authorTaras Madan <tarasmadan@google.com>2022-09-05 14:27:54 +0200
committerGitHub <noreply@github.com>2022-09-05 12:27:54 +0000
commitb2f2446b46bf02821d90ebedadae2bf7ae0e880e (patch)
tree923cf42842918d6bebca1d6bbdc08abed54d274d /vendor/github.com/googleapis/enterprise-certificate-proxy/client
parente6654faff4bcca4be92e9a8596fd4b77f747c39e (diff)
go.mod, vendor: update (#3358)
* go.mod, vendor: remove unnecessary dependencies Commands: 1. go mod tidy 2. go mod vendor * go.mod, vendor: update cloud.google.com/go Commands: 1. go get -u cloud.google.com/go 2. go mod tidy 3. go mod vendor * go.mod, vendor: update cloud.google.com/* Commands: 1. go get -u cloud.google.com/storage cloud.google.com/logging 2. go mod tidy 3. go mod vendor * go.mod, .golangci.yml, vendor: update *lint* Commands: 1. go get -u golang.org/x/tools github.com/golangci/golangci-lint@v1.47.0 2. go mod tidy 3. go mod vendor 4. edit .golangci.yml to suppress new errors (resolved in the same PR later) * all: fix lint errors hash.go: copy() recommended by gosimple parse.go: ent is never nil verifier.go: signal.Notify() with an unbuffered channel is bad. Have no idea why. * .golangci.yml: adjust godot rules check-all is deprecated, but still works; if you're hesitating too - I'll remove this commit
Diffstat (limited to 'vendor/github.com/googleapis/enterprise-certificate-proxy/client')
-rw-r--r--vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go151
-rw-r--r--vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go72
2 files changed, 223 insertions, 0 deletions
diff --git a/vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go b/vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go
new file mode 100644
index 000000000..81f54d5ef
--- /dev/null
+++ b/vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go
@@ -0,0 +1,151 @@
+// Copyright 2022 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+//
+// Client is a cross-platform client for the signer binary (a.k.a."EnterpriseCertSigner").
+// The signer binary is OS-specific, but exposes a standard set of APIs for the client to use.
+package client
+
+import (
+ "crypto"
+ "crypto/rsa"
+ "crypto/x509"
+ "encoding/gob"
+ "fmt"
+ "io"
+ "net/rpc"
+ "os"
+ "os/exec"
+
+ "github.com/googleapis/enterprise-certificate-proxy/client/util"
+)
+
+const signAPI = "EnterpriseCertSigner.Sign"
+const certificateChainAPI = "EnterpriseCertSigner.CertificateChain"
+const publicKeyAPI = "EnterpriseCertSigner.Public"
+
+// A Connection wraps a pair of unidirectional streams as an io.ReadWriteCloser.
+type Connection struct {
+ io.ReadCloser
+ io.WriteCloser
+}
+
+// Close closes c's underlying ReadCloser and WriteCloser.
+func (c *Connection) Close() error {
+ rerr := c.ReadCloser.Close()
+ werr := c.WriteCloser.Close()
+ if rerr != nil {
+ return rerr
+ }
+ return werr
+}
+
+func init() {
+ gob.Register(crypto.SHA256)
+ gob.Register(&rsa.PSSOptions{})
+}
+
+// SignArgs contains arguments to a crypto Signer.Sign method.
+type SignArgs struct {
+ Digest []byte // The content to sign.
+ Opts crypto.SignerOpts // Options for signing, such as Hash identifier.
+}
+
+// Key implements credential.Credential by holding the executed signer subprocess.
+type Key struct {
+ cmd *exec.Cmd // Pointer to the signer subprocess.
+ client *rpc.Client // Pointer to the rpc client that communicates with the signer subprocess.
+ publicKey crypto.PublicKey // Public key of loaded certificate.
+ chain [][]byte // Certificate chain of loaded certificate.
+}
+
+// CertificateChain returns the credential as a raw X509 cert chain. This contains the public key.
+func (k *Key) CertificateChain() [][]byte {
+ return k.chain
+}
+
+// Close closes the RPC connection and kills the signer subprocess.
+// Call this to free up resources when the Key object is no longer needed.
+func (k *Key) Close() error {
+ if err := k.client.Close(); err != nil {
+ return fmt.Errorf("failed to close RPC connection: %w", err)
+ }
+ if err := k.cmd.Process.Kill(); err != nil {
+ return fmt.Errorf("failed to kill signer process: %w", err)
+ }
+ if err := k.cmd.Wait(); err.Error() != "signal: killed" {
+ return fmt.Errorf("signer process was not killed: %w", err)
+ }
+ return nil
+}
+
+// Public returns the public key for this Key.
+func (k *Key) Public() crypto.PublicKey {
+ return k.publicKey
+}
+
+// Sign signs a message by encrypting a message digest, using the specified signer options.
+func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed []byte, err error) {
+ err = k.client.Call(signAPI, SignArgs{Digest: digest, Opts: opts}, &signed)
+ return
+}
+
+// Cred spawns a signer subprocess that listens on stdin/stdout to perform certificate
+// related operations, including signing messages with the private key.
+//
+// The signer binary path is read from the specified configFilePath, if provided.
+// Otherwise, use the default config file path.
+//
+// The config file also specifies which certificate the signer should use.
+func Cred(configFilePath string) (*Key, error) {
+ if configFilePath == "" {
+ configFilePath = util.GetDefaultConfigFilePath()
+ }
+ enterpriseCertSignerPath, err := util.LoadSignerBinaryPath(configFilePath)
+ if err != nil {
+ return nil, err
+ }
+ k := &Key{
+ cmd: exec.Command(enterpriseCertSignerPath, configFilePath),
+ }
+
+ // Redirect errors from subprocess to parent process.
+ k.cmd.Stderr = os.Stderr
+
+ // RPC client will communicate with subprocess over stdin/stdout.
+ kin, err := k.cmd.StdinPipe()
+ if err != nil {
+ return nil, err
+ }
+ kout, err := k.cmd.StdoutPipe()
+ if err != nil {
+ return nil, err
+ }
+ k.client = rpc.NewClient(&Connection{kout, kin})
+
+ if err := k.cmd.Start(); err != nil {
+ return nil, fmt.Errorf("starting enterprise cert signer subprocess: %w", err)
+ }
+
+ if err := k.client.Call(certificateChainAPI, struct{}{}, &k.chain); err != nil {
+ return nil, fmt.Errorf("failed to retrieve certificate chain: %w", err)
+ }
+
+ var publicKeyBytes []byte
+ if err := k.client.Call(publicKeyAPI, struct{}{}, &publicKeyBytes); err != nil {
+ return nil, fmt.Errorf("failed to retrieve public key: %w", err)
+ }
+
+ publicKey, err := x509.ParsePKIXPublicKey(publicKeyBytes)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse public key: %w", err)
+ }
+
+ var ok bool
+ k.publicKey, ok = publicKey.(crypto.PublicKey)
+ if !ok {
+ return nil, fmt.Errorf("invalid public key type: %T", publicKey)
+ }
+
+ return k, nil
+}
diff --git a/vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go b/vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go
new file mode 100644
index 000000000..6b5f2806e
--- /dev/null
+++ b/vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go
@@ -0,0 +1,72 @@
+// Package util provides helper functions for the client.
+package util
+
+import (
+ "encoding/json"
+ "errors"
+ "io/ioutil"
+ "os"
+ "os/user"
+ "path/filepath"
+ "runtime"
+)
+
+const configFileName = "enterprise_certificate_config.json"
+
+// EnterpriseCertificateConfig contains parameters for initializing signer.
+type EnterpriseCertificateConfig struct {
+ Libs Libs `json:"libs"`
+}
+
+// Libs specifies the locations of helper libraries.
+type Libs struct {
+ SignerBinary string `json:"signer_binary"`
+}
+
+// LoadSignerBinaryPath retrieves the path of the signer binary from the config file.
+func LoadSignerBinaryPath(configFilePath string) (path string, err error) {
+ jsonFile, err := os.Open(configFilePath)
+ if err != nil {
+ return "", err
+ }
+
+ byteValue, err := ioutil.ReadAll(jsonFile)
+ if err != nil {
+ return "", err
+ }
+ var config EnterpriseCertificateConfig
+ err = json.Unmarshal(byteValue, &config)
+ if err != nil {
+ return "", err
+ }
+ signerBinaryPath := config.Libs.SignerBinary
+ if signerBinaryPath == "" {
+ return "", errors.New("Signer binary path is missing.")
+ }
+ return signerBinaryPath, nil
+}
+
+func guessHomeDir() string {
+ // Prefer $HOME over user.Current due to glibc bug: golang.org/issue/13470
+ if v := os.Getenv("HOME"); v != "" {
+ return v
+ }
+ // Else, fall back to user.Current:
+ if u, err := user.Current(); err == nil {
+ return u.HomeDir
+ }
+ return ""
+}
+
+func getDefaultConfigFileDirectory() (directory string) {
+ if runtime.GOOS == "windows" {
+ return filepath.Join(os.Getenv("APPDATA"), "gcloud")
+ } else {
+ return filepath.Join(guessHomeDir(), ".config/gcloud")
+ }
+}
+
+// GetDefaultConfigFilePath returns the default path of the enterprise certificate config file created by gCloud.
+func GetDefaultConfigFilePath() (path string) {
+ return filepath.Join(getDefaultConfigFileDirectory(), configFileName)
+}