From 2af1922dec4b41475aca1d154c7ce76101a7e1ce Mon Sep 17 00:00:00 2001
From: Eguzki Astiz Lezaun
Date: Thu, 30 Nov 2023 11:58:24 +0100
Subject: [PATCH 1/2] apikey secrets suggestion in stderr

---
 go.mod | 4 ++--
 pkg/kuadrantapi/authpolicy.go | 38 +++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index fa79738..989225e 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.21
 
 require (
 github.com/getkin/kin-openapi v0.120.0
+ github.com/kuadrant/authorino v0.15.0
 github.com/kuadrant/kuadrant-operator v0.4.1
 github.com/onsi/ginkgo v1.16.5
 github.com/onsi/gomega v1.27.10
@@ -16,6 +17,7 @@ require (
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 sigs.k8s.io/controller-runtime v0.16.3
 sigs.k8s.io/gateway-api v0.6.2
+ sigs.k8s.io/yaml v1.4.0
 )
 
 require (
@@ -44,7 +46,6 @@ require (
 github.com/invopop/yaml v0.2.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
- github.com/kuadrant/authorino v0.15.0 // indirect
 github.com/kuadrant/authorino-operator v0.9.0 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
@@ -88,5 +89,4 @@ require (
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
- sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/pkg/kuadrantapi/authpolicy.go b/pkg/kuadrantapi/authpolicy.go
index fd13e94..0f5d46d 100644
--- a/pkg/kuadrantapi/authpolicy.go
+++ b/pkg/kuadrantapi/authpolicy.go
@@ -3,13 +3,16 @@ package kuadrantapi
 import (
 "errors"
 "fmt"
+ "os"
 
 "github.com/getkin/kin-openapi/openapi3"
 authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
 kuadrantapiv1beta2 "github.com/kuadrant/kuadrant-operator/api/v1beta2"
+ corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/utils/ptr"
 gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+ "sigs.k8s.io/yaml"
 
 "github.com/kuadrant/kuadrantctl/pkg/gatewayapi"
 "github.com/kuadrant/kuadrantctl/pkg/utils"
@@ -217,6 +220,8 @@ func apiKeyAuthenticationSpec(basePath, path string, pathItem *openapi3.PathItem
 credentials.Cookie = &authorinoapi.Named{Name: secScheme.Name}
 }
 
+ printSecretSuggestion(basePath, path, verb, secScheme.Name)
+
 return kuadrantapiv1beta2.AuthenticationSpec{
 CommonAuthRuleSpec: kuadrantapiv1beta2.CommonAuthRuleSpec{
 RouteSelectors: buildAuthPolicyRouteSelectors(basePath, path, pathItem, verb, op, pathMatchType),
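Review bot: The new `printSecretSuggestion(...)` call in the second hunk makes apiKeyAuthenticationSpec write to stderr as a side effect of building a spec, and because it appears to run once per path and verb, every operation that shares one apiKey scheme would print the same Secret manifest again. Collecting the scheme names while building and printing each suggestion once from the command layer would keep this function free of I/O and easier to test. At minimum a comment above the call, such as `// side effect: prints a Secret template to stderr for this operation`, would document it. The function starts and ends outside the hunk, so the caller that drives it is not visible here.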
@@ -252,3 +257,36 @@ func openIDAuthenticationSpec(basePath, path string, pathItem *openapi3.PathItem
 },
 }
 }
+
+func printSecretSuggestion(basePath, path, verb, secSchemeName string) {
+ // remove the last slash of the Base Path
+ sanitizedBasePath := utils.LastSlashRegexp.ReplaceAllString(basePath, "")
+
+ // According OAS 3.0: path MUST begin with a slash
+ matchPath := fmt.Sprintf("%s%s", sanitizedBasePath, path)
+ fmt.Fprintln(os.Stderr, "======================================================================================================")
+ fmt.Fprintf(os.Stderr, "%s %s endpoint is protected with ApiKey. Consider creating secrets with valid tokens\n", verb, matchPath)
+ fmt.Fprintln(os.Stderr, "---")
+
+ secret := &corev1.Secret{
+ TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Secret"},
+ ObjectMeta: metav1.ObjectMeta{
+ Name: secSchemeName,
+ Labels: map[string]string{
+ "authorino.kuadrant.io/managed-by": "authorino",
+ APIKeySecretLabel: secSchemeName,
+ },
+ },
+ StringData: map[string]string{
+ "api_key": "MY_SECRET_TOKEN_VALUE",
+ },
+ Type: corev1.SecretTypeOpaque,
+ }
+
+ secretSerialized, err := yaml.Marshal(secret)
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Fprintln(os.Stderr, string(secretSerialized))
+}

From dcf0d4ee57ccc7cede1118ea1f6d2fa9a22d49e5 Mon Sep 17 00:00:00 2001
From: Eguzki Astiz Lezaun
Date: Thu, 30 Nov 2023 12:07:35 +0100
Subject: [PATCH 2/2] fixing scheme name

---
 pkg/kuadrantapi/authpolicy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/kuadrantapi/authpolicy.go b/pkg/kuadrantapi/authpolicy.go
index 0f5d46d..9636b83 100644
--- a/pkg/kuadrantapi/authpolicy.go
+++ b/pkg/kuadrantapi/authpolicy.go
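Review bot: The Secret template in printSecretSuggestion ships a fixed placeholder, `"api_key": "MY_SECRET_TOKEN_VALUE"`, and the hint line never says it must be replaced, so a manifest applied as printed would presumably make a publicly known string a working API key. I would extend the message to something like `Consider creating secrets with valid tokens; replace MY_SECRET_TOKEN_VALUE with a randomly generated value before applying`. `Name: secSchemeName` comes straight from the OpenAPI document, and Kubernetes object names must be lowercase DNS subdomains, so a scheme name containing uppercase letters or underscores would yield a manifest the API server rejects; normalise it or mention that in the hint. `panic(err)` after `yaml.Marshal` aborts the whole run over advisory output, where `fmt.Fprintf(os.Stderr, "cannot render secret suggestion: %v\n", err)` followed by `return` would do. A doc comment stating that the function only writes a suggestion to stderr and creates nothing in the cluster is also missing.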
@@ -220,7 +220,7 @@ func apiKeyAuthenticationSpec(basePath, path string, pathItem *openapi3.PathItem
 credentials.Cookie = &authorinoapi.Named{Name: secScheme.Name}
 }
 
- printSecretSuggestion(basePath, path, verb, secScheme.Name)
+ printSecretSuggestion(basePath, path, verb, secSchemeName)
 
 return kuadrantapiv1beta2.AuthenticationSpec{
 CommonAuthRuleSpec: kuadrantapiv1beta2.CommonAuthRuleSpec{