feat(security): SSO/JWT authentication migration (Phase 1)

.github/workflows/e2e.yml

@@ -242,10 +242,80 @@ jobs:
         echo "Checking services..."
         kubectl get svc -n ambient-code
 
-    - name: Run Cypress E2E tests
+    - name: Run Cypress E2E tests (legacy auth)
       working-directory: e2e
       run: ./scripts/run-tests.sh
 
+    - name: Toggle SSO auth mode
+      run: |
+        # Verify Keycloak is healthy before toggling (backend needs it for OIDC discovery)
+        echo "Verifying Keycloak is ready..."
+        kubectl wait --for=condition=available --timeout=60s deployment/keycloak -n ambient-code
+
+        # Enable SSO on frontend
+        kubectl set env deployment/frontend -n ambient-code SSO_ENABLED=true NEXT_PUBLIC_SSO_ENABLED=true
+
+        # Enable SSO feature flag in Unleash
+        UNLEASH_ADMIN_TOKEN=$(kubectl get secret unleash-credentials -n ambient-code -o jsonpath='{.data.admin-api-token}' | base64 -d)
+        kubectl port-forward -n ambient-code svc/unleash 4242:4242 &
+        PF=$!
+        sleep 3
+        # Create flag if it doesn't exist, then enable
+        curl -sf -X POST "http://localhost:4242/api/admin/projects/default/features" \
+          -H "Authorization: $UNLEASH_ADMIN_TOKEN" \
+          -H "Content-Type: application/json" \
+          -d '{"name":"sso-authentication","type":"release"}' 2>/dev/null || true
+        curl -sf -X POST "http://localhost:4242/api/admin/projects/default/features/sso-authentication/environments/development/strategies" \
+          -H "Authorization: $UNLEASH_ADMIN_TOKEN" \
+          -H "Content-Type: application/json" \
+          -d '{"name":"default","parameters":{}}' 2>/dev/null || true
+        curl -sf -X POST "http://localhost:4242/api/admin/projects/default/features/sso-authentication/environments/development/on" \
+          -H "Authorization: $UNLEASH_ADMIN_TOKEN" 2>/dev/null || true
+        kill $PF 2>/dev/null || true
+
+        # Wait for frontend rollout
+        kubectl rollout status deployment/frontend -n ambient-code --timeout=60s
+
+        # Restart backend to pick up flag change faster
+        kubectl rollout restart deployment/backend-api -n ambient-code
+        kubectl rollout status deployment/backend-api -n ambient-code --timeout=60s
+
+        # Verify backend JWT validator initialized (OIDC discovery reached Keycloak)
+        echo "Verifying backend SSO initialization..."
+        for i in $(seq 1 15); do
+          if kubectl logs -n ambient-code -l app=backend-api --tail=50 2>/dev/null | grep -q "SSO: JWT validator initialized"; then
+            echo "Backend JWT validator initialized"
+            break
+          fi
+          if [ "$i" -eq 15 ]; then
+            echo "WARNING: Backend JWT validator may not have initialized"
+            kubectl logs -n ambient-code -l app=backend-api --tail=20 | grep -i sso || true
+          fi
+          sleep 2
+        done
+
+    - name: Run Cypress E2E tests (SSO auth)
+      working-directory: e2e
+      env:
+        E2E_USE_SSO: "true"
+      run: |
+        # Re-extract token using Keycloak client_credentials
+        ./scripts/extract-token.sh
+        # Verify frontend is healthy after SSO toggle before running tests
+        echo "Waiting for frontend to be ready with SSO..."
+        for i in $(seq 1 30); do
+          if curl -sf -o /dev/null http://localhost/api/version 2>/dev/null; then
+            echo "Frontend ready"
+            break
+          fi
+          if [ "$i" -eq 30 ]; then
+            echo "Frontend not ready after 60s"
+            kubectl logs -n ambient-code -l app=frontend --tail=20 || true
+            exit 1
+          fi
+          sleep 2
+        done
+        ./scripts/run-tests.sh
 
     - name: Upload test results
       if: failure()

CONTRIBUTING.md

@@ -395,18 +395,20 @@ make kind-up
 This command will:
 - Create Kind cluster (~30 seconds)
 - Deploy all components (backend, frontend, operator)
-- Set up ingress and port forwarding
+- Deploy Keycloak with a pre-configured dev realm
+- Set up port forwarding
 - Load container images
 
 The setup takes ~2 minutes on first run.
 
 #### Access the Application
 
 ```bash
-# Access at http://localhost:8080
+make kind-port-forward  # In another terminal
+# Open the frontend URL shown in the output
 ```
 
-Simple! Kind automatically sets up port forwarding to localhost.
+You'll be redirected to Keycloak for login. Use `developer` / `developer`.
 
 #### Stopping and Restarting
 

Makefile

@@ -3,7 +3,7 @@
 .PHONY: local-dev-token
 .PHONY: local-logs local-logs-backend local-logs-frontend local-logs-operator local-shell local-shell-frontend
 .PHONY: local-test local-test-dev local-test-quick test-all local-troubleshoot local-port-forward local-stop-port-forward
-.PHONY: push-all registry-login setup-hooks remove-hooks lint check-minikube check-kind check-kubectl check-local-context dev-bootstrap kind-rebuild kind-reload-backend kind-reload-frontend kind-reload-operator kind-status kind-login
+.PHONY: push-all registry-login setup-hooks remove-hooks lint check-minikube check-kind check-kubectl check-local-context dev-bootstrap kind-rebuild kind-reload-backend kind-reload-frontend kind-reload-operator kind-status kind-login kind-sso-toggle
 .PHONY: preflight-cluster preflight dev-env dev
 .PHONY: e2e-test e2e-setup e2e-clean deploy-langfuse-openshift
 .PHONY: unleash-port-forward unleash-status
@@ -1065,6 +1065,42 @@ kind-reload-operator: check-kind check-kubectl check-local-context ## Rebuild an
 	@kubectl rollout status deployment/agentic-operator -n $(NAMESPACE) --timeout=60s
 	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) Operator reloaded"
 
+kind-sso-toggle: check-kubectl ## Toggle SSO auth on/off in Kind (affects both frontend and backend)
+	@UNLEASH_ADMIN_TOKEN=$$(kubectl get secret unleash-credentials -n $(NAMESPACE) -o jsonpath='{.data.admin-api-token}' | base64 -d); \
+	CURRENT=$$(kubectl get deployment frontend -n $(NAMESPACE) -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="SSO_ENABLED")].value}' 2>/dev/null); \
+	if [ "$$CURRENT" = "true" ]; then \
+		echo "$(COLOR_BLUE)▶$(COLOR_RESET) Disabling SSO auth (switching to legacy mode)..."; \
+		kubectl set env deployment/frontend -n $(NAMESPACE) SSO_ENABLED=false NEXT_PUBLIC_SSO_ENABLED=false; \
+		kubectl port-forward -n $(NAMESPACE) svc/unleash 4242:4242 >/dev/null 2>&1 & PF=$$!; sleep 2; \
+		curl -sf -X POST "http://localhost:4242/api/admin/projects/default/features/sso-authentication/environments/development/off" \
+			-H "Authorization: $$UNLEASH_ADMIN_TOKEN" >/dev/null 2>&1 || true; \
+		kill $$PF 2>/dev/null; \
+		echo "$(COLOR_GREEN)✓$(COLOR_RESET) SSO disabled. Frontend will use OC_TOKEN/OAuth proxy headers."; \
+	else \
+		echo "$(COLOR_BLUE)▶$(COLOR_RESET) Enabling SSO auth (switching to Keycloak OIDC)..."; \
+		SSO_HOST="http://localhost:$(KIND_FWD_FRONTEND_PORT)"; \
+		kubectl set env deployment/frontend -n $(NAMESPACE) \
+			SSO_ENABLED=true NEXT_PUBLIC_SSO_ENABLED=true \
+			SSO_REDIRECT_URI="$$SSO_HOST/api/auth/sso/callback" \
+			SSO_PUBLIC_ISSUER_URL="$$SSO_HOST/sso/realms/ambient-code"; \
+		kubectl set env deployment/backend-api -n $(NAMESPACE) \
+			SSO_PUBLIC_ISSUER_URL="$$SSO_HOST/sso/realms/ambient-code"; \
+		kubectl set env deployment/keycloak -n $(NAMESPACE) \
+			KC_HOSTNAME="$$SSO_HOST/sso"; \
+		kubectl port-forward -n $(NAMESPACE) svc/unleash 4242:4242 >/dev/null 2>&1 & PF=$$!; sleep 2; \
+		curl -sf -X POST "http://localhost:4242/api/admin/projects/default/features/sso-authentication/environments/development/on" \
+			-H "Authorization: $$UNLEASH_ADMIN_TOKEN" >/dev/null 2>&1 || true; \
+		kill $$PF 2>/dev/null; \
+		echo "$(COLOR_GREEN)✓$(COLOR_RESET) SSO enabled at $$SSO_HOST"; \
+	fi
+	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Waiting for rollouts..."
+	@kubectl rollout status deployment/keycloak -n $(NAMESPACE) --timeout=120s >/dev/null 2>&1 || true
+	@kubectl rollout status deployment/frontend -n $(NAMESPACE) --timeout=60s >/dev/null 2>&1
+	@# Restart backend after Keycloak is ready (OIDC discovery needs Keycloak)
+	@kubectl rollout restart deployment/backend-api -n $(NAMESPACE) >/dev/null 2>&1 || true
+	@kubectl rollout status deployment/backend-api -n $(NAMESPACE) --timeout=60s >/dev/null 2>&1 || true
+	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) Done. Restart port-forwards if needed: make kind-port-forward"
+
 kind-status: check-kind ## Show all kind clusters and their port assignments
 	@echo "$(COLOR_BOLD)Kind Cluster Status$(COLOR_RESET)"
 	@echo ""

components/backend/README.md

@@ -34,86 +34,50 @@ make run
 make dev
 ```
 
-### Migration from `DISABLE_AUTH` (removed)
+### Authentication
 
-Older dev flows sometimes relied on `DISABLE_AUTH=true` to bypass auth. That pattern is **removed**.
-The backend **never** bypasses authentication based on environment variables, and it **never** falls back to the backend’s in-cluster ServiceAccount for user-initiated operations.
+The backend supports two auth modes, controlled by the `sso-authentication` Unleash feature flag. This is an **infrastructure flag** — it is not visible in the workspace settings UI and is not user-configurable. It is enabled per-environment by the ops team during SSO migration.
 
-#### What changed
+**SSO mode (flag on):** The backend validates JWTs from Keycloak against the JWKS endpoint, extracts identity from OIDC claims (`email`, `preferred_username`, `groups`), and uses K8s impersonation for all API calls. API keys (K8s ServiceAccount tokens) are accepted via TokenReview fallback.
 
-- **Removed**: `DISABLE_AUTH`-based bypass (and similar env-var bypasses)
-- **Required**: All authenticated endpoints must receive a real Kubernetes/OpenShift token
+**Legacy mode (flag off):** The backend reads `X-Forwarded-Access-Token` or `Authorization: Bearer` headers and uses the raw token as the K8s bearer token (OAuth proxy flow).
 
-#### What to do in your local dev workflow
+In the Kind dev cluster, legacy mode is the default. Toggle SSO on/off with `make kind-sso-toggle` (affects both frontend and backend).
 
-1. **Stop setting** `DISABLE_AUTH=true` anywhere (shell profile, `.env`, compose, manifests).
-2. **Send a token** on requests:
-   - `Authorization: Bearer <token>` (preferred)
-   - `X-Forwarded-Access-Token: <token>` (when behind an auth proxy)
-3. If you get:
-   - **401**: token missing/invalid/malformed
-   - **403**: token valid but RBAC forbids the operation in that namespace
+#### Local development (Kind)
 
-#### Option A: OpenShift / CRC (recommended for this repo)
+`make kind-up` deploys Keycloak automatically. The backend is configured with:
+- `SSO_ISSUER_URL` — points to the in-cluster Keycloak
+- `SSO_AUDIENCE` — `ambient-frontend`
 
-```bash
-# Login and obtain a user token
-oc login ...
-export OC_TOKEN="$(oc whoami -t)"
-
-# Example request
-curl -H "Authorization: Bearer ${OC_TOKEN}" \
-  http://localhost:8080/health
-```
-
-#### Option B: kind (ServiceAccount token for local dev)
-
-Kubernetes v1.24+ supports `kubectl create token`:
-
-```bash
-export DEV_NS=ambient-code
-kubectl create namespace "${DEV_NS}" 2>/dev/null || true
-
-kubectl -n "${DEV_NS}" create serviceaccount backend-dev 2>/dev/null || true
-
-# Minimal example permissions (adjust as needed)
-kubectl -n "${DEV_NS}" create role backend-dev \
-  --verb=get,list,watch,create,update,patch,delete \
-  --resource=secrets,configmaps,services,pods,rolebindings 2>/dev/null || true
-
-kubectl -n "${DEV_NS}" create rolebinding backend-dev \
-  --role=backend-dev \
-  --serviceaccount="${DEV_NS}:backend-dev" 2>/dev/null || true
-
-export DEV_TOKEN="$(kubectl -n "${DEV_NS}" create token backend-dev)"
-
-curl -H "Authorization: Bearer ${DEV_TOKEN}" \
-  http://localhost:8080/health
-```
-
-If you’re on an older cluster that does **not** support `kubectl create token`, you can use a legacy Secret-backed token:
+To test backend endpoints directly with a Keycloak JWT:
 
 ```bash
-export DEV_NS=ambient-code
-kubectl -n "${DEV_NS}" create serviceaccount backend-dev 2>/dev/null || true
-
-SECRET_NAME="$(kubectl -n "${DEV_NS}" get sa backend-dev -o jsonpath='{.secrets[0].name}')"
-export DEV_TOKEN="$(kubectl -n "${DEV_NS}" get secret "${SECRET_NAME}" -o jsonpath='{.data.token}' | base64 -d)"
+# Get a JWT from Keycloak (from within the cluster)
+JWT=$(kubectl run -n ambient-code jwt-dev --rm -i --restart=Never --quiet \
+  --image=curlimages/curl -- sh -c \
+  ‘curl -sf -X POST http://keycloak-service:8080/realms/ambient-code/protocol/openid-connect/token \
+    -d client_id=ambient-frontend \
+    -d client_secret=dev-secret-do-not-use-in-prod \
+    -d grant_type=password \
+    -d username=developer \
+    -d password=developer \
+    -d scope=openid’ 2>/dev/null | jq -r ‘.access_token’)
+
+curl -H "Authorization: Bearer $JWT" http://localhost:12646/api/projects
 ```
 
-#### Calling project-scoped APIs (example)
+K8s ServiceAccount tokens also work (dual-path auth):
 
 ```bash
-export TOKEN="..."
-export PROJECT="my-project"
-
-curl -H "Authorization: Bearer ${TOKEN}" \
-  "http://localhost:8080/api/projects/${PROJECT}/agentic-sessions"
+TOKEN=$(kubectl get secret test-user-token -n ambient-code \
+  -o jsonpath=’{.data.token}’ | base64 -d)
+curl -H "Authorization: Bearer $TOKEN" http://localhost:12646/api/projects
 ```
 
 #### Unit tests note
 
-Unit tests **must not** use `DISABLE_AUTH`. Handler unit tests use:
+Unit tests use:
 
 - `go test -tags=test ./handlers`
 - `SetValidTestToken(...)` (see `components/backend/tests/test_utils/http_utils.go`)

components/backend/go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
+	github.com/lestrrat-go/jwx/v2 v2.1.6
 	github.com/minio/minio-go/v7 v7.0.82
 	github.com/onsi/ginkgo/v2 v2.27.3
 	github.com/onsi/gomega v1.38.3
@@ -33,6 +34,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -65,6 +67,11 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.11 // indirect
 	github.com/launchdarkly/eventsource v1.10.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.3 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.6 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
@@ -75,6 +82,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rs/xid v1.6.0 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect

components/backend/go.sum

@@ -35,6 +35,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
@@ -187,6 +189,18 @@ github.com/launchdarkly/go-test-helpers/v3 v3.1.0 h1:E3bxJMzMoA+cJSF3xxtk2/chr1z
 github.com/launchdarkly/go-test-helpers/v3 v3.1.0/go.mod h1:Ake5+hZFS/DmIGKx/cizhn5W9pGA7pplcR7xCxWiLIo=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lestrrat-go/blackmagic v1.0.3 h1:94HXkVLxkZO9vJI/w2u1T0DAoprShFd13xtnSINtDWs=
+github.com/lestrrat-go/blackmagic v1.0.3/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k=
+github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
+github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
+github.com/lestrrat-go/jwx/v2 v2.1.6 h1:hxM1gfDILk/l5ylers6BX/Eq1m/pnxe9NBwW6lVfecA=
+github.com/lestrrat-go/jwx/v2 v2.1.6/go.mod h1:Y722kU5r/8mV7fYDifjug0r8FK8mZdw0K0GpJw/l8pU=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
@@ -226,6 +240,8 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -234,6 +250,7 @@ github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpE
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=