From b00226cf07666736a478d76c686599982a8ec421 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 31 Mar 2023 19:02:15 +0000
Subject: [PATCH] Bump github.com/spiffe/go-spiffe/v2 from 2.1.3 to 2.1.4

Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../spiffe/go-spiffe/v2/svid/jwtsvid/svid.go | 3 +++
 .../spiffe/go-spiffe/v2/svid/x509svid/svid.go | 4 ++++
 .../spiffe/go-spiffe/v2/workloadapi/client.go | 23 +++++++++++++++++--
 vendor/modules.txt | 2 +-
 6 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 5db53a158c4..2d617d6005a 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/pkg/errors v0.9.1
 	github.com/sigstore/sigstore v1.6.0
-	github.com/spiffe/go-spiffe/v2 v2.1.3
+	github.com/spiffe/go-spiffe/v2 v2.1.4
 	github.com/spiffe/spire-api-sdk v1.6.1
 	github.com/tektoncd/plumbing v0.0.0-20220817140952-3da8ce01aeeb
 	go.opencensus.io v0.24.0
diff --git a/go.sum b/go.sum
index 56f5e4e9b58..dcfbe24de87 100644
--- a/go.sum
+++ b/go.sum
@@ -1026,8 +1026,8 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
-github.com/spiffe/go-spiffe/v2 v2.1.3 h1:P5L9Ixo5eqJiHnktAU0UD/6UfHsQs7yAtc8a/FFUi9M=
-github.com/spiffe/go-spiffe/v2 v2.1.3/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk=
+github.com/spiffe/go-spiffe/v2 v2.1.4 h1:Z31Ycaf2Z5DF38sQGmp+iGKjBhBlSzfAq68bfy67Mxw=
+github.com/spiffe/go-spiffe/v2 v2.1.4/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk=
 github.com/spiffe/spire-api-sdk v1.6.1 h1:f6bty0MKzmX8C3Pbsw8aeQRykBUF3p7GSsFHcn/iSUI=
 github.com/spiffe/spire-api-sdk v1.6.1/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go b/vendor/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go
index a9c5e6e44ea..ddbfac34f74 100644
--- a/vendor/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go
+++ b/vendor/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go
@@ -28,6 +28,9 @@ type SVID struct {
 	Expiry time.Time
 	// Claims is the parsed claims from token
 	Claims map[string]interface{}
+	// Hint is an operator-specified string used to provide guidance on how this
+	// identity should be used by a workload when more than one SVID is returned.
+	Hint string
 
 	// token is the serialized JWT token
 	token string
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/svid.go b/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/svid.go
index 5fecffe8fb8..4ac51dae68e 100644
--- a/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/svid.go
+++ b/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/svid.go
@@ -26,6 +26,10 @@ type SVID struct {
 
 	// PrivateKey is the private key for the X509-SVID.
 	PrivateKey crypto.Signer
+
+	// Hint is an operator-specified string used to provide guidance on how this
+	// identity should be used by a workload when more than one SVID is returned.
+	Hint string
 }
 
 // Load loads the X509-SVID from PEM encoded files on disk. certFile and
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/client.go b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/client.go
index 3328a98fb20..7a9685cf36d 100644
--- a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/client.go
+++ b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/client.go
@@ -426,7 +426,7 @@ func parseX509Context(resp *workload.X509SVIDResponse) (*X509Context, error) {
 
 // parseX509SVIDs parses one or all of the SVIDs in the response. If firstOnly
 // is true, then only the first SVID in the response is parsed and returned.
-// Otherwise all SVIDs are parsed and returned.
+// Otherwise, all SVIDs are parsed and returned.
 func parseX509SVIDs(resp *workload.X509SVIDResponse, firstOnly bool) ([]*x509svid.SVID, error) {
 	n := len(resp.Svids)
 	if n == 0 {
@@ -436,10 +436,20 @@ func parseX509SVIDs(resp *workload.X509SVIDResponse, firstOnly bool) ([]*x509svi
 		n = 1
 	}
 
+	hints := make(map[string]struct{}, n)
 	svids := make([]*x509svid.SVID, 0, n)
 	for i := 0; i < n; i++ {
 		svid := resp.Svids[i]
+		// In the event of more than one X509SVID message with the same hint value set, then the first message in the
+		// list SHOULD be selected.
+		if _, ok := hints[svid.Hint]; ok && svid.Hint != "" {
+			continue
+		}
+
+		hints[svid.Hint] = struct{}{}
+
 		s, err := x509svid.ParseRaw(svid.X509Svid, svid.X509SvidKey)
+		s.Hint = svid.Hint
 		if err != nil {
 			return nil, err
 		}
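Review bot: In the parseX509SVIDs hunk, `s.Hint = svid.Hint` is executed before the `if err != nil` check that immediately follows it, so if `x509svid.ParseRaw` returns a nil `*x509svid.SVID` alongside its error — the usual Go convention, though its body is not visible here — one malformed entry in the Workload API response turns a clean error return into a nil-pointer panic in the consuming process. The assignment should move below the check: `if err != nil { return nil, err }` and only then `s.Hint = svid.Hint`. Because this is vendored code the real fix belongs upstream in go-spiffe and this module should be bumped once a release carries it; until then, treat a misbehaving Workload API server as able to crash the client rather than merely fail the fetch. parseX509SVIDs continues past the end of this hunk.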
@@ -506,7 +516,7 @@ func parseX509BundlesResponse(resp *workload.X509BundlesResponse) (*x509bundle.S
 
 // parseJWTSVIDs parses one or all of the SVIDs in the response. If firstOnly
 // is true, then only the first SVID in the response is parsed and returned.
-// Otherwise all SVIDs are parsed and returned.
+// Otherwise, all SVIDs are parsed and returned.
 func parseJWTSVIDs(resp *workload.JWTSVIDResponse, audience []string, firstOnly bool) ([]*jwtsvid.SVID, error) {
 	n := len(resp.Svids)
 	if n == 0 {
@@ -516,10 +526,19 @@ func parseJWTSVIDs(resp *workload.JWTSVIDResponse, audience []string, firstOnly
 		n = 1
 	}
 
+	hints := make(map[string]struct{}, n)
 	svids := make([]*jwtsvid.SVID, 0, n)
 	for i := 0; i < n; i++ {
 		svid := resp.Svids[i]
+		// In the event of more than one X509SVID message with the same hint value set, then the first message in the
+		// list SHOULD be selected.
+		if _, ok := hints[svid.Hint]; ok && svid.Hint != "" {
+			continue
+		}
+		hints[svid.Hint] = struct{}{}
+
 		s, err := jwtsvid.ParseInsecure(svid.Svid, audience)
+		s.Hint = svid.Hint
 		if err != nil {
 			return nil, err
 		}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 04422e3bd4f..850628aabf2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -717,7 +717,7 @@ github.com/skeema/knownhosts
 # github.com/spf13/pflag v1.0.5
 ## explicit; go 1.12
 github.com/spf13/pflag
-# github.com/spiffe/go-spiffe/v2 v2.1.3
+# github.com/spiffe/go-spiffe/v2 v2.1.4
 ## explicit; go 1.17
 github.com/spiffe/go-spiffe/v2/bundle/jwtbundle
 github.com/spiffe/go-spiffe/v2/bundle/spiffebundle
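Review bot: The parseJWTSVIDs hunk has the same ordering defect as the X509 path: `s.Hint = svid.Hint` dereferences `s` before `if err != nil` is evaluated, so a JWT-SVID that `jwtsvid.ParseInsecure` rejects (and for which it presumably returns a nil `*jwtsvid.SVID`, not visible here) panics the client instead of returning the error. Move the assignment after the check: `if err != nil { return nil, err }` then `s.Hint = svid.Hint`. The added comment is also a copy-paste from the X509 path and should read `// In the event of more than one JWTSVID message with the same hint value set, then the first message in the` so the rationale matches the message type actually being deduplicated. As vendored code this needs an upstream fix and a subsequent bump rather than a local patch; parseJWTSVIDs continues past the end of this hunk.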