Merge pull request #41691 from pjbgf/release/v2.6.13-clean

2.6 Rancher updates
rancher · May 31, 2023 · e91bb05 · e91bb05
2 parents 4e6a3cb + f9046da
commit e91bb05
Show file tree

Hide file tree

Showing 34 changed files with 1,808 additions and 179 deletions.
diff --git a/go.mod b/go.mod
@@ -103,7 +103,7 @@ require (
 	github.com/prometheus/client_model v0.2.0
 	github.com/prometheus/common v0.32.1
 	github.com/rancher/aks-operator v1.0.9
-	github.com/rancher/apiserver v0.0.0-20220610164457-643f1d19e3fc
+	github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5
 	github.com/rancher/channelserver v0.5.1-0.20220405170618-28c9b37deff1
 	github.com/rancher/dynamiclistener v0.3.5
 	github.com/rancher/eks-operator v1.1.5
@@ -113,7 +113,7 @@ require (
 	github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc
 	github.com/rancher/lasso/controller-runtime v0.0.0-20220627205005-00d9c8e9dda6
 	github.com/rancher/machine v0.15.0-rancher96
-	github.com/rancher/norman v0.0.0-20221228020905-1dcd4fa94899
+	github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a
 	github.com/rancher/rancher/pkg/apis v0.0.0
 	github.com/rancher/rancher/pkg/client v0.0.0
 	github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a

diff --git a/go.sum b/go.sum
@@ -1390,8 +1390,8 @@ github.com/quobyte/api v0.1.8/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H
 github.com/rancher/aks-operator v1.0.9 h1:RXBce90HqgYpSlGMiIRMviN4qOvfYcKA8BnBG3X8gzM=
 github.com/rancher/aks-operator v1.0.9/go.mod h1:qK59c7DFxpYn14sXHbbPkNl7zUNyuN0qkFUUHXsQ0jA=
 github.com/rancher/apiserver v0.0.0-20201023000256-1a0a904f9197/go.mod h1:8W0EwaR9dH5NDFw6mpAX437D0q+EZqKWbZyX71+z2WI=
-github.com/rancher/apiserver v0.0.0-20220610164457-643f1d19e3fc h1:HI7akTmd5SBNbupaalwYWbkz7vSUKgpazrnL42oi+aA=
-github.com/rancher/apiserver v0.0.0-20220610164457-643f1d19e3fc/go.mod h1:sG6OmZ4yEWeQ9JmGjnp8WgQAk9D9z4hivMFsUUh9QF8=
+github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5 h1:n+hEi53DqCPD+RnjH/uGuz3ER2sx7DzGQWt/n7q1jYs=
+github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5/go.mod h1:Ff9wwzgKLCg30LjywsK1Tswvn+5ELvQZ6GXmutPA6po=
 github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863 h1:7cVEMgwyiVhLyu/Ywuw58mkkh9cWpFE3+X8IrWncBxU=
 github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863/go.mod h1:6dId2LCc8oHqeBzP6E8ndp4DflhKTxYLb5ZXwI4YmFA=
 github.com/rancher/channelserver v0.5.1-0.20220405170618-28c9b37deff1 h1:NMYQzCtLEEaJZ2xleLzDixN6Y+yO9ShzgsjHDg4zOrk=
@@ -1412,6 +1412,7 @@ github.com/rancher/kubernetes-provider-detector v0.1.5 h1:hWRAsWuJOemzGjz/XrbTlM
 github.com/rancher/kubernetes-provider-detector v0.1.5/go.mod h1:ypuJS7kP7rUiAn330xG46mj+Nhvym05GM8NqMVekpH0=
 github.com/rancher/lasso v0.0.0-20200427171700-e0509f89f319/go.mod h1:6Dw19z1lDIpL887eelVjyqH/mna1hfR61ddCFOG78lw=
 github.com/rancher/lasso v0.0.0-20200820172840-0e4cc0ef5cb0/go.mod h1:OhBBBO1pBwYp0hacWdnvSGOj+XE9yMLOLnaypIlic18=
+github.com/rancher/lasso v0.0.0-20200905045615-7fcb07d6a20b/go.mod h1:OhBBBO1pBwYp0hacWdnvSGOj+XE9yMLOLnaypIlic18=
 github.com/rancher/lasso v0.0.0-20210616224652-fc3ebd901c08/go.mod h1:9qZd/S8DqWzfKtjKGgSoHqGEByYmUE3qRaBaaAHwfEM=
 github.com/rancher/lasso v0.0.0-20220519004610-700f167d8324/go.mod h1:T6WoUopOHBWTGjnphruTJAgoZ+dpm6llvn6GDYaa7Kw=
 github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc h1:29VHrInLV4qSevvcvhBj5UhQWkPShxrxv4AahYg2Scw=
@@ -1422,8 +1423,8 @@ github.com/rancher/machine v0.15.0-rancher96 h1:aDrERdpxpFf2R5CqOlQHCD2JecZC5Mg7
 github.com/rancher/machine v0.15.0-rancher96/go.mod h1:rwF2JgIwaIqHthd9ByUQAZohCROaUP807Zsx1DLKo84=
 github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77 h1:k+vzmkZQsH06rZnDr+phskSixG9ByNj9gVdzHcc8nxw=
 github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77/go.mod h1:wpITyDPTi/Na5h73XkbuEf2AP9fbgrIGqqxVzFhYD6U=
-github.com/rancher/norman v0.0.0-20221228020905-1dcd4fa94899 h1:3y7FhdKEkewpO/BfcDdSX1HCMtMhXpsImz3pG83suEE=
-github.com/rancher/norman v0.0.0-20221228020905-1dcd4fa94899/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
+github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a h1:sAnJ58als7qhLCzsIUjvawoHgojPOazxFi7xMi6r/d4=
+github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
 github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e h1:j6+HqCET/NLPBtew2m5apL7jWw/PStQ7iGwXjgAqdvo=
 github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e/go.mod h1:XbYHTPaXuw8ZY9bylhYKQh/nJxDaTKk3YhAxPl4Qy/k=
 github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a h1:6xqYlVz4uAXBa/AuNAG0bhMusIXVh74dc1bbYOAe+HY=
@@ -1441,6 +1442,7 @@ github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b0
 github.com/rancher/wrangler v0.6.1/go.mod h1:L4HtjPeX8iqLgsxfJgz+JjKMcX2q3qbRXSeTlC/CSd4=
 github.com/rancher/wrangler v0.6.2-0.20200427172034-da9b142ae061/go.mod h1:n5Du/gGD7WoiqnEo0SHnPirDIp1V9Zu+6guc8lXS2dk=
 github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106/go.mod h1:iKqQcYs4YSDjsme52OZtQU4jHPmLlIiM93aj2c8c/W8=
+github.com/rancher/wrangler v0.7.4-security1/go.mod h1:goezjesEKwMxHLfltdjg9DW0xWV7txQee6vOuSDqXAI=
 github.com/rancher/wrangler v0.8.10/go.mod h1:Lte9WjPtGYxYacIWeiS9qawvu2R4NujFU9xuXWJvc/0=
 github.com/rancher/wrangler v0.8.11-0.20220120160420-18c996a8e956/go.mod h1:Lte9WjPtGYxYacIWeiS9qawvu2R4NujFU9xuXWJvc/0=
 github.com/rancher/wrangler v1.0.1-0.20230208234005-a59a11cc3ef5 h1:NrOPBlG0zswdgpAe6Db1rrzNpP2tpJytUiZ25LJHo+k=
@@ -1795,6 +1797,7 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

diff --git a/package/Dockerfile b/package/Dockerfile
@@ -55,7 +55,7 @@ ENV CATTLE_SYSTEM_UPGRADE_CONTROLLER_CHART_VERSION 100.0.3+up0.3.3
 
 # System charts minimal version
 ENV CATTLE_FLEET_MIN_VERSION=100.2.3+up0.5.3
-ENV CATTLE_RANCHER_WEBHOOK_MIN_VERSION=1.0.8+up0.2.9
+ENV CATTLE_RANCHER_WEBHOOK_MIN_VERSION=1.0.9+up0.2.10
 ENV CATTLE_CSP_ADAPTER_MIN_VERSION=1.0.1
 
 RUN mkdir -p /var/lib/rancher-data/local-catalogs/system-library && \
@@ -162,12 +162,12 @@ RUN curl -sLf ${!TINI_URL} > /usr/bin/tini && \
     chmod +x /usr/bin/tini /usr/bin/telemetry && \
     mkdir -p /var/lib/rancher-data/driver-metadata
 
-ENV CATTLE_UI_VERSION 2.6.12
-ENV CATTLE_DASHBOARD_UI_VERSION v2.6.12
+ENV CATTLE_UI_VERSION 2.6.13
+ENV CATTLE_DASHBOARD_UI_VERSION v2.6.13
 ENV CATTLE_CLI_VERSION v2.6.11
 
 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here.
-ENV CATTLE_API_UI_VERSION 1.1.9
+ENV CATTLE_API_UI_VERSION 1.1.10
 
 RUN mkdir -p /var/log/auditlog
 ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log

diff --git a/pkg/apis/go.mod b/pkg/apis/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/rancher/eks-operator v1.1.5
 	github.com/rancher/fleet/pkg/apis v0.0.0-20230116113701-fc276f5505be
 	github.com/rancher/gke-operator v1.1.4
-	github.com/rancher/norman v0.0.0-20221228020905-1dcd4fa94899
+	github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a
 	github.com/rancher/rke v1.3.20
 	github.com/rancher/wrangler v1.0.1-0.20230208234005-a59a11cc3ef5
 	github.com/sirupsen/logrus v1.8.1

diff --git a/pkg/apis/go.sum b/pkg/apis/go.sum
@@ -598,8 +598,8 @@ github.com/rancher/lasso v0.0.0-20210616224652-fc3ebd901c08/go.mod h1:9qZd/S8DqW
 github.com/rancher/lasso v0.0.0-20220519004610-700f167d8324/go.mod h1:T6WoUopOHBWTGjnphruTJAgoZ+dpm6llvn6GDYaa7Kw=
 github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc h1:29VHrInLV4qSevvcvhBj5UhQWkPShxrxv4AahYg2Scw=
 github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc/go.mod h1:dEfC9eFQigj95lv/JQ8K5e7+qQCacWs1aIA6nLxKzT8=
-github.com/rancher/norman v0.0.0-20221228020905-1dcd4fa94899 h1:3y7FhdKEkewpO/BfcDdSX1HCMtMhXpsImz3pG83suEE=
-github.com/rancher/norman v0.0.0-20221228020905-1dcd4fa94899/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
+github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a h1:sAnJ58als7qhLCzsIUjvawoHgojPOazxFi7xMi6r/d4=
+github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk=
 github.com/rancher/rke v1.3.20 h1:t/rgErjPEnmByUPKNuMsz9EF7OjY3SBt5eD8J4pZnDI=
 github.com/rancher/rke v1.3.20/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY=
 github.com/rancher/wrangler v0.6.2-0.20200427172034-da9b142ae061/go.mod h1:n5Du/gGD7WoiqnEo0SHnPirDIp1V9Zu+6guc8lXS2dk=

diff --git a/pkg/auth/audit/audit.go b/pkg/auth/audit/audit.go
@@ -41,24 +41,27 @@ const (
 	LevelRequest
 	// LevelRequestResponse log metadata request body and response header and body.
 	LevelRequestResponse
+
+	generateKubeconfigURI = "action=generateKubeconfig"
 )
 
 var (
 	bodyMethods = map[string]bool{
 		http.MethodPut:  true,
 		http.MethodPost: true,
 	}
-	sensitiveRequestHeader  = []string{"Cookie", "Authorization"}
+	sensitiveRequestHeader  = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token"}
 	sensitiveResponseHeader = []string{"Cookie", "Set-Cookie"}
 	// ErrUnsupportedEncoding is returned when the response encoding is unsupported
 	ErrUnsupportedEncoding = fmt.Errorf("unsupported encoding")
+	secretBaseType         = regexp.MustCompile(".\"baseType\":\"([A-Za-z]*[S|s]ecret)\".")
 )
 
 type auditLog struct {
-	log                *log
-	writer             *LogWriter
-	reqBody            []byte
-	keysToConcealRegex *regexp.Regexp
+	log               *log
+	writer            *LogWriter
+	reqBody           []byte
+	keysToRedactRegex *regexp.Regexp
 }
 
 type log struct {
@@ -115,7 +118,7 @@ func FromContext(ctx context.Context) (*User, bool) {
 	return u, ok
 }
 
-func newAuditLog(writer *LogWriter, req *http.Request, keysToConcealRegex *regexp.Regexp) (*auditLog, error) {
+func newAuditLog(writer *LogWriter, req *http.Request, keysToRedactRegex *regexp.Regexp) (*auditLog, error) {
 	auditLog := &auditLog{
 		writer: writer,
 		log: &log{
@@ -125,7 +128,7 @@ func newAuditLog(writer *LogWriter, req *http.Request, keysToConcealRegex *regex
 			RemoteAddr:       req.RemoteAddr,
 			RequestTimestamp: time.Now().Format(time.RFC3339),
 		},
-		keysToConcealRegex: keysToConcealRegex,
+		keysToRedactRegex: keysToRedactRegex,
 	}
 
 	contentType := req.Header.Get("Content-Type")
@@ -205,7 +208,7 @@ func (a *auditLog) writeRequest(buf *bytes.Buffer) {
 	}
 
 	buf.WriteString(`,"requestBody":`)
-	buf.Write(bytes.TrimSuffix(a.concealSensitiveData(a.log.RequestURI, a.reqBody), []byte("\n")))
+	buf.Write(bytes.TrimSuffix(a.redactSensitiveData(a.log.RequestURI, a.reqBody), []byte("\n")))
 }
 
 // writeResponse attempt to write the API response to the log message.
@@ -232,7 +235,7 @@ func (a *auditLog) writeResponse(buf *bytes.Buffer, resHeaders http.Header, resB
 	}
 
 	buf.WriteString(`,"responseBody":`)
-	buf.Write(bytes.TrimSuffix(a.concealSensitiveData(a.log.RequestURI, resBody), []byte("\n")))
+	buf.Write(bytes.TrimSuffix(a.redactSensitiveData(a.log.RequestURI, resBody), []byte("\n")))
 
 	return nil
 }
@@ -275,60 +278,168 @@ func isExist(array []string, key string) bool {
 	return false
 }
 
-func (a *auditLog) concealSensitiveData(requestURI string, body []byte) []byte {
+func (a *auditLog) redactSensitiveData(requestURI string, body []byte) []byte {
 	var m map[string]interface{}
 	if err := json.Unmarshal(body, &m); err != nil {
-		return body
+		logrus.Debugf("auditLog: Redacting entire body for requestURI [%s]. Cannot marshal body into a map[string]interface{}: %v", requestURI, err)
+		return []byte{}
 	}
 
 	var changed bool
-	// Conceal values of secret data.
-	if strings.Contains(requestURI, "secrets") {
-		dataKey := "data"
-		data, _ := m[dataKey].(map[string]interface{})
-		if data == nil {
-			dataKey = "stringData"
-			data, _ = m[dataKey].(map[string]interface{})
-		}
+	// Redact values of secret data.
+	if strings.Contains(requestURI, "secrets") || secretBaseType.Match(body) {
+		changed = a.redactSecretsData(requestURI, m)
+	}
 
-		for key := range data {
-			data[key] = redacted
-		}
-		if data != nil {
-			changed = true
-			m[dataKey] = data
-		}
+	if strings.Contains(requestURI, generateKubeconfigURI) {
+		// generateKubeconfig cannot rely on regex because it uses config key instead of [kK]ube[cC]onfig
+		changed = redact(m, "config")
 	}
 
-	// Conceal values for data considered sensitive: passwords, tokens, etc.
-	if !a.concealMap(m) && !changed {
+	// Redact values for data considered sensitive: passwords, tokens, etc.
+	if !a.redactMap(m) && !changed {
 		return body
 	}
 
 	newBody, err := json.Marshal(m)
 	if err != nil {
-		return body
+		return []byte{}
 	}
 	return newBody
 }
 
-func (a *auditLog) concealMap(m map[string]interface{}) bool {
+func redact(body map[string]interface{}, key string) bool {
+	if _, ok := body[key]; !ok {
+		return false
+	}
+	body[key] = redacted
+	return true
+}
+
+func (a *auditLog) redactSecretsData(requestURI string, body map[string]interface{}) bool {
+	var changed bool
+
+	isK8sProxyList := strings.HasPrefix(requestURI, "/k8s/") && (body["kind"] != nil && body["kind"] == "SecretList")
+	isRegularList := body["type"] != nil && body["type"] == "collection"
+	if !(isK8sProxyList || isRegularList) {
+		return redactSecret(body)
+	}
+
+	itemsKey := "data"
+	if isK8sProxyList {
+		itemsKey = "items"
+	}
+
+	if _, ok := body[itemsKey]; !ok {
+		logrus.Debugf("auditLog: Skipping data redaction of secret bodies in secrets list: no key [%s] present, no data to redact.", itemsKey)
+		return false
+	}
+
+	secretsList, ok := body[itemsKey].([]interface{})
+	if !ok {
+		body[itemsKey] = redacted
+		logrus.Debugf("auditLog: Redacting entire value for key [%s] in response to request URI [%s], unable to assert body is of type []interface{}", itemsKey, requestURI)
+		return true
+	}
+
+	for index, secret := range secretsList {
+		m, ok := secret.(map[string]interface{})
+		if !ok {
+			secretsList[index] = redacted
+			logrus.Debugf("auditLog: Redacting entire value for index [%d] in list in response to request URI [%s]. Failed to assert secret element as map[string]interface", index, requestURI)
+			continue
+		}
+
+		changed = redactSecret(m) || changed
+		secretsList[index] = m
+	}
+
+	if changed {
+		body[itemsKey] = secretsList
+		return changed
+	}
+
+	return changed
+}
+
+func redactSecret(secret map[string]interface{}) bool {
+	var changed bool
+	if secret["data"] != nil {
+		secret["data"] = redacted
+		changed = true
+	}
+	if secret["stringData"] != nil {
+		secret["stringData"] = redacted
+		changed = true
+	}
+	if changed {
+		return changed
+	}
+
+	for key := range secret {
+		if key == "id" || key == "baseType" || key == "created" {
+			// censorAll is used when the secret is formatted in such a way where its
+			// data fields cannot be distinguished from its other fields. In this case
+			// most of the data is redacted apart from "id", "baseType", "key"
+			continue
+		}
+		secret[key] = redacted
+		changed = true
+	}
+	return changed
+}
+
+func (a *auditLog) redactMap(m map[string]interface{}) bool {
 	var changed bool
 	for key := range m {
-		if _, ok := m[key].(string); ok {
-			if a.keysToConcealRegex.MatchString(key) {
+		switch val := m[key].(type) {
+		case string:
+			if a.keysToRedactRegex.MatchString(key) {
 				changed = true
 				m[key] = redacted
 			}
-		} else if nested, ok := m[key].(map[string]interface{}); ok && a.concealMap(nested) {
-			changed = true
-			m[key] = nested
+		case map[string]interface{}:
+			if a.redactMap(val) {
+				changed = true
+				m[key] = val
+			}
+		case []interface{}:
+			if a.redactSlice(val) {
+				changed = true
+				m[key] = val
+			}
 		}
 	}
 
 	return changed
 }
 
+func (a *auditLog) redactSlice(valSlice []interface{}) bool {
+	var changed bool
+	for i, v := range valSlice {
+		switch val := v.(type) {
+		case map[string]interface{}:
+			if a.redactMap(val) {
+				changed = true
+				valSlice[i] = val
+			}
+		case string:
+			// this attempts to identify slices that represent commands of the format ["--<command>, <value>"], and
+			// redact value is command indicates it is sensitive.
+			if i+1 == len(valSlice) {
+				continue
+			}
+			if !strings.HasPrefix(val, "--") || !a.keysToRedactRegex.MatchString(val) {
+				// not a sensitive option flag
+				continue
+			}
+			valSlice[i+1] = redacted
+			changed = true
+		}
+	}
+	return changed
+}
+
 func decompressGZIP(data []byte) ([]byte, error) {
 	gz, err := gzip.NewReader(bytes.NewReader(data))
 	if err != nil {