Merge branch 'main' into feat/explore-paranoia

rond-authz · Mar 14, 2024 · be3fb95 · be3fb95
2 parents 3fb3780 + f8563c3
commit be3fb95
Show file tree

Hide file tree

Showing 38 changed files with 919 additions and 905 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -28,12 +28,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -46,4 +46,4 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,7 +10,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true
           prerelease: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-rc.') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,14 +8,14 @@ jobs:
     name: Test
     strategy:
       matrix:
-        go_version: ['1.20']
+        go_version: ['1.20', '1.21', '1.22']
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
 
     steps:
       - uses: actions/checkout@v4
       - name: Use golang ${{ matrix.go_version }}
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go_version }}
       - name: Go version
@@ -28,6 +28,17 @@ jobs:
         uses: shogo82148/actions-goveralls@v1
         with:
           path-to-profile: coverage.out
+          flag-name: Go-${{ matrix.go_version }}
+          parallel: true
+
+  post-tests:
+      runs-on: ubuntu-latest
+      needs: tests
+      steps:
+        - name: Close coverage report
+          uses: shogo82148/actions-goveralls@v1
+          with:
+            parallel-finished: true
 
   test-latest:
     name: Test latest
@@ -39,19 +50,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Use golang ${{ matrix.go_version }}
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
+          go-version: 'stable'
           check-latest: true
       - name: Go version
         run: go version
       - name: Go get dependencies
         run: go get -v -t -d ./...
       - name: Run tests
         run: make coverage
-      - name: Send the coverage output
-        uses: shogo82148/actions-goveralls@v1
-        with:
-          path-to-profile: coverage.out
 
   bench:
     name: Benchmark
@@ -62,13 +70,13 @@ jobs:
         os: [ubuntu-latest]
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go_version }}
       - name: Run benchmark
         run: make bench | tee output.txt
       - name: Download previous benchmark data
-        uses: actions/cache/restore@v3
+        uses: actions/cache/restore@v4
         with:
           path: ./cache
           key: ${{ runner.os }}-benchmark
@@ -93,7 +101,7 @@ jobs:
         continue-on-error: true
       - name: Update benchmark data
         if: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
-        uses: actions/cache/save@v3
+        uses: actions/cache/save@v4
         with:
           path: ./cache
           key: ${{ runner.os }}-benchmark
@@ -115,6 +123,7 @@ jobs:
           images: |
             ghcr.io/rond-authz/rond
             docker.io/rondauthz/rond
+            nexus.mia-platform.eu/rond-authz/rond
           tags: |
             type=ref,event=branch
             type=semver,pattern={{version}}
@@ -143,8 +152,15 @@ jobs:
           username: ${{ secrets.BOT_DOCKER_USERNAME }}
           password: ${{ secrets.BOT_DOCKER_TOKEN }}
 
+      - name: Docker Login to Mia-Platform Registry
+        uses: docker/login-action@v3
+        with:
+          registry: nexus.mia-platform.eu
+          username: ${{ secrets.MIA_PLATFORM_DOCKER_REGISTRY_USERNAME }}
+          password: ${{ secrets.MIA_PLATFORM_DOCKER_REGISTRY_PASSWORD }}
+
       - name: Prepare build cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}

diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,5 @@
 rond
 coverage.out
 output.txt
+test-data
+*.bin
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 ############################
 # STEP 1 build executable binary
 ############################
-FROM golang:1.21.1 AS builder
+FROM golang:1.22.1 AS builder
 
 WORKDIR /app
 
@@ -33,7 +33,7 @@ LABEL maintainer="rond@rond-authz.io" \
 
 LABEL org.opencontainers.image.description "Rönd is a lightweight container that distributes security policy enforcement throughout your application."
 
-ENV SERVICE_VERSION="1.10.1"
+ENV SERVICE_VERSION="1.12.3"
 
 # Import the user and group files from the builder.
 COPY --from=builder /etc/passwd /etc/passwd

diff --git a/Makefile b/Makefile
@@ -16,12 +16,12 @@ mongo-start:
 
 .PHONY: test
 test: clean mongo-start
-	go test ./... -cover
+	go test ./... -cover -race
 	$(MAKE) clean
 
 .PHONY: coverage
 coverage: clean mongo-start
-	go test ./... -coverprofile coverage.out
+	go test ./... -coverprofile coverage.out -count=1 -race=1
 	$(MAKE) clean
 
 .PHONY: bench

diff --git a/core/opaevaluator.go b/core/opaevaluator.go
@@ -45,9 +45,10 @@ type QueryOptions struct {
 }
 
 type RequestFlow struct {
-	PolicyName    string       `json:"policyName"`
-	GenerateQuery bool         `json:"generateQuery"`
-	QueryOptions  QueryOptions `json:"queryOptions"`
+	PolicyName      string       `json:"policyName"`
+	GenerateQuery   bool         `json:"generateQuery"`
+	QueryOptions    QueryOptions `json:"queryOptions"`
+	PreventBodyLoad bool         `json:"preventBodyLoad"`
 }
 
 type ResponseFlow struct {

diff --git a/custom_builtins/mongoclient.go b/custom_builtins/mongoclient.go
@@ -20,8 +20,8 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/rond-authz/rond/internal/mongoclient"
 	"github.com/rond-authz/rond/logging"
+	"github.com/rond-authz/rond/types"
 
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/mongo"
@@ -30,7 +30,6 @@ import (
 type IMongoClient interface {
 	FindOne(ctx context.Context, collectionName string, query map[string]interface{}) (interface{}, error)
 	FindMany(ctx context.Context, collectionName string, query map[string]interface{}) ([]interface{}, error)
-	Disconnect() error
 }
 
 type mongoClientCustomBuiltinContextKey struct{}
@@ -53,20 +52,11 @@ func GetMongoClientFromContext(ctx context.Context) (IMongoClient, error) {
 }
 
 type MongoClient struct {
-	client *mongoclient.MongoClient
+	client types.MongoClient
 }
 
-func NewMongoClient(logger logging.Logger, mongodbURL string) (IMongoClient, error) {
-	mongoClient, err := mongoclient.NewMongoClient(logger, mongodbURL)
-	if err != nil {
-		return nil, err
-	}
-	if mongoClient == nil {
-		return nil, nil
-	}
-	return &MongoClient{
-		client: mongoClient,
-	}, nil
+func NewMongoClient(logger logging.Logger, mongoClient types.MongoClient) (IMongoClient, error) {
+	return &MongoClient{client: mongoClient}, nil
 }
 
 func (mongoClient *MongoClient) FindOne(ctx context.Context, collectionName string, query map[string]interface{}) (interface{}, error) {
@@ -143,7 +133,3 @@ func (mongoClient *MongoClient) FindMany(ctx context.Context, collectionName str
 	}
 	return results, nil
 }
-
-func (mongoClient *MongoClient) Disconnect() error {
-	return mongoClient.client.Disconnect()
-}
diff --git a/custom_builtins/mongoclient_test.go b/custom_builtins/mongoclient_test.go
@@ -20,6 +20,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/rond-authz/rond/internal/mongoclient"
 	"github.com/rond-authz/rond/internal/testutils"
 	"github.com/rond-authz/rond/logging"
 
@@ -28,17 +29,15 @@ import (
 )
 
 func TestNewMongoClient(t *testing.T) {
-	t.Run("return nil client if mongodb url not passed", func(t *testing.T) {
-		client, err := NewMongoClient(logging.NewNoOpLogger(), "")
-		require.NoError(t, err)
-		require.Nil(t, client)
-	})
+	log := logging.NewNoOpLogger()
 
-	t.Run("fails if mongo url is wrong", func(t *testing.T) {
-		client, err := NewMongoClient(logging.NewNoOpLogger(), "wrong-url")
-		require.EqualError(t, err, "failed MongoDB connection string validation: error parsing uri: scheme must be \"mongodb\" or \"mongodb+srv\"")
-		require.Nil(t, client)
-	})
+	mongoDBURL, _ := getMongoDBURL(t)
+	mongoClient, err := mongoclient.NewMongoClient(log, mongoDBURL, mongoclient.ConnectionOpts{})
+	require.NoError(t, err)
+
+	client, err := NewMongoClient(logging.NewNoOpLogger(), mongoClient)
+	require.NoError(t, err)
+	require.NotNil(t, client)
 }
 
 func TestGetMongoCollectionFromContext(t *testing.T) {
@@ -66,18 +65,14 @@ func TestGetMongoCollectionFromContext(t *testing.T) {
 }
 
 func TestMongoFindOne(t *testing.T) {
-	mongoHost := os.Getenv("MONGO_HOST_CI")
-	if mongoHost == "" {
-		mongoHost = testutils.LocalhostMongoDB
-		t.Logf("Connection to localhost MongoDB, on CI env this is a problem!")
-	}
-
-	dbName := testutils.GetRandomName(10)
 	log := logging.NewNoOpLogger()
-	mongoClient, err := NewMongoClient(log, fmt.Sprintf("mongodb://%s/%s", mongoHost, dbName))
+	mongoDBURL, dbName := getMongoDBURL(t)
+	client, err := mongoclient.NewMongoClient(log, mongoDBURL, mongoclient.ConnectionOpts{})
+	require.NoError(t, err)
+	defer client.Disconnect()
+
+	mongoClient, err := NewMongoClient(log, client)
 	require.NoError(t, err)
-	defer mongoClient.Disconnect()
-	require.True(t, err == nil, "setup mongo returns error")
 
 	collectionName := "my-collection"
 	populateCollection(t, dbName, collectionName)
@@ -112,18 +107,14 @@ func TestMongoFindOne(t *testing.T) {
 }
 
 func TestMongoFindMany(t *testing.T) {
-	mongoHost := os.Getenv("MONGO_HOST_CI")
-	if mongoHost == "" {
-		mongoHost = testutils.LocalhostMongoDB
-		t.Logf("Connection to localhost MongoDB, on CI env this is a problem!")
-	}
-
-	dbName := testutils.GetRandomName(10)
 	log := logging.NewNoOpLogger()
-	mongoClient, err := NewMongoClient(log, fmt.Sprintf("mongodb://%s/%s", mongoHost, dbName))
+	mongoDBURL, dbName := getMongoDBURL(t)
+	client, err := mongoclient.NewMongoClient(log, mongoDBURL, mongoclient.ConnectionOpts{})
+	require.NoError(t, err)
+	defer client.Disconnect()
+
+	mongoClient, err := NewMongoClient(log, client)
 	require.NoError(t, err)
-	defer mongoClient.Disconnect()
-	require.True(t, err == nil, "setup mongo returns error")
 
 	collectionName := "my-collection"
 	populateCollection(t, dbName, collectionName)
@@ -210,3 +201,16 @@ func populateCollection(t *testing.T, dbName string, collectionName string) {
 		db.Drop(ctx)
 	})
 }
+
+func getMongoDBURL(t *testing.T) (connectionString string, dbName string) {
+	t.Helper()
+	mongoHost := os.Getenv("MONGO_HOST_CI")
+	if mongoHost == "" {
+		mongoHost = testutils.LocalhostMongoDB
+		t.Logf("Connection to localhost MongoDB, on CI env this is a problem!")
+	}
+
+	dbName = testutils.GetRandomName(10)
+	connectionString = fmt.Sprintf("mongodb://%s/%s", mongoHost, dbName)
+	return
+}