42Crunch SDK (#987)

* initial commit for 42Crunch SDK

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* renamed CRUNCH42 -> CRUNCH42_TOKEN

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* Create API

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* added security policy to x-kusk

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* PR remarks

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* final run at 42Crunch

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* added constant for 42Crunch secret

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* Makefile revert

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* Added 42Crunch guide

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* added 42crunch to the sidebar

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* added 42crunch to the sidebar

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

* added description of what 42Crunch does

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>

Makefile

@@ -165,7 +165,7 @@ docker-build: ## Build docker image with the manager.
 		--file ./build/manager/Dockerfile \
 		.
 	minikube image --profile kgw load kubeshop/kusk-gateway:$(shell git describe --tags $(shell git rev-list --tags --max-count=1))
-
+	
 ##@ Deployment
 
 ifndef ignore-not-found

docs/docs/guides/security/42crunch.md

@@ -0,0 +1,84 @@
+# `42Crunch`
+
+Automatically run security and vulnerabilities scan on your OpenAPI definition. 
+
+
+
+## 42Crunch Reference
+
+| Name                 | Description                                                               | Type    | Required |
+| :------------------- | ------------------------------------------------------------------------- |---------|----------|
+| `security.42crunch` | Enables 42Crunch scan assesment | object    | true     |
+| `security.42crunch.token` | Object holding API Token for 42Crunch | object    | true     |
+| `security.42crunch.token.name` | Name of the kubernetes secret  | string    | true     |
+| `security.42crunch.token.namespace` | Namespace of the kubernetes secret  | string    | true     |
+
+## Example Configuration
+
+A minimal example of the configuration for this filter is:
+
+```yaml title=crunch42.yaml"
+openapi: 3.0.0
+info:
+  title: simple-api
+  version: 0.1.0
+x-kusk:
+  cors:
+    origins:
+      - "*"
+    methods:
+      - GET
+      - POST
+  upstream:
+    service:
+      name: hello-world-svc
+      namespace: default
+      port: 8080
+  security:
+    42crunch:
+      token:
+        name: demo-secret
+        namespace: default
+paths:
+  /hello:
+    get:
+      responses:
+        "200":
+          description: A simple hello world!
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  message:
+                    type: string
+              example:
+                message: Hello from a mocked response!
+
+```
+
+1. Create a 42Crunch account https://platform.42crunch.com/login.
+2. Get 42Crunch API token https://platform.42crunch.com/settings/tokens
+3. Store the token in a Kubernetes secret
+
+```bash
+$ export 42CRUNCH_TOKEN=[your_api_token] 
+$ echo $42CRUNCH_TOKEN | base64 
+bXk0MmNydW5jaHRva2VuCg==
+```
+Copy the output and paste it under `CRUNCH42_TOKEN` property of the secret
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: demo-secret
+  namespace: default
+type: Opaque
+data:
+  CRUNCH42_TOKEN: bXk0MmNydW5jaHRva2VuCg==
+```
+
+4. Run `kubectl apply -f openapi.yaml` (use the example above)
+5. Log in into [42Crunch](https://platform.42crunch.com/login) and look for the API collection named simple-api and within it there will be your API with all security scans ran.
+

docs/sidebars.js

@@ -74,7 +74,15 @@ const sidebars = {
         "guides/cert-manager",
         "guides/troubleshooting",
         "guides/observability",
+        {
+          type: "category",
+          label: "Security",
+          items: [
+            "guides/security/42crunch",
+          ],
+        },
       ],
+
     },
     {
       type: "category",

go.mod

@@ -179,4 +179,5 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/cli-runtime v0.25.0
+	moul.io/http2curl v1.0.0
 )

go.sum

@@ -1338,6 +1338,8 @@ k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4=
 k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
+moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

internal/controllers/parser.go

@@ -23,6 +23,7 @@
 package controllers
 
 import (
+	"context"
 	"fmt"
 	"strconv"
 	"strings"
@@ -48,9 +49,11 @@ import (
 	"github.com/kubeshop/kusk-gateway/internal/envoy/config"
 	"github.com/kubeshop/kusk-gateway/internal/envoy/cors"
 	"github.com/kubeshop/kusk-gateway/internal/envoy/types"
+	"github.com/kubeshop/kusk-gateway/internal/k8sutils"
 	"github.com/kubeshop/kusk-gateway/internal/mocking"
 	"github.com/kubeshop/kusk-gateway/internal/services"
 	"github.com/kubeshop/kusk-gateway/internal/validation"
+	crunch "github.com/kubeshop/kusk-gateway/pkg/crunch42"
 	"github.com/kubeshop/kusk-gateway/pkg/options"
 	parseSpec "github.com/kubeshop/kusk-gateway/pkg/spec"
 )
@@ -480,6 +483,23 @@ func UpdateConfigFromAPIOpts(
 		}
 	}
 
+	if opts.Security != nil && opts.Security.Crunch42 != nil {
+		secret, err := k8sutils.GetSecret(context.Background(), kubernetesClient, opts.Security.Crunch42.Token.Name, opts.Security.Crunch42.Token.Namespace)
+		if err != nil {
+			return err
+		}
+
+		crunchClient, err := crunch.NewClient(string(secret.Data[crunch.Crunch42Token]), nil)
+		if err != nil {
+			return err
+		}
+
+		if err := crunchClient.ProcessKusk(name, spec); err != nil {
+			return err
+		}
+
+	}
+
 	// update the validation proxy in the end
 	if len(proxiedServices) > 0 {
 		proxiedServicesArray := make([]*validation.Service, 0, len(proxiedServices))

internal/envoy/auth/oauth2_filter.go

@@ -119,7 +119,7 @@ func NewFilterHTTPOAuth2(oauth2Options *options.OAuth2, args *ParseAuthArguments
 		clientSecret = string(secret.Data["client_secret"])
 	}
 
-	logger.Info("auth.NewFilterHTTPOAuth2: set client_secret", "client_secret", clientSecret)
+	_ = clientSecret
 
 	tokenSecret := &envoy_extensions_transport_sockets_tls_v3.SdsSecretConfig{
 		Name: "token",

internal/k8sutils/utils.go

@@ -29,6 +29,7 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -87,3 +88,12 @@ func GetDeploymentsByLabels(ctx context.Context, client clientPkg.Client, labels
 
 	return deployList.Items, nil
 }
+
+func GetSecret(ctx context.Context, client clientPkg.Client, name, namespace string) (*v1.Secret, error) {
+	sec := &v1.Secret{}
+	if err := client.Get(ctx, clientPkg.ObjectKey{Name: name, Namespace: namespace}, sec); err != nil {
+		return nil, err
+	}
+
+	return sec, nil
+}