From f56c5a9fd8fd73a690ad64676d5fdc99ee17e0c1 Mon Sep 17 00:00:00 2001 From: Chandan Krishna Date: Fri, 16 Jan 2026 11:24:33 +0530 Subject: [PATCH] Updated Kratos Client and Fixed SQL Migration issues (#403) * created new migrations for null values Signed-off-by: zyncc * fixed not null constraint for sentry_bootstrap_infra Signed-off-by: zyncc * migrations not being applied Signed-off-by: zyncc * added default values to all not null columns Signed-off-by: zyncc * changes to kratos client api Signed-off-by: zyncc * fixed casbin entries not showing in database Signed-off-by: zyncc * . Signed-off-by: zyncc * fixed create / upsert mismatch Signed-off-by: zyncc * . Signed-off-by: zyncc * . Signed-off-by: zyncc * . Signed-off-by: zyncc * . Signed-off-by: zyncc * created one sql migration file Signed-off-by: zyncc * . Signed-off-by: zyncc * fixed CVE Vulnerability for golang and golang.org/x/oauth2 Signed-off-by: zyncc * changed go version to 1.25.5 Signed-off-by: zyncc * updated golangct-lint version to v2.6 Signed-off-by: zyncc * golang-ci version Signed-off-by: zyncc * added version to golang-ci.yaml Signed-off-by: zyncc * fixed golangci config Signed-off-by: zyncc --------- 
Signed-off-by: zyncc --- .github/workflows/go.yml | 13 +- .golangci.yml | 14 +- Dockerfile | 6 +- Dockerfile.initialize | 6 +- Dockerfile.synchronizer | 4 +- _kratos/development/pkg/resources.go | 34 +++-- _kratos/development/session_main.go | 6 +- docker-compose.yml | 12 +- go.mod | 6 +- go.sum | 8 +- internal/provider/kratos/kratos.go | 10 +- ...00040_fixing_not_null_constraints.down.sql | 126 ++++++++++++++++++ .../000040_fixing_not_null_constraints.up.sql | 126 ++++++++++++++++++ pkg/auth/v3/core.go | 5 +- pkg/sentry/authz/authz.go | 5 +- pkg/service/authz.go | 27 ++-- pkg/service/cluster.go | 6 +- pkg/service/oidc_provider.go | 2 +- scripts/initialize/main.go | 18 ++- 19 files changed, 343 insertions(+), 91 deletions(-) create mode 100644 persistence/migrations/admindb/000040_fixing_not_null_constraints.down.sql create mode 100644 persistence/migrations/admindb/000040_fixing_not_null_constraints.up.sql diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index bd7f9f8..4c78fda 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -2,12 +2,11 @@ name: Go on: push: - branches: [ main ] + branches: [main] pull_request: - branches: [ main ] + branches: [main] jobs: - test: strategy: matrix: @@ -20,7 +19,7 @@ jobs: uses: actions/setup-go@v5 with: # Getting go version from the go.mod file - go-version-file: 'go.mod' + go-version-file: "go.mod" - name: Format run: if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then exit 1; fi @@ -33,7 +32,7 @@ jobs: - name: Upload coverage to Codecov uses: codecov/codecov-action@v4 - + golangci-lint: strategy: matrix: @@ -47,9 +46,9 @@ jobs: uses: actions/setup-go@v5 with: # Getting go version from the go.mod file - go-version-file: 'go.mod' + go-version-file: "go.mod" - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@v9.2.0 with: version: latest diff --git a/.golangci.yml b/.golangci.yml index e13ab42..a46f42b 100644 --- a/.golangci.yml +++ b/.golangci.yml 
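Review bot: The golangci-lint step now pins the action to `golangci-lint-action@v9.2.0` but still runs the linter at `version: latest`, so two CI runs of the same commit can disagree as soon as a new golangci-lint release lands. The `.golangci.yml` in this change declares `version: "2"` and the PR description mentions v2.6, so pin a concrete v2 release, e.g. `version: v2.6.0`, and bump it deliberately. For the same reproducibility reason the action tag is better replaced by its commit SHA, as with the other actions in this workflow.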
@@ -1,12 +1,10 @@ +version: "2" linters: - # Disable all linters untill all errors are fixed. - disable-all: true - # uncomment as we fix the linting issues enable: - # - errcheck - # - gosimple - # - govet - # - staticcheck - unused - # - ineffassign - misspell + disable: + - errcheck + - govet + - ineffassign + - staticcheck diff --git a/Dockerfile b/Dockerfile index 067a05d..8535cbd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.23.1 as build +FROM golang:1.25.5 AS build LABEL description="Build container" ENV CGO_ENABLED 0 @@ -9,7 +9,7 @@ RUN go mod download COPY . . RUN make build -FROM alpine:latest as runtime +FROM alpine:latest AS runtime LABEL description="Run container" WORKDIR /usr/bin @@ -20,4 +20,4 @@ EXPOSE 10000 # RPC relay peering port EXPOSE 10001 # HTTP port -EXPOSE 11000 +EXPOSE 11000 \ No newline at end of file diff --git a/Dockerfile.initialize b/Dockerfile.initialize index 80b21d6..0341f31 100644 --- a/Dockerfile.initialize +++ b/Dockerfile.initialize @@ -1,4 +1,4 @@ -FROM golang:1.23.1 as build +FROM golang:1.25.5 AS build LABEL description="Build container" ENV CGO_ENABLED 0 WORKDIR /build @@ -16,11 +16,11 @@ RUN if [ "$TARGETARCH" = "arm64" ]; then \ COPY . /build RUN go build -ldflags "-s" -o paralus-init scripts/initialize/main.go -FROM alpine:latest as runtime +FROM alpine:latest AS runtime LABEL description="Run container" WORKDIR /usr/bin COPY --from=build /build/paralus-init /usr/bin/paralus-init COPY --from=build /build/scripts/initialize/ /usr/bin/scripts/initialize/ COPY --from=build /build/kratos /usr/bin/kratos COPY --from=build /build/migrate /usr/bin/migrate -COPY ./persistence/migrations/admindb /data/migrations/admindb +COPY ./persistence/migrations/admindb /data/migrations/admindb \ No newline at end of file diff --git a/Dockerfile.synchronizer b/Dockerfile.synchronizer index c40005f..1d7cd65 100644 --- a/Dockerfile.synchronizer +++ b/Dockerfile.synchronizer 
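Review bot: The new `disable:` list switches off errcheck, govet, ineffassign and staticcheck but drops the explanation the old file carried (`# uncomment as we fix the linting issues`), so a reader of the v2 config cannot tell whether these are excluded on purpose or merely pending. Keep the intent next to the list, e.g. `# TODO: re-enable as the reported issues are fixed` above `disable:`. In the v2 config these four plus unused are the default set, so the `enable:` entry for unused is redundant but harmless.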
@@ -1,4 +1,4 @@
-FROM golang:1.23.1 as build
+FROM golang:1.25.5 AS build
 LABEL description="Build container"
 ENV CGO_ENABLED 0
@@ -6,7 +6,7 @@ COPY . /build
 WORKDIR /build
 RUN go build -ldflags "-s" -o start-sync scripts/kratos/providers_sync.go
-FROM alpine:latest as runtime
+FROM alpine:latest AS runtime
 LABEL description="Run container"
 WORKDIR /usr/bin
diff --git a/_kratos/development/pkg/resources.go b/_kratos/development/pkg/resources.go
index 3dfb063..60bb6c8 100644
--- a/_kratos/development/pkg/resources.go
+++ b/_kratos/development/pkg/resources.go
@@ -29,21 +29,21 @@ func CreateIdentityWithSession(c *ory.APIClient, email, password string) (*ory.S
 }
 // Initialize a registration flow
- flow, _, err := c.V0alpha2Api.InitializeSelfServiceRegistrationFlowWithoutBrowser(ctx).Execute()
- ExitOnError(err)
+ flow, _, err := c.FrontendAPI.CreateNativeRegistrationFlow(ctx).Execute()
- // Submit the registration flow
- result, res, err := c.V0alpha2Api.SubmitSelfServiceRegistrationFlow(ctx).Flow(flow.Id).SubmitSelfServiceRegistrationFlowBody(
- ory.SubmitSelfServiceRegistrationFlowWithPasswordMethodBodyAsSubmitSelfServiceRegistrationFlowBody(&ory.SubmitSelfServiceRegistrationFlowWithPasswordMethodBody{
- Method: "password",
- Password: password,
- Traits: map[string]interface{}{
- "email": email,
- "first_name": "Jon",
- "last_name": "Doe",
- "description": "nothing",
+ result, res, err := c.FrontendAPI.UpdateRegistrationFlow(ctx).Flow(flow.Id).UpdateRegistrationFlowBody(
+ ory.UpdateRegistrationFlowWithPasswordMethodAsUpdateRegistrationFlowBody(
+ &ory.UpdateRegistrationFlowWithPasswordMethod{
+ Method: "password",
+ Password: password,
+ Traits: map[string]interface{}{
+ "email": email,
+ "first_name": "Jon",
+ "last_name": "Doe",
+ "description": "nothing",
+ },
 },
- }),
+ ),
 ).Execute()
 SDKExitOnError(err, res)
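Review bot: The `ExitOnError(err)` after the flow creation was removed, so when `CreateNativeRegistrationFlow` fails `flow` is nil and the next statement dereferences it at `flow.Id`, turning an API error into a nil-pointer panic. Keep the check as before: `flow, _, err := c.FrontendAPI.CreateNativeRegistrationFlow(ctx).Execute()` followed by `ExitOnError(err)`. Without it the `err` from that call is also silently overwritten by the `UpdateRegistrationFlow` result on the next line, so the failure is never reported. `CreateIdentityWithSession` starts before the hunk.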
@@ -58,11 +58,9 @@ func CreateIdentity(c *ory.APIClient) *ory.Identity { ctx := context.Background() email, _ := RandomCredentials() - identity, _, err := c.V0alpha2Api.AdminCreateIdentity(ctx).AdminCreateIdentityBody(ory.AdminCreateIdentityBody{ - SchemaId: "default", - Traits: map[string]interface{}{ - "email": email, - }}).Execute() + + identity, _, err := c.IdentityAPI.CreateIdentity(ctx).CreateIdentityBody(*ory.NewCreateIdentityBody("default", map[string]interface{}{"email": email,}})).Execute() ExitOnError(err) + return identity } diff --git a/_kratos/development/session_main.go b/_kratos/development/session_main.go index b3ea2ed..c3f1ad7 100644 --- a/_kratos/development/session_main.go +++ b/_kratos/development/session_main.go @@ -15,11 +15,9 @@ func toSession() *ory.Session { email, password := pkg.RandomCredentials() _, sessionToken := pkg.CreateIdentityWithSession(client, email, password) - session, res, err := client.V0alpha2Api. - ToSessionExecute(ory. - V0alpha2ApiApiToSessionRequest{}. - XSessionToken(sessionToken)) + session, res, err := client.FrontendAPI.ToSessionExecute(ory.FrontendApiToSessionRequest{}.XSessionToken(sessionToken)) pkg.SDKExitOnError(err, res) + return session } diff --git a/docker-compose.yml b/docker-compose.yml index 70d5221..d2a3bde 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3.7' - services: postgresd: image: postgres:14.2 @@ -15,6 +13,8 @@ services: kratos-migrate: image: oryd/kratos:v0.11.0 + depends_on: + - postgresd environment: - DSN=postgres://$DB_USER:$DB_PASSWORD@postgresd:$DB_PORT/$DB_NAME?sslmode=disable&max_conns=20&max_idle_conns=4 volumes: @@ -41,8 +41,8 @@ services: - kratos-migrate image: oryd/kratos:v0.11.0 ports: - - '4433:4433' # public - - '4434:4434' # admin + - "4433:4433" # public + - "4434:4434" # admin environment: - DSN=postgres://$DB_USER:$DB_PASSWORD@postgresd:$DB_PORT/$DB_NAME?sslmode=disable&max_conns=20&max_idle_conns=4 - LOG_LEVEL=trace 
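Review bot: As printed, the new `CreateIdentity` line carries an extra closing brace — `map[string]interface{}{"email": email,}})` — which would not compile; the trait map should close once, `map[string]interface{}{"email": email})`. Because `_kratos/` is an underscore-prefixed directory the go tool's `...` wildcard skips it, so neither `go build ./...` nor the lint job touched in this change would catch this; build the package by its explicit path before merging. This may be an artifact of how the diff was rendered, so please confirm against the file. `CreateIdentity` starts before the hunk.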
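Review bot: `depends_on: - postgresd` on kratos-migrate only orders container start; it does not wait for Postgres to accept connections, so the migration can still race the database on a cold start. That is only solved if postgresd carries a healthcheck and this entry uses the long form, `depends_on: postgresd: condition: service_healthy`. The postgresd definition is outside the hunk, so I cannot see whether such a healthcheck exists.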
@@ -55,8 +55,8 @@ services: mailslurper: image: oryd/mailslurper:latest-smtps ports: - - '4436:4436' - - '4437:4437' + - "4436:4436" + - "4437:4437" volumes: paralus_db_data: diff --git a/go.mod b/go.mod index 06e30bf..cb24977 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/paralus/paralus -go 1.23.1 +go 1.25.5 require ( github.com/DATA-DOG/go-sqlmock v1.5.0 @@ -20,7 +20,7 @@ require ( github.com/grpc-ecosystem/grpc-gateway v1.16.0 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 github.com/json-iterator/go v1.1.12 - github.com/ory/kratos-client-go v0.11.0 + github.com/ory/kratos-client-go v1.3.8 github.com/pkg/errors v0.9.1 github.com/processout/grpc-go-pool v1.2.1 github.com/rs/xid v1.3.0 @@ -131,7 +131,7 @@ require ( go.uber.org/multierr v1.6.0 // indirect golang.org/x/crypto v0.35.0 // indirect golang.org/x/net v0.33.0 // indirect - golang.org/x/oauth2 v0.20.0 // indirect + golang.org/x/oauth2 v0.27.0 // indirect golang.org/x/sys v0.30.0 // indirect golang.org/x/term v0.29.0 // indirect golang.org/x/text v0.22.0 // indirect diff --git a/go.sum b/go.sum index 3264c6c..9587dda 100644 --- a/go.sum +++ b/go.sum 
@@ -600,8 +600,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= -github.com/ory/kratos-client-go v0.11.0 h1:8FF2GiLjvDEPiN4fVLiHgnKZspQdd7kXDlBbeJJq+aw= -github.com/ory/kratos-client-go v0.11.0/go.mod h1:8gqPMa6bB+NHbDurRY6D2dOTLrjYEdg/Dx+JvwXsZ0Q= +github.com/ory/kratos-client-go v1.3.8 h1:S4D5dAURq5C6LbOUU+DgE4ZXxp37IlJG2GngemdF9h0= +github.com/ory/kratos-client-go v1.3.8/go.mod h1:Dc+ANapsPxu+CfdC0yk8TxmvceCmrvNozW+ZGS/xq5o= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= 
@@ -952,8 +952,8 @@ golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
-golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/internal/provider/kratos/kratos.go b/internal/provider/kratos/kratos.go
index 37b3e47..66df76f 100644
--- a/internal/provider/kratos/kratos.go
+++ b/internal/provider/kratos/kratos.go
@@ -54,7 +54,7 @@ func (k *kratosAuthProvider) Create(ctx context.Context, password string, traits
 },
 })
 cib.SetMetadataPublic(metadata)
- ir, hr, err := k.kc.IdentityApi.CreateIdentity(ctx).CreateIdentityBody(*cib).Execute()
+ ir, hr, err := k.kc.IdentityAPI.CreateIdentity(ctx).CreateIdentityBody(*cib).Execute()
 if err != nil {
 _log.Error("failed to create identity ", hr)
 return "", err
@@ -73,7 +73,7 @@ func (k *kratosAuthProvider) Update(ctx context.Context, id string, traits map[s
 ipm.ForceReset = metadata.ForceReset
 uib.SetMetadataPublic(ipm)
- _, hr, err := k.kc.IdentityApi.UpdateIdentity(ctx, id).UpdateIdentityBody(*uib).Execute()
+ _, hr, err := k.kc.IdentityAPI.UpdateIdentity(ctx, id).UpdateIdentityBody(*uib).Execute()
 if err != nil {
 _log.Error("failed to update identity ", hr)
 }
@@ -82,7 +82,7 @@ func (k *kratosAuthProvider) Update(ctx context.Context, id string, traits map[s
 func (k *kratosAuthProvider) GetRecoveryLink(ctx context.Context, id string) (string, error) {
 rlb := kclient.NewCreateRecoveryLinkForIdentityBody(id)
- rl, _, err := k.kc.IdentityApi.CreateRecoveryLinkForIdentity(ctx).CreateRecoveryLinkForIdentityBody(*rlb).Execute()
+ rl, _, err := k.kc.IdentityAPI.CreateRecoveryLinkForIdentity(ctx).CreateRecoveryLinkForIdentityBody(*rlb).Execute()
 if err != nil {
 return "", err
 }
@@ -90,7 +90,7 @@ func (k *kratosAuthProvider) GetRecoveryLink(ctx context.Context, id string) (st
 }
 func (k *kratosAuthProvider) Delete(ctx context.Context, id string) error {
- hr, err := k.kc.IdentityApi.DeleteIdentity(ctx, id).Execute()
+ hr, err := k.kc.IdentityAPI.DeleteIdentity(ctx, id).Execute()
 if err != nil {
 fmt.Println(hr)
 }
@@ -98,7 +98,7 @@ func (k *kratosAuthProvider) Delete(ctx context.Context, id string) error {
 }
 func (k *kratosAuthProvider) GetPublicMetadata(ctx context.Context, id string) (*IdentityPublicMetadata, error) {
- identity, res, err := k.kc.IdentityApi.GetIdentity(ctx, id).Execute()
+ identity, res, err := k.kc.IdentityAPI.GetIdentity(ctx, id).Execute()
 if err != nil {
 return nil, err
 }
diff --git a/persistence/migrations/admindb/000040_fixing_not_null_constraints.down.sql b/persistence/migrations/admindb/000040_fixing_not_null_constraints.down.sql
new file mode 100644
index 0000000..27bfa7a
--- /dev/null
+++ b/persistence/migrations/admindb/000040_fixing_not_null_constraints.down.sql
@@ -0,0 +1,126 @@ +ALTER TABLE authsrv_partner + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_organization + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_project + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_ssoaccount + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_group + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_resourcerole + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_resourcepermission + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_resourcerolepermission + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_projectaccountresourcerole + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_projectaccountnamespacerole + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_projectgroupnamespacerole + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_projectgrouprole + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_groupaccount + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, 
+ ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_grouprole + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_accountresourcerole + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_template + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE sentry_bootstrap_infra + ALTER COLUMN created_at DROP DEFAULT; + +ALTER TABLE sentry_bootstrap_agent_template + ALTER COLUMN created_at DROP DEFAULT; + +ALTER TABLE sentry_bootstrap_agent + ALTER COLUMN created_at DROP DEFAULT; + +ALTER TABLE sentry_kubeconfig_revocation + ALTER COLUMN created_at DROP DEFAULT; + +ALTER TABLE sentry_kubeconfig_setting + ALTER COLUMN created_at DROP DEFAULT; + +ALTER TABLE sentry_kubectl_cluster_settings + ALTER COLUMN created_at DROP DEFAULT; + +ALTER TABLE authsrv_idp + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE authsrv_oidc_provider + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE cluster_metro + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE cluster_operator_bootstrap + ALTER COLUMN created_at DROP DEFAULT, + ALTER COLUMN modified_at DROP DEFAULT, + ALTER COLUMN trash DROP DEFAULT; + +ALTER TABLE cluster_tokens + ALTER COLUMN created_at DROP DEFAULT; + +ALTER TABLE cluster_clusters + ALTER COLUMN created_at DROP DEFAULT; + +ALTER TABLE authsrv_apikey + ALTER COLUMN created_at DROP DEFAULT; 
diff --git a/persistence/migrations/admindb/000040_fixing_not_null_constraints.up.sql b/persistence/migrations/admindb/000040_fixing_not_null_constraints.up.sql new file mode 100644 index 0000000..dc53207 --- /dev/null +++ b/persistence/migrations/admindb/000040_fixing_not_null_constraints.up.sql 
@@ -0,0 +1,126 @@ +ALTER TABLE authsrv_partner + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_organization + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_project + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_ssoaccount + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_group + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_resourcerole + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_resourcepermission + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_resourcerolepermission + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_projectaccountresourcerole + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_projectaccountnamespacerole + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE 
authsrv_projectgroupnamespacerole + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_projectgrouprole + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_groupaccount + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_grouprole + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_accountresourcerole + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_template + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE sentry_bootstrap_infra + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; + +ALTER TABLE sentry_bootstrap_agent_template + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; + +ALTER TABLE sentry_bootstrap_agent + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; + +ALTER TABLE sentry_kubeconfig_revocation + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; + +ALTER TABLE sentry_kubeconfig_setting + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; + +ALTER TABLE sentry_kubectl_cluster_settings + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; + +ALTER TABLE authsrv_idp + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE authsrv_oidc_provider + ALTER COLUMN created_at SET 
DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE cluster_metro + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE cluster_operator_bootstrap + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN modified_at SET DEFAULT CURRENT_TIMESTAMP, + ALTER COLUMN trash SET DEFAULT FALSE; + +ALTER TABLE cluster_tokens + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; + +ALTER TABLE cluster_clusters + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; + +ALTER TABLE authsrv_apikey + ALTER COLUMN created_at SET DEFAULT CURRENT_TIMESTAMP; \ No newline at end of file diff --git a/pkg/auth/v3/core.go b/pkg/auth/v3/core.go index e399592..617b8b4 100644 --- a/pkg/auth/v3/core.go +++ b/pkg/auth/v3/core.go @@ -77,9 +77,8 @@ func (ac *authContext) authenticate(ctx context.Context, req *commonv3.IsRequest res.SessionData.Organization = resp.OrganizationID.String() res.SessionData.Partner = resp.PartnerID.String() } else { - - tsr := ac.kc.FrontendApi.ToSession(ctx).XSessionToken(req.GetXSessionToken()).Cookie(req.GetCookie()) - session, _, err := ac.kc.FrontendApi.ToSessionExecute(tsr) + tsr := ac.kc.FrontendAPI.ToSession(ctx).XSessionToken(req.GetXSessionToken()).Cookie(req.GetCookie()) + session, _, err := ac.kc.FrontendAPI.ToSessionExecute(tsr) if err != nil { // '401 Unauthorized' if the credentials are invalid or no credentials were sent. if strings.Contains(err.Error(), "401 Unauthorized") { diff --git a/pkg/sentry/authz/authz.go b/pkg/sentry/authz/authz.go index e67fac6..5aa6b63 100644 --- a/pkg/sentry/authz/authz.go +++ b/pkg/sentry/authz/authz.go @@ -2,6 +2,7 @@ package authz import ( "context" + "errors" "fmt" "strconv" "strings" 
@@ -818,7 +819,7 @@ func verifyKubectlSettings(cnAttr kubeconfig.CNAttributes, ks *sentry.Kubeconfig
 // backward compatibility treat "" as terminal session for old kubeconfigs
 if ks.DisableCLIKubectl {
 _log.Infow("kubectl cli is not authorized for ", "cnAttr", cnAttr, " by ", level, "config")
- return fmt.Errorf("kubectl cli is not authorized" + " by " + level + "config") //deny
+ return errors.New("kubectl cli is not authorized" + " by " + level + "config") //deny
 }
 return nil // allow
 }
@@ -826,7 +827,7 @@ func verifyKubectlSettings(cnAttr kubeconfig.CNAttributes, ks *sentry.Kubeconfig
 if cnAttr.SessionType == kubeconfig.WebShell {
 if ks.DisableWebKubectl {
 _log.Infow("browser based kubectl is not authorized for ", "cnAttr", cnAttr, " by ", level, "config")
- return fmt.Errorf("browser based kubectl is not authorized" + " by " + level + "config") //deny
+ return errors.New("browser based kubectl is not authorized" + " by " + level + "config") //deny
 }
 return nil // allow
 }
diff --git a/pkg/service/authz.go b/pkg/service/authz.go
index a5ae081..21c8550 100644
--- a/pkg/service/authz.go
+++ b/pkg/service/authz.go
@@ -133,7 +133,7 @@ func (s *authzService) fromPolicies(policies *authzpbv1.Policies) ([][]string, e
 rule := []string{p.GetSub(), p.GetNs(), p.GetProj(), p.GetOrg(), p.GetObj()}
 for _, field := range rule {
 if field == "" {
- return res, fmt.Errorf(fmt.Sprintf("index %d: policy elements do not meet definition", i))
+ return res, fmt.Errorf("index %d: policy elements do not meet definition", i)
 }
 }
 res = append(res, rule)
@@ -165,7 +165,7 @@ func (s *authzService) fromUserGroups(ugs *authzpbv1.UserGroups) ([][]string, er
 rule := []string{p.GetUser(), p.GetGrp()}
 for _, field := range rule {
 if field == "" {
- return res, fmt.Errorf(fmt.Sprintf("index %d: request elements do not meet definition", i))
+ return res, fmt.Errorf("index %d: request elements do not meet definition", i)
 }
 }
 res = append(res, rule)
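Review bot: The rebuilt error string still has no separator between `level` and `"config"`, so the returned message reads `... by <level>config` (the `_log.Infow` call on the line above has the same shape); while the line is being rewritten anyway, make it `return errors.New("kubectl cli is not authorized by " + level + " config") //deny`. The same applies to the `browser based kubectl` return in the next hunk (@@ -826). `verifyKubectlSettings` starts before the hunk.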
@@ -212,7 +212,7 @@ func (s *authzService) fromRolePermissionMappingList(ctx context.Context, r *aut
 rule := []string{rpm.url, mapping.GetRole(), method}
 for _, field := range rule {
 if field == "" {
- return res, fmt.Errorf(fmt.Sprintf("index %d: mapping elements do not meet definition", i))
+ return res, fmt.Errorf("index %d: mapping elements do not meet definition", i)
 }
 }
 rules = append(rules, rule)
@@ -231,10 +231,9 @@ func (s *authzService) Enforce(ctx context.Context, req *authzpbv1.EnforceReques
 param = req.Params[index]
 params = append(params, param)
 }
-
 res, err := s.enforcer.Enforce(params...)
 if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, err.Error())
+ return nil, status.Error(codes.InvalidArgument, err.Error())
 }
 return &authzpbv1.BoolReply{Res: res}, nil
@@ -250,13 +249,13 @@ func (s *authzService) CreatePolicies(ctx context.Context, p *authzpbv1.Policies
 }
 policies, err := s.fromPolicies(p)
 if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, err.Error())
+ return nil, status.Error(codes.InvalidArgument, err.Error())
 }
 // err could be from db, policy assertions; dispatcher, watcher updates (not pertinent)
 res, err := s.enforcer.AddPolicies(policies)
 if err != nil {
- return nil, status.Errorf(codes.Internal, err.Error())
+ return nil, status.Error(codes.Internal, err.Error())
 }
 // s.enforcer.InvalidateCache()
 return &authzpbv1.BoolReply{Res: res}, nil
@@ -266,7 +265,7 @@ func (s *authzService) DeletePolicies(ctx context.Context, p *authzpbv1.Policy)
 // err could be from db, policy assertions, cache; dispatcher, watcher updates (not pertinent)
 res, err := s.enforcer.RemoveFilteredPolicy(0, p.GetSub(), p.GetNs(), p.GetProj(), p.GetOrg(), p.GetObj())
 if err != nil {
- return nil, status.Errorf(codes.Internal, err.Error())
+ return nil, status.Error(codes.Internal, err.Error())
 }
 // s.enforcer.InvalidateCache()
 return &authzpbv1.BoolReply{Res: res}, nil
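Review bot: `status.Error(codes.Internal, err.Error())` after `AddPolicies` forwards the raw enforcer/adapter error text to the gRPC caller, and the comment right above says that error can originate in the database, so driver and SQL details can reach clients. Keep the status code but log `err` server-side and return a fixed message, e.g. `return nil, status.Error(codes.Internal, "adding policies failed")`. The same pattern is in `DeletePolicies` below and in the `CreateUserGroups`, `DeleteUserGroups` and role-permission-mapping hunks that follow; the `InvalidArgument` returns built from this service's own validation messages are fine as they are. `CreatePolicies` starts before the hunk.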
@@ -283,13 +282,13 @@ func (s *authzService) CreateUserGroups(ctx context.Context, p *authzpbv1.UserGr
 ugs, err := s.fromUserGroups(p)
 if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, err.Error())
+ return nil, status.Error(codes.InvalidArgument, err.Error())
 }
 // err could be from db, policy assertions; dispatcher, watcher updates (not pertinent)
 res, err := s.enforcer.AddNamedGroupingPolicies(groupGtype, ugs)
 if err != nil {
- return nil, status.Errorf(codes.Internal, err.Error())
+ return nil, status.Error(codes.Internal, err.Error())
 }
 // s.enforcer.InvalidateCache()
@@ -300,7 +299,7 @@ func (s *authzService) DeleteUserGroups(ctx context.Context, p *authzpbv1.UserGr
 // err could be from db, policy assertions, cache; dispatcher, watcher updates (not pertinent)
 res, err := s.enforcer.RemoveFilteredNamedGroupingPolicy(groupGtype, 0, p.GetUser(), p.GetGrp())
 if err != nil {
- return nil, status.Errorf(codes.Internal, err.Error())
+ return nil, status.Error(codes.Internal, err.Error())
 }
 // s.enforcer.InvalidateCache()
@@ -320,12 +319,12 @@ func (s *authzService) CreateRolePermissionMappings(ctx context.Context, p *auth
 rpms, err := s.fromRolePermissionMappingList(ctx, p)
 if err != nil {
- return nil, status.Errorf(codes.Internal, err.Error())
+ return nil, status.Error(codes.Internal, err.Error())
 }
 res, err := s.enforcer.AddNamedGroupingPolicies(roleGtype, rpms)
 if err != nil {
- return nil, status.Errorf(codes.Internal, err.Error())
+ return nil, status.Error(codes.Internal, err.Error())
 }
 // s.enforcer.InvalidateCache()
@@ -335,7 +334,7 @@ func (s *authzService) CreateRolePermissionMappings(ctx context.Context, p *auth
 func (s *authzService) DeleteRolePermissionMappings(ctx context.Context, p *authzpbv1.FilteredRolePermissionMapping) (*authzpbv1.BoolReply, error) {
 res, err := s.enforcer.RemoveFilteredNamedGroupingPolicy(roleGtype, 1, p.GetRole())
 if err != nil {
- return nil, status.Errorf(codes.Internal, err.Error())
+ return nil, status.Error(codes.Internal, err.Error())
 }
 // s.enforcer.InvalidateCache()
diff --git a/pkg/service/cluster.go b/pkg/service/cluster.go
index 29d9f46..edb3074 100644
--- a/pkg/service/cluster.go
+++ b/pkg/service/cluster.go
@@ -126,7 +126,7 @@ func (s *clusterService) Create(ctx context.Context, cluster *infrav3.Cluster) (
 ConditionStatus: commonv3.ConditionStatus_StatusFailed,
 Reason: errormsg,
 }
- return cluster, fmt.Errorf(errormsg)
+ return cluster, errors.New(errormsg)
 }
 if len(cluster.Metadata.Name) > 63 {
 errormsg = "maximum characters allowed for cluster name is 63. please try another name"
@@ -135,7 +135,7 @@ func (s *clusterService) Create(ctx context.Context, cluster *infrav3.Cluster) (
 ConditionStatus: commonv3.ConditionStatus_StatusFailed,
 Reason: errormsg,
 }
- return cluster, fmt.Errorf(errormsg)
+ return cluster, errors.New(errormsg)
 }
 clusterPresent, err := dao.GetByNamePartnerOrg(ctx, s.db, cluster.Metadata.Name, uuid.NullUUID{UUID: proj.PartnerId, Valid: true},
@@ -144,7 +144,7 @@ func (s *clusterService) Create(ctx context.Context, cluster *infrav3.Cluster) (
 _log.Infof("Skipping as first time cluster create ")
 } else if clusterPresent != nil {
 errormsg = "cluster name is already taken. please try another name"
- return &infrav3.Cluster{}, fmt.Errorf(errormsg)
+ return &infrav3.Cluster{}, errors.New(errormsg)
 }
 metro := &models.Metro{}
diff --git a/pkg/service/oidc_provider.go b/pkg/service/oidc_provider.go
index 4e40bc5..0295e01 100644
--- a/pkg/service/oidc_provider.go
+++ b/pkg/service/oidc_provider.go
@@ -242,7 +242,7 @@ func (s *oidcProvider) GetByName(ctx context.Context, provider *systemv3.OIDCPro
 if errors.Is(err, sql.ErrNoRows) {
 return &systemv3.OIDCProvider{}, status.Errorf(codes.InvalidArgument, "OIDC PROVIDER %q NOT EXIST", name)
 } else {
- return &systemv3.OIDCProvider{}, status.Errorf(codes.Internal, codes.Internal.String())
+ return &systemv3.OIDCProvider{}, status.Error(codes.Internal, codes.Internal.String())
 }
 }
diff --git a/scripts/initialize/main.go b/scripts/initialize/main.go
index a1a4305..386982d 100644
--- a/scripts/initialize/main.go
+++ b/scripts/initialize/main.go
@@ -297,10 +297,15 @@ func main() {
 },
 }
- _, err := rs.Upsert(internalCtx, role)
+ _, err := rs.Create(internalCtx, role)
 if err != nil {
- log.Fatalf("unable to upsert role %s: %v", name, err)
+ if strings.Contains(err.Error(), "already exists") {
+ // role already present, safe to ignore
+ continue
+ }
+ log.Fatalf("unable to create role %s: %v", name, err)
 }
+
 }
 }
 //default "All Local Users" group should be created
@@ -337,11 +342,14 @@ func main() {
 }
 existingProject, err := prs.GetByName(context.Background(), "default")
- if err != nil && !strings.Contains(err.Error(), "not found") && !strings.Contains(err.Error(), "no rows in result set") {
+ fmt.Println(existingProject)
+ isNotFound := err != nil &&
+ (strings.Contains(err.Error(), "not found") ||
+ strings.Contains(err.Error(), "no rows in result set"))
+ if err != nil && !isNotFound {
 log.Fatal("unable to get project", err)
 }
- if existingProject == nil {
- //default project with name "default" should be created with default flag true
+ if isNotFound {
 _, err := prs.Create(context.Background(), &systemv3.Project{
 Metadata: &commonv3.Metadata{
 Name: "default",
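Review bot: The `else` branch returns `codes.Internal` with the bare message `Internal` and discards `err` without logging it, so a database failure in `GetByName` leaves nothing for operators to investigate; log `err` before the return. The `else` after a returning `if` is also unnecessary — drop it and return at the function's indent. `GetByName` starts before the hunk.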
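Review bot: Switching from `rs.Upsert` to `rs.Create` and skipping on `already exists` means an existing role is no longer reconciled on re-initialization, so a later change to a role's permission set in this script will not reach an installation that already has the role; if that is intended, make the comment say so, e.g. `// role already present; existing roles are not updated here`. Matching `"already exists"` as a substring of `err.Error()` is brittle — if the role service exposes a sentinel or typed error for this case, `errors.Is` is the safer check. The enclosing loop and `main` extend outside the hunk.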
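Review bot: `fmt.Println(existingProject)` looks like a leftover debug print: it writes the whole project object to stdout on every init run, including when `err != nil` and the value is whatever `GetByName` returns on failure; remove it or turn it into a log line. The not-found detection now rests on two substrings of `err.Error()` (`not found`, `no rows in result set`); the `oidc_provider.go` hunk in this same change uses `errors.Is(err, sql.ErrNoRows)`, which would be the more robust check here if `prs.GetByName` returns the wrapped driver error. `main` continues outside the hunk.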