From 41591b57a76f7ae1fd47c053b249b34b690db85c Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sun, 14 Apr 2024 22:26:42 +0000 Subject: [PATCH 1/6] fix: Dockerfile to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-ALPINE315-BUSYBOX-2440607 - https://snyk.io/vuln/SNYK-ALPINE315-BUSYBOX-2440607 - https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-3314622 - https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-3314622 - https://snyk.io/vuln/SNYK-ALPINE315-ZLIB-2976173 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 909e2dd..84924ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ RUN go mod download COPY . . RUN go build ./cmd/... -FROM alpine:3.15.0 +FROM alpine:3.16.9 CMD ["prom-authzed-proxy"] ENTRYPOINT ["prom-authzed-proxy"] COPY --from=builder /go/src/app/prom-authzed-proxy /usr/local/bin From 0a3af82e8631f8d0410d5121dada1f65ea1160e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?= Date: Mon, 15 Apr 2024 11:18:14 +0100 Subject: [PATCH 2/6] update golanci configuration - aligned with SpiceDB - remove deprecated linters - disable unused-parameter rule --- .golangci.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.golangci.yaml b/.golangci.yaml index bfa2c27..c31af3f 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -6,11 +6,14 @@ output: linters-settings: goimports: local-prefixes: "github.com/authzed/prom-authzed-proxy" + revive: + rules: + - name: "unused-parameter" + disabled: true linters: enable: - "bidichk" - "bodyclose" - - "deadcode" - "errcheck" - "errname" - "errorlint" @@ -20,7 +23,6 @@ linters: - "gosec" - "gosimple" - "govet" - - "ifshort" - "importas" - "ineffassign" - "makezero" 
@@ -30,12 +32,10 @@ linters: - "revive" - "rowserrcheck" - "staticcheck" - - "structcheck" - "stylecheck" - "tenv" - "typecheck" - "unconvert" - "unused" - - "varcheck" - "wastedassign" - "whitespace" From 78afef0ba4c44715fea8265ed72307364dbd259c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?= Date: Mon, 15 Apr 2024 11:21:05 +0100 Subject: [PATCH 3/6] enable Dependaot grouping and GitHub Action updates --- .github/dependabot.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0effb36..ed7d170 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,9 +7,22 @@ updates: interval: "monthly" labels: - "area/dependencies" + groups: + gomod: + patterns: ["*"] - package-ecosystem: "docker" directory: "/" schedule: interval: "monthly" labels: - "area/dependencies" + groups: + docker: + patterns: ["*"] + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "monthly" + groups: + github-actions: + patterns: ["*"] From d4b34417b0548cddde2dc4f7917949cdad1c8494 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?= Date: Mon, 15 Apr 2024 11:24:17 +0100 Subject: [PATCH 4/6] align CLA GitHub Action with other Authzed repos --- .github/workflows/cla.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml index 395cd2d..cb29e48 100644 --- a/.github/workflows/cla.yaml +++ b/.github/workflows/cla.yaml @@ -15,3 +15,6 @@ jobs: runs-on: "ubuntu-latest" steps: - uses: "authzed/actions/cla-check@main" + with: + github_token: "${{ secrets.GITHUB_TOKEN }}" + cla_assistant_token: "${{ secrets.CLA_ASSISTANT_ACCESS_TOKEN }}" From 2dcdc3d1af340ccbe2b8a7c3b2d6b55a1a880264 Mon Sep 17 00:00:00 2001 
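Review bot: The new `github-actions` entry is the only one of the three ecosystems without a `labels:` list, so action bumps will open unlabeled PRs while the gomod and docker ones carry `area/dependencies`; add `labels: ["area/dependencies"]` under its `schedule` block to keep the three entries parallel. Grouping everything with `patterns: ["*"]` is reasonable for monthly version updates, but a grouped PR fails as a unit when any single bump breaks the build, so expect to split it by hand occasionally. As far as I know Dependabot groups apply to version updates only unless `applies-to: security-updates` is set, so security PRs will still arrive individually — worth confirming that is the intended behaviour.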
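Review bot: `CLA_ASSISTANT_ACCESS_TOKEN` is a long-lived credential now being handed to `authzed/actions/cla-check@main`, a mutable branch reference, so anyone who can push to that branch (or a compromise of that repository) can exfiltrate the token on the next PR. Even though the action lives in the same org, pin it to a full commit SHA with a version comment, e.g. `- uses: "authzed/actions/cla-check@<sha> # vX.Y.Z"`, and let the github-actions Dependabot entry added in the previous commit keep the pin current. `GITHUB_TOKEN` is short-lived and scoped by the job's `permissions:` (not visible in this hunk); check that the workflow grants only the `pull-requests`/`statuses` scopes the check needs rather than the default write set.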
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?= Date: Mon, 15 Apr 2024 11:38:57 +0100 Subject: [PATCH 5/6] improve tests resiliency --- cmd/prom-authzed-proxy/main_test.go | 82 ++++++++++++++--------------- 1 file changed, 41 insertions(+), 41 deletions(-) diff --git a/cmd/prom-authzed-proxy/main_test.go b/cmd/prom-authzed-proxy/main_test.go index 3fefefd..c73c849 100644 --- a/cmd/prom-authzed-proxy/main_test.go +++ b/cmd/prom-authzed-proxy/main_test.go @@ -28,7 +28,7 @@ type catchallHandler struct { t *testing.T } -func (ah catchallHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { +func (ah catchallHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) { w.Header().Set("Access-Control-Allow-Origin", "should never appear") w.Header().Add("Another-Header", "hiya") w.Header().Add("Another-Header", "hello") @@ -38,7 +38,9 @@ func (ah catchallHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func TestMissingQueryParameter(t *testing.T) { _, serverURL := startForTesting(t) res := loadURL(t, "GET", fmt.Sprintf("%s/something", serverURL), "", map[string]string{}) - defer res.Body.Close() + defer func() { + require.NoError(t, res.Body.Close()) + }() require.Equal(t, 401, res.StatusCode) } @@ -47,7 +49,9 @@ func TestMissingAuthHeader(t *testing.T) { res := loadURL(t, "GET", fmt.Sprintf("%s/something", serverURL), "", map[string]string{ "dashboard": "foobar", }) - defer res.Body.Close() + defer func() { + require.NoError(t, res.Body.Close()) + }() require.Equal(t, 401, res.StatusCode) } @@ -56,7 +60,9 @@ func TestInvalidAuthHeader(t *testing.T) { res := loadURL(t, "GET", fmt.Sprintf("%s/something", serverURL), "Basic Foo", map[string]string{ "dashboard": "foobar", }) - defer res.Body.Close() + defer func() { + require.NoError(t, res.Body.Close()) + }() require.Equal(t, 401, res.StatusCode) } 
@@ -65,7 +71,9 @@ func TestInvalidToken(t *testing.T) { res := loadURL(t, "GET", fmt.Sprintf("%s/something", serverURL), "Bearer sometoken", map[string]string{ "dashboard": "foobar", }) - defer res.Body.Close() + defer func() { + require.NoError(t, res.Body.Close()) + }() require.Equal(t, 403, res.StatusCode) } @@ -103,7 +111,9 @@ func TestValidToken(t *testing.T) { res := loadURL(t, "GET", fmt.Sprintf("%s/something", serverURL), "Bearer sometoken", map[string]string{ "dashboard": "foobar", }) - defer res.Body.Close() + defer func() { + require.NoError(t, res.Body.Close()) + }() require.Equal(t, 418, res.StatusCode) // Ensure the ACAO was reset, but other headers are passed through. @@ -114,30 +124,30 @@ func TestValidToken(t *testing.T) { res = loadURL(t, "GET", fmt.Sprintf("%s/something", serverURL), "Bearer anothertoken", map[string]string{ "dashboard": "foobar", }) - defer res.Body.Close() + defer func() { + require.NoError(t, res.Body.Close()) + }() require.Equal(t, 403, res.StatusCode) // Check for another dashboard res = loadURL(t, "GET", fmt.Sprintf("%s/something", serverURL), "Bearer sometoken", map[string]string{ "dashboard": "anotherdashboard", }) - defer res.Body.Close() + defer func() { + require.NoError(t, res.Body.Close()) + }() require.Equal(t, 403, res.StatusCode) } func startForTesting(t *testing.T) (*authzedv1.Client, string) { - tester, err := newTester(zedTestServerContainer, 50051) + tester, err := newTester(t, zedTestServerContainer, 50051) require.NoError(t, err) t.Cleanup(tester.cleanup) mux := http.NewServeMux() mux.Handle("/", catchallHandler{t}) - var opts []grpc.DialOption - opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials())) - - client, err := authzedv1.NewClient(fmt.Sprintf("localhost:%s", tester.port), opts...) - require.NoError(t, err) + client := tester.client handler := proxyHandler( client, 
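Review bot: In TestValidToken the three `defer func() { require.NoError(t, res.Body.Close()) }()` closures all capture the variable `res`, which the later `res = loadURL(...)` calls reassign, so at function exit every deferred call closes the last response's body and the first two bodies are never closed — the original `defer res.Body.Close()` evaluated `res.Body` at defer time and did not have this problem. Bind the body before deferring, e.g. `body := res.Body` followed by `defer func() { require.NoError(t, body.Close()) }()`, or pass it as an argument: `defer func(c io.Closer) { require.NoError(t, c.Close()) }(res.Body)`. The single-response tests in the earlier hunks are unaffected since `res` is never reassigned there. The startForTesting body continues past the end of this hunk.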
@@ -179,21 +189,19 @@ func loadURL(t *testing.T, method string, callURL string, authHeader string, par } type testHandle struct { - port string + client *authzedv1.Client cleanup func() } -const maxAttempts = 5 - -func newTester(containerOpts *dockertest.RunOptions, portNum uint16) (*testHandle, error) { +func newTester(t *testing.T, containerOpts *dockertest.RunOptions, portNum uint16) (*testHandle, error) { pool, err := dockertest.NewPool("") if err != nil { - return nil, fmt.Errorf("Could not connect to docker: %w", err) + return nil, fmt.Errorf("could not connect to docker: %w", err) } resource, err := pool.RunWithOptions(containerOpts) if err != nil { - return nil, fmt.Errorf("Could not start resource: %w", err) + return nil, fmt.Errorf("could not start resource: %w", err) } port := resource.GetPort(fmt.Sprintf("%d/tcp", portNum)) 
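Review bot: newTester now takes `t *testing.T` but still reports the docker connect/start failures through its `error` return, while the readiness wait in the following hunk fails through `require`, so one helper has two failure paths and callers must still check an error that can no longer cover every failure. Either keep the helper test-agnostic (no `t`, return errors throughout) or commit to the testing API: `require.NoError(t, err, "could not connect to docker")` and return only `*testHandle`, which also lets startForTesting drop its own `require.NoError(t, err)`. Lowercasing the error strings is the right call. The function body continues outside the hunk.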
@@ -206,39 +214,31 @@ func newTester(containerOpts *dockertest.RunOptions, portNum uint16) (*testHandl } // Give the service time to boot. - counter := 0 - for { - time.Sleep(10 * time.Millisecond) + var client *authzedv1.Client + require.Eventually(t, func() bool { var opts []grpc.DialOption opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials())) // Create an Authzed client - client, err := authzedv1.NewClient(fmt.Sprintf("localhost:%s", port), opts...) + client, err = authzedv1.NewClient(fmt.Sprintf("localhost:%s", port), opts...) if err != nil { - return nil, fmt.Errorf("Could not create client: %w", err) + return false } // Write a basic schema. _, err = client.WriteSchema(context.Background(), &v1.WriteSchemaRequest{ Schema: `definition test/token {} -definition test/dashboard { - relation viewer: test/token - permission view = viewer -} -`, - }) - if err != nil { - counter++ - if counter > maxAttempts { - return nil, fmt.Errorf("Failed to start container: %w", err) + definition test/dashboard { + relation viewer: test/token + permission view = viewer } - continue - } + `, + }) - // Wait for schema to be available - time.Sleep(50 * time.Millisecond) - return &testHandle{port: port, cleanup: cleanup}, nil - } + return err == nil + }, 30*time.Second, 100*time.Millisecond) + + return &testHandle{client: client, cleanup: cleanup}, nil } From 69d44ca4d61568562e838dba19e7df1520825038 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?= Date: Mon, 15 Apr 2024 11:45:59 +0100 Subject: [PATCH 6/6] use chainguard images and update the builder image --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 84924ce..b240b7b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.18-alpine3.15 AS builder +FROM golang:1.22-alpine3.19 AS builder RUN apk add --no-cache git mercurial subversion 
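Review bot: If `require.Eventually` times out it calls `t.FailNow()` from inside newTester, so the function never returns and startForTesting's `t.Cleanup(tester.cleanup)` is never registered — the SpiceDB container started by `pool.RunWithOptions` is left running after the failed test. Register the teardown before the wait with `t.Cleanup(cleanup)` right after `cleanup` is defined (presumably just above this hunk, outside the view), and consider `resource.Expire(...)` as a second guard for crashed runs. Each retry also dials a fresh client via `authzedv1.NewClient` without releasing the previous one; dial once outside the closure and only retry `WriteSchema`, or close the client before `return false` (authzed-go's `Client` embeds the gRPC connection, so `client.Close()` should be available — verify). Returning `err == nil` also discards the last error, so a timeout reports nothing about why the schema write kept failing; log it with `t.Logf` inside the closure.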
@@ -10,8 +10,8 @@ RUN go mod download COPY . . RUN go build ./cmd/... -FROM alpine:3.16.9 +FROM cgr.dev/chainguard/static:latest CMD ["prom-authzed-proxy"] ENTRYPOINT ["prom-authzed-proxy"] COPY --from=builder /go/src/app/prom-authzed-proxy /usr/local/bin -RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf +
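Review bot: `cgr.dev/chainguard/static:latest` is a floating tag, so this undoes the pinning the first commit of the series introduced (`alpine:3.16.9`) and gives the docker Dependabot entry nothing to bump; pin to a tag plus digest, e.g. `FROM cgr.dev/chainguard/static:latest@sha256:<digest>`, and let Dependabot roll the digest. The static image ships no libc, so the binary must be fully static; the visible `RUN go build ./cmd/...` relies on cgo being implicitly disabled because golang:alpine has no C compiler (unless `CGO_ENABLED` is set elsewhere in the Dockerfile), so make it explicit with `RUN CGO_ENABLED=0 go build ./cmd/...` to stop a later builder change from silently producing a dynamically linked binary that fails at container start. Dropping the `nsswitch.conf` line is fine, since Go's pure resolver defaults to files-then-dns when the file is missing (Go 1.16+). Pre-existing but visible in context: `CMD` and `ENTRYPOINT` both name the binary, so the default invocation is `prom-authzed-proxy prom-authzed-proxy`; `CMD` is normally left out or used for default flags.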