rules:
  # Check potentially unauthenticated RPC endpoints.
  #
  # How it works: the `pattern` below anchors on the leader-forwarding
  # preamble of a server RPC handler and binds $METHOD to the RPC name
  # literal. Each `pattern-not-inside` clause then describes one accepted
  # authentication shape; a handler that matches none of them is reported.
  #
  # Limits a reviewer should keep in mind (none of these are checked here):
  #   * every exclusion only requires that an auth helper is *called* in
  #     the vicinity of the forward; whether its result (ACL object, error)
  #     actually gates the handler is not verified, so a handler that
  #     resolves a token and then ignores it is silently accepted.
  #   * handlers that do not call `$A.$B.forward(...)`, or that live in a
  #     file not matching `paths.include` below, are never examined.
  - id: "rpc-potentially-unauthenticated"
    patterns:
      # Trigger: the forward preamble. $METHOD has to be the literal RPC
      # name for the allowlist in `metavariable-pattern` to apply.
      - pattern: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
      # Accepted shape: token resolved via ResolveToken after forwarding.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $X.$Y.ResolveToken(...)
          ...
      # Accepted shape: token obtained via requestACLToken after forwarding.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $U.requestACLToken(...)
          ...
      # Accepted shape: a namespace-aware validator obtained via
      # NamespaceValidator after forwarding.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.NamespaceValidator(...)
          ...
      # Pattern used by endpoints called exclusively between agents
      # (server -> server or client -> server). Unlike the clauses above,
      # the certificate-level check is expected *before* the forward call,
      # and this shape does not require any token-based check at all.
      - pattern-not-inside: |
          ...
          ... := validateTLSCertificateLevel(...)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
      # Pattern used by endpoints that support both normal ACLs and
      # workload identity.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.handleMixedAuthEndpoint(...)
          ...
      # Pattern used by endpoints that support both normal ACLs and
      # workload identity but break authentication and authorization up.
      # Any method named `authorize` on the receiver satisfies this clause,
      # whatever it actually checks.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.authorize(...)
          ...
      # Pattern used by some Node endpoints. The handler returns straight
      # into `deregister`, which is assumed (not verified by this rule) to
      # perform its own ACL check.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          return $A.deregister(...)
          ...
      # Pattern used by Authenticate method. Authenticate is called before
      # the forward (the forward block sits in the `...` between the call
      # and the error check), and only authErr is examined afterwards.
      # TODO: add authorization steps as well.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if authErr != nil {
            return authErr
          }
      # Allowlist of RPC names that are intentionally anonymous. A name
      # listed here silences the rule completely for that method, so confirm
      # the handler really is meant to be callable without a token before
      # adding to it. Matching is against the quoted string literal, so a
      # handler that passes the method name via a constant or variable is
      # not affected by this list.
      - metavariable-pattern:
          metavariable: $METHOD
          patterns:
            # Endpoints that are expected not to have authentication.
            - pattern-not: '"ACL.Bootstrap"'
            - pattern-not: '"ACL.ResolveToken"'
            - pattern-not: '"ACL.UpsertOneTimeToken"'
            - pattern-not: '"ACL.ExchangeOneTimeToken"'
            - pattern-not: '"CSIPlugin.Get"'
            - pattern-not: '"CSIPlugin.List"'
            - pattern-not: '"Status.Leader"'
            - pattern-not: '"Status.Peers"'
            - pattern-not: '"Status.Version"'
    message: "RPC method $METHOD appears to be unauthenticated"
    languages:
      - "go"
    # The exclusions above are heuristics; a finding needs human review.
    severity: "WARNING"
    # Only files named *_endpoint.go are scanned; RPC handlers defined
    # elsewhere are out of scope for this rule.
    paths:
      include:
        - "*_endpoint.go"