chore: bump deps and ac version (#1394)

* chore: bump deps and ac version

* chore: address nr-auth v0.0.7 breaking changes

* chore: update license notices file

* fix test

* chore: remove unneeded TODO

---------

Co-authored-by: David Sánchez <[email protected]>

Author: gsanchezgavier

Cargo.lock

@@ -1779,6 +1779,13 @@ Distributed under the following license(s):
 * MIT
 * Apache-2.0
 
+## rcgen <https://crates.io/crates/rcgen>
+
+Distributed under the following license(s):
+
+* MIT
+* Apache-2.0
+
 ## redox_syscall <https://crates.io/crates/redox_syscall>
 
 Distributed under the following license(s):
@@ -2673,6 +2680,13 @@ Distributed under the following license(s):
 * MIT
 * Apache-2.0
 
+## yasna <https://crates.io/crates/yasna>
+
+Distributed under the following license(s):
+
+* MIT
+* Apache-2.0
+
 ## yoke <https://crates.io/crates/yoke>
 
 Distributed under the following license(s):

THIRD_PARTY_NOTICES.md

@@ -1,7 +1,7 @@
 [package]
 name = "newrelic_agent_control"
 description = "New Relic Agent Control Limited Preview"
-version = "0.39.0"
+version = "0.40.0"
 authors.workspace = true
 edition.workspace = true
 rust-version.workspace = true
@@ -36,8 +36,8 @@ chrono = { workspace = true }
 base64 = { version = "0.22.1" }
 # New Relic dependencies (private external repos)
 # IMPORTANT: GitHub deployment keys are used to access these repos on the CI/CD pipelines
-nr-auth = { git = "https://github.com/newrelic/newrelic-auth-rs.git", tag = "0.0.4" }
-opamp-client = { git = "https://github.com/newrelic/newrelic-opamp-rs.git", tag = "0.0.33" }
+nr-auth = { git = "https://github.com/newrelic/newrelic-auth-rs.git", tag = "0.0.8" }
+opamp-client = { git = "https://github.com/newrelic/newrelic-opamp-rs.git", tag = "0.0.34" }
 # local dependencies
 fs = { path = "../fs" }
 wrapper_with_default = { path = "../wrapper_with_default" }
@@ -91,7 +91,7 @@ jsonwebtoken = { workspace = true }
 fs = { path = "../fs", features = ["mocks"] }
 tokio = { version = "1.44.0", features = ["rt-multi-thread", "macros"] }
 fake = { version = "4.0.0", features = ["derive", "http"] }
-prost = "0.13.5"
+prost = "0.14"
 # Alpha version needed to test proxy the feature, it is safe because it is only used as dev-dependency
 httpmock = { version = "0.8.0-alpha.1", features = ["proxy"] }
 serial_test = "3.2.0"

agent-control/Cargo.toml

@@ -1,16 +1,17 @@
 use std::path::PathBuf;
 
+use http::Uri;
 use nr_auth::ClientID;
 use serde::Deserialize;
-use url::Url;
 
 use crate::agent_control::defaults::AUTH_PRIVATE_KEY_FILE_NAME;
 
 /// Authorization configuration used by the OpAmp connection to NewRelic.
 #[derive(Debug, Deserialize, PartialEq, Clone)]
 pub struct AuthConfig {
     /// Endpoint to obtain the access token presenting the client id and secret.
-    pub token_url: Url,
+    #[serde(with = "http_serde::uri")]
+    pub token_url: Uri,
     /// Auth client id associated with the provided key.
     pub client_id: ClientID,
     /// Method to sign the client secret used to retrieve the access token.
@@ -51,7 +52,7 @@ impl LocalConfig {
 mod tests {
     use std::{path::PathBuf, str::FromStr};
 
-    use url::Url;
+    use http::Uri;
 
     use crate::opamp::auth::config::{AuthConfig, LocalConfig, ProviderConfig};
 
@@ -80,7 +81,7 @@ private_key_path: "path/to/key"
                 ),
                 expected: AuthConfig {
                     client_id: "fake".into(),
-                    token_url: Url::from_str("http://fake.com/oauth2/v1/token").unwrap(),
+                    token_url: Uri::from_str("http://fake.com/oauth2/v1/token").unwrap(),
                     provider: Some(ProviderConfig::Local(LocalConfig {
                         private_key_path: PathBuf::from("path/to/key"),
                     })),
@@ -96,7 +97,7 @@ client_id: "fake"
                 ),
                 expected: AuthConfig {
                     client_id: "fake".into(),
-                    token_url: Url::from_str("http://fake.com/oauth2/v1/token").unwrap(),
+                    token_url: Uri::from_str("http://fake.com/oauth2/v1/token").unwrap(),
                     provider: None,
                     retries: 0u8,
                 },
@@ -111,7 +112,7 @@ retries: 3
                 ),
                 expected: AuthConfig {
                     client_id: "fake".into(),
-                    token_url: Url::from_str("http://fake.com/oauth2/v1/token").unwrap(),
+                    token_url: Uri::from_str("http://fake.com/oauth2/v1/token").unwrap(),
                     provider: None,
                     retries: 3u8,
                 },

agent-control/src/opamp/auth/config.rs

@@ -27,7 +27,7 @@ pub enum TokenRetrieverImplError {
 }
 
 // Just an alias to make the code more readable
-type TokenRetrieverHttp = TokenRetrieverWithCache<HttpAuthenticator<HttpClient>>;
+type TokenRetrieverHttp = TokenRetrieverWithCache<HttpAuthenticator<HttpClient>, JwtSignerImpl>;
 
 /// Enumerates all implementations for `TokenRetriever` for static dispatching reasons.
 #[allow(clippy::large_enum_variant)]
@@ -75,7 +75,7 @@ impl TokenRetrieverImpl {
         let authenticator = HttpAuthenticator::new(client, ac.token_url.clone());
 
         Ok(Self::HttpTR(
-            TokenRetrieverHttp::new(ac.client_id, jwt_signer, authenticator)
+            TokenRetrieverHttp::new_with_jwt_signer(ac.client_id, authenticator, jwt_signer)
                 .with_retries(ac.retries),
         ))
     }

agent-control/src/opamp/auth/token_retriever.rs

@@ -25,7 +25,8 @@ use std::time::Duration;
 fn k8s_cli_local_and_remote_updates() {
     let mut k8s_env = block_on(K8sEnv::new());
     let namespace = block_on(k8s_env.test_namespace());
-    let k8s_client = Arc::new(SyncK8sClient::try_new(tokio_runtime(), namespace.clone()).unwrap());
+    let k8s_client =
+        Arc::new(SyncK8sClient::try_from_namespace(tokio_runtime(), namespace.clone()).unwrap());
 
     create_simple_values_secret(
         k8s_env.client.clone(),

agent-control/tests/k8s/agent_control_cli/upgrade_local_vs_remote.rs

@@ -5,14 +5,15 @@ use httpmock::Method::POST;
 use httpmock::{MockServer, When};
 use jsonwebtoken::{Algorithm, DecodingKey, Validation};
 use newrelic_agent_control::agent_control::defaults::AGENT_CONTROL_CONFIG_FILENAME;
-use nr_auth::authenticator::{Request, Response};
+use nr_auth::authenticator::{AuthCredential, TokenRetrievalRequest, TokenRetrievalResponse};
 use nr_auth::jwt::claims::Claims;
-use nr_auth::token_retriever::DEFAULT_AUDIENCE;
 use predicates::prelude::predicate;
 use std::path::PathBuf;
 use std::time::Duration;
 use tempfile::TempDir;
 
+const DEFAULT_AUDIENCE: &str = "https://www.newrelic.com/";
+
 #[test]
 #[ignore = "requires root"]
 fn test_auth_local_provider_as_root() {
@@ -199,7 +200,7 @@ fn auth_server(token: String) -> MockServer {
             .header(CONTENT_TYPE.as_str(), "application/json")
             .and(is_authorized);
         then.json_body(
-            serde_json::to_value(Response {
+            serde_json::to_value(TokenRetrievalResponse {
                 access_token: token,
                 token_type: "bearer".to_string(),
                 expires_in: 10,
@@ -213,17 +214,24 @@ fn auth_server(token: String) -> MockServer {
 
 fn is_authorized(when: When) -> When {
     when.is_true(|req| {
-        let request: Request = serde_json::from_slice(req.body_ref()).unwrap();
+        let request: TokenRetrievalRequest = serde_json::from_slice(req.body_ref()).unwrap();
 
         // Validation
         let mut validation = Validation::new(Algorithm::RS256);
         validation.sub = Some(request.client_id.to_owned());
         validation.set_audience(&[DEFAULT_AUDIENCE]);
         validation.set_required_spec_claims(&["exp", "sub", "aud"]);
 
+        let AuthCredential::ClientAssertion {
+            client_assertion, ..
+        } = &request.credential
+        else {
+            return false;
+        };
+
         // Decode the signed token
         jsonwebtoken::decode::<Claims>(
-            &request.client_assertion,
+            client_assertion,
             &DecodingKey::from_rsa_pem(RS256_PUBLIC_KEY.as_bytes()).unwrap(),
             &validation,
         )