "method", req.Method, "url", req.URL.Redacted()) + case Logger: +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL.Redacted(), err) + } + } else { + // Call this here to maintain the behavior of logging all requests, +@@ -679,7 +679,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) + if logger != nil { +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) ++ desc := fmt.Sprintf("%s %s", req.Method, req.URL.Redacted()) + if resp != nil { + desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode) + } +@@ -735,11 +735,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) { + // communicate why + if err == nil { + return nil, fmt.Errorf("%s %s giving up after %d attempt(s)", +- req.Method, req.URL, attempt) ++ req.Method, req.URL.Redacted(), attempt) + } + + return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w", +- req.Method, req.URL, attempt, err) ++ req.Method, req.URL.Redacted(), attempt, err) + } + + // Try to read the response body so we can reuse this connection. diff --git a/SOURCES/build_frontend.sh b/SOURCES/build_frontend.sh new file mode 100755 index 0000000..1117e80 --- /dev/null +++ b/SOURCES/build_frontend.sh @@ -0,0 +1,20 @@ +#!/bin/bash -eu + +# Webpack needs more than the default 4GB RAM +export NODE_OPTIONS="${NODE_OPTIONS:-} --max_old_space_size=6144" + +# Build the frontend +yarn run build + +# Build the bundled plugins +mkdir plugins-bundled/external +yarn run plugins:build-bundled +for plugin in plugins-bundled/internal/input-datasource; do + mv $plugin $plugin.tmp + mv $plugin.tmp/dist $plugin + rm -rf $plugin.tmp +done +rm plugins-bundled/README.md plugins-bundled/.gitignore plugins-bundled/external.json + +# Fix permissions (webpack sometimes outputs files with mode = 666 due to reasons unknown (race condition/umask issue afaics)) +chmod -R g-w,o-w public/build plugins-bundled diff --git a/SOURCES/create_bundles.sh b/SOURCES/create_bundles.sh new file mode 100755 index 0000000..feb9994 --- /dev/null +++ b/SOURCES/create_bundles.sh @@ -0,0 +1,104 @@ +#!/bin/bash -eux +VERSION=$(rpm --specfile ./*.spec --qf '%{VERSION}\n' | head -1) +RELEASE=$(rpm --specfile ./*.spec --qf '%{RELEASE}\n' | head -1 | cut -d. -f1) +CHANGELOGTIME=$(rpm --specfile ./*.spec --qf '%{CHANGELOGTIME}\n' | head -1) +SOURCE_DATE_EPOCH=$((CHANGELOGTIME - CHANGELOGTIME % 86400)) + +SOURCE_DIR=grafana-$VERSION +SOURCE_TAR=grafana-$VERSION.tar.gz +VENDOR_TAR=grafana-vendor-$VERSION-$RELEASE.tar.xz +WEBPACK_TAR=grafana-webpack-$VERSION-$RELEASE.tar.gz + + +## Download and extract source tarball +spectool -g grafana.spec +rm -rf "${SOURCE_DIR}" +tar xf "${SOURCE_TAR}" + + +## Create vendor bundle +pushd "${SOURCE_DIR}" + +# Vendor Go dependencies +patch -p1 --fuzz=0 < ../0004-remove-unused-backend-dependencies.patch +go mod vendor + +# Generate Go files +make gen-go + +# Remove unused crypto +rm -r vendor/golang.org/x/crypto/bcrypt +rm -r vendor/golang.org/x/crypto/blowfish +rm -r vendor/golang.org/x/crypto/cast5 +rm -r vendor/golang.org/x/crypto/acme +rm -r vendor/golang.org/x/crypto/argon2 +rm -r vendor/golang.org/x/crypto/blake2b +rm -r vendor/golang.org/x/crypto/chacha20 +rm -r vendor/golang.org/x/crypto/chacha20poly1305 +rm -r vendor/golang.org/x/crypto/cryptobyte +rm -r vendor/golang.org/x/crypto/curve25519 +rm -r vendor/golang.org/x/crypto/ed25519 +rm -r vendor/golang.org/x/crypto/hkdf +rm -r vendor/golang.org/x/crypto/internal +rm -r vendor/golang.org/x/crypto/md4 +rm -r vendor/golang.org/x/crypto/nacl +rm -r vendor/golang.org/x/crypto/openpgp +rm -r vendor/golang.org/x/crypto/pkcs12 +rm -r vendor/golang.org/x/crypto/poly1305 +rm -r vendor/golang.org/x/crypto/salsa20 +rm -r vendor/golang.org/x/crypto/scrypt +rm -r vendor/golang.org/x/crypto/sha3 + +# Remove unused code under apsl licenses +rm -r vendor/modernc.org/libc +rm -r vendor/modernc.org/sqlite + +# List bundled dependencies +awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = " substr($2, 2)}' go.mod | \ + sed -E 's/=(.*)-(.*)-(.*)/=\1-\2.\3/g' > "../${VENDOR_TAR}.manifest" + +# Vendor Node.js dependencies +patch -p1 --fuzz=0 < ../0005-remove-unused-frontend-crypto.patch +export HUSKY=0 +yarn install --frozen-lockfile + +# Remove files with licensing issues +find .yarn -name 'node-notifier' -prune -exec rm -r {} \; +find .yarn -name 'nodemon' -prune -exec rm -r {} \; + +# List bundled dependencies +../list_bundled_nodejs_packages.py . >> "../${VENDOR_TAR}.manifest" + +popd + +# Create tarball +# shellcheck disable=SC2046 +XZ_OPT=-9 tar \ + --sort=name \ + --mtime="@${SOURCE_DATE_EPOCH}" --clamp-mtime \ + --owner=0 --group=0 --numeric-owner \ + -cJf "${VENDOR_TAR}" \ + "${SOURCE_DIR}/vendor" \ + $(find "${SOURCE_DIR}" -type f -name wire_gen.go | LC_ALL=C sort) \ + "${SOURCE_DIR}/.pnp.cjs" \ + "${SOURCE_DIR}/.yarn/cache" \ + "${SOURCE_DIR}/.yarn/unplugged" + + +## Create webpack +pushd "${SOURCE_DIR}" +../build_frontend.sh +popd + +# Create tarball +tar \ + --sort=name \ + --mtime="@${SOURCE_DATE_EPOCH}" --clamp-mtime \ + --owner=0 --group=0 --numeric-owner \ + -czf "${WEBPACK_TAR}" \ + "${SOURCE_DIR}/plugins-bundled" \ + "${SOURCE_DIR}/public/build" \ + "${SOURCE_DIR}/public/img" \ + "${SOURCE_DIR}/public/lib" \ + "${SOURCE_DIR}/public/locales" \ + "${SOURCE_DIR}/public/views" diff --git a/SOURCES/create_bundles_in_container.sh b/SOURCES/create_bundles_in_container.sh new file mode 100755 index 0000000..216efab --- /dev/null +++ b/SOURCES/create_bundles_in_container.sh @@ -0,0 +1,24 @@ +#!/bin/bash -eu +# +# create vendor and webpack bundles inside a container (for reproducibility) +# using a Go cache: +# ./create_bundles_in_container.sh --security-opt label=disable -v $(pwd)/.gocache:/root/go +# + +cat <policy for grafana + +######################################## +## +## Execute grafana_exec_t in the grafana domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`grafana_domtrans',` + gen_require(` + type grafana_t, grafana_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, grafana_exec_t, grafana_t) +') + +######################################## +## +## Allow domain to name_connect to grafana port. Default :3000 +## +## +## +## Domain allowed access +## +## +# +interface(`connect_grafana_port',` + gen_require(` + class tcp_socket name_connect; + type grafana_port_t; + ') + + allow $1 grafana_port_t:tcp_socket name_connect; +') + +####################################### +## +## Read grafana database. +## +## +## +## Domain allowed access. +## +## +# +interface(`grafana_read_db',` + gen_require(` + type grafana_db_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, grafana_var_lib_t, grafana_var_lib_t) + read_files_pattern($1, grafana_db_t, grafana_db_t) +') + +###################################### +## +## Execute grafana in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`grafana_exec',` + gen_require(` + type grafana_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, grafana_exec_t) +') +######################################## +## +## Execute grafana server in the grafana domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`grafana_systemctl',` + gen_require(` + type grafana_t; + type grafana_unit_file_t; + ') + + systemd_exec_systemctl($1) + systemd_read_fifo_file_passwd_run($1) + allow $1 grafana_unit_file_t:file read_file_perms; + allow $1 grafana_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, grafana_t) +') + + +######################################## +## +## All of the rules required to administrate +## an grafana environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`grafana_admin',` + gen_require(` + type grafana_t; + type grafana_unit_file_t; + ') + + allow $1 grafana_t:process { signal_perms }; + ps_process_pattern($1, grafana_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 grafana_t:process ptrace; + ') + + grafana_systemctl($1) + admin_pattern($1, grafana_unit_file_t) + allow $1 grafana_unit_file_t:service all_service_perms; + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') diff --git a/SOURCES/grafana.sysusers b/SOURCES/grafana.sysusers new file mode 100644 index 0000000..7c4a4d5 --- /dev/null +++ b/SOURCES/grafana.sysusers @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory +u grafana - "Grafana user account" /usr/share/grafana diff --git a/SOURCES/grafana.te b/SOURCES/grafana.te new file mode 100644 index 0000000..d25174e --- /dev/null +++ b/SOURCES/grafana.te @@ -0,0 +1,207 @@ +policy_module(grafana, 1.0.4) + +######################################## +# +# Declarations +# +#permissive grafana_t; + +## +##

+## Allow grafana to be used with a reverse proxy +##

+##
+gen_tunable(grafana_can_reverse_proxy, false) + +## +##

+## Allow grafana to connect to elasticsearch's default tcp port of 9200 +##

+##
+gen_tunable(grafana_can_tcp_connect_elasticsearch_port, false) + +## +##

+## Allow grafana to connect to mysql's default tcp port of 3306 +##

+##
+gen_tunable(grafana_can_tcp_connect_mysql_port, false) + +## +##

+## Allow grafana to connect to postgresql's default tcp port of 5432 +##

+##
+gen_tunable(grafana_can_tcp_connect_postgresql_port, false) + +## +##

+## Allow grafana to connect to prometheus' default tcp port of 9090 +##

+##
+gen_tunable(grafana_can_tcp_connect_prometheus_port, false) + + +type grafana_t; +type grafana_exec_t; +init_daemon_domain(grafana_t, grafana_exec_t) +init_nnp_daemon_domain(grafana_t) + +type grafana_unit_file_t; +systemd_unit_file(grafana_unit_file_t) + +type grafana_conf_t; +files_config_file(grafana_conf_t) + +type grafana_db_t; +files_config_file(grafana_db_t) + +type grafana_tmp_t; +files_tmp_file(grafana_tmp_t) + +type grafana_tmpfs_t; +files_tmpfs_file(grafana_tmpfs_t) + +type grafana_log_t; +logging_log_file(grafana_log_t) + +type grafana_var_run_t; +files_pid_file(grafana_var_run_t) + +type grafana_var_lib_t; +files_type(grafana_var_lib_t) + +type grafana_port_t; +corenet_port(grafana_port_t) + +type grafana_pcp_exec_t; +corecmd_executable_file(grafana_pcp_exec_t) +can_exec(grafana_t, grafana_pcp_exec_t) + +# Ports 32768-60999 (pcp port is 44322) +corenet_tcp_connect_all_ephemeral_ports(grafana_t) +grafana_exec(grafana_t) + +######################################## +# +# grafana local policy +# +allow grafana_t self:tcp_socket create_stream_socket_perms; +allow grafana_t self:udp_socket create_stream_socket_perms; +allow grafana_t self:unix_dgram_socket create_socket_perms; + +allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect }; + +allow grafana_t self:unix_stream_socket connectto; + +allow grafana_t self:netlink_route_socket { create bind getattr nlmsg_read }; + +optional_policy(` + require { + type smtp_port_t; + class tcp_socket { name_connect }; + } + allow grafana_t smtp_port_t:tcp_socket name_connect; +') + +optional_policy(` + require { + type usr_t; + class file { execute execute_no_trans }; + } + allow grafana_t usr_t:file { execute execute_no_trans }; +') + +optional_policy(` + require { + type postgresql_t; + type postgresql_var_run_t; + class unix_stream_socket { connectto }; + class sock_file { write }; + } + allow grafana_t postgresql_t:unix_stream_socket connectto; + allow grafana_t postgresql_var_run_t:sock_file write; +') + +optional_policy(` + require { + type proc_net_t; + class lnk_file { read }; + } + allow grafana_t proc_net_t:lnk_file read; +') + +manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t) +manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t) + +manage_dirs_pattern(grafana_t, grafana_db_t, grafana_db_t) +manage_files_pattern(grafana_t, grafana_db_t, grafana_db_t) + +manage_dirs_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t) +manage_files_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t) +manage_sock_files_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t) +files_tmp_filetrans(grafana_t, grafana_tmp_t, { dir file sock_file }) + +manage_dirs_pattern(grafana_t, grafana_tmpfs_t, grafana_tmpfs_t) +manage_files_pattern(grafana_t, grafana_tmpfs_t, grafana_tmpfs_t) +fs_tmpfs_filetrans(grafana_t, grafana_tmpfs_t, {dir file}) + +manage_dirs_pattern(grafana_t, grafana_log_t, grafana_log_t) +manage_files_pattern(grafana_t, grafana_log_t, grafana_log_t) +logging_log_filetrans(grafana_t, grafana_log_t, { dir file }) + +manage_dirs_pattern(grafana_t, grafana_var_run_t, grafana_var_run_t) +manage_files_pattern(grafana_t, grafana_var_run_t, grafana_var_run_t) +files_pid_filetrans(grafana_t, grafana_var_run_t, { dir file }) + +manage_dirs_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t) +manage_files_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t) +manage_lnk_files_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t) +files_var_lib_filetrans(grafana_t, grafana_var_lib_t, { dir file }) + + +corenet_tcp_connect_http_port(grafana_t) +corenet_tcp_bind_generic_node(grafana_t) + +kernel_dgram_send(grafana_t) +kernel_read_net_sysctls(grafana_t) +kernel_read_system_state(grafana_t) + +auth_read_passwd(grafana_t) + +dev_read_sysfs(grafana_t) + +sysnet_read_config(grafana_t) + +logging_send_syslog_msg(grafana_t) + +miscfiles_read_generic_certs(grafana_t) + +tunable_policy(`grafana_can_reverse_proxy',` + gen_require(` + type httpd_t; + ') + + connect_grafana_port(httpd_t) # Reverse proxy support + corenet_tcp_connect_http_port(grafana_t) +') + +tunable_policy(`grafana_can_tcp_connect_elasticsearch_port',` # Elasticsearch default tcp port 9200 + corenet_tcp_connect_wap_wsp_port(grafana_t) +') + +tunable_policy(`grafana_can_tcp_connect_mysql_port',` # Mysql default tcp port 3306 + corenet_tcp_connect_mysqld_port(grafana_t) +') + +tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default tcp port 5432 + corenet_tcp_connect_postgresql_port(grafana_t) +') + +tunable_policy(`grafana_can_tcp_connect_prometheus_port',` # Prometheus default tcp port 9090 + corenet_tcp_connect_websm_port(grafana_t) +') + +optional_policy(` + systemd_private_tmp(grafana_tmp_t) +') diff --git a/SOURCES/list_bundled_nodejs_packages.py b/SOURCES/list_bundled_nodejs_packages.py new file mode 100755 index 0000000..0636632 --- /dev/null +++ b/SOURCES/list_bundled_nodejs_packages.py @@ -0,0 +1,72 @@ +#!/usr/bin/env python3 +# +# generates Provides: bundled(npm(...)) = ... lines for each declared dependency and devDependency of package.json +# +import os +import sys +import json +import yaml +from packaging import version + + +def scan_package_json(package_dir): + for root, dirs, files in os.walk(package_dir, topdown=True): + dirs[:] = [d for d in dirs if d not in ["node_modules", "vendor"]] + if "package.json" in files: + yield os.path.join(root, "package.json") + + +def read_declared_pkgs(package_json_path): + with open(package_json_path) as f: + package_json = json.load(f) + return list(package_json.get("dependencies", {}).keys()) + list( + package_json.get("devDependencies", {}).keys() + ) + + +def read_installed_pkgs(yarn_lock_path): + bad_version_strings = ['0.0.0-use.local', '7.0.1-patch.1'] + with open(yarn_lock_path) as f: + lockfile = yaml.safe_load(f) + for pkg_decl, meta in lockfile.items(): + for pkg in pkg_decl.split(", "): + if ":" not in pkg: + continue + pkg_name = pkg[: pkg.index("@", 1)] + pkg_version = meta["version"] + if pkg_version not in bad_version_strings: + yield (pkg_name, pkg_version) + + +def list_provides(declared_pkgs, installed_pkgs): + for declared_pkg in declared_pkgs: + # there can be multiple versions installed of one package (transitive dependencies) + # but rpm doesn't support Provides: with a single package and multiple versions + # so let's declare the oldest version here + versions = [ + version.parse(pkg_version) + for pkg_name, pkg_version in installed_pkgs + if pkg_name == declared_pkg + ] + + if not versions: + print(f"warning: {declared_pkg} missing in yarn.lock", file=sys.stderr) + continue + + oldest_version = sorted(versions)[0] + yield f"Provides: bundled(npm({declared_pkg})) = {oldest_version}" + + +if __name__ == "__main__": + if len(sys.argv) != 2: + print(f"usage: {sys.argv[0]} package-X.Y.Z/", file=sys.stdout) + sys.exit(1) + + package_dir = sys.argv[1] + declared_pkgs = set() + for package_json_path in scan_package_json(package_dir): + declared_pkgs.update(read_declared_pkgs(package_json_path)) + installed_pkgs = list(read_installed_pkgs(f"{package_dir}/yarn.lock")) + provides = list_provides(declared_pkgs, installed_pkgs) + for provide in sorted(provides): + print(provide) diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec new file mode 100644 index 0000000..66fb343 --- /dev/null +++ b/SPECS/grafana.spec @@ -0,0 +1,1397 @@ +# Specify if the frontend will be compiled as part of the build or +# is attached as a webpack tarball (in case of an unsuitable nodejs version on the build system) +%define compile_frontend 0 + +%if 0%{?rhel} +%define enable_fips_mode 1 +%else +%define enable_fips_mode 0 +%endif + +%global grafana_arches %{lua: go_arches = {} + for arch in rpm.expand("%{go_arches}"):gmatch("%S+") do + go_arches[arch] = 1 + end + for arch in rpm.expand("%{nodejs_arches}"):gmatch("%S+") do + if go_arches[arch] then + print(arch .. " ") + end +end} + +%global gomodulesmode GO111MODULE=auto +%global gotestflags %{gotestflags} -tags=integration + +%global selinux_variants mls targeted + +Name: grafana +Version: 10.2.6 +Release: 7%{?dist} +Summary: Metrics dashboard and graph editor +License: AGPL-3.0-only +URL: https://grafana.org + +# Source0 contains the tagged upstream sources +Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name}-%{version}.tar.gz + +# Source1 contains the bundled Go and Node.js dependencies +# Note: In case there were no changes to this tarball, the NVR of this tarball +# lags behind the NVR of this package. +Source1: grafana-vendor-%{version}-2.tar.xz + +%if %{compile_frontend} == 0 +# Source2 contains the precompiled frontend +# Note: In case there were no changes to this tarball, the NVR of this tarball +# lags behind the NVR of this package. +Source2: grafana-webpack-%{version}-2.tar.gz +%endif + +# Source3 contains the systemd-sysusers configuration +Source3: grafana.sysusers + +# Source4 contains the script to create the vendor and webpack bundles +Source4: create_bundles.sh + +# Source5 contains the script to build the frontend +Source5: build_frontend.sh + +# Source6 contains the script to generate the list of bundled nodejs packages +Source6: list_bundled_nodejs_packages.py + +# Source7 contains the script to create the vendor and webpack bundles in a container +Source7: create_bundles_in_container.sh + +# Source8 - Source10 contain the grafana-selinux policy +Source8: grafana.te +Source9: grafana.fc +Source10: grafana.if + +# Patches affecting the source tarball +Patch1: 0001-update-grafana-cli-script-with-distro-specific-paths.patch +Patch2: 0002-add-manpages.patch +Patch3: 0003-update-default-configuration.patch +Patch4: 0004-remove-unused-backend-dependencies.patch +Patch5: 0005-remove-unused-frontend-crypto.patch +Patch6: 0006-skip-marketplace-plugin-install-test.patch +Patch7: 0007-redact-weak-ciphers.patch +Patch8: 0008-replace-faulty-slices-sort.patch +Patch9: 0009-update-wrappers-and-systemd-with-distro-paths.patch +Patch10: 0010-remove-bcrypt-references.patch + +# Patches affecting the vendor tarball +Patch1001: 1001-vendor-patch-removed-backend-crypto.patch +Patch1002: 1002-vendor-use-pbkdf2-from-OpenSSL.patch +Patch1003: 1003-vendor-skip-goldenfiles-tests.patch +Patch1004: 1004-vendor-Redacted-Url-in-logs.patch + +# Intersection of go_arches and nodejs_arches +ExclusiveArch: %{grafana_arches} + +BuildRequires: systemd +BuildRequires: systemd-rpm-macros +BuildRequires: golang >= 1.17 +BuildRequires: go-srpm-macros +BuildRequires: go-rpm-macros + +%if %{compile_frontend} +BuildRequires: nodejs >= 1:16 +BuildRequires: yarnpkg +%endif + +%if %{enable_fips_mode} +BuildRequires: openssl-devel +%endif + +%global GRAFANA_USER %{name} +%global GRAFANA_GROUP %{name} + +# grafana-server service daemon uses systemd +%{?systemd_requires} +Requires(pre): shadow-utils + +# Grafana queries the mime database (through mime.TypeByExtension, in a unit test and at runtime) +BuildRequires: shared-mime-info +Requires: shared-mime-info + +%if 0%{?fedora} >= 35 || 0%{?rhel} >= 8 +# This ensures that the grafana-selinux package and all its dependencies are +# not pulled into containers and other systems that do not use SELinux +Requires: (grafana-selinux = %{version}-%{release} if selinux-policy-targeted) +%else +Requires: grafana-selinux = %{version}-%{release} +%endif + +%if 0%{?fedora} || 0%{?rhel} > 7 +Recommends: grafana-pcp +%endif + +Obsoletes: grafana-cloudwatch < 7.3.6-1 +Obsoletes: grafana-elasticsearch < 7.3.6-1 +Obsoletes: grafana-azure-monitor < 7.3.6-1 +Obsoletes: grafana-graphite < 7.3.6-1 +Obsoletes: grafana-influxdb < 7.3.6-1 +Obsoletes: grafana-loki < 7.3.6-1 +Obsoletes: grafana-mssql < 7.3.6-1 +Obsoletes: grafana-mysql < 7.3.6-1 +Obsoletes: grafana-opentsdb < 7.3.6-1 +Obsoletes: grafana-postgres < 7.3.6-1 +Obsoletes: grafana-prometheus < 7.3.6-1 +Obsoletes: grafana-stackdriver < 7.3.6-1 +Provides: grafana-cloudwatch = 7.3.6-1 +Provides: grafana-elasticsearch = 7.3.6-1 +Provides: grafana-azure-monitor = 7.3.6-1 +Provides: grafana-graphite = 7.3.6-1 +Provides: grafana-influxdb = 7.3.6-1 +Provides: grafana-loki = 7.3.6-1 +Provides: grafana-mssql = 7.3.6-1 +Provides: grafana-mysql = 7.3.6-1 +Provides: grafana-opentsdb = 7.3.6-1 +Provides: grafana-postgres = 7.3.6-1 +Provides: grafana-prometheus = 7.3.6-1 +Provides: grafana-stackdriver = 7.3.6-1 + +# vendored golang and node.js build dependencies +# this is for security purposes, if nodejs-foo ever needs an update, +# affected packages can be easily identified. +# Note: generated by the Makefile (see README.md) +Provides: bundled(golang(cloud.google.com/go/storage)) = 1.30.1 +Provides: bundled(golang(cuelang.org/go)) = 0.6.0-0.dev +Provides: bundled(golang(github.com/Azure/azure-sdk-for-go)) = 65.0.0+incompatible +Provides: bundled(golang(github.com/Azure/go-autorest/autorest)) = 0.11.28 +Provides: bundled(golang(github.com/BurntSushi/toml)) = 1.3.2 +Provides: bundled(golang(github.com/Masterminds/semver)) = 1.5.0 +Provides: bundled(golang(github.com/VividCortex/mysqlerr)) = 0.0.0-20170204212430.6c6b55f8796f +Provides: bundled(golang(github.com/aws/aws-sdk-go)) = 1.44.325 +Provides: bundled(golang(github.com/beevik/etree)) = 1.2.0 +Provides: bundled(golang(github.com/benbjohnson/clock)) = 1.3.5 +Provides: bundled(golang(github.com/blang/semver/v4)) = 4.0.0 +Provides: bundled(golang(github.com/bradfitz/gomemcache)) = 0.0.0-20190913173617.a41fca850d0b +Provides: bundled(golang(github.com/centrifugal/centrifuge)) = 0.30.2 +Provides: bundled(golang(github.com/fatih/color)) = 1.15.0 +Provides: bundled(golang(github.com/gchaincl/sqlhooks)) = 1.3.0 +Provides: bundled(golang(github.com/go-ldap/ldap/v3)) = 3.4.4 +Provides: bundled(golang(github.com/go-openapi/strfmt)) = 0.21.7 +Provides: bundled(golang(github.com/go-redis/redis/v8)) = 8.11.5 +Provides: bundled(golang(github.com/go-sourcemap/sourcemap)) = 2.1.3+incompatible +Provides: bundled(golang(github.com/go-sql-driver/mysql)) = 1.7.1 +Provides: bundled(golang(github.com/go-stack/stack)) = 1.8.1 +Provides: bundled(golang(github.com/gobwas/glob)) = 0.2.3 +Provides: bundled(golang(github.com/gogo/protobuf)) = 1.3.2 +Provides: bundled(golang(github.com/golang/mock)) = 1.6.0 +Provides: bundled(golang(github.com/golang/snappy)) = 0.0.4 +Provides: bundled(golang(github.com/google/go-cmp)) = 0.6.0 +Provides: bundled(golang(github.com/google/uuid)) = 1.4.0 +Provides: bundled(golang(github.com/google/wire)) = 0.5.0 +Provides: bundled(golang(github.com/gorilla/websocket)) = 1.5.0 +Provides: bundled(golang(github.com/grafana/alerting)) = 0.0.0-20231101090315.bf12694896a8 +Provides: bundled(golang(github.com/grafana/cuetsy)) = 0.1.11 +Provides: bundled(golang(github.com/grafana/grafana-aws-sdk)) = 0.19.1 +Provides: bundled(golang(github.com/grafana/grafana-azure-sdk-go)) = 1.9.0 +Provides: bundled(golang(github.com/grafana/grafana-plugin-sdk-go)) = 0.196.0 +Provides: bundled(golang(github.com/grpc-ecosystem/go-grpc-middleware)) = 1.4.0 +Provides: bundled(golang(github.com/hashicorp/go-hclog)) = 1.5.0 +Provides: bundled(golang(github.com/hashicorp/go-plugin)) = 1.6.0 +Provides: bundled(golang(github.com/hashicorp/go-version)) = 1.6.0 +Provides: bundled(golang(github.com/hashicorp/hcl/v2)) = 2.17.0 +Provides: bundled(golang(github.com/influxdata/influxdb-client-go/v2)) = 2.12.3 +Provides: bundled(golang(github.com/influxdata/line-protocol)) = 0.0.0-20210311194329.9aa0e372d097 +Provides: bundled(golang(github.com/jmespath/go-jmespath)) = 0.4.0 +Provides: bundled(golang(github.com/json-iterator/go)) = 1.1.12 +Provides: bundled(golang(github.com/lib/pq)) = 1.10.9 +Provides: bundled(golang(github.com/linkedin/goavro/v2)) = 2.10.0 +Provides: bundled(golang(github.com/m3db/prometheus_remote_client_golang)) = 0.4.4 +Provides: bundled(golang(github.com/magefile/mage)) = 1.15.0 +Provides: bundled(golang(github.com/mattn/go-isatty)) = 0.0.18 +Provides: bundled(golang(github.com/mattn/go-sqlite3)) = 1.14.19 +Provides: bundled(golang(github.com/matttproud/golang_protobuf_extensions)) = 1.0.4 +Provides: bundled(golang(github.com/mwitkow/go-conntrack)) = 0.0.0-20190716064945.2f068394615f +Provides: bundled(golang(github.com/patrickmn/go-cache)) = 2.1.0+incompatible +Provides: bundled(golang(github.com/prometheus/alertmanager)) = 0.25.0 +Provides: bundled(golang(github.com/prometheus/client_golang)) = 1.17.0 +Provides: bundled(golang(github.com/prometheus/client_model)) = 0.5.0 +Provides: bundled(golang(github.com/prometheus/common)) = 0.45.0 +Provides: bundled(golang(github.com/prometheus/prometheus)) = 1.8.2-0.20221021121301.51a44e6657c3 +Provides: bundled(golang(github.com/robfig/cron/v3)) = 3.0.1 +Provides: bundled(golang(github.com/russellhaering/goxmldsig)) = 1.4.0 +Provides: bundled(golang(github.com/stretchr/testify)) = 1.8.4 +Provides: bundled(golang(github.com/teris-io/shortid)) = 0.0.0-20171029131806.771a37caa5cf +Provides: bundled(golang(github.com/ua-parser/uap-go)) = 0.0.0-20211112212520.00c877edfe0f +Provides: bundled(golang(github.com/urfave/cli/v2)) = 2.25.0 +Provides: bundled(golang(github.com/vectordotdev/go-datemath)) = 0.1.1-0.20220323213446.f3954d0b18ae +Provides: bundled(golang(github.com/yalue/merged_fs)) = 1.2.2 +Provides: bundled(golang(github.com/yudai/gojsondiff)) = 1.0.0 +Provides: bundled(golang(go.opentelemetry.io/collector/pdata)) = 1.0.0-rc8 +Provides: bundled(golang(go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace)) = 0.46.1 +Provides: bundled(golang(go.opentelemetry.io/otel/exporters/jaeger)) = 1.10.0 +Provides: bundled(golang(go.opentelemetry.io/otel/sdk)) = 1.21.0 +Provides: bundled(golang(go.opentelemetry.io/otel/trace)) = 1.21.0 +Provides: bundled(golang(golang.org/x/crypto)) = 0.17.0 +Provides: bundled(golang(golang.org/x/exp)) = 0.0.0-20230321023759.10a507213a29 +Provides: bundled(golang(golang.org/x/net)) = 0.19.0 +Provides: bundled(golang(golang.org/x/oauth2)) = 0.15.0 +Provides: bundled(golang(golang.org/x/sync)) = 0.4.0 +Provides: bundled(golang(golang.org/x/time)) = 0.3.0 +Provides: bundled(golang(golang.org/x/tools)) = 0.13.0 +Provides: bundled(golang(gonum.org/v1/gonum)) = 0.12.0 +Provides: bundled(golang(google.golang.org/api)) = 0.148.0 +Provides: bundled(golang(google.golang.org/grpc)) = 1.59.0 +Provides: bundled(golang(google.golang.org/protobuf)) = 1.31.0 +Provides: bundled(golang(gopkg.in/ini.v1)) = 1.67.0 +Provides: bundled(golang(gopkg.in/mail.v2)) = 2.3.1 +Provides: bundled(golang(gopkg.in/yaml.v3)) = 3.0.1 +Provides: bundled(golang(xorm.io/builder)) = 0.3.6 +Provides: bundled(golang(xorm.io/core)) = 0.7.3 +Provides: bundled(golang(xorm.io/xorm)) = 0.8.2 +Provides: bundled(golang(github.com/andybalholm/brotli)) = 1.0.4 +Provides: bundled(golang(github.com/go-kit/log)) = 0.2.1 +Provides: bundled(golang(github.com/go-openapi/loads)) = 0.21.2 +Provides: bundled(golang(github.com/go-openapi/runtime)) = 0.26.0 +Provides: bundled(golang(github.com/golang-jwt/jwt/v4)) = 4.5.0 +Provides: bundled(golang(github.com/golang/protobuf)) = 1.5.3 +Provides: bundled(golang(github.com/googleapis/gax-go/v2)) = 2.12.0 +Provides: bundled(golang(github.com/gorilla/mux)) = 1.8.0 +Provides: bundled(golang(github.com/grafana/grafana-google-sdk-go)) = 0.1.0 +Provides: bundled(golang(github.com/hashicorp/go-multierror)) = 1.1.1 +Provides: bundled(golang(github.com/modern-go/reflect2)) = 1.0.2 +Provides: bundled(golang(github.com/olekukonko/tablewriter)) = 0.0.5 +Provides: bundled(golang(go.uber.org/atomic)) = 1.11.0 +Provides: bundled(golang(golang.org/x/text)) = 0.14.0 +Provides: bundled(golang(google.golang.org/genproto)) = 0.0.0-20231012201019.e917dd12ba7a +Provides: bundled(golang(cloud.google.com/go/kms)) = 1.15.2 +Provides: bundled(golang(github.com/Azure/azure-sdk-for-go/sdk/azidentity)) = 1.3.0 +Provides: bundled(golang(github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys)) = 0.9.0 +Provides: bundled(golang(github.com/Azure/azure-storage-blob-go)) = 0.15.0 +Provides: bundled(golang(github.com/Azure/go-autorest/autorest/adal)) = 0.9.22 +Provides: bundled(golang(github.com/armon/go-radix)) = 1.0.0 +Provides: bundled(golang(github.com/blugelabs/bluge)) = 0.1.9 +Provides: bundled(golang(github.com/blugelabs/bluge_segment_api)) = 0.2.0 +Provides: bundled(golang(github.com/bufbuild/connect-go)) = 1.10.0 +Provides: bundled(golang(github.com/dlmiddlecote/sqlstats)) = 1.0.2 +Provides: bundled(golang(github.com/drone/drone-cli)) = 1.6.1 +Provides: bundled(golang(github.com/getkin/kin-openapi)) = 0.120.0 +Provides: bundled(golang(github.com/golang-migrate/migrate/v4)) = 4.7.0 +Provides: bundled(golang(github.com/google/go-github)) = 17.0.0+incompatible +Provides: bundled(golang(github.com/google/go-github/v45)) = 45.2.0 +Provides: bundled(golang(github.com/grafana/codejen)) = 0.0.3 +Provides: bundled(golang(github.com/grafana/dskit)) = 0.0.0-20230706162620.5081d8ed53e6 +Provides: bundled(golang(github.com/huandu/xstrings)) = 1.3.1 +Provides: bundled(golang(github.com/jmoiron/sqlx)) = 1.3.5 +Provides: bundled(golang(github.com/matryer/is)) = 1.4.0 +Provides: bundled(golang(github.com/urfave/cli)) = 1.22.14 +Provides: bundled(golang(go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc)) = 0.46.1 +Provides: bundled(golang(go.opentelemetry.io/contrib/propagators/jaeger)) = 1.21.1 +Provides: bundled(golang(go.opentelemetry.io/otel/exporters/otlp/otlptrace)) = 1.21.0 +Provides: bundled(golang(go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc)) = 1.21.0 +Provides: bundled(golang(gocloud.dev)) = 0.25.0 +Provides: bundled(golang(buf.build/gen/go/parca-dev/parca/bufbuild/connect-go)) = 1.4.1-20221222094228.8b1d3d0f62e6.1 +Provides: bundled(golang(buf.build/gen/go/parca-dev/parca/protocolbuffers/go)) = 1.28.1-20221222094228.8b1d3d0f62e6.4 +Provides: bundled(golang(github.com/Masterminds/semver/v3)) = 3.1.1 +Provides: bundled(golang(github.com/alicebob/miniredis/v2)) = 2.30.1 +Provides: bundled(golang(github.com/dave/dst)) = 0.27.2 +Provides: bundled(golang(github.com/go-jose/go-jose/v3)) = 3.0.1 +Provides: bundled(golang(github.com/grafana/dataplane/examples)) = 0.0.1 +Provides: bundled(golang(github.com/grafana/dataplane/sdata)) = 0.0.6 +Provides: bundled(golang(github.com/grafana/kindsys)) = 0.0.0-20230508162304.452481b63482 +Provides: bundled(golang(github.com/grafana/tempo)) = 1.5.1-0.20230524121406.1dc1bfe7085b +Provides: bundled(golang(github.com/grafana/thema)) = 0.0.0-20230712153715.375c1b45f3ed +Provides: bundled(golang(github.com/microsoft/go-mssqldb)) = 1.5.0 +Provides: bundled(golang(github.com/ory/fosite)) = 0.44.1-0.20230317114349.45a6785cc54f +Provides: bundled(golang(github.com/redis/go-redis/v9)) = 9.0.2 +Provides: bundled(golang(github.com/weaveworks/common)) = 0.0.0-20230511094633.334485600903 +Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = 0.0.0-20180127040702.4e3ac2762d5f +Provides: bundled(golang(go.opentelemetry.io/contrib/samplers/jaegerremote)) = 0.15.1 +Provides: bundled(golang(golang.org/x/mod)) = 0.12.0 +Provides: bundled(golang(gopkg.in/square/go-jose.v2)) = 2.6.0 +Provides: bundled(golang(k8s.io/utils)) = 0.0.0-20230406110748.d93618cff8a2 +Provides: bundled(golang(github.com/spf13/cobra)) = 1.7.0 +Provides: bundled(golang(go.opentelemetry.io/otel)) = 1.21.0 +Provides: bundled(golang(k8s.io/apimachinery)) = 0.28.3 +Provides: bundled(golang(k8s.io/apiserver)) = 0.28.3 +Provides: bundled(golang(k8s.io/client-go)) = 0.28.3 +Provides: bundled(golang(k8s.io/component-base)) = 0.28.3 +Provides: bundled(golang(k8s.io/klog/v2)) = 2.100.1 +Provides: bundled(golang(k8s.io/kube-openapi)) = 0.0.0-20230717233707.2695361300d9 +Provides: bundled(golang(github.com/bwmarrin/snowflake)) = 0.3.0 +Provides: bundled(golang(github.com/mitchellh/mapstructure)) = 1.5.0 +Provides: bundled(golang(sigs.k8s.io/yaml)) = 1.3.0 +Provides: bundled(golang(filippo.io/age)) = 1.1.1 +Provides: bundled(golang(github.com/Masterminds/sprig/v3)) = 3.2.2 +Provides: bundled(golang(github.com/ProtonMail/go-crypto)) = 0.0.0-20230828082145.3c4c8a2d2371 +Provides: bundled(golang(github.com/docker/docker)) = 23.0.4+incompatible +Provides: bundled(golang(github.com/go-logr/logr)) = 1.3.0 +Provides: bundled(golang(github.com/hmarr/codeowners)) = 1.1.2 +Provides: bundled(golang(github.com/wk8/go-ordered-map)) = 1.0.0 +Provides: bundled(golang(github.com/xlab/treeprint)) = 1.2.0 +Provides: bundled(npm(@babel/core)) = 7.23.2 +Provides: bundled(npm(@babel/plugin-proposal-class-properties)) = 7.18.6 +Provides: bundled(npm(@babel/plugin-proposal-nullish-coalescing-operator)) = 7.18.6 +Provides: bundled(npm(@babel/plugin-proposal-object-rest-spread)) = 7.20.7 +Provides: bundled(npm(@babel/plugin-proposal-optional-chaining)) = 7.21.0 +Provides: bundled(npm(@babel/plugin-syntax-dynamic-import)) = 7.8.3 +Provides: bundled(npm(@babel/plugin-transform-react-constant-elements)) = 7.22.5 +Provides: bundled(npm(@babel/plugin-transform-runtime)) = 7.23.2 +Provides: bundled(npm(@babel/plugin-transform-typescript)) = 7.22.9 +Provides: bundled(npm(@babel/preset-env)) = 7.23.2 +Provides: bundled(npm(@babel/preset-react)) = 7.22.5 +Provides: bundled(npm(@babel/preset-typescript)) = 7.23.2 +Provides: bundled(npm(@babel/runtime)) = 7.23.2 +Provides: bundled(npm(@betterer/betterer)) = 5.4.0 +Provides: bundled(npm(@betterer/cli)) = 5.4.0 +Provides: bundled(npm(@betterer/eslint)) = 5.4.0 +Provides: bundled(npm(@betterer/regexp)) = 5.4.0 +Provides: bundled(npm(@braintree/sanitize-url)) = 6.0.2 +Provides: bundled(npm(@cypress/webpack-preprocessor)) = 5.17.1 +Provides: bundled(npm(@daybrush/utils)) = 1.13.0 +Provides: bundled(npm(@emotion/css)) = 11.11.2 +Provides: bundled(npm(@emotion/eslint-plugin)) = 11.11.0 +Provides: bundled(npm(@emotion/react)) = 11.11.1 +Provides: bundled(npm(@fingerprintjs/fingerprintjs)) = 3.4.2 +Provides: bundled(npm(@glideapps/glide-data-grid)) = 5.2.1 +Provides: bundled(npm(@grafana/aws-sdk)) = 0.3.1 +Provides: bundled(npm(@grafana/e2e-selectors)) = 10.0.2 +Provides: bundled(npm(@grafana/eslint-config)) = 6.0.1 +Provides: bundled(npm(@grafana/experimental)) = 1.7.0 +Provides: bundled(npm(@grafana/faro-core)) = 1.2.1 +Provides: bundled(npm(@grafana/faro-web-sdk)) = 1.2.1 +Provides: bundled(npm(@grafana/google-sdk)) = 0.1.1 +Provides: bundled(npm(@grafana/lezer-logql)) = 0.2.2 +Provides: bundled(npm(@grafana/lezer-traceql)) = 0.0.11 +Provides: bundled(npm(@grafana/monaco-logql)) = 0.0.7 +Provides: bundled(npm(@grafana/scenes)) = 1.27.0 +Provides: bundled(npm(@grafana/tsconfig)) = 1.2.0rc1 +Provides: bundled(npm(@kusto/monaco-kusto)) = 7.7.0 +Provides: bundled(npm(@leeoniya/ufuzzy)) = 1.0.8 +Provides: bundled(npm(@lezer/common)) = 1.0.2 +Provides: bundled(npm(@lezer/highlight)) = 1.1.3 +Provides: bundled(npm(@lezer/lr)) = 1.3.3 +Provides: bundled(npm(@locker/near-membrane-dom)) = 0.13.3 +Provides: bundled(npm(@locker/near-membrane-shared)) = 0.13.3 +Provides: bundled(npm(@locker/near-membrane-shared-dom)) = 0.13.3 +Provides: bundled(npm(@mochajs/json-file-reporter)) = 1.3.0 +Provides: bundled(npm(@monaco-editor/react)) = 4.6.0 +Provides: bundled(npm(@opentelemetry/api)) = 1.6.0 +Provides: bundled(npm(@opentelemetry/exporter-collector)) = 0.25.0 +Provides: bundled(npm(@opentelemetry/semantic-conventions)) = 0.25.0 +Provides: bundled(npm(@pmmmwh/react-refresh-webpack-plugin)) = 0.5.10 +Provides: bundled(npm(@popperjs/core)) = 2.11.8 +Provides: bundled(npm(@prometheus-io/lezer-promql)) = 0.37.0 +Provides: bundled(npm(@react-aria/button)) = 3.8.0 +Provides: bundled(npm(@react-aria/dialog)) = 3.5.3 +Provides: bundled(npm(@react-aria/focus)) = 3.13.0 +Provides: bundled(npm(@react-aria/interactions)) = 3.16.0 +Provides: bundled(npm(@react-aria/menu)) = 3.10.0 +Provides: bundled(npm(@react-aria/overlays)) = 3.15.0 +Provides: bundled(npm(@react-aria/utils)) = 3.18.0 +Provides: bundled(npm(@react-awesome-query-builder/core)) = 6.4.1 +Provides: bundled(npm(@react-awesome-query-builder/ui)) = 6.4.1 +Provides: bundled(npm(@react-stately/collections)) = 3.9.0 +Provides: bundled(npm(@react-stately/menu)) = 3.5.3 +Provides: bundled(npm(@react-stately/tree)) = 3.7.0 +Provides: bundled(npm(@react-types/button)) = 3.9.0 +Provides: bundled(npm(@react-types/menu)) = 3.9.2 +Provides: bundled(npm(@react-types/overlays)) = 3.8.0 +Provides: bundled(npm(@react-types/shared)) = 3.21.0 +Provides: bundled(npm(@reduxjs/toolkit)) = 1.9.5 +Provides: bundled(npm(@remix-run/router)) = 1.5.0 +Provides: bundled(npm(@rollup/plugin-commonjs)) = 25.0.2 +Provides: bundled(npm(@rollup/plugin-json)) = 6.0.0 +Provides: bundled(npm(@rollup/plugin-node-resolve)) = 15.2.3 +Provides: bundled(npm(@storybook/addon-a11y)) = 7.4.5 +Provides: bundled(npm(@storybook/addon-actions)) = 7.4.5 +Provides: bundled(npm(@storybook/addon-docs)) = 7.4.5 +Provides: bundled(npm(@storybook/addon-essentials)) = 7.4.5 +Provides: bundled(npm(@storybook/addon-storysource)) = 7.4.5 +Provides: bundled(npm(@storybook/api)) = 7.4.5 +Provides: bundled(npm(@storybook/blocks)) = 7.4.5 +Provides: bundled(npm(@storybook/client-api)) = 7.4.5 +Provides: bundled(npm(@storybook/components)) = 7.4.5 +Provides: bundled(npm(@storybook/core-events)) = 7.4.5 +Provides: bundled(npm(@storybook/mdx2-csf)) = 1.1.0 +Provides: bundled(npm(@storybook/preset-scss)) = 1.0.3 +Provides: bundled(npm(@storybook/react)) = 7.4.5 +Provides: bundled(npm(@storybook/react-webpack5)) = 7.4.5 +Provides: bundled(npm(@storybook/theming)) = 7.4.5 +Provides: bundled(npm(@swc/core)) = 1.3.38 +Provides: bundled(npm(@swc/helpers)) = 0.4.14 +Provides: bundled(npm(@testing-library/dom)) = 9.3.3 +Provides: bundled(npm(@testing-library/jest-dom)) = 6.1.2 +Provides: bundled(npm(@testing-library/react)) = 14.0.0 +Provides: bundled(npm(@testing-library/react-hooks)) = 8.0.1 +Provides: bundled(npm(@testing-library/user-event)) = 14.5.1 +Provides: bundled(npm(@types/angular)) = 1.8.5 +Provides: bundled(npm(@types/angular-route)) = 1.7.3 +Provides: bundled(npm(@types/chance)) = 1.1.3 +Provides: bundled(npm(@types/chrome-remote-interface)) = 0.31.10 +Provides: bundled(npm(@types/common-tags)) = 1.8.1 +Provides: bundled(npm(@types/d3)) = 7.4.0 +Provides: bundled(npm(@types/d3-force)) = 3.0.4 +Provides: bundled(npm(@types/d3-interpolate)) = 3.0.1 +Provides: bundled(npm(@types/d3-scale-chromatic)) = 3.0.0 +Provides: bundled(npm(@types/debounce-promise)) = 3.1.6 +Provides: bundled(npm(@types/diff)) = 5.0.5 +Provides: bundled(npm(@types/dompurify)) = 2.4.0 +Provides: bundled(npm(@types/eslint)) = 8.44.0 +Provides: bundled(npm(@types/file-saver)) = 2.0.5 +Provides: bundled(npm(@types/glob)) = 7.2.0 +Provides: bundled(npm(@types/google.analytics)) = 0.0.42 +Provides: bundled(npm(@types/gtag.js)) = 0.0.12 +Provides: bundled(npm(@types/history)) = 4.7.11 +Provides: bundled(npm(@types/hoist-non-react-statics)) = 3.3.1 +Provides: bundled(npm(@types/is-hotkey)) = 0.1.7 +Provides: bundled(npm(@types/jest)) = 26.0.15 +Provides: bundled(npm(@types/jquery)) = 3.5.16 +Provides: bundled(npm(@types/js-yaml)) = 4.0.5 +Provides: bundled(npm(@types/jsurl)) = 1.2.30 +Provides: bundled(npm(@types/lodash)) = 4.14.195 +Provides: bundled(npm(@types/logfmt)) = 1.2.3 +Provides: bundled(npm(@types/lucene)) = 2.1.4 +Provides: bundled(npm(@types/marked)) = 5.0.1 +Provides: bundled(npm(@types/mock-raf)) = 1.0.3 +Provides: bundled(npm(@types/mousetrap)) = 1.6.11 +Provides: bundled(npm(@types/node)) = 14.18.36 +Provides: bundled(npm(@types/node-forge)) = 1.3.2 +Provides: bundled(npm(@types/ol-ext)) = 3.2.0 +Provides: bundled(npm(@types/papaparse)) = 5.3.7 +Provides: bundled(npm(@types/pluralize)) = 0.0.30 +Provides: bundled(npm(@types/prismjs)) = 1.26.0 +Provides: bundled(npm(@types/react)) = 18.0.28 +Provides: bundled(npm(@types/react-beautiful-dnd)) = 13.1.4 +Provides: bundled(npm(@types/react-calendar)) = 3.9.0 +Provides: bundled(npm(@types/react-color)) = 3.0.6 +Provides: bundled(npm(@types/react-dom)) = 18.2.7 +Provides: bundled(npm(@types/react-grid-layout)) = 1.3.2 +Provides: bundled(npm(@types/react-highlight-words)) = 0.16.4 +Provides: bundled(npm(@types/react-resizable)) = 3.0.4 +Provides: bundled(npm(@types/react-router-dom)) = 5.3.3 +Provides: bundled(npm(@types/react-table)) = 7.7.14 +Provides: bundled(npm(@types/react-test-renderer)) = 18.0.0 +Provides: bundled(npm(@types/react-transition-group)) = 4.4.6 +Provides: bundled(npm(@types/react-virtualized-auto-sizer)) = 1.0.1 +Provides: bundled(npm(@types/react-window)) = 1.8.5 +Provides: bundled(npm(@types/react-window-infinite-loader)) = 1.0.6 +Provides: bundled(npm(@types/redux-mock-store)) = 1.0.3 +Provides: bundled(npm(@types/semver)) = 7.5.0 +Provides: bundled(npm(@types/slate)) = 0.47.11 +Provides: bundled(npm(@types/slate-plain-serializer)) = 0.7.2 +Provides: bundled(npm(@types/slate-react)) = 0.22.9 +Provides: bundled(npm(@types/string-hash)) = 1.1.1 +Provides: bundled(npm(@types/systemjs)) = 6.13.1 +Provides: bundled(npm(@types/testing-library__jest-dom)) = 5.14.8 +Provides: bundled(npm(@types/tinycolor2)) = 1.4.3 +Provides: bundled(npm(@types/trusted-types)) = 2.0.3 +Provides: bundled(npm(@types/uuid)) = 8.3.4 +Provides: bundled(npm(@types/webpack-assets-manifest)) = 5.1.4 +Provides: bundled(npm(@types/webpack-env)) = 1.18.1 +Provides: bundled(npm(@types/yargs)) = 15.0.14 +Provides: bundled(npm(@typescript-eslint/eslint-plugin)) = 5.42.0 +Provides: bundled(npm(@typescript-eslint/parser)) = 5.42.0 +Provides: bundled(npm(@typescript-eslint/types)) = 5.42.0 +Provides: bundled(npm(@typescript-eslint/utils)) = 5.42.0 +Provides: bundled(npm(@visx/event)) = 3.3.0 +Provides: bundled(npm(@visx/gradient)) = 3.3.0 +Provides: bundled(npm(@visx/group)) = 3.3.0 +Provides: bundled(npm(@visx/scale)) = 3.3.0 +Provides: bundled(npm(@visx/shape)) = 3.3.0 +Provides: bundled(npm(@visx/tooltip)) = 3.3.0 +Provides: bundled(npm(@welldone-software/why-did-you-render)) = 7.0.1 +Provides: bundled(npm(angular)) = 1.8.3 +Provides: bundled(npm(angular-bindonce)) = 0.3.1 +Provides: bundled(npm(angular-route)) = 1.8.3 +Provides: bundled(npm(angular-sanitize)) = 1.8.3 +Provides: bundled(npm(ansicolor)) = 1.1.100 +Provides: bundled(npm(autoprefixer)) = 10.4.14 +Provides: bundled(npm(babel-jest)) = 29.6.4 +Provides: bundled(npm(babel-loader)) = 9.1.3 +Provides: bundled(npm(babel-plugin-angularjs-annotate)) = 0.10.0 +Provides: bundled(npm(babel-plugin-macros)) = 2.8.0 +Provides: bundled(npm(baron)) = 3.0.3 +Provides: bundled(npm(blink-diff)) = 1.0.13 +Provides: bundled(npm(blob-polyfill)) = 7.0.20220408 +Provides: bundled(npm(brace)) = 0.11.1 +Provides: bundled(npm(browserslist)) = 4.22.0 +Provides: bundled(npm(calculate-size)) = 1.1.1 +Provides: bundled(npm(centrifuge)) = 4.0.1 +Provides: bundled(npm(chance)) = 1.1.11 +Provides: bundled(npm(chrome-remote-interface)) = 0.33.0 +Provides: bundled(npm(classnames)) = 2.3.2 +Provides: bundled(npm(codeowners)) = 5.1.1 +Provides: bundled(npm(combokeys)) = 3.0.1 +Provides: bundled(npm(comlink)) = 4.4.1 +Provides: bundled(npm(commander)) = 2.11.0 +Provides: bundled(npm(common-tags)) = 1.8.2 +Provides: bundled(npm(copy-webpack-plugin)) = 11.0.0 +Provides: bundled(npm(core-js)) = 2.6.12 +Provides: bundled(npm(css-loader)) = 6.8.1 +Provides: bundled(npm(css-minimizer-webpack-plugin)) = 5.0.1 +Provides: bundled(npm(csstype)) = 2.6.18 +Provides: bundled(npm(cypress)) = 9.5.1 +Provides: bundled(npm(cypress-file-upload)) = 5.0.8 +Provides: bundled(npm(d3)) = 7.8.5 +Provides: bundled(npm(d3-force)) = 3.0.0 +Provides: bundled(npm(d3-interpolate)) = 3.0.1 +Provides: bundled(npm(d3-scale-chromatic)) = 3.0.0 +Provides: bundled(npm(dangerously-set-html-content)) = 1.0.9 +Provides: bundled(npm(date-fns)) = 2.30.0 +Provides: bundled(npm(debounce-promise)) = 3.1.2 +Provides: bundled(npm(devtools-protocol)) = 0.0.927104 +Provides: bundled(npm(diff)) = 4.0.2 +Provides: bundled(npm(dompurify)) = 2.4.5 +Provides: bundled(npm(emotion)) = 10.0.27 +Provides: bundled(npm(esbuild)) = 0.17.19 +Provides: bundled(npm(esbuild-loader)) = 3.0.1 +Provides: bundled(npm(esbuild-plugin-browserslist)) = 0.8.1 +Provides: bundled(npm(eslint)) = 8.42.0 +Provides: bundled(npm(eslint-config-prettier)) = 8.8.0 +Provides: bundled(npm(eslint-plugin-import)) = 2.27.5 +Provides: bundled(npm(eslint-plugin-jest)) = 27.6.0 +Provides: bundled(npm(eslint-plugin-jsdoc)) = 46.2.6 +Provides: bundled(npm(eslint-plugin-jsx-a11y)) = 6.7.1 +Provides: bundled(npm(eslint-plugin-lodash)) = 7.4.0 +Provides: bundled(npm(eslint-plugin-react)) = 7.32.2 +Provides: bundled(npm(eslint-plugin-react-hooks)) = 4.6.0 +Provides: bundled(npm(eslint-webpack-plugin)) = 4.0.0 +Provides: bundled(npm(eventemitter3)) = 4.0.7 +Provides: bundled(npm(execa)) = 4.1.0 +Provides: bundled(npm(expose-loader)) = 4.1.0 +Provides: bundled(npm(fast-deep-equal)) = 3.1.3 +Provides: bundled(npm(fast-json-patch)) = 3.1.1 +Provides: bundled(npm(fast_array_intersect)) = 1.1.0 +Provides: bundled(npm(file-saver)) = 2.0.5 +Provides: bundled(npm(fork-ts-checker-webpack-plugin)) = 8.0.0 +Provides: bundled(npm(framework-utils)) = 1.1.0 +Provides: bundled(npm(glob)) = 7.1.4 +Provides: bundled(npm(history)) = 4.10.1 +Provides: bundled(npm(hoist-non-react-statics)) = 3.3.2 +Provides: bundled(npm(html-loader)) = 4.2.0 +Provides: bundled(npm(html-webpack-plugin)) = 5.5.3 +Provides: bundled(npm(http-server)) = 14.1.1 +Provides: bundled(npm(i18next)) = 21.9.2 +Provides: bundled(npm(i18next-browser-languagedetector)) = 7.0.2 +Provides: bundled(npm(i18next-parser)) = 6.6.0 +Provides: bundled(npm(immer)) = 9.0.21 +Provides: bundled(npm(immutable)) = 3.8.2 +Provides: bundled(npm(is-hotkey)) = 0.1.4 +Provides: bundled(npm(jest)) = 29.3.1 +Provides: bundled(npm(jest-canvas-mock)) = 2.5.2 +Provides: bundled(npm(jest-date-mock)) = 1.0.8 +Provides: bundled(npm(jest-environment-jsdom)) = 29.3.1 +Provides: bundled(npm(jest-fail-on-console)) = 3.1.1 +Provides: bundled(npm(jest-junit)) = 16.0.0 +Provides: bundled(npm(jest-matcher-utils)) = 29.6.4 +Provides: bundled(npm(jquery)) = 3.7.0 +Provides: bundled(npm(js-yaml)) = 3.14.1 +Provides: bundled(npm(json-markup)) = 1.1.4 +Provides: bundled(npm(json-source-map)) = 0.6.1 +Provides: bundled(npm(jsurl)) = 0.1.5 +Provides: bundled(npm(kbar)) = 0.1.0b44 +Provides: bundled(npm(lerna)) = 7.4.1 +Provides: bundled(npm(lodash)) = 4.17.21 +Provides: bundled(npm(logfmt)) = 1.3.2 +Provides: bundled(npm(lru-cache)) = 5.1.1 +Provides: bundled(npm(lru-memoize)) = 1.1.0 +Provides: bundled(npm(lucene)) = 2.1.1 +Provides: bundled(npm(marked)) = 5.1.1 +Provides: bundled(npm(marked-mangle)) = 1.1.0 +Provides: bundled(npm(memoize-one)) = 4.0.3 +Provides: bundled(npm(micro-memoize)) = 4.1.2 +Provides: bundled(npm(mini-css-extract-plugin)) = 2.7.6 +Provides: bundled(npm(ml-regression-polynomial)) = 3.0.0 +Provides: bundled(npm(ml-regression-simple-linear)) = 3.0.0 +Provides: bundled(npm(mocha)) = 10.2.0 +Provides: bundled(npm(mock-raf)) = 1.0.1 +Provides: bundled(npm(moment)) = 2.29.4 +Provides: bundled(npm(moment-timezone)) = 0.5.43 +Provides: bundled(npm(monaco-editor)) = 0.34.0 +Provides: bundled(npm(monaco-promql)) = 1.7.4 +Provides: bundled(npm(mousetrap)) = 1.6.5 +Provides: bundled(npm(mousetrap-global-bind)) = 1.1.0 +Provides: bundled(npm(moveable)) = 0.43.1 +Provides: bundled(npm(msw)) = 1.3.2 +Provides: bundled(npm(mutationobserver-shim)) = 0.3.7 +Provides: bundled(npm(ngtemplate-loader)) = 2.1.0 +Provides: bundled(npm(node-forge)) = 1.3.1 +Provides: bundled(npm(node-notifier)) = 10.0.1 +Provides: bundled(npm(ol)) = 7.4.0 +Provides: bundled(npm(ol-ext)) = 4.0.10 +Provides: bundled(npm(papaparse)) = 5.4.1 +Provides: bundled(npm(pluralize)) = 8.0.0 +Provides: bundled(npm(postcss)) = 8.4.31 +Provides: bundled(npm(postcss-loader)) = 7.3.3 +Provides: bundled(npm(postcss-reporter)) = 7.0.5 +Provides: bundled(npm(postcss-scss)) = 4.0.6 +Provides: bundled(npm(prettier)) = 2.8.7 +Provides: bundled(npm(prismjs)) = 1.27.0 +Provides: bundled(npm(process)) = 0.11.10 +Provides: bundled(npm(prop-types)) = 15.8.1 +Provides: bundled(npm(pseudoizer)) = 0.1.0 +Provides: bundled(npm(rc-cascader)) = 3.20.0 +Provides: bundled(npm(rc-drawer)) = 6.5.2 +Provides: bundled(npm(rc-slider)) = 10.3.1 +Provides: bundled(npm(rc-time-picker)) = 3.7.3 +Provides: bundled(npm(rc-tooltip)) = 6.1.1 +Provides: bundled(npm(rc-tree)) = 5.8.0 +Provides: bundled(npm(re-resizable)) = 6.9.9 +Provides: bundled(npm(react)) = 18.2.0 +Provides: bundled(npm(react-beautiful-dnd)) = 13.1.1 +Provides: bundled(npm(react-calendar)) = 4.6.0 +Provides: bundled(npm(react-colorful)) = 5.6.1 +Provides: bundled(npm(react-custom-scrollbars-2)) = 4.5.0 +Provides: bundled(npm(react-diff-viewer)) = 3.1.1 +Provides: bundled(npm(react-dom)) = 18.2.0 +Provides: bundled(npm(react-draggable)) = 4.4.5 +Provides: bundled(npm(react-dropzone)) = 14.2.3 +Provides: bundled(npm(react-grid-layout)) = 1.3.4 +Provides: bundled(npm(react-highlight-words)) = 0.20.0 +Provides: bundled(npm(react-hook-form)) = 7.5.3 +Provides: bundled(npm(react-i18next)) = 12.0.0 +Provides: bundled(npm(react-inlinesvg)) = 3.0.2 +Provides: bundled(npm(react-loading-skeleton)) = 3.3.1 +Provides: bundled(npm(react-moveable)) = 0.46.1 +Provides: bundled(npm(react-popper)) = 2.3.0 +Provides: bundled(npm(react-popper-tooltip)) = 4.4.2 +Provides: bundled(npm(react-redux)) = 7.2.8 +Provides: bundled(npm(react-refresh)) = 0.11.0 +Provides: bundled(npm(react-resizable)) = 3.0.5 +Provides: bundled(npm(react-responsive-carousel)) = 3.2.23 +Provides: bundled(npm(react-router-dom)) = 5.3.3 +Provides: bundled(npm(react-router-dom-v5-compat)) = 6.10.0 +Provides: bundled(npm(react-select)) = 5.7.4 +Provides: bundled(npm(react-select-event)) = 5.5.1 +Provides: bundled(npm(react-simple-compat)) = 1.2.3 +Provides: bundled(npm(react-split-pane)) = 0.1.92 +Provides: bundled(npm(react-table)) = 7.8.0 +Provides: bundled(npm(react-test-renderer)) = 18.2.0 +Provides: bundled(npm(react-transition-group)) = 4.4.5 +Provides: bundled(npm(react-use)) = 17.4.0 +Provides: bundled(npm(react-virtual)) = 2.10.4 +Provides: bundled(npm(react-virtualized-auto-sizer)) = 1.0.7 +Provides: bundled(npm(react-window)) = 1.8.9 +Provides: bundled(npm(react-window-infinite-loader)) = 1.0.9 +Provides: bundled(npm(redux)) = 4.2.1 +Provides: bundled(npm(redux-mock-store)) = 1.5.4 +Provides: bundled(npm(redux-thunk)) = 2.4.2 +Provides: bundled(npm(regenerator-runtime)) = 0.11.1 +Provides: bundled(npm(replace-in-file-webpack-plugin)) = 1.0.6 +Provides: bundled(npm(reselect)) = 4.1.8 +Provides: bundled(npm(resolve-bin)) = 1.0.1 +Provides: bundled(npm(rimraf)) = 2.6.3 +Provides: bundled(npm(rollup)) = 2.79.1 +Provides: bundled(npm(rollup-plugin-copy)) = 3.5.0 +Provides: bundled(npm(rollup-plugin-dts)) = 5.3.0 +Provides: bundled(npm(rollup-plugin-esbuild)) = 5.0.0 +Provides: bundled(npm(rollup-plugin-node-externals)) = 5.0.2 +Provides: bundled(npm(rollup-plugin-sourcemaps)) = 0.6.3 +Provides: bundled(npm(rollup-plugin-terser)) = 7.0.2 +Provides: bundled(npm(rudder-sdk-js)) = 2.43.0 +Provides: bundled(npm(rxjs)) = 7.8.1 +Provides: bundled(npm(sass)) = 1.69.4 +Provides: bundled(npm(sass-loader)) = 13.3.2 +Provides: bundled(npm(selecto)) = 1.26.0 +Provides: bundled(npm(semver)) = 5.7.2 +Provides: bundled(npm(slate)) = 0.47.9 +Provides: bundled(npm(slate-plain-serializer)) = 0.7.13 +Provides: bundled(npm(slate-react)) = 0.22.10 +Provides: bundled(npm(sql-formatter-plus)) = 1.3.6 +Provides: bundled(npm(storybook)) = 7.4.5 +Provides: bundled(npm(storybook-addon-turbo-build)) = 2.0.1 +Provides: bundled(npm(storybook-dark-mode)) = 3.0.1 +Provides: bundled(npm(string-hash)) = 1.1.3 +Provides: bundled(npm(style-loader)) = 3.3.3 +Provides: bundled(npm(stylelint)) = 15.11.0 +Provides: bundled(npm(stylelint-config-prettier)) = 9.0.5 +Provides: bundled(npm(stylelint-config-sass-guidelines)) = 10.0.0 +Provides: bundled(npm(swc-loader)) = 0.2.3 +Provides: bundled(npm(symbol-observable)) = 4.0.0 +Provides: bundled(npm(systemjs)) = 6.14.2 +Provides: bundled(npm(systemjs-cjs-extra)) = 0.2.0 +Provides: bundled(npm(terser-webpack-plugin)) = 5.3.9 +Provides: bundled(npm(testing-library-selector)) = 0.3.1 +Provides: bundled(npm(tether-drop)) = 1.5.0 +Provides: bundled(npm(tinycolor2)) = 1.6.0 +Provides: bundled(npm(tracelib)) = 1.0.1 +Provides: bundled(npm(ts-jest)) = 29.0.5 +Provides: bundled(npm(ts-loader)) = 8.4.0 +Provides: bundled(npm(ts-node)) = 10.9.1 +Provides: bundled(npm(tslib)) = 1.14.1 +Provides: bundled(npm(tween-functions)) = 1.2.0 +Provides: bundled(npm(typescript)) = 4.8.4 +Provides: bundled(npm(uplot)) = 1.6.27 +Provides: bundled(npm(uuid)) = 3.4.0 +Provides: bundled(npm(visjs-network)) = 4.25.0 +Provides: bundled(npm(webpack)) = 5.76.0 +Provides: bundled(npm(webpack-assets-manifest)) = 5.1.0 +Provides: bundled(npm(webpack-bundle-analyzer)) = 4.9.0 +Provides: bundled(npm(webpack-cli)) = 5.1.4 +Provides: bundled(npm(webpack-dev-server)) = 4.15.1 +Provides: bundled(npm(webpack-manifest-plugin)) = 5.0.0 +Provides: bundled(npm(webpack-merge)) = 5.9.0 +Provides: bundled(npm(whatwg-fetch)) = 3.6.2 +Provides: bundled(npm(xlsx)) = 0.19.1 +Provides: bundled(npm(xss)) = 1.0.14 +Provides: bundled(npm(yaml)) = 1.10.2 +Provides: bundled(npm(yargs)) = 16.2.0 + + +%description +Grafana is an open source, feature rich metrics dashboard and graph editor for +Graphite, InfluxDB & OpenTSDB. + +# SELinux package +%package selinux +Summary: SELinux policy module supporting grafana +BuildRequires: checkpolicy, selinux-policy-devel, selinux-policy-targeted +%if "%{_selinux_policy_version}" != "" +Requires: selinux-policy >= %{_selinux_policy_version} +%endif +Requires: %{name} = %{version}-%{release} +Requires: selinux-policy-targeted +Requires(post): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, grafana +Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, /sbin/service, grafana + +%description selinux +SELinux policy module supporting grafana + +%prep +%setup -q -T -D -b 0 +%setup -q -T -D -b 1 +%if %{compile_frontend} == 0 +# remove bundled plugins source, otherwise they'll get merged +# with the compiled bundled plugins when extracting the webpack +rm -r plugins-bundled +%setup -q -T -D -b 2 +%endif + +# SELinux policy +mkdir SELinux +cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux + +%patch -P 1 -p1 +%patch -P 2 -p1 +%patch -P 3 -p1 +%patch -P 4 -p1 +%patch -P 5 -p1 +%patch -P 6 -p1 +%patch -P 7 -p1 +%patch -P 8 -p1 +%patch -P 9 -p1 +%patch -P 10 -p1 + +%patch -P 1001 -p1 +%if %{enable_fips_mode} +%patch -P 1002 -p1 +%endif +%ifarch s390x i686 armv7hl +%patch -P 1003 -p1 +%endif +%patch -P 1004 -p1 + + +%build +# Build the frontend +%if %{compile_frontend} +%{SOURCE5} +%endif + +# Build the backend + +# see grafana-X.Y.Z/pkg/build/cmd.go +export LDFLAGS="-X main.version=%{version} -X main.buildstamp=${SOURCE_DATE_EPOCH}" +%if %{enable_fips_mode} +export GOEXPERIMENT=boringcrypto +%endif +for cmd in grafana grafana-cli grafana-server; do + %gobuild -o %{_builddir}/bin/${cmd} ./pkg/cmd/${cmd} +done + +# SELinux policy +cd SELinux +for selinuxvariant in %{selinux_variants} +do + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile + mv grafana.pp grafana.pp.${selinuxvariant} + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean +done +cd - + + +%install +# dirs, shared files, public html, webpack +install -d %{buildroot}%{_sbindir} +install -d %{buildroot}%{_datadir}/%{name} +install -d %{buildroot}%{_libexecdir}/%{name} +cp -a conf public plugins-bundled %{buildroot}%{_datadir}/%{name} +rm -f %{buildroot}%{_datadir}/%{name}/public/img/icons/.gitignore +rm -f %{buildroot}%{_datadir}/%{name}/public/lib/.gitignore + +# wrappers +install -p -m 755 packaging/wrappers/grafana-cli %{buildroot}%{_sbindir}/%{name}-cli +install -p -m 755 packaging/wrappers/grafana %{buildroot}%{_sbindir}/%{name} +install -p -m 755 packaging/wrappers/grafana-server %{buildroot}%{_sbindir}/%{name}-server + +# binaries +install -p -m 755 %{_builddir}/bin/%{name}-server %{buildroot}%{_sbindir} +install -p -m 755 %{_builddir}/bin/%{name}-cli %{buildroot}%{_libexecdir}/%{name} +install -p -m 755 %{_builddir}/bin/%{name} %{buildroot}%{_sbindir} +install -p -m 755 %{_builddir}/bin/%{name} %{buildroot}%{_libexecdir}/%{name} + +# man pages +install -d %{buildroot}%{_mandir}/man1 +install -p -m 644 docs/man/man1/* %{buildroot}%{_mandir}/man1 + +# config dirs +install -d %{buildroot}%{_sysconfdir}/%{name} +install -d %{buildroot}%{_sysconfdir}/%{name}/provisioning +install -d %{buildroot}%{_sysconfdir}/%{name}/provisioning/access-control +install -d %{buildroot}%{_sysconfdir}/%{name}/provisioning/dashboards +install -d %{buildroot}%{_sysconfdir}/%{name}/provisioning/datasources +install -d %{buildroot}%{_sysconfdir}/%{name}/provisioning/notifiers +install -d %{buildroot}%{_sysconfdir}/%{name}/provisioning/plugins +install -d %{buildroot}%{_sysconfdir}/sysconfig + +# config defaults +install -p -m 640 conf/sample.ini %{buildroot}%{_sysconfdir}/%{name}/grafana.ini +install -p -m 640 conf/ldap.toml %{buildroot}%{_sysconfdir}/%{name}/ldap.toml +install -p -m 644 conf/defaults.ini %{buildroot}%{_datadir}/%{name}/conf/defaults.ini +install -p -m 644 conf/sample.ini %{buildroot}%{_datadir}/%{name}/conf/sample.ini +install -p -m 644 packaging/rpm/sysconfig/grafana-server \ + %{buildroot}%{_sysconfdir}/sysconfig/grafana-server + +# config database directory and plugins +install -d -m 750 %{buildroot}%{_sharedstatedir}/%{name} +install -d -m 755 %{buildroot}%{_sharedstatedir}/%{name}/plugins + +# log directory +install -d %{buildroot}%{_localstatedir}/log/%{name} + +# systemd service files +install -d %{buildroot}%{_unitdir} # only needed for manual rpmbuilds +install -p -m 644 packaging/rpm/systemd/grafana-server.service \ + %{buildroot}%{_unitdir} + +# daemon run pid file config for using tmpfs +install -d %{buildroot}%{_tmpfilesdir} +echo "d %{_rundir}/%{name} 0755 %{GRAFANA_USER} %{GRAFANA_GROUP} -" \ + > %{buildroot}%{_tmpfilesdir}/%{name}.conf + +# systemd-sysusers configuration +install -p -m 644 -D %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf + +# SELinux policy +cd SELinux +for selinuxvariant in %{selinux_variants} +do + install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant} + install -p -m 644 grafana.pp.${selinuxvariant} \ + %{buildroot}%{_datadir}/selinux/${selinuxvariant}/grafana.pp +done +cd - + +%pre +%sysusers_create_compat %{SOURCE3} + +%preun +%systemd_preun grafana-server.service + +%post +%systemd_post grafana-server.service +# create grafana.db with secure permissions on new installations +# otherwise grafana-server is creating grafana.db on first start +# with world-readable permissions, which may leak encrypted datasource +# passwords to all users (if the secret_key in grafana.ini was not changed) + +# https://bugzilla.redhat.com/show_bug.cgi?id=1805472 +if [ "$1" = 1 ] && [ ! -f %{_sharedstatedir}/%{name}/grafana.db ]; then + touch %{_sharedstatedir}/%{name}/grafana.db +fi + +# apply secure permissions to grafana.db if it exists +# (may not exist on upgrades, because users can choose between sqlite/mysql/postgres) +if [ -f %{_sharedstatedir}/%{name}/grafana.db ]; then + chown %{GRAFANA_USER}:%{GRAFANA_GROUP} %{_sharedstatedir}/%{name}/grafana.db + chmod 640 %{_sharedstatedir}/%{name}/grafana.db +fi + +# required for upgrades +chmod 640 %{_sysconfdir}/%{name}/grafana.ini +chmod 640 %{_sysconfdir}/%{name}/ldap.toml + +%postun +%systemd_postun_with_restart grafana-server.service + + +%check +# Test frontend +%if %{compile_frontend} +yarn run jest +%endif + +# Test backend + +# in setting_test.go there is a unit test which checks if 10 days are 240 hours +# which is usually true except if the daylight saving time change falls into the last 10 days, then it's either 239 or 241 hours... +# let's set the time zone to a time zone without daylight saving time +export TZ=GMT +%if %{enable_fips_mode} +export GOEXPERIMENT=boringcrypto +%endif + +# comment out temporarily while intermittent ngalert tests are investigated +# % gotest ./pkg/... + +# %if %{enable_fips_mode} +# OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption +# %endif + +%files +# binaries and wrappers +%{_sbindir}/%{name}-server +%{_sbindir}/%{name}-cli +%{_sbindir}/%{name} +%{_libexecdir}/%{name} + +# config files +%config(noreplace) %{_sysconfdir}/sysconfig/grafana-server +%dir %{_sysconfdir}/%{name} +%attr(0755, root, %{GRAFANA_GROUP}) %dir %{_sysconfdir}/%{name}/provisioning +%attr(0755, root, %{GRAFANA_GROUP}) %dir %{_sysconfdir}/%{name}/provisioning/access-control +%attr(0755, root, %{GRAFANA_GROUP}) %dir %{_sysconfdir}/%{name}/provisioning/dashboards +%attr(0750, root, %{GRAFANA_GROUP}) %dir %{_sysconfdir}/%{name}/provisioning/datasources +%attr(0755, root, %{GRAFANA_GROUP}) %dir %{_sysconfdir}/%{name}/provisioning/notifiers +%attr(0755, root, %{GRAFANA_GROUP}) %dir %{_sysconfdir}/%{name}/provisioning/plugins +%attr(0640, root, %{GRAFANA_GROUP}) %config(noreplace) %{_sysconfdir}/%{name}/grafana.ini +%attr(0640, root, %{GRAFANA_GROUP}) %config(noreplace) %{_sysconfdir}/%{name}/ldap.toml + +# config database directory and plugins +%attr(0750, %{GRAFANA_USER}, %{GRAFANA_GROUP}) %dir %{_sharedstatedir}/%{name} +%attr(-, %{GRAFANA_USER}, %{GRAFANA_GROUP}) %dir %{_sharedstatedir}/%{name}/plugins + +# shared directory and all files therein +%{_datadir}/%{name} + +# systemd service file +%{_unitdir}/grafana-server.service + +# Grafana configuration to dynamically create /run/grafana/grafana.pid on tmpfs +%{_tmpfilesdir}/%{name}.conf + +# systemd-sysusers configuration file +%{_sysusersdir}/%{name}.conf + +# log directory - grafana.log is created by grafana-server, and it does it's own log rotation +%attr(0755, %{GRAFANA_USER}, %{GRAFANA_GROUP}) %dir %{_localstatedir}/log/%{name} + +# man pages for grafana binaries +%{_mandir}/man1/%{name}-server.1* +%{_mandir}/man1/%{name}-cli.1* + +# other docs and license +%license LICENSE LICENSING.md NOTICE.md +%doc CHANGELOG.md CODE_OF_CONDUCT.md CONTRIBUTING.md GOVERNANCE.md HALL_OF_FAME.md ISSUE_TRIAGE.md MAINTAINERS.md +%doc README.md ROADMAP.md SECURITY.md SUPPORT.md UPGRADING_DEPENDENCIES.md WORKFLOW.md + +# SELinux policy +%post selinux +for selinuxvariant in %{selinux_variants} +do + /usr/sbin/semodule -s ${selinuxvariant} -i \ + %{_datadir}/selinux/${selinuxvariant}/grafana.pp &> /dev/null || : +done +/sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || : +/sbin/restorecon -RvF /etc/grafana &> /dev/null || : +/sbin/restorecon -RvF /var/log/grafana &> /dev/null || : +/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || : +/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || : +/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || : + +%postun selinux +if [ $1 -eq 0 ] ; then +/usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || : + for selinuxvariant in %{selinux_variants} + do + /usr/sbin/semodule -s ${selinuxvariant} -r grafana &> /dev/null || : + done + /sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || : + /sbin/restorecon -RvF /etc/grafana &> /dev/null || : + /sbin/restorecon -RvF /var/log/grafana &> /dev/null || : + /sbin/restorecon -RvF /var/lib/grafana &> /dev/null || : + /sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || : +fi + +%files selinux +%defattr(-,root,root,0755) +%doc SELinux/* +%{_datadir}/selinux/*/grafana.pp + +%changelog +* Fri Oct 25 2024 MSVSphere Packaging Team - 10.2.6-7 +- Rebuilt for MSVSphere 10 + +* Tue Oct 8 2024 Sam Feifer - 10.2.6-7 +- Resolves: RHEL-57874 + +* Tue Jul 16 2024 Sam Feifer - 10.2.6-6 +- Resolves: RHEL-44887 + +* Tue Jul 9 2024 Sam Feifer - 10.2.6-5 +- Resolves: RHEL-35909 +- Resolves: RHEL-43354 +- Resolves: RHEL-43138 + +* Mon Jun 24 2024 Troy Dawson - 10.2.6-4 +- Bump release for June 2024 mass rebuild + +* Tue May 7 2024 Sam Feifer - 10.2.6-3 +- Rebase to grafana 10.2.6 + +* Sun Feb 11 2024 Maxwell G - 9.2.10-18 +- Rebuild for golang 1.22.0 + +* Wed Jan 31 2024 Sam Feifer 9.2.10-17 +- Allows for postgreSQL datasource in selinux policy +- grafana-cli wrapper script now allows for the gid to be 0 + +* Wed Jan 24 2024 Fedora Release Engineering - 9.2.10-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sat Jan 20 2024 Fedora Release Engineering - 9.2.10-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Dec 18 2023 Sam Feifer 9.2.10-14 +- Fixes postgresql AVC denials + +* Fri Dec 15 2023 Sam Feifer 9.2.10-13 +- Fixes coredump issue introduced by selinux +- Patches out call to panic when trying to walk "/" directory + +* Thu Nov 30 2023 Sam Feifer - 9.2.10-12 +- Fix another set of AVC denials found testing only on some architectures + +* Mon Nov 20 2023 Sam Feifer - 9.2.10-11 +- Fix additional AVC denial found when testing on certain architectures + +* Wed Nov 15 2023 Sam Feifer - 9.2.10-10 +- Fix additional AVC denial found when testing + +* Wed Nov 15 2023 Sam Feifer - 9.2.10-9 +- Fix AVC denials found when testing +- Stop commented out gotest macro from expanding + +* Thu Nov 9 2023 Sam Feifer - 9.2.10-8 +- Hide relabeling messages from selinux when installing/uninstalling + +* Wed Nov 8 2023 Sam Feifer - 9.2.10-7 +- Include the selinux policy in the main package rather than a separate package + +* Thu Oct 5 2023 Sam Feifer - 9.2.10-6 +- Added 0010-skip-tests +- Resolves problematic tests when building + +* Thu Sep 28 2023 Sam Feifer - 9.2.10-5 +- Add SELinux policy for grafana + +* Sat Jul 22 2023 Carl George - 9.2.10-4 +- resolve CVE-2023-3128 grafana: Remove Email Lookup from oauth integrations + +* Thu Jul 20 2023 Fedora Release Engineering - 9.2.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu May 18 2023 Stan Cox 9.2.10-2 +- Update to 9.2.10 + +* Mon May 15 2023 Stan Cox 9.2.10-1 +- Update to 9.2.10 + +* Thu Jan 19 2023 Fedora Release Engineering - 9.0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Sep 21 2022 Andreas Gerstmayr 9.0.9-1 +- update to 9.0.9 tagged upstream community sources, see CHANGELOG +- resolve CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used (rhbz#2128565) + +* Thu Sep 15 2022 Andreas Gerstmayr 9.0.8-1 +- update to 9.0.8 tagged upstream community sources, see CHANGELOG +- do not list /usr/share/grafana/conf twice +- drop makefile in favor of create_bundles.sh script +- sync provides/obsoletes with CentOS versions +- drop husky patch + +* Wed Jul 27 2022 Andreas Gerstmayr 9.0.5-1 +- update to 9.0.5 tagged upstream community sources, see CHANGELOG (rhbz#2107413) +- run integration tests in check phase +- remove conditional around go-rpm-macros +- resolve CVE-2022-31107 grafana: OAuth account takeover (rhbz#2107435) +- resolve CVE-2022-31097 grafana: stored XSS vulnerability (rhbz#2107436) + +* Thu Jul 21 2022 Fedora Release Engineering - 9.0.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jul 14 2022 Andreas Gerstmayr 9.0.2-3 +- fix quoting in grafana-cli wrapper script (rhbz#2107046) + +* Wed Jul 13 2022 Andreas Gerstmayr 9.0.2-2 +- use systemd-sysusers to create the Grafana user and group + +* Thu Jul 07 2022 Andreas Gerstmayr 9.0.2-1 +- update to 9.0.2 tagged upstream community sources, see CHANGELOG + +* Wed Jun 29 2022 Andreas Gerstmayr 8.5.6-1 +- update to 8.5.6 tagged upstream community sources, see CHANGELOG +- updated license to AGPLv3 +- place commented sample config file in /etc/grafana/grafana.ini +- enable Go modules in build process +- adapt Node.js bundling to yarn v3 and Zero Install feature + +* Sun Jun 19 2022 Robert-André Mauchin - 7.5.15-3 +- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191, + CVE-2022-29526, CVE-2022-30629 + +* Mon Apr 11 2022 Andreas Gerstmayr 7.5.15-2 +- use clamp-mtime when generating the vendor and webpack tarballs, + to preserve past timestamps but still keep reproducibility +- round tarball mtime timestamp to midnight, to match SOURCE_DATE_EPOCH + +* Fri Apr 08 2022 Andreas Gerstmayr 7.5.15-1 +- update to 7.5.15 tagged upstream community sources, see CHANGELOG +- resolve CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources +- resolve CVE-2022-21702 grafana: XSS vulnerability in data source handling +- resolve CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation +- resolve CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure +- resolve CVE-2021-23648 sanitize-url: XSS +- resolve CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter +- declare Node.js dependencies of subpackages +- make vendor and webpack tarballs reproducible + +* Fri Jan 28 2022 Andreas Gerstmayr 7.5.13-1 +- update to 7.5.13 tagged upstream community sources, see CHANGELOG +- support Go 1.18 + +* Thu Jan 20 2022 Fedora Release Engineering - 7.5.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Jan 18 2022 Andreas Gerstmayr 7.5.11-3 +- use HMAC-SHA-256 instead of SHA-1 to generate password reset tokens +- update FIPS tests in check phase + +* Thu Dec 16 2021 Andreas Gerstmayr 7.5.11-2 +- resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache +- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files + +* Mon Oct 11 2021 Andreas Gerstmayr 7.5.11-1 +- update to 7.5.11 tagged upstream community sources, see CHANGELOG +- resolve CVE-2021-39226 + +* Thu Sep 30 2021 Andreas Gerstmayr 7.5.10-1 +- update to 7.5.10 tagged upstream community sources, see CHANGELOG + +* Mon Aug 16 2021 Andreas Gerstmayr 7.5.9-4 +- rebuild to resolve CVE-2021-34558 + +* Thu Jul 22 2021 Fedora Release Engineering - 7.5.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jul 08 2021 Andreas Gerstmayr 7.5.9-2 +- remove unused dependency property-information +- always include FIPS patch in SRPM + +* Fri Jun 25 2021 Andreas Gerstmayr 7.5.9-1 +- update to 7.5.9 tagged upstream community sources, see CHANGELOG + +* Mon Jun 21 2021 Andreas Gerstmayr 7.5.8-1 +- update to 7.5.8 tagged upstream community sources, see CHANGELOG +- remove unused dependencies selfsigned, http-signature and gofpdf + +* Fri Jun 11 2021 Andreas Gerstmayr 7.5.7-2 +- remove unused cryptographic implementations +- use cryptographic functions from OpenSSL if FIPS mode is enabled + +* Tue May 25 2021 Andreas Gerstmayr 7.5.7-1 +- update to 7.5.7 tagged upstream community sources, see CHANGELOG + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 7.3.6-4 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Tue Jan 26 2021 Fedora Release Engineering - 7.3.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Jan 22 2021 Andreas Gerstmayr 7.3.6-2 +- change working dir to $GRAFANA_HOME in grafana-cli wrapper (fixes Red Hat BZ #1916083) +- add pcp-redis-datasource to allow_loading_unsigned_plugins config option + +* Mon Dec 21 2020 Andreas Gerstmayr 7.3.6-1 +- update to 7.3.6 tagged upstream community sources, see CHANGELOG +- remove dependency on SAML (not supported in the open source version of Grafana) + +* Wed Nov 25 2020 Andreas Gerstmayr 7.3.4-1 +- update to 7.3.4 tagged upstream community sources, see CHANGELOG + +* Tue Nov 10 2020 Andreas Gerstmayr 7.3.1-1 +- update to 7.3.1 tagged upstream community sources, see CHANGELOG +- optionally bundle node.js dependencies and build and test frontend as part of the specfile +- change default provisioning path to /etc/grafana/provisioning (changed in version 7.1.1-1) +- resolve https://bugzilla.redhat.com/show_bug.cgi?id=1843170 + +* Sat Aug 01 2020 Fedora Release Engineering - 7.1.1-2 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jul 30 2020 Andreas Gerstmayr 7.1.1-1 +- update to 7.1.1 tagged upstream community sources, see CHANGELOG +- merge all datasources into main grafana package +- bundle golang dependencies + +* Tue Jul 28 2020 Fedora Release Engineering - 6.7.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Jun 05 2020 Andreas Gerstmayr 6.7.4-1 +- update to 6.7.4 tagged upstream community sources, see CHANGELOG +- security fix for CVE-2020-13379 + +* Tue Apr 28 2020 Andreas Gerstmayr 6.7.3-1 +- update to 6.7.3 tagged upstream community sources, see CHANGELOG +- add scripts to list Go dependencies and bundled npmjs dependencies +- set Grafana version in Grafana UI and grafana-cli --version +- declare README.md as documentation of datasource plugins +- create grafana.db on first installation (fixes RH BZ #1805472) +- change permissions of /var/lib/grafana to 750 (CVE-2020-12458) +- change permissions of /var/lib/grafana/grafana.db to 640 and + user/group grafana:grafana (CVE-2020-12458) +- change permissions of grafana.ini and ldap.toml to 640 (CVE-2020-12459) + +* Wed Feb 26 2020 Mark Goodwin 6.6.2-1 +- added patch0 to set the version string correctly +- removed patch 004-xerrors.patch, it's now upstream +- added several patches for golang vendored vrs build dep differences +- added patch to move grafana-cli binary to libexec dir +- update to 6.6.2 tagged upstream community sources, see CHANGELOG + +* Wed Nov 20 2019 Mark Goodwin 6.3.6-1 +- add weak depenency on grafana-pcp +- add patch to mute shellcheck SC1090 for grafana-cli +- update to 6.3.6 upstream community sources, see CHANGELOG + +* Thu Sep 05 2019 Mark Goodwin 6.3.5-1 +- drop uaparser patch now it's upstream +- add xerrors patch, see https://github.com/golang/go/issues/32246 +- use vendor sources on rawhide until modules are fully supported +- update to latest upstream community sources, see CHANGELOG + +* Fri Aug 30 2019 Mark Goodwin 6.3.4-1 +- include fix for CVE-2019-15043 +- add patch for uaparser on 32bit systems +- update to latest upstream community sources, see CHANGELOG + +* Wed Jul 31 2019 Mark Goodwin 6.2.5-1 +- update to latest upstream community sources, see CHANGELOG + +* Thu Jul 25 2019 Fedora Release Engineering - 6.2.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jun 07 2019 Mark Goodwin 6.2.2-1 +- split out some datasource plugins to sub-packages +- update to latest upstream community sources, see CHANGELOG + +* Wed Jun 05 2019 Mark Goodwin 6.2.1-1 +- update to latest upstream community sources, see CHANGELOG + +* Fri May 24 2019 Mark Goodwin 6.2.0-1 +- update to latest upstream community sources +- drop a couple of patches + +* Wed May 08 2019 Mark Goodwin 6.1.6-2 +- add conditional unbundle_vendor_sources macro + +* Tue Apr 30 2019 Mark Goodwin 6.1.6-1 +- update to latest upstream stable release 6.1.6, see CHANGELOG +- includes jQuery 3.4.0 security update + +* Wed Apr 24 2019 Mark Goodwin 6.1.4-1 +- update to latest upstream stable release 6.1.4, see CHANGELOG +- use gobuild and gochecks macros, eliminate arch symlinks +- re-enable grafana-debugsource package +- fix GRAFANA_GROUP typo +- fix more modes for brp-mangle-shebangs +- vendor source unbundling now done in prep after patches +- remove all rhel and fedora conditional guff + +* Tue Apr 16 2019 Mark Goodwin 6.1.3-1 +- update to latest upstream stable release 6.1.3, see CHANGELOG +- unbundle all vendor sources, replace with BuildRequires, see + the long list of blocker BZs linked to BZ#1670656 +- BuildRequires go-plugin >= v1.0.0 for grpc_broker (thanks eclipseo) +- tweak make_webpack to no longer use grunt, switch to prod build +- add ExclusiveArch lua script (thanks quantum.analyst) +- move db directory and plugins to /var/lib/grafana +- split out into 6 patches, ready for upstream PRs +- add check to run go tests for gating checks + +* Thu Apr 04 2019 Mark Goodwin 6.1.0-1 +- update to latest upstream stable release 6.1.0, see CHANGELOG + +* Thu Mar 21 2019 Mark Goodwin 6.0.2-1 +- bump to latest upstream stable release 6.0.2-1 +- unbundle almost all remaining vendor code, see linked blockers in BZ#1670656 + +* Fri Mar 15 2019 Mark Goodwin 6.0.1-3 +- bump to latest upstream stable release 6.0.1-1 + +* Thu Mar 14 2019 Mark Goodwin 6.0.1-2 +- unbundle and add BuildRequires for golang-github-rainycape-unidecode-devel + +* Thu Mar 07 2019 Mark Goodwin 6.0.1-1 +- update to v6.0.1 upstream sources, tweak distro config, re-do patch +- simplify make_webpack.sh script (Elliott Sales de Andrade) +- vendor/github.com/go-ldap is now gone, so don't unbundle it + +* Thu Mar 07 2019 Mark Goodwin 5.4.3-11 +- tweak after latest feedback, bump to 5.4.3-11 (BZ 1670656) +- build debuginfo package again +- unbundle BuildRequires for golang-github-hashicorp-version-devel +- remove some unneeded development files +- remove macros from changelog and other rpmlint tweaks + +* Fri Feb 22 2019 Mark Goodwin 5.4.3-10 +- tweak spec for available and unavailable (bundled) golang packages + +* Wed Feb 20 2019 Xavier Bachelot 5.4.3-9 +- Remove extraneous slash (cosmetic) +- Create directories just before moving stuff in them +- Truncate long lines +- Group all golang stuff +- Simplify BuildRequires/bundled Provides +- Sort BuildRequires/bundled Provides +- Fix bundled go packages Provides + +* Fri Feb 15 2019 Mark Goodwin 5.4.3-8 +- add BuildRequires (and unbundle) vendor sources available in Fedora +- declare Provides for remaining (bundled) vendor go sources +- do not attempt to unbundle anything on RHEL < 7 or Fedora < 28 + +* Thu Feb 07 2019 Mark Goodwin 5.4.3-7 +- further refinement for spec doc section from Xavier Bachelot +- disable debug_package to avoid empty debugsourcefiles.list + +* Wed Feb 06 2019 Mark Goodwin 5.4.3-6 +- further refinement following review by Xavier Bachelot + +* Tue Feb 05 2019 Mark Goodwin 5.4.3-5 +- further refinement following review by Xavier Bachelot + +* Fri Feb 01 2019 Mark Goodwin 5.4.3-4 +- further spec updates after packaging review +- reworked post-install scriplets + +* Thu Jan 31 2019 Mark Goodwin 5.4.3-3 +- tweak FHS patch, update spec after packaging review + +* Wed Jan 30 2019 Mark Goodwin 5.4.3-2 +- add patch to be standard FHS compliant, remove phantomjs +- update to v5.4.3 upstream community sources + +* Wed Jan 09 2019 Mark Goodwin 5.4.2-1 +- update to v5.4.2 upstream community sources + +* Thu Oct 18 2018 Mark Goodwin 5.3.1-1 +- update to v5.3.1 upstream community sources + +* Tue Oct 02 2018 Mark Goodwin 5.2.5-1 +- native RPM spec build with current tagged v5.2.5 sources