Merge branch 'master' into search-services

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/gorilla/mux v1.8.1
 	github.com/jawher/mow.cli v1.2.0
 	github.com/stretchr/testify v1.10.0
+	github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4
 	golang.org/x/crypto v0.31.0
 	golang.org/x/net v0.33.0
 	golang.org/x/oauth2 v0.24.0
@@ -32,7 +33,6 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	k8s.io/apimachinery v0.32.0
 	k8s.io/client-go v0.32.0
 	k8s.io/utils v0.0.0-20241210054802-24370beab758

go.sum

@@ -160,6 +160,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
+github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -306,8 +308,6 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-inet.af/peercred v0.0.0-20210906144145-0893ea02156a h1:qdkS8Q5/i10xU2ArJMKYhVa1DORzBfYS/qA2UK2jheg=
-inet.af/peercred v0.0.0-20210906144145-0893ea02156a/go.mod h1:FjawnflS/udxX+SvpsMgZfdqx2aykOlkISeAsADi5IU=
 k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg=
 k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
 k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8=

libs/go/sia/Makefile

@@ -13,7 +13,7 @@ ifneq ($(patsubst %$(SIA_DIR),,$(lastword $(ATHENZ_DIR))),)
 endif
 
 SUBDIRS = access/config access/tokens agent aws/agent aws/attestation aws/doc aws/lambda aws/meta \
-	aws/options aws/sds aws/stssession file futil gcp/attestation gcp/meta gcp/functions \
+	aws/options aws/stssession file futil gcp/attestation gcp/meta gcp/functions \
 	host/hostdoc host/ip host/provider host/signature host/utils logutil options pki/cert \
 	sds ssh/hostcert ssh/hostkey util verify
 OS = darwin linux windows

libs/go/sia/access/tokens/tokens.go

@@ -31,7 +31,7 @@ import (
 
 	"github.com/AthenZ/athenz/clients/go/zts"
 	"github.com/AthenZ/athenz/libs/go/sia/access/config"
-	"github.com/AthenZ/athenz/libs/go/sia/aws/options"
+	sc "github.com/AthenZ/athenz/libs/go/sia/config"
 	siafile "github.com/AthenZ/athenz/libs/go/sia/file"
 	"github.com/AthenZ/athenz/libs/go/sia/futil"
 	tlsconfig "github.com/AthenZ/athenz/libs/go/tls/config"
@@ -239,7 +239,7 @@ func makeTokenRequest(domain string, roles []string, expiryTime int, proxyPrinci
 	return params.Encode()
 }
 
-func NewTokenOptions(options *options.Options, ztsUrl string, userAgent string) (*config.TokenOptions, error) {
+func NewTokenOptions(options *sc.Options, ztsUrl string, userAgent string) (*config.TokenOptions, error) {
 	if options.AccessTokens == nil {
 		return nil, fmt.Errorf("not configured to fetch access tokens")
 	}
@@ -272,7 +272,7 @@ func NewTokenOptions(options *options.Options, ztsUrl string, userAgent string)
 	return tokenOpts, nil
 }
 
-func toTokenServices(services []options.Service) []config.TokenService {
+func toTokenServices(services []sc.Service) []config.TokenService {
 	var tokenServices []config.TokenService
 
 	for _, svc := range services {

libs/go/sia/agent/agent.go

@@ -23,6 +23,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"log"
+	"math"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -34,6 +35,7 @@ import (
 	"github.com/AthenZ/athenz/libs/go/athenzutils"
 	"github.com/AthenZ/athenz/libs/go/sia/access/config"
 	"github.com/AthenZ/athenz/libs/go/sia/access/tokens"
+	sc "github.com/AthenZ/athenz/libs/go/sia/config"
 	"github.com/AthenZ/athenz/libs/go/sia/options"
 	"github.com/AthenZ/athenz/libs/go/sia/sds"
 	"github.com/AthenZ/athenz/libs/go/sia/ssh/hostkey"
@@ -85,7 +87,7 @@ func RoleKey(rotateKey bool, roleKey, svcKey string) (*rsa.PrivateKey, error) {
 	}
 }
 
-func GetRoleCertificates(ztsUrl string, opts *options.Options) (int, []string) {
+func GetRoleCertificates(ztsUrl string, opts *sc.Options) (int, []string) {
 
 	//initialize our return state to success
 	failures := make([]string, 0)
@@ -170,7 +172,7 @@ func GetRoleCertificates(ztsUrl string, opts *options.Options) (int, []string) {
 	return len(opts.Roles), failures
 }
 
-func RegisterInstance(ztsUrl string, opts *options.Options, docExpiryCheck bool) error {
+func RegisterInstance(ztsUrl string, opts *sc.Options, docExpiryCheck bool) error {
 
 	//special handling for VM instances ( EC2 / GCE )
 	//before we process our register event we need to check to
@@ -190,7 +192,7 @@ func RegisterInstance(ztsUrl string, opts *options.Options, docExpiryCheck bool)
 	return nil
 }
 
-func RefreshInstance(ztsUrl string, opts *options.Options) error {
+func RefreshInstance(ztsUrl string, opts *sc.Options) error {
 	for _, svc := range opts.Services {
 		err := refreshSvc(svc, ztsUrl, opts)
 		if err != nil {
@@ -200,7 +202,7 @@ func RefreshInstance(ztsUrl string, opts *options.Options) error {
 	return nil
 }
 
-func getServiceHostname(opts *options.Options, svc options.Service, fqdn bool) string {
+func getServiceHostname(opts *sc.Options, svc sc.Service, fqdn bool) string {
 	if !opts.SanDnsHostname {
 		return ""
 	}
@@ -234,7 +236,7 @@ func getServiceHostname(opts *options.Options, svc options.Service, fqdn bool) s
 	return fmt.Sprintf("%s.%s.%s.%s", hostname, svc.Name, hyphenDomain, opts.HostnameSuffix)
 }
 
-func registerSvc(svc options.Service, ztsUrl string, opts *options.Options) error {
+func registerSvc(svc sc.Service, ztsUrl string, opts *sc.Options) error {
 
 	key, err := util.GenerateKeyPair(2048)
 	if err != nil {
@@ -298,7 +300,7 @@ func registerSvc(svc options.Service, ztsUrl string, opts *options.Options) erro
 		Hostname:          zts.DomainName(hostname),
 		Namespace:         zts.SimpleName(opts.SpiffeNamespace),
 	}
-	if svc.ExpiryTime > 0 {
+	if svc.ExpiryTime > 0 && svc.ExpiryTime <= math.MaxInt32 {
 		expiryTime := int32(svc.ExpiryTime)
 		info.ExpiryTime = &expiryTime
 	}
@@ -348,7 +350,7 @@ func registerSvc(svc options.Service, ztsUrl string, opts *options.Options) erro
 	return nil
 }
 
-func refreshSvc(svc options.Service, ztsUrl string, opts *options.Options) error {
+func refreshSvc(svc sc.Service, ztsUrl string, opts *sc.Options) error {
 
 	keyFile := util.GetSvcKeyFileName(opts.KeyDir, svc.KeyFilename, opts.Domain, svc.Name)
 	certFile := util.GetSvcCertFileName(opts.CertDir, svc.CertFilename, opts.Domain, svc.Name)
@@ -416,7 +418,7 @@ func refreshSvc(svc options.Service, ztsUrl string, opts *options.Options) error
 		Hostname:          zts.DomainName(hostname),
 		Namespace:         zts.SimpleName(opts.SpiffeNamespace),
 	}
-	if svc.ExpiryTime > 0 {
+	if svc.ExpiryTime > 0 && svc.ExpiryTime <= math.MaxInt32 {
 		expiryTime := int32(svc.ExpiryTime)
 		info.ExpiryTime = &expiryTime
 	}
@@ -465,7 +467,7 @@ func refreshSvc(svc options.Service, ztsUrl string, opts *options.Options) error
 	return nil
 }
 
-func generateSshRequest(opts *options.Options, primaryServiceName, hostname string) (*zts.SSHCertRequest, string, error) {
+func generateSshRequest(opts *sc.Options, primaryServiceName, hostname string) (*zts.SSHCertRequest, string, error) {
 	var err error
 	var sshCsr string
 	var sshCertRequest *zts.SSHCertRequest
@@ -559,7 +561,7 @@ func hostCertificateLinePresent(sshConfigFile, sshCertFile string) (bool, error)
 	return false, nil
 }
 
-func SetupAgent(opts *options.Options, siaAgentDir, siaLinkDir string) {
+func SetupAgent(opts *sc.Options, siaAgentDir, siaLinkDir string) {
 
 	//first, let's determine if we need to drop our privileges
 	//since it requires us to create the directories with the
@@ -616,15 +618,15 @@ func SetupAgent(opts *options.Options, siaAgentDir, siaLinkDir string) {
 	}
 }
 
-func RunAgent(siaCmds, ztsUrl string, opts *options.Options) {
+func RunAgent(siaCmds, ztsUrl string, opts *sc.Options) {
 	log.Printf("sia command line arguments specified: '%s'\n", siaCmds)
 	cmds := strings.Split(siaCmds, ",")
 	for _, cmd := range cmds {
 		runAgentCommand(cmd, ztsUrl, opts)
 	}
 }
 
-func runAgentCommand(siaCmd, ztsUrl string, opts *options.Options) {
+func runAgentCommand(siaCmd, ztsUrl string, opts *sc.Options) {
 
 	//make sure the meta endpoint is configured by the caller
 	if opts.MetaEndPoint == "" {
@@ -887,9 +889,9 @@ func accessTokenRequest(tokenOpts *config.TokenOptions) error {
 	return err
 }
 
-func tokenOptions(opts *options.Options, ztsUrl string) (*config.TokenOptions, error) {
+func tokenOptions(opts *sc.Options, ztsUrl string) (*config.TokenOptions, error) {
 	userAgent := fmt.Sprintf("%s-%s", opts.Provider, opts.InstanceId)
-	tokenOpts, err := tokens.NewTokenOptions(options.LegacyOptions(opts), ztsUrl, userAgent)
+	tokenOpts, err := tokens.NewTokenOptions(opts, ztsUrl, userAgent)
 	if err != nil {
 		return nil, fmt.Errorf("processing access tokens: %s", err.Error())
 	}
@@ -922,7 +924,7 @@ func fetchAccessToken(tokenOpts *config.TokenOptions) error {
 	}
 }
 
-func shouldSkipRegister(opts *options.Options) bool {
+func shouldSkipRegister(opts *sc.Options) bool {
 	if opts.EC2StartTime == nil {
 		return false
 	}
@@ -931,13 +933,13 @@ func shouldSkipRegister(opts *options.Options) bool {
 	return duration.Seconds() > 1800
 }
 
-func serviceAlreadyRegistered(opts *options.Options, svc options.Service) bool {
+func serviceAlreadyRegistered(opts *sc.Options, svc sc.Service) bool {
 	keyFile := util.GetSvcKeyFileName(opts.KeyDir, svc.KeyFilename, opts.Domain, svc.Name)
 	certFile := util.GetSvcCertFileName(opts.CertDir, svc.CertFilename, opts.Domain, svc.Name)
 	return util.FileExists(keyFile) && util.FileExists(certFile)
 }
 
-func shouldExitRightAway(failedRefreshCount int, opts *options.Options) bool {
+func shouldExitRightAway(failedRefreshCount int, opts *sc.Options) bool {
 	// if the failed count already matches or exceeds our configured
 	// value then we return right away
 	if failedRefreshCount >= opts.FailCountForExit {

libs/go/sia/agent/agent_test.go

@@ -32,12 +32,11 @@ import (
 
 	"github.com/AthenZ/athenz/libs/go/sia/access/config"
 	"github.com/AthenZ/athenz/libs/go/sia/agent/devel/ztsmock"
+	sc "github.com/AthenZ/athenz/libs/go/sia/config"
 	"github.com/AthenZ/athenz/libs/go/sia/host/ip"
 	"github.com/AthenZ/athenz/libs/go/sia/host/signature"
-	"github.com/AthenZ/athenz/libs/go/sia/options"
 	"github.com/AthenZ/athenz/libs/go/sia/ssh/hostkey"
 	"github.com/AthenZ/athenz/libs/go/sia/util"
-
 	"github.com/stretchr/testify/assert"
 )
 
@@ -200,9 +199,9 @@ func TestRegisterInstance(test *testing.T) {
 	tp := TestProvider{
 		Name: "athenz.aws.us-west-2",
 	}
-	opts := &options.Options{
+	opts := &sc.Options{
 		Domain: "athenz",
-		Services: []options.Service{
+		Services: []sc.Service{
 			{
 				Name: "hockey",
 				Uid:  util.ExecIdCommand("-u"),
@@ -248,7 +247,7 @@ func copyFile(src, dst string) error {
 	return os.WriteFile(dst, data, 0644)
 }
 
-func refreshServiceCertSetup(test *testing.T) (*options.Options, string) {
+func refreshServiceCertSetup(test *testing.T) (*sc.Options, string) {
 
 	siaDir := test.TempDir()
 
@@ -275,9 +274,9 @@ func refreshServiceCertSetup(test *testing.T) (*options.Options, string) {
 	tp := TestProvider{
 		Name: "athenz.aws.us-west-2",
 	}
-	opts := &options.Options{
+	opts := &sc.Options{
 		Domain: "athenz",
-		Services: []options.Service{
+		Services: []sc.Service{
 			{
 				Name:     "hockey",
 				Uid:      util.ExecIdCommand("-u"),
@@ -344,17 +343,17 @@ func TestRoleCertificateRequest(test *testing.T) {
 	tp := TestProvider{
 		Name: "athenz.aws.us-west-2",
 	}
-	opts := &options.Options{
+	opts := &sc.Options{
 		Domain: "athenz",
-		Services: []options.Service{
+		Services: []sc.Service{
 			{
 				Name:     "hockey",
 				Uid:      util.ExecIdCommand("-u"),
 				Gid:      util.ExecIdCommand("-g"),
 				FileMode: 0400,
 			},
 		},
-		Roles: []options.Role{
+		Roles: []sc.Role{
 			{
 				Name:             "athenz:role.writers",
 				Service:          "hockey",
@@ -385,7 +384,7 @@ func TestRoleCertificateRequest(test *testing.T) {
 
 func TestShouldSkipRegister(test *testing.T) {
 	startTime := time.Now()
-	opts := &options.Options{
+	opts := &sc.Options{
 		EC2StartTime: &startTime,
 	}
 	//current time is valid
@@ -471,7 +470,7 @@ func TestUpdateSSHConfigFile(test *testing.T) {
 }
 
 func TestNilTokenOptions(test *testing.T) {
-	opts := &options.Options{
+	opts := &sc.Options{
 		Domain: "athenz",
 	}
 	token, err := tokenOptions(opts, "")
@@ -480,7 +479,7 @@ func TestNilTokenOptions(test *testing.T) {
 }
 
 func TestTokenStoreOptions(test *testing.T) {
-	opts := &options.Options{
+	opts := &sc.Options{
 		Domain: "athenz",
 		AccessTokens: []config.AccessToken{
 			{
@@ -530,13 +529,13 @@ func TestGetServiceHostname(test *testing.T) {
 				Name:     "testProvider",
 				Hostname: tt.providerHostname,
 			}
-			opts := options.Options{
+			opts := sc.Options{
 				SanDnsHostname: tt.sanDnsHostname,
 				HostnameSuffix: tt.hostnameSuffix,
 				Domain:         tt.domain,
 				Provider:       provider,
 			}
-			svc := options.Service{
+			svc := sc.Service{
 				Name: tt.service,
 			}
 			hostname := getServiceHostname(&opts, svc, false)
@@ -551,7 +550,7 @@ func TestServiceAlreadyRegistered(test *testing.T) {
 
 	keyDir := test.TempDir()
 	certDir := test.TempDir()
-	opts := options.Options{
+	opts := sc.Options{
 		KeyDir:  keyDir,
 		CertDir: certDir,
 		Domain:  "athenz",
@@ -581,7 +580,7 @@ func TestServiceAlreadyRegistered(test *testing.T) {
 	}
 	for _, tt := range tests {
 		test.Run(tt.name, func(t *testing.T) {
-			svc := options.Service{
+			svc := sc.Service{
 				Name:         "api",
 				KeyFilename:  tt.keyFileName,
 				CertFilename: tt.certFileName,
@@ -599,7 +598,7 @@ func TestGenerateSshRequest(test *testing.T) {
 	tp := TestProvider{
 		Name: "athenz.aws.us-west-2",
 	}
-	opts := options.Options{
+	opts := sc.Options{
 		Ssh:      false,
 		Provider: tp,
 	}
@@ -610,7 +609,7 @@ func TestGenerateSshRequest(test *testing.T) {
 	assert.Nil(test, err)
 	// ssh enabled but not for primary service we should get success with nils and empty csr
 	opts.Ssh = true
-	opts.Services = []options.Service{
+	opts.Services = []sc.Service{
 		{
 			Name: "api",
 		},
@@ -653,7 +652,7 @@ func TestGenerateSshRequest(test *testing.T) {
 
 func TestShouldExitRightAwayCountsOnly(test *testing.T) {
 
-	opts := &options.Options{
+	opts := &sc.Options{
 		FailCountForExit: 2,
 	}