From d4e70a74b3d1220fb5ff351eff2f64bfa2dd9b22 Mon Sep 17 00:00:00 2001 From: Daniel Adam Date: Wed, 14 Aug 2024 11:24:36 +0200 Subject: [PATCH 1/2] Fix issues reported by static analysis --- Dockerfile.test | 5 +- bundle/Dockerfile | 128 ++++++++++++++---- .../templates/certs/default/ca-issuer.yaml | 2 +- .../templates/certs/default/root-ca.yaml | 2 +- .../templates/certs/storage/scylla-crt.yaml | 8 +- .../mongodb-standby-tool/config.yaml | 2 +- grpc-gateway/client/maintenance.go | 2 +- http-gateway/Dockerfile | 13 +- http-gateway/Dockerfile.www | 3 - m2m-oauth-server/store/mongodb/tokens_test.go | 2 +- pkg/net/grpc/authFromOutgoingMD.go | 8 +- .../certManager/general/certManager_test.go | 6 +- .../cqrs/eventstore/cqldb/load.go | 20 ++- .../events/deviceMetadataSnapshotTaken.go | 6 +- .../events/resourceLinksSnapshotTaken.go | 45 +++--- .../events/resourceStateSnapshotTaken.go | 55 ++++---- test/cloud-server/Dockerfile | 38 +++++- test/security/jwk.go | 3 +- tools/cert-tool/Dockerfile | 8 +- tools/docker/Dockerfile.in | 12 +- tools/grpc-reflection/Dockerfile | 8 +- tools/mongodb/admin-tool/Dockerfile | 12 +- tools/mongodb/standby-tool/Dockerfile | 12 +- 23 files changed, 268 insertions(+), 132 deletions(-)
diff --git a/Dockerfile.test b/Dockerfile.test
index 620c3a696..d0947e6b0 100644
--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -1,8 +1,10 @@
 FROM ubuntu:22.04 AS hub-test
 RUN apt-get update \
- && DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends build-essential ca-certificates curl git make patch sudo \
+ && DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends \
+ build-essential ca-certificates curl git make patch sudo \
 && apt-get clean \
 && curl -sSL https://get.docker.com/ | sh
+WORKDIR /
 # apt: ca-certificates git make sudo
 RUN git clone https://github.com/udhos/update-golang.git \
 && cd update-golang \
@@ -20,7 +22,6 @@ WORKDIR /usr/local/go
 # apt: patch
 RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/shrink_tls_conn.patch" )
-
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub
 # RUN go mod tidy
diff --git a/bundle/Dockerfile b/bundle/Dockerfile
index 4b8af490d..bf30e71a3 100644
--- a/bundle/Dockerfile
+++ b/bundle/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 FROM golang:1.22.3-alpine AS build
-RUN apk add --no-cache curl git build-base
+RUN apk add --no-cache build-base curl git
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub
 COPY go.mod go.sum ./
 RUN go mod download
@@ -21,7 +21,12 @@ ARG RELEASE_URL
 ARG service=coap-gateway
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X \
+ github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
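Review bot: In the coap-gateway build block the last linker flag is split from its argument, `-X \` followed by `github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL"`, unlike every other service block in this file, which keeps each `-X` and its value on one line. The shell removes the backslash-newline inside the double quotes so the build still works, but a reader scanning the flag list sees a dangling `-X`. Suggest the same layout as the other blocks: `-X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \` followed by `-X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \`.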
@@ -29,7 +34,12 @@ RUN go build \
 ARG service=grpc-gateway
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -37,7 +47,12 @@ RUN go build \
 ARG service=http-gateway
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -45,7 +60,12 @@ RUN go build \
 ARG service=resource-directory
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -53,7 +73,12 @@ RUN go build \
 ARG service=resource-aggregate
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -61,7 +86,12 @@ RUN go build \
 ARG service=identity-store
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -69,7 +99,12 @@ RUN go build \
 ARG service=certificate-authority
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -77,7 +112,12 @@ RUN go build \
 ARG service=oauth-server
 WORKDIR $root_directory/test/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -85,7 +125,12 @@ RUN go build \
 ARG service=m2m-oauth-server
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -93,7 +138,12 @@ RUN go build \
 ARG service=cloud2cloud-gateway
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -101,7 +151,12 @@ RUN go build \
 ARG service=cloud2cloud-connector
 WORKDIR $root_directory/$service
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -109,21 +164,38 @@ RUN go build \
 ARG tool=cert-tool
 WORKDIR $root_directory/tools/$tool
 RUN go build \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$tool" \
 ./
 #snippet-service
 ARG service=snippet-service
 WORKDIR $root_directory/$service
-RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+RUN go build \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
 #grpc-reflection
 ARG service=grpc-reflection
 WORKDIR $root_directory/tools/$service
-RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X 
github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+RUN go build \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o "/go/bin/$service" \
 ./cmd/service
@@ -138,28 +210,26 @@ RUN apkArch="$(apk --print-arch)"; \
 *) echo >&2 "error: unsupported architecture: $apkArch"; exit 1 ;; \
 esac; \
 curl -L https://github.com/nats-io/nats-server/releases/download/v2.3.1/nats-server-v2.3.1-linux-${ARCH}.zip -o ./nats-server.zip ; \
- curl -L https://github.com/nats-io/natscli/releases/download/0.0.24/nats-0.0.24-linux-${ARCH}.zip -o ./nats.zip
-RUN mkdir -p ./nats-server
-RUN unzip ./nats-server.zip -d ./nats-server
-RUN cp ./nats-server/*/nats-server /go/bin/nats-server
-
-RUN mkdir -p ./nats
-RUN unzip ./nats.zip -d ./nats
-RUN cp ./nats/*/nats /go/bin/nats
+ curl -L https://github.com/nats-io/natscli/releases/download/0.0.24/nats-0.0.24-linux-${ARCH}.zip -o ./nats.zip \
+ && mkdir -p ./nats-server \
+ && unzip ./nats-server.zip -d ./nats-server \
+ && cp ./nats-server/*/nats-server /go/bin/nats-server \
+ && mkdir -p ./nats \
+ && unzip ./nats.zip -d ./nats \
+ && cp ./nats/*/nats /go/bin/nats
 FROM ubuntu:22.04 AS service
 # iproute2 -> ip utility in run.sh
 # netcat -> nc utility in run.sh
 # nginx -> nginx server in run.sh
 # openssl -> openssl utility in run.sh
-RUN apt update \
- && apt-get install -y --no-install-recommends ca-certificates gnupg iproute2 netcat nginx openssl wget curl sudo coreutils \
- && apt-get clean
 # yq utility in run.sh
-RUN wget https://github.com/mikefarah/yq/releases/download/v4.44.2/yq_linux_$(dpkg --print-architecture) -O /usr/bin/yq && chmod +x /usr/bin/yq
-RUN wget -qO - https://pgp.mongodb.com/server-6.0.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.0.gpg
-RUN echo "deb [ arch=$(dpkg --print-architecture) ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-6.0.list
 RUN apt update \
+ && apt-get install -y --no-install-recommends ca-certificates coreutils curl gnupg iproute2 netcat nginx openssl sudo wget \
+ && wget https://github.com/mikefarah/yq/releases/download/v4.44.2/yq_linux_$(dpkg --print-architecture) -O 
/usr/bin/yq && chmod +x /usr/bin/yq \
+ && wget -qO - https://pgp.mongodb.com/server-6.0.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.0.gpg \
+ && echo "deb [ arch=$(dpkg --print-architecture) ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-6.0.list \
+ && apt update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends mongodb-org mongodb-org-server \
 && apt-get clean
diff --git a/charts/plgd-hub/templates/certs/default/ca-issuer.yaml b/charts/plgd-hub/templates/certs/default/ca-issuer.yaml
index e1a9dab99..a21d90f00 100644
--- a/charts/plgd-hub/templates/certs/default/ca-issuer.yaml
+++ b/charts/plgd-hub/templates/certs/default/ca-issuer.yaml
@@ -14,7 +14,7 @@ metadata:
 {{- end }}
 spec:
 {{- if or (and .Values.certmanager.default.ca.issuerRef.name (ne ( .Values.certmanager.default.ca.issuerRef.name | toString) ( .Values.certmanager.default.ca.issuer.name | toString)))
- (and .Values.certmanager.default.ca.issuerRef.kind (ne ( .Values.certmanager.default.ca.issuerRef.kind | toString) (.Values.certmanager.default.ca.issuer.kind | toString)))}}
+ (and .Values.certmanager.default.ca.issuerRef.kind (ne ( .Values.certmanager.default.ca.issuerRef.kind | toString) (.Values.certmanager.default.ca.issuer.kind | toString))) }}
 ca:
 secretName: {{ .Values.certmanager.default.ca.secret.name }}
 {{- else }}
diff --git a/charts/plgd-hub/templates/certs/default/root-ca.yaml b/charts/plgd-hub/templates/certs/default/root-ca.yaml
index 45b6671eb..1f0593a97 100644
--- a/charts/plgd-hub/templates/certs/default/root-ca.yaml
+++ b/charts/plgd-hub/templates/certs/default/root-ca.yaml
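Review bot: The MongoDB signing key is still written to `/etc/apt/trusted.gpg.d/mongodb-6.0.gpg`, which makes it a trusted signer for every apt source in the image rather than for the MongoDB repository alone; since this `RUN` chain is being restructured anyway, it is the right moment to scope the key with `signed-by`. Concretely: `&& wget -qO - https://pgp.mongodb.com/server-6.0.asc | gpg --dearmor -o /usr/share/keyrings/mongodb-6.0.gpg \` and `&& echo "deb [ arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mongodb-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-6.0.list \`. The yq binary fetched in the same chain, like the nats archives unzipped at the top of the hunk, is installed without any checksum verification, so a release-page change goes straight into the image. The chain also mixes `apt update` with `apt-get install`; `apt-get update` is the form meant for scripts. This hunk starts on the previous physical line.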
@@ -9,7 +9,7 @@ spec:
 commonName: {{ .Values.certmanager.default.ca.commonName }}
 secretName: {{ .Values.certmanager.default.ca.secret.name }}
 privateKey:
- algorithm: {{ .Values.certmanager.default.cert.key.algorithm}}
+ algorithm: {{ .Values.certmanager.default.cert.key.algorithm }}
 size: {{ .Values.certmanager.default.cert.key.size }}
 usages:
 - "signing"
diff --git a/charts/plgd-hub/templates/certs/storage/scylla-crt.yaml b/charts/plgd-hub/templates/certs/storage/scylla-crt.yaml
index 99ee4e4a5..4deefceef 100644
--- a/charts/plgd-hub/templates/certs/storage/scylla-crt.yaml
+++ b/charts/plgd-hub/templates/certs/storage/scylla-crt.yaml
@@ -24,10 +24,10 @@ spec:
 - "{{ $.Release.Name }}-scylla-client.{{ $.Release.Namespace }}.svc.{{ $.Values.cluster.dns }}"
 {{- $rack := . }}
 {{- range $i := until (int .members) }}
- - {{$.Release.Name}}-scylla-{{$.Values.scylla.datacenter}}-{{ $rack.name }}-{{$i}}
- - {{$.Release.Name}}-scylla-{{$.Values.scylla.datacenter}}-{{ $rack.name }}-{{$i}}.{{$.Release.Namespace}}.svc.{{ $.Values.cluster.dns }}
- - "*.{{$.Release.Name}}-scylla-{{$.Values.scylla.datacenter}}-{{ $rack.name }}-{{$i}}"
- - "*.{{$.Release.Name}}-scylla-{{$.Values.scylla.datacenter}}-{{ $rack.name }}-{{$i}}.{{$.Release.Namespace}}.svc.{{ $.Values.cluster.dns }}"
+ - {{ $.Release.Name }}-scylla-{{ $.Values.scylla.datacenter }}-{{ $rack.name }}-{{ $i }}
+ - {{ $.Release.Name }}-scylla-{{ $.Values.scylla.datacenter }}-{{ $rack.name }}-{{ $i }}.{{ $.Release.Namespace }}.svc.{{ $.Values.cluster.dns }}
+ - "*.{{ $.Release.Name }}-scylla-{{ $.Values.scylla.datacenter }}-{{ $rack.name }}-{{ $i }}"
+ - "*.{{ $.Release.Name }}-scylla-{{ $.Values.scylla.datacenter }}-{{ $rack.name }}-{{ $i }}.{{ $.Release.Namespace }}.svc.{{ $.Values.cluster.dns }}"
 {{- end }}
 duration: {{ $.Values.certmanager.storage.cert.duration | default $.Values.certmanager.internal.cert.duration | default $.Values.certmanager.default.cert.duration }}
 renewBefore: {{ $.Values.certmanager.storage.cert.renewBefore | default $.Values.certmanager.internal.cert.renewBefore | default $.Values.certmanager.default.cert.renewBefore }}
diff --git a/charts/plgd-hub/templates/mongodb-standby-tool/config.yaml b/charts/plgd-hub/templates/mongodb-standby-tool/config.yaml
index 7fc074b3e..2246a15dc 100644
--- a/charts/plgd-hub/templates/mongodb-standby-tool/config.yaml
+++ b/charts/plgd-hub/templates/mongodb-standby-tool/config.yaml
@@ -25,7 +25,7 @@ data:
 # List of the MongoDB members in the replica set which are used as hidden and secondary members
 members:
 {{- range $standbyTool.replicaSet.standby.members }}
- - {{printf "%s" . }}
+ - {{ printf "%s" . }}
 {{- end }}
 # Set the delay for syncing the standby members with the secondary/primary members
 delays: {{ $standbyTool.replicaSet.standby.delays }}
diff --git a/grpc-gateway/client/maintenance.go b/grpc-gateway/client/maintenance.go
index 1201aa0cc..4715d1039 100644
--- a/grpc-gateway/client/maintenance.go
+++ b/grpc-gateway/client/maintenance.go
@@ -83,7 +83,7 @@ func (c *Client) updateMaintenanceResource(
 }
 }()
 str := http.StatusText(resp.LastHTTPError)
- return status.Errorf(httpCoreToGrpc(resp.LastHTTPError), str)
+ return status.Errorf(httpCoreToGrpc(resp.LastHTTPError), "%s", str)
 }
 return it.Err
 }
diff --git a/http-gateway/Dockerfile b/http-gateway/Dockerfile
index 4bf1bf706..a4b919135 100644
--- a/http-gateway/Dockerfile
+++ b/http-gateway/Dockerfile
@@ -5,7 +5,7 @@ ARG COMMIT_DATE
 ARG SHORT_COMMIT
 ARG DATE
 ARG RELEASE_URL
-RUN apk add --no-cache curl git build-base
+RUN apk add --no-cache build-base curl git
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub
 COPY go.mod go.sum ./
 RUN go mod download
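Review bot: `status.Errorf(httpCoreToGrpc(resp.LastHTTPError), "%s", str)` in maintenance.go satisfies the vet printf check but formats a message that needs no formatting; `status.Error` takes the message directly and is the idiomatic form: `return status.Error(httpCoreToGrpc(resp.LastHTTPError), str)`. The enclosing updateMaintenanceResource starts outside the hunk.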
@@ -18,13 +18,18 @@ RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/gola
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub/http-gateway
 RUN go build \
 -mod=vendor \
- -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-linkmode external -extldflags -static \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o /go/bin/http-gateway \
 ./cmd/service
 FROM alpine:3.20 AS security-provider
-RUN apk add -U --no-cache ca-certificates
-RUN addgroup -S nonroot \
+RUN apk add -U --no-cache ca-certificates \
+ && addgroup -S nonroot \
 && adduser -S nonroot -G nonroot
 FROM scratch AS service
diff --git a/http-gateway/Dockerfile.www b/http-gateway/Dockerfile.www
index 73fcf43c2..d3baf09bb 100644
--- a/http-gateway/Dockerfile.www
+++ b/http-gateway/Dockerfile.www
@@ -3,9 +3,6 @@ FROM node:18 AS build-web
 COPY http-gateway/web /web
 WORKDIR /web
-#TODO:hotfix, remove after shared-ui is updated
-RUN npx update-browserslist-db@latest
-
 RUN npm config set fetch-retries 3 && \
 npm config set fetch-retry-mintimeout 600000 && \
 npm config set fetch-retry-maxtimeout 1200000 && \
diff --git a/m2m-oauth-server/store/mongodb/tokens_test.go b/m2m-oauth-server/store/mongodb/tokens_test.go
index 965fda553..4d98bcf1c 100644
--- a/m2m-oauth-server/store/mongodb/tokens_test.go
+++ b/m2m-oauth-server/store/mongodb/tokens_test.go
@@ -236,7 +236,7 @@ func TestDeleteTokens(t *testing.T) {
 require.NoError(t, err)
 require.NotNil(t, storedToken)
 require.True(t, storedToken[token.GetId()].GetBlacklisted().GetFlag())
- require.Greater(t, storedToken[token.GetId()].GetBlacklisted().GetTimestamp(), int64(0))
+ require.Positive(t, storedToken[token.GetId()].GetBlacklisted().GetTimestamp())
 }
 }
diff --git a/pkg/net/grpc/authFromOutgoingMD.go b/pkg/net/grpc/authFromOutgoingMD.go
index 1234f41b9..afe52dc75 100644
--- a/pkg/net/grpc/authFromOutgoingMD.go
+++ b/pkg/net/grpc/authFromOutgoingMD.go
@@ -14,19 +14,23 @@ const (
 headerAuthorize = "authorization"
 )
+func errUnauthenticated(scheme string) error {
+ return status.Errorf(codes.Unauthenticated, "Request unauthenticated with %s", scheme)
+}
+
 // TokenFromOutgoingMD extracts token stored by CtxWithToken.
 func TokenFromOutgoingMD(ctx context.Context) (string, error) {
 expectedScheme := "bearer"
 val := metautils.ExtractOutgoing(ctx).Get(headerAuthorize)
 if val == "" {
- return "", status.Errorf(codes.Unauthenticated, "Request unauthenticated with "+expectedScheme)
+ return "", errUnauthenticated(expectedScheme)
 }
 splits := strings.SplitN(val, " ", 2)
 if len(splits) < 2 {
 return "", status.Errorf(codes.Unauthenticated, "Bad authorization string")
 }
 if !strings.EqualFold(splits[0], strings.ToLower(expectedScheme)) {
- return "", status.Errorf(codes.Unauthenticated, "Request unauthenticated with "+expectedScheme)
+ return "", errUnauthenticated(expectedScheme)
 }
 return splits[1], nil
 }
diff --git a/pkg/security/certManager/general/certManager_test.go b/pkg/security/certManager/general/certManager_test.go
index 3101e880b..995985636 100644
--- a/pkg/security/certManager/general/certManager_test.go
+++ b/pkg/security/certManager/general/certManager_test.go
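Review bot: The new `errUnauthenticated` helper removes the two non-constant format strings in TokenFromOutgoingMD, but the remaining `status.Errorf(codes.Unauthenticated, "Bad authorization string")` in the same function formats a constant with no verbs and reads more directly as `status.Error(codes.Unauthenticated, "Bad authorization string")`. The helper would also benefit from a doc comment, e.g. `// errUnauthenticated returns the Unauthenticated status used when the authorization header is missing or does not carry the expected scheme.` On the unchanged line just above the second call, `strings.ToLower(expectedScheme)` is redundant because `strings.EqualFold` already compares case-insensitively, so `strings.EqualFold(splits[0], expectedScheme)` is enough.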
@@ -178,18 +178,18 @@ func TestCertManagerWithExpiredCA(t *testing.T) {
 defer mng.Close()
 pool := mng.GetCertificateAuthorities()
 require.NotNil(t, pool)
- require.Len(t, pool.Subjects(), 1) //nolint:staticcheck
+ require.Len(t, pool.Subjects(), 1)
 time.Sleep(time.Second * 2)
 pool = mng.GetCertificateAuthorities()
 require.NotNil(t, pool)
- require.Empty(t, pool.Subjects()) //nolint:staticcheck
+ require.Empty(t, pool.Subjects())
 caPem, _ = getCA(t, time.Now(), time.Second*100)
 err = os.WriteFile(caFile.Name(), caPem, os.FileMode(os.O_RDWR))
 require.NoError(t, err)
 time.Sleep(time.Second * 1)
 pool = mng.GetCertificateAuthorities()
 require.NotNil(t, pool)
- require.Len(t, pool.Subjects(), 1) //nolint:staticcheck
+ require.Len(t, pool.Subjects(), 1)
 }
 // Check when cert expires
diff --git a/resource-aggregate/cqrs/eventstore/cqldb/load.go b/resource-aggregate/cqrs/eventstore/cqldb/load.go
index b7d1574a5..e9e2bb33d 100644
--- a/resource-aggregate/cqrs/eventstore/cqldb/load.go
+++ b/resource-aggregate/cqrs/eventstore/cqldb/load.go
@@ -136,11 +136,7 @@ func (s *EventStore) LoadFromVersion(ctx context.Context, queries []eventstore.V
 return s.LoadFromSnapshot(ctx, q, eh)
 }
-func snapshotQueriesToFilter(deviceID string, queries []eventstore.SnapshotQuery, timestamp int64) string {
- var filter strings.Builder
- if deviceID != "" {
- filter.WriteString(deviceIDKey + "=" + deviceID)
- }
+func addAggregateIDsToFilter(filter *strings.Builder, queries []eventstore.SnapshotQuery) {
 aggrs := make([]string, 0, len(queries))
 for _, q := range queries {
 if q.AggregateID != "" && q.AggregateID != uuid.Nil.String() {
@@ -161,8 +157,11 @@ func snapshotQueriesToFilter(deviceID string, queries []eventstore.SnapshotQuery
 }
 filter.WriteString(")")
 }
+}
+
+func addTimestampToFilter(filter *strings.Builder, timestamp int64) {
 if timestamp > 0 {
- if filter.Len() != 0 {
+ if filter.Len() > 0 {
 filter.WriteString(" and ")
 }
 filter.WriteString(timestampKey)
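Review bot: The three `//nolint:staticcheck` directives are removed while the `pool.Subjects()` calls they covered stay; `x509.CertPool.Subjects` is deprecated, so if SA1019 is still enabled for test files these three lines will now be reported — presumably the directives were dropped because the linter flagged them as unused, which is worth confirming against the CI output before merging. An unchanged context line in the same hunk, `err = os.WriteFile(caFile.Name(), caPem, os.FileMode(os.O_RDWR))`, passes an open flag where a permission mode is expected; it has no effect here because the file already exists, but `os.WriteFile(caFile.Name(), caPem, 0o600)` says what is meant.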
@@ -170,6 +169,15 @@ func snapshotQueriesToFilter(deviceID string, queries []eventstore.SnapshotQuery
 filter.WriteString(strconv.FormatInt(timestamp, 10))
 filter.WriteString(" ALLOW FILTERING")
 }
+}
+
+func snapshotQueriesToFilter(deviceID string, queries []eventstore.SnapshotQuery, timestamp int64) string {
+ var filter strings.Builder
+ if deviceID != "" {
+ filter.WriteString(deviceIDKey + "=" + deviceID)
+ }
+ addAggregateIDsToFilter(&filter, queries)
+ addTimestampToFilter(&filter, timestamp)
 return filter.String()
 }
diff --git a/resource-aggregate/events/deviceMetadataSnapshotTaken.go b/resource-aggregate/events/deviceMetadataSnapshotTaken.go
index 54c8a2c69..88aac4b7e 100644
--- a/resource-aggregate/events/deviceMetadataSnapshotTaken.go
+++ b/resource-aggregate/events/deviceMetadataSnapshotTaken.go
@@ -129,9 +129,6 @@ func (d *DeviceMetadataSnapshotTaken) HandleDeviceMetadataUpdatePending(_ contex
 }
 func (d *DeviceMetadataSnapshotTaken) handleByEvent(ctx context.Context, eu eventstore.EventUnmarshaler) error {
- if eu.EventType() == "" {
- return status.Errorf(codes.Internal, "cannot determine type of event")
- }
 switch eu.EventType() {
 case (&DeviceMetadataSnapshotTaken{}).EventType():
 var s DeviceMetadataSnapshotTaken
@@ -161,6 +158,9 @@ func (d *DeviceMetadataSnapshotTaken) Handle(ctx context.Context, iter eventstor
 if !ok {
 break
 }
+ if eu.EventType() == "" {
+ return status.Errorf(codes.Internal, "cannot determine type of event")
+ }
 if err := d.handleByEvent(ctx, eu); err != nil {
 return err
 }
diff --git a/resource-aggregate/events/resourceLinksSnapshotTaken.go b/resource-aggregate/events/resourceLinksSnapshotTaken.go
index 654b1bdec..1a247f811 100644
--- a/resource-aggregate/events/resourceLinksSnapshotTaken.go
+++ b/resource-aggregate/events/resourceLinksSnapshotTaken.go
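Review bot: `snapshotQueriesToFilter` still builds the CQL filter by plain concatenation, `filter.WriteString(deviceIDKey + "=" + deviceID)` here and the aggregate IDs joined in addAggregateIDsToFilter, so whatever text a caller passes as deviceID lands verbatim in the query; the aggregate IDs are compared against `uuid.Nil.String()`, which suggests UUIDs are expected, but deviceID gets no shape check at all in this function. If the values are not validated before they reach this point, parsing them with `uuid.Parse` and writing the canonical form would make the filter safe regardless of caller, or bind them as query parameters if the driver in use supports that. The split into helpers is also a good place for a doc comment on the entry point, e.g. `// snapshotQueriesToFilter builds the CQL WHERE clause for the snapshot lookup; callers must pass UUID-shaped IDs.` This hunk shows only the entry point; addAggregateIDsToFilter's body is in the two hunks above.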
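Review bot: Moving the empty-type guard out of `handleByEvent` into `Handle` changes the helper's contract: an empty `eu.EventType()` now falls through the `switch` and, unless there is a `default` arm (the arms are outside the hunk, so this is inferred), handleByEvent returns nil silently, which matters if it has any caller other than Handle. If Handle is the only caller, a one-line comment on the helper makes the assumption explicit: `// handleByEvent expects the caller to have rejected an empty event type already.` The same move is made in the two resourceStateSnapshotTaken.go hunks at the end of this patch. Both Handle and handleByEvent start outside their hunks.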
@@ -170,6 +170,30 @@ func (e *ResourceLinksSnapshotTaken) HandleEventResourceLinksSnapshotTaken(s *Re
 e.CopyData(s)
 }
+func (e *ResourceLinksSnapshotTaken) handleByEvent(eu eventstore.EventUnmarshaler) error {
+ switch eu.EventType() {
+ case (&ResourceLinksSnapshotTaken{}).EventType():
+ var s ResourceLinksSnapshotTaken
+ if err := eu.Unmarshal(&s); err != nil {
+ return status.Errorf(codes.Internal, "%v", err)
+ }
+ e.HandleEventResourceLinksSnapshotTaken(&s)
+ case (&ResourceLinksPublished{}).EventType():
+ var s ResourceLinksPublished
+ if err := eu.Unmarshal(&s); err != nil {
+ return status.Errorf(codes.Internal, "%v", err)
+ }
+ e.HandleEventResourceLinksPublished(&s)
+ case (&ResourceLinksUnpublished{}).EventType():
+ var s ResourceLinksUnpublished
+ if err := eu.Unmarshal(&s); err != nil {
+ return status.Errorf(codes.Internal, "%v", err)
+ }
+ e.HandleEventResourceLinksUnpublished(nil, &s)
+ }
+ return nil
+}
+
 func (e *ResourceLinksSnapshotTaken) Handle(ctx context.Context, iter eventstore.Iter) error {
 for {
 eu, ok := iter.Next(ctx)
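Review bot: The new `handleByEvent` on ResourceLinksSnapshotTaken has no `default` arm, so an event of an unrecognised type is accepted and the method returns nil; this mirrors the switch it replaces in Handle, but the behaviour is now hidden inside a helper and deserves to be stated, either with a comment or with a `default:` that reports the type. A doc comment would cover it, e.g. `// handleByEvent unmarshals eu into the matching ResourceLinks event and applies it to the snapshot; event types it does not know are ignored.` The `HandleEventResourceLinksUnpublished(nil, &s)` call passes nil as the first argument, and the comment should also say what that parameter is and why nil is valid here, since its definition is outside the hunk.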
@@ -179,25 +203,8 @@ func (e *ResourceLinksSnapshotTaken) Handle(ctx context.Context, iter eventstore
 if eu.EventType() == "" {
 return status.Errorf(codes.Internal, "cannot determine type of event")
 }
- switch eu.EventType() {
- case (&ResourceLinksSnapshotTaken{}).EventType():
- var s ResourceLinksSnapshotTaken
- if err := eu.Unmarshal(&s); err != nil {
- return status.Errorf(codes.Internal, "%v", err)
- }
- e.HandleEventResourceLinksSnapshotTaken(&s)
- case (&ResourceLinksPublished{}).EventType():
- var s ResourceLinksPublished
- if err := eu.Unmarshal(&s); err != nil {
- return status.Errorf(codes.Internal, "%v", err)
- }
- e.HandleEventResourceLinksPublished(&s)
- case (&ResourceLinksUnpublished{}).EventType():
- var s ResourceLinksUnpublished
- if err := eu.Unmarshal(&s); err != nil {
- return status.Errorf(codes.Internal, "%v", err)
- }
- e.HandleEventResourceLinksUnpublished(nil, &s)
+ if err := e.handleByEvent(eu); err != nil {
+ return err
 }
 }
 return iter.Err()
diff --git a/resource-aggregate/events/resourceStateSnapshotTaken.go b/resource-aggregate/events/resourceStateSnapshotTaken.go
index 8697e4ba2..f1d99c2aa 100644
--- a/resource-aggregate/events/resourceStateSnapshotTaken.go
+++ b/resource-aggregate/events/resourceStateSnapshotTaken.go
@@ -112,38 +112,35 @@ func (e *ResourceStateSnapshotTaken) processValidUntil(v resourceValidUntilValid
 return true
 }
 
-func (e *ResourceStateSnapshotTaken) checkForDuplicityCorrelationID(correlationID string, now time.Time) error {
- for _, event := range e.GetResourceCreatePendings() {
- if event.IsExpired(now) {
+type pendingEvent interface {
+ GetAuditContext() *commands.AuditContext
+ IsExpired(now time.Time) bool
+}
+
+func checkForDuplicityCorrelationID[T pendingEvent](pes []T, correlationID string, now time.Time) bool {
+ for _, pe := range pes {
+ if pe.IsExpired(now) {
 continue
 }
- if event.GetAuditContext().GetCorrelationId() == correlationID {
- return status.Errorf(codes.InvalidArgument, "duplicit correlationId('%v') at resource create pendings", correlationID)
+ if pe.GetAuditContext().GetCorrelationId() == correlationID {
+ return false
 }
 }
- for _, event := range e.GetResourceUpdatePendings() {
- if event.IsExpired(now) {
- continue
- }
- if event.GetAuditContext().GetCorrelationId() == correlationID {
- return status.Errorf(codes.InvalidArgument, "duplicit correlationId('%v') at resource update pendings", correlationID)
- }
+ return true
+}
+
+func (e *ResourceStateSnapshotTaken) checkForDuplicityCorrelationID(correlationID string, now time.Time) error {
+ if ok := checkForDuplicityCorrelationID(e.GetResourceCreatePendings(), correlationID, now); !ok {
+ return status.Errorf(codes.InvalidArgument, "duplicit correlationId('%v') at resource create pendings", correlationID)
 }
- for _, event := range e.GetResourceRetrievePendings() {
- if event.IsExpired(now) {
- continue
- }
- if event.GetAuditContext().GetCorrelationId() == correlationID {
- return status.Errorf(codes.InvalidArgument, "duplicit correlationId('%v') at resource retrieve pendings", correlationID)
- }
+ if ok := checkForDuplicityCorrelationID(e.GetResourceUpdatePendings(), correlationID, now); !ok {
+ return status.Errorf(codes.InvalidArgument, "duplicit correlationId('%v') at resource 
update pendings", correlationID)
 }
- for _, event := range e.GetResourceDeletePendings() {
- if event.IsExpired(now) {
- continue
- }
- if event.GetAuditContext().GetCorrelationId() == correlationID {
- return status.Errorf(codes.InvalidArgument, "duplicit correlationId('%v') at resource delete pendings", correlationID)
- }
+ if ok := checkForDuplicityCorrelationID(e.GetResourceRetrievePendings(), correlationID, now); !ok {
+ return status.Errorf(codes.InvalidArgument, "duplicit correlationId('%v') at resource retrieve pendings", correlationID)
+ }
+ if ok := checkForDuplicityCorrelationID(e.GetResourceDeletePendings(), correlationID, now); !ok {
+ return status.Errorf(codes.InvalidArgument, "duplicit correlationId('%v') at resource delete pendings", correlationID)
 }
 return nil
 }
@@ -339,9 +336,6 @@ func (e *ResourceStateSnapshotTaken) handleEventResourceStateSnapshotTaken(snaps
 
 //nolint:gocyclo
 func (e *ResourceStateSnapshotTaken) handleByEvent(eu eventstore.EventUnmarshaler) error {
- if eu.EventType() == "" {
- return status.Errorf(codes.Internal, "cannot determine type of event")
- }
 switch eu.EventType() {
 case (&ResourceStateSnapshotTaken{}).EventType():
 var s ResourceStateSnapshotTaken
@@ -413,6 +407,9 @@ func (e *ResourceStateSnapshotTaken) Handle(ctx context.Context, iter eventstore
 if !ok {
 break
 }
+ if eu.EventType() == "" {
+ return status.Errorf(codes.Internal, "cannot determine type of event")
+ }
 if err := e.handleByEvent(eu); err != nil {
 return err
 }
diff --git a/test/cloud-server/Dockerfile b/test/cloud-server/Dockerfile
index a4542f439..7f85c61d6 100644
--- a/test/cloud-server/Dockerfile
+++ b/test/cloud-server/Dockerfile
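Review bot: The new generic checkForDuplicityCorrelationID returns true when no duplicate exists, which is the opposite of what its name suggests and is why every call site has to write `if ok := ...; !ok`. Renaming it to state the positive case, `func hasDuplicateCorrelationID[T pendingEvent](pes []T, correlationID string, now time.Time) bool` returning true on a match, lets the method read `if hasDuplicateCorrelationID(e.GetResourceCreatePendings(), correlationID, now) {` and also removes the confusing name clash with the method of the same name on *ResourceStateSnapshotTaken. Both new declarations lack doc comments; something like `// pendingEvent is the part of a pending command needed to test whether a non-expired pending already uses a correlationID.` plus a one-liner on the function saying that expired pendings are deliberately ignored would make the duplicate-detection contract explicit. The `GetAuditContext().GetCorrelationId()` chain relies on the generated getters being nil-safe when the audit context is unset — presumably true for protobuf getters, but worth confirming since a nil there would now panic inside a generic helper rather than in the method.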
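Review bot: handleByEvent on *ResourceStateSnapshotTaken no longer rejects an empty EventType itself; the guard now lives only in Handle (the `@@ -413,6 +407,9 @@` hunk). If handleByEvent has any other caller in this file, that caller now passes an event with an empty type straight into the switch, which — as with the ResourceLinks variant — falls through without an error. A doc comment stating the precondition, `// handleByEvent applies a single event to the snapshot. The caller must reject an empty eu.EventType() first.`, would record the contract the commit now relies on. The switch body continues outside the hunk, so whether it has a default arm is not visible here.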
@@ -12,28 +12,56 @@ RUN go mod download COPY . . WORKDIR /usr/local/go RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/shrink_tls_conn.patch" ) -ARG root_directory=$GOPATH/src/github.com/plgd-dev/hub +ARG root_directory=$GOPATH/src/github.com/plgd-dev/hub #cert-tool ARG tool=cert-tool WORKDIR $root_directory/tools/$tool -RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" -o /go/bin/cert-tool +RUN go build \ + -ldflags "-linkmode external -extldflags -static \ + -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \ + -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \ + -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \ + -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \ + -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \ + -o /go/bin/cert-tool #coap-gateway #the "device_integration" tag should ensure that only integration tests with a device simulator are compiled ARG service=coap-gateway WORKDIR $root_directory/$service/service -RUN go test -p 1 -c -tags=device_integration -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" -o /go/bin/coap-gateway.test +RUN go test -p 1 -c -tags=device_integration \ + -ldflags "-linkmode external -extldflags -static \ + -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \ + -X 
github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \ + -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \ + -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \ + -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \ + -o /go/bin/coap-gateway.test #grpc-gateway ARG service=grpc-gateway WORKDIR $root_directory/$service/service -RUN go test -p 1 -c -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" -o /go/bin/grpc-gateway.test +RUN go test -p 1 -c \ + -ldflags "-linkmode external -extldflags -static \ + -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \ + -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \ + -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \ + -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \ + -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \ + -o /go/bin/grpc-gateway.test #test/iotivity-lite ARG service=test-iotivity-lite WORKDIR $root_directory/test/iotivity-lite/service -RUN go test -p 1 -c -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" -o /go/bin/test-iotivity-lite.test +RUN go test -p 1 -c \ + -ldflags "-linkmode external -extldflags -static \ + -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \ + -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \ + -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \ + -X 
github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -o /go/bin/test-iotivity-lite.test
 #nats
 WORKDIR $root_directory
diff --git a/test/security/jwk.go b/test/security/jwk.go
index f373d487b..7f0b4013b 100644
--- a/test/security/jwk.go
+++ b/test/security/jwk.go
@@ -4,7 +4,6 @@ import (
 "crypto/rand"
 "crypto/rsa"
 "encoding/json"
- "io"
 "net/http"
 "net/http/httptest"
 "testing"
@@ -71,7 +70,7 @@ func NewTestJwks(t *testing.T) JWKServer {
 mux := http.NewServeMux()
 mux.HandleFunc(jwksUri, func(w http.ResponseWriter, _ *http.Request) {
- if _, err := io.WriteString(w, string(jwks)); err != nil {
+ if _, err := w.Write(jwks); err != nil {
 log.Debugf("failed to write jwks: %v", err)
 }
 })
diff --git a/tools/cert-tool/Dockerfile b/tools/cert-tool/Dockerfile
index 87c5e7bb5..00fd43cc6 100644
--- a/tools/cert-tool/Dockerfile
+++ b/tools/cert-tool/Dockerfile
@@ -6,7 +6,7 @@ ARG COMMIT_DATE
 ARG SHORT_COMMIT
 ARG DATE
 ARG RELEASE_URL
-RUN apk add --no-cache curl git build-base
+RUN apk add --no-cache build-base curl git
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub
 COPY go.mod go.sum ./
 RUN go mod download
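Review bot: The JWKS handler writes the document without setting a content type — `w.Write(jwks)` is the closure's first statement — so net/http sniffs it, and JWKS clients that insist on `application/json` may reject the test server's response. Add `w.Header().Set("Content-Type", "application/json")` immediately before the `w.Write(jwks)` call. Replacing io.WriteString with w.Write is the right change in itself; it drops a string copy of the key set on every request. NewTestJwks continues outside the hunk, so where jwks is built and whether it is already JSON-encoded is not visible here.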
@@ -15,7 +15,11 @@ WORKDIR /usr/local/go
 RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/shrink_tls_conn.patch" )
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub/tools/cert-tool
 RUN CGO_ENABLED=0 go build \
- -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o /go/bin/cert-tool \
 ./
diff --git a/tools/docker/Dockerfile.in b/tools/docker/Dockerfile.in
index ee9973cf2..7fa9fc172 100644
--- a/tools/docker/Dockerfile.in
+++ b/tools/docker/Dockerfile.in
@@ -5,7 +5,7 @@ ARG COMMIT_DATE
 ARG SHORT_COMMIT
 ARG DATE
 ARG RELEASE_URL
-RUN apk add --no-cache curl git build-base
+RUN apk add --no-cache build-base curl git
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub
 COPY go.mod go.sum ./
 RUN go mod download
@@ -18,13 +18,17 @@ RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/gola
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub/@DIRECTORY@
 RUN CGO_ENABLED=0 go build \
 -mod=vendor \
- -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o /go/bin/@NAME@ \
 ./cmd/service
 FROM alpine:3.20 AS security-provider
-RUN apk add -U --no-cache ca-certificates
-RUN addgroup -S nonroot \
+RUN apk add -U --no-cache ca-certificates \
+ && addgroup -S nonroot \
 && adduser -S nonroot -G nonroot
 FROM scratch AS service
diff --git a/tools/grpc-reflection/Dockerfile b/tools/grpc-reflection/Dockerfile
index e044884ac..2608cf1ac 100644
--- a/tools/grpc-reflection/Dockerfile
+++ b/tools/grpc-reflection/Dockerfile
@@ -6,7 +6,7 @@ ARG COMMIT_DATE
 ARG SHORT_COMMIT
 ARG DATE
 ARG RELEASE_URL
-RUN apk add --no-cache curl git build-base
+RUN apk add --no-cache build-base curl git
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub
 COPY go.mod go.sum ./
 RUN go mod download
@@ -15,7 +15,11 @@ WORKDIR /usr/local/go
 RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/shrink_tls_conn.patch" )
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub/tools/grpc-reflection
 RUN CGO_ENABLED=0 go build \
- -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o /go/bin/grpc-reflection \
 ./cmd/service
diff --git a/tools/mongodb/admin-tool/Dockerfile b/tools/mongodb/admin-tool/Dockerfile
index 4cafd9a5b..fb4dff65d 100644
--- a/tools/mongodb/admin-tool/Dockerfile
+++ b/tools/mongodb/admin-tool/Dockerfile
@@ -6,7 +6,7 @@ ARG COMMIT_DATE
 ARG SHORT_COMMIT
 ARG DATE
 ARG RELEASE_URL
-RUN apk add --no-cache curl git build-base
+RUN apk add --no-cache build-base curl git
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub
 COPY go.mod go.sum ./
 RUN go mod download
@@ -15,14 +15,18 @@ WORKDIR /usr/local/go
 RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/shrink_tls_conn.patch" )
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub/tools/mongodb/admin-tool
 RUN CGO_ENABLED=0 go build \
- -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o /go/bin/mongodb-admin-tool \
 ./
 FROM alpine:3.20 AS security-provider
-RUN addgroup -S nonroot \
+RUN apk add -U --no-cache ca-certificates \
+ && addgroup -S nonroot \
 && adduser -S nonroot -G nonroot
-RUN apk add -U --no-cache ca-certificates
 FROM alpine:3.20 AS service
 RUN apk add -U --no-cache bash
diff --git a/tools/mongodb/standby-tool/Dockerfile b/tools/mongodb/standby-tool/Dockerfile
index 0e59190e1..da3825d2b 100644
--- a/tools/mongodb/standby-tool/Dockerfile
+++ b/tools/mongodb/standby-tool/Dockerfile
@@ -6,7 +6,7 @@ ARG COMMIT_DATE
 ARG SHORT_COMMIT
 ARG DATE
 ARG RELEASE_URL
-RUN apk add --no-cache curl git build-base
+RUN apk add --no-cache build-base curl git
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub
 COPY go.mod go.sum ./
 RUN go mod download
@@ -15,14 +15,18 @@ WORKDIR /usr/local/go
 RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/shrink_tls_conn.patch" )
 WORKDIR $GOPATH/src/github.com/plgd-dev/hub/tools/mongodb/standby-tool
 RUN CGO_ENABLED=0 go build \
- -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+ -ldflags "-X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT \
+ -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE \
+ -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION \
+ -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
 -o /go/bin/mongodb-standby-tool \
 ./
 FROM alpine:3.20 AS security-provider
-RUN addgroup -S nonroot \
+RUN apk add -U --no-cache ca-certificates \
+ && addgroup -S nonroot \
 && adduser -S nonroot -G nonroot
-RUN apk add -U --no-cache ca-certificates
 FROM scratch AS service
 COPY --from=security-provider /etc/passwd /etc/passwd
From e360303d93594db3acfe48cf3f03854ab339c416 Mon Sep 17 00:00:00 2001
From: Daniel Adam
Date: Wed, 14 Aug 2024 16:08:03 +0200
Subject: [PATCH 2/2] fixup! Fix issues reported by static analysis
---
 Dockerfile.test | 2 +-
 bundle/Dockerfile | 6 +++---
 test/cloud-server/Dockerfile | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Dockerfile.test b/Dockerfile.test
index d0947e6b0..a4b52cc52 100644
--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -3,7 +3,7 @@ RUN apt-get update \
 && DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends \
 build-essential ca-certificates curl git make patch sudo \
 && apt-get clean \
- && curl -sSL https://get.docker.com/ | sh
+ && curl --proto "=https" -sSL https://get.docker.com/ | sh
 WORKDIR /
 # apt: ca-certificates git make sudo
 RUN git clone https://github.com/udhos/update-golang.git \
diff --git a/bundle/Dockerfile b/bundle/Dockerfile
index bf30e71a3..3de136768 100644
--- a/bundle/Dockerfile
+++ b/bundle/Dockerfile
@@ -225,9 +225,9 @@ FROM ubuntu:22.04 AS service
 # openssl -> openssl utility in run.sh
 # yq utility in run.sh
 RUN apt update \
- && apt-get install -y --no-install-recommends ca-certificates coreutils curl gnupg iproute2 netcat nginx openssl sudo wget \
- && wget https://github.com/mikefarah/yq/releases/download/v4.44.2/yq_linux_$(dpkg --print-architecture) -O /usr/bin/yq && chmod +x /usr/bin/yq \
- && wget -qO - https://pgp.mongodb.com/server-6.0.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.0.gpg \
+ && apt-get install -y --no-install-recommends ca-certificates coreutils curl gnupg iproute2 netcat nginx openssl sudo \
+ && curl -L --proto "=https" https://github.com/mikefarah/yq/releases/download/v4.44.2/yq_linux_$(dpkg --print-architecture) -o /usr/bin/yq && chmod +x /usr/bin/yq \
+ && curl -L --proto "=https" https://pgp.mongodb.com/server-6.0.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.0.gpg \
 && echo "deb [ arch=$(dpkg --print-architecture) ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-6.0.list \
 && apt update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends mongodb-org mongodb-org-server \
diff --git a/test/cloud-server/Dockerfile b/test/cloud-server/Dockerfile
index 7f85c61d6..df4807928 100644
--- a/test/cloud-server/Dockerfile
+++ b/test/cloud-server/Dockerfile
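Review bot: `--proto "=https"` pins the transport, but `curl -sSL ... | sh` still executes whatever body get.docker.com returns: without `-f` an HTTP error page is piped into sh, and there is no integrity check on the installer script at all. Downloading to a file and verifying a pinned digest before running it closes both gaps: `&& curl --proto "=https" --tlsv1.2 -fsSL https://get.docker.com/ -o /tmp/get-docker.sh \` followed by `&& echo "<PINNED_SHA256_OF_REVIEWED_SCRIPT>  /tmp/get-docker.sh" | sha256sum -c - && sh /tmp/get-docker.sh` (placeholder digest, recorded from a copy someone has read). The missing `-f` applies equally to the three curl invocations in the bundle/Dockerfile hunk below and to the key fetch in the test/cloud-server/Dockerfile hunk. This RUN is part of the test image only, which limits the blast radius but not the supply-chain exposure of whatever that image is used to build and sign.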
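Review bot: The yq binary lands in /usr/bin/yq and the MongoDB signing key in /etc/apt/trusted.gpg.d without any integrity check, and because `-f` is absent a non-2xx response (a GitHub 404 page, say) would be saved as the binary and the build would carry on after `chmod +x`. Pinning v4.44.2 fixes which file is requested, not what is received: verify a pinned (per-architecture, since the URL depends on `dpkg --print-architecture`) digest before installing, check the key's fingerprint before dearmoring, and pass `--proto-redir "=https"` alongside `-L` so the https-only restriction is explicit for the redirect hops GitHub releases use. The same unverified key fetch appears in the test/cloud-server/Dockerfile hunk at the end of this patch. A key in trusted.gpg.d is trusted for every apt source; scoping it with `signed-by=` on the mongodb sources.list line (unchanged context here) limits the damage if that key were ever swapped. The values in angle brackets below are placeholders to be filled from a reviewed download, not real digests.
```dockerfile
    && apt-get install -y --no-install-recommends ca-certificates coreutils curl gnupg iproute2 netcat nginx openssl sudo \
    && curl -fL --proto "=https" --proto-redir "=https" https://github.com/mikefarah/yq/releases/download/v4.44.2/yq_linux_$(dpkg --print-architecture) -o /usr/bin/yq \
    && echo "<PINNED_YQ_SHA256_FOR_THIS_ARCH>  /usr/bin/yq" | sha256sum -c - \
    && chmod +x /usr/bin/yq \
    && curl -fL --proto "=https" --proto-redir "=https" https://pgp.mongodb.com/server-6.0.asc -o /tmp/mongodb-6.0.asc \
    && gpg --show-keys --with-fingerprint /tmp/mongodb-6.0.asc | grep -qF "<PINNED_MONGODB_6_0_KEY_FINGERPRINT>" \
    && gpg --dearmor -o /usr/share/keyrings/mongodb-6.0.gpg /tmp/mongodb-6.0.asc \
    && echo "deb [ arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mongodb-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-6.0.list \
    # … unchanged: apt update and mongodb-org install …
```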
@@ -89,9 +89,9 @@ FROM ubuntu:22.04 AS service
 # nginx -> nginx server in run.sh
 # openssl -> openssl utility in run.sh
 RUN apt update \
- && apt-get install -y --no-install-recommends ca-certificates gnupg iproute2 netcat nginx openssl wget \
+ && apt-get install -y --no-install-recommends ca-certificates curl gnupg iproute2 netcat nginx openssl \
 && apt-get clean
-RUN wget -qO - https://pgp.mongodb.com/server-6.0.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.0.gpg
+RUN curl -L --proto "=https" https://pgp.mongodb.com/server-6.0.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.0.gpg
 RUN echo "deb [ arch=$(dpkg --print-architecture) ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-6.0.list
 RUN apt update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends mongodb-org mongodb-org-server \