merge conflicts with master

PaloAltoNetworks · Jul 8, 2024 · 5b93c79 · 5b93c79
2 parents 827854f + 72a4c59
commit 5b93c79
Show file tree

Hide file tree

Showing 83 changed files with 3,244 additions and 1,748 deletions.
diff --git a/.codacy.yaml b/.codacy.yaml
diff --git a/.gitattributes b/.gitattributes
diff --git a/.github/workflows/build-go.yaml b/.github/workflows/build-go.yaml
@@ -19,27 +19,27 @@ jobs:
       fail-fast: false
       matrix:
         go:
-          - 1.18
-          - 1.19
+          - "1.22"
     steps:
       - uses: actions/checkout@v3
 
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go }}
-          cache: true
+          check-latest: true
 
       - name: setup
         run: |
           go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+          go install golang.org/x/vuln/cmd/govulncheck@latest
 
       - name: build
         run: |
           make
 
-      - uses: PaloAltoNetworks/[email protected]
-        if: ${{matrix.go == 1.19}}
+      - uses: PaloAltoNetworks/[email protected]
         with:
           main_branch: master
           cov_file: unit_coverage.out
           cov_threshold: "75"
+          cov_mode: coverage
diff --git a/.github/workflows/cov.yaml b/.github/workflows/cov.yaml
@@ -0,0 +1,17 @@
+name: cov
+
+on:
+  workflow_run:
+    workflows: ["build-go"]
+    types:
+      - completed
+
+jobs:
+  cov:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: PaloAltoNetworks/[email protected]
+        with:
+          cov_mode: send-status
+          workflow_run_id: ${{github.event.workflow_run.id}}
+          workflow_head_sha: ${{github.event.workflow_run.head_sha}}
diff --git a/.gitignore b/.gitignore
@@ -2,8 +2,11 @@ cmd/a3s/a3s
 cmd/a3sctl/a3sctl
 coverage.xml
 unit_coverage.out
+cov.report
 remod.dev
 .remod
+go.work
+go.work.sum
 .data
 dist
 docker/in
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -4,45 +4,53 @@ changelog:
   sort: asc
   filters:
     exclude:
-    - '^docs:'
-    - '^test:'
-    - '^examples:'
+      - "^docs:"
+      - "^test:"
+      - "^examples:"
 builds:
   - id: a3s
     main: ./cmd/a3s
     binary: a3s
     goos:
-    - linux
-    - freebsd
-    - darwin
+      - linux
+      - freebsd
+      - darwin
     goarch:
-    - amd64
+      - amd64
     env:
-    - CGO_ENABLED=0
+      - CGO_ENABLED=0
 
   - id: a3sctl
     main: ./cmd/a3sctl
     binary: a3sctl
     goos:
-    - linux
-    - freebsd
-    - darwin
+      - linux
+      - freebsd
+      - darwin
     goarch:
-    - amd64
+      - amd64
     env:
-    - CGO_ENABLED=0
+      - CGO_ENABLED=0
 
 archives:
   - id: a3s
     format: binary
     builds:
-    - a3s
+      - a3s
 
   - id: a3sctl
     format: binary
     builds:
-    - a3sctl
+      - a3sctl
 
 signs:
   - artifacts: checksum
-    args: ["-u", "0C3214A61024881F5CA1F5F056EDB08A11DCE325", "--output", "${signature}", "--detach-sign", "${artifact}"]
+    args:
+      [
+        "-u",
+        "047425996F52AAC835C75B3F2CE3F8894D4DA57A",
+        "--output",
+        "${signature}",
+        "--detach-sign",
+        "${artifact}",
+      ]
diff --git a/Makefile b/Makefile
@@ -7,7 +7,7 @@ CONTAINER_TAG ?= "dev"
 
 export GO111MODULE = on
 
-default: lint test a3s cli
+default: lint vuln test a3s cli
 .PHONY: ui docker
 
 ## Tests
@@ -17,7 +17,10 @@ lint:
 		--timeout=5m \
 		--disable-all \
 		--exclude-use-default=false \
+		--exclude=dot-imports \
 		--exclude=package-comments \
+		--exclude=unused-parameter \
+		--exclude=dot-imports \
 		--enable=errcheck \
 		--enable=goimports \
 		--enable=ineffassign \
@@ -34,12 +37,16 @@ lint:
 		--enable=nilerr \
 		./...
 
+
 test:
 	go test ./... -race -cover -covermode=atomic -coverprofile=unit_coverage.out
 
 sec:
 	gosec -quiet ./...
 
+vuln:
+	govulncheck ./...
+
 
 ## Code generation
 
@@ -90,3 +97,7 @@ package_ca_certs:
 	mkdir -p docker/in
 	extract-nss-root-certs > docker/in/ca-certificates.pem
 	rm -f certdata.txt
+
+# tag the commit, set GITHUB_TOKEN, then run...
+release:
+	unset GITLAB_TOKEN && goreleaser check && goreleaser release --clean
diff --git a/cmd/a3s/main.go b/cmd/a3s/main.go
@@ -69,8 +69,8 @@ func main() {
 
 	cfg := newConf()
 
-	if close := bootstrap.ConfigureLogger("a3s", cfg.LoggingConf); close != nil {
-		defer close()
+	if closeFunc := bootstrap.ConfigureLogger("a3s", cfg.LoggingConf); closeFunc != nil {
+		defer closeFunc()
 	}
 
 	if cfg.InitDB {
@@ -83,7 +83,7 @@ func main() {
 		}
 	}
 
-	m := bootstrap.MakeMongoManipulator(cfg.MongoConf, &hasher.Hasher{})
+	m := bootstrap.MakeMongoManipulator(cfg.MongoConf, &hasher.Hasher{}, api.Manager())
 	if err := indexes.Ensure(m, api.Manager(), "a3s"); err != nil {
 		zap.L().Fatal("Unable to ensure indexes", zap.Error(err))
 	}
@@ -96,6 +96,14 @@ func main() {
 		zap.L().Fatal("Unable to create exp expiration index for oidccache", zap.Error(err))
 	}
 
+	if err := manipmongo.EnsureIndex(m, api.NamespaceDeletionRecordIdentity, mgo.Index{
+		Key:         []string{"deletetime"},
+		ExpireAfter: 24 * time.Hour,
+		Name:        "index_expiration_deletetime",
+	}); err != nil {
+		zap.L().Fatal("Unable to create expiration index for namesapce deletion records", zap.Error(err))
+	}
+
 	if err := createRootNamespaceIfNeeded(m); err != nil {
 		zap.L().Fatal("Unable to handle root namespace", zap.Error(err))
 	}
@@ -348,6 +356,7 @@ func main() {
 	bahamut.RegisterProcessorOrDie(server, processors.NewPermissionsProcessor(retriever), api.PermissionsIdentity)
 	bahamut.RegisterProcessorOrDie(server, processors.NewAuthzProcessor(pauthz, jwks, cfg.JWT.JWTIssuer, cfg.JWT.JWTAudience), api.AuthzIdentity)
 	bahamut.RegisterProcessorOrDie(server, processors.NewNamespacesProcessor(m, pubsub), api.NamespaceIdentity)
+	bahamut.RegisterProcessorOrDie(server, processors.NewNamespaceDeletionRecordsProcessor(m), api.NamespaceDeletionRecordIdentity)
 	bahamut.RegisterProcessorOrDie(server, processors.NewAuthorizationProcessor(m, pubsub, retriever, cfg.JWT.JWTIssuer), api.AuthorizationIdentity)
 	bahamut.RegisterProcessorOrDie(server, processors.NewImportProcessor(bmanipMaker, pauthz), api.ImportIdentity)
 
@@ -370,10 +379,10 @@ func main() {
 
 func createMongoDBAccount(cfg conf.MongoConf, username string) error {
 
-	m := bootstrap.MakeMongoManipulator(cfg, &hasher.Hasher{})
+	m := bootstrap.MakeMongoManipulator(cfg, &hasher.Hasher{}, api.Manager())
 
-	db, close, _ := manipmongo.GetDatabase(m)
-	defer close()
+	db, closeFunc, _ := manipmongo.GetDatabase(m)
+	defer closeFunc()
 
 	role := map[string][]string{
 		"a3s": {"readWrite", "dbAdmin"},
@@ -485,6 +494,8 @@ func initRootPermissions(ctx context.Context, m manipulate.Manipulator, caPath s
 	source.Name = "root"
 	source.Description = "Auth source to authenticate root users"
 	source.CA = string(caData)
+	source.CreateTime = time.Now()
+	source.UpdateTime = source.CreateTime
 	certs, err := tglib.ParseCertificates([]byte(source.CA))
 	if err != nil {
 		return false, err
@@ -519,6 +530,8 @@ func initRootPermissions(ctx context.Context, m manipulate.Manipulator, caPath s
 	auth.Permissions = []string{"*:*"}
 	auth.TargetNamespaces = []string{"/"}
 	auth.Hidden = true
+	auth.CreateTime = time.Now()
+	auth.UpdateTime = auth.CreateTime
 
 	if err := m.Create(manipulate.NewContext(ctx), auth); err != nil {
 		return false, fmt.Errorf("unable to create root auth: %w", err)
@@ -549,6 +562,8 @@ func initPlatformPermissions(ctx context.Context, m manipulate.Manipulator, caPa
 	source.Name = "platform"
 	source.Description = "Auth source used to authenticate internal platform services"
 	source.CA = string(caData)
+	source.CreateTime = time.Now()
+	source.UpdateTime = source.CreateTime
 	certs, err := tglib.ParseCertificates([]byte(source.CA))
 	if err != nil {
 		return false, err
@@ -584,6 +599,8 @@ func initPlatformPermissions(ctx context.Context, m manipulate.Manipulator, caPa
 	auth.Permissions = []string{"*:*"}
 	auth.TargetNamespaces = []string{"/"}
 	auth.Hidden = true
+	auth.CreateTime = time.Now()
+	auth.UpdateTime = auth.CreateTime
 
 	if err := m.Create(manipulate.NewContext(ctx), auth); err != nil {
 		return false, fmt.Errorf("unable to create root auth: %w", err)
@@ -700,11 +717,17 @@ func makeNamespaceCleaner(ctx context.Context, m manipulate.Manipulator) notific
 		ns := msg.Data.(string)
 
 		for _, i := range api.Manager().AllIdentities() {
+
+			if i.IsEqual(api.NamespaceDeletionRecordIdentity) {
+				continue
+			}
+
 			mctx := manipulate.NewContext(
 				ctx,
 				manipulate.ContextOptionNamespace(ns),
 				manipulate.ContextOptionRecursive(true),
 			)
+
 			if err := m.DeleteMany(mctx, i); err != nil {
 				zap.L().Error("Unable to clean namespace", zap.String("ns", ns), zap.Error(err))
 			}

diff --git a/cmd/a3sctl/internal/authcmd/auto.go b/cmd/a3sctl/internal/authcmd/auto.go
@@ -158,8 +158,8 @@ func HandleAutoAuth(
 			zap.L().Debug("autoauth: retrieving token using autoauth.mtls")
 			t, err := GetMTLSToken(
 				mmaker,
-				viper.GetString("autoauth.mtls.cert"),
-				viper.GetString("autoauth.mtls.key"),
+				os.ExpandEnv(viper.GetString("autoauth.mtls.cert")),
+				os.ExpandEnv(viper.GetString("autoauth.mtls.key")),
 				helpers.ReadFlag("passphrase: ", "autoauth.mtls.pass", true),
 				viper.GetString("autoauth.mtls.source.namespace"),
 				viper.GetString("autoauth.mtls.source.name"),

diff --git a/cmd/a3sctl/internal/compcmd/comp.go b/cmd/a3sctl/internal/compcmd/comp.go
@@ -14,7 +14,7 @@ func New() *cobra.Command {
 		Short:                 "Generate completion script",
 		DisableFlagsInUseLine: true,
 		ValidArgs:             []string{"bash", "zsh", "fish"},
-		Args:                  cobra.ExactValidArgs(1),
+		Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			switch args[0] {
 			case "bash":