Renovate: Update External dependencies (major)

.github/workflows/ci.yaml

@@ -28,7 +28,7 @@ jobs:
       - name: Build all binaries
         run: make build-all
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
   test:

go.mod

@@ -4,7 +4,7 @@ go 1.22
 
 require (
 	github.com/databus23/goslo.policy v0.0.0-20210929125152-81bf2876dbdb
-	github.com/gophercloud/gophercloud v1.14.0
+	github.com/gophercloud/gophercloud/v2 v2.1.0
 	github.com/gorilla/mux v1.8.1
 	github.com/h2non/gock v1.2.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible

go.sum

@@ -43,8 +43,8 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gophercloud/gophercloud v1.14.0 h1:Bt9zQDhPrbd4qX7EILGmy+i7GP35cc+AAL2+wIJpUE8=
-github.com/gophercloud/gophercloud v1.14.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
+github.com/gophercloud/gophercloud/v2 v2.1.0 h1:91p6c+uMckXyx39nSIYjDirDBnPVFQq0q1njLNPX+NY=
+github.com/gophercloud/gophercloud/v2 v2.1.0/go.mod h1:f2hMRC7Kakbv5vM7wSGHrIPZh6JZR60GVHryJlF/K44=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
@@ -142,30 +142,22 @@ go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
 go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA=
 golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
 golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
 golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
 golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

main.go

@@ -20,9 +20,30 @@
 package main
 
 import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
 	"github.com/sapcc/maia/pkg/cmd"
 )
 
 func main() {
-	cmd.Execute()
+	// Create a base context
+	ctx := context.Background()
+
+	// Create a context that can be canceled
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// Set up signal handling
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-sigChan
+		cancel()
+	}()
+
+	// Execute the root command with the context
+	cmd.ExecuteWithContext(ctx)
 }

pkg/api/api_test.go

@@ -27,7 +27,7 @@ import (
 	"errors"
 
 	policy "github.com/databus23/goslo.policy"
-	"github.com/gophercloud/gophercloud/openstack/identity/v3/tokens"
+	"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/tokens"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spf13/viper"
 	"go.uber.org/mock/gomock"
@@ -75,40 +75,40 @@ func setupTest(t *testing.T, controller *gomock.Controller) (router http.Handler
 
 func expectAuthByProjectID(keystoneMock *keystone.MockDriver) {
 	httpReqMatcher := test.HTTPRequestMatcher{InjectHeader: projectHeader}
-	authCall := keystoneMock.EXPECT().AuthenticateRequest(httpReqMatcher, false).Return(projectContext, nil)
-	keystoneMock.EXPECT().ChildProjects(projectContext.Auth["project_id"]).Return([]string{}, nil).After(authCall)
+	authCall := keystoneMock.EXPECT().AuthenticateRequest(test.MatchContext(), httpReqMatcher, false).Return(projectContext, nil)
+	keystoneMock.EXPECT().ChildProjects(test.MatchContext(), projectContext.Auth["project_id"]).Return([]string{}, nil).After(authCall)
 }
 
 func expectAuthByDomainName(keystoneMock *keystone.MockDriver) {
 	httpReqMatcher := test.HTTPRequestMatcher{InjectHeader: domainHeader}
-	keystoneMock.EXPECT().AuthenticateRequest(httpReqMatcher, false).Return(domainContext, nil)
+	keystoneMock.EXPECT().AuthenticateRequest(test.MatchContext(), httpReqMatcher, false).Return(domainContext, nil)
 }
 
 func expectAuthWithChildren(keystoneMock *keystone.MockDriver) {
 	httpReqMatcher := test.HTTPRequestMatcher{InjectHeader: projectHeader}
-	authCall := keystoneMock.EXPECT().AuthenticateRequest(httpReqMatcher, false).Return(projectContext, nil)
-	keystoneMock.EXPECT().ChildProjects(projectContext.Auth["project_id"]).Return([]string{"67890"}, nil).After(authCall)
+	authCall := keystoneMock.EXPECT().AuthenticateRequest(test.MatchContext(), httpReqMatcher, false).Return(projectContext, nil)
+	keystoneMock.EXPECT().ChildProjects(test.MatchContext(), projectContext.Auth["project_id"]).Return([]string{"67890"}, nil).After(authCall)
 }
 
 func expectAuthByDefaults(keystoneMock *keystone.MockDriver) {
 	httpReqMatcher := test.HTTPRequestMatcher{InjectHeader: projectHeader}
-	authCall := keystoneMock.EXPECT().AuthenticateRequest(httpReqMatcher, true).Return(projectContext, nil)
-	keystoneMock.EXPECT().UserProjects(projectContext.Auth["user_id"]).Return([]tokens.Scope{{ProjectID: projectContext.Auth["project_id"], DomainID: projectContext.Auth["project_domain_id"]}}, nil).After(authCall)
+	authCall := keystoneMock.EXPECT().AuthenticateRequest(test.MatchContext(), httpReqMatcher, true).Return(projectContext, nil)
+	keystoneMock.EXPECT().UserProjects(test.MatchContext(), projectContext.Auth["user_id"]).Return([]tokens.Scope{{ProjectID: projectContext.Auth["project_id"], DomainID: projectContext.Auth["project_domain_id"]}}, nil).After(authCall)
 }
 
 func expectAuthAndFail(keystoneMock *keystone.MockDriver) {
 	httpReqMatcher := test.HTTPRequestMatcher{InjectHeader: projectHeader}
-	keystoneMock.EXPECT().AuthenticateRequest(httpReqMatcher, false).Return(nil, keystone.NewAuthenticationError(keystone.StatusWrongCredentials, "negativetesterror"))
+	keystoneMock.EXPECT().AuthenticateRequest(test.MatchContext(), httpReqMatcher, false).Return(nil, keystone.NewAuthenticationError(keystone.StatusWrongCredentials, "negativetesterror"))
 }
 
 func expectPlainBasicAuthAndFail(keystoneMock *keystone.MockDriver) {
 	httpReqMatcher := test.HTTPRequestMatcher{InjectHeader: projectHeader}
-	keystoneMock.EXPECT().AuthenticateRequest(httpReqMatcher, true).Return(nil, keystone.NewAuthenticationError(keystone.StatusWrongCredentials, "negativetesterror"))
+	keystoneMock.EXPECT().AuthenticateRequest(test.MatchContext(), httpReqMatcher, true).Return(nil, keystone.NewAuthenticationError(keystone.StatusWrongCredentials, "negativetesterror"))
 }
 
 func expectAuthAndDenyAuthorization(keystoneMock *keystone.MockDriver) {
 	httpReqMatcher := test.HTTPRequestMatcher{InjectHeader: projectHeader}
-	keystoneMock.EXPECT().AuthenticateRequest(httpReqMatcher, false).Return(projectInsufficientRolesContext, nil)
+	keystoneMock.EXPECT().AuthenticateRequest(test.MatchContext(), httpReqMatcher, false).Return(projectInsufficientRolesContext, nil)
 }
 
 // HTTP based tests

pkg/api/server.go

@@ -20,6 +20,7 @@
 package api
 
 import (
+	"context"
 	"errors"
 	"net/http"
 	"net/url"
@@ -45,7 +46,7 @@ var storageInstance storage.Driver
 var keystoneInstance keystone.Driver
 
 // Server initializes and starts the API server, hooking it up to the API router
-func Server() error {
+func Server(ctx context.Context) error {
 	prometheusAPIURL := viper.GetString("maia.prometheus_url")
 	if prometheusAPIURL == "" {
 		panic(errors.New("prometheus endpoint not configured (maia.prometheus_url / MAIA_PROMETHEUS_URL)"))

pkg/api/util.go

@@ -156,8 +156,9 @@ func ReturnPromError(w http.ResponseWriter, err error, code int) {
 }
 
 func scopeToLabelConstraint(req *http.Request, keystoneDriver keystone.Driver) (string, []string) { //nolint:gocritic
+	ctx := req.Context()
 	if projectID := req.Header.Get("X-Project-Id"); projectID != "" {
-		children, err := keystoneDriver.ChildProjects(projectID)
+		children, err := keystoneDriver.ChildProjects(ctx, projectID)
 		if err != nil {
 			panic(err)
 		}
@@ -251,7 +252,8 @@ func authorizeRules(w http.ResponseWriter, req *http.Request, guessScope bool, r
 	}
 
 	// 2. authenticate
-	context, err := keystoneInstance.AuthenticateRequest(req, guessScope)
+	ctx := req.Context()
+	policyContext, err := keystoneInstance.AuthenticateRequest(ctx, req, guessScope)
 	if err != nil {
 		code := err.StatusCode()
 		httpCode := http.StatusUnauthorized
@@ -297,7 +299,7 @@ func authorizeRules(w http.ResponseWriter, req *http.Request, guessScope bool, r
 	// 3. authorize
 	pe := policyEngine()
 	for _, rule := range rules {
-		if pe.Enforce(rule, *context) {
+		if pe.Enforce(rule, *policyContext) {
 			matchedRules = append(matchedRules, rule)
 		}
 	}

pkg/cmd/client.go

@@ -20,6 +20,7 @@
 package cmd
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -31,7 +32,7 @@ import (
 	"text/template"
 	"time"
 
-	"github.com/gophercloud/gophercloud"
+	"github.com/gophercloud/gophercloud/v2"
 	"github.com/prometheus/common/model"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -70,7 +71,7 @@ func recoverAll() {
 	}
 }
 
-func fetchToken() {
+func fetchToken(ctx context.Context) {
 	if scopedDomain != "" {
 		auth.Scope.DomainName = scopedDomain
 	}
@@ -162,26 +163,27 @@ func fetchToken() {
 	}
 
 	// finally ... authenticate with keystone
-	context, url, err := keystoneInstance().Authenticate(auth)
+	policyContext, url, err := keystoneInstance().Authenticate(ctx, auth)
 	if err != nil {
 		panic(err)
 	}
 	// keep the token and use the URL from the catalog (unless set explicitly)
-	auth.TokenID = context.Auth["token"]
+	auth.TokenID = policyContext.Auth["token"]
 	if maiaURL == "" {
 		maiaURL = url
 	}
 }
 
 // storageInstance creates a new Prometheus driver instance lazily
 func storageInstance() storage.Driver {
+	ctx := context.Background()
 	if storageDriver == nil {
 		switch {
 		case promURL != "":
 			storageDriver = storage.NewPrometheusDriver(promURL, map[string]string{})
 		case auth.IdentityEndpoint != "":
 			// authenticate and set maiaURL if missing
-			fetchToken()
+			fetchToken(ctx)
 			storageDriver = storage.NewPrometheusDriver(maiaURL, map[string]string{"X-Auth-Token": auth.TokenID})
 		default:
 			panic(errors.New("either --os-auth-url or --prometheus-url need to be specified"))

pkg/cmd/cmd_test.go

@@ -20,13 +20,14 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"testing"
 	"time"
 
 	policy "github.com/databus23/goslo.policy"
-	"github.com/gophercloud/gophercloud"
+	"github.com/gophercloud/gophercloud/v2"
 	"go.uber.org/mock/gomock"
 
 	"github.com/sapcc/maia/pkg/keystone"
@@ -78,12 +79,13 @@ func setupTest(controller *gomock.Controller) (keystoneDriver *keystone.MockDriv
 }
 
 func expectAuth(keystoneMock *keystone.MockDriver) {
-	keystoneMock.EXPECT().Authenticate(gophercloud.AuthOptions{IdentityEndpoint: auth.IdentityEndpoint, Username: auth.Username, UserID: auth.UserID,
+	ctx := context.Background()
+	keystoneMock.EXPECT().Authenticate(ctx, gophercloud.AuthOptions{IdentityEndpoint: auth.IdentityEndpoint, Username: auth.Username, UserID: auth.UserID,
 		Password: auth.Password, DomainName: auth.DomainName, Scope: auth.Scope}).Return(&policy.Context{Request: map[string]string{"username": auth.Username,
 		"password": auth.Password, "user_domain_name": "domainname", "project_id": auth.Scope.ProjectID},
 		Auth: map[string]string{"project_id": auth.Scope.ProjectID}, Roles: []string{"monitoring_viewer"}}, "http://localhost:9091", nil)
 	// call this explicitly since the mocked storage does not
-	fetchToken()
+	fetchToken(ctx)
 }
 
 // HTTP based tests
@@ -450,6 +452,7 @@ func Test_Auth(t *testing.T) {
 
 func authentication(tokenid, authtype, username, userid, password, appcredid, appcredname, appcredsecret string) (paniced bool) {
 	paniced = false
+	ctx := context.Background()
 
 	defer func() {
 		if r := recover(); r != nil {
@@ -501,7 +504,7 @@ func authentication(tokenid, authtype, username, userid, password, appcredid, ap
 	// create dummy keystone and storage mock
 	keystoneMock := keystone.NewMockDriver(ctrl)
 	setKeystoneInstance(keystoneMock)
-	keystoneMock.EXPECT().Authenticate(expectedAuth).Return(&policy.Context{
+	keystoneMock.EXPECT().Authenticate(ctx, expectedAuth).Return(&policy.Context{
 		Request: map[string]string{
 			"user_id":                       auth.UserID,
 			"project_id":                    "12345",
@@ -512,7 +515,7 @@ func authentication(tokenid, authtype, username, userid, password, appcredid, ap
 		Auth:  map[string]string{"project_id": auth.Scope.ProjectID},
 		Roles: []string{"monitoring_viewer"},
 	}, "http://localhost:9091", nil)
-	fetchToken()
+	fetchToken(ctx)
 
 	return paniced
 }

pkg/cmd/root.go

@@ -20,6 +20,7 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"os"
 
@@ -51,8 +52,19 @@ var RootCmd = &cobra.Command{
 // Execute adds all child commands to the root command sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
-	if err := RootCmd.Execute(); err != nil {
-		fmt.Fprint(os.Stderr, err)
+	ExecuteWithContext(context.Background())
+}
+
+// ExecuteWithContext is similar to Execute but takes a context
+func ExecuteWithContext(ctx context.Context) {
+	// Add the context to the root command
+	RootCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
+		// You can use the context here if needed
+		cmd.SetContext(ctx)
+	}
+
+	if err := RootCmd.ExecuteContext(ctx); err != nil {
+		fmt.Fprintln(os.Stderr, err)
 		os.Exit(-1)
 	}
 }

pkg/cmd/serve.go

@@ -35,6 +35,8 @@ var serveCmd = &cobra.Command{
 	Short: "Start the Maia service",
 	Long:  "Run the Maia service against a Prometheus backend collecting the metrics.",
 	RunE: func(cmd *cobra.Command, args []string) (ret error) {
+		ctx := cmd.Context()
+
 		// transform panics with error params into errors
 		defer func() {
 			if r := recover(); r != nil {
@@ -43,7 +45,7 @@ var serveCmd = &cobra.Command{
 		}()
 
 		// just run the server
-		err := api.Server()
+		err := api.Server(ctx)
 		if err != nil {
 			return err
 		}

pkg/keystone/interface.go

@@ -20,12 +20,13 @@
 package keystone
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 
 	policy "github.com/databus23/goslo.policy"
-	"github.com/gophercloud/gophercloud"
-	"github.com/gophercloud/gophercloud/openstack/identity/v3/tokens"
+	"github.com/gophercloud/gophercloud/v2"
+	"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/tokens"
 	"github.com/spf13/viper"
 )
 
@@ -79,17 +80,17 @@ type Driver interface {
 	// After successful authentication, additional context information is added to the request header
 	// In addition a Context object is returned for policy evaluation.
 	// When guessScope is set to true, the method will try to find a suitible project when the scope is not defined (basic auth. only)
-	AuthenticateRequest(req *http.Request, guessScope bool) (*policy.Context, AuthenticationError)
+	AuthenticateRequest(ctx context.Context, req *http.Request, guessScope bool) (*policy.Context, AuthenticationError)
 
 	// Authenticate authenticates a user using the provided authOptions.
 	// It returns a context for policy evaluation and the public endpoint retrieved from the service catalog
-	Authenticate(options gophercloud.AuthOptions) (*policy.Context, string, AuthenticationError)
+	Authenticate(ctx context.Context, options gophercloud.AuthOptions) (*policy.Context, string, AuthenticationError)
 
 	// ChildProjects returns the IDs of all child-projects of the project denoted by projectID
-	ChildProjects(projectID string) ([]string, error)
+	ChildProjects(ctx context.Context, projectID string) ([]string, error)
 
 	// UserProjects returns the project IDs and name of all projects where the current user has a monitoring role
-	UserProjects(userID string) ([]tokens.Scope, error)
+	UserProjects(ctx context.Context, userID string) ([]tokens.Scope, error)
 
 	// ServiceURL returns the service's global catalog entry
 	// The result is empty when called from a client