Well known attributes #428
| GitGuardian id | Secret | Commit | Filename | |
|---|---|---|---|---|
| 8273841 | Bearer Token | d758e6c | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 30e4743 | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 80fa4fa | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 80fa4fa | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 30e4743 | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go | View secret |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedback!
Still some polishing to do, but progressing well, @didierofrivia.
This is from the logs of the Authorino instance for the following AuthConfig:
```yaml
apiVersion: authorino.kuadrant.io/v1beta2
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api-authorino.127.0.0.1.nip.io
  when:
  - selector: request.path
    operator: eq
    value: /protected
  authentication:
    "friends":
      apiKey:
        selector:
          matchLabels:
            group: friends
      credentials:
        authorizationHeader:
          prefix: APIKEY
```
When I curl the protected service:
```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x13d9af0]
goroutine 469 [running]:
net/url.(*URL).Port(...)
	/usr/lib/golang/src/net/url/url.go:1152
github.com/kuadrant/authorino/pkg/service.newSourceAttributes(0x40000a97c0)
	/usr/src/authorino/pkg/service/well_known_attributes.go:167 +0x70
github.com/kuadrant/authorino/pkg/service.NewWellKnownAttributes(0x40000a97c0, 0x0?)
	/usr/src/authorino/pkg/service/well_known_attributes.go:134 +0x30
github.com/kuadrant/authorino/pkg/service.NewAuthorizationJSON(0x40009afbc0, 0x4000724c18?)
	/usr/src/authorino/pkg/service/auth_pipeline.go:612 +0x28
github.com/kuadrant/authorino/pkg/service.(*AuthPipeline).GetAuthorizationJSON(0x4000169b00)
	/usr/src/authorino/pkg/service/auth_pipeline.go:577 +0x520
github.com/kuadrant/authorino/pkg/service.(*AuthPipeline).evaluateConditions(0x2c5eb60?, {0x40009ae060, 0x1, 0x13d36c0?})
	/usr/src/authorino/pkg/service/auth_pipeline.go:378 +0x28
github.com/kuadrant/authorino/pkg/service.(*AuthPipeline).Evaluate(0x4000169b00)
	/usr/src/authorino/pkg/service/auth_pipeline.go:453 +0x74
github.com/kuadrant/authorino/pkg/service.(*AuthService).Check(0x40001b3e60, {0x1c56610, 0x4000714570}, 0x40009afbc0)
	/usr/src/authorino/pkg/service/auth.go:284 +0x57c
github.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1({0x1c56610, 0x4000714570}, {0x17999e0?, 0x40009afbc0})
	/usr/src/authorino/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v3/external_auth.pb.go:699 +0x74
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1({0x1c56610, 0x40009afb90}, {0x17999e0, 0x40009afbc0}, 0x400039f700, 0x4000519d58)
	/usr/src/authorino/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go:342 +0x3d4
google.golang.org/grpc.getChainUnaryHandler.func1({0x1c56610, 0x40009afb90}, {0x17999e0, 0x40009afbc0})
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:1164 +0xa0
github.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1({0x1c56610, 0x40009afb90}, {0x17999e0, 0x40009afbc0}, 0x400039f700?, 0x40004d3200)
	/usr/src/authorino/vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server_metrics.go:107 +0x74
google.golang.org/grpc.chainUnaryInterceptors.func1({0x1c56610, 0x40009afb90}, {0x17999e0, 0x40009afbc0}, 0x40007359f8?, 0xfb46b0?)
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:1155 +0x88
github.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler({0x170fee0?, 0x40001b3e60}, {0x1c56610, 0x40009afb90}, 0x40004a7b90, 0x40001b3de0)
	/usr/src/authorino/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v3/external_auth.pb.go:701 +0x134
google.golang.org/grpc.(*Server).processUnaryRPC(0x40000fc5a0, {0x1c5e020, 0x40008c1a00}, 0x400093c7e0, 0x4000358030, 0x2c25960, 0x0)
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:1345 +0xc50
google.golang.org/grpc.(*Server).handleStream(0x40000fc5a0, {0x1c5e020, 0x40008c1a00}, 0x400093c7e0, 0x0)
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:1722 +0x840
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:966 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func1
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:964 +0x294
```
I'm afraid we may still be missing a few null checks, @didierofrivia.
E.g., try: (Requires grpcurl.)
```sh
make cluster install run
grpcurl -plaintext -d @ localhost:50051 envoy.service.auth.v3.Authorization.Check <<EOF
{}
EOF
```
Thanks again @guicassolato! Will do :)
@didierofrivia, as discussed offline, the error pointed out by me before is not caused by the changes in this PR, but a preexisting bug.
A more fair test would be:
```sh
grpcurl -plaintext -d @ localhost:50051 envoy.service.auth.v3.Authorization.Check <<EOF
{
  "attributes": {
    "request": {
      "http": {
        "headers": {},
        "host": "talker-api-authorino.127.0.0.1.nip.io"
      }
    }
  }
}
EOF
```

The above avoids the bug in AuthService.Check() (i.e., lack of validation of the user input) and lets the flow go through the new code to build the Authorization JSON, where it does not fail.

I think all the functions you use in the PR to obtain attribute context data, such as GetScheme(), GetHost(), GetAddress(), GetSocketAddress(), etc., already implement the necessary null-checks.
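The two review comments above make one point between them: the panic in `newSourceAttributes` is a nil `*url.URL` being dereferenced by `(*url.URL).Port`, while the protobuf getters (`GetHost()`, `GetScheme()`, ...) are safe to call through a nil chain because protoc-gen-go emits nil-receiver checks. The Go program below is an added illustration of that contrast and is not Authorino's or Envoy's code: the message types are simplified, constructed stand-ins for the `CheckRequest` tree, and `unsafeSourceAttributes` / `safeSourceAttributes` are hypothetical names for the two ways of building the flattened attributes. It feeds both the empty `{}` request and the host-only request from the comments above through each path.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Constructed stand-ins for the Envoy ext_authz CheckRequest message tree
// (assumed shapes, not the generated envoy/service/auth/v3 types). As in
// protoc-gen-go output, every getter tolerates a nil receiver, so a whole
// getter chain can be called on a request that lacks entire sub-messages,
// such as the empty `{}` body sent with grpcurl in the review above.
type HttpRequest struct{ Host, Scheme string }

func (x *HttpRequest) GetHost() string {
	if x != nil {
		return x.Host
	}
	return ""
}

func (x *HttpRequest) GetScheme() string {
	if x != nil {
		return x.Scheme
	}
	return ""
}

type Request struct{ Http *HttpRequest }

func (x *Request) GetHttp() *HttpRequest {
	if x != nil {
		return x.Http
	}
	return nil
}

type Attributes struct{ Request *Request }

func (x *Attributes) GetRequest() *Request {
	if x != nil {
		return x.Request
	}
	return nil
}

type CheckRequest struct{ Attributes *Attributes }

func (x *CheckRequest) GetAttributes() *Attributes {
	if x != nil {
		return x.Attributes
	}
	return nil
}

// SourceAttributes is the flattened "well-known attributes" view that the
// authorization policy is evaluated against (hypothetical shape).
type SourceAttributes struct{ Scheme, Host, Port string }

// unsafeSourceAttributes reproduces the failure mode from the panic above:
// direct field access through a possibly-nil chain, then a method call on a
// *url.URL that is nil whenever the request carried no scheme. The deferred
// recover turns the SIGSEGV into an error so callers (and the test) can see it.
func unsafeSourceAttributes(req *CheckRequest) (attrs SourceAttributes, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	hr := req.Attributes.Request.Http // panics if any link is missing
	var u *url.URL
	if hr.Scheme != "" {
		if u, err = url.Parse(hr.Scheme + "://" + hr.Host); err != nil {
			return attrs, err
		}
	}
	port := u.Port() // (*url.URL).Port reads u.Host: nil pointer dereference
	return SourceAttributes{Scheme: u.Scheme, Host: u.Hostname(), Port: port}, nil
}

// safeSourceAttributes walks the nil-safe getters end to end and derives the
// port from the authority string instead of from a URL that may not exist.
func safeSourceAttributes(req *CheckRequest) SourceAttributes {
	hr := req.GetAttributes().GetRequest().GetHttp() // may be nil, never panics
	attrs := SourceAttributes{Scheme: hr.GetScheme(), Host: hr.GetHost()}
	// Only split when an explicit port is present; a bare host is left as is.
	if host, port, err := net.SplitHostPort(attrs.Host); err == nil {
		attrs.Host, attrs.Port = host, port
	}
	return attrs
}

func main() {
	empty := &CheckRequest{} // equivalent of the `{}` grpcurl body
	_, err := unsafeSourceAttributes(empty)
	fmt.Println("unsafe:", err)
	fmt.Printf("safe:   %+v\n", safeSourceAttributes(empty))
	hostOnly := &CheckRequest{Attributes: &Attributes{Request: &Request{
		Http: &HttpRequest{Host: "talker-api-authorino.127.0.0.1.nip.io:8000"}}}}
	fmt.Printf("safe:   %+v\n", safeSourceAttributes(hostOnly))
}
```

The recover in the unsafe variant exists only to make the crash observable in-process; in a real ext_authz server the same dereference takes down the goroutine, as the stack trace above shows, so the fix is to never reach it rather than to catch it.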
Closes #425
This PR is an effort to implement the Well Known Attributes, in this case, aimed just for Auth purposes.
The built AuthorizationJson would look like
Verification Steps:

```sh
kubectl port-forward deployment/envoy 8000:8000 &
```
AuthConfig
With a valid API key:
With missing or invalid API key: