vendor: update buildkit to master@cbfd4023383d

Signed-off-by: Justin Chadwell <me@jedevc.com>

vendor/github.com/moby/buildkit/session/auth/auth.proto

@@ -5,10 +5,10 @@ package moby.filesync.v1;
 option go_package = "auth";
 
 service Auth{
-  rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
-  rpc FetchToken(FetchTokenRequest) returns (FetchTokenResponse);
-  rpc GetTokenAuthority(GetTokenAuthorityRequest) returns (GetTokenAuthorityResponse);
-  rpc VerifyTokenAuthority(VerifyTokenAuthorityRequest) returns (VerifyTokenAuthorityResponse);
+	rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
+	rpc FetchToken(FetchTokenRequest) returns (FetchTokenResponse);
+	rpc GetTokenAuthority(GetTokenAuthorityRequest) returns (GetTokenAuthorityResponse);
+	rpc VerifyTokenAuthority(VerifyTokenAuthorityRequest) returns (VerifyTokenAuthorityResponse);
 }
 
 message CredentialsRequest {

vendor/github.com/moby/buildkit/session/auth/authprovider/authconfig.go

@@ -0,0 +1,11 @@
+package authprovider
+
+type AuthTLSConfig struct {
+	RootCAs  []string
+	KeyPairs []TLSKeyPair
+}
+
+type TLSKeyPair struct {
+	Key         string
+	Certificate string
+}

vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go

@@ -5,9 +5,11 @@ import (
 	"crypto/ed25519"
 	"crypto/hmac"
 	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
-	"net/http"
 	"os"
+	"runtime"
 	"strconv"
 	"strings"
 	"sync"
@@ -18,6 +20,7 @@ import (
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/config/types"
+	http "github.com/hashicorp/go-cleanhttp"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/auth"
 	"github.com/moby/buildkit/util/progress/progresswriter"
@@ -32,12 +35,13 @@ const defaultExpiration = 60
 const dockerHubConfigfileKey = "https://index.docker.io/v1/"
 const dockerHubRegistryHost = "registry-1.docker.io"
 
-func NewDockerAuthProvider(cfg *configfile.ConfigFile) session.Attachable {
+func NewDockerAuthProvider(cfg *configfile.ConfigFile, tlsConfigs map[string]*AuthTLSConfig) session.Attachable {
 	return &authProvider{
 		authConfigCache: map[string]*types.AuthConfig{},
 		config:          cfg,
 		seeds:           &tokenSeeds{dir: config.Dir()},
 		loggerCache:     map[string]struct{}{},
+		tlsConfigs:      tlsConfigs,
 	}
 }
 
@@ -47,6 +51,7 @@ type authProvider struct {
 	seeds           *tokenSeeds
 	logger          progresswriter.Logger
 	loggerCache     map[string]struct{}
+	tlsConfigs      map[string]*AuthTLSConfig
 
 	// The need for this mutex is not well understood.
 	// Without it, the docker cli on OS X hangs when
@@ -89,6 +94,13 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 		Secret:   creds.Secret,
 	}
 
+	var httpClient = http.DefaultClient()
+	if tc, err := ap.tlsConfig(req.Host); err == nil && tc != nil {
+		transport := http.DefaultTransport()
+		transport.TLSClientConfig = tc
+		httpClient.Transport = transport
+	}
+
 	if creds.Secret != "" {
 		done := func(progresswriter.SubLogger) error {
 			return err
@@ -103,7 +115,7 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 		}
 		ap.mu.Unlock()
 		// credential information is provided, use oauth POST endpoint
-		resp, err := authutil.FetchTokenWithOAuth(ctx, http.DefaultClient, nil, "buildkit-client", to)
+		resp, err := authutil.FetchTokenWithOAuth(ctx, httpClient, nil, "buildkit-client", to)
 		if err != nil {
 			var errStatus remoteserrors.ErrUnexpectedStatus
 			if errors.As(err, &errStatus) {
@@ -111,7 +123,7 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 				// As of September 2017, GCR is known to return 404.
 				// As of February 2018, JFrog Artifactory is known to return 401.
 				if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 {
-					resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to)
+					resp, err := authutil.FetchToken(ctx, httpClient, nil, to)
 					if err != nil {
 						return nil, err
 					}
@@ -123,13 +135,52 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 		return toTokenResponse(resp.AccessToken, resp.IssuedAt, resp.ExpiresIn), nil
 	}
 	// do request anonymously
-	resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to)
+	resp, err := authutil.FetchToken(ctx, httpClient, nil, to)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to fetch anonymous token")
 	}
 	return toTokenResponse(resp.Token, resp.IssuedAt, resp.ExpiresIn), nil
 }
 
+func (ap *authProvider) tlsConfig(host string) (*tls.Config, error) {
+	if ap.tlsConfigs == nil {
+		return nil, nil
+	}
+	c, ok := ap.tlsConfigs[host]
+	if !ok {
+		return nil, nil
+	}
+	tc := &tls.Config{}
+	if len(c.RootCAs) > 0 {
+		systemPool, err := x509.SystemCertPool()
+		if err != nil {
+			if runtime.GOOS == "windows" {
+				systemPool = x509.NewCertPool()
+			} else {
+				return nil, errors.Wrapf(err, "unable to get system cert pool")
+			}
+		}
+		tc.RootCAs = systemPool
+	}
+
+	for _, p := range c.RootCAs {
+		dt, err := os.ReadFile(p)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to read %s", p)
+		}
+		tc.RootCAs.AppendCertsFromPEM(dt)
+	}
+
+	for _, kp := range c.KeyPairs {
+		cert, err := tls.LoadX509KeyPair(kp.Certificate, kp.Key)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to load keypair for %s", kp.Certificate)
+		}
+		tc.Certificates = append(tc.Certificates, cert)
+	}
+	return tc, nil
+}
+
 func (ap *authProvider) credentials(host string) (*auth.CredentialsResponse, error) {
 	ac, err := ap.getAuthConfig(host)
 	if err != nil {
@@ -152,7 +203,7 @@ func (ap *authProvider) Credentials(ctx context.Context, req *auth.CredentialsRe
 		defer ap.mu.Unlock()
 		_, ok := ap.loggerCache[req.Host]
 		ap.loggerCache[req.Host] = struct{}{}
-		if !ok {
+		if !ok && ap.logger != nil {
 			return resp, progresswriter.Wrap(fmt.Sprintf("[auth] sharing credentials for %s", req.Host), ap.logger, func(progresswriter.SubLogger) error {
 				return err
 			})

vendor/github.com/moby/buildkit/session/filesync/filesync.go

@@ -11,6 +11,7 @@ import (
 	"unicode"
 
 	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/util/bklog"
 	"github.com/pkg/errors"
 	"github.com/tonistiigi/fsutil"
 	fstypes "github.com/tonistiigi/fsutil/types"
@@ -277,7 +278,7 @@ func (sp *fsSyncTarget) DiffCopy(stream FileSend_DiffCopyServer) (err error) {
 	}
 	defer func() {
 		err1 := wc.Close()
-		if err != nil {
+		if err == nil {
 			err = err1
 		}
 	}()
@@ -308,9 +309,16 @@ func CopyFileWriter(ctx context.Context, md map[string]string, c session.Caller)
 
 	client := NewFileSendClient(c.Conn())
 
-	opts := make(map[string][]string, len(md))
+	opts, ok := metadata.FromOutgoingContext(ctx)
+	if !ok {
+		opts = make(map[string][]string, len(md))
+	}
 	for k, v := range md {
-		opts[keyExporterMetaPrefix+k] = []string{v}
+		k := keyExporterMetaPrefix + k
+		if existingVal, ok := opts[k]; ok {
+			bklog.G(ctx).Warnf("overwriting grpc metadata key %q from value %+v to %+v", k, existingVal, v)
+		}
+		opts[k] = []string{v}
 	}
 
 	ctx = metadata.NewOutgoingContext(ctx, opts)
@@ -351,13 +359,13 @@ func decodeOpts(opts map[string][]string) map[string][]string {
 	md := make(map[string][]string, len(opts))
 	for k, v := range opts {
 		out := make([]string, len(v))
-		var isDecoded bool
+		var isEncoded bool
 		if v, ok := opts[k+"-encoded"]; ok && len(v) > 0 {
 			if b, _ := strconv.ParseBool(v[0]); b {
-				isDecoded = true
+				isEncoded = true
 			}
 		}
-		if isDecoded {
+		if isEncoded {
 			for i, s := range v {
 				out[i], _ = url.QueryUnescape(s)
 			}
@@ -373,13 +381,14 @@ func decodeOpts(opts map[string][]string) map[string][]string {
 // is backwards compatible and avoids encoding ASCII characters.
 func encodeStringForHeader(inputs []string) ([]string, bool) {
 	var encode bool
+loop:
 	for _, input := range inputs {
 		for _, runeVal := range input {
 			// Only encode non-ASCII characters, and characters that have special
 			// meaning during decoding.
 			if runeVal > unicode.MaxASCII {
 				encode = true
-				break
+				break loop
 			}
 		}
 	}

vendor/github.com/moby/buildkit/session/filesync/filesync.proto

@@ -7,15 +7,14 @@ option go_package = "filesync";
 import "github.com/tonistiigi/fsutil/types/wire.proto";
 
 service FileSync{
-  rpc DiffCopy(stream fsutil.types.Packet) returns (stream fsutil.types.Packet);
-  rpc TarStream(stream fsutil.types.Packet) returns (stream fsutil.types.Packet);
+	rpc DiffCopy(stream fsutil.types.Packet) returns (stream fsutil.types.Packet);
+	rpc TarStream(stream fsutil.types.Packet) returns (stream fsutil.types.Packet);
 }
 
 service FileSend{
-  rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
+	rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
 }
 
-
 // BytesMessage contains a chunk of byte data
 message BytesMessage{
 	bytes data = 1;

vendor/github.com/moby/buildkit/session/secrets/secrets.proto

@@ -5,7 +5,7 @@ package moby.buildkit.secrets.v1;
 option go_package = "secrets";
 
 service Secrets{
-  rpc GetSecret(GetSecretRequest) returns (GetSecretResponse);
+	rpc GetSecret(GetSecretRequest) returns (GetSecretResponse);
 }