Modernize demo application

- add linter config and fix golangci-lint warnings - rename module to match new repository location - use embedded resources for static assets, templates and translations - recommend mkcert in README - require at least Go 1.19 - update and tidy dependencies - update copyright information - improve Makefile, add lint and static asset targets
9 months ago · 25b101afae
parent f980c1acc3
commit 25b101afae
28 changed files with 1196 additions and 818 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,10 @@
-.idea/
 /*.pem
+/.idea/
 /demo-app
+/dist
+/resource_app.toml
 /sessions
 /static
-certs/
-resource_app.toml
+/ui/css/
+/ui/images/
+/ui/js/
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,64 @@
+---
+output:
+  sort-results: true
+
+linters-settings:
+  goheader:
+    values:
+      const:
+        ORGANIZATION: CAcert Inc.
+    template: |-
+      Copyright {{ YEAR-RANGE }} {{ ORGANIZATION }}
+      SPDX-License-Identifier: Apache-2.0
+
+      Licensed under the Apache License, Version 2.0 (the "License");
+      you may not use this file except in compliance with the License.
+      You may obtain a copy of the License at
+
+          https://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+      See the License for the specific language governing permissions and
+      limitations under the License.
+  goimports:
+    local-prefixes: code.cacert.org/cacert/oidc-demo-app
+  misspell:
+    locale: "US"
+    ignore-words:
+      - CAcert
+
+linters:
+  disable-all: false
+  enable:
+    - bodyclose
+    - containedctx
+    - contextcheck
+    - cyclop
+    - decorder
+    - errorlint
+    - exportloopref
+    - forbidigo
+    - forcetypeassert
+    - gocognit
+    - goconst
+    - gocritic
+    - gofmt
+    - goheader
+    - goimports
+    - gomnd
+    - gosec
+    - lll
+    - makezero
+    - misspell
+    - nakedret
+    - nestif
+    - nlreturn
+    - nolintlint
+    - predeclared
+    - revive
+    - rowserrcheck
+    - sqlclosecheck
+    - wrapcheck
+    - wsl
--- a/34
+++ b/34
@ -1,24 +1,38 @@
-GOFILES = $(wildcard */*.go)
-TEMPLATES = $(wildcard templates/*.gohtml)
-TRANSLATIONS = $(wildcard active.*.toml)
+GOFILES = $(shell find -type f -name '*.go')
+TEMPLATES = $(wildcard ui/templates/*.gohtml)
+TRANSLATIONS = $(wildcard translations/active.*.toml)
+RESOURCES = ui/css ui/images ui/js

 all: demo-app

+ui/css: ../cacert_resources/static/css
+	cp -r ../cacert_resources/static/css ui/
+
+ui/js: ../cacert_resources/static/js
+	cp -r ../cacert_resources/static/js ui/
+
+ui/images: ../cacert_resources/static/images
+	cp -r ../cacert_resources/static/images ui/
+
 go.sum: go.mod
-	go mod tidy
+	go mod tidy -v

 translations: $(TRANSLATIONS) $(GOFILES)
-	goi18n extract .
-	goi18n merge active.*.toml
+	cd translations ; \
+	goi18n extract .. ; \
+	goi18n merge active.*.toml ; \
 	if translate.*.toml 2>/dev/null; then \
 		echo "missing translations"; \
 		goi18n merge active.*.toml translate.*.toml; \
 	fi

-demo-app: go.sum $(GOFILES) $(TEMPLATES) translations
-	go build -o $@ ./cmd/app.go
+lint: $(GOFILES)
+	golangci-lint run --verbose
+
+demo-app: go.sum $(GOFILES) $(TEMPLATES) translations $(RESOURCES)
+	CGO_ENABLED=0 go build -o $@ ./cmd/app

 clean:
-	rm -f demo-app
+	rm -rf demo-app ui/css ui/js ui/images

-.PHONY: all translations clean
+.PHONY: all translations clean lint
--- a/README.md
+++ b/README.md
@ -6,39 +6,22 @@ authenticate and authorize users.
 The code in this repository is licensed under the terms of the Apache License
 Version 2.0.

-Copyright © 2020-2022  Jan Dittberner
+Copyright © 2020-2023  Jan Dittberner

 ## Setup

 ### Certificates

-You need a set of certificates for the application. You can use the Test CA
-created by the ``setup_test_ca.sh`` script from the [CAcert developer
-setup](https://git.dittberner.info/jan/cacert-devsetup) repository like this:
-
-1. create signing requests
-
-   ```
-   mkdir certs
-   cd certs
-   openssl req -new -newkey rsa:3072 -nodes \
-       -keyout app.cacert.localhost.key \
-       -out app.cacert.localhost.csr.pem \
-       -subj /CN=app.cacert.localhost \
-       -addext subjectAltName=DNS:app.cacert.localhost
-   cp *.csr.pem $PATH_TO_DEVSETUP_TESTCA/
-   ```
-
-2. Use the CA to sign the certificates
-
-   ```
-   pushd $PATH_TO_DEVSETUP_TESTCA/
-   openssl ca -config ca.cnf -name class3_ca -extensions server_ext \
-       -in app.cacert.localhost.csr.pem \
-       -out app.cacert.localhost.crt.pem -days 365
-   popd
-   cp $PATH_TO_DEVSETUP_TESTCA/app.cacert.localhost.crt.pem .
-   ```
+You need a server certificate and corresponding private key to run `demo-app`.
+
+An easy way to generate server certificate and key for local testing is
+[`mkcert`](https://github.com/FiloSottile/mkcert/releases).
+
+Run `mkcert` to generate `app.cacert.localhost.pem` and `app.cacert.localhost-key.pem`:
+
+```shell
+mkcert -cert-file app.cacert.localhost
+```

 ### Configure the Demo Application

@ -53,7 +36,9 @@ openssl rand -base64 32
 You also need the client id and the client secret, that have been generated
 during the OIDC client setup described above.

-```
+Put the data into `resource_app.toml`:
+
+```ini
 [oidc]
 client-id = "<client id from hydra clients invocation>"
 client-secret = "<client secret from hydra clients invocation>"
@ -67,10 +52,10 @@ enc-key = "<32 bytes of base64 encoded data>"

 Now you can start the demo application:

-  ```
-  make
-  go run cmd/app.go
-  ```
+```shell
+make
+./demo-app
+```

 Visit https://app.cacert.localhost:4000/ in a Browser and you will be directed
 through the OpenID connect authorization code flow.
@ -88,23 +73,27 @@ go install github.com/nicksnyder/go-i18n/v2/goi18n

 To extract new messages from the code run

-```
-goi18n extract .
+```shell
+cd translations
+goi18n extract ..
 ```

 Then use

-```
+```shell
+cd translations
 goi18n merge active.*.toml
 ```

-to create TOML files for translation as `translate.<locale>.toml`. After
-translating the messages run
+to create TOML files for translation as `translate.<locale>.toml`.

-```
+After translating the messages run
+
+```shell
+cd translations
 goi18n merge active.*.toml translate.*.toml
 ```

 to merge the messages back into the active translation files. To add a new
 language you need to add the language code to the languages configuration
-option (default is defined in the configmap in cmd/app.go).
+option (default is defined in the configmap in `services/configuration.go`).
--- a/cmd/app/main.go
+++ b/cmd/app/main.go
@ -1,18 +1,18 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package main
@ -23,8 +23,8 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"net/http"
+	"os"
 	"time"

 	"github.com/knadh/koanf"
@ -32,46 +32,63 @@ import (
 	"github.com/knadh/koanf/providers/confmap"
 	log "github.com/sirupsen/logrus"

-	"git.cacert.org/oidc_demo_app/handlers"
-	"git.cacert.org/oidc_demo_app/services"
+	"code.cacert.org/cacert/oidc-demo-app/ui"
+
+	"code.cacert.org/cacert/oidc-demo-app/handlers"
+	"code.cacert.org/cacert/oidc-demo-app/services"
+)
+
+const (
+	defaultReadTimeout  = 5 * time.Second
+	defaultWriteTimeout = 10 * time.Second
+	defaultIdleTimeout  = 15 * time.Second
+
+	sessionKeyLength     = 32
+	sessionAuthKeyLength = 64
 )

 func main() {
 	logger := log.New()
+
 	config, err := services.ConfigureApplication(
 		logger,
 		"RESOURCE_APP",
-		map[string]interface{}{
-			"server.port":        4000,
-			"server.name":        "app.cacert.localhost",
-			"server.key":         "certs/app.cacert.localhost.key",
-			"server.certificate": "certs/app.cacert.localhost.crt.pem",
-			"oidc.server":        "https://auth.cacert.localhost:4444/",
-			"session.path":       "sessions/app",
-			"i18n.languages":     []string{"en", "de"},
-		})
+		services.DefaultConfiguration,
+	)
 	if err != nil {
 		log.Fatalf("error loading configuration: %v", err)
 	}

 	oidcServer := config.MustString("oidc.server")
-	oidcClientId := config.MustString("oidc.client-id")
+	oidcClientID := config.MustString("oidc.client-id")
 	oidcClientSecret := config.MustString("oidc.client-secret")

-	ctx := context.Background()
-	ctx = services.InitI18n(ctx, logger, config.Strings("i18n.languages"))
-	services.AddMessages(ctx)
+	if level := config.String("log.level"); level != "" {
+		logLevel, err := log.ParseLevel(level)
+		if err != nil {
+			logger.WithError(err).Fatal("could not parse log level")
+		}
+
+		logger.SetLevel(logLevel)
+	}
+
+	bundle, catalog := services.InitI18n(logger, config.Strings("i18n.languages"))
+
+	services.AddMessages(catalog)

 	tlsClientConfig := &tls.Config{
 		MinVersion: tls.VersionTLS12,
 	}
+
 	if config.Exists("api-client.rootCAs") {
 		rootCAFile := config.MustString("api-client.rootCAs")
 		caCertPool := x509.NewCertPool()
-		pemBytes, err := ioutil.ReadFile(rootCAFile)
+
+		pemBytes, err := os.ReadFile(rootCAFile)
 		if err != nil {
 			log.Fatalf("could not read CA certificate file: %v", err)
 		}
+
 		caCertPool.AppendCertsFromPEM(pemBytes)
 		tlsClientConfig.RootCAs = caCertPool
 	}
@ -79,29 +96,31 @@ func main() {
 	apiTransport := &http.Transport{TLSClientConfig: tlsClientConfig}
 	apiClient := &http.Client{Transport: apiTransport}

-	if ctx, err = services.DiscoverOIDC(ctx, logger, &services.OidcParams{
+	oidcInfo, err := services.DiscoverOIDC(logger, &services.OidcParams{
 		OidcServer:       oidcServer,
-		OidcClientId:     oidcClientId,
+		OidcClientID:     oidcClientID,
 		OidcClientSecret: oidcClientSecret,
 		APIClient:        apiClient,
-	}); err != nil {
+	})
+	if err != nil {
 		log.Fatalf("OpenID Connect discovery failed: %s", err)
 	}

 	sessionPath, sessionAuthKey, sessionEncKey := configureSessionParameters(config)
 	services.InitSessionStore(logger, sessionPath, sessionAuthKey, sessionEncKey)

-	authMiddleware := handlers.Authenticate(ctx, logger, oidcClientId)
+	authMiddleware := handlers.Authenticate(logger, oidcInfo.OAuth2Config, oidcClientID)

-	serverAddr := fmt.Sprintf("%s:%d", config.String("server.name"), config.Int("server.port"))
+	publicURL := buildPublicURL(config.MustString("server.name"), config.MustInt("server.port"))

-	indexHandler, err := handlers.NewIndexHandler(ctx, serverAddr)
+	indexHandler, err := handlers.NewIndexHandler(bundle, catalog, ui.Templates, oidcInfo, publicURL)
 	if err != nil {
 		logger.Fatalf("could not initialize index handler: %v", err)
 	}
-	callbackHandler := handlers.NewCallbackHandler(ctx, logger)
+
+	callbackHandler := handlers.NewCallbackHandler(logger, oidcInfo.KeySet, oidcInfo.OAuth2Config)
 	afterLogoutHandler := handlers.NewAfterLogoutHandler(logger)
-	staticFiles := http.FileServer(http.Dir("static"))
+	staticFiles := http.FileServer(http.FS(ui.Static))

 	router := http.NewServeMux()
 	router.Handle("/", authMiddleware(indexHandler))
@ -112,18 +131,15 @@ func main() {
 	router.Handle("/css/", staticFiles)
 	router.Handle("/js/", staticFiles)

-	nextRequestId := func() string {
+	nextRequestID := func() string {
 		return fmt.Sprintf("%d", time.Now().UnixNano())
 	}

-	tracing := handlers.Tracing(nextRequestId)
+	tracing := handlers.Tracing(nextRequestID)
 	logging := handlers.Logging(logger)
 	hsts := handlers.EnableHSTS()
-	errorMiddleware, err := handlers.ErrorHandling(
-		ctx,
-		logger,
-		"templates",
-	)
+
+	errorMiddleware, err := handlers.ErrorHandling(logger, ui.Templates, bundle, catalog)
 	if err != nil {
 		logger.Fatalf("could not initialize request error handling: %v", err)
 	}
@ -132,36 +148,51 @@ func main() {
 		ServerName: config.String("server.name"),
 		MinVersion: tls.VersionTLS12,
 	}
+
 	server := &http.Server{
-		Addr:         serverAddr,
+		Addr:         fmt.Sprintf("%s:%d", config.String("server.bind_address"), config.Int("server.port")),
 		Handler:      tracing(logging(hsts(errorMiddleware(router)))),
-		ReadTimeout:  5 * time.Second,
-		WriteTimeout: 10 * time.Second,
-		IdleTimeout:  15 * time.Second,
+		ReadTimeout:  defaultReadTimeout,
+		WriteTimeout: defaultWriteTimeout,
+		IdleTimeout:  defaultIdleTimeout,
 		TLSConfig:    tlsConfig,
 	}

-	handlers.StartApplication(logger, ctx, server, config)
+	handlers.StartApplication(context.Background(), logger, server, publicURL, config)
+}
+
+func buildPublicURL(hostname string, port int) string {
+	const defaultHTTPSPort = 443
+
+	if port != defaultHTTPSPort {
+		return fmt.Sprintf("https://%s:%d", hostname, port)
+	}
+
+	return fmt.Sprintf("https://%s", hostname)
 }

 func configureSessionParameters(config *koanf.Koanf) (string, []byte, []byte) {
 	sessionPath := config.MustString("session.path")
+
 	sessionAuthKey, err := base64.StdEncoding.DecodeString(config.String("session.auth-key"))
 	if err != nil {
-		log.Fatalf("could not decode session auth key: %s", err)
+		log.WithError(err).Fatal("could not decode session auth key")
 	}
+
 	sessionEncKey, err := base64.StdEncoding.DecodeString(config.String("session.enc-key"))
 	if err != nil {
-		log.Fatalf("could not decode session encryption key: %s", err)
+		log.WithError(err).Fatal("could not decode session encryption key")
 	}

 	generated := false
-	if len(sessionAuthKey) != 64 {
-		sessionAuthKey = services.GenerateKey(64)
+
+	if len(sessionAuthKey) != sessionAuthKeyLength {
+		sessionAuthKey = services.GenerateKey(sessionAuthKeyLength)
 		generated = true
 	}
-	if len(sessionEncKey) != 32 {
-		sessionEncKey = services.GenerateKey(32)
+
+	if len(sessionEncKey) != sessionKeyLength {
+		sessionEncKey = services.GenerateKey(sessionKeyLength)
 		generated = true
 	}

@ -170,11 +201,14 @@ func configureSessionParameters(config *koanf.Koanf) (string, []byte, []byte) {
 			"session.auth-key": sessionAuthKey,
 			"session.enc-key":  sessionEncKey,
 		}, "."), nil)
+
 		tomlData, err := config.Marshal(toml.Parser())
 		if err != nil {
-			log.Fatalf("could not encode session config")
+			log.WithError(err).Fatal("could not encode session config")
 		}
+
 		log.Infof("put the following in your resource_app.toml:\n%s", string(tomlData))
 	}
+
 	return sessionPath, sessionAuthKey, sessionEncKey
 }
--- a/go.mod
+++ b/go.mod
@ -1,55 +1,38 @@
-module git.cacert.org/oidc_demo_app
+module code.cacert.org/cacert/oidc-demo-app

-go 1.17
+go 1.19

 require (
-	github.com/BurntSushi/toml v0.3.1
-	github.com/go-openapi/runtime v0.19.31
+	github.com/BurntSushi/toml v1.3.2
 	github.com/gorilla/sessions v1.2.1
-	github.com/knadh/koanf v1.2.3
-	github.com/lestrrat-go/jwx v1.2.6
-	github.com/nicksnyder/go-i18n/v2 v2.1.2
-	github.com/sirupsen/logrus v1.8.1
+	github.com/knadh/koanf v1.5.0
+	github.com/lestrrat-go/jwx v1.2.26
+	github.com/nicksnyder/go-i18n/v2 v2.2.1
+	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be
-	golang.org/x/text v0.3.3
+	golang.org/x/oauth2 v0.10.0
+	golang.org/x/text v0.11.0
 )

 require (
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d // indirect
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/go-openapi/analysis v0.19.10 // indirect
-	github.com/go-openapi/errors v0.19.6 // indirect
-	github.com/go-openapi/jsonpointer v0.19.3 // indirect
-	github.com/go-openapi/jsonreference v0.19.3 // indirect
-	github.com/go-openapi/loads v0.19.5 // indirect
-	github.com/go-openapi/spec v0.19.8 // indirect
-	github.com/go-openapi/strfmt v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.9 // indirect
-	github.com/go-openapi/validate v0.19.10 // indirect
-	github.com/go-stack/stack v1.8.0 // indirect
-	github.com/goccy/go-json v0.7.6 // indirect
-	github.com/golang/protobuf v1.3.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
-	github.com/lestrrat-go/blackmagic v1.0.0 // indirect
-	github.com/lestrrat-go/httpcc v1.0.0 // indirect
-	github.com/lestrrat-go/iter v1.0.1 // indirect
-	github.com/lestrrat-go/option v1.0.0 // indirect
-	github.com/mailru/easyjson v0.7.1 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml v1.7.0 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	go.mongodb.org/mongo-driver v1.3.4 // indirect
-	golang.org/x/crypto v0.0.0-20201217014255-9d1352758620 // indirect
-	golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
-	golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect
-	google.golang.org/appengine v1.4.0 // indirect
-	gopkg.in/yaml.v2 v2.3.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,156 +1,130 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
-github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY=
-github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
+github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/aws/aws-sdk-go-v2 v1.9.2/go.mod h1:cK/D0BBs0b/oWPIcX/Z/obahJK1TT7IPVjy53i/mX/4=
+github.com/aws/aws-sdk-go-v2/config v1.8.3/go.mod h1:4AEiLtAb8kLs7vgw2ZV3p2VZ1+hBavOc84hqxVNpCyw=
+github.com/aws/aws-sdk-go-v2/credentials v1.4.3/go.mod h1:FNNC6nQZQUuyhq5aE5c7ata8o9e4ECGmS4lAXC7o1mQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.6.0/go.mod h1:gqlclDEZp4aqJOancXK6TN24aKhT0W0Ae9MHk3wzTMM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.2.4/go.mod h1:ZcBrrI3zBKlhGFNYWvju0I3TR93I7YIgAfy82Fh4lcQ=
+github.com/aws/aws-sdk-go-v2/service/appconfig v1.4.2/go.mod h1:FZ3HkCe+b10uFZZkFdvf98LHW21k49W8o8J366lqVKY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.2/go.mod h1:72HRZDLMtmVQiLG2tLfQcaWLCssELvGl+Zf2WVxMmR8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.4.2/go.mod h1:NBvT9R1MEF+Ud6ApJKM0G+IkPchKS7p7c2YPKwHmBOk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.7.2/go.mod h1:8EzeIqfWt2wWT4rJVu3f21TfrhJ8AEMzVybRNSb/b4g=
+github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d h1:1iy2qD6JEhHKKhUOA9IWs7mjco7lnw2qx8FsRI2wirE=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
-github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
-github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
-github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
-github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
-github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
-github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
-github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
-github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
-github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
-github.com/go-openapi/analysis v0.19.10 h1:5BHISBAXOc/aJK25irLZnx2D3s6WyYaY9D4gmuz9fdE=
-github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ=
-github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
-github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
-github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
-github.com/go-openapi/errors v0.19.3/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
-github.com/go-openapi/errors v0.19.6 h1:xZMThgv5SQ7SMbWtKFkCf9bBdvR2iEyw9k3zGZONuys=
-github.com/go-openapi/errors v0.19.6/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
-github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
-github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
-github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
-github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
-github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
-github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
-github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
-github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs=
-github.com/go-openapi/loads v0.19.3/go.mod h1:YVfqhUCdahYwR3f3iiwQLhicVRvLlU/WO5WPaZvcvSI=
-github.com/go-openapi/loads v0.19.5 h1:jZVYWawIQiA1NBnHla28ktg6hrcfTHsCE+3QLVRBIls=
-github.com/go-openapi/loads v0.19.5/go.mod h1:dswLCAdonkRufe/gSUC3gN8nTSaB9uaS2es0x5/IbjY=
-github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
-github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64=
-github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4=
-github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo=
-github.com/go-openapi/runtime v0.19.31 h1:GX+MgBxN12s/tQiHNJpvHDIoZiEXAz6j6Rqg0oJcnpg=
-github.com/go-openapi/runtime v0.19.31/go.mod h1:BvrQtn6iVb2QmiVXRsFAm6ZCAZBpbVKFfN6QWCp582M=
-github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
-github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
-github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
-github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
-github.com/go-openapi/spec v0.19.6/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk=
-github.com/go-openapi/spec v0.19.8 h1:qAdZLh1r6QF/hI/gTq+TJTvsQUodZsM7KLqkAJdiJNg=
-github.com/go-openapi/spec v0.19.8/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk=
-github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
-github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
-github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
-github.com/go-openapi/strfmt v0.19.2/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
-github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
-github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
-github.com/go-openapi/strfmt v0.19.5 h1:0utjKrw+BAh8s57XE9Xz8DUBsVvPmRUB6styvl9wWIM=
-github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
-github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
-github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
-github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.7/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY=
-github.com/go-openapi/swag v0.19.9 h1:1IxuqvBUU3S2Bi4YC7tlP9SJF1gVpCvqN0T2Qof4azE=
-github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY=
-github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
-github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
-github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo=
-github.com/go-openapi/validate v0.19.10 h1:tG3SZ5DC5KF4cyt7nqLVcQXGj5A7mpaYkAcNPlDK+Yk=
-github.com/go-openapi/validate v0.19.10/go.mod h1:RKEZTUWDkxKQxN2jDT7ZnZi2bhZlbNMAuKvKB+IaGx8=
-github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
-github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY=
-github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg=
-github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
-github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
-github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs=
-github.com/gobuffalo/flect v0.1.1/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI=
-github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI=
-github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk=
-github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28=
-github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo=
-github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk=
-github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw=
-github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360=
-github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg=
-github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE=
-github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8=
-github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc=
-github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc=
-github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4=
-github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4=
-github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ=
-github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0=
-github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
-github.com/goccy/go-json v0.7.6 h1:H0wq4jppBQ+9222sk5+hPLL25abZQiRuQ6YPnjO9c+A=
-github.com/goccy/go-json v0.7.6/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/hashicorp/consul/api v1.13.0/go.mod h1:ZlVrynguJKcYr54zGaDbaL3fOvKC9m72FhPvA8T35KQ=
+github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
 github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY=
 github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
+github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
@ -158,51 +132,63 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
+github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
+github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
+github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4=
 github.com/hashicorp/vault/api v1.0.4/go.mod h1:gDcqh3WGcR1cpF5AJz/B1UFheUEneMoIospckxBxk6Q=
 github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/hjson/hjson-go/v4 v4.0.0 h1:wlm6IYYqHjOdXH1gHev4VoXCaW20HdQAGCxdOEEg2cs=
+github.com/hjson/hjson-go/v4 v4.0.0/go.mod h1:KaYt3bTw3zhBjYqnXkYywcYctk0A2nxeEFTse3rH13E=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
-github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4=
-github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
-github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/knadh/koanf v1.2.3 h1:2Rkr0YhhYk+4QEOm800Q3Pu0Wi87svTxM6uuEb4WhYw=
-github.com/knadh/koanf v1.2.3/go.mod h1:xpPTwMhsA/aaQLAilyCCqfpEiY1gpa160AiCuWHJUjY=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/knadh/koanf v1.5.0 h1:q2TSd/3Pyc/5yP9ldIrSdIz26MCcyNQzW0pEAugLPNs=
+github.com/knadh/koanf v1.5.0/go.mod h1:Hgyjp4y8v44hpZtPzs7JZfRAW5AhN7KfZcwv1RYggDs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
 github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
-github.com/lestrrat-go/blackmagic v1.0.0 h1:XzdxDbuQTz0RZZEmdU7cnQxUtFUzgCSPq8RCz4BxIi4=
-github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
-github.com/lestrrat-go/codegen v1.0.1/go.mod h1:JhJw6OQAuPEfVKUCLItpaVLumDGWQznd1VaXrBk9TdM=
-github.com/lestrrat-go/httpcc v1.0.0 h1:FszVC6cKfDvBKcJv646+lkh4GydQg2Z29scgUfkOpYc=
-github.com/lestrrat-go/httpcc v1.0.0/go.mod h1:tGS/u00Vh5N6FHNkExqGGNId8e0Big+++0Gf8MBnAvE=
-github.com/lestrrat-go/iter v1.0.1 h1:q8faalr2dY6o8bV45uwrxq12bRa1ezKrB6oM9FUgN4A=
-github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc=
-github.com/lestrrat-go/jwx v1.2.6 h1:XAgfuHaOB7fDZ/6WhVgl8K89af768dU+3Nx4DlTbLIk=
-github.com/lestrrat-go/jwx v1.2.6/go.mod h1:tJuGuAI3LC71IicTx82Mz1n3w9woAs2bYJZpkjJQ5aU=
-github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4=
+github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=
+github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
+github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
+github.com/lestrrat-go/jwx v1.2.26 h1:4iFo8FPRZGDYe1t19mQP0zTRqA7n8HnJ5lkIiDvJcB0=
+github.com/lestrrat-go/jwx v1.2.26/go.mod h1:MaiCdGbn3/cckbOFSCluJlJMmp9dmZm5hDuIkx8ftpQ=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
-github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.7.1 h1:mdxE1MF9o53iCb2Ghj1VfWvh7ZOwHpnVG/xwXrV90U8=
-github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
-github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
-github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
+github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
+github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
@ -210,26 +196,28 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
-github.com/nicksnyder/go-i18n/v2 v2.1.2 h1:QHYxcUJnGHBaq7XbvgunmZ2Pn0focXFqTD61CkH146c=
-github.com/nicksnyder/go-i18n/v2 v2.1.2/go.mod h1:d++QJC9ZVf7pa48qrsRWhMJ5pSHIPmS3OLqK1niyLxs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/nicksnyder/go-i18n/v2 v2.2.1 h1:aOzRCdwsJuoExfZhoiXHy4bjruwCMdt5otbYojM/PaA=
+github.com/nicksnyder/go-i18n/v2 v2.2.1/go.mod h1:fF2++lPHlo+/kPaj3nB0uxtPwzlPm+BlgwGX7MkeGj0=
+github.com/npillmayer/nestext v0.1.3/go.mod h1:h2lrijH8jpicr25dFY+oAJLyzlya6jhnuG+zWp9L0Uk=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
-github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
+github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
-github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo=
-github.com/pelletier/go-toml v1.7.0 h1:7utD74fnzVc/cpcyy8sjrlFr5vYpypUixARcHIMIGuI=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
+github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
+github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@ -238,150 +226,240 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
+github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
+github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/rhnvrm/simples3 v0.6.1/go.mod h1:Y+3vYm2V7Y4VijFoJHHTrja6OgPrJ2cBti8dPGkC3sA=
-github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
-github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
-github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
-github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.mongodb.org/mongo-driver v1.3.0/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE=
-go.mongodb.org/mongo-driver v1.3.4 h1:zs/dKNwX0gYUtzwrN9lLiR15hCO0nDwQj5xXx+vjCdE=
-go.mongodb.org/mongo-driver v1.3.4/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
+go.etcd.io/etcd/client/pkg/v3 v3.5.4/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
+go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201217014255-9d1352758620 h1:3wPMTskHO3+O6jqTEXyFcsnuxMQOqYSaHsDxcbUXpqA=
-golang.org/x/crypto v0.0.0-20201217014255-9d1352758620/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be h1:vEDujvNQGv4jgYKudGeI/+DAX4Jffq6hpD55MmoEvKs=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
+golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190329151228-23e29df326fe/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190420181800-aa740d480789/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200918232735-d647fc253266/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
-golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/handlers/after_logout.go
+++ b/handlers/after_logout.go
@ -1,18 +1,18 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package handlers
@ -22,21 +22,24 @@ import (

 	"github.com/sirupsen/logrus"

-	"git.cacert.org/oidc_demo_app/services"
+	"code.cacert.org/cacert/oidc-demo-app/services"
 )

-type afterLogoutHandler struct {
+type AfterLogoutHandler struct {
 	logger *logrus.Logger
 }

-func (h *afterLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (h *AfterLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	session, err := services.GetSessionStore().Get(r, sessionName)
 	if err != nil {
 		h.logger.Errorf("could not get session: %v", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
+
 		return
 	}
+
 	session.Options.MaxAge = -1
+
 	if err = session.Save(r, w); err != nil {
 		h.logger.Errorf("could not save session: %v", err)
 	}
@ -45,6 +48,6 @@ func (h *afterLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusFound)
 }

-func NewAfterLogoutHandler(logger *logrus.Logger) *afterLogoutHandler {
-	return &afterLogoutHandler{logger: logger}
+func NewAfterLogoutHandler(logger *logrus.Logger) *AfterLogoutHandler {
+	return &AfterLogoutHandler{logger: logger}
 }
--- a/handlers/common.go
+++ b/handlers/common.go
@ -1,26 +1,28 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

-     http://www.apache.org/licenses/LICENSE-2.0
+    https://www.apache.org/licenses/LICENSE-2.0

- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package handlers

 import (
 	"bytes"
-	"context"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"net/http"
 	"net/url"

@ -28,44 +30,59 @@ import (
 	"github.com/lestrrat-go/jwx/jwt"
 	"github.com/lestrrat-go/jwx/jwt/openid"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"

-	"git.cacert.org/oidc_demo_app/models"
-	"git.cacert.org/oidc_demo_app/services"
+	"code.cacert.org/cacert/oidc-demo-app/models"
+	"code.cacert.org/cacert/oidc-demo-app/services"
 )

-const sessionName = "resource_session"
+const (
+	sessionName = "resource_session"

-func Authenticate(ctx context.Context, logger *log.Logger, clientId string) func(http.Handler) http.Handler {
+	oauth2RedirectStateLength = 8
+)
+
+func Authenticate(logger *log.Logger, oauth2Config *oauth2.Config, clientID string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			session, err := services.GetSessionStore().Get(r, sessionName)
 			if err != nil {
 				http.Error(w, err.Error(), http.StatusInternalServerError)
+
 				return
 			}
-			if _, ok := session.Values[sessionKeyIdToken]; ok {
+
+			if _, ok := session.Values[sessionKeyIDToken]; ok {
 				next.ServeHTTP(w, r)
+
 				return
 			}
+
 			session.Values[sessionRedirectTarget] = r.URL.String()
+
 			if err = session.Save(r, w); err != nil {
 				http.Error(w, err.Error(), http.StatusInternalServerError)
+
 				return
 			}
-			var authUrl *url.URL
-			if authUrl, err = url.Parse(services.GetOAuth2Config(ctx).Endpoint.AuthURL); err != nil {
+
+			var authURL *url.URL
+
+			if authURL, err = url.Parse(oauth2Config.Endpoint.AuthURL); err != nil {
 				http.Error(w, err.Error(), http.StatusInternalServerError)
+
 				return
 			}
-			queryValues := authUrl.Query()
-			queryValues.Set("client_id", clientId)
+
+			queryValues := authURL.Query()
+			queryValues.Set("client_id", clientID)
 			queryValues.Set("response_type", "code")
 			queryValues.Set("scope", "openid offline_access profile email")
-			queryValues.Set("state", base64.URLEncoding.EncodeToString(services.GenerateKey(8)))
+			queryValues.Set("state", base64.URLEncoding.EncodeToString(services.GenerateKey(oauth2RedirectStateLength)))
 			queryValues.Set("claims", getRequestedClaims(logger))
-			authUrl.RawQuery = queryValues.Encode()
+			authURL.RawQuery = queryValues.Encode()

-			w.Header().Set("Location", authUrl.String())
+			w.Header().Set("Location", authURL.String())
 			w.WriteHeader(http.StatusFound)
 		})
 	}
@ -76,21 +93,32 @@ func getRequestedClaims(logger *log.Logger) string {
 	claims["userinfo"] = make(models.ClaimElement)
 	essentialItem := make(models.IndividualClaimRequest)
 	essentialItem["essential"] = true
-	claims["userinfo"]["https://cacert.localhost/groups"] = &essentialItem
+	claims["userinfo"]["https://auth.cacert.org/groups"] = &essentialItem

 	target := make([]byte, 0)
 	buf := bytes.NewBuffer(target)
 	enc := json.NewEncoder(buf)
+
 	if err := enc.Encode(claims); err != nil {
-		logger.Warnf("could not encode claims request parameter: %v", err)
+		logger.WithError(err).Warn("could not encode claims request parameter")
 	}
+
 	return buf.String()
 }

-func ParseIdToken(token string, keySet jwk.Set) (openid.Token, error) {
-	if parsedIdToken, err := jwt.ParseString(token, jwt.WithKeySet(keySet), jwt.WithToken(openid.New())); err != nil {
-		return nil, err
-	} else {
-		return parsedIdToken.(openid.Token), nil
+func ParseIDToken(token string, keySet jwk.Set) (openid.Token, error) {
+	var (
+		parsedIDToken jwt.Token
+		err           error
+	)
+
+	if parsedIDToken, err = jwt.ParseString(token, jwt.WithKeySet(keySet), jwt.WithToken(openid.New())); err != nil {
+		return nil, fmt.Errorf("could not parse ID token: %w", err)
+	}
+
+	if v, ok := parsedIDToken.(openid.Token); ok {
+		return v, nil
 	}
+
+	return nil, errors.New("ID token is no OpenID Connect Identity Token")
 }
--- a/handlers/errors.go
+++ b/handlers/errors.go
@ -1,31 +1,33 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package handlers

 import (
 	"context"
+	"fmt"
 	"html/template"
+	"io/fs"
 	"net/http"
-	"path"

-	"git.cacert.org/oidc_demo_app/services"
 	"github.com/nicksnyder/go-i18n/v2/i18n"
 	log "github.com/sirupsen/logrus"
+
+	"code.cacert.org/cacert/oidc-demo-app/services"
 )

 type errorKey int
@ -53,6 +55,7 @@ func (b *ErrorBucket) serveHTTP(w http.ResponseWriter, r *http.Request) {
 	if b.errorDetails != nil {
 		accept := r.Header.Get("Accept-Language")
 		localizer := i18n.NewLocalizer(b.bundle, accept)
+
 		err := b.templates.Lookup("base").Execute(w, map[string]interface{}{
 			"Title": b.messageCatalog.LookupMessage(
 				"ErrorTitle",
@ -62,7 +65,7 @@ func (b *ErrorBucket) serveHTTP(w http.ResponseWriter, r *http.Request) {
 			"details": b.errorDetails,
 		})
 		if err != nil {
-			log.Errorf("error rendering error template: %v", err)
+			log.WithError(err).Error("error rendering error template")
 			http.Error(
 				w,
 				http.StatusText(http.StatusInternalServerError),
@ -73,79 +76,89 @@ func (b *ErrorBucket) serveHTTP(w http.ResponseWriter, r *http.Request) {
 }

 func GetErrorBucket(r *http.Request) *ErrorBucket {
-	return r.Context().Value(errorBucketKey).(*ErrorBucket)
+	if v, ok := r.Context().Value(errorBucketKey).(*ErrorBucket); ok {
+		return v
+	}
+
+	return nil
 }

-// call this from your application's handler
+// AddError can be called from an application handler to add an error
 func (b *ErrorBucket) AddError(details *ErrorDetails) {
 	b.errorDetails = details
 }

 type errorResponseWriter struct {
 	http.ResponseWriter
-	ctx        context.Context
-	statusCode int
+	errorBucket *ErrorBucket
+	statusCode  int
 }

 func (w *errorResponseWriter) WriteHeader(code int) {
 	w.statusCode = code
-	if code >= 400 {
+
+	if code >= http.StatusBadRequest {
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
-		errorBucket := w.ctx.Value(errorBucketKey).(*ErrorBucket)
-		if errorBucket != nil && errorBucket.errorDetails == nil {
-			errorBucket.AddError(&ErrorDetails{
+
+		if w.errorBucket != nil && w.errorBucket.errorDetails == nil {
+			w.errorBucket.AddError(&ErrorDetails{
 				ErrorMessage: http.StatusText(code),
 			})
 		}
 	}
+
 	w.ResponseWriter.WriteHeader(code)
 }

 func (w *errorResponseWriter) Write(content []byte) (int, error) {
-	if w.statusCode > 400 {
-		errorBucket := w.ctx.Value(errorBucketKey).(*ErrorBucket)
-		if errorBucket != nil {
-			if errorBucket.errorDetails.ErrorDetails == nil {
-				errorBucket.errorDetails.ErrorDetails = make([]string, 0)
+	if w.statusCode > http.StatusBadRequest {
+		if w.errorBucket != nil {
+			if w.errorBucket.errorDetails.ErrorDetails == nil {
+				w.errorBucket.errorDetails.ErrorDetails = make([]string, 0)
 			}
-			errorBucket.errorDetails.ErrorDetails = append(
-				errorBucket.errorDetails.ErrorDetails, string(content),
+
+			w.errorBucket.errorDetails.ErrorDetails = append(
+				w.errorBucket.errorDetails.ErrorDetails, string(content),
 			)
+
 			return len(content), nil
 		}
 	}
-	return w.ResponseWriter.Write(content)
+
+	l, err := w.ResponseWriter.Write(content)
+	if err != nil {
+		return l, fmt.Errorf("could not write to response: %w", err)
+	}
+
+	return l, nil
 }

 func ErrorHandling(
-	handlerContext context.Context,
 	logger *log.Logger,
-	templateBaseDir string,
+	templateFS fs.FS,
+	bundle *i18n.Bundle,
+	messageCatalog *services.MessageCatalog,
 ) (func(http.Handler) http.Handler, error) {
-	errorTemplates, err := template.ParseFiles(
-		path.Join(templateBaseDir, "base.gohtml"),
-		path.Join(templateBaseDir, "errors.gohtml"),
+	errorTemplates, err := template.ParseFS(
+		templateFS,
+		"templates/base.gohtml",
+		"templates/errors.gohtml",
 	)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("could not parse templates: %w", err)
 	}
+
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			errorBucket := &ErrorBucket{
 				templates:      errorTemplates,
 				logger:         logger,
-				bundle:         services.GetI18nBundle(handlerContext),
-				messageCatalog: services.GetMessageCatalog(handlerContext),
-			}
-			ctx := context.WithValue(r.Context(), errorBucketKey, errorBucket)
-			interCeptingResponseWriter := &errorResponseWriter{
-				w,
-				ctx,
-				http.StatusOK,
+				bundle:         bundle,
+				messageCatalog: messageCatalog,
 			}
 			next.ServeHTTP(
-				interCeptingResponseWriter,
-				r.WithContext(ctx),
+				&errorResponseWriter{w, errorBucket, http.StatusOK},
+				r.WithContext(context.WithValue(r.Context(), errorBucketKey, errorBucket)),
 			)
 			errorBucket.serveHTTP(w, r)
 		})
--- a/handlers/index.go
+++ b/handlers/index.go
@ -1,113 +1,137 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package handlers

 import (
-	"context"
 	"fmt"
 	"html/template"
+	"io/fs"
 	"net/http"
 	"net/url"

 	"github.com/lestrrat-go/jwx/jwk"
 	"github.com/nicksnyder/go-i18n/v2/i18n"

-	"git.cacert.org/oidc_demo_app/services"
+	"code.cacert.org/cacert/oidc-demo-app/services"
 )

-type indexHandler struct {
+type IndexHandler struct {
 	bundle         *i18n.Bundle
 	indexTemplate  *template.Template
 	keySet         jwk.Set
-	logoutUrl      string
+	logoutURL      string
 	messageCatalog *services.MessageCatalog
-	serverAddr     string
+	publicURL      string
 }

-func (h *indexHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
+func (h *IndexHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 	if request.Method != http.MethodGet {
 		http.Error(writer, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
+
 		return
 	}
+
 	if request.URL.Path != "/" {
 		http.NotFound(writer, request)
+
 		return
 	}
+
 	accept := request.Header.Get("Accept-Language")
 	localizer := i18n.NewLocalizer(h.bundle, accept)
+
 	writer.WriteHeader(http.StatusOK)

 	session, err := services.GetSessionStore().Get(request, sessionName)
 	if err != nil {
 		http.Error(writer, err.Error(), http.StatusInternalServerError)
+
 		return
 	}

-	logoutUrl, err := url.Parse(h.logoutUrl)
+	logoutURL, err := url.Parse(h.logoutURL)
 	if err != nil {
 		http.Error(writer, err.Error(), http.StatusInternalServerError)
+
 		return
 	}
-	var idToken string
-	var ok bool
-	if idToken, ok = session.Values[sessionKeyIdToken].(string); ok {
-		logoutUrl.RawQuery = url.Values{
+
+	var (
+		idToken string
+		ok      bool
+	)
+
+	if idToken, ok = session.Values[sessionKeyIDToken].(string); ok {
+		logoutURL.RawQuery = url.Values{
 			"id_token_hint":            []string{idToken},
-			"post_logout_redirect_uri": []string{fmt.Sprintf("https://%s/after-logout", h.serverAddr)},
+			"post_logout_redirect_uri": []string{fmt.Sprintf("%s/after-logout", h.publicURL)},
 		}.Encode()
 	} else {
 		return
 	}

-	oidcToken, err := ParseIdToken(idToken, h.keySet)
+	oidcToken, err := ParseIDToken(idToken, h.keySet)
 	if err != nil {
 		http.Error(writer, err.Error(), http.StatusInternalServerError)
+
 		return
 	}

 	writer.Header().Add("Content-Type", "text/html")
+
+	msgLookup := h.messageCatalog.LookupMessage
+
 	err = h.indexTemplate.Lookup("base").Execute(writer, map[string]interface{}{
-		"Title": h.messageCatalog.LookupMessage("IndexTitle", nil, localizer),
-		"Greeting": h.messageCatalog.LookupMessage("IndexGreeting", map[string]interface{}{
+		"Title": msgLookup("IndexTitle", nil, localizer),
+		"Greeting": msgLookup("IndexGreeting", map[string]interface{}{
 			"User": oidcToken.Name(),
 		}, localizer),
-		"IntroductionText": h.messageCatalog.LookupMessage("IndexIntroductionText", nil, localizer),
-		"LogoutLabel":      h.messageCatalog.LookupMessage("LogoutLabel", nil, localizer),
-		"LogoutURL":        logoutUrl.String(),
+		"IntroductionText": msgLookup("IndexIntroductionText", nil, localizer),
+		"LogoutLabel":      msgLookup("LogoutLabel", nil, localizer),
+		"LogoutURL":        logoutURL.String(),
 	})
 	if err != nil {
 		http.Error(writer, err.Error(), http.StatusInternalServerError)
+
 		return
 	}
 }

-func NewIndexHandler(ctx context.Context, serverAddr string) (*indexHandler, error) {
-	indexTemplate, err := template.ParseFiles(
+func NewIndexHandler(
+	bundle *i18n.Bundle,
+	catalog *services.MessageCatalog,
+	templateFS fs.FS,
+	oidcInfo *services.OIDCInformation,
+	publicURL string,
+) (*IndexHandler, error) {
+	indexTemplate, err := template.ParseFS(
+		templateFS,
 		"templates/base.gohtml", "templates/index.gohtml")
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("could not parse templates: %w", err)
 	}
-	return &indexHandler{
-		bundle:         services.GetI18nBundle(ctx),
+
+	return &IndexHandler{
+		bundle:         bundle,
 		indexTemplate:  indexTemplate,
-		keySet:         services.GetJwkSet(ctx),
-		logoutUrl:      services.GetOidcConfig(ctx).EndSessionEndpoint,
-		messageCatalog: services.GetMessageCatalog(ctx),
-		serverAddr:     serverAddr,
+		keySet:         oidcInfo.KeySet,
+		logoutURL:      oidcInfo.OIDCConfiguration.EndSessionEndpoint,
+		messageCatalog: catalog,
+		publicURL:      publicURL,
 	}, nil
 }
--- a/handlers/observability.go
+++ b/handlers/observability.go
@ -1,24 +1,25 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package handlers

 import (
 	"context"
+	"fmt"
 	"net/http"
 	"sync/atomic"

@ -28,7 +29,7 @@ import (
 type key int

 const (
-	requestIdKey key = iota
+	keyRequestID key = iota
 )

 type statusCodeInterceptor struct {
@ -45,7 +46,12 @@ func (sci *statusCodeInterceptor) WriteHeader(code int) {
 func (sci *statusCodeInterceptor) Write(content []byte) (int, error) {
 	count, err := sci.ResponseWriter.Write(content)
 	sci.count += count
-	return count, err
+
+	if err != nil {
+		return count, fmt.Errorf("%w", err)
+	}
+
+	return count, nil
 }

 func Logging(logger *log.Logger) func(http.Handler) http.Handler {
@ -53,13 +59,14 @@ func Logging(logger *log.Logger) func(http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			interceptor := &statusCodeInterceptor{w, http.StatusOK, 0}
 			defer func() {
-				requestId, ok := r.Context().Value(requestIdKey).(string)
+				requestID, ok := r.Context().Value(keyRequestID).(string)
 				if !ok {
-					requestId = "unknown"
+					requestID = "unknown"
 				}
+
 				logger.Infof(
-					"%s %s \"%s %s\" %d %d \"%s\"",
-					requestId,
+					"[%s] %s \"%s %s\" %d %d \"%s\"",
+					requestID,
 					r.RemoteAddr,
 					r.Method,
 					r.URL.Path,
@ -73,16 +80,16 @@ func Logging(logger *log.Logger) func(http.Handler) http.Handler {
 	}
 }

-func Tracing(nextRequestId func() string) func(http.Handler) http.Handler {
+func Tracing(nextRequestID func() string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			requestId := r.Header.Get("X-Request-Id")
-			if requestId == "" {
-				requestId = nextRequestId()
+			requestID := r.Header.Get("X-Request-Id")
+			if requestID == "" {
+				requestID = nextRequestID()
 			}
-			ctx := context.WithValue(r.Context(), requestIdKey, requestId)
-			w.Header().Set("X-Request-Id", requestId)
-			next.ServeHTTP(w, r.WithContext(ctx))
+
+			w.Header().Set("X-Request-Id", requestID)
+			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), keyRequestID, requestID)))
 		})
 	}
 }
@ -93,8 +100,10 @@ func NewHealthHandler() http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if atomic.LoadInt32(&Healthy) == 1 {
 			w.WriteHeader(http.StatusNoContent)
+
 			return
 		}
+
 		w.WriteHeader(http.StatusServiceUnavailable)
 	})
 }
--- a/handlers/oidc_callback.go
+++ b/handlers/oidc_callback.go
@ -1,137 +1,168 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package handlers

 import (
-	"context"
+	"fmt"
 	"net/http"

-	"github.com/go-openapi/runtime/client"
+	"github.com/gorilla/sessions"
 	"github.com/lestrrat-go/jwx/jwk"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"

-	"git.cacert.org/oidc_demo_app/services"
+	"code.cacert.org/cacert/oidc-demo-app/services"
 )

 const (
 	sessionKeyAccessToken = iota
 	sessionKeyRefreshToken
-	sessionKeyIdToken
+	sessionKeyIDToken
 	sessionRedirectTarget
 )

-type oidcCallbackHandler struct {
+type OidcCallbackHandler struct {
 	keySet       jwk.Set
 	logger       *log.Logger
 	oauth2Config *oauth2.Config
 }

-func (c *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (c *OidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		w.WriteHeader(http.StatusMethodNotAllowed)
+
 		return
 	}
+
 	if r.URL.Path != "/callback" {
 		http.NotFound(w, r)
+
 		return
 	}

 	errorText := r.URL.Query().Get("error")
 	errorDescription := r.URL.Query().Get("error_description")
-	if errorText != "" {
-		errorDetails := &ErrorDetails{
-			ErrorMessage: errorText,
-		}
-		if errorDescription != "" {
-			errorDetails.ErrorDetails = []string{errorDescription}
-		}
-		GetErrorBucket(r).AddError(errorDetails)
-		return
-	}
-
 	code := r.URL.Query().Get("code")

-	ctx := context.Background()
-	httpClient, err := client.TLSClient(client.TLSClientOptions{InsecureSkipVerify: true})
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+	if c.handleCallbackError(errorText, errorDescription, r) {
+		return
+	}

-	tok, err := c.oauth2Config.Exchange(ctx, code)
+	tok, err := c.oauth2Config.Exchange(r.Context(), code)
 	if err != nil {
-		c.logger.Error(err)
+		c.logger.WithError(err).Error("could not perform token exchange")
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
 		return
 	}

 	session, err := services.GetSessionStore().Get(r, "resource_session")
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		c.logger.WithError(err).Error("could not get session store")
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
 		return
 	}

-	session.Values[sessionKeyAccessToken] = tok.AccessToken
-	session.Values[sessionKeyRefreshToken] = tok.RefreshToken
+	if err = c.storeTokens(session, tok); err != nil {
+		c.logger.WithError(err).Error("could not store token in session")

-	idToken := tok.Extra("id_token").(string)
-	session.Values[sessionKeyIdToken] = idToken
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)

-	if oidcToken, err := ParseIdToken(idToken, c.keySet); err != nil {
-		c.logger.Error(err)
-		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
-	} else {
-		c.logger.Debugf(`
-ID Token
-========
-
-Subject:          %s
-Audience:         %s
-Issued at:        %s
-Issued by:        %s
-Not valid before: %s
-Not valid after:  %s
-
-`,
-			oidcToken.Subject(),
-			oidcToken.Audience(),
-			oidcToken.IssuedAt(),
-			oidcToken.Issuer(),
-			oidcToken.NotBefore(),
-			oidcToken.Expiration(),
-		)
 	}

 	if err = session.Save(r, w); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		c.logger.WithError(err).Error("could not save session")
+
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
 	}
+
 	if redirectTarget, ok := session.Values[sessionRedirectTarget]; ok {
-		w.Header().Set("Location", redirectTarget.(string))
-	} else {
-		w.Header().Set("Location", "/")
+		if v, ok := redirectTarget.(string); ok {
+			w.Header().Set("Location", v)
+			w.WriteHeader(http.StatusFound)
+
+			return
+		}
 	}

+	w.Header().Set("Location", "/")
 	w.WriteHeader(http.StatusFound)
 }

-func NewCallbackHandler(ctx context.Context, logger *log.Logger) *oidcCallbackHandler {
-	return &oidcCallbackHandler{
-		keySet:       services.GetJwkSet(ctx),
+func (c *OidcCallbackHandler) handleCallbackError(errorText string, errorDescription string, r *http.Request) bool {
+	if errorText != "" {
+		errorDetails := &ErrorDetails{
+			ErrorMessage: errorText,
+		}
+
+		if errorDescription != "" {
+			errorDetails.ErrorDetails = []string{errorDescription}
+		}
+
+		GetErrorBucket(r).AddError(errorDetails)
+
+		return true
+	}
+
+	return false
+}
+
+func (c *OidcCallbackHandler) storeTokens(
+	session *sessions.Session,
+	tok *oauth2.Token,
+) error {
+	session.Values[sessionKeyAccessToken] = tok.AccessToken
+	session.Values[sessionKeyRefreshToken] = tok.RefreshToken
+
+	idTokenValue := tok.Extra("id_token")
+
+	idToken, ok := idTokenValue.(string)
+	if !ok {
+		return fmt.Errorf("ID token value %v is not a string", idTokenValue)
+	}
+
+	session.Values[sessionKeyIDToken] = idToken
+
+	oidcToken, err := ParseIDToken(idToken, c.keySet)
+	if err != nil {
+		return fmt.Errorf("could not parse ID token: %w", err)
+	}
+
+	c.logger.WithFields(log.Fields{
+		"sub":        oidcToken.Subject(),
+		"aud":        oidcToken.Audience(),
+		"issued_at":  oidcToken.IssuedAt(),
+		"iss":        oidcToken.Issuer(),
+		"not_before": oidcToken.NotBefore(),
+		"exp":        oidcToken.Expiration(),
+	}).Debug("receive OpenID Connect ID Token")
+
+	return nil
+}
+
+func NewCallbackHandler(logger *log.Logger, keySet jwk.Set, oauth2Config *oauth2.Config) *OidcCallbackHandler {
+	return &OidcCallbackHandler{
+		keySet:       keySet,
 		logger:       logger,
-		oauth2Config: services.GetOAuth2Config(ctx),
+		oauth2Config: oauth2Config,
 	}
 }
--- a/handlers/security.go
+++ b/handlers/security.go
@ -1,18 +1,18 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package handlers
@ -23,10 +23,12 @@ import (
 	"time"
 )

+const hstsMaxAge = time.Hour * 24 * 180
+
 func EnableHSTS() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", int((time.Hour*24*180).Seconds())))
+			w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", int(hstsMaxAge.Seconds())))
 			next.ServeHTTP(w, r)
 		})
 	}
--- a/handlers/startup.go
+++ b/handlers/startup.go
@ -1,24 +1,25 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package handlers

 import (
 	"context"
+	"errors"
 	"net/http"
 	"os"
 	"os/signal"
@ -29,7 +30,13 @@ import (
 	"github.com/sirupsen/logrus"
 )

-func StartApplication(logger *logrus.Logger, ctx context.Context, server *http.Server, config *koanf.Koanf) {
+func StartApplication(
+	ctx context.Context,
+	logger *logrus.Logger,
+	server *http.Server,
+	publicURL string,
+	config *koanf.Koanf,
+) {
 	done := make(chan bool)
 	quit := make(chan os.Signal, 1)
 	signal.Notify(quit, os.Interrupt)
@ -39,21 +46,27 @@ func StartApplication(logger *logrus.Logger, ctx context.Context, server *http.S
 		logger.Infoln("Server is shutting down...")
 		atomic.StoreInt32(&Healthy, 0)

-		ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+		const shutdownWaitTime = 30 * time.Second
+
+		ctx, cancel := context.WithTimeout(ctx, shutdownWaitTime)
+
 		defer cancel()

 		server.SetKeepAlivesEnabled(false)
+
 		if err := server.Shutdown(ctx); err != nil {
 			logger.Fatalf("Could not gracefully shutdown the server: %v\n", err)
 		}
+
 		close(done)
 	}()

-	logger.Infof("Server is ready to handle requests at https://%s/", server.Addr)
+	logger.WithField("public_url", publicURL).Info("Server is ready to handle requests")
 	atomic.StoreInt32(&Healthy, 1)
+
 	if err := server.ListenAndServeTLS(
 		config.String("server.certificate"), config.String("server.key"),
-	); err != nil && err != http.ErrServerClosed {
+	); err != nil && !errors.Is(err, http.ErrServerClosed) {
 		logger.Fatalf("Could not listen on %s: %v\n", server.Addr, err)
 	}

--- a/models/oidc.go
+++ b/models/oidc.go
@ -1,28 +1,26 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

-/*
-This package contains data models.
-*/
+// Package models contains data models.
 package models

-// An individual claim request.
+// IndividualClaimRequest represents an individual OpenID Connect claim request.
 //
-// Specification
+// # Specification
 //
 // https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
 type IndividualClaimRequest map[string]interface{}
@ -32,14 +30,14 @@ type ClaimElement map[string]*IndividualClaimRequest

 // OIDCClaimsRequest the claims request parameter sent with the authorization request.
 //
-// Specification
+// # Specification
 //
 // https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
 type OIDCClaimsRequest map[string]ClaimElement

 // GetUserInfo extracts the userinfo claim element from the request.
 //
-// Specification
+// # Specification
 //
 // https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
 //
@ -56,12 +54,13 @@ func (r OIDCClaimsRequest) GetUserInfo() *ClaimElement {
 	if userInfo, ok := r["userinfo"]; ok {
 		return &userInfo
 	}
+
 	return nil
 }

 // GetIDToken extracts the id_token claim element from the request.
 //
-// Specification
+// # Specification
 //
 // https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
 //
@ -75,12 +74,13 @@ func (r OIDCClaimsRequest) GetIDToken() *ClaimElement {
 	if idToken, ok := r["id_token"]; ok {
 		return &idToken
 	}
+
 	return nil
 }

-// Checks whether the individual claim is an essential claim.
+// IsEssential checks whether the individual claim is an essential claim.
 //
-// Specification
+// # Specification
 //
 // https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
 //
@ -88,7 +88,7 @@ func (r OIDCClaimsRequest) GetIDToken() *ClaimElement {
 // value is true, this indicates that the Claim is an Essential Claim. For
 // instance, the Claim request:
 //
-//   "auth_time": {"essential": true}
+//	"auth_time": {"essential": true}
 //
 // can be used to specify that it is Essential to return an auth_time Claim
 // Value. If the value is false, it indicates that it is a Voluntary Claim.
@ -99,27 +99,30 @@ func (r OIDCClaimsRequest) GetIDToken() *ClaimElement {
 // specific task requested by the End-User.
 //
 // Note that even if the Claims are not available because the End-User did not
-// authorize their release or they are not present, the Authorization Server
+// authorize their release, or they are not present, the Authorization Server
 // MUST NOT generate an error when Claims are not returned, whether they are
 // Essential or Voluntary, unless otherwise specified in the description of
 // the specific claim.
 func (i IndividualClaimRequest) IsEssential() bool {
 	if essential, ok := i["essential"]; ok {
-		return essential.(bool)
+		if v, ok := essential.(bool); ok {
+			return v
+		}
 	}
+
 	return false
 }

-// Returns the wanted value for an individual claim request.
+// WantedValue returns the wanted value for an individual claim request.
 //
-// Specification
+// # Specification
 //
 // https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
 //
 // Requests that the Claim be returned with a particular value. For instance
 // the Claim request:
 //
-//   "sub": {"value": "248289761001"}
+//	"sub": {"value": "248289761001"}
 //
 // can be used to specify that the request apply to the End-User with Subject
 // Identifier 248289761001. The value of the value member MUST be a valid
@ -128,25 +131,27 @@ func (i IndividualClaimRequest) IsEssential() bool {
 // when requesting that Claim.
 func (i IndividualClaimRequest) WantedValue() *string {
 	if value, ok := i["value"]; ok {
-		valueString := value.(string)
-		return &valueString
+		if valueString, ok := value.(string); ok {
+			return &valueString
+		}
 	}
+
 	return nil
 }

-// Get the allowed values for an individual claim request that specifies
+// AllowedValues gets the allowed values for an individual claim request that specifies
 // a values field.
 //
-// Specification
+// # Specification
 //
 // https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
 //
 // Requests that the Claim be returned with one of a set of values, with the
 // values appearing in order of preference. For instance the Claim request:
 //
-//   "acr": {"essential": true,
-//           "values": ["urn:mace:incommon:iap:silver",
-//                      "urn:mace:incommon:iap:bronze"]}
+//	"acr": {"essential": true,
+//	        "values": ["urn:mace:incommon:iap:silver",
+//	                   "urn:mace:incommon:iap:bronze"]}
 //
 // specifies that it is Essential that the acr Claim be returned with either
 // the value urn:mace:incommon:iap:silver or urn:mace:incommon:iap:bronze.
@ -156,15 +161,18 @@ func (i IndividualClaimRequest) WantedValue() *string {
 // Claim.
 func (i IndividualClaimRequest) AllowedValues() []string {
 	if values, ok := i["values"]; ok {
-		return values.([]string)
+		if v, ok := values.([]string); ok {
+			return v
+		}
 	}
+
 	return nil
 }

 // OpenIDConfiguration contains the parts of the OpenID discovery information
 // that are relevant for us.
 //
-// Specifications
+// # Specifications
 //
 // https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
 //
@ -174,7 +182,7 @@ type OpenIDConfiguration struct {
 	AuthorizationEndpoint string   `json:"authorization_endpoint"`
 	TokenEndpoint         string   `json:"token_endpoint"`
 	UserInfoEndpoint      string   `json:"userinfo_endpoint"`
-	JwksUri               string   `json:"jwks_uri"`
+	JwksURI               string   `json:"jwks_uri"`
 	RegistrationEndpoint  string   `json:"registration_endpoint"`
 	ScopesSupported       []string `json:"scopes_supported"`
 	EndSessionEndpoint    string   `json:"end_session_endpoint"`
--- a/services/configuration.go
+++ b/services/configuration.go
@ -1,18 +1,18 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package services
@ -32,6 +32,19 @@ import (
 	"github.com/spf13/pflag"
 )

+const defaultServerPort = 4000
+
+var DefaultConfiguration = map[string]interface{}{
+	"server.bind_address": "",
+	"server.name":         "app.cacert.localhost",
+	"server.port":         defaultServerPort,
+	"server.key":          "certs/app.cacert.localhost.key",
+	"server.certificate":  "certs/app.cacert.localhost.crt.pem",
+	"oidc.server":         "https://auth.cacert.localhost:4444/",
+	"session.path":        "sessions/app",
+	"i18n.languages":      []string{"en", "de"},
+}
+
 func ConfigureApplication(
 	logger *logrus.Logger,
 	appName string,
@ -39,7 +52,8 @@ func ConfigureApplication(
 ) (*koanf.Koanf, error) {
 	f := pflag.NewFlagSet("config", pflag.ContinueOnError)
 	f.Usage = func() {
-		fmt.Println(f.FlagUsages())
+		logger.Info(f.FlagUsages())
+
 		os.Exit(0)
 	}
 	f.StringSlice(
@ -47,36 +61,42 @@ func ConfigureApplication(
 		[]string{fmt.Sprintf("%s.toml", strings.ToLower(appName))},
 		"path to one or more .toml files",
 	)
+
 	var err error

 	if err = f.Parse(os.Args[1:]); err != nil {
-		logger.Fatal(err)
+		logger.WithError(err).Fatal("could not parse command line arguments")
 	}

 	config := koanf.New(".")

 	_ = config.Load(confmap.Provider(defaultConfig, "."), nil)
+
 	cFiles, _ := f.GetStringSlice("conf")
 	for _, c := range cFiles {
-		if err := config.Load(file.Provider(c), toml.Parser()); err != nil {
-			logger.Fatalf("error loading config file: %s", err)
+		if err = config.Load(file.Provider(c), toml.Parser()); err != nil {
+			logger.WithError(err).WithField("file", c).Fatal("error loading configuration from file")
 		}
 	}
-	if err := config.Load(posflag.Provider(f, ".", config), nil); err != nil {
-		logger.Fatalf("error loading configuration: %s", err)
+
+	if err = config.Load(posflag.Provider(f, ".", config), nil); err != nil {
+		logger.WithError(err).Fatal("error loading configuration from command line")
 	}
-	if err := config.Load(
+
+	if err = config.Load(
 		file.Provider("resource_app.toml"),
 		toml.Parser(),
 	); err != nil && !os.IsNotExist(err) {
-		logrus.Fatalf("error loading config: %v", err)
+		logrus.WithError(err).Fatal("error loading configuration from resource_app.toml")
 	}
+
 	prefix := fmt.Sprintf("%s_", strings.ToUpper(appName))
-	if err := config.Load(env.Provider(prefix, ".", func(s string) string {
-		return strings.Replace(strings.ToLower(
-			strings.TrimPrefix(s, prefix)), "_", ".", -1)
+
+	if err = config.Load(env.Provider(prefix, ".", func(s string) string {
+		return strings.ReplaceAll(strings.ToLower(strings.TrimPrefix(s, prefix)), "_", ".")
 	}), nil); err != nil {
-		logrus.Fatalf("error loading config: %v", err)
+		logrus.WithError(err).Fatal("error loading configuration from environment")
 	}
-	return config, err
+
+	return config, nil
 }
--- a/services/i18n.go
+++ b/services/i18n.go
@ -1,34 +1,36 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package services

 import (
-	"context"
+	"errors"
 	"fmt"

 	"github.com/nicksnyder/go-i18n/v2/i18n"
 	"golang.org/x/text/language"

+	"code.cacert.org/cacert/oidc-demo-app/translations"
+
 	"github.com/BurntSushi/toml"
 	log "github.com/sirupsen/logrus"
 )

-func AddMessages(ctx context.Context) {
+func AddMessages(catalog *MessageCatalog) {
 	messages := make(map[string]*i18n.Message)
 	messages["IndexGreeting"] = &i18n.Message{
 		ID:    "IndexGreeting",
@ -47,15 +49,9 @@ func AddMessages(ctx context.Context) {
 		ID:    "IndexIntroductionText",
 		Other: "This is an authorization protected resource",
 	}
-	GetMessageCatalog(ctx).AddMessages(messages)
-}

-type contextKey int
-
-const (
-	ctxI18nBundle contextKey = iota
-	ctxI18nCatalog
-)
+	catalog.AddMessages(messages)
+}

 type MessageCatalog struct {
 	messages map[string]*i18n.Message
@ -68,17 +64,24 @@ func (m *MessageCatalog) AddMessages(messages map[string]*i18n.Message) {
 	}
 }

-func (m *MessageCatalog) LookupErrorMessage(tag string, field string, value interface{}, localizer *i18n.Localizer) string {
-	var message *i18n.Message
+func (m *MessageCatalog) LookupErrorMessage(
+	tag string,
+	field string,
+	value interface{},
+	localizer *i18n.Localizer,
+) string {
 	message, ok := m.messages[fmt.Sprintf("%s-%s", field, tag)]
 	if !ok {
 		m.logger.Infof("no specific error message %s-%s", field, tag)
+
 		message, ok = m.messages[tag]
 		if !ok {
 			m.logger.Infof("no specific error message %s", tag)
+
 			message, ok = m.messages["unknown"]
 			if !ok {
 				m.logger.Warnf("no default translation found")
+
 				return tag
 			}
 		}
@ -92,50 +95,71 @@ func (m *MessageCatalog) LookupErrorMessage(tag string, field string, value inte
 	})
 	if err != nil {
 		m.logger.Error(err)
+
 		return tag
 	}
+
 	return translation
 }

-func (m *MessageCatalog) LookupMessage(id string, templateData map[string]interface{}, localizer *i18n.Localizer) string {
+func (m *MessageCatalog) LookupMessage(
+	id string,
+	templateData map[string]interface{},
+	localizer *i18n.Localizer,
+) string {
 	if message, ok := m.messages[id]; ok {
 		translation, err := localizer.Localize(&i18n.LocalizeConfig{
 			DefaultMessage: message,
 			TemplateData:   templateData,
 		})
 		if err != nil {
-			switch err.(type) {
-			case *i18n.MessageNotFoundErr:
-				m.logger.Warnf("message %s not found: %v", id, err)
-				if translation != "" {
-					return translation
-				}
-				break
-			default:
-				m.logger.Error(err)
-			}
-			return id
+			return m.handleLocalizeError(id, translation, err)
 		}
+
 		return translation
+	}
+
+	m.logger.WithField("id", id).Warn("no translation found for id")
+
+	return id
+}
+
+func (m *MessageCatalog) handleLocalizeError(id string, translation string, err error) string {
+	var messageNotFound *i18n.MessageNotFoundErr
+
+	if errors.As(err, &messageNotFound) {
+		m.logger.WithError(err).WithField("message", id).Warn("message not found")
+
+		if translation != "" {
+			return translation
+		}
 	} else {
-		m.logger.Warnf("no translation found for %s", id)
-		return id
+		m.logger.WithError(err).WithField("message", id).Error("translation error")
 	}
+
+	return id
 }

-func InitI18n(ctx context.Context, logger *log.Logger, languages []string) context.Context {
+func InitI18n(logger *log.Logger, languages []string) (*i18n.Bundle, *MessageCatalog) {
 	bundle := i18n.NewBundle(language.English)
 	bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
+
 	for _, lang := range languages {
-		_, err := bundle.LoadMessageFile(fmt.Sprintf("active.%s.toml", lang))
+		bundleName := fmt.Sprintf("active.%s.toml", lang)
+
+		bundleBytes, err := translations.Bundles.ReadFile(bundleName)
 		if err != nil {
-			logger.Warnln("message bundle de.toml not found")
+			logger.WithField("bundle", bundleName).Warn("message bundle not found")
+
+			continue
 		}
+
+		bundle.MustParseMessageFileBytes(bundleBytes, bundleName)
 	}
+
 	catalog := initMessageCatalog(logger)
-	ctx = context.WithValue(ctx, ctxI18nBundle, bundle)
-	ctx = context.WithValue(ctx, ctxI18nCatalog, catalog)
-	return ctx
+
+	return bundle, catalog
 }

 func initMessageCatalog(logger *log.Logger) *MessageCatalog {
@ -144,13 +168,6 @@ func initMessageCatalog(logger *log.Logger) *MessageCatalog {
 		ID:    "ErrorTitle",
 		Other: "An error has occurred",
 	}
-	return &MessageCatalog{messages: messages, logger: logger}
-}
-
-func GetI18nBundle(ctx context.Context) *i18n.Bundle {
-	return ctx.Value(ctxI18nBundle).(*i18n.Bundle)
-}

-func GetMessageCatalog(ctx context.Context) *MessageCatalog {
-	return ctx.Value(ctxI18nCatalog).(*MessageCatalog)
+	return &MessageCatalog{messages: messages, logger: logger}
 }
--- a/services/oidc.go
+++ b/services/oidc.go
@ -1,18 +1,18 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package services
@ -21,33 +21,33 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/url"
+	"time"

-	"git.cacert.org/oidc_demo_app/models"
 	"github.com/lestrrat-go/jwx/jwk"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
-)
-
-type oidcContextKey int

-// context keys
-const (
-	ctxOidcConfig oidcContextKey = iota
-	ctxOAuth2Config
-	ctxOidcJwks
+	"code.cacert.org/cacert/oidc-demo-app/models"
 )

-// Parameters for DiscoverOIDC
+// OidcParams defines the parameters for DiscoverOIDC
 type OidcParams struct {
 	OidcServer       string
-	OidcClientId     string
+	OidcClientID     string
 	OidcClientSecret string
 	APIClient        *http.Client
 }

-// Discover OpenID Connect parameters from the discovery endpoint and the
+type OIDCInformation struct {
+	KeySet            jwk.Set
+	OAuth2Config      *oauth2.Config
+	OIDCConfiguration *models.OpenIDConfiguration
+}
+
+// DiscoverOIDC gets OpenID Connect parameters from the discovery endpoint and the
 // JSON Web Key Set from the discovered jwksUri.
 //
 // The subset of values specified by models.OpenIDConfiguration is stored in
@ -57,41 +57,45 @@ type OidcParams struct {
 // retrieved by GetOAuth2Config.
 //
 // The JSON Web Key Set can be retrieved by GetJwkSet.
-func DiscoverOIDC(ctx context.Context, logger *log.Logger, params *OidcParams) (context.Context, error) {
-	var discoveryUrl *url.URL
-
-	discoveryUrl, err := url.Parse(params.OidcServer)
+func DiscoverOIDC(logger *log.Logger, params *OidcParams) (*OIDCInformation, error) {
+	discoveryURL, err := url.Parse(params.OidcServer)
 	if err != nil {
 		logger.Fatalf("could not parse oidc.server parameter value %s: %s", params.OidcServer, err)
 	} else {
-		discoveryUrl.Path = "/.well-known/openid-configuration"
+		discoveryURL.Path = "/.well-known/openid-configuration"
 	}

-	var body []byte
-	var req *http.Request
-	req, err = http.NewRequest(http.MethodGet, discoveryUrl.String(), bytes.NewBuffer(body))
+	var (
+		body []byte
+		req  *http.Request
+	)
+
+	req, err = http.NewRequest(http.MethodGet, discoveryURL.String(), bytes.NewBuffer(body))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("could not create OIDC discovery request: %w", err)
 	}
+
 	req.Header = map[string][]string{
 		"Accept": {"application/json"},
 	}

 	resp, err := params.APIClient.Do(req)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("call to OIDC discovery endpoint failed: %w", err)
 	}

+	defer func() { _ = resp.Body.Close() }()
+
 	dec := json.NewDecoder(resp.Body)
 	discoveryResponse := &models.OpenIDConfiguration{}
+
 	err = dec.Decode(discoveryResponse)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("could not decode OIDC discovery response: %w", err)
 	}
-	ctx = context.WithValue(ctx, ctxOidcConfig, discoveryResponse)

 	oauth2Config := &oauth2.Config{
-		ClientID:     params.OidcClientId,
+		ClientID:     params.OidcClientID,
 		ClientSecret: params.OidcClientSecret,
 		Endpoint: oauth2.Endpoint{
 			AuthURL:  discoveryResponse.AuthorizationEndpoint,
@ -99,33 +103,21 @@ func DiscoverOIDC(ctx context.Context, logger *log.Logger, params *OidcParams) (
 		},
 		Scopes: []string{"openid", "offline"},
 	}
-	ctx = context.WithValue(ctx, ctxOAuth2Config, oauth2Config)
-	keySet, err := jwk.Fetch(ctx, discoveryResponse.JwksUri, jwk.WithHTTPClient(params.APIClient))
-	if err != nil {
-		log.Fatalf("could not fetch JWKs: %s", err)
-	}
-	ctx = context.WithValue(ctx, ctxOidcJwks, keySet)

-	return ctx, nil
-}
+	const jwkFetchTimeout = 10 * time.Second

-// Get the OpenID configuration from the context.
-//
-// DiscoverOIDC needs to be called before this is available.
-func GetOidcConfig(ctx context.Context) *models.OpenIDConfiguration {
-	return ctx.Value(ctxOidcConfig).(*models.OpenIDConfiguration)
-}
+	ctx, cancel := context.WithTimeout(context.Background(), jwkFetchTimeout)

-// Get the OAuth 2 configuration configuration from the context.
-//
-// DiscoverOIDC needs to be called before this is available.
-func GetOAuth2Config(ctx context.Context) *oauth2.Config {
-	return ctx.Value(ctxOAuth2Config).(*oauth2.Config)
-}
+	defer cancel()

-// Get the JSON Web Key set from the context.
-//
-// DiscoverOIDC needs to be called before this is available.
-func GetJwkSet(ctx context.Context) jwk.Set {
-	return ctx.Value(ctxOidcJwks).(jwk.Set)
+	keySet, err := jwk.Fetch(ctx, discoveryResponse.JwksURI, jwk.WithHTTPClient(params.APIClient))
+	if err != nil {
+		return nil, fmt.Errorf("could not fetch JWKs: %w", err)
+	}
+
+	return &OIDCInformation{
+		KeySet:            keySet,
+		OAuth2Config:      oauth2Config,
+		OIDCConfiguration: discoveryResponse,
+	}, nil
 }
--- a/services/security.go
+++ b/services/security.go
@ -1,18 +1,18 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package services
@ -25,12 +25,15 @@ import (

 func GenerateKey(length int) []byte {
 	key := make([]byte, length)
+
 	read, err := rand.Read(key)
 	if err != nil {
-		log.Fatalf("could not generate key: %s", err)
+		log.WithError(err).Fatal("could not generate key")
 	}
+
 	if read != length {
-		log.Fatalf("read %d bytes, expected %d bytes", read, length)
+		log.WithFields(log.Fields{"read": read, "expected": length}).Fatal("read unexpected number of bytes")
 	}
+
 	return key
 }
--- a/services/session.go
+++ b/services/session.go
@ -1,18 +1,18 @@
 /*
- Copyright 2020, 2021 Jan Dittberner
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0

+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+    https://www.apache.org/licenses/LICENSE-2.0

-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package services
@ -28,9 +28,10 @@ var store *sessions.FilesystemStore

 func InitSessionStore(logger *log.Logger, sessionPath string, keys ...[]byte) {
 	store = sessions.NewFilesystemStore(sessionPath, keys...)
+
 	if _, err := os.Stat(sessionPath); err != nil {
 		if os.IsNotExist(err) {
-			if err = os.MkdirAll(sessionPath, 0700); err != nil {
+			if err = os.MkdirAll(sessionPath, 0700); err != nil { //nolint:gomnd
 				logger.Fatalf("could not create session store directory: %s", err)
 			}
 		}
--- a/translations/active.de.toml
+++ b/translations/active.de.toml
--- a/translations/active.en.toml
+++ b/translations/active.en.toml
--- a/translations/translations.go
+++ b/translations/translations.go
@ -0,0 +1,23 @@
+/*
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package translations
+
+import "embed"
+
+//go:embed active.*.toml
+var Bundles embed.FS
--- a/ui/templates/base.gohtml
+++ b/ui/templates/base.gohtml
@ -32,7 +32,7 @@
    </main>
    <footer class="footer mt-auto py-3">
        <div class="container">
-            <span class="text-muted small">© 2020 <a href="https://www.cacert.org/">CAcert</a></span>
+            <span class="text-muted small">© 2020-2023 <a href="https://www.cacert.org/">CAcert</a></span>
        </div>
    </footer>
    <script type="text/javascript" src="/js/cacert.bundle.js"></script>
--- a/ui/templates/errors.gohtml
+++ b/ui/templates/errors.gohtml
--- a/ui/templates/index.gohtml
+++ b/ui/templates/index.gohtml
--- a/ui/ui.go
+++ b/ui/ui.go
@ -0,0 +1,26 @@
+/*
+Copyright 2020-2023 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ui
+
+import "embed"
+
+//go:embed templates/*
+var Templates embed.FS
+
+//go:embed css/* js/* images/*
+var Static embed.FS