GO-2023-1955: Dapr API token authentication bypass in HTTP endpoints in github.com/dapr/dapr

security

package

v1.7.5 Latest Latest Go to latest Published: Oct 26, 2022 License: Apache-2.0 Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/dapr/dapr

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func CertPool(certPem []byte) (*x509.CertPool, error)
func ExcludedRoute(route string) bool
func GetAPIToken() string
func GetAppToken() string
func GetCertChain() (*credentials.CertChain, error)
type Authenticator
- func GetSidecarAuthenticator(sentryAddress string, certChain *credentials.CertChain) (Authenticator, error)
type SignedCertificate

Constants ¶

View Source

const (
	// APITokenEnvVar is the environment variable for the api token.
	APITokenEnvVar    = "DAPR_API_TOKEN"
	AppAPITokenEnvVar = "APP_API_TOKEN"
	// APITokenHeader is header name for http/gRPC calls to hold the token.
	APITokenHeader = "dapr-api-token"
)

#nosec.

View Source

const (
	TLSServerName = "cluster.local"
)

Variables ¶

This section is empty.

Functions ¶

func CertPool ¶ added in v0.6.0

func CertPool(certPem []byte) (*x509.CertPool, error)

func ExcludedRoute ¶ added in v0.8.0

func ExcludedRoute(route string) bool

ExcludedRoute returns whether a given route should be excluded from a token check.

func GetAPIToken ¶ added in v0.8.0

func GetAPIToken() string

GetAPIToken returns the value of the api token from an environment variable.

func GetAppToken ¶ added in v1.0.0

func GetAppToken() string

GetAppToken returns the value of the app api token from an environment variable.

func GetCertChain ¶ added in v0.6.0

func GetCertChain() (*credentials.CertChain, error)

Types ¶

type Authenticator ¶

type Authenticator interface {
	GetTrustAnchors() *x509.CertPool
	GetCurrentSignedCert() *SignedCertificate
	CreateSignedWorkloadCert(id, namespace, trustDomain string) (*SignedCertificate, error)
}

func GetSidecarAuthenticator ¶

func GetSidecarAuthenticator(sentryAddress string, certChain *credentials.CertChain) (Authenticator, error)

GetSidecarAuthenticator returns a new authenticator with the extracted trust anchors.

type SignedCertificate ¶

type SignedCertificate struct {
	WorkloadCert  []byte
	PrivateKeyPem []byte
	Expiry        time.Time
	TrustChain    *x509.CertPool
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL