fix(deps): update module google.golang.org/api to v0.269.0 (main) (#21014)

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
2026-03-13 09:33:58 +08:00 · 2026-03-02 13:32:56 -03:00
parent 025b62b0ec
commit d1f08ff4d8
8 changed files with 80 additions and 30 deletions
--- a/go.mod
+++ b/go.mod
@@ -104,7 +104,7 @@ require (
 	golang.org/x/sync v0.19.0
 	golang.org/x/sys v0.41.0
 	golang.org/x/time v0.14.0
-	google.golang.org/api v0.268.0
+	google.golang.org/api v0.269.0
 	google.golang.org/grpc v1.79.1
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -173,7 +173,7 @@ require (

 require (
 	cel.dev/expr v0.25.1 // indirect
-	cloud.google.com/go/auth v0.18.1 // indirect
+	cloud.google.com/go/auth v0.18.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/monitoring v1.24.3 // indirect
 	filippo.io/edwards25519 v1.2.0 // indirect
@@ -426,7 +426,7 @@ require (
 	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20260202012954-cb029daf43ef // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.12 // indirect
 	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -17,8 +17,8 @@ cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOY
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
-cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=
-cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=
+cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
+cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
@@ -642,8 +642,8 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.12 h1:Fg+zsqzYEs1ZnvmcztTYxhgCBsx3eEhEwQ1W/lHq/sQ=
+github.com/googleapis/enterprise-certificate-proxy v0.3.12/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
@@ -1616,8 +1616,8 @@ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M
 google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
 google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.268.0 h1:hgA3aS4lt9rpF5RCCkX0Q2l7DvHgvlb53y4T4u6iKkA=
-google.golang.org/api v0.268.0/go.mod h1:HXMyMH496wz+dAJwD/GkAPLd3ZL33Kh0zEG32eNvy9w=
+google.golang.org/api v0.269.0 h1:qDrTOxKUQ/P0MveH6a7vZ+DNHxJQjtGm/uvdbdGXCQg=
+google.golang.org/api v0.269.0/go.mod h1:N8Wpcu23Tlccl0zSHEkcAZQKDLdquxK+l9r2LkwAauE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
--- a/vendor/cloud.google.com/go/auth/CHANGES.md
+++ b/vendor/cloud.google.com/go/auth/CHANGES.md
@@ -1,5 +1,11 @@
 # Changes

+## [0.18.2](https://github.com/googleapis/google-cloud-go/releases/tag/auth%2Fv0.18.2) (2026-02-13)
+
+### Bug Fixes
+
+* fixes gdch credentials logic (#13741) ([f82cda5](https://github.com/googleapis/google-cloud-go/commit/f82cda58bd9885b7b8a9d8b15126f5a1e0add0dc))
+
 ## [0.18.1](https://github.com/googleapis/google-cloud-go/releases/tag/auth%2Fv0.18.1) (2026-01-21)

 ### Bug Fixes
--- a/vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go
+++ b/vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go
@@ -15,6 +15,7 @@
 package gdch

 import (
+	"bytes"
 	"context"
 	"crypto"
 	"crypto/tls"
@@ -24,9 +25,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
-	"net/url"
 	"os"
-	"strings"
 	"time"

 	"cloud.google.com/go/auth"
@@ -121,27 +120,34 @@ func (g gdchProvider) Token(ctx context.Context) (*auth.Token, error) {
 		Exp: exp.Unix(),
 	}
 	h := jwt.Header{
-		Algorithm: jwt.HeaderAlgRSA256,
+		Algorithm: jwt.HeaderAlgES256,
 		Type:      jwt.HeaderType,
-		KeyID:     string(g.pkID),
+		KeyID:     g.pkID,
 	}
 	payload, err := jwt.EncodeJWS(&h, &claims, g.signer)
 	if err != nil {
 		return nil, err
 	}
-	v := url.Values{}
-	v.Set("grant_type", GrantType)
-	v.Set("audience", g.aud)
-	v.Set("requested_token_type", requestTokenType)
-	v.Set("subject_token", payload)
-	v.Set("subject_token_type", subjectTokenType)

-	req, err := http.NewRequestWithContext(ctx, "POST", g.tokenURL, strings.NewReader(v.Encode()))
+	v := map[string]string{
+		"grant_type":           GrantType,
+		"audience":             g.aud,
+		"requested_token_type": requestTokenType,
+		"subject_token":        payload,
+		"subject_token_type":   subjectTokenType,
+	}
+
+	r, err := json.Marshal(v)
+	if err != nil {
+		return nil, fmt.Errorf("credentials: cannot marshal token request: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "POST", g.tokenURL, bytes.NewReader(r))
 	if err != nil {
 		return nil, err
 	}
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	g.logger.DebugContext(ctx, "gdch token request", "request", internallog.HTTPRequest(req, []byte(v.Encode())))
+	req.Header.Set("Content-Type", "application/json")
+	g.logger.DebugContext(ctx, "gdch token request", "request", internallog.HTTPRequest(req, r))
 	resp, body, err := internal.DoRequest(g.client, req)
 	if err != nil {
 		return nil, fmt.Errorf("credentials: cannot fetch token: %w", err)
@@ -188,4 +194,5 @@ func addCertToTransport(hc *http.Client, certPool *x509.CertPool) {
 	trans.TLSClientConfig = &tls.Config{
 		RootCAs: certPool,
 	}
+	hc.Transport = trans
 }
--- a/vendor/cloud.google.com/go/auth/internal/jwt/jwt.go
+++ b/vendor/cloud.google.com/go/auth/internal/jwt/jwt.go
@@ -17,13 +17,16 @@ package jwt
 import (
 	"bytes"
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
+	"encoding/asn1"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math/big"
 	"strings"
 	"time"
 )
@@ -35,6 +38,8 @@ const (
 	HeaderAlgES256 = "ES256"
 	// HeaderType is the standard [Header.Type].
 	HeaderType = "JWT"
+	// ES256 key size
+	es256KeySize = 32
 )

 // Header represents a JWT header.
@@ -127,6 +132,22 @@ func EncodeJWS(header *Header, c *Claims, signer crypto.Signer) (string, error)
 	if err != nil {
 		return "", err
 	}
+
+	if header.Algorithm == HeaderAlgES256 {
+		var ecSig struct {
+			R, S *big.Int
+		}
+		if _, err := asn1.Unmarshal(sig, &ecSig); err != nil {
+			return "", err
+		}
+
+		rawSig := make([]byte, es256KeySize*2)
+
+		ecSig.R.FillBytes(rawSig[:es256KeySize])
+		ecSig.S.FillBytes(rawSig[es256KeySize:])
+
+		sig = rawSig
+	}
 	return fmt.Sprintf("%s.%s", ss, base64.RawURLEncoding.EncodeToString(sig)), nil
 }

@@ -153,7 +174,7 @@ func DecodeJWS(payload string) (*Claims, error) {

 // VerifyJWS tests whether the provided JWT token's signature was produced by
 // the private key associated with the provided public key.
-func VerifyJWS(token string, key *rsa.PublicKey) error {
+func VerifyJWS(token string, key crypto.PublicKey) error {
 	parts := strings.Split(token, ".")
 	if len(parts) != 3 {
 		return errors.New("jwt: invalid token received, token must have 3 parts")
@@ -167,5 +188,21 @@ func VerifyJWS(token string, key *rsa.PublicKey) error {

 	h := sha256.New()
 	h.Write([]byte(signedContent))
-	return rsa.VerifyPKCS1v15(key, crypto.SHA256, h.Sum(nil), signatureString)
+	hashed := h.Sum(nil)
+
+	switch pub := key.(type) {
+	case *rsa.PublicKey:
+		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashed, signatureString)
+	case *ecdsa.PublicKey:
+		if len(signatureString) != 2*32 {
+			return fmt.Errorf("jwt: ecdsa signature size should be 64 bytes, got %d", len(signatureString))
+		}
+		r := new(big.Int).SetBytes(signatureString[:32])
+		s := new(big.Int).SetBytes(signatureString[32:])
+		if !ecdsa.Verify(pub, hashed, r, s) {
+			return errors.New("jwt: ecdsa signature verification failed")
+		}
+		return nil
+	}
+	return fmt.Errorf("jwt: unsupported public key type: %T", key)
 }
--- a/vendor/cloud.google.com/go/auth/internal/version.go
+++ b/vendor/cloud.google.com/go/auth/internal/version.go
@@ -17,4 +17,4 @@
 package internal

 // Version is the current tagged release of the library.
-const Version = "0.18.1"
+const Version = "0.18.2"
--- a/vendor/google.golang.org/api/internal/version.go
+++ b/vendor/google.golang.org/api/internal/version.go
@@ -5,4 +5,4 @@
 package internal

 // Version is the current tagged release of the library.
-const Version = "0.268.0"
+const Version = "0.269.0"
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -11,7 +11,7 @@ cloud.google.com/go/internal/optional
 cloud.google.com/go/internal/pubsub
 cloud.google.com/go/internal/trace
 cloud.google.com/go/internal/version
-# cloud.google.com/go/auth v0.18.1
+# cloud.google.com/go/auth v0.18.2
 ## explicit; go 1.24.0
 cloud.google.com/go/auth
 cloud.google.com/go/auth/credentials
@@ -1176,8 +1176,8 @@ github.com/google/s2a-go/stream
 # github.com/google/uuid v1.6.0
 ## explicit
 github.com/google/uuid
-# github.com/googleapis/enterprise-certificate-proxy v0.3.11
-## explicit; go 1.24.0
+# github.com/googleapis/enterprise-certificate-proxy v0.3.12
+## explicit; go 1.24.11
 github.com/googleapis/enterprise-certificate-proxy/client
 github.com/googleapis/enterprise-certificate-proxy/client/util
 # github.com/googleapis/gax-go/v2 v2.17.0
@@ -2647,7 +2647,7 @@ golang.org/x/tools/txtar
 ## explicit; go 1.18
 golang.org/x/xerrors
 golang.org/x/xerrors/internal
-# google.golang.org/api v0.268.0
+# google.golang.org/api v0.269.0
 ## explicit; go 1.25.0
 google.golang.org/api/cloudresourcemanager/v1
 google.golang.org/api/compute/v1