From 8465591bc57ade121350bfe4d7ced1f12e2d7cc6 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Mon, 17 Apr 2023 14:26:32 +0900
Subject: [PATCH 01/29] feat: add maintainer jekim
---
 .gitignore | 4 ++++
 MAINTAINERS | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/.gitignore b/.gitignore
index 88e622f..f8e7aba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,10 @@
 *.so
 *.dylib
+# IDE
+.idea*
+.vscode*
+
 # Test binary, build with `go test -c`
 *.test
diff --git a/MAINTAINERS b/MAINTAINERS
index 82e37cd..1e8926f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -17,3 +17,7 @@
 # Seitaro Suno
 # Yahoo Japan Corporation
 # @ssunorz
+
+# Jeongwoo Kim
+# Yahoo Japan Corporation
+# @mlajkim
\ No newline at end of file
From cf9d3b3cecf1ff5869113a4fd716f16ed1aa7041 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Mon, 17 Apr 2023 14:27:54 +0900
Subject: [PATCH 02/29] fix: indent
---
 MAINTAINERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index 1e8926f..a555451 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -20,4 +20,4 @@
 # Jeongwoo Kim
 # Yahoo Japan Corporation
-# @mlajkim
\ No newline at end of file
+# @mlajkim
From 733bf7b102ed480d723fd3df3aa0fc20e9d40751 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Mon, 17 Apr 2023 16:48:39 +0900
Subject: [PATCH 03/29] fix: vulnerabilities in logic
---
 config/config.go | 15 ++++++++++-----
 config/config_test.go | 31 +++++++++++++++++++++++++++++--
 2 files changed, 39 insertions(+), 7 deletions(-)
diff --git a/config/config.go b/config/config.go
index f8a5faa..4ddb861 100755
--- a/config/config.go
+++ b/config/config.go
@@ -29,7 +29,12 @@ import (
 const (
 // currentVersion represents the configuration version.
- currentVersion = "v2.0.0"
+ currentVersion string = "v2.0.0"
+ // Choose the delimiter that RequestInfo's verb, namespace, API Group, Resource and Name CANNOT use.
+ // i.e) If end user can set its resource name with hyphens, we cannot use hyphen as delimiter.
+ // This will wrongfully grant access to privileged actions like DELETE or POST
+ // for resources with hyphens in their names when minimum access rights such as GET is given.
+ delimiter string = ","
 )
 // Config represents an application configuration content (config.yaml).
@@ -256,11 +261,11 @@ type RequestInfo struct {
 once *sync.Once
 }
-// Serialize returns RequestInfo in string format.
-// 1. replacedAPIGroup = replace `. => _` in r.APIGroup
-// 2. output format: `${r.Verb}-${r.Namespace}-${replacedAPIGroup}-${r.Resource}-${r.Name}`
+// Returns RequestInfo in string, separated by the delimiter.
+// API Group's periods will be replaced with underscores.
 func (r *RequestInfo) Serialize() string {
- return strings.Join([]string{r.Verb, r.Namespace, strings.Replace(r.APIGroup, ".", "_", -1), r.Resource, r.Name}, "-")
+ apiGroupWithoutPeriods := strings.Replace(r.APIGroup, ".", "_", -1)
+ return strings.Join([]string{r.Verb, r.Namespace, apiGroupWithoutPeriods, r.Resource, r.Name}, delimiter)
 }
 // Match checks if the given RequestInfo matches with the regular expression in this RequestInfo.
diff --git a/config/config_test.go b/config/config_test.go
index 563599c..dda5061 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -46,7 +46,7 @@ func Test_requestInfo_Serialize(t *testing.T) {
 Name: "dummyName",
 },
 },
- want: "dummyVerb-dummyNamespace-dummyAPIGroup-dummyResource-dummyName",
+ want: "dummyVerb,dummyNamespace,dummyAPIGroup,dummyResource,dummyName",
 },
 {
 name: "Check serialize with replace API group",
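Review bot: Switching the delimiter to `,` does not by itself close the over-broad match, because Match (outside this hunk; its unchanged body is visible as the removed line in patch 05) compiles the serialized string with no `^`/`$` anchors, so a WhiteList entry with Name `foo` still matches a request with Name `foobar` as a prefix match; compile it as `regexp.MustCompile("^" + ... + "$")`. The comment on `delimiter` asserts the five fields CANNOT contain a comma, which holds for Kubernetes DNS-style names, but nothing enforces it for config entries; a check in New() that rejects an entry whose fields contain `delimiter` would make the invariant explicit rather than assumed. The doc comment should also open with the function name as Go convention expects: `// Serialize returns the RequestInfo as one string, fields joined by delimiter, with periods in APIGroup replaced by underscores.`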
@@ -59,7 +59,7 @@ func Test_requestInfo_Serialize(t *testing.T) {
 Name: "dummyName",
 },
 },
- want: "dummyVerb-dummyNamespace-dummy_APIGroup-dummyResource-dummyName",
+ want: "dummyVerb,dummyNamespace,dummy_APIGroup,dummyResource,dummyName",
 },
 }
 for _, tt := range tests {
@@ -195,6 +195,33 @@ func Test_requestInfo_Match(t *testing.T) {
 },
 want: true,
 },
+ {
+ name: "Check if hyphen is not used for delimiter",
+ fields: fields{
+ req: RequestInfo{
+ Verb: "get",
+ Namespace: "kube-system",
+ APIGroup: "garm",
+ Resource: "pods",
+ Name: "*",
+
+ /*reg: func() *regexp.Regexp {
+ reg, _ := regexp.Compile("dummy")
+ return reg
+ }(),*/
+ },
+ },
+ args: args{
+ req: RequestInfo{
+ Verb: "create",
+ Namespace: "kube-system",
+ APIGroup: "garm",
+ Resource: "pods",
+ Name: "get-kube-system-garm-pods-test",
+ },
+ },
+ want: false,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
From a168acb4e57a162c2ba9fa4cfc3bc8481cef9181 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Tue, 18 Apr 2023 13:55:57 +0900
Subject: [PATCH 04/29] refactor: redundant ok bool var
---
 service/resolver.go | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/service/resolver.go b/service/resolver.go
index a785578..00f2131 100755
--- a/service/resolver.go
+++ b/service/resolver.go
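Review bot: The new Match case keeps a commented-out `reg:` initializer (`/*reg: func() *regexp.Regexp {...}(),*/`) inside the fixture; dead code in a fixture reads as if `reg` were meant to be preset, so delete it rather than leave it as a comment. A one-line comment on the case would also make the regression it guards explicit, e.g. `// with the old "-" delimiter the request string contained the whitelist pattern as a substring`, which is what the serialized strings `get-kube-system-garm-pods-…` and `create-kube-system-garm-pods-get-kube-system-garm-pods-test` exercise against an unanchored regexp. Test_requestInfo_Match starts before this hunk.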
@@ -311,29 +311,28 @@ func (r *resolve) TrimResource(res string) string {
 // returns false, only if inside blacklist
 // i.e. return (in whitelist || not in blacklist)
 func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bool {
- var ok bool
 for _, white := range r.cfg.WhiteList {
- ok = white.Match(config.RequestInfo{
+ if white.Match(config.RequestInfo{
 Verb: verb,
 Namespace: namespace,
 APIGroup: apiGroup,
 Resource: resource,
 Name: name,
- })
- if ok {
+ }) {
+ // TODO: Write a log here
 return true
 }
 }
 for _, black := range r.cfg.BlackList {
- ok = black.Match(config.RequestInfo{
+ if black.Match(config.RequestInfo{
 Verb: verb,
 Namespace: namespace,
 APIGroup: apiGroup,
 Resource: resource,
 Name: name,
- })
- if ok {
+ }) {
+ // TODO: Write a log here
 return false
 }
 }
From b684e0045ae4bfe9cd2f07ff862737897f16386a Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Tue, 18 Apr 2023 14:36:11 +0900
Subject: [PATCH 05/29] feat: buildRobustRegex()
---
 config/config.go | 24 +++++++++++++++++-
 config/config_test.go | 57 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+), 1 deletion(-)
diff --git a/config/config.go b/config/config.go
index 4ddb861..5d27181 100755
--- a/config/config.go
+++ b/config/config.go
@@ -268,6 +268,28 @@ func (r *RequestInfo) Serialize() string {
 return strings.Join([]string{r.Verb, r.Namespace, apiGroupWithoutPeriods, r.Resource, r.Name}, delimiter)
 }
+func buildRobustRegex(glob string) string {
+ var sb strings.Builder
+ sb.WriteString("^")
+ for _, c := range glob {
+ switch c {
+ case '*':
+ sb.WriteString(".*")
+ case '?':
+ // TODO: Check required. I do not think ? should become dot here. Should be escaped?
+ sb.WriteString(".")
+ // escape regex special characters
+ case '^', '$', '|', '[', ']', '+', '\\', '(', ')', '{', '}':
+ sb.WriteString("\\")
+ fallthrough
+ default:
+ sb.WriteRune(c)
+ }
+ }
+ sb.WriteString("$")
+ return strings.Replace(sb.String(), "..*", ".*", -1)
+}
+
 // Match checks if the given RequestInfo matches with the regular expression in this RequestInfo.
 // 1. r.Serialize()
 // 2. replace `* => .*`
@@ -278,7 +300,7 @@ func (r *RequestInfo) Match(req RequestInfo) bool {
 r.once = new(sync.Once)
 }
 r.once.Do(func() {
- r.reg = regexp.MustCompile(strings.Replace(strings.Replace(r.Serialize(), "*", ".*", -1), "..*", ".*", -1))
+ r.reg = regexp.MustCompile(buildRobustRegex(r.Serialize()))
 })
 return r.reg.Copy().MatchString(req.Serialize())
diff --git a/config/config_test.go b/config/config_test.go
index dda5061..67fdccc 100644
--- a/config/config_test.go
+++ b/config/config_test.go
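Review bot: buildRobustRegex escapes the listed metacharacters but not `.`, so a literal period in a pattern stays a wildcard (the `*.*` test case even expects `^.*.*$`), and since Serialize rewrites periods only in APIGroup, a Name such as `foo.bar` would also match `fooXbar`. Add it to the escape case, `case '.', '^', '$', '|', '[', ']', '+', '\\', '(', ')', '{', '}':`, and drop the trailing `strings.Replace(sb.String(), "..*", ".*", -1)`, which is then unnecessary and today silently turns `?*` (one or more characters) into `*` (zero or more). The `*.*` expectation in the test file becomes `^.*\..*$`. Match still compiles the pattern lazily on the first request through MustCompile; with escaping complete that cannot panic, but a malformed rule is better rejected when the config is loaded than discovered on a live request.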
@@ -571,3 +571,60 @@ func TestCheckPrefixAndSuffix(t *testing.T) {
 })
 }
 }
+
+func Test_patternFromGlob(t *testing.T) {
+ type args struct {
+ glob string
+ }
+ tests := []struct {
+ name string
+ args args
+ want string
+ }{
+ {
+ name: "Test patternFromGlob with *",
+ args: args{
+ glob: "*",
+ },
+ want: "^.*$",
+ },
+ {
+ name: "Test patternFromGlob with *.*",
+ args: args{
+ glob: "*.*",
+ },
+ want: "^.*.*$",
+ },
+ // Test question mark
+ {
+ name: "Test patternFromGlob with ?",
+ args: args{
+ glob: "?",
+ },
+ want: "^.$",
+ },
+ // Test every regex here: '^', '$', '|', '[', ']', '+', '\\', '(', ')', '{', '}'
+ {
+ name: "Test patternFromGlob with ^$|[]+\\(){}",
+ args: args{
+ glob: "^$|[]+\\(){}",
+ },
+ want: "^\\^\\$\\|\\[\\]\\+\\\\\\(\\)\\{\\}$",
+ },
+ // Test plain text
+ {
+ name: "Test patternFromGlob with plain text",
+ args: args{
+ glob: "plain text",
+ },
+ want: "^plain text$",
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := buildRobustRegex(tt.args.glob); got != tt.want {
+ t.Errorf("buildRobustRegex() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
From 801bbfdb2b50802caa7c88f897bd4cea8ce73a96 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Tue, 18 Apr 2023 15:14:57 +0900
Subject: [PATCH 06/29] feat: logger with some refactors
---
 service/resolver.go | 35 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 20 deletions(-)
diff --git a/service/resolver.go b/service/resolver.go
index 00f2131..16eb151 100755
--- a/service/resolver.go
+++ b/service/resolver.go
@@ -18,6 +18,7 @@ package service
 import (
 "strings"
+ "fmt"
 "github.com/AthenZ/garm/v2/config"
 )
@@ -311,28 +312,24 @@ func (r *resolve) TrimResource(res string) string {
 // returns false, only if inside blacklist
 // i.e. return (in whitelist || not in blacklist)
 func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bool {
+ ri := config.RequestInfo{
+ Verb: verb,
+ Namespace: namespace,
+ APIGroup: apiGroup,
+ Resource: resource,
+ Name: name,
+ }
+
 for _, white := range r.cfg.WhiteList {
- if white.Match(config.RequestInfo{
- Verb: verb,
- Namespace: namespace,
- APIGroup: apiGroup,
- Resource: resource,
- Name: name,
- }) {
- // TODO: Write a log here
+ if white.Match(ri) {
+ fmt.Printf("👍 Passed with \"%s\" matches \"%s\"", white.Serialize(), ri.Serialize())
 return true
 }
 }
 for _, black := range r.cfg.BlackList {
- if black.Match(config.RequestInfo{
- Verb: verb,
- Namespace: namespace,
- APIGroup: apiGroup,
- Resource: resource,
- Name: name,
- }) {
- // TODO: Write a log here
+ if black.Match(ri) {
+ fmt.Printf("❌ Explicitly denied with \"%s\" matches %s", black.Serialize(), ri.Serialize())
 return false
 }
 }
@@ -342,16 +339,14 @@ func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bo
 // IsAdminAccess returns true, if any admin access in config match
 func (r *resolve) IsAdminAccess(verb, namespace, apiGroup, resource, name string) bool {
- var ok bool
 for _, admin := range r.cfg.AdminAccessList {
- ok = admin.Match(config.RequestInfo{
+ if admin.Match(config.RequestInfo{
 Verb: verb,
 Namespace: namespace,
 APIGroup: apiGroup,
 Resource: resource,
 Name: name,
- })
- if ok {
+ }) {
 return true
 }
 }
From 2691845c345c0ab65838b976eee8f22b570f27e0 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Tue, 18 Apr 2023 18:02:49 +0900
Subject: [PATCH 07/29] feat: install github.com/AthenZ/athenz-authorizer/v5
---
 go.mod | 28 +++++++++++++++++++++-------
 go.sum | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 7 deletions(-)
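Review bot: The allow/deny lines in IsAllowed go to stdout through `fmt.Printf` rather than the logger the service otherwise uses, and neither format ends with `\n`, so successive decisions run together on one line; until they move to the logger, end both formats with `\n`. The import hunk of this patch also inserts `"fmt"` after `"strings"`, which `goimports` will reorder. IsAdminAccess in the second hunk still builds its `config.RequestInfo` inline inside the loop; hoisting it into a local as IsAllowed now does would keep the two methods consistent. IsAdminAccess's body continues past the hunk.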
diff --git a/go.mod b/go.mod
index 510e266..a7bd5ba 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,8 @@ replace (
 )
 require (
- github.com/AthenZ/athenz v1.11.23
- github.com/kpango/glg v1.6.14
+ github.com/AthenZ/athenz v1.11.26
+ github.com/kpango/glg v1.6.15
 github.com/pkg/errors v0.9.1
 github.com/yahoo/k8s-athenz-webhook v0.1.5-0.20230310225932-073f1a05c41a
 gopkg.in/yaml.v2 v2.4.0
@@ -18,26 +18,40 @@ require (
 )
 require (
+ github.com/AthenZ/athenz-authorizer/v5 v5.5.1 // indirect
 github.com/ardielle/ardielle-go v1.5.2 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 github.com/go-logr/logr v1.2.3 // indirect
 github.com/goccy/go-json v0.10.2 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
- github.com/kpango/fastime v1.1.6 // indirect
+ github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+ github.com/kpango/fastime v1.1.9 // indirect
+ github.com/kpango/gache v1.2.8 // indirect
+ github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+ github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+ github.com/lestrrat-go/httpcc v1.0.1 // indirect
+ github.com/lestrrat-go/iter v1.0.2 // indirect
+ github.com/lestrrat-go/jwx v1.2.25 // indirect
+ github.com/lestrrat-go/option v1.0.1 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 github.com/yahoo/athenz v1.9.31 // indirect
 github.com/yahoo/k8s-athenz-syncer v0.1.8 // indirect
- golang.org/x/net v0.7.0 // indirect
+ github.com/zeebo/xxh3 v1.0.2 // indirect
+ golang.org/x/crypto v0.8.0 // indirect
+ golang.org/x/net v0.9.0 // indirect
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
- golang.org/x/sys v0.5.0 // indirect
- golang.org/x/term v0.5.0 // indirect
- golang.org/x/text v0.7.0 // indirect
+ golang.org/x/sync v0.1.0 // indirect
+ golang.org/x/sys v0.7.0 // indirect
+ golang.org/x/term v0.7.0 // indirect
+ golang.org/x/text v0.9.0 // indirect
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.28.1 // indirect diff --git a/go.sum b/go.sum index 4284518..5d8a60b 100644 --- a/go.sum +++ b/go.sum @@ -33,6 +33,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/AthenZ/athenz v1.11.23 h1:Iqw46nJHVhDXcnVbXvtl7b7s9tU8xkWHALJ0IKXfOcg= github.com/AthenZ/athenz v1.11.23/go.mod h1:d2da1Gn5JLLrV48feSAKYJAJ2xCQPESvHpN5hnseB10= +github.com/AthenZ/athenz-authorizer/v5 v5.5.1 h1:okVP8IVuYnQaJG8CfSOwDbyTKyVRBhL0ldZ5XZBpMNg= +github.com/AthenZ/athenz-authorizer/v5 v5.5.1/go.mod h1:Y4AYjbSeqaK6KdOjfGDbk1yvlVJ4Fm37+3ujnthE/1M= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= 
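Review bot: `github.com/AthenZ/athenz-authorizer/v5` lands in the `// indirect` block, yet patch 10 imports its `policy` package directly from config/config.go; `go mod tidy` will then move it to the direct require block, so list it there now and keep go.mod tidy-clean. The new transitive set (jwx, golang-jwt/jwt, secp256k1, gache) widens the supply-chain surface of an authorization component, and the go.sum entries in this patch are the only integrity record for them, so this bump is best reviewed together with patch 10 that actually uses the library.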
@@ -58,6 +60,10 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dimfeld/httptreemux v5.0.1+incompatible h1:Qj3gVcDNoOthBAqftuD596rm4wg/adLLz5xh5CmpiCA= github.com/dimfeld/httptreemux v5.0.1+incompatible/go.mod h1:rbUlSV+CCpv/SuqUTP/8Bk2O3LyUV436/yaRGkhP6Z0= 
@@ -102,10 +108,14 @@ github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5F github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -194,17 +204,40 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/cpuid/v2 v2.2.4 h1:acbojRNwl3o09bUq+yDCtZFc1aiwaAAxtcn8YkZXnvk= +github.com/klauspost/cpuid/v2 v2.2.4/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kpango/fastime v1.1.6 h1:lAw1Tiwnlbsx1xZs6W9eM7/8niwabknewbmLkh/yTVo= github.com/kpango/fastime v1.1.6/go.mod h1:tTNDbIo5qL6D7g5vh2YbkyUbOVP2kD/we3rSjN22PMY= +github.com/kpango/fastime v1.1.9 h1:xVQHcqyPt5M69DyFH7g1EPRns1YQNap9d5eLhl/Jy84= +github.com/kpango/fastime v1.1.9/go.mod h1:vyD7FnUn08zxY4b/QFBZVG+9EWMYsNl+QF0uE46urD4= +github.com/kpango/gache v1.2.8 h1:+OjREOmuWO4qrJksDhzWJq80o9iwHiezdVmMR1jtCG0= +github.com/kpango/gache v1.2.8/go.mod h1:UyBo0IoPFDSJypK2haDXeV6PwHEmBcXQA0BLuOYEvWg= github.com/kpango/glg v1.6.14 h1:Ss3ZvTQ23blUCDYizSAijiFTZsgGeYr/lanUGgQ10rY= github.com/kpango/glg v1.6.14/go.mod h1:2djk7Zr4zKIYPHlORH8tJVlhCEh+XXW8W4K3qJyNXMI= +github.com/kpango/glg v1.6.15 h1:nw0xSxpSyrDIWHeb3dvnE08PW+SCbK+aYFETT75IeLA= +github.com/kpango/glg v1.6.15/go.mod h1:cmsc7Yeu8AS3wHLmN7bhwENXOpxfq+QoqxCIk2FneRk= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 
+github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A= +github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y= +github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ= +github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80= +github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= +github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= +github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= +github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc= +github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= +github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= +github.com/lestrrat-go/jwx v1.2.25 h1:tAx93jN2SdPvFn08fHNAhqFJazn5mBBOB8Zli0g0otA= +github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY= +github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= +github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= +github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 
@@ -273,6 +306,7 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= @@ -290,6 +324,8 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0= +github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
@@ -303,7 +339,10 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ= +golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -357,6 +396,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -395,26 +436,34 @@ golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ= +golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text 
v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From d6cc8e9e9c0f9022d5325612943b76faf8e60797 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Wed, 19 Apr 2023 10:37:01 +0900 Subject: [PATCH 08/29] feat: escape removed --- config/config.go | 1 - 1 file changed, 1 deletion(-) diff --git a/config/config.go b/config/config.go index 5d27181..d367b8b 100755 --- a/config/config.go +++ b/config/config.go @@ -276,7 +276,6 @@ func buildRobustRegex(glob string) string { case '*': sb.WriteString(".*") case '?': - // TODO: Check required. I do not think ? should become dot here. Should be escaped? sb.WriteString(".") // escape regex special characters case '^', '$', '|', '[', ']', '+', '\\', '(', ')', '{', '}': From 24e2168a78966b936a578280cbfd62925e9b07f6 Mon Sep 17 00:00:00 2001 
From: Jeongwoo Kim - jekim
Date: Wed, 19 Apr 2023 13:49:56 +0900
Subject: [PATCH 09/29] fix: logger with escape
---
 service/resolver.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/service/resolver.go b/service/resolver.go
index 16eb151..fe94008 100755
--- a/service/resolver.go
+++ b/service/resolver.go
@@ -322,14 +322,14 @@ func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bo
 for _, white := range r.cfg.WhiteList {
 if white.Match(ri) {
- fmt.Printf("👍 Passed with \"%s\" matches \"%s\"", white.Serialize(), ri.Serialize())
+ fmt.Printf("👍 Passed with \"%s\" matches \"%s\"\n", white.Serialize(), ri.Serialize())
 return true
 }
 }
 for _, black := range r.cfg.BlackList {
 if black.Match(ri) {
- fmt.Printf("❌ Explicitly denied with \"%s\" matches %s", black.Serialize(), ri.Serialize())
+ fmt.Printf("❌ Explicitly denied with \"%s\" matches %s\n", black.Serialize(), ri.Serialize())
 return false
 }
 }
From daf511339279ffa877c303d208b194ff1a1f38c6 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Wed, 19 Apr 2023 14:22:37 +0900
Subject: [PATCH 10/29] feat: apply assertion of athenz-authorizer
---
 config/config.go | 15 +++++++++++----
 config/config_test.go | 2 +-
 service/resolver.go | 6 +++---
 service/resolver_test.go | 4 ++--
 4 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/config/config.go b/config/config.go
index d367b8b..f4e75d6 100755
--- a/config/config.go
+++ b/config/config.go
@@ -21,6 +21,8 @@ import (
 "regexp"
 "strings"
 "sync"
+ "github.com/kpango/glg"
+ assertion "github.com/AthenZ/athenz-authorizer/v5/policy"
 "github.com/pkg/errors"
 webhook "github.com/yahoo/k8s-athenz-webhook"
@@ -264,8 +266,7 @@ type RequestInfo struct {
 // Returns RequestInfo in string, separated by the delimiter.
 // API Group's periods will be replaced with underscores.
 func (r *RequestInfo) Serialize() string {
- apiGroupWithoutPeriods := strings.Replace(r.APIGroup, ".", "_", -1)
- return strings.Join([]string{r.Verb, r.Namespace, apiGroupWithoutPeriods, r.Resource, r.Name}, delimiter)
+ return strings.Join([]string{r.Verb, r.Namespace, r.APIGroup, r.Resource, r.Name}, delimiter)
 }
 func buildRobustRegex(glob string) string {
@@ -299,10 +300,16 @@ func (r *RequestInfo) Match(req RequestInfo) bool {
 r.once = new(sync.Once)
 }
 r.once.Do(func() {
- r.reg = regexp.MustCompile(buildRobustRegex(r.Serialize()))
+ ass, err := assertion.NewAssertion("", ":"+r.Serialize(), "")
+ if err != nil {
+ glg.Error(err)
+ r.reg = regexp.MustCompile("")
+ } else {
+ r.reg = ass.ResourceRegexp
+ }
 })
- return r.reg.Copy().MatchString(req.Serialize())
+ return r.reg.Copy().MatchString(strings.ToLower(req.Serialize()))
 }
 // New returns the decoded configuration YAML file as *Config struct. Returns non-nil error if any.
diff --git a/config/config_test.go b/config/config_test.go
index 67fdccc..3fe5ed7 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -59,7 +59,7 @@ func Test_requestInfo_Serialize(t *testing.T) {
 Name: "dummyName",
 },
 },
- want: "dummyVerb,dummyNamespace,dummy_APIGroup,dummyResource,dummyName",
+ want: "dummyVerb,dummyNamespace,dummy.APIGroup,dummyResource,dummyName",
 },
 }
 for _, tt := range tests {
diff --git a/service/resolver.go b/service/resolver.go
index fe94008..4818595 100755
--- a/service/resolver.go
+++ b/service/resolver.go
@@ -18,7 +18,7 @@ package service
 import (
 "strings"
- "fmt"
+ "github.com/kpango/glg"
 "github.com/AthenZ/garm/v2/config"
 )
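Review bot: The doc comment kept above Serialize still says `API Group's periods will be replaced with underscores`, but this hunk removes exactly that replacement, so the comment is now false. Rewrite it as `// Serialize returns the RequestInfo as one string, fields joined by delimiter; APIGroup is kept verbatim.`, which also starts with the function name as Go doc convention expects.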
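Review bot: On a NewAssertion error the new branch assigns `regexp.MustCompile("")`, and the empty pattern matches every string, so a rule that fails to parse silently becomes match-everything: in the WhiteList it grants every request, in the AdminAccessList it passes every admin check, and the only trace is a log line. The safer minimum is to leave `r.reg` nil and have Match return false for it, as below; since a never-matching BlackList entry would in turn not deny, the real fix is to build the assertion in New() and refuse the config when any entry fails, which is outside this hunk. Two smaller points: only the request side is lower-cased, so whether a mixed-case config entry still matches depends on the assertion's own normalization and deserves a test case, and `Regexp.Copy` has been unnecessary since Go 1.12 (Regexp is safe for concurrent use) and can go. The Match doc comment above the hunk, visible as context in patch 11, still describes the old `* => .*` replacement and should follow the new implementation.
```go
	r.once.Do(func() {
		ass, err := assertion.NewAssertion("", ":"+r.Serialize(), "")
		if err != nil {
			// A rule that cannot be parsed must never match; leave r.reg nil.
			glg.Error(err)
			return
		}
		r.reg = ass.ResourceRegexp
	})
	// nil only when the assertion failed to build: this rule matches nothing.
	if r.reg == nil {
		return false
	}
	return r.reg.MatchString(strings.ToLower(req.Serialize()))
```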
@@ -322,14 +322,14 @@ func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bo
 for _, white := range r.cfg.WhiteList {
 if white.Match(ri) {
- fmt.Printf("👍 Passed with \"%s\" matches \"%s\"\n", white.Serialize(), ri.Serialize())
+ glg.Info("👍 Passed with \"%s\" matches \"%s\"\n", white.Serialize(), ri.Serialize())
 return true
 }
 }
 for _, black := range r.cfg.BlackList {
 if black.Match(ri) {
- fmt.Printf("❌ Explicitly denied with \"%s\" matches %s\n", black.Serialize(), ri.Serialize())
+ glg.Info("❌ Explicitly denied with \"%s\" matches %s\n", black.Serialize(), ri.Serialize())
 return false
 }
 }
diff --git a/service/resolver_test.go b/service/resolver_test.go
index 3f60574..cf32280 100644
--- a/service/resolver_test.go
+++ b/service/resolver_test.go
@@ -1469,7 +1469,7 @@ func Test_resolve_IsAdminAccess(t *testing.T) {
 Verb: "verb-461",
 Namespace: "namespace-462",
 APIGroup: "apiGroup-463",
- Resource: "resource-.*",
+ Resource: "resource-*",
 Name: "name-465",
 },
 },
@@ -1526,7 +1526,7 @@ func Test_resolve_IsAdminAccess(t *testing.T) {
 args: args{
 verb: "verb-509",
 namespace: "namespace-510",
- apiGroup: "apiGroup-_______________",
+ apiGroup: "apiGroup-._______________",
 resource: "resource-512",
 name: "name-513",
 },
From 1bb1444773391fc3ee72030fabc5c916e2f0bb6a Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Wed, 19 Apr 2023 16:46:30 +0900
Subject: [PATCH 11/29] fix: test strings
---
 config/config.go | 21 ---------------
 config/config_test.go | 57 ----------------------------------------
 service/resolver_test.go | 4 +--
 3 files changed, 2 insertions(+), 80 deletions(-)
diff --git a/config/config.go b/config/config.go
index f4e75d6..e758dc8 100755
--- a/config/config.go
+++ b/config/config.go
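Review bot: `glg.Info` is the print-style call, not a formatter, so the `%s` verbs in both new lines are written literally and the two Serialize() values are appended after them; switch to `glg.Infof` and drop the `\n` carried over from Printf, e.g. `glg.Infof("👍 Passed with %q matches %q", white.Serialize(), ri.Serialize())` and the same shape for the deny line. `%q` keeps an empty or whitespace-only field visible, which matters because these lines are the audit trail of every allow/deny decision. IsAllowed begins before this hunk.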
@@ -269,27 +269,6 @@ func (r *RequestInfo) Serialize() string {
 return strings.Join([]string{r.Verb, r.Namespace, r.APIGroup, r.Resource, r.Name}, delimiter)
 }
-func buildRobustRegex(glob string) string {
- var sb strings.Builder
- sb.WriteString("^")
- for _, c := range glob {
- switch c {
- case '*':
- sb.WriteString(".*")
- case '?':
- sb.WriteString(".")
- // escape regex special characters
- case '^', '$', '|', '[', ']', '+', '\\', '(', ')', '{', '}':
- sb.WriteString("\\")
- fallthrough
- default:
- sb.WriteRune(c)
- }
- }
- sb.WriteString("$")
- return strings.Replace(sb.String(), "..*", ".*", -1)
-}
-
 // Match checks if the given RequestInfo matches with the regular expression in this RequestInfo.
 // 1. r.Serialize()
 // 2. replace `* => .*`
diff --git a/config/config_test.go b/config/config_test.go
index 3fe5ed7..b5660b7 100644
--- a/config/config_test.go
+++ b/config/config_test.go
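Review bot: The doc comment kept on `Match` still describes the removed glob conversion (the `// 1.` / `// 2.` steps about replacing `*`), although the regexp is now produced by `assertion.NewAssertion` and, per the earlier `Match` hunk, the request side is lowercased before matching. Suggest replacing those lines with `// Match reports whether req matches this RequestInfo. The pattern is built once, via assertion.NewAssertion, from r.Serialize(); req.Serialize() is lowercased before matching.` so the comment matches the code. The `Match` body itself lies outside this hunk.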
@@ -571,60 +571,3 @@ func TestCheckPrefixAndSuffix(t *testing.T) { }) } } - -func Test_patternFromGlob(t *testing.T) { - type args struct { - glob string - } - tests := []struct { - name string - args args - want string - }{ - { - name: "Test patternFromGlob with *", - args: args{ - glob: "*", - }, - want: "^.*$", - }, - { - name: "Test patternFromGlob with *.*", - args: args{ - glob: "*.*", - }, - want: "^.*.*$", - }, - // Test question mark - { - name: "Test patternFromGlob with ?", - args: args{ - glob: "?", - }, - want: "^.$", - }, - // Test every regex here: '^', '$', '|', '[', ']', '+', '\\', '(', ')', '{', '}' - { - name: "Test patternFromGlob with ^$|[]+\\(){}", - args: args{ - glob: "^$|[]+\\(){}", - }, - want: "^\\^\\$\\|\\[\\]\\+\\\\\\(\\)\\{\\}$", - }, - // Test plain text - { - name: "Test patternFromGlob with plain text", - args: args{ - glob: "plain text", - }, - want: "^plain text$", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := buildRobustRegex(tt.args.glob); got != tt.want { - t.Errorf("buildRobustRegex() = %v, want %v", got, tt.want) - } - }) - } -} diff --git a/service/resolver_test.go b/service/resolver_test.go index cf32280..b4caf5f 100644 --- a/service/resolver_test.go +++ b/service/resolver_test.go @@ -1461,7 +1461,7 @@ func Test_resolve_IsAdminAccess(t *testing.T) { want: true, }, { - name: "Check resolve IsAdminAccess regex match", + name: "Check with asterisk for resource", fields: fields{ cfg: config.Platform{ AdminAccessList: []*config.RequestInfo{ @@ -1509,7 +1509,7 @@ func Test_resolve_IsAdminAccess(t *testing.T) { want: false, }, { - name: "Check resolve IsAdminAccess regex match success after APIGroup replace", + name: "Check period in APIGroup gets escaped successfully", fields: fields{ cfg: config.Platform{ AdminAccessList: []*config.RequestInfo{ From fc462f3c6025d90726c24f60cbbc63e14c5f0fc2 Mon Sep 17 00:00:00 2001 
From: Jeongwoo Kim - jekim Date: Wed, 19 Apr 2023 16:52:14 +0900 Subject: [PATCH 12/29] fix: go 1.18 -> 1.20 --- Dockerfile | 2 +- go.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 39c0fe6..0c4ef77 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.18-alpine AS base +FROM golang:1.20-alpine AS base RUN set -eux \ && apk --no-cache add ca-certificates \ diff --git a/go.mod b/go.mod index a7bd5ba..b21347d 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/AthenZ/garm/v2 -go 1.18 +go 1.20 replace ( github.com/AthenZ/athenz => github.com/AthenZ/athenz v1.11.23 From 747b118e0815baf0e3d7e4a382592e4c98a2b228 Mon Sep 17 00:00:00 2001 From: Windz Date: Wed, 19 Apr 2023 17:54:43 +0900 Subject: [PATCH 13/29] remove upx (#14) Signed-off-by: wfan --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0c4ef77..7850e30 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM golang:1.20-alpine AS base RUN set -eux \ && apk --no-cache add ca-certificates \ - && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl upx git + && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git WORKDIR ${GOPATH}/src/github.com/AthenZ/garm @@ -30,7 +30,7 @@ RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \ GOARCH=$(go env GOARCH) \ GO111MODULE=on \ go build -ldflags "-s -w -linkmode 'external' -extldflags '-static -fPIC -m64 -pthread -std=c++11 -lstdc++' -X 'main.Version=${APP_VERSION} at ${BUILD_TIME} by ${GO_VERSION}'" -a -tags "cgo netgo" -installsuffix "cgo netgo" -o "${APP_NAME}" \ - && upx --best -o "/usr/bin/${APP_NAME}" "${APP_NAME}" + && mv "${APP_NAME}" "/usr/bin/${APP_NAME}" RUN apk del build-dependencies --purge \ && rm -rf "${GOPATH}" 
@@ -50,7 +50,7 @@ COPY --from=builder /etc/passwd /etc/passwd
 COPY --from=builder /usr/bin/${APP_NAME} /go/bin/${APP_NAME}
 # Copy user
 COPY --from=builder /etc/passwd /etc/passwd
-USER ${APP_NAME}
+# USER ${APP_NAME}
 HEALTHCHECK NONE
 ENTRYPOINT ["/go/bin/garm"]
From aba05ed2bb52e23b01508bb2fc9d87c447672cb6 Mon Sep 17 00:00:00 2001
From: Windz
Date: Wed, 19 Apr 2023 18:25:41 +0900
Subject: [PATCH 14/29] test setcap (#15)
Signed-off-by: wfan
---
 .github/workflows/docker-build-publish.yaml | 2 +-
 Dockerfile | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml
index 1bd75dd..50e2366 100644
--- a/.github/workflows/docker-build-publish.yaml
+++ b/.github/workflows/docker-build-publish.yaml
@@ -137,7 +137,7 @@ jobs:
 echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
 jq -r .
 echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
- jq -r .cis_docker_benchmark_violation_report[].violations[] | \
+ jq -r '.cis_docker_benchmark_violation_report[] | select(true) | .violations[]' | \
 wc -l | \
 xargs -I% test 0 -eq %
diff --git a/Dockerfile b/Dockerfile
index 7850e30..e712844 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.20-alpine AS base
 RUN set -eux \
 && apk --no-cache add ca-certificates \
- && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git
+ && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git libcap
 WORKDIR ${GOPATH}/src/github.com/AthenZ/garm
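Review bot: Commenting out `USER ${APP_NAME}` makes the final image run the service as root, even though its unprivileged account is still copied in via `/etc/passwd`; any flaw in request handling then executes with root inside the container. If the goal is binding a privileged port, granting `cap_net_bind_service` to the binary (as the following patch does) or listening on an unprivileged port keeps the `USER` line in place. Separately, `select(true)` in the new jq filter of the workflow hunk is a no-op; the quoting is the meaningful part, and `'.cis_docker_benchmark_violation_report[].violations[]'` expresses the same filter.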
@@ -32,6 +32,9 @@ RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \
 go build -ldflags "-s -w -linkmode 'external' -extldflags '-static -fPIC -m64 -pthread -std=c++11 -lstdc++' -X 'main.Version=${APP_VERSION} at ${BUILD_TIME} by ${GO_VERSION}'" -a -tags "cgo netgo" -installsuffix "cgo netgo" -o "${APP_NAME}" \
 && mv "${APP_NAME}" "/usr/bin/${APP_NAME}"
+# allow well-known port binding
+RUN setcap 'cap_net_bind_service=+ep' "/usr/bin/${APP_NAME}"
+
 RUN apk del build-dependencies --purge \
 && rm -rf "${GOPATH}"
@@ -50,7 +53,7 @@ COPY --from=builder /etc/passwd /etc/passwd
 COPY --from=builder /usr/bin/${APP_NAME} /go/bin/${APP_NAME}
 # Copy user
 COPY --from=builder /etc/passwd /etc/passwd
-# USER ${APP_NAME}
+USER ${APP_NAME}
 HEALTHCHECK NONE
 ENTRYPOINT ["/go/bin/garm"]
From 10c52a702c8d2d3a93105b3c4edf97248200228b Mon Sep 17 00:00:00 2001
From: wfan
Date: Wed, 19 Apr 2023 19:04:14 +0900
Subject: [PATCH 15/29] fix check cmd
Signed-off-by: wfan
---
 .github/workflows/docker-build-publish.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml
index 50e2366..25a42cc 100644
--- a/.github/workflows/docker-build-publish.yaml
+++ b/.github/workflows/docker-build-publish.yaml
@@ -226,4 +226,4 @@ jobs:
 name: Test Docker image
 id: test_docker
 run: |
- docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version
+ docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} -version
From bd0b04ae70cc21662ec13305d02d68c39780d1eb Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Wed, 19 Apr 2023 19:26:23 +0900
Subject: [PATCH 16/29] fix: log message
---
 service/resolver.go | 4 ++--
 service/resource_mapper.go | 2 +-
 service/resource_mapper_test.go | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/service/resolver.go b/service/resolver.go
index 4818595..a5f9870 100755
--- a/service/resolver.go
+++ b/service/resolver.go
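Review bot: `setcap` runs on `/usr/bin/${APP_NAME}` in the build stage, but the binary that executes is the copy placed at `/go/bin/${APP_NAME}` by `COPY --from=builder` in the final stage; file capabilities are stored in the `security.capability` extended attribute, and whether a multi-stage `COPY` preserves it depends on the builder and storage driver in use. With `USER ${APP_NAME}` restored, a lost capability would surface only at runtime as a failed bind on the well-known port, so the image test step should check it, e.g. by running `getcap /go/bin/${APP_NAME}` or performing a real bind as the unprivileged user. Running `setcap` in the final stage after the `COPY` instead would make the result independent of the copy path, at the cost of needing `libcap` there.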
@@ -322,14 +322,14 @@ func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bo for _, white := range r.cfg.WhiteList { if white.Match(ri) { - glg.Info("👍 Passed with \"%s\" matches \"%s\"\n", white.Serialize(), ri.Serialize()) + glg.Debug("👍 Passed with \"%s\" matches \"%s\"\n", white.Serialize(), ri.Serialize()) return true } } for _, black := range r.cfg.BlackList { if black.Match(ri) { - glg.Info("❌ Explicitly denied with \"%s\" matches %s\n", black.Serialize(), ri.Serialize()) + glg.Debug("❌ Explicitly denied with \"%s\" matches %s\n", black.Serialize(), ri.Serialize()) return false } } diff --git a/service/resource_mapper.go b/service/resource_mapper.go index 9428828..30cf9d6 100755 --- a/service/resource_mapper.go +++ b/service/resource_mapper.go @@ -95,7 +95,7 @@ func (m *resourceMapper) MapResource(ctx context.Context, spec authz.SubjectAcce case !m.res.IsAllowed(verb, namespace, group, resource, name): // Not Allowed return "", nil, fmt.Errorf( - "----%s's request is not allowed----\nVerb:\t%s\nNamespaceb:\t%s\nAPI Group:\t%s\nResource:\t%s\nResource Name:\t%s\n", + "❌ %s's request is explicitly denied by the blacklist!\nVerb:\t%s\nNamespaceb:\t%s\nAPI Group:\t%s\nResource:\t%s\nResource Name:\t%s\n", identity, verb, namespace, group, resource, name) case m.res.IsAdminAccess(verb, namespace, group, resource, name): return identity, m.createAdminAccessCheck( diff --git a/service/resource_mapper_test.go b/service/resource_mapper_test.go index 8c8ea12..01999cb 100644 --- a/service/resource_mapper_test.go +++ b/service/resource_mapper_test.go 
@@ -438,7 +438,7 @@ func Test_resourceMapper_MapResource(t *testing.T) { wantIdentity: "", wantAthenzAccessChecks: nil, wantError: fmt.Errorf( - "----user-322's request is not allowed----\nVerb:\tverb-317\nNamespaceb:\tnamespace-316\nAPI Group:\tgroup-320\nResource:\tresource-318.sub-resource-319\nResource Name:\tname-315\n"), + "❌ user-322's request is explicitly denied by the blacklist!\nVerb:\tverb-317\nNamespaceb:\tnamespace-316\nAPI Group:\tgroup-320\nResource:\tresource-318.sub-resource-319\nResource Name:\tname-315\n"), }, } for _, tt := range tests { From 800d01573668d405941d31d47eb3709c1e73592d Mon Sep 17 00:00:00 2001 From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Date: Thu, 20 Apr 2023 15:47:44 +0900 Subject: [PATCH 17/29] feat: WindzCHUK advice applied Co-authored-by: Windz Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> --- config/config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config_test.go b/config/config_test.go index b5660b7..99368b7 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -196,7 +196,7 @@ func Test_requestInfo_Match(t *testing.T) { want: true, }, { - name: "Check if hyphen is not used for delimiter", + name: "Check malicious resource name not match", fields: fields{ req: RequestInfo{ Verb: "get", From e6e2ebc9114cc73dfb7b5edda52826eb16bca5b9 Mon Sep 17 00:00:00 2001 From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Date: Thu, 20 Apr 2023 15:48:00 +0900 Subject: [PATCH 18/29] feat: WindzCHUK advice applied Co-authored-by: Windz Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> --- config/config.go | 1 + 1 file changed, 1 insertion(+) diff --git a/config/config.go b/config/config.go index e758dc8..1db50aa 100755 --- a/config/config.go +++ b/config/config.go 
@@ -32,6 +32,7 @@ import (
 const (
 // currentVersion represents the configuration version.
 currentVersion string = "v2.0.0"
+ // delimiter represents delimiter used to serialize RequestInfo. Must NOT use valid characters allowed in the all the fields of RequestInfo.
 // Choose the delimiter that RequestInfo's verb, namespace, API Group, Resource and Name CANNOT use.
 // i.e) If end user can set its resource name with hyphens, we cannot use hyphen as delimiter.
 // This will wrongfully grant access to privileged actions like DELETE or POST
From 78ed811bfe91f50e1d088ec22f0e6b01cc93aa1b Mon Sep 17 00:00:00 2001
From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Date: Thu, 20 Apr 2023 15:48:40 +0900
Subject: [PATCH 19/29] feat: WindzCHUK advice applied
Co-authored-by: Windz
Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index b21347d..5722fa6 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/AthenZ/garm/v2
 go 1.20
 replace (
- github.com/AthenZ/athenz => github.com/AthenZ/athenz v1.11.23
+ github.com/AthenZ/athenz => github.com/AthenZ/athenz v1.11.26
 golang.org/x/net => golang.org/x/net v0.7.0
 k8s.io/client-go => k8s.io/client-go v0.26.0
 )
From 325c17b309b9db94fe1ca66b91ccf4b9d87968c7 Mon Sep 17 00:00:00 2001
From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Date: Thu, 20 Apr 2023 15:48:51 +0900
Subject: [PATCH 20/29] feat: WindzCHUK advice applied
Co-authored-by: Windz
Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
---
 config/config.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/config/config.go b/config/config.go
index 1db50aa..b9f7407 100755
--- a/config/config.go
+++ b/config/config.go
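Review bot: The added line restates the requirement already given by the two comment lines below it, and the requirement itself (that `delimiter` never appears in a RequestInfo field) is not enforced anywhere: `Serialize` simply joins the five fields, and `IsAllowed` presumably receives them from the SubjectAccessReview spec rather than from validated object names. Because the whitelist/blacklist match rests on this invariant, it is worth checking at the boundary, e.g. in `Match`: `if strings.Count(req.Serialize(), delimiter) != 4 { return false }` (five fields joined by exactly four delimiters). For the comment itself, fold the new line into the existing paragraph and fix its grammar, e.g. `// delimiter separates the fields of a serialized RequestInfo. It must be a character that none of the verb, namespace, API group, resource or name may contain; ...`.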
@@ -264,8 +264,7 @@ type RequestInfo struct {
 once *sync.Once
 }
-// Returns RequestInfo in string, separated by the delimiter.
-// API Group's periods will be replaced with underscores.
+// Serialize returns RequestInfo in string, separated by the delimiter.
 func (r *RequestInfo) Serialize() string {
 return strings.Join([]string{r.Verb, r.Namespace, r.APIGroup, r.Resource, r.Name}, delimiter)
 }
From 95756d75624de1b39d9080ffe387c350228747e9 Mon Sep 17 00:00:00 2001
From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Date: Thu, 20 Apr 2023 15:49:03 +0900
Subject: [PATCH 21/29] feat: WindzCHUK advice applied
Co-authored-by: Windz
Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
---
 config/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/config.go b/config/config.go
index b9f7407..4ba5fb2 100755
--- a/config/config.go
+++ b/config/config.go
@@ -281,7 +281,7 @@ func (r *RequestInfo) Match(req RequestInfo) bool {
 r.once.Do(func() {
 ass, err := assertion.NewAssertion("", ":"+r.Serialize(), "")
 if err != nil {
- glg.Error(err)
+ glg.Error(errors.Wrap(err, "regex creation error: invalid blacklist/whitelist config"))
 r.reg = regexp.MustCompile("")
 } else {
 r.reg = ass.ResourceRegexp
From dff0a1eb9e3b26e0f42d3fff73ba91396ba2ecdd Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Thu, 20 Apr 2023 15:50:59 +0900
Subject: [PATCH 22/29] refactor: redundant comments removed
---
 config/config_test.go | 25 -------------------------
 1 file changed, 25 deletions(-)
diff --git a/config/config_test.go b/config/config_test.go
index 99368b7..c968a5a 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -95,11 +95,6 @@ func Test_requestInfo_Match(t *testing.T) {
 APIGroup: "dummyAPIGroup",
 Resource: "dummyResource",
 Name: "dummyName",
-
- /*reg: func() *regexp.Regexp {
- reg, _ := regexp.Compile("dummy")
- return reg
- }(),*/
 },
 },
 args: args{
@@ -122,11 +117,6 @@ func Test_requestInfo_Match(t *testing.T) { APIGroup: "dummyAPIGroup", Resource: "dummyResource", Name: "dummyName", - - /*reg: func() *regexp.Regexp { - reg, _ := regexp.Compile("dummy") - return reg - }(),*/ }, }, args: args{ @@ -149,11 +139,6 @@ func Test_requestInfo_Match(t *testing.T) { APIGroup: "dummyAPIGroup", Resource: "dummyResource", Name: "*", - - /*reg: func() *regexp.Regexp { - reg, _ := regexp.Compile("dummy") - return reg - }(),*/ }, }, args: args{ @@ -177,11 +162,6 @@ func Test_requestInfo_Match(t *testing.T) { APIGroup: "dummyAPIGroup", Resource: "*", Name: "*", - - /*reg: func() *regexp.Regexp { - reg, _ := regexp.Compile("dummy") - return reg - }(),*/ }, }, args: args{ @@ -204,11 +184,6 @@ func Test_requestInfo_Match(t *testing.T) { APIGroup: "garm", Resource: "pods", Name: "*", - - /*reg: func() *regexp.Regexp { - reg, _ := regexp.Compile("dummy") - return reg - }(),*/ }, }, args: args{ From 06d6ac1514db269abed3aadb01a474a4fd2b3179 Mon Sep 17 00:00:00 2001 From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Date: Thu, 20 Apr 2023 15:51:39 +0900 Subject: [PATCH 23/29] feat: apply given comment from wfan Co-authored-by: Windz Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> --- service/resolver.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/service/resolver.go b/service/resolver.go index a5f9870..fa9768d 100755 --- a/service/resolver.go +++ b/service/resolver.go @@ -322,7 +322,7 @@ func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bo for _, white := range r.cfg.WhiteList { if white.Match(ri) { - glg.Debug("👍 Passed with \"%s\" matches \"%s\"\n", white.Serialize(), ri.Serialize()) + glg.Debugf("⏩ Excluded from blacklist with whitelist \"%v\" matches \"%v\"\n", white, ri) return true } } From 7844449e0add076dc60fa1b5a5e966d21de89565 Mon Sep 17 00:00:00 2001 
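Review bot: `glg.Debugf(..., white, ri)` with `%v` prints the whole `RequestInfo` value, including the unexported `reg` and `once` pointer fields, so unless `RequestInfo` implements `Stringer` the log line is mostly pointer noise around the five fields the match actually compares; the replaced `white.Serialize()` / `ri.Serialize()` form was the readable one. The blacklist message in the PATCH 26 hunk has the same issue, and there `%s` applied to struct values would render those pointer fields with `%!s(...)` markers. Suggest `glg.Debugf("⏩ Excluded from blacklist with whitelist \"%s\" matches \"%s\"\n", white.Serialize(), ri.Serialize())` and the matching change for the blacklist line.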
From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> Date: Thu, 20 Apr 2023 15:51:49 +0900 Subject: [PATCH 24/29] feat: apply given comment from wfan Co-authored-by: Windz Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com> --- service/resolver_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/service/resolver_test.go b/service/resolver_test.go index b4caf5f..338fd04 100644 --- a/service/resolver_test.go +++ b/service/resolver_test.go @@ -1461,7 +1461,7 @@ func Test_resolve_IsAdminAccess(t *testing.T) { want: true, }, { - name: "Check with asterisk for resource", + name: "Check resource with asterisk", fields: fields{ cfg: config.Platform{ AdminAccessList: []*config.RequestInfo{ From 1e3ab8dae42138aaf728f879e86aa5aee6c0ce13 Mon Sep 17 00:00:00 2001 From: Jeongwoo Kim - jekim Date: Thu, 20 Apr 2023 16:03:49 +0900 Subject: [PATCH 25/29] fix: message --- go.mod | 11 +-------- go.sum | 42 ++++----------------------------- service/resource_mapper.go | 2 +- service/resource_mapper_test.go | 2 +- 4 files changed, 7 insertions(+), 50 deletions(-) diff --git a/go.mod b/go.mod index 5722fa6..62f9470 100644 --- a/go.mod +++ b/go.mod @@ -10,6 +10,7 @@ replace ( require ( github.com/AthenZ/athenz v1.11.26 + github.com/AthenZ/athenz-authorizer/v5 v5.5.1 github.com/kpango/glg v1.6.15 github.com/pkg/errors v0.9.1 github.com/yahoo/k8s-athenz-webhook v0.1.5-0.20230310225932-073f1a05c41a 
@@ -18,14 +19,11 @@ require ( ) require ( - github.com/AthenZ/athenz-authorizer/v5 v5.5.1 // indirect github.com/ardielle/ardielle-go v1.5.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect github.com/go-logr/logr v1.2.3 // indirect github.com/goccy/go-json v0.10.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/golang/protobuf v1.5.2 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect @@ -33,19 +31,12 @@ require ( github.com/klauspost/cpuid/v2 v2.2.4 // indirect github.com/kpango/fastime v1.1.9 // indirect github.com/kpango/gache v1.2.8 // indirect - github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect - github.com/lestrrat-go/blackmagic v1.0.1 // indirect - github.com/lestrrat-go/httpcc v1.0.1 // indirect - github.com/lestrrat-go/iter v1.0.2 // indirect - github.com/lestrrat-go/jwx v1.2.25 // indirect - github.com/lestrrat-go/option v1.0.1 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect github.com/yahoo/athenz v1.9.31 // indirect github.com/yahoo/k8s-athenz-syncer v0.1.8 // indirect github.com/zeebo/xxh3 v1.0.2 // indirect - golang.org/x/crypto v0.8.0 // indirect golang.org/x/net v0.9.0 // indirect golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect golang.org/x/sync v0.1.0 // indirect diff --git a/go.sum b/go.sum index 5d8a60b..c34ce90 100644 --- a/go.sum +++ b/go.sum 
@@ -31,8 +31,8 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/AthenZ/athenz v1.11.23 h1:Iqw46nJHVhDXcnVbXvtl7b7s9tU8xkWHALJ0IKXfOcg= -github.com/AthenZ/athenz v1.11.23/go.mod h1:d2da1Gn5JLLrV48feSAKYJAJ2xCQPESvHpN5hnseB10= +github.com/AthenZ/athenz v1.11.26 h1:j6AZhjT2DuR/ZN3OQm5XW3ri6TS4Wf97ePcFcqBy/f0= +github.com/AthenZ/athenz v1.11.26/go.mod h1:hz8WrHkj4KOOaejllzTJIoXBCtptWV279CtEAUDuxis= github.com/AthenZ/athenz-authorizer/v5 v5.5.1 h1:okVP8IVuYnQaJG8CfSOwDbyTKyVRBhL0ldZ5XZBpMNg= github.com/AthenZ/athenz-authorizer/v5 v5.5.1/go.mod h1:Y4AYjbSeqaK6KdOjfGDbk1yvlVJ4Fm37+3ujnthE/1M= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 
@@ -60,10 +60,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dimfeld/httptreemux v5.0.1+incompatible h1:Qj3gVcDNoOthBAqftuD596rm4wg/adLLz5xh5CmpiCA= github.com/dimfeld/httptreemux v5.0.1+incompatible/go.mod h1:rbUlSV+CCpv/SuqUTP/8Bk2O3LyUV436/yaRGkhP6Z0= 
@@ -108,14 +104,10 @@ github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5F github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= -github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -207,14 +199,10 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/klauspost/cpuid/v2 v2.2.4 h1:acbojRNwl3o09bUq+yDCtZFc1aiwaAAxtcn8YkZXnvk= github.com/klauspost/cpuid/v2 v2.2.4/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kpango/fastime v1.1.6 h1:lAw1Tiwnlbsx1xZs6W9eM7/8niwabknewbmLkh/yTVo= -github.com/kpango/fastime v1.1.6/go.mod h1:tTNDbIo5qL6D7g5vh2YbkyUbOVP2kD/we3rSjN22PMY= github.com/kpango/fastime v1.1.9 h1:xVQHcqyPt5M69DyFH7g1EPRns1YQNap9d5eLhl/Jy84= github.com/kpango/fastime v1.1.9/go.mod h1:vyD7FnUn08zxY4b/QFBZVG+9EWMYsNl+QF0uE46urD4= github.com/kpango/gache v1.2.8 h1:+OjREOmuWO4qrJksDhzWJq80o9iwHiezdVmMR1jtCG0= github.com/kpango/gache v1.2.8/go.mod h1:UyBo0IoPFDSJypK2haDXeV6PwHEmBcXQA0BLuOYEvWg= -github.com/kpango/glg v1.6.14 h1:Ss3ZvTQ23blUCDYizSAijiFTZsgGeYr/lanUGgQ10rY= -github.com/kpango/glg v1.6.14/go.mod h1:2djk7Zr4zKIYPHlORH8tJVlhCEh+XXW8W4K3qJyNXMI= github.com/kpango/glg v1.6.15 h1:nw0xSxpSyrDIWHeb3dvnE08PW+SCbK+aYFETT75IeLA= github.com/kpango/glg v1.6.15/go.mod h1:cmsc7Yeu8AS3wHLmN7bhwENXOpxfq+QoqxCIk2FneRk= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 
@@ -223,21 +211,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A= -github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y= -github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ= -github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80= -github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= -github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= -github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= -github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc= -github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= -github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= -github.com/lestrrat-go/jwx v1.2.25 h1:tAx93jN2SdPvFn08fHNAhqFJazn5mBBOB8Zli0g0otA= -github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY= -github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= -github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= -github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson 
v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= @@ -306,7 +279,6 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= @@ -324,6 +296,7 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ= github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 
@@ -333,16 +306,13 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= -go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY= +go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= -golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ= -golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -440,14 +410,12 @@ golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= -golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= 
@@ -456,11 +424,9 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= golang.org/x/text v0.9.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
diff --git a/service/resource_mapper.go b/service/resource_mapper.go
index 30cf9d6..80ccc12 100755
--- a/service/resource_mapper.go
+++ b/service/resource_mapper.go
@@ -95,7 +95,7 @@ func (m *resourceMapper) MapResource(ctx context.Context, spec authz.SubjectAcce
 case !m.res.IsAllowed(verb, namespace, group, resource, name):
 // Not Allowed
 return "", nil, fmt.Errorf(
- "❌ %s's request is explicitly denied by the blacklist!\nVerb:\t%s\nNamespaceb:\t%s\nAPI Group:\t%s\nResource:\t%s\nResource Name:\t%s\n",
+ "❌ %s's request is explicitly denied by the blacklist! Verb: \"%s\", Namespace: \"%s\", API Group: \"%s\", Resource: \"%s\", Resource Name: \"%s\"",
 identity, verb, namespace, group, resource, name)
 case m.res.IsAdminAccess(verb, namespace, group, resource, name):
 return identity, m.createAdminAccessCheck(
diff --git a/service/resource_mapper_test.go b/service/resource_mapper_test.go
index 01999cb..46198f2 100644
--- a/service/resource_mapper_test.go
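Review bot: The added format string hand-quotes the request-supplied operands with `\"%s\"`, so a verb, namespace, API group, resource or name that itself contains a quote, newline or control character still breaks the single-line error message this change is aiming for. Using `%q` for those five operands (`Verb: %q, Namespace: %q, API Group: %q, Resource: %q, Resource Name: %q`) quotes and escapes them in one step, and for plain values such as the ones in resource_mapper_test.go the rendered text is identical, so the updated expectation there still passes. If `identity` also originates from the request, the leading `%s` deserves the same treatment. MapResource starts before this hunk.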
+++ b/service/resource_mapper_test.go
@@ -438,7 +438,7 @@ func Test_resourceMapper_MapResource(t *testing.T) {
 wantIdentity: "",
 wantAthenzAccessChecks: nil,
 wantError: fmt.Errorf(
- "❌ user-322's request is explicitly denied by the blacklist!\nVerb:\tverb-317\nNamespaceb:\tnamespace-316\nAPI Group:\tgroup-320\nResource:\tresource-318.sub-resource-319\nResource Name:\tname-315\n"),
+ "❌ user-322's request is explicitly denied by the blacklist! Verb: \"verb-317\", Namespace: \"namespace-316\", API Group: \"group-320\", Resource: \"resource-318.sub-resource-319\", Resource Name: \"name-315\""),
 },
 }
 for _, tt := range tests {
From 72113d106287c8cb7d4593e20e2e7304450a9081 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Thu, 20 Apr 2023 16:06:04 +0900
Subject: [PATCH 26/29] fix: message

---
 service/resolver.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/service/resolver.go b/service/resolver.go
index fa9768d..78e3af4 100755
--- a/service/resolver.go
+++ b/service/resolver.go
@@ -329,7 +329,7 @@ func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bo
 for _, black := range r.cfg.BlackList {
 if black.Match(ri) {
- glg.Debug("❌ Explicitly denied with \"%s\" matches %s\n", black.Serialize(), ri.Serialize())
+ glg.Debugf("❌ Explicitly denied by blacklist with blacklist \"%s\" matches \"%s\"\n", black, ri)
 return false
 }
 }
From 5cc24384edbabd86dcfae4729337baf7a1024d56 Mon Sep 17 00:00:00 2001
From: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Date: Thu, 20 Apr 2023 16:07:55 +0900
Subject: [PATCH 27/29] feat: WindzCHUK advice applied

Co-authored-by: Windz
Signed-off-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
---
 config/config_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/config_test.go b/config/config_test.go
index c968a5a..bb40c23 100644
--- a/config/config_test.go
+++ b/config/config_test.go
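Review bot: The new Debugf line passes `black` and `ri` straight to `%s`, where the removed line passed `black.Serialize()` and `ri.Serialize()`; these appear to be RequestInfo values, and unless that type implements fmt.Stringer, `%s` on the struct renders every field — including the `once *sync.Once` pointer the type carries — as `%!s(...)` noise instead of the `verb,namespace,group,resource,name` form Serialize produces. The same applies to the two later resolver.go hunks in PATCH 28 and PATCH 29, whose final form switches to `%v`: that drops the `%!s` markers but still logs the raw struct with a pointer address rather than the matched rule. Keeping the serialized form, `glg.Debugf("❌ Explicitly denied by blacklist with blacklist \"%s\" matches \"%s\"\n", black.Serialize(), ri.Serialize())`, and likewise for the whitelist line, restores a readable entry. IsAllowed starts before this hunk.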
@@ -49,7 +49,7 @@ func Test_requestInfo_Serialize(t *testing.T) {
 want: "dummyVerb,dummyNamespace,dummyAPIGroup,dummyResource,dummyName",
 },
 {
- name: "Check serialize with replace API group",
+ name: "Check serialize with API group containing period",
 fields: fields{
 req: RequestInfo{
 Verb: "dummyVerb",
From 40a26e62defee0aa2c713624b463f7d3ffa8c554 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Thu, 20 Apr 2023 16:13:20 +0900
Subject: [PATCH 28/29] fix: debug logger

---
 service/resolver.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/service/resolver.go b/service/resolver.go
index 78e3af4..1e5ed8b 100755
--- a/service/resolver.go
+++ b/service/resolver.go
@@ -322,14 +322,14 @@ func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bo
 for _, white := range r.cfg.WhiteList {
 if white.Match(ri) {
- glg.Debugf("⏩ Excluded from blacklist with whitelist \"%v\" matches \"%v\"\n", white, ri)
+ glg.Debug("⏩ Excluded from blacklist with whitelist \"%v\" matches \"%v\"\n", white, ri)
 return true
 }
 }
 
 for _, black := range r.cfg.BlackList {
 if black.Match(ri) {
- glg.Debugf("❌ Explicitly denied by blacklist with blacklist \"%s\" matches \"%s\"\n", black, ri)
+ glg.Debug("❌ Explicitly denied by blacklist with blacklist \"%s\" matches \"%s\"\n", black, ri)
 return false
 }
 }
From 8e500eaf391ef35d3e4c26455978bf0a377c2ef1 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Thu, 20 Apr 2023 16:45:36 +0900
Subject: [PATCH 29/29] feat: use Debugf

---
 service/resolver.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/service/resolver.go b/service/resolver.go
index 1e5ed8b..9f0e8de 100755
--- a/service/resolver.go
+++ b/service/resolver.go
@@ -322,14 +322,14 @@ func (r *resolve) IsAllowed(verb, namespace, apiGroup, resource, name string) bo
 for _, white := range r.cfg.WhiteList {
 if white.Match(ri) {
- glg.Debug("⏩ Excluded from blacklist with whitelist \"%v\" matches \"%v\"\n", white, ri)
+ glg.Debugf("⏩ Excluded from blacklist with whitelist \"%v\" matches \"%v\"\n", white, ri)
 return true
 }
 }
 
 for _, black := range r.cfg.BlackList {
 if black.Match(ri) {
- glg.Debug("❌ Explicitly denied by blacklist with blacklist \"%s\" matches \"%s\"\n", black, ri)
+ glg.Debugf("❌ Explicitly denied by blacklist with blacklist \"%v\" matches \"%v\"\n", black, ri)
 return false
 }
 }