From b4bdfa51a97a637361ea984a526225c09eec5c36 Mon Sep 17 00:00:00 2001
From: jay-dee7
Date: Wed, 10 Jan 2024 00:20:50 +0530
Subject: [PATCH] add: Logs for failed clair requests
Signed-off-by: jay-dee7
---
 .dockerignore | 1 -
 auth/github.go | 8 ++--
 auth/reset_password.go | 7 +--
 auth/server/webauthn_server.go | 26 ++++--------
 router/github.go | 25 ++++++++---
 router/vuln_scanning_routes.go | 9 ++--
 services/yor/clair/v1/server/clair.go | 61 +++++++++++++++------------
 vcs/github/github.go | 13 +++---
 vcs/github/handlers.go | 2 +-
 9 files changed, 79 insertions(+), 73 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index 4f0222bd..e69de29b 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +0,0 @@
-.go-skynet/
diff --git a/auth/github.go b/auth/github.go
index 0061a3aa..0422eb51 100644
--- a/auth/github.go
+++ b/auth/github.go
@@ -8,13 +8,13 @@ import (
 "strings"
 "time"
- "github.com/containerish/OpenRegistry/config"
- "github.com/containerish/OpenRegistry/store/v1/types"
- "github.com/fatih/color"
 "github.com/google/go-github/v56/github"
 "github.com/google/uuid"
 "github.com/labstack/echo/v4"
 "golang.org/x/oauth2"
+
+ "github.com/containerish/OpenRegistry/config"
+ "github.com/containerish/OpenRegistry/store/v1/types"
 )
 func (a *auth) LoginWithGithub(ctx echo.Context) error {
@@ -201,8 +201,6 @@ func (a *auth) createCookie(
 HttpOnly: httpOnly,
 }
- color.Red("cookie: %#v", cookie)
-
 if expiresAt.Unix() < time.Now().Unix() {
 // set cookie deletion
 cookie.MaxAge = -1
diff --git a/auth/reset_password.go b/auth/reset_password.go
index 2a717fa8..c47b153d 100644
--- a/auth/reset_password.go
+++ b/auth/reset_password.go
@@ -7,12 +7,13 @@ import (
 "net/http"
 "time"
- "github.com/containerish/OpenRegistry/services/email"
- "github.com/containerish/OpenRegistry/store/v1/types"
 "github.com/golang-jwt/jwt/v5"
 "github.com/google/uuid"
 "github.com/jackc/pgx/v4"
 "github.com/labstack/echo/v4"
+
+ "github.com/containerish/OpenRegistry/services/email"
+ "github.com/containerish/OpenRegistry/store/v1/types"
 )
 func (a *auth) ResetForgottenPassword(ctx echo.Context) error {
@@ -123,7 +124,7 @@ func (a *auth) ResetPassword(ctx echo.Context) error {
 user, ok := ctx.Get(string(types.UserContextKey)).(*types.User)
 if !ok {
- err := fmt.Errorf("Unauthorized: missing user auth credentials")
+ err := fmt.Errorf("unauthorized: missing user auth credentials")
 echoErr := ctx.JSON(http.StatusUnauthorized, echo.Map{
 "error": err.Error(),
 })
diff --git a/auth/server/webauthn_server.go b/auth/server/webauthn_server.go
index 7108654c..84f1c6f3 100644
--- a/auth/server/webauthn_server.go
+++ b/auth/server/webauthn_server.go
@@ -5,10 +5,13 @@ import (
 "encoding/json"
 "fmt"
 "net/http"
- "net/url"
 "strings"
 "time"
+ "github.com/google/uuid"
+ "github.com/labstack/echo/v4"
+ "github.com/uptrace/bun"
+
 "github.com/containerish/OpenRegistry/auth"
 "github.com/containerish/OpenRegistry/auth/webauthn"
 "github.com/containerish/OpenRegistry/config"
@@ -16,9 +19,6 @@ import (
 "github.com/containerish/OpenRegistry/store/v1/users"
 webauthn_store "github.com/containerish/OpenRegistry/store/v1/webauthn"
 "github.com/containerish/OpenRegistry/telemetry"
- "github.com/google/uuid"
- "github.com/labstack/echo/v4"
- "github.com/uptrace/bun"
 )
 type (
@@ -459,19 +459,11 @@ func (wa *webauthn_server) FinishLogin(ctx echo.Context) error {
 return echoErr
 }
- domain := ""
- url, err := url.Parse(wa.cfg.WebAuthnConfig.GetAllowedURLFromEchoContext(ctx, wa.cfg.Environment))
- if err != nil {
- domain = wa.cfg.WebAuthnConfig.RPOrigins[0]
- } else {
- domain = url.Hostname()
- }
-
 sessionIdCookie := auth.CreateCookie(&auth.CreateCookieOptions{
- ExpiresAt: time.Now().Add(time.Hour * 750), //one month
+ ExpiresAt: time.Now().Add(time.Hour * 750), // one month
 Name: "session_id",
 Value: sessionId,
- FQDN: domain,
+ FQDN: wa.cfg.Registry.FQDN,
 Environment: wa.cfg.Environment,
 HTTPOnly: false,
 })
@@ -480,16 +472,16 @@ func (wa *webauthn_server) FinishLogin(ctx echo.Context) error {
 ExpiresAt: time.Now().Add(time.Hour * 750),
 Name: auth.AccessCookieKey,
 Value: accessToken,
- FQDN: domain,
+ FQDN: wa.cfg.Registry.FQDN,
 Environment: wa.cfg.Environment,
 HTTPOnly: true,
 })
 refreshTokenCookie := auth.CreateCookie(&auth.CreateCookieOptions{
- ExpiresAt: time.Now().Add(time.Hour * 750), //one month
+ ExpiresAt: time.Now().Add(time.Hour * 750), // one month
 Name: auth.RefreshCookKey,
 Value: refreshToken,
- FQDN: domain,
+ FQDN: wa.cfg.Registry.FQDN,
 Environment: wa.cfg.Environment,
 HTTPOnly: true,
 })
diff --git a/router/github.go b/router/github.go
index 8937549b..202f5ce6 100644
--- a/router/github.go
+++ b/router/github.go
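Review bot: The three CreateCookie calls in this hunk and the next now hard-code `FQDN: wa.cfg.Registry.FQDN`, replacing a Domain derived from the request's allowed URL with an RPOrigins fallback. A browser discards a Set-Cookie whose Domain attribute does not domain-match the host that served the response, so if the auth API is reached under any other host (local development, or a preview front end of the kind the CORS allow lists in this patch admit) FinishLogin will report success while the session, access and refresh cookies are silently dropped. Worth recording the assumption at the first call, e.g. `// cookie Domain is the registry FQDN: the auth endpoints must be served under that host (or a subdomain) for browsers to keep these`, or retaining a per-environment fallback. FinishLogin starts outside this hunk, so how sessionId, accessToken and refreshToken are produced is not visible here.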
@@ -6,17 +6,18 @@ import (
 "net/http"
 "strings"
+ "github.com/fatih/color"
+ "github.com/labstack/echo/v4"
+ "github.com/rs/cors"
+ "golang.org/x/net/http2"
+ "golang.org/x/net/http2/h2c"
+
 "github.com/containerish/OpenRegistry/config"
 github_actions_server "github.com/containerish/OpenRegistry/services/kon/github_actions/v1/server"
 "github.com/containerish/OpenRegistry/store/v1/automation"
 "github.com/containerish/OpenRegistry/telemetry"
 "github.com/containerish/OpenRegistry/vcs"
 "github.com/containerish/OpenRegistry/vcs/github"
- "github.com/fatih/color"
- "github.com/labstack/echo/v4"
- "github.com/rs/cors"
- "golang.org/x/net/http2"
- "golang.org/x/net/http2/h2c"
 )
 func RegisterGitHubRoutes(
@@ -57,12 +58,22 @@ func RegisterGitHubRoutes(
 AllowOriginFunc: func(origin string) bool {
 return strings.HasSuffix(origin, "openregistry.dev") ||
 strings.HasSuffix(origin, "cntr.sh") ||
- strings.HasSuffix(origin, "openregistry-web.pages.dev")
+ strings.HasSuffix(origin, "openregistry-web.pages.dev") ||
+ strings.Contains(origin, "localhost")
 },
 AllowedMethods: []string{
 http.MethodOptions, http.MethodGet, http.MethodPost,
 },
- AllowedHeaders: []string{"*"},
+ AllowedHeaders: []string{
+ "Origin",
+ "Content-Type",
+ "Authorization",
+ "Connect-Protocol-Version",
+ "Connect-Timeout-Ms",
+ "Grpc-Timeout",
+ "X-Grpc-Web",
+ "X-User-Agent",
+ },
 AllowCredentials: true,
 Debug: true,
 })
diff --git a/router/vuln_scanning_routes.go b/router/vuln_scanning_routes.go
index cc2d2079..4798f18c 100644
--- a/router/vuln_scanning_routes.go
+++ b/router/vuln_scanning_routes.go
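Review bot: The new `strings.Contains(origin, "localhost")` in AllowOriginFunc is a substring test on the whole Origin value, so any origin whose hostname merely contains that word (a third-party host with `localhost` as one of its labels) is accepted, and with `AllowCredentials: true` the response may then carry cookies for it. The surrounding HasSuffix checks have the same shape: `openregistry-web.pages.dev` matches any host that ends in those characters, not only that domain and its subdomains. Parsing the origin once with `url.Parse` and comparing `Hostname()` against exact hosts and dot-prefixed suffixes keeps the intent and closes both gaps; it needs `net/url`, which the import hunk above does not bring in. The cors.New call and RegisterGitHubRoutes begin outside this hunk.
```go
AllowOriginFunc: func(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	host := u.Hostname()
	if host == "localhost" {
		return true
	}
	for _, d := range []string{"openregistry.dev", "cntr.sh", "openregistry-web.pages.dev"} {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
},
// … unchanged: AllowedMethods, AllowedHeaders, AllowCredentials, Debug …
```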
@@ -6,14 +6,15 @@ import (
 "net/http"
 "strings"
- "github.com/containerish/OpenRegistry/config"
- "github.com/containerish/OpenRegistry/services/yor/clair/v1/server"
- "github.com/containerish/OpenRegistry/store/v1/users"
- "github.com/containerish/OpenRegistry/telemetry"
 "github.com/fatih/color"
 "github.com/rs/cors"
 "golang.org/x/net/http2"
 "golang.org/x/net/http2/h2c"
+
+ "github.com/containerish/OpenRegistry/config"
+ "github.com/containerish/OpenRegistry/services/yor/clair/v1/server"
+ "github.com/containerish/OpenRegistry/store/v1/users"
+ "github.com/containerish/OpenRegistry/telemetry"
 )
 func RegisterVulnScaningRoutes(
diff --git a/services/yor/clair/v1/server/clair.go b/services/yor/clair/v1/server/clair.go
index 8e339f35..039439d0 100644
--- a/services/yor/clair/v1/server/clair.go
+++ b/services/yor/clair/v1/server/clair.go
@@ -3,14 +3,16 @@ package server
 import (
 "bytes"
 "context"
+ "encoding/json"
 "fmt"
 "io"
 "net/http"
 "github.com/bufbuild/connect-go"
- clair_v1 "github.com/containerish/OpenRegistry/services/yor/clair/v1"
 "github.com/golang-jwt/jwt/v5"
 "google.golang.org/protobuf/encoding/protojson"
+
+ clair_v1 "github.com/containerish/OpenRegistry/services/yor/clair/v1"
 )
 func (c *clair) EnableVulnerabilityScanning(
@@ -40,21 +42,16 @@ func (c *clair) GetVulnerabilityReport(
 manifestID := req.Msg.GetManifestId()
 logEvent.Str("manifest", manifestID)
- report, err := c.getVulnReport(ctx, manifestID)
+ reportBz, err := c.getVulnReport(ctx, manifestID)
 if err != nil {
- logEvent.Err(err).Send()
+ var errMap map[string]any
+ _ = json.Unmarshal(reportBz, &errMap)
+ logEvent.Err(err).Any("get_manifest_err", errMap).Send()
 return nil, connect.NewError(connect.CodeInvalidArgument, err)
 }
- reportBz, err := io.ReadAll(report)
- if err != nil {
- logEvent.Err(err).Send()
- return nil, connect.NewError(connect.CodeInternal, err)
- }
- defer report.Close()
-
 resp := &clair_v1.GetVulnerabilityReportResponse{}
- if err = protojson.Unmarshal(reportBz, resp); err != nil {
+ if err = (protojson.UnmarshalOptions{DiscardUnknown: true}).Unmarshal(reportBz, resp); err != nil {
 logEvent.Err(err).Send()
 return nil, connect.NewError(connect.CodeInternal, err)
 }
@@ -105,21 +102,16 @@ func (c *clair) SubmitManifestToScan(
 Layers: layers,
 }
- result, err := c.submitManifest(ctx, body)
+ resultBz, err := c.submitManifest(ctx, body)
 if err != nil {
- logEvent.Err(err).Send()
+ var errMap map[string]any
+ _ = json.Unmarshal(resultBz, &errMap)
+ logEvent.Err(err).Any("manifest_submit_err", errMap).Send()
 return nil, connect.NewError(connect.CodeInvalidArgument, err)
 }
- resultBz, err := io.ReadAll(result)
- if err != nil {
- logEvent.Err(err).Send()
- return nil, connect.NewError(connect.CodeInternal, err)
- }
- defer result.Close()
-
 msg := &clair_v1.SubmitManifestToScanResponse{}
- if err = protojson.Unmarshal(resultBz, msg); err != nil {
+ if err = (protojson.UnmarshalOptions{DiscardUnknown: true}).Unmarshal(resultBz, msg); err != nil {
 logEvent.Err(err).Send()
 return nil, connect.NewError(connect.CodeInternal, err)
 }
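Review bot: In both error branches of this hunk the result of `json.Unmarshal` is thrown away, so when Clair (or a proxy in front of it) answers with a non-JSON body the map stays nil and the new `get_manifest_err`/`manifest_submit_err` fields log as null — the failed request leaves no trace of what came back, which is what the commit subject sets out to capture. Keeping the raw body when decoding fails, e.g. `if json.Unmarshal(reportBz, &errMap) != nil { logEvent.Str("raw_body", string(reportBz)) }` (truncated to a sane length, since getVulnReport now returns the whole response), preserves the evidence. The key `get_manifest_err` in GetVulnerabilityReport also mislabels the operation, which is getVulnReport; `get_vuln_report_err` would read correctly beside `manifest_submit_err`. Note too that the status-code errors the helpers now return (Clair answering 5xx) reach the caller as `connect.CodeInvalidArgument`, which blames the request; mapping non-2xx upstream responses to CodeUnavailable or CodeInternal would be more truthful. Both enclosing functions begin outside the hunk.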
@@ -129,7 +121,7 @@ func (c *clair) SubmitManifestToScan(
 return connect.NewResponse(msg), nil
 }
-func (c *clair) getVulnReport(ctx context.Context, manifestID string) (io.ReadCloser, error) {
+func (c *clair) getVulnReport(ctx context.Context, manifestID string) ([]byte, error) {
 uri := fmt.Sprintf("%s/matcher/api/v1/vulnerability_report/%s", c.config.ClairEndpoint, manifestID)
 req, err := c.newClairRequest(ctx, http.MethodGet, uri, nil)
@@ -142,13 +134,23 @@ func (c *clair) getVulnReport(ctx context.Context, manifestID string) (io.ReadCl
 return nil, err
 }
- return resp.Body, nil
+ bz, err := io.ReadAll(resp.Body)
+ if err != nil {
+ return nil, fmt.Errorf("ERR_GET_VULN_REPORT: READ_RESPONSE: %w", err)
+ }
+ defer resp.Body.Close()
+
+ if resp.StatusCode >= 200 && resp.StatusCode <= 299 {
+ return bz, nil
+ }
+
+ return bz, fmt.Errorf("ERR_GET_VULN_REPORT: INVALID_RESPONSE: %d", resp.StatusCode)
 }
 func (c *clair) submitManifest(
 ctx context.Context,
 manifest *clair_v1.ClairIndexManifestRequest,
-) (io.ReadCloser, error) {
+) ([]byte, error) {
 uri := fmt.Sprintf("%s/indexer/api/v1/index_report", c.config.ClairEndpoint)
 bz, err := protojson.Marshal(manifest)
@@ -165,12 +167,17 @@ func (c *clair) submitManifest(
 return nil, err
 }
- if res.StatusCode >= 200 && res.StatusCode <= 300 {
- return res.Body, nil
+ bz, err = io.ReadAll(res.Body)
+ if err != nil {
+ return nil, fmt.Errorf("ERR_SUBMIT_MANIFEST_TO_SCAN: READ_RESPONSE: %w", err)
 }
+ defer res.Body.Close()
- return nil, fmt.Errorf("ERR_SUBMIT_MANIFEST_TO_SCAN: CODE: %d", res.StatusCode)
+ if res.StatusCode >= 200 && res.StatusCode <= 300 {
+ return bz, nil
+ }
+ return bz, fmt.Errorf("ERR_SUBMIT_MANIFEST_TO_SCAN: CODE: %d", res.StatusCode)
 }
 func (c *clair) newClairRequest(ctx context.Context, method string, url string, body io.Reader) (*http.Request, error) {
diff --git a/vcs/github/github.go b/vcs/github/github.go
index 8683699f..a6e83544 100644
--- a/vcs/github/github.go
+++ b/vcs/github/github.go
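Review bot: `defer resp.Body.Close()` in getVulnReport is placed after `io.ReadAll` and its early `return nil, …`, so a read failure returns without ever closing the body, and the same ordering appears in submitManifest in the following hunk; moving the defer to immediately after the `if err != nil { return nil, err }` that guards the Do call (just above this hunk) fixes both. `io.ReadAll` is also unbounded, so a misbehaving upstream can make this server buffer an arbitrarily large body, and those bytes are then returned on error and decoded a second time for logging; reading through `io.LimitReader(resp.Body, limit)` with a named limit constant is cheap insurance. The request construction and Do call of getVulnReport are outside this hunk.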
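Review bot: The success test `res.StatusCode >= 200 && res.StatusCode <= 300` in submitManifest accepts 300 Multiple Choices as success and disagrees with getVulnReport in the previous hunk, which stops at 299; since the body is now handed to protojson on the success path, a 300 would be decoded as an index report. `if res.StatusCode >= 200 && res.StatusCode <= 299 {` makes the two helpers consistent. The error strings also differ in shape between them (`INVALID_RESPONSE` versus `CODE`); one form keeps log searches simple. submitManifest's request setup is outside the hunk.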
@@ -9,14 +9,15 @@ import (
 "time"
 "github.com/bradleyfalzon/ghinstallation/v2"
- "github.com/containerish/OpenRegistry/config"
- "github.com/containerish/OpenRegistry/store/v1/types"
- "github.com/containerish/OpenRegistry/telemetry"
- "github.com/containerish/OpenRegistry/vcs"
 "github.com/fatih/color"
 "github.com/google/go-github/v56/github"
 "github.com/google/uuid"
 "github.com/labstack/echo/v4"
+
+ "github.com/containerish/OpenRegistry/config"
+ "github.com/containerish/OpenRegistry/store/v1/types"
+ "github.com/containerish/OpenRegistry/telemetry"
+ "github.com/containerish/OpenRegistry/vcs"
 )
 type ghAppService struct {
@@ -88,10 +89,6 @@ func (gh *ghAppService) RegisterRoutes(router *echo.Group) {
 func (gh *ghAppService) getUsernameMiddleware() echo.MiddlewareFunc {
 return func(next echo.HandlerFunc) echo.HandlerFunc {
 return func(ctx echo.Context) error {
- for key, header := range ctx.Request().Header {
- color.Green("getUsernameMiddleware %s = %s", key, header)
- }
-
 // skip if it's a webhook call
 // if c.Path() == "/github"+vcs.HandleWebhookEventsEndpoint || c.Path() == "/github/app/callback" {
 if ctx.Path() == "/github"+vcs.HandleWebhookEventsEndpoint {
diff --git a/vcs/github/handlers.go b/vcs/github/handlers.go
index 94bb3a7b..0cde8197 100644
--- a/vcs/github/handlers.go
+++ b/vcs/github/handlers.go
@@ -307,7 +307,7 @@ func (gh *ghAppService) CreateInitialPR(ctx echo.Context) error {
 workflowExists := gh.doesWorkflowExist(ctx.Request().Context(), client, &repository)
 if workflowExists {
- echoErr := ctx.NoContent(http.StatusAccepted)
+ echoErr := ctx.NoContent(http.StatusNoContent)
 gh.logger.Log(ctx, echoErr).Send()
 return echoErr
 }