Merge branch 'main' into docs/provider-spec-updates

Author: aepfli

.gitignore

@@ -3,6 +3,7 @@ __debug_bin
 .vscode
 dist/
 .idea
+.cursor
 *.pem
 # ignore generated code
 pkg/eval/flagd-definitions.json

LICENSE

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright OpenFeature Maintainers
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

core/go.mod

@@ -33,10 +33,11 @@ require (
 	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
 	gocloud.dev v0.42.0
-	golang.org/x/crypto v0.39.0
+	golang.org/x/crypto v0.45.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	golang.org/x/mod v0.25.0
-	golang.org/x/sync v0.15.0
+	golang.org/x/mod v0.29.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.18.0
 	google.golang.org/grpc v1.73.0
 	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v3 v3.0.1
@@ -142,11 +143,10 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect

core/go.sum

@@ -372,6 +372,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac h1:l5+whBCLH3iH2ZNHYLbAe58bo7yrN4mVcnkHDYz5vvs=
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScyxUhjuVHR3HGaDPMn9rMSUUbxo=
@@ -386,6 +388,8 @@ golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
 golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -403,6 +407,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
 golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
@@ -417,6 +423,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -432,6 +440,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -440,6 +450,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
 golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -449,6 +461,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

core/pkg/sync/builder/syncbuilder_test.go

@@ -216,11 +216,6 @@ func Test_SyncsFromFromConfig(t *testing.T) {
 						CertPath:   "/tmp/ca.cert",
 						Selector:   "source=database",
 					},
-					{
-						URI:         "https://host:port",
-						Provider:    syncProviderHTTP,
-						BearerToken: "token",
-					},
 					{
 						URI:        "https://host:port",
 						Provider:   syncProviderHTTP,
@@ -251,7 +246,6 @@ func Test_SyncsFromFromConfig(t *testing.T) {
 			wantSyncs: []sync.ISync{
 				&grpc.Sync{},
 				&http.Sync{},
-				&http.Sync{},
 				&file.Sync{},
 				&kubernetes.Sync{},
 				&blob.Sync{},

core/pkg/sync/builder/utils.go

@@ -22,11 +22,6 @@ func ParseSources(sourcesFlag string) ([]sync.SourceConfig, error) {
 		if sp.Provider == "" {
 			return syncProvidersParsed, errors.New("sync provider argument parse: provider is a required field")
 		}
-		if sp.AuthHeader != "" && sp.BearerToken != "" {
-			return syncProvidersParsed, errors.New(
-				"sync provider argument parse: both authHeader and bearerToken are defined, only one is allowed at a time",
-			)
-		}
 	}
 	return syncProvidersParsed, nil
 }

core/pkg/sync/builder/utils_test.go

@@ -26,7 +26,7 @@ func TestParseSource(t *testing.T) {
 		"multiple-syncs": {
 			in: `[
 					{"uri":"config/samples/example_flags.json","provider":"file"},
-					{"uri":"http://test.com","provider":"http","bearerToken":":)"},
+					{"uri":"http://test.com","provider":"http","authHeader":"Bearer :)"},
 					{"uri":"host:port","provider":"grpc"},
 					{"uri":"default/my-crd","provider":"kubernetes"},
 					{"uri":"gs://bucket-name/path/to/file","provider":"gcs"},
@@ -42,7 +42,7 @@ func TestParseSource(t *testing.T) {
 				{
 					URI:         "http://test.com",
 					Provider:    syncProviderHTTP,
-					BearerToken: ":)",
+					AuthHeader: "Bearer :)",
 				},
 				{
 					URI:      "host:port",
@@ -69,8 +69,6 @@ func TestParseSource(t *testing.T) {
 		"multiple-syncs-with-options": {
 			in: `[
 				{"uri":"config/samples/example_flags.json","provider":"file"},
-				{"uri":"http://my-flag-source.json","provider":"http","bearerToken":"bearer-dji34ld2l"},
-				{"uri":"https://secure-remote","provider":"http","bearerToken":"bearer-dji34ld2l"},
 				{"uri":"https://secure-remote","provider":"http","authHeader":"Bearer bearer-dji34ld2l"},
 				{"uri":"https://secure-remote","provider":"http","authHeader":"Basic dXNlcjpwYXNz"},
 				{"uri":"http://site.com","provider":"http","interval":77 },
@@ -84,16 +82,6 @@ func TestParseSource(t *testing.T) {
 					URI:      "config/samples/example_flags.json",
 					Provider: syncProviderFile,
 				},
-				{
-					URI:         "http://my-flag-source.json",
-					Provider:    syncProviderHTTP,
-					BearerToken: "bearer-dji34ld2l",
-				},
-				{
-					URI:         "https://secure-remote",
-					Provider:    syncProviderHTTP,
-					BearerToken: "bearer-dji34ld2l",
-				},
 				{
 					URI:        "https://secure-remote",
 					Provider:   syncProviderHTTP,
@@ -127,22 +115,6 @@ func TestParseSource(t *testing.T) {
 				},
 			},
 		},
-		"multiple-auth-options": {
-			in: `[
-				{"uri":"https://secure-remote","provider":"http","authHeader":"Bearer bearer-dji34ld2l","bearerToken":"bearer-dji34ld2l"}
-			]`,
-			expectErr: true,
-			out: []sync.SourceConfig{
-				{
-					URI:         "https://secure-remote",
-					Provider:    syncProviderHTTP,
-					AuthHeader:  "Bearer bearer-dji34ld2l",
-					BearerToken: "bearer-dji34ld2l",
-					TLS:         false,
-					Interval:    0,
-				},
-			},
-		},
 		"empty": {
 			in:        `[]`,
 			expectErr: false,

core/pkg/sync/http/http_sync.go

@@ -29,7 +29,6 @@ type Sync struct {
 	cron        Cron
 	lastBodySHA string
 	logger      *logger.Logger
-	bearerToken string
 	authHeader  string
 	interval    uint32
 	ready       bool
@@ -107,9 +106,6 @@ func (hs *Sync) ReSync(ctx context.Context, dataSync chan<- sync.DataSync) error
 }
 
 func (hs *Sync) Init(_ context.Context) error {
-	if hs.bearerToken != "" {
-		hs.logger.Warn("Deprecation Alert: bearerToken option is deprecated, please use authHeader instead")
-	}
 	return nil
 }
 
@@ -176,9 +172,6 @@ func (hs *Sync) fetchBody(ctx context.Context, fetchAll bool) (string, bool, err
 
 	if hs.authHeader != "" {
 		req.Header.Set("Authorization", hs.authHeader)
-	} else if hs.bearerToken != "" {
-		bearer := fmt.Sprintf("Bearer %s", hs.bearerToken)
-		req.Header.Set("Authorization", bearer)
 	}
 
 	if hs.eTag != "" && !fetchAll {
@@ -299,7 +292,6 @@ func NewHTTP(config sync.SourceConfig, logger *logger.Logger) *Sync {
 			zap.String("component", "sync"),
 			zap.String("sync", "http"),
 		),
-		bearerToken:     config.BearerToken,
 		authHeader:      config.AuthHeader,
 		interval:        interval,
 		cron:            cron.New(),

core/pkg/sync/http/http_sync_test.go

@@ -125,7 +125,6 @@ func TestHTTPSync_Fetch(t *testing.T) {
 	tests := map[string]struct {
 		setup          func(t *testing.T, client *syncmock.MockClient)
 		uri            string
-		bearerToken    string
 		authHeader     string
 		eTagHeader     string
 		lastBodySHA    string
@@ -181,37 +180,6 @@ func TestHTTPSync_Fetch(t *testing.T) {
 				}
 			},
 		},
-		"authorization with bearerToken": {
-			setup: func(t *testing.T, client *syncmock.MockClient) {
-				expectedToken := "bearer-1234"
-				client.EXPECT().Do(gomock.Any()).DoAndReturn(func(req *http.Request) (*http.Response, error) {
-					actualAuthHeader := req.Header.Get("Authorization")
-					if actualAuthHeader != "Bearer "+expectedToken {
-						t.Fatalf("expected Authorization header to be 'Bearer %s', got %s", expectedToken, actualAuthHeader)
-					}
-					return &http.Response{
-						Header:     buildHeaders(map[string][]string{"Content-Type": {"application/json"}}),
-						Body:       io.NopCloser(strings.NewReader("test response")),
-						StatusCode: http.StatusOK,
-					}, nil
-				})
-			},
-			uri:         "http://localhost",
-			bearerToken: "bearer-1234",
-			lastBodySHA: "",
-			handleResponse: func(t *testing.T, httpSync Sync, _ string, err error) {
-				if err != nil {
-					t.Fatalf("fetch: %v", err)
-				}
-
-				expectedLastBodySHA := "UjeJHtCU_wb7OHK-tbPoHycw0TqlHzkWJmH4y6cqg50="
-				if httpSync.lastBodySHA != expectedLastBodySHA {
-					t.Errorf(
-						"expected last body sha to be: '%s', got: '%s'", expectedLastBodySHA, httpSync.lastBodySHA,
-					)
-				}
-			},
-		},
 		"authorization with authHeader": {
 			setup: func(t *testing.T, client *syncmock.MockClient) {
 				expectedHeader := "Basic dXNlcjpwYXNz"
@@ -348,7 +316,6 @@ func TestHTTPSync_Fetch(t *testing.T) {
 			httpSync := Sync{
 				uri:         tt.uri,
 				client:      mockClient,
-				bearerToken: tt.bearerToken,
 				authHeader:  tt.authHeader,
 				lastBodySHA: tt.lastBodySHA,
 				logger:      logger.NewLogger(nil, false),
@@ -361,30 +328,6 @@ func TestHTTPSync_Fetch(t *testing.T) {
 	}
 }
 
-func TestSync_Init(t *testing.T) {
-	tests := []struct {
-		name        string
-		bearerToken string
-	}{
-		{"with bearerToken", "bearer-1234"},
-		{"without bearerToken", ""},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			httpSync := Sync{
-				bearerToken: tt.bearerToken,
-				logger:      logger.NewLogger(nil, false),
-			}
-
-			if err := httpSync.Init(context.Background()); err != nil {
-				t.Errorf("Init() error = %v", err)
-			}
-		})
-	}
-
-}
-
 func TestHTTPSync_Resync(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	source := "http://localhost"
@@ -393,7 +336,6 @@ func TestHTTPSync_Resync(t *testing.T) {
 	tests := map[string]struct {
 		setup             func(t *testing.T, client *syncmock.MockClient)
 		uri               string
-		bearerToken       string
 		lastBodySHA       string
 		handleResponse    func(*testing.T, Sync, string, error)
 		wantErr           bool
@@ -448,7 +390,6 @@ func TestHTTPSync_Resync(t *testing.T) {
 			httpSync := Sync{
 				uri:         tt.uri,
 				client:      mockClient,
-				bearerToken: tt.bearerToken,
 				lastBodySHA: tt.lastBodySHA,
 				logger:      logger.NewLogger(nil, false),
 			}
@@ -617,7 +558,7 @@ func TestHTTPSync_OAuth(t *testing.T) {
 			l := logger.NewLogger(nil, false)
 			s := NewHTTP(sync.SourceConfig{
 				URI:         ts.URL,
-				BearerToken: "it_should_be_replaced_by_oauth",
+				AuthHeader: "Bearer it_should_be_replaced_by_oauth",
 				OAuth: &sync.OAuthCredentialHandler{
 					ClientID:     clientID,
 					ClientSecret: clientSecret,
@@ -710,7 +651,7 @@ func TestHTTPSync_OAuthFolderSecrets(t *testing.T) {
 	l := logger.NewLogger(nil, false)
 	s := NewHTTP(sync.SourceConfig{
 		URI:         ts.URL + flagsPath,
-		BearerToken: "it_should_be_replaced_by_oauth",
+		AuthHeader: "Bearer it_should_be_replaced_by_oauth",
 		OAuth: &sync.OAuthCredentialHandler{
 			ClientID:     clientID,
 			ClientSecret: clientSecret,

core/pkg/sync/isync.go

@@ -39,7 +39,6 @@ type SourceConfig struct {
 	URI      string `json:"uri"`
 	Provider string `json:"provider"`
 
-	BearerToken string `json:"bearerToken,omitempty"`
 	AuthHeader  string `json:"authHeader,omitempty"`
 	CertPath    string `json:"certPath,omitempty"`
 	TLS         bool   `json:"tls,omitempty"`