Update containers/buildah v1.24.1

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor/github.com/docker/go-connections/nat/nat.go

@@ -8,11 +8,6 @@ import (
 	"strings"
 )
 
-const (
-	// portSpecTemplate is the expected format for port specifications
-	portSpecTemplate = "ip:hostPort:containerPort"
-)
-
 // PortBinding represents a binding between a Host IP address and a Host Port
 type PortBinding struct {
 	// HostIP is the host IP Address
@@ -158,30 +153,33 @@ type PortMapping struct {
 func splitParts(rawport string) (string, string, string) {
 	parts := strings.Split(rawport, ":")
 	n := len(parts)
-	containerport := parts[n-1]
+	containerPort := parts[n-1]
 
 	switch n {
 	case 1:
-		return "", "", containerport
+		return "", "", containerPort
 	case 2:
-		return "", parts[0], containerport
+		return "", parts[0], containerPort
 	case 3:
-		return parts[0], parts[1], containerport
+		return parts[0], parts[1], containerPort
 	default:
-		return strings.Join(parts[:n-2], ":"), parts[n-2], containerport
+		return strings.Join(parts[:n-2], ":"), parts[n-2], containerPort
 	}
 }
 
 // ParsePortSpec parses a port specification string into a slice of PortMappings
 func ParsePortSpec(rawPort string) ([]PortMapping, error) {
 	var proto string
-	rawIP, hostPort, containerPort := splitParts(rawPort)
+	ip, hostPort, containerPort := splitParts(rawPort)
 	proto, containerPort = SplitProtoPort(containerPort)
 
-	// Strip [] from IPV6 addresses
-	ip, _, err := net.SplitHostPort(rawIP + ":")
-	if err != nil {
-		return nil, fmt.Errorf("Invalid ip address %v: %s", rawIP, err)
+	if ip != "" && ip[0] == '[' {
+		// Strip [] from IPV6 addresses
+		rawIP, _, err := net.SplitHostPort(ip + ":")
+		if err != nil {
+			return nil, fmt.Errorf("Invalid ip address %v: %s", ip, err)
+		}
+		ip = rawIP
 	}
 	if ip != "" && net.ParseIP(ip) == nil {
 		return nil, fmt.Errorf("Invalid ip address: %s", ip)

vendor/github.com/docker/go-connections/nat/sort.go

@@ -43,7 +43,7 @@ type portMapSorter []portMapEntry
 func (s portMapSorter) Len() int      { return len(s) }
 func (s portMapSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
 
-// sort the port so that the order is:
+// Less sorts the port so that the order is:
 // 1. port with larger specified bindings
 // 2. larger port
 // 3. port with tcp protocol
@@ -58,7 +58,7 @@ func (s portMapSorter) Less(i, j int) bool {
 func SortPortMap(ports []Port, bindings PortMap) {
 	s := portMapSorter{}
 	for _, p := range ports {
-		if binding, ok := bindings[p]; ok {
+		if binding, ok := bindings[p]; ok && len(binding) > 0 {
 			for _, b := range binding {
 				s = append(s, portMapEntry{port: p, binding: b})
 			}

vendor/github.com/docker/go-connections/sockets/proxy.go

@@ -2,11 +2,8 @@ package sockets
 
 import (
 	"net"
-	"net/url"
 	"os"
 	"strings"
-
-	"golang.org/x/net/proxy"
 )
 
 // GetProxyEnv allows access to the uppercase and the lowercase forms of
@@ -20,32 +17,12 @@ func GetProxyEnv(key string) string {
 	return proxyValue
 }
 
-// DialerFromEnvironment takes in a "direct" *net.Dialer and returns a
-// proxy.Dialer which will route the connections through the proxy using the
-// given dialer.
-func DialerFromEnvironment(direct *net.Dialer) (proxy.Dialer, error) {
-	allProxy := GetProxyEnv("all_proxy")
-	if len(allProxy) == 0 {
-		return direct, nil
-	}
-
-	proxyURL, err := url.Parse(allProxy)
-	if err != nil {
-		return direct, err
-	}
-
-	proxyFromURL, err := proxy.FromURL(proxyURL, direct)
-	if err != nil {
-		return direct, err
-	}
-
-	noProxy := GetProxyEnv("no_proxy")
-	if len(noProxy) == 0 {
-		return proxyFromURL, nil
-	}
-
-	perHost := proxy.NewPerHost(proxyFromURL, direct)
-	perHost.AddFromString(noProxy)
-
-	return perHost, nil
+// DialerFromEnvironment was previously used to configure a net.Dialer to route
+// connections through a SOCKS proxy.
+// DEPRECATED: SOCKS proxies are now supported by configuring only
+// http.Transport.Proxy, and no longer require changing http.Transport.Dial.
+// Therefore, only sockets.ConfigureTransport() needs to be called, and any
+// sockets.DialerFromEnvironment() calls can be dropped.
+func DialerFromEnvironment(direct *net.Dialer) (*net.Dialer, error) {
+	return direct, nil
 }

vendor/github.com/docker/go-connections/sockets/sockets.go

@@ -3,14 +3,9 @@ package sockets
 
 import (
 	"errors"
-	"net"
 	"net/http"
-	"time"
 )
 
-// Why 32? See https://github.com/docker/docker/pull/8035.
-const defaultTimeout = 32 * time.Second
-
 // ErrProtocolNotAvailable is returned when a given transport protocol is not provided by the operating system.
 var ErrProtocolNotAvailable = errors.New("protocol not available")
 
@@ -26,13 +21,6 @@ func ConfigureTransport(tr *http.Transport, proto, addr string) error {
 		return configureNpipeTransport(tr, proto, addr)
 	default:
 		tr.Proxy = http.ProxyFromEnvironment
-		dialer, err := DialerFromEnvironment(&net.Dialer{
-			Timeout: defaultTimeout,
-		})
-		if err != nil {
-			return err
-		}
-		tr.Dial = dialer.Dial
 	}
 	return nil
 }

vendor/github.com/docker/go-connections/sockets/sockets_unix.go

@@ -3,6 +3,7 @@
 package sockets
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"net/http"
@@ -10,7 +11,10 @@ import (
 	"time"
 )
 
-const maxUnixSocketPathSize = len(syscall.RawSockaddrUnix{}.Path)
+const (
+	defaultTimeout        = 10 * time.Second
+	maxUnixSocketPathSize = len(syscall.RawSockaddrUnix{}.Path)
+)
 
 func configureUnixTransport(tr *http.Transport, proto, addr string) error {
 	if len(addr) > maxUnixSocketPathSize {
@@ -18,8 +22,11 @@ func configureUnixTransport(tr *http.Transport, proto, addr string) error {
 	}
 	// No need for compression in local communications.
 	tr.DisableCompression = true
-	tr.Dial = func(_, _ string) (net.Conn, error) {
-		return net.DialTimeout(proto, addr, defaultTimeout)
+	dialer := &net.Dialer{
+		Timeout: defaultTimeout,
+	}
+	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
+		return dialer.DialContext(ctx, proto, addr)
 	}
 	return nil
 }

vendor/github.com/docker/go-connections/sockets/sockets_windows.go

@@ -1,6 +1,7 @@
 package sockets
 
 import (
+	"context"
 	"net"
 	"net/http"
 	"time"
@@ -15,8 +16,8 @@ func configureUnixTransport(tr *http.Transport, proto, addr string) error {
 func configureNpipeTransport(tr *http.Transport, proto, addr string) error {
 	// No need for compression in local communications.
 	tr.DisableCompression = true
-	tr.Dial = func(_, _ string) (net.Conn, error) {
-		return DialPipe(addr, defaultTimeout)
+	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
+		return winio.DialPipeContext(ctx, addr)
 	}
 	return nil
 }

vendor/github.com/docker/go-connections/sockets/unix_socket.go

@@ -1,5 +1,51 @@
 // +build !windows
 
+/*
+Package sockets is a simple unix domain socket wrapper.
+
+Usage
+
+For example:
+
+	import(
+		"fmt"
+		"net"
+		"os"
+		"github.com/docker/go-connections/sockets"
+	)
+
+	func main() {
+		l, err := sockets.NewUnixSocketWithOpts("/path/to/sockets",
+			sockets.WithChown(0,0),sockets.WithChmod(0660))
+		if err != nil {
+			panic(err)
+		}
+		echoStr := "hello"
+
+		go func() {
+			for {
+				conn, err := l.Accept()
+				if err != nil {
+					return
+				}
+				conn.Write([]byte(echoStr))
+				conn.Close()
+			}
+		}()
+
+		conn, err := net.Dial("unix", path)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		buf := make([]byte, 5)
+		if _, err := conn.Read(buf); err != nil {
+			panic(err)
+		} else if string(buf) != echoStr {
+			panic(fmt.Errorf("Msg may lost"))
+		}
+	}
+*/
 package sockets
 
 import (
@@ -8,25 +54,73 @@ import (
 	"syscall"
 )
 
-// NewUnixSocket creates a unix socket with the specified path and group.
-func NewUnixSocket(path string, gid int) (net.Listener, error) {
+// SockOption sets up socket file's creating option
+type SockOption func(string) error
+
+// WithChown modifies the socket file's uid and gid
+func WithChown(uid, gid int) SockOption {
+	return func(path string) error {
+		if err := os.Chown(path, uid, gid); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// WithChmod modifies socket file's access mode.
+func WithChmod(mask os.FileMode) SockOption {
+	return func(path string) error {
+		if err := os.Chmod(path, mask); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// NewUnixSocketWithOpts creates a unix socket with the specified options.
+// By default, socket permissions are 0000 (i.e.: no access for anyone); pass
+// WithChmod() and WithChown() to set the desired ownership and permissions.
+//
+// This function temporarily changes the system's "umask" to 0777 to work around
+// a race condition between creating the socket and setting its permissions. While
+// this should only be for a short duration, it may affect other processes that
+// create files/directories during that period.
+func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error) {
 	if err := syscall.Unlink(path); err != nil && !os.IsNotExist(err) {
 		return nil, err
 	}
-	mask := syscall.Umask(0777)
-	defer syscall.Umask(mask)
 
+	// net.Listen does not allow for permissions to be set. As a result, when
+	// specifying custom permissions ("WithChmod()"), there is a short time
+	// between creating the socket and applying the permissions, during which
+	// the socket permissions are Less restrictive than desired.
+	//
+	// To work around this limitation of net.Listen(), we temporarily set the
+	// umask to 0777, which forces the socket to be created with 000 permissions
+	// (i.e.: no access for anyone). After that, WithChmod() must be used to set
+	// the desired permissions.
+	//
+	// We don't use "defer" here, to reset the umask to its original value as soon
+	// as possible. Ideally we'd be able to detect if WithChmod() was passed as
+	// an option, and skip changing umask if default permissions are used.
+	origUmask := syscall.Umask(0777)
 	l, err := net.Listen("unix", path)
+	syscall.Umask(origUmask)
 	if err != nil {
 		return nil, err
 	}
-	if err := os.Chown(path, 0, gid); err != nil {
-		l.Close()
-		return nil, err
-	}
-	if err := os.Chmod(path, 0660); err != nil {
-		l.Close()
-		return nil, err
+
+	for _, op := range opts {
+		if err := op(path); err != nil {
+			_ = l.Close()
+			return nil, err
+		}
 	}
+
 	return l, nil
 }
+
+// NewUnixSocket creates a unix socket with the specified path and group.
+func NewUnixSocket(path string, gid int) (net.Listener, error) {
+	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0660))
+}

vendor/github.com/docker/go-connections/tlsconfig/config.go

@@ -53,18 +53,9 @@ var acceptedCBCCiphers = []uint16{
 // known weak algorithms removed.
 var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)
 
-// allTLSVersions lists all the TLS versions and is used by the code that validates
-// a uint16 value as a TLS version.
-var allTLSVersions = map[uint16]struct{}{
-	tls.VersionSSL30: {},
-	tls.VersionTLS10: {},
-	tls.VersionTLS11: {},
-	tls.VersionTLS12: {},
-}
-
 // ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.
 func ServerDefault(ops ...func(*tls.Config)) *tls.Config {
-	tlsconfig := &tls.Config{
+	tlsConfig := &tls.Config{
 		// Avoid fallback by default to SSL protocols < TLS1.2
 		MinVersion:               tls.VersionTLS12,
 		PreferServerCipherSuites: true,
@@ -72,25 +63,25 @@ func ServerDefault(ops ...func(*tls.Config)) *tls.Config {
 	}
 
 	for _, op := range ops {
-		op(tlsconfig)
+		op(tlsConfig)
 	}
 
-	return tlsconfig
+	return tlsConfig
 }
 
 // ClientDefault returns a secure-enough TLS configuration for the client TLS configuration.
 func ClientDefault(ops ...func(*tls.Config)) *tls.Config {
-	tlsconfig := &tls.Config{
+	tlsConfig := &tls.Config{
 		// Prefer TLS1.2 as the client minimum
 		MinVersion:   tls.VersionTLS12,
 		CipherSuites: clientCipherSuites,
 	}
 
 	for _, op := range ops {
-		op(tlsconfig)
+		op(tlsConfig)
 	}
 
-	return tlsconfig
+	return tlsConfig
 }
 
 // certPool returns an X.509 certificate pool from `caFile`, the certificate file.
@@ -108,11 +99,11 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
 	}
-	pem, err := ioutil.ReadFile(caFile)
+	pemData, err := ioutil.ReadFile(caFile)
 	if err != nil {
 		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
 	}
-	if !certPool.AppendCertsFromPEM(pem) {
+	if !certPool.AppendCertsFromPEM(pemData) {
 		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
 	}
 	return certPool, nil
@@ -141,7 +132,7 @@ func adjustMinVersion(options Options, config *tls.Config) error {
 }
 
 // IsErrEncryptedKey returns true if the 'err' is an error of incorrect
-// password when tryin to decrypt a TLS private key
+// password when trying to decrypt a TLS private key
 func IsErrEncryptedKey(err error) bool {
 	return errors.Cause(err) == x509.IncorrectPasswordError
 }
@@ -157,8 +148,8 @@ func getPrivateKey(keyBytes []byte, passphrase string) ([]byte, error) {
 	}
 
 	var err error
-	if x509.IsEncryptedPEMBlock(pemBlock) {
-		keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(passphrase))
+	if x509.IsEncryptedPEMBlock(pemBlock) { //nolint:staticcheck // Ignore SA1019 (IsEncryptedPEMBlock is deprecated)
+		keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(passphrase)) //nolint:staticcheck // Ignore SA1019 (DecryptPEMBlock is deprecated)
 		if err != nil {
 			return nil, errors.Wrap(err, "private key is encrypted, but could not decrypt it")
 		}

vendor/github.com/docker/go-connections/tlsconfig/versions_go113.go

@@ -0,0 +1,16 @@
+// +build go1.13
+
+package tlsconfig
+
+import (
+	"crypto/tls"
+)
+
+// allTLSVersions lists all the TLS versions and is used by the code that validates
+// a uint16 value as a TLS version.
+var allTLSVersions = map[uint16]struct{}{
+	tls.VersionTLS10: {},
+	tls.VersionTLS11: {},
+	tls.VersionTLS12: {},
+	tls.VersionTLS13: {},
+}

vendor/github.com/docker/go-connections/tlsconfig/versions_other.go

@@ -0,0 +1,15 @@
+// +build !go1.13
+
+package tlsconfig
+
+import (
+	"crypto/tls"
+)
+
+// allTLSVersions lists all the TLS versions and is used by the code that validates
+// a uint16 value as a TLS version.
+var allTLSVersions = map[uint16]struct{}{
+	tls.VersionTLS10: {},
+	tls.VersionTLS11: {},
+	tls.VersionTLS12: {},
+}