

6 Commits

Author SHA1 Message Date
Igor Gov
2c29903910 Run snyk on all project with ignore current issues (#415) 2021-10-28 21:59:42 +03:00
Igor Gov
f49e29045c Adding Snyk to CI (#414) 2021-10-28 16:37:11 +03:00
Alex Haiut
67593345a7 upgraded base image to alpine:3.14 following snyk vuln report (#412) 2021-10-28 15:00:11 +03:00
RoyUP9
f069fdaae1 changed ask confirmation to be asked only once (#409) 2021-10-28 14:55:33 +03:00
gadotroee
d478a7ec43 TRA-3867 proxy host from config (#411) 2021-10-28 14:53:28 +03:00
gadotroee
af96e55f61 running proxy on 0.0.0.0 (#408) 2021-10-28 11:44:29 +03:00
11 changed files with 216 additions and 21 deletions


@@ -0,0 +1,25 @@
name: Security validation
on:
pull_request:
branches:
- 'develop'
- 'main'
jobs:
security:
name: Check for vulnerabilities
runs-on: ubuntu-latest
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
steps:
- uses: actions/checkout@v2
- uses: snyk/actions/setup@master
- name: Set up Go 1.16
uses: actions/setup-go@v2
with:
go-version: '1.16'
- name: Run snyl on all projects
run: snyk test --all-projects
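Review bot: `snyk/actions/setup@master` on the second step is a floating branch reference, so whatever is pushed to that branch later runs in this job with `SNYK_TOKEN` in its environment; pin it to a release tag or a full commit SHA as the other two actions are, and consider moving the `env:` block from job level down to the `snyk test` step so only that step sees the token. The last step's name has a typo, `name: Run snyk on all projects`. On `pull_request` events from forks GitHub does not expose repository secrets, so `snyk test` will run without a token for external contributions unless the workflow handles that case.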


@@ -44,7 +44,7 @@ RUN go build -ldflags="-s -w \
COPY devops/build_extensions.sh ..
RUN cd .. && /bin/bash build_extensions.sh
FROM alpine:3.13.5
FROM alpine:3.14
RUN apk add bash libpcap-dev tcpdump
WORKDIR /app


@@ -171,6 +171,16 @@ against the contracts.
Please see [CONTRACT MONITORING](docs/CONTRACT_MONITORING.md) page for more details and syntax.
### Configure proxy host
By default, mizu will be accessible via local host: 'http://localhost:8899/mizu/', it is possible to change the host,
for instance, to '0.0.0.0' which can grant access via machine IP address.
This setting can be changed via command line flag `--set tap.proxy-host=<value>` or via config file:
tap
proxy-host: 0.0.0.0
and when changed it will support accessing by IP
## How to Run local UI
- run from mizu/agent `go run main.go --hars-read --hars-dir <folder>`

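--- a/agent/.snyk
+++ b/agent/.snyk
@@ -0,0 +1,6 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.14.0
+ignore:
+SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736:
+- '*':
+reason: None Given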
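Review bot: The ignore for SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736 carries `reason: None Given` and no `expires:` field, so the finding is suppressed permanently with no record of why it was judged acceptable; the same applies to every one of the 45 entries in ui/.snyk, which include runtime dependencies such as axios, url-parse and ws rather than only build tooling. With no reason and no expiry the CI gate added in this change passes on day one but never forces anyone to revisit these, and the spelling drifts between `None Given` and `Non given`. Each entry should carry `reason: <why the issue is not reachable, or which upgrade is pending>` and `expires: <ISO-8601 date placeholder>` so Snyk fails the build again when the grace period ends.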


@@ -6,7 +6,6 @@ import (
"fmt"
"net"
"net/http"
"os"
"time"
"github.com/google/uuid"
@@ -33,19 +32,8 @@ func Login() error {
Token: token.AccessToken,
}
configFile, defaultConfigErr := config.GetConfigWithDefaults()
if defaultConfigErr != nil {
return fmt.Errorf("failed getting config with defaults, err: %v", defaultConfigErr)
}
if err := config.LoadConfigFile(config.Config.ConfigFilePath, configFile); err != nil && !os.IsNotExist(err) {
return fmt.Errorf("failed getting config file, err: %v", err)
}
configFile.Auth = authConfig
if err := config.WriteConfig(configFile); err != nil {
return fmt.Errorf("failed writing config with auth, err: %v", err)
if err := config.UpdateConfig(func(configStruct *config.ConfigStruct) { configStruct.Auth = authConfig }); err != nil {
return fmt.Errorf("failed updating config with auth, err: %v", err)
}
config.Config.Auth = authConfig
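Review bot: The new `return fmt.Errorf("failed updating config with auth, err: %v", err)` wraps with `%v`, which flattens the error chain that `UpdateConfig` builds (it already says whether reading or writing the file failed), so callers cannot use `errors.Is` or `errors.As` on the result; `%w` is already used in the same package's `InitConfig`, so `return fmt.Errorf("failed updating config with auth, err: %w", err)` keeps this consistent. Login's body starts before this hunk.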


@@ -21,7 +21,7 @@ func GetApiServerUrl() string {
}
func startProxyReportErrorIfAny(kubernetesProvider *kubernetes.Provider, cancel context.CancelFunc) {
err := kubernetes.StartProxy(kubernetesProvider, config.Config.Tap.GuiPort, config.Config.MizuResourcesNamespace, mizu.ApiServerPodName)
err := kubernetes.StartProxy(kubernetesProvider, config.Config.Tap.ProxyHost, config.Config.Tap.GuiPort, config.Config.MizuResourcesNamespace, mizu.ApiServerPodName)
if err != nil {
logger.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error occured while running k8s proxy %v\n"+
"Try setting different port by using --%s", errormessage.FormatError(err), configStructs.GuiPortTapName))
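Review bot: The error hint on the last two lines still only suggests changing the port, but now that the listen address is taken from `config.Config.Tap.ProxyHost` a bind failure can equally come from a host value that is not assigned to this machine, and the hint would send the user in the wrong direction. Extend the message, e.g. `"Try setting a different port by using --%s or a different host with --set tap.proxy-host=<value>"`, keeping the single `%s` for `configStructs.GuiPortTapName`; "occured" in the first line should also read "occurred". startProxyReportErrorIfAny continues past the end of this hunk.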


@@ -80,10 +80,19 @@ Supported protocols are HTTP and gRPC.`,
func askConfirmation(flagName string) {
logger.Log.Infof(fmt.Sprintf(uploadTrafficMessageToConfirm, flagName))
if !config.Config.Tap.AskUploadConfirmation {
return
}
if !uiUtils.AskForConfirmation("Would you like to proceed [Y/n]: ") {
logger.Log.Infof("You can always run mizu without %s, aborting", flagName)
os.Exit(0)
}
if err := config.UpdateConfig(func(configStruct *config.ConfigStruct) { configStruct.Tap.AskUploadConfirmation = false }); err != nil {
logger.Log.Debugf("failed updating config with upload confirmation, err: %v", err)
}
}
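Review bot: After the user answers once, `config.UpdateConfig` persists `AskUploadConfirmation = false`, so every future mizu run uploads traffic without asking, yet nothing tells the user that this was saved: the only log is the Debug line on the failure path. Add an Info log after the successful update, e.g. `logger.Log.Infof("Upload confirmation saved; set tap.ask-upload-confirmation to true in the config file to be asked again")`, which names the yaml key introduced in this change. Separately, `logger.Log.Infof(fmt.Sprintf(uploadTrafficMessageToConfirm, flagName))` formats twice and will misbehave if the flag name ever contains a percent sign; `logger.Log.Infof(uploadTrafficMessageToConfirm, flagName)` is enough (whether that line is new or context is not recoverable from this rendering).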
func init() {


@@ -40,7 +40,7 @@ func InitConfig(cmd *cobra.Command) error {
configFilePathFlag := cmd.Flags().Lookup(ConfigFilePathCommandName)
configFilePath := configFilePathFlag.Value.String()
if err := LoadConfigFile(configFilePath, &Config); err != nil {
if err := loadConfigFile(configFilePath, &Config); err != nil {
if configFilePathFlag.Changed || !os.IsNotExist(err) {
return fmt.Errorf("invalid config, %w\n"+
"you can regenerate the file by removing it (%v) and using `mizu config -r`", err, configFilePath)
@@ -81,7 +81,27 @@ func WriteConfig(config *ConfigStruct) error {
return nil
}
func LoadConfigFile(configFilePath string, config *ConfigStruct) error {
type updateConfigStruct func(*ConfigStruct)
func UpdateConfig(updateConfigStruct updateConfigStruct) error {
configFile, err := GetConfigWithDefaults()
if err != nil {
return fmt.Errorf("failed getting config with defaults, err: %v", err)
}
if err := loadConfigFile(Config.ConfigFilePath, configFile); err != nil && !os.IsNotExist(err) {
return fmt.Errorf("failed getting config file, err: %v", err)
}
updateConfigStruct(configFile)
if err := WriteConfig(configFile); err != nil {
return fmt.Errorf("failed writing config, err: %v", err)
}
return nil
}
func loadConfigFile(configFilePath string, config *ConfigStruct) error {
reader, openErr := os.Open(configFilePath)
if openErr != nil {
return openErr
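Review bot: `UpdateConfig` is exported without a doc comment, and its most important property is easy to miss: it reads the file, applies the callback and writes the file back, but it never touches the package-level `Config`, so a caller that needs the new value in the running process must mirror it (Login does this on its own, askConfirmation does not). Suggest `// UpdateConfig loads the config file (falling back to defaults when it is absent), applies update to it and writes the result back. It does not modify the in-memory Config.` The parameter `updateConfigStruct updateConfigStruct` shadows the type with the same name; `update updateConfigStruct` reads better. The read-modify-write is not atomic, so two concurrent mizu invocations could overwrite each other's change — probably acceptable for a CLI, but worth a sentence in the comment. loadConfigFile continues past the end of the hunk.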


@@ -26,6 +26,7 @@ type TapConfig struct {
UploadIntervalSec int `yaml:"upload-interval" default:"10"`
PodRegexStr string `yaml:"regex" default:".*"`
GuiPort uint16 `yaml:"gui-port" default:"8899"`
ProxyHost string `yaml:"proxy-host" default:"127.0.0.1"`
Namespaces []string `yaml:"namespaces"`
Analysis bool `yaml:"analysis" default:"false"`
AllNamespaces bool `yaml:"all-namespaces" default:"false"`
@@ -37,6 +38,7 @@ type TapConfig struct {
Workspace string `yaml:"workspace"`
EnforcePolicyFile string `yaml:"traffic-validation-file"`
ContractFile string `yaml:"contract"`
AskUploadConfirmation bool `yaml:"ask-upload-confirmation" default:"true"`
ApiServerResources Resources `yaml:"api-server-resources"`
TapperResources Resources `yaml:"tapper-resources"`
}
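Review bot: The two new fields carry no comments, and ProxyHost in particular changes the exposure of the tool: with the default `127.0.0.1` the proxy is reachable only from this machine, while a value such as `0.0.0.0` (the README example added in this change) makes the proxied UI and API reachable from any host on the network. Suggest `// ProxyHost is the address the local kube proxy listens on. The default is loopback; any non-loopback value exposes the proxy to other hosts on the network.` on the first hunk and `// AskUploadConfirmation controls whether mizu prompts before uploading traffic; askConfirmation sets it to false once the user has confirmed.` on the second. The opening of `type TapConfig struct` lies outside both hunks.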


@@ -14,12 +14,12 @@ import (
const k8sProxyApiPrefix = "/"
const mizuServicePort = 80
func StartProxy(kubernetesProvider *Provider, mizuPort uint16, mizuNamespace string, mizuServiceName string) error {
func StartProxy(kubernetesProvider *Provider, proxyHost string, mizuPort uint16, mizuNamespace string, mizuServiceName string) error {
logger.Log.Debugf("Starting proxy. namespace: [%v], service name: [%s], port: [%v]", mizuNamespace, mizuServiceName, mizuPort)
filter := &proxy.FilterServer{
AcceptPaths: proxy.MakeRegexpArrayOrDie(proxy.DefaultPathAcceptRE),
RejectPaths: proxy.MakeRegexpArrayOrDie(proxy.DefaultPathRejectRE),
AcceptHosts: proxy.MakeRegexpArrayOrDie(proxy.DefaultHostAcceptRE),
AcceptHosts: proxy.MakeRegexpArrayOrDie("^.*"),
RejectMethods: proxy.MakeRegexpArrayOrDie(proxy.DefaultMethodRejectRE),
}
@@ -32,7 +32,7 @@ func StartProxy(kubernetesProvider *Provider, mizuPort uint16, mizuNamespace str
mux.Handle("/static/", getRerouteHttpHandlerMizuStatic(proxyHandler, mizuNamespace, mizuServiceName))
mux.Handle("/mizu/", getRerouteHttpHandlerMizuAPI(proxyHandler, mizuNamespace, mizuServiceName))
l, err := net.Listen("tcp", fmt.Sprintf("%s:%d", "127.0.0.1", int(mizuPort)))
l, err := net.Listen("tcp", fmt.Sprintf("%s:%d", proxyHost, int(mizuPort)))
if err != nil {
return err
}
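Review bot: Replacing `proxy.DefaultHostAcceptRE` with `"^.*"` in the FilterServer removes the Host-header check for every caller, including the default loopback bind, where that check is what keeps a browser that has been pointed at a name resolving to 127.0.0.1 from reaching the proxy; widening it was only needed for the non-loopback case this change introduces. Keep the default pattern when proxyHost is a loopback address and fall back to accept-all otherwise, as below, and include the host in the Debugf line at the top of the first hunk now that it varies. Both hunks belong to StartProxy, whose body appears to continue past the second hunk.
```go
func StartProxy(kubernetesProvider *Provider, proxyHost string, mizuPort uint16, mizuNamespace string, mizuServiceName string) error {
	logger.Log.Debugf("Starting proxy. namespace: [%v], service name: [%s], host: [%s], port: [%v]", mizuNamespace, mizuServiceName, proxyHost, mizuPort)
	// Keep kubectl's loopback-only Host check unless a non-loopback bind was requested;
	// the check is the proxy's only defence against requests arriving under a foreign Host.
	acceptHosts := proxy.DefaultHostAcceptRE
	if ip := net.ParseIP(proxyHost); proxyHost != "localhost" && (ip == nil || !ip.IsLoopback()) {
		acceptHosts = "^.*"
	}
	filter := &proxy.FilterServer{
		AcceptPaths:   proxy.MakeRegexpArrayOrDie(proxy.DefaultPathAcceptRE),
		RejectPaths:   proxy.MakeRegexpArrayOrDie(proxy.DefaultPathRejectRE),
		AcceptHosts:   proxy.MakeRegexpArrayOrDie(acceptHosts),
		RejectMethods: proxy.MakeRegexpArrayOrDie(proxy.DefaultMethodRejectRE),
	}
	// … unchanged: proxy handler, mux setup and net.Listen on proxyHost …
```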

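--- a/ui/.snyk
+++ b/ui/.snyk
@@ -0,0 +1,135 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.14.0
+ignore:
+SNYK-JS-AXIOS-1579269:
+- '*':
+reason: None Given
+SNYK-JS-TRIMNEWLINES-1298042:
+- '*':
+reason: None Given
+SNYK-JS-ANSIHTML-1296849:
+- '*':
+reason: None Given
+SNYK-JS-ANSIREGEX-1583908:
+- '*':
+reason: None Given
+SNYK-JS-BROWSERSLIST-1090194:
+- '*':
+reason: None Given
+SNYK-JS-CSSWHAT-1298035:
+- '*':
+reason: None Given
+SNYK-JS-DNSPACKET-1293563:
+- '*':
+reason: None Given
+SNYK-JS-EJS-1049328:
+- '*':
+reason: None Given
+SNYK-JS-GLOBPARENT-1016905:
+- '*':
+reason: None Given
+SNYK-JS-IMMER-1540542:
+- '*':
+reason: None Given
+SNYK-JS-LODASHTEMPLATE-1088054:
+- '*':
+reason: None Given
+SNYK-JS-NODESASS-1059081:
+- '*':
+reason: None Given
+SNYK-JS-NODESASS-535498:
+- '*':
+reason: None Given
+SNYK-JS-NODESASS-535500:
+- '*':
+reason: None Given
+SNYK-JS-NODESASS-535502:
+- '*':
+reason: None Given
+SNYK-JS-NODESASS-540956:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540958:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540964:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540978:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540980:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540990:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540992:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540994:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540996:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-540998:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-541000:
+- '*':
+reason: Non given
+SNYK-JS-NODESASS-541002:
+- '*':
+reason: Non given
+SNYK-JS-NTHCHECK-1586032:
+- '*':
+reason: Non given
+SNYK-JS-PATHPARSE-1077067:
+- '*':
+reason: Non given
+SNYK-JS-POSTCSS-1090595:
+- '*':
+reason: Non given
+SNYK-JS-POSTCSS-1255640:
+- '*':
+reason: Non given
+SNYK-JS-PRISMJS-1314893:
+- '*':
+reason: Non given
+SNYK-JS-PRISMJS-1585202:
+- '*':
+reason: Non given
+SNYK-JS-PROMPTS-1729737:
+- '*':
+reason: Non given
+SNYK-JS-SHELLQUOTE-1766506:
+- '*':
+reason: Non given
+SNYK-JS-TAR-1536528:
+- '*':
+reason: Non given
+SNYK-JS-TAR-1536531:
+- '*':
+reason: Non given
+SNYK-JS-TAR-1536758:
+- '*':
+reason: Non given
+SNYK-JS-TAR-1579147:
+- '*':
+reason: Non given
+SNYK-JS-TAR-1579152:
+- '*':
+reason: Non given
+SNYK-JS-TAR-1579155:
+- '*':
+reason: Non given
+SNYK-JS-TMPL-1583443:
+- '*':
+reason: Non given
+SNYK-JS-URLPARSE-1533425:
+- '*':
+reason: Non given
+SNYK-JS-WS-1296835:
+- '*':
+reason: Non given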