# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

rules:
  # Check potentially unauthenticated RPC endpoints. Technically more
  # authorization (authz) oriented than authn, but before Nomad 1.4/1.5 that
  # distinction wasn't as important.
  #
  # How the rule works: the positive pattern below matches the standard
  # `forward(...)` idiom at the top of every RPC handler. Each pattern-not-inside
  # then carves out a known-good shape in which an Authenticate call precedes the
  # forward and some authorization call follows it. A handler that does not fit
  # any of these shapes (and whose method name is not on the exemption list at
  # the bottom) is reported with severity WARNING.
  #
  # Scope note: the shapes only require that Authenticate is *called*; because of
  # the `...` that follows it, whether `authErr` is acted upon is not checked by
  # this rule and must be verified in review.
  - id: "rpc-potentially-unauthenticated"
    patterns:
      # Every RPC endpoint starts by forwarding to the leader/region; this is
      # the anchor that identifies a handler and binds $METHOD to its RPC name.
      - pattern: |
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
      # Pattern used by typical endpoints that take an auth token or workload
      # identity. Some of these endpoints have no context for Authenticate
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate(...)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $A.$B.ResolveACL(...)
          ...
      # Pattern used by endpoints that are used by both ACLs and Clients.
      # These endpoints will always have a ctx passed to Authenticate
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $A.$B.ResolveClientOrACL(...)
          ...
      # Pattern used by ACL endpoints that need to interact with the token directly
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := args.GetIdentity().GetACLToken()
          ...
      # Pattern used by endpoints called exclusively between agents
      # (server -> server or client -> server). Here the authorization step is
      # the TLS certificate level check, which runs before the forward rather
      # than after it.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          ... := validateTLSCertificateLevel(...)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
      # Pattern used by endpoints that support both normal ACLs and workload
      # identity but break authentication and authorization up
      # TODO: currently this is just for Variables and should be removed once
      # https://github.com/hernad/nomad/issues/15875 is complete.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := $T.handleMixedAuthEndpoint(...)
          ...
      # Second pattern used by endpoints that support both normal ACLs and
      # workload identity but break authentication and authorization up
      # TODO: currently this is just for Variables and should be removed once
      # https://github.com/hernad/nomad/issues/15875 is complete.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          ... := svePreApply($A, args, args.Var)
          ...
      # Pattern used by some Node endpoints, where the handler ends by
      # delegating to a deregister helper instead of calling an ACL resolver.
      - pattern-not-inside: |
          authErr := $A.$B.Authenticate($A.ctx, args)
          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
          ...
          return $A.deregister(...)
          ...
      - metavariable-pattern:
          metavariable: $METHOD
          patterns:
            # Endpoints that are expected not to have authentication.
            # This is an explicit exemption list: a method named here is never
            # reported, even if its handler performs no Authenticate call at all.
            # Any addition silences the rule for that endpoint and should be
            # justified in the change that adds it.
            - pattern-not: '"ACL.Bootstrap"'
            - pattern-not: '"ACL.GetClaimPolicies"'
            - pattern-not: '"ACL.ResolveToken"'
            - pattern-not: '"ACL.UpsertOneTimeToken"'
            - pattern-not: '"ACL.ExchangeOneTimeToken"'
            - pattern-not: '"ACL.WhoAmI"'
            - pattern-not: 'structs.ACLListAuthMethodsRPCMethod'
            - pattern-not: 'structs.ACLOIDCAuthURLRPCMethod'
            - pattern-not: 'structs.ACLOIDCCompleteAuthRPCMethod'
            - pattern-not: 'structs.ACLLoginRPCMethod'
            - pattern-not: '"CSIPlugin.Get"'
            - pattern-not: '"CSIPlugin.List"'
            - pattern-not: '"Status.Leader"'
            - pattern-not: '"Status.Peers"'
            - pattern-not: '"Status.Version"'
    message: "RPC method $METHOD appears to be unauthenticated"
    languages:
      - "go"
    severity: "WARNING"
    # Only endpoint files directly under nomad/ are scanned; RPC handlers
    # defined in other files or directories are outside this rule's coverage.
    paths:
      include:
        - "nomad/*_endpoint.go"