open-nomad/.semgrep/rpc_endpoint.yml

rules:
  # Check potentially unauthenticated RPC endpoints
  - id: "rpc-potentially-unauthenticated"
    patterns:
      - pattern: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }          
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $X.$Y.ResolveToken(...)
          ...          
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $U.requestACLToken(...)
          ...          
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.NamespaceValidator(...)
          ...          
      # Pattern used by endpoints called exclusively between agents
      # (server -> server or client -> server)
      - pattern-not-inside: |
          ...
          ... := validateTLSCertificateLevel(...)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }          
      # Pattern used by endpoints that support both normal ACLs and
      # workload identity
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.handleMixedAuthEndpoint(...)
          ...          
      # Pattern used by some Node endpoints.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          return $A.deregister(...)
          ...          
      - metavariable-pattern:
          metavariable: $METHOD
          patterns:
            # Endpoints that are expected not to have authentication.
            - pattern-not: '"ACL.Bootstrap"'
            - pattern-not: '"ACL.ResolveToken"'
            - pattern-not: '"ACL.UpsertOneTimeToken"'
            - pattern-not: '"ACL.ExchangeOneTimeToken"'
            - pattern-not: '"CSIPlugin.Get"'
            - pattern-not: '"CSIPlugin.List"'
            - pattern-not: '"Status.Leader"'
            - pattern-not: '"Status.Peers"'
            - pattern-not: '"Status.Version"'
    message: "RPC method $METHOD appears to be unauthenticated"
    languages:
      - "go"
    severity: "WARNING"
    paths:
      include:
        - "*_endpoint.go"