# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Semgrep rule: report a forward() call in an RPC handler that is not wrapped
# by one of the recognised Authenticate/authorize sequences listed below,
# unless the forwarded method name is on the explicit allowlist at the end.
rules:
  # Check potentially unauthenticated RPC endpoints. Technically more
  # authorization (authz) oriented than authn, but before Nomad 1.4/1.5 that
  # distinction wasn't as important.
  - id: "rpc-potentially-unauthenticated"
    patterns:
      # Anchor match: the forward() call. Its first argument is bound to
      # $METHOD, which the metavariable-pattern at the end compares against
      # the allowlist of methods that are expected to be unauthenticated.
      - pattern: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
      # Each pattern-not-inside below is one accepted authentication shape;
      # a forward() that sits inside any of them is not reported. Adding a
      # new shape here widens what the rule accepts as authenticated, so it
      # should mirror a real, reviewed handler layout.
      #
      # Pattern used by typical endpoints that take an auth token or workload
      # identity. Some of these endpoints have no context for Authenticate
      # (hence the unconstrained argument list on Authenticate(...)).
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate(...)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $A.$B.ResolveACL(...)
          ...
      # Pattern used by endpoints that are used by both ACLs and Clients.
      # These endpoints will always have a ctx passed to Authenticate
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $A.$B.ResolveClientOrACL(...)
          ...
      # Pattern used by ACL endpoints that need to interact with the token directly
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := args.GetIdentity().GetACLToken()
          ...
      # Pattern used by endpoints called exclusively between agents
      # (server -> server or client -> server). Note the certificate-level
      # check comes before forward() in this shape, unlike the others.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          ... := validateTLSCertificateLevel(...)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
      # Pattern used by endpoints that support both normal ACLs and workload
      # identity but break authentication and authorization up
      # TODO: currently this is just for Variables and should be removed once
      # https://github.com/hashicorp/nomad/issues/15875 is complete.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.handleMixedAuthEndpoint(...)
          ...
      # Second pattern used by endpoints that support both normal ACLs and
      # workload identity but break authentication and authorization up
      # TODO: currently this is just for Variables and should be removed once
      # https://github.com/hashicorp/nomad/issues/15875 is complete.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := svePreApply($A, args, args.Var)
          ...
      # Pattern used by some Node endpoints.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          return $A.deregister(...)
          ...
      # Allowlist applied to the $METHOD captured by the anchor pattern.
      # Both spellings seen in the endpoints are listed: quoted Go string
      # literals (the inner double quotes are part of the matched source)
      # and structs.*RPCMethod constants. Every entry here is an RPC the
      # rule will never report, so a new entry should come with a reason
      # the method is safe to serve without authentication.
      - metavariable-pattern:
          metavariable: $METHOD
          patterns:
            # Endpoints that are expected not to have authentication.
            - pattern-not: '"ACL.Bootstrap"'
            - pattern-not: '"ACL.GetClaimPolicies"'
            - pattern-not: '"ACL.ResolveToken"'
            - pattern-not: '"ACL.UpsertOneTimeToken"'
            - pattern-not: '"ACL.ExchangeOneTimeToken"'
            - pattern-not: '"ACL.WhoAmI"'
            - pattern-not: 'structs.ACLListAuthMethodsRPCMethod'
            - pattern-not: 'structs.ACLOIDCAuthURLRPCMethod'
            - pattern-not: 'structs.ACLOIDCCompleteAuthRPCMethod'
            - pattern-not: 'structs.ACLLoginRPCMethod'
            - pattern-not: '"CSIPlugin.Get"'
            - pattern-not: '"CSIPlugin.List"'
            - pattern-not: '"Status.Leader"'
            - pattern-not: '"Status.Peers"'
            - pattern-not: '"Status.Version"'
    message: "RPC method $METHOD appears to be unauthenticated"
    languages:
      - "go"
    severity: "WARNING"
    # Only the server-side RPC endpoint files are scanned; handlers defined
    # elsewhere are outside this rule's scope.
    paths:
      include:
        - "nomad/*_endpoint.go"