chore: merge upstream

CHANGELOG.md

@@ -3,6 +3,12 @@
 This format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v1.30.1](https://github.com/flipt-io/flipt/releases/tag/v1.30.1) - 2023-11-06
+
+### Fixed
+
+- Exclude health check from auth (#2350)
+
 ## [v1.30.0](https://github.com/flipt-io/flipt/releases/tag/v1.30.0) - 2023-10-31
 
 ### Added

README.md

@@ -16,9 +16,6 @@
     <a href="https://github.com/flipt-io/flipt/releases">
         <img src="https://img.shields.io/github/release/flipt-io/flipt.svg?style=flat" alt="Releases" />
     </a>
-    <a href="https://github.com/flipt-io/flipt/actions">
-        <img src="https://github.com/flipt-io/flipt/actions/workflows/test.yml/badge.svg" alt="Build Status" />
-    </a>
     <a href="https://github.com/flipt-io/flipt/blob/main/LICENSE">
         <img src="https://img.shields.io/github/license/flipt-io/flipt.svg" alt="GPL 3.0" />
     </a>
@@ -28,21 +25,18 @@
     <a href="https://goreportcard.com/report/github.com/flipt-io/flipt">
         <img src="https://goreportcard.com/badge/github.com/flipt-io/flipt" alt="Go Report Card" />
     </a>
-    <a href="https://bestpractices.coreinfrastructure.org/projects/3498">
-        <img src="https://bestpractices.coreinfrastructure.org/projects/3498/badge">
-    </a>
     <a href="https://github.com/avelino/awesome-go">
         <img src="https://awesome.re/mentioned-badge.svg" alt="Mentioned in Awesome Go" />
     </a>
-    <a href="https://magefile.org">
-        <img src="https://magefile.org/badge.svg" alt="Built with Mage" />
-    </a>
-    <a href="https://discord.gg/kRhEqG2TEZ">
+    <a href="https://flipt.io/discord">
         <img alt="Discord" src="https://img.shields.io/discord/960634591000014878?color=%238440f1&label=Discord&logo=discord&logoColor=%238440f1&style=flat">
     </a>
     <a href="https://features.flipt.io/roadmap">
         <img alt="Public Roadmap" src="https://img.shields.io/badge/roadmap-public-violet">
     </a>
+    <a href="https://twitter.com/flipt_io">
+        <img src="https://img.shields.io/twitter/follow/flipt_io?label=Follow" alt="Flipt Twitter" />
+    </a>
 </div>
 
 <div align="center">
@@ -319,6 +313,11 @@ No contribution is too small, whether it be bug reports/fixes, feature requests,
 
 Check out our [public roadmap](https://volta.net/embed/eyJzdGF0dXNlcyI6WyJ0cmlhZ2UiLCJiYWNrbG9nIiwidG9kbyIsImluX3Byb2dyZXNzIiwiaW5fcmV2aWV3IiwiZG9uZSIsInJlbGVhc2VkIiwiY2FuY2VsbGVkIl0sImZpbHRlcnMiOnt9LCJvd25lciI6ImZsaXB0LWlvIiwibmFtZSI6ImZsaXB0In0=) to see what we're working on and where you can help.
 
+Not sure how to get started? You can:
+
+- [Book a free, non-pressure pairing session/code walkthrough](https://calendly.com/flipt-mark/30) with one of our teammates!
+- Join our [Discord](https://www.flipt.io/discord), and ask any questions there
+
 <br clear="both"/>
 
 ## Contributors ✨

build/testing/integration/api/api.go

@@ -4,19 +4,28 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"testing"
 
 	"github.com/gofrs/uuid"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.flipt.io/flipt/build/testing/integration"
 	"go.flipt.io/flipt/rpc/flipt"
 	"go.flipt.io/flipt/rpc/flipt/evaluation"
 	sdk "go.flipt.io/flipt/sdk/go"
 	"google.golang.org/protobuf/testing/protocmp"
 )
 
-func API(t *testing.T, ctx context.Context, client sdk.SDK, namespace string, authenticated bool) {
+func API(t *testing.T, ctx context.Context, client sdk.SDK, opts integration.TestOpts) {
+	var (
+		namespace     = opts.Namespace
+		authenticated = opts.Authenticated
+		addr          = opts.Addr
+		protocol      = opts.Protocol
+	)
+
 	t.Run("Namespaces", func(t *testing.T) {
 		if !namespaceIsDefault(namespace) {
 			t.Log(`Create namespace.`)
@@ -1375,6 +1384,19 @@ func API(t *testing.T, ctx context.Context, client sdk.SDK, namespace string, au
 			require.NoError(t, err)
 		})
 	})
+
+	t.Run("Healthcheck", func(t *testing.T) {
+		if protocol == "grpc" {
+			t.Skip("TODO: we do not support healthcheck test for grpc yet")
+		}
+		t.Run("HTTP", func(t *testing.T) {
+			resp, err := http.Get(fmt.Sprintf("%s/health", addr))
+			require.NoError(t, err)
+
+			assert.Equal(t, "application/json", resp.Header.Get("Content-Type"))
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+		})
+	})
 }
 
 func namespaceIsDefault(ns string) bool {

build/testing/integration/api/api_test.go

@@ -10,13 +10,13 @@ import (
 )
 
 func TestAPI(t *testing.T) {
-	integration.Harness(t, func(t *testing.T, sdk sdk.SDK, namespace string, authentication bool) {
+	integration.Harness(t, func(t *testing.T, sdk sdk.SDK, opts integration.TestOpts) {
 		ctx := context.Background()
 
-		api.API(t, ctx, sdk, namespace, authentication)
+		api.API(t, ctx, sdk, opts)
 
 		// run extra tests in authenticated context
-		if authentication {
+		if opts.Authenticated {
 			api.Authenticated(t, sdk)
 		}
 	})

build/testing/integration/integration.go

@@ -20,7 +20,14 @@ var (
 	fliptNamespace = flag.String("flipt-namespace", "", "Namespace used to scope API calls.")
 )
 
-func Harness(t *testing.T, fn func(t *testing.T, sdk sdk.SDK, ns string, authenticated bool)) {
+type TestOpts struct {
+	Addr          string
+	Protocol      string
+	Namespace     string
+	Authenticated bool
+}
+
+func Harness(t *testing.T, fn func(t *testing.T, sdk sdk.SDK, opts TestOpts)) {
 	var transport sdk.Transport
 
 	protocol, host, _ := strings.Cut(*fliptAddr, "://")
@@ -54,6 +61,11 @@ func Harness(t *testing.T, fn func(t *testing.T, sdk sdk.SDK, ns string, authent
 
 	name := fmt.Sprintf("[Protocol %q; Namespace %q; Authentication %v]", protocol, namespace, authentication)
 	t.Run(name, func(t *testing.T) {
-		fn(t, sdk.New(transport, opts...), namespace, authentication)
+		fn(t, sdk.New(transport, opts...), TestOpts{
+			Protocol:      protocol,
+			Addr:          *fliptAddr,
+			Namespace:     namespace,
+			Authenticated: authentication},
+		)
 	})
 }

build/testing/integration/readonly/readonly_test.go

@@ -17,8 +17,13 @@ import (
 // folder has been loaded into the target instance being tested.
 // It then exercises a bunch of read operations via the provided SDK in the target namespace.
 func TestReadOnly(t *testing.T) {
-	integration.Harness(t, func(t *testing.T, sdk sdk.SDK, namespace string, authenticated bool) {
-		ctx := context.Background()
+	integration.Harness(t, func(t *testing.T, sdk sdk.SDK, opts integration.TestOpts) {
+		var (
+			ctx           = context.Background()
+			namespace     = opts.Namespace
+			authenticated = opts.Authenticated
+		)
+
 		ns, err := sdk.Flipt().GetNamespace(ctx, &flipt.GetNamespaceRequest{
 			Key: namespace,
 		})

examples/authentication/README.md

@@ -8,3 +8,4 @@ For more information on how to secure your Flipt instance and setup authenticati
 
 * [Reverse Proxy Authentication](proxy/README.md)
 * [OIDC Authentication with Dex](dex/README.md)
+* [Static Token Authentication](token/README.md)

examples/authentication/dex/docker-compose.yml

@@ -3,11 +3,11 @@ version: "3"
 services:
   dex:
     image: dexidp/dex:latest
-    command: dex serve /etc/dex/config.yaml
+    command: dex serve /etc/dex/config.yml
     ports:
       - "5556:5556"
     volumes:
-      - ./dex-config.yaml:/etc/dex/config.yaml
+      - ./dex-config.yml:/etc/dex/config.yml
     networks:
       - flipt_network
 
@@ -17,7 +17,7 @@ services:
     ports:
       - "8080:8080"
     volumes:
-      - ./config.yaml:/etc/flipt/config/default.yml
+      - ./config.yml:/etc/flipt/config/default.yml
     environment:
       - FLIPT_LOG_LEVEL=debug
       - FLIPT_META_TELEMETRY_ENABLED=false

examples/authentication/token/README.md

@@ -0,0 +1,51 @@
+# Static Token Authentication Example
+
+This example shows how you can secure your Flipt instance with a static bootstrap token: <https://www.flipt.io/docs/configuration/authentication#method-static-token>
+
+**Note:** You will not be able to use the Flipt UI with this example as it does not support static token authentication. 
+See the [Dex example](../dex/README.md) to see how to configure Flipt to use OIDC for authentication and enable the UI.
+
+## Requirements
+
+To run this example application you'll need:
+
+* [Docker](https://docs.docker.com/install/)
+* [docker-compose](https://docs.docker.com/compose/install/)
+
+## Running the Example
+
+1. Run `docker-compose up` from this directory
+1. Try to get a list of flags without authenticating using the REST API:
+
+    ```shell
+    ❯ curl -v http://localhost:8080/api/v1/flags
+
+    > GET /api/v1/flags HTTP/1.1
+    > Host: localhost:8080
+    > Accept: */*
+    >
+    < HTTP/1.1 401 Unauthorized
+    < Content-Type: text/plain; charset=utf-8
+    ```
+
+1. You should get a **401 Unauthorized** response as no authentication was present on the request
+1. Try again, providing the bootstrap token `secret`, specified in the [docker-compose.yml](docker-compose.yml) file:
+
+    ```shell
+    ~ » curl -v  -H 'Authorization: Bearer secret' http://localhost:8080/api/v1/flags
+
+    > GET /api/v1/flags HTTP/1.1
+    > Host: localhost:8080
+    > Accept: */*
+    > Authorization: Bearer secret
+    >
+    < HTTP/1.1 200 OK
+    < Content-Type: application/json
+    < Grpc-Metadata-Content-Type: application/grpc
+    < X-Content-Type-Options: nosniff
+    < Content-Length: 46
+    <
+    {"flags":[],"nextPageToken":"","totalCount":0}
+    ```
+
+1. This time the request succeeds and a **200 OK** response is returned

examples/authentication/token/config.yml

@@ -0,0 +1,17 @@
+log:
+  level: DEBUG
+
+db:
+  url: file:/var/opt/flipt/flipt.db
+
+authentication:
+  required: true
+  methods:
+    token:
+      enabled: true
+      bootstrap:
+        token: "secret"
+        expiration: 24h
+      cleanup:
+        interval: 2h
+        grace_period: 48h

examples/authentication/token/docker-compose.yml

@@ -0,0 +1,18 @@
+version: "3"
+
+services:
+  flipt:
+    image: flipt/flipt:latest
+    command: ["./flipt", "--force-migrate"]
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./config.yml:/etc/flipt/config/default.yml
+    environment:
+      - FLIPT_LOG_LEVEL=debug
+      - FLIPT_META_TELEMETRY_ENABLED=false
+    networks:
+      - flipt_network
+
+networks:
+  flipt_network:

go.mod

@@ -8,9 +8,9 @@ require (
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/Masterminds/squirrel v1.5.4
 	github.com/XSAM/otelsql v0.26.0
-	github.com/aws/aws-sdk-go-v2 v1.21.2
+	github.com/aws/aws-sdk-go-v2 v1.22.1
 	github.com/aws/aws-sdk-go-v2/config v1.19.1
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.42.0
 	github.com/blang/semver/v4 v4.0.0
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/coreos/go-oidc/v3 v3.7.0
@@ -27,7 +27,7 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.16.2
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-github/v32 v32.1.0
-	github.com/gorilla/csrf v1.7.1
+	github.com/gorilla/csrf v1.7.2
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0
@@ -37,13 +37,13 @@ require (
 	github.com/lib/pq v1.10.9
 	github.com/libsql/libsql-client-go v0.0.0-20230917132930-48c310b27e7b
 	github.com/magefile/mage v1.15.0
-	github.com/mattn/go-sqlite3 v1.14.17
+	github.com/mattn/go-sqlite3 v1.14.18
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/prometheus/client_golang v1.17.0
-	github.com/redis/go-redis/v9 v9.2.1
+	github.com/redis/go-redis/v9 v9.3.0
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/viper v1.17.0
 	github.com/stretchr/testify v1.8.4
 	github.com/testcontainers/testcontainers-go v0.26.0
@@ -88,21 +88,21 @@ require (
 	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.1 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect
-	github.com/aws/smithy-go v1.15.0 // indirect
+	github.com/aws/smithy-go v1.16.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -113,7 +113,7 @@ require (
 	github.com/containerd/containerd v1.7.7 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
@@ -132,7 +132,7 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.3.1 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
 	github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect