Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[extension/bearertokenauth] use constant time comparison #34516

Merged
merged 2 commits into from
Aug 8, 2024

Conversation

codeboten
Copy link
Contributor

  • clarify error message in case of missing header
  • don't use implementation code to verify expectations in tests
  • format header value ahead of time, rather than on every use, to avoid allocations
  • consistently synchronise access to header value for both client and server authenticators (now using sync/atomic.Value rather than RWMutex)

- clarify error message in case of missing header
- don't use implementation code to verify expectations in tests
- format header value ahead of time, rather than on every use,
  to avoid allocations
- consistently synchronise access to header value for both client and
  server authenticators (now using sync/atomic.Value rather than RWMutex)
@codeboten codeboten requested a review from jpkrohling as a code owner August 8, 2024 15:06
@codeboten codeboten requested a review from a team August 8, 2024 15:06
@github-actions github-actions bot requested a review from frzifus August 8, 2024 15:07
@arminru arminru changed the title [extension/bearertokenauth] minor improvements [extension/bearertokenauth] use constant time comparison Aug 8, 2024
Signed-off-by: Alex Boten <223565+codeboten@users.noreply.github.com>
@codeboten codeboten merged commit c9bd3ef into open-telemetry:main Aug 8, 2024
154 checks passed
@codeboten codeboten deleted the codeboten/bearerauth-patch branch August 8, 2024 15:24
@github-actions github-actions bot added this to the next release milestone Aug 8, 2024
dmathieu referenced this pull request in open-telemetry/opentelemetry-go Aug 19, 2024
…o v0.107.0 (#5710)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[otel/opentelemetry-collector-contrib](https://togithub.com/open-telemetry/opentelemetry-collector-releases)
| minor | `0.106.1` -> `0.107.0` |

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-collector-releases
(otel/opentelemetry-collector-contrib)</summary>

###
[`v0.107.0`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.107.0)

[Compare
Source](https://togithub.com/open-telemetry/opentelemetry-collector-releases/compare/v0.106.1...v0.107.0)

Check the [v0.107.0 contrib
changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.107.0)
and the [v0.107.0 core
changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.107.0)
for changelogs on specific components.

This release fixes CVE-2024-42368 on the bearerauthtokenextension
([https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/pull/34516)).

##### Changelog

-
[`6bb8682`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/6bb86822416b97ed8be442477ad2e95cb33a0970)
Prepare 0.107.0 release
([#&#8203;636](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/636))
-
[`9fe2ba4`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/9fe2ba421e19bce91e7f8ecf15985e4016dd0dba)
Bump sigstore/cosign-installer from 3.5.0 to 3.6.0
([#&#8203;634](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/634))
-
[`b7cb307`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/b7cb307fb354aba7624faf20887f59c2859ea6e2)
Bump actions/upload-artifact from 4.3.4 to 4.3.6
([#&#8203;635](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/635))
-
[`cd2dacc`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/cd2dacc22b2bb72df2c3524e4f1bc44297984aab)
Migrate ocb binary release to opentelemetry-collector-releases
([#&#8203;608](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/608))
-
[`73a756f`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/73a756f723721dd5c9a21beae765670609ba40a0)
fix linux package dependencies
([#&#8203;620](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/620))
-
[`5342205`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/534220564ca848bb4df1cae60a145740d22a19c1)
Add /bin/sh dependency to linux packages
([#&#8203;617](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/617))
-
[`efc0813`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/efc081348fd3da9c7b5617dcaaf41641f42db3dd)
\[chore] move package tests from contrib repo to this repo
([#&#8203;604](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/604))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/open-telemetry/opentelemetry-go).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yNi4xIiwidXBkYXRlZEluVmVyIjoiMzguMjYuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiU2tpcCBDaGFuZ2Vsb2ciLCJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
XSAM referenced this pull request in XSAM/otelsql Aug 27, 2024
)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[otel/opentelemetry-collector-contrib](https://togithub.com/open-telemetry/opentelemetry-collector-releases)
| minor | `0.105.0` -> `0.108.0` |

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-collector-releases
(otel/opentelemetry-collector-contrib)</summary>

###
[`v0.108.0`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0)

Check the [v0.108.0 contrib
changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.108.0)
and the [v0.108.0 core
changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.108.0)
for changelogs on specific components.

#### Changelog

-
[`bef563e`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/bef563ebb0f3a73fb8681d4ca4178ddf244042b6)
\[chore] prepare v0.108.0 release
([#&#8203;650](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/650))
-
[`9f7aa60`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/9f7aa60ccb871bab6e5ad76e3a4c4a31e7f25370)
contrib: add deltatocumulative
([#&#8203;647](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/647))
-
[`d86f03d`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/d86f03d6116e1753adc4ff1ab1f327d19263226d)
Bump anchore/sbom-action from 0.17.1 to 0.17.2
([#&#8203;648](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/648))
-
[`ae09f1c`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/ae09f1c95ff57be3507678da85fb9ddac8eb540e)
add geoip processor to contrib
([#&#8203;646](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/646))
-
[`cd82e6f`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/cd82e6fd703ac4733ab8800d177d08452de990e6)
Remove ballast extension
([#&#8203;607](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/607))
-
[`2bafff8`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/2bafff863f53630ba01b0cb809e1dac965b492eb)
Bump docker/setup-buildx-action from 3.5.0 to 3.6.1
([#&#8203;628](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/628))
-
[`45130cf`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/45130cf417eea3228a299d92a44165b1198282cd)
Bump anchore/sbom-action from 0.17.0 to 0.17.1
([#&#8203;644](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/644))
-
[`5bbfb51`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/5bbfb51ebc9861b72c40476f9ecda8a9ed0bca92)
Bump github.com/goreleaser/goreleaser-pro/v2 from 2.1.0-pro to 2.2.0-pro
([#&#8203;645](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/645))
-
[`fbe9653`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/fbe96534081a5ea85bc16ccd558f96cd24658c9f)
Bump to Go 1.23 for all builds
([#&#8203;638](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/638))
-
[`9c8c699`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/9c8c699de1a756c7b99a1188f8db68bb6540116e)
Update .goreleaser.yml
([#&#8203;643](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/643))
-
[`de92512`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/de92512197c429960163d486b55825ef778a1761)
Jackgopack4/go1.23 ci fix
([#&#8203;641](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/641))
-
[`4c7310f`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/4c7310fe699387ea5cce55f393a6ac806339165e)
Fix goreleaser ci
([#&#8203;640](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/640))

###
[`v0.107.0`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.107.0)

[Compare
Source](https://togithub.com/open-telemetry/opentelemetry-collector-releases/compare/v0.106.1...v0.107.0)

Check the [v0.107.0 contrib
changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.107.0)
and the [v0.107.0 core
changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.107.0)
for changelogs on specific components.

This release fixes CVE-2024-42368 on the bearerauthtokenextension
([https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/pull/34516)).

##### Changelog

-
[`6bb8682`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/6bb86822416b97ed8be442477ad2e95cb33a0970)
Prepare 0.107.0 release
([#&#8203;636](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/636))
-
[`9fe2ba4`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/9fe2ba421e19bce91e7f8ecf15985e4016dd0dba)
Bump sigstore/cosign-installer from 3.5.0 to 3.6.0
([#&#8203;634](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/634))
-
[`b7cb307`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/b7cb307fb354aba7624faf20887f59c2859ea6e2)
Bump actions/upload-artifact from 4.3.4 to 4.3.6
([#&#8203;635](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/635))
-
[`cd2dacc`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/cd2dacc22b2bb72df2c3524e4f1bc44297984aab)
Migrate ocb binary release to opentelemetry-collector-releases
([#&#8203;608](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/608))
-
[`73a756f`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/73a756f723721dd5c9a21beae765670609ba40a0)
fix linux package dependencies
([#&#8203;620](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/620))
-
[`5342205`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/534220564ca848bb4df1cae60a145740d22a19c1)
Add /bin/sh dependency to linux packages
([#&#8203;617](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/617))
-
[`efc0813`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/efc081348fd3da9c7b5617dcaaf41641f42db3dd)
\[chore] move package tests from contrib repo to this repo
([#&#8203;604](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/604))

###
[`v0.106.1`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.106.1)

[Compare
Source](https://togithub.com/open-telemetry/opentelemetry-collector-releases/compare/v0.106.0...v0.106.1)

Check the [v0.106.1 contrib
changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.106.1)
and the [v0.106.1 core
changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.106.1)
for changelogs on specific components.

##### Changelog

-
[`ee3f3cc`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/ee3f3cc8039fad89c962cd34f0d2b8b4babfa40d)
Prepare release v0.106.1
([#&#8203;619](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/619))

###
[`v0.106.0`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.106.0)

[Compare
Source](https://togithub.com/open-telemetry/opentelemetry-collector-releases/compare/v0.105.0...v0.106.0)

Check the [v0.106.0 contrib
changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.106.0)
and the [v0.106.0 core
changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.106.0)
for changelogs on specific components.

##### Changelog

-
[`1e67d14`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/1e67d14d30857b5306c7ff4c1091648eaf1497cc)
Prepare release v0.106.0
([#&#8203;615](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/615))
-
[`a13cff5`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/a13cff51c124c20a8d423683f90a633298b5fe9e)
fix some broken conditionals in pipelines
([#&#8203;610](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/610))
-
[`34bc10d`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/34bc10d950b71a0d42bf71d84d340e4b388849b8)
Bump docker/setup-buildx-action from 3.4.0 to 3.5.0
([#&#8203;612](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/612))
-
[`c75880c`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/c75880c15b99f58decb99f8f93901a4a2c6f6ebf)
Bump docker/setup-qemu-action from 3.1.0 to 3.2.0
([#&#8203;613](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/613))
-
[`10e46e7`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/10e46e74de356add246bf3c52b7c59d5159624ef)
Bump docker/login-action from 3.2.0 to 3.3.0
([#&#8203;614](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/614))
-
[`3148572`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/3148572998c8f343960da3d727fca0834e406593)
update remaining goreleaser usages to v2
([#&#8203;609](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/609))
-
[`4d6e084`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/4d6e08471090ceecbf5ef0bbfc5ec70cae23f42d)
Bump anchore/sbom-action from 0.16.1 to 0.17.0
([#&#8203;605](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/605))
-
[`19d291d`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/19d291d72811b3b8623ccd2296b78a44f0212fca)
Update go to 1.22
([#&#8203;600](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/600))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job log](https://developer.mend.io/github/XSAM/otelsql).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM4LjI2LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
f7o pushed a commit to f7o/opentelemetry-collector-contrib that referenced this pull request Sep 12, 2024
…try#34516)

- clarify error message in case of missing header
- don't use implementation code to verify expectations in tests
- format header value ahead of time, rather than on every use, to avoid
allocations
- consistently synchronise access to header value for both client and
server authenticators (now using sync/atomic.Value rather than RWMutex)

---------

Signed-off-by: Alex Boten <223565+codeboten@users.noreply.github.com>
Co-authored-by: Andrew Wilkins <axw@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants