diff --git a/go.mod b/go.mod index 590d74d4..5925bf20 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.25.2 require ( github.com/SAP/go-hdb v1.14.5 - github.com/conductorone/baton-sdk v0.6.7 + github.com/conductorone/baton-sdk v0.6.8 github.com/elliotchance/phpserialize v1.4.0 github.com/ennyjfrick/ruleguard-logfatal v0.0.2 github.com/go-sql-driver/mysql v1.9.2 diff --git a/go.sum b/go.sum index 4974ce6b..e57f0b93 100644 --- a/go.sum +++ b/go.sum @@ -78,8 +78,8 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/conductorone/baton-sdk v0.6.7 h1:RlKSCo6+JIRovkqoJLFmRKBK/lijELpXvUtKdftUYMY= -github.com/conductorone/baton-sdk v0.6.7/go.mod h1:9S5feBOuIJxlNdGmkv3ObkCNHbVyOHr6foNrIrk+d4Y= +github.com/conductorone/baton-sdk v0.6.8 h1:lX+rTzdvyw468qjPDV86QscXR82S4B+du6sfdNUxwTw= +github.com/conductorone/baton-sdk v0.6.8/go.mod h1:9S5feBOuIJxlNdGmkv3ObkCNHbVyOHr6foNrIrk+d4Y= github.com/conductorone/dpop v0.2.4 h1:PaiDOX1gAIXtOJPxXf08GsGkpCuT/iECEjSJzLpi0zU= github.com/conductorone/dpop v0.2.4/go.mod h1:gyo8TtzB9SCFCsjsICH4IaLZ7y64CcrDXMOPBwfq/3s= github.com/conductorone/dpop/integrations/dpop_grpc v0.2.4 h1:lYxYi9/WTSL9sE96CO0QF2BY3kehs8dTTApI134TGCA= diff --git a/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/file.go b/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/file.go index 89d420ae..b4f9d72a 100644 --- a/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/file.go +++ b/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/file.go @@ -11,6 +11,8 @@ import ( "github.com/klauspost/compress/zstd" "go.uber.org/zap" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" ) func loadC1z(filePath string, tmpDir string, opts ...DecoderOption) (string, error) { @@ -59,7 +61,7 @@ func loadC1z(filePath string, tmpDir string, opts ...DecoderOption) (string, err func saveC1z(dbFilePath string, outputFilePath string, encoderConcurrency int) error { if outputFilePath == "" { - return errors.New("c1z: output file path not configured") + return status.Errorf(codes.InvalidArgument, "c1z: output file path not configured") } dbFile, err := os.Open(dbFilePath) diff --git a/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/manager/local/local.go b/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/manager/local/local.go index 6ccbdd9c..3f319079 100644 --- a/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/manager/local/local.go +++ b/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/manager/local/local.go @@ -59,10 +59,36 @@ func (l *localManager) copyFileToTmp(ctx context.Context) error { } defer f.Close() - _, err = io.Copy(tmp, f) + // Get source file size for verification + sourceStat, err := f.Stat() + if err != nil { + return fmt.Errorf("failed to stat source file: %w", err) + } + expectedSize := sourceStat.Size() + + written, err := io.Copy(tmp, f) if err != nil { return err } + + // CRITICAL: Sync to ensure all data is written before file is used. + // This is especially important on ZFS ARC where writes may be cached + // and reads can happen before buffers are flushed to disk. + if err := tmp.Sync(); err != nil { + return fmt.Errorf("failed to sync temp file: %w", err) + } + + // Verify file size matches what we wrote (defensive check) + stat, err := tmp.Stat() + if err != nil { + return fmt.Errorf("failed to stat temp file: %w", err) + } + if stat.Size() != written { + return fmt.Errorf("file size mismatch: wrote %d bytes but file is %d bytes", written, stat.Size()) + } + if written != expectedSize { + return fmt.Errorf("copy size mismatch: expected %d bytes from source but copied %d bytes", expectedSize, written) + } } return nil @@ -147,6 +173,12 @@ func (l *localManager) SaveC1Z(ctx context.Context) error { return err } + // CRITICAL: Sync to ensure data is written before function returns. + // This is especially important on ZFS ARC where writes may be cached. + if err := dstFile.Sync(); err != nil { + return fmt.Errorf("failed to sync destination file: %w", err) + } + log.Debug( "successfully saved c1z locally", zap.String("file_path", l.filePath), diff --git a/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/manager/s3/s3.go b/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/manager/s3/s3.go index 385b1bc4..2660b953 100644 --- a/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/manager/s3/s3.go +++ b/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/manager/s3/s3.go @@ -53,11 +53,30 @@ func (s *s3Manager) copyToTempFile(ctx context.Context, r io.Reader) error { s.tmpFile = f.Name() if r != nil { - _, err = io.Copy(f, r) + written, err := io.Copy(f, r) if err != nil { _ = f.Close() return err } + + // CRITICAL: Sync to ensure all data is written before file is used. + // This is especially important on ZFS ARC where writes may be cached + // and reads can happen before buffers are flushed to disk. + if err := f.Sync(); err != nil { + _ = f.Close() + return fmt.Errorf("failed to sync temp file: %w", err) + } + + // Verify file size matches what we wrote (defensive check) + stat, err := f.Stat() + if err != nil { + _ = f.Close() + return fmt.Errorf("failed to stat temp file: %w", err) + } + if stat.Size() != written { + _ = f.Close() + return fmt.Errorf("file size mismatch: wrote %d bytes but file is %d bytes", written, stat.Size()) + } } return nil diff --git a/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/sync_runs.go b/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/sync_runs.go index c3c42e93..cadf9a50 100644 --- a/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/sync_runs.go +++ b/vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/sync_runs.go @@ -472,6 +472,12 @@ func (c *C1File) StartOrResumeSync(ctx context.Context, syncType connectorstore. return c.currentSyncID, true, nil } +// SetSyncID sets the current sync ID. This is only intended for testing. +func (c *C1File) SetSyncID(_ context.Context, syncID string) error { + c.currentSyncID = syncID + return nil +} + func (c *C1File) StartNewSync(ctx context.Context, syncType connectorstore.SyncType, parentSyncID string) (string, error) { ctx, span := tracer.Start(ctx, "C1File.StartNewSync") defer span.End() diff --git a/vendor/github.com/conductorone/baton-sdk/pkg/sdk/version.go b/vendor/github.com/conductorone/baton-sdk/pkg/sdk/version.go index 8cbf4b79..c1262c0a 100644 --- a/vendor/github.com/conductorone/baton-sdk/pkg/sdk/version.go +++ b/vendor/github.com/conductorone/baton-sdk/pkg/sdk/version.go @@ -1,3 +1,3 @@ package sdk -const Version = "v0.6.6" +const Version = "v0.6.7" diff --git a/vendor/github.com/conductorone/baton-sdk/pkg/uhttp/wrapper.go b/vendor/github.com/conductorone/baton-sdk/pkg/uhttp/wrapper.go index 6befc8bb..3a8d4d27 100644 --- a/vendor/github.com/conductorone/baton-sdk/pkg/uhttp/wrapper.go +++ b/vendor/github.com/conductorone/baton-sdk/pkg/uhttp/wrapper.go @@ -476,6 +476,16 @@ func (c *BaseHttpClient) Do(req *http.Request, options ...DoOption) (*http.Respo return resp, errors.Join(optErrs...) } +var sensitiveStrings = []string{ + "api-key", + "auth", + "cookie", + "proxy-authorization", + "set-cookie", + "x-forwarded-for", + "x-forwarded-proto", +} + func RedactSensitiveHeaders(h http.Header) http.Header { if h == nil { return nil @@ -484,12 +494,10 @@ func RedactSensitiveHeaders(h http.Header) http.Header { for k, v := range h { sensitive := false headerKey := strings.ToLower(k) - if strings.HasPrefix(headerKey, "auth") { - sensitive = true - } else { - switch headerKey { - case "set-cookie", "cookie", "x-auth-token", "x-api-key", "x-auth-user", "proxy-authorization": + for _, sensitiveString := range sensitiveStrings { + if strings.Contains(headerKey, sensitiveString) { sensitive = true + break } } diff --git a/vendor/modules.txt b/vendor/modules.txt index 91373b08..051570b9 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -178,7 +178,7 @@ github.com/benbjohnson/clock # github.com/cenkalti/backoff/v4 v4.3.0 ## explicit; go 1.18 github.com/cenkalti/backoff/v4 -# github.com/conductorone/baton-sdk v0.6.7 +# github.com/conductorone/baton-sdk v0.6.8 ## explicit; go 1.25.2 github.com/conductorone/baton-sdk/internal/connector github.com/conductorone/baton-sdk/pb/c1/c1z/v1