Update to Go 1.23.3 (#28920)

* Update to Go 1.23.3

 - Update to latest major version of Go 1.23.3 from 1.22.8.
 - Update github.com/sasha-s/go-deadlock to address deadlock timer
   issue we were seeing.
 - Fix one of our tests to only reset the member variable we change
   instead of the entire Opts parameter to avoid a data race during
   testing.

* Add workaround for MSSQL TLS certificate container issue

.go-version

@@ -1 +1 @@
-1.22.8
+1.23.3

changelog/_go-ver-1190.txt

@@ -1,3 +1,3 @@
 ``release-note:change
-core: Bump Go version to 1.22.8.
+core: Bump Go version to 1.23.3.
 ```

go.mod

@@ -10,7 +10,7 @@ module github.com/hashicorp/vault
 // semantic related to Go module handling), this comment should be updated to explain that.
 //
 // Whenever this value gets updated, sdk/go.mod should be updated to the same value.
-go 1.22.5
+go 1.23.3
 
 replace github.com/hashicorp/vault/api => ./api
 
@@ -193,7 +193,7 @@ require (
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/ryanuber/columnize v2.1.2+incompatible
 	github.com/ryanuber/go-glob v1.0.0
-	github.com/sasha-s/go-deadlock v0.2.0
+	github.com/sasha-s/go-deadlock v0.3.5
 	github.com/sethvargo/go-limiter v0.7.1
 	github.com/shirou/gopsutil/v3 v3.22.6
 	github.com/stretchr/testify v1.9.0
@@ -475,7 +475,7 @@ require (
 	github.com/oracle/oci-go-sdk/v59 v59.0.0 // indirect
 	github.com/oracle/oci-go-sdk/v60 v60.0.0 // indirect
 	github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c // indirect
-	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
+	github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.18 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect

go.sum

@@ -1959,8 +1959,8 @@ github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaR
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 h1:q2e307iGHPdTGp0hoxKjt1H5pDo6utceo3dQVK3I5XQ=
-github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5/go.mod h1:jvVRKCrJTQWu0XVbaOlby/2lO20uSCHEMzzplHXte1o=
+github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 h1:Dx7Ovyv/SFnMFw3fD4oEoeorXc6saIiQ23LrGLth0Gw=
+github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
 github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
 github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
@@ -2050,8 +2050,8 @@ github.com/ryanuber/columnize v2.1.2+incompatible h1:C89EOx/XBWwIXl8wm8OPJBd7kPF
 github.com/ryanuber/columnize v2.1.2+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/sasha-s/go-deadlock v0.2.0 h1:lMqc+fUb7RrFS3gQLtoQsJ7/6TV/pAIFvBsqX73DK8Y=
-github.com/sasha-s/go-deadlock v0.2.0/go.mod h1:StQn567HiB1fF2yJ44N9au7wOhrPS3iZqiDbRupzT10=
+github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU=
+github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/conswriter v0.0.0-20180208195008-f5ae3917a627/go.mod h1:7zjs06qF79/FKAJpBvFx3P8Ww4UTIMAe+lpNXDHziac=

helper/testhelpers/mssql/mssqlhelper.go

@@ -12,7 +12,9 @@ import (
 	"runtime"
 	"strings"
 	"testing"
+	"time"
 
+	"github.com/hashicorp/vault/helper/testhelpers"
 	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
 	"github.com/hashicorp/vault/sdk/helper/docker"
 )
@@ -35,14 +37,34 @@ func PrepareMSSQLTestContainer(t *testing.T) (cleanup func(), retURL string) {
 
 	logger := corehelpers.NewTestLogger(t)
 
-	var err error
-	for i := 0; i < numRetries; i++ {
-		var svc *docker.Service
-		var runner *docker.Runner
-		runner, err = docker.NewServiceRunner(docker.RunOptions{
+	// Workaround for https://github.com/microsoft/mssql-docker/issues/895 and us temporary seeing
+	// tls: failed to parse certificate from server: x509: negative serial number in test case failures.
+	containerfile := `
+FROM mcr.microsoft.com/mssql/server:2022-latest
+USER root
+ENV MSDIR=/var/opt/mssql
+RUN mkdir -p $MSDIR \
+    && openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=mssql' -addext "subjectAltName = DNS:mssql" -keyout $MSDIR/mssql.key -out $MSDIR/mssql.pem -days 1 \
+	&& chmod 400 $MSDIR/mssql.key \
+	&& chmod 400 $MSDIR/mssql.pem \
+    && chown -R mssql $MSDIR
+
+RUN echo "[network]" > $MSDIR/mssql.conf \
+	&& echo "tlscert = $MSDIR/mssql.pem" >> $MSDIR/mssql.conf \
+	&& echo "tlskey = $MSDIR/mssql.key" >> $MSDIR/mssql.conf \ 
+	&& echo "tlsprotocols = 1.2" >> $MSDIR/mssql.conf \ 
+	&& echo "forceencryption = 1" >> $MSDIR/mssql.conf 
+
+USER mssql
+`
+	bCtx := docker.NewBuildContext()
+	imageName := "mssql-workaround-895"
+	imageTag := "latest"
+
+	runner, err := docker.NewServiceRunner(docker.RunOptions{
 		ContainerName: "sqlserver",
-			ImageRepo:     "mcr.microsoft.com/mssql/server",
-			ImageTag:      "2022-latest",
+		ImageRepo:     imageName,
+		ImageTag:      imageTag,
 		Env:           []string{"ACCEPT_EULA=Y", "SA_PASSWORD=" + mssqlPassword},
 		Ports:         []string{"1433/tcp"},
 		LogConsumer: func(s string) {
@@ -50,10 +72,27 @@ func PrepareMSSQLTestContainer(t *testing.T) (cleanup func(), retURL string) {
 		},
 	})
 	if err != nil {
-			logger.Error("failed creating new service runner", "error", err.Error())
-			continue
+		t.Fatalf("Could not provision docker service runner: %s", err)
 	}
 
+	// Sometimes we see timeouts and issues pulling the zlint code from GitHub
+	testhelpers.RetryUntil(t, 30*time.Second, func() error {
+		output, err := runner.BuildImage(context.Background(), containerfile, bCtx,
+			docker.BuildRemove(true),
+			docker.BuildForceRemove(true),
+			docker.BuildPullParent(true),
+			docker.BuildTags([]string{imageName + ":" + imageTag}))
+		if err != nil {
+			return fmt.Errorf("could not build new mssql image: %w", err)
+		}
+
+		t.Logf("Image build output: %v", string(output))
+		return nil
+	})
+
+	for i := 0; i < numRetries; i++ {
+		var svc *docker.Service
+
 		svc, err = runner.StartService(context.Background(), connectMSSQL)
 		if err == nil {
 			return svc.Cleanup, svc.Config.URL().String()

sdk/go.mod

@@ -1,6 +1,6 @@
 module github.com/hashicorp/vault/sdk
 
-go 1.22
+go 1.23.0
 
 require (
 	cloud.google.com/go/cloudsqlconn v1.4.3

vault/core_test.go

@@ -3400,15 +3400,11 @@ func TestDefaultDeadlock(t *testing.T) {
 	InduceDeadlock(t, testCore, 0)
 }
 
-func RestoreDeadlockOpts() func() {
-	opts := deadlock.Opts
-	return func() {
-		deadlock.Opts = opts
-	}
-}
-
 func InduceDeadlock(t *testing.T, vaultcore *Core, expected uint32) {
-	defer RestoreDeadlockOpts()()
+	priorDeadlockFunc := deadlock.Opts.OnPotentialDeadlock
+	defer func() {
+		deadlock.Opts.OnPotentialDeadlock = priorDeadlockFunc
+	}()
 	var deadlocks uint32
 	deadlock.Opts.OnPotentialDeadlock = func() {
 		atomic.AddUint32(&deadlocks, 1)