rules:
  # Check potentially unauthenticated RPC endpoints
  #
  # Flags every RPC handler that contains the standard "forward to the
  # leader" block and is NOT also inside one of the exclusion patterns
  # below (a ResolveToken / requestACLToken / NamespaceValidator /
  # handleMixedAuthEndpoint call after the forward, a
  # validateTLSCertificateLevel call before it, or a trailing deregister
  # call), unless $METHOD is one of the explicitly allowlisted RPC names.
  #
  # NOTE(review): each exclusion is satisfied by the mere *presence* of the
  # helper call - the rule does not check that the returned ACL object or
  # error is actually inspected. A handler that calls ResolveToken and then
  # ignores the result is still silenced, so this rule finds "no auth call
  # at all", not "authorization is enforced correctly".
  - id: "rpc-potentially-unauthenticated"
    patterns:
      # The anchor: the forward block every server-side RPC handler
      # starts with. $METHOD binds to the RPC name string literal and is
      # reused by the metavariable-pattern allowlist further down.
      - pattern: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
      # Excluded: a ResolveToken call somewhere after the forward.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $X.$Y.ResolveToken(...)
          ...
      # Excluded: a requestACLToken call somewhere after the forward.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $U.requestACLToken(...)
          ...
      # Excluded: a NamespaceValidator call somewhere after the forward.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.NamespaceValidator(...)
          ...
      # Pattern used by endpoints called exclusively between agents
      # (server -> server or client -> server)
      #
      # Unlike the ACL helpers above, this check is expected BEFORE the
      # forward block. Presumably the caller's TLS certificate level is what
      # authenticates these agent-only RPCs instead of an ACL token - confirm
      # against validateTLSCertificateLevel before relying on it.
      - pattern-not-inside: |
          ...
          ... := validateTLSCertificateLevel(...)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
      # Pattern used by endpoints that support both normal ACLs and
      # workload identity
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.handleMixedAuthEndpoint(...)
          ...
      # Pattern used by some Node endpoints.
      #
      # $A is the same receiver already bound by the forward pattern
      # (metavariables are shared across a `patterns` list), so only a
      # deregister call on that same receiver excludes the handler. This
      # exclusion keys purely on the method name; it does not verify that
      # deregister itself performs any authentication - TODO confirm.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          return $A.deregister(...)
          ...
      # Allowlist of RPC names the rule must never report. Every entry here
      # silences the rule for that method no matter what its handler does,
      # so additions should be reviewed as deliberately exposing an
      # unauthenticated endpoint.
      - metavariable-pattern:
          metavariable: $METHOD
          patterns:
            # Endpoints that are expected not to have authentication.
            - pattern-not: '"ACL.Bootstrap"'
            - pattern-not: '"ACL.ResolveToken"'
            - pattern-not: '"ACL.UpsertOneTimeToken"'
            - pattern-not: '"ACL.ExchangeOneTimeToken"'
            # NOTE(review): the CSIPlugin entries are allowlisted alongside
            # the ACL bootstrap/token-exchange RPCs; confirm that Get/List
            # are intentionally reachable without a token.
            - pattern-not: '"CSIPlugin.Get"'
            - pattern-not: '"CSIPlugin.List"'
            - pattern-not: '"Status.Leader"'
            - pattern-not: '"Status.Peers"'
            - pattern-not: '"Status.Version"'
    message: "RPC method $METHOD appears to be unauthenticated"
    languages:
      - "go"
    # WARNING rather than ERROR: findings are advisory and need a human to
    # decide between adding an auth call and extending the allowlist above.
    severity: "WARNING"
    # Only endpoint files are scanned; an RPC handler defined in a file that
    # does not match this glob is not covered by this rule at all.
    paths:
      include:
        - "*_endpoint.go"