Security audit check (treeverse#2776)

takikadiri · Dec 12, 2021 · 923a649 · 923a649
1 parent 9685485
commit 923a649
Show file tree

Hide file tree

Showing 19 changed files with 611 additions and 6 deletions.
diff --git a/api/swagger.yml b/api/swagger.yml
@@ -721,6 +721,10 @@ components:
       properties:
         version:
           type: string
+        upgrade_recommended:
+          type: boolean
+        upgrade_url:
+          type: string
 
     ActionRun:
       type: object

diff --git a/clients/java/api/openapi.yaml b/clients/java/api/openapi.yaml
diff --git a/clients/java/docs/VersionConfig.md b/clients/java/docs/VersionConfig.md
diff --git a/clients/java/src/main/java/io/lakefs/clients/api/model/VersionConfig.java b/clients/java/src/main/java/io/lakefs/clients/api/model/VersionConfig.java
diff --git a/clients/java/src/test/java/io/lakefs/clients/api/model/VersionConfigTest.java b/clients/java/src/test/java/io/lakefs/clients/api/model/VersionConfigTest.java
diff --git a/clients/python/docs/VersionConfig.md b/clients/python/docs/VersionConfig.md
diff --git a/clients/python/lakefs_client/model/version_config.py b/clients/python/lakefs_client/model/version_config.py
diff --git a/cmd/lakefs/cmd/run.go b/cmd/lakefs/cmd/run.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math/rand"
 	"net"
 	"net/http"
 	"net/url"
@@ -164,6 +165,15 @@ var runCmd = &cobra.Command{
 		c.SetHooksHandler(actionsService)
 		defer actionsService.Stop()
 
+		auditChecker := version.NewDefaultAuditChecker(cfg.GetSecurityAuditCheckURL())
+		defer auditChecker.Close()
+		if version.Version != version.UnreleasedVersion {
+			const maxSecondsToJitter = 12 * 60 * 60                                // 12h in seconds
+			jitter := time.Duration(rand.Int63n(maxSecondsToJitter)) * time.Second //nolint:gosec
+			interval := cfg.GetSecurityAuditCheckInterval() + jitter
+			auditChecker.StartPeriodicCheck(ctx, interval, logger)
+		}
+
 		allowForeign, err := cmd.Flags().GetBool(mismatchedReposFlagName)
 		if err != nil {
 			fmt.Printf("%s: %s\n", mismatchedReposFlagName, err)
@@ -192,6 +202,7 @@ var runCmd = &cobra.Command{
 			bufferedCollector,
 			cloudMetadataProvider,
 			actionsService,
+			auditChecker,
 			logger.WithField("service", "api_gateway"),
 			cfg.GetS3GatewayDomainNames(),
 		)
@@ -405,7 +416,7 @@ func init() {
 	runCmd.Flags().BoolP(mismatchedReposFlagName, "m", false, "Allow repositories from other object store types")
 	if err := runCmd.Flags().MarkHidden(mismatchedReposFlagName); err != nil {
 		// (internal error)
-		fmt.Fprint(os.Stderr, err)
+		_, _ = fmt.Fprint(os.Stderr, err)
 		os.Exit(internalErrorCode)
 	}
 }
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
@@ -103,6 +103,7 @@ This reference uses `.` to denote the nesting of values.
 * `gateways.s3.region` `(string : "us-east-1")` - AWS region we're pretending to be. Should match the region configuration used in AWS SDK clients
 * `gateways.s3.fallback_url` `(string)` - If specified, requests with a non-existing repository will be forwarded to this url. This can be useful for using lakeFS side-by-side with S3, with the URL pointing at an [S3Proxy](https://github.com/gaul/s3proxy) instance.
 * `stats.enabled` `(boolean : true)` - Whether or not to periodically collect anonymous usage statistics
+* `security.audit_check_interval` `(duration : 12h)` - Duration in which we check for security audit
 {: .ref-list }
 
 ## Using Environment Variables

diff --git a/pkg/api/audit.go b/pkg/api/audit.go
@@ -0,0 +1,7 @@
+package api
+
+import "github.com/treeverse/lakefs/pkg/version"
+
+type AuditChecker interface {
+	LastCheck() (*version.AuditResponse, error)
+}
diff --git a/pkg/api/controller.go b/pkg/api/controller.go
@@ -73,6 +73,7 @@ type Controller struct {
 	Collector             stats.Collector
 	CloudMetadataProvider cloud.MetadataProvider
 	Actions               actionsHandler
+	AuditChecker          AuditChecker
 	Logger                logging.Logger
 }
 
@@ -2936,7 +2937,25 @@ func (c *Controller) GetLakeFSVersion(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusUnauthorized, ErrAuthenticatingRequest)
 		return
 	}
-	writeResponse(w, http.StatusOK, VersionConfig{Version: swag.String(version.Version)})
+	// set upgrade recommended based on last security audit check
+	var (
+		upgradeRecommended *bool
+		upgradeURL         *string
+	)
+	lastCheck, _ := c.AuditChecker.LastCheck()
+	if lastCheck != nil {
+		recommendedURL := lastCheck.UpgradeRecommendedURL()
+		if recommendedURL != "" {
+			upgradeRecommended = swag.Bool(true)
+			upgradeURL = swag.String(recommendedURL)
+		}
+	}
+
+	writeResponse(w, http.StatusOK, VersionConfig{
+		UpgradeRecommended: upgradeRecommended,
+		UpgradeUrl:         upgradeURL,
+		Version:            swag.String(version.Version),
+	})
 }
 
 func IsStatusCodeOK(statusCode int) bool {
@@ -3078,6 +3097,7 @@ func NewController(
 	collector stats.Collector,
 	cloudMetadataProvider cloud.MetadataProvider,
 	actions actionsHandler,
+	auditChecker AuditChecker,
 	logger logging.Logger,
 ) *Controller {
 	return &Controller{
@@ -3091,6 +3111,7 @@ func NewController(
 		Collector:             collector,
 		CloudMetadataProvider: cloudMetadataProvider,
 		Actions:               actions,
+		AuditChecker:          auditChecker,
 		Logger:                logger,
 	}
 }

diff --git a/pkg/api/serve.go b/pkg/api/serve.go
@@ -48,6 +48,7 @@ func Serve(
 	collector stats.Collector,
 	cloudMetadataProvider cloud.MetadataProvider,
 	actions actionsHandler,
+	auditChecker AuditChecker,
 	logger logging.Logger,
 	gatewayDomains []string,
 ) http.Handler {
@@ -80,6 +81,7 @@ func Serve(
 		collector,
 		cloudMetadataProvider,
 		actions,
+		auditChecker,
 		logger,
 	)
 	HandlerFromMuxWithBaseURL(controller, apiRouter, BaseURL)

diff --git a/pkg/api/serve_test.go b/pkg/api/serve_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/treeverse/lakefs/pkg/logging"
 	"github.com/treeverse/lakefs/pkg/stats"
 	"github.com/treeverse/lakefs/pkg/testutil"
+	"github.com/treeverse/lakefs/pkg/version"
 )
 
 const (
@@ -110,6 +111,8 @@ func setupHandler(t testing.TB, blockstoreType string, opts ...testutil.GetDBOpt
 		_ = c.Close()
 	})
 
+	auditChecker := version.NewDefaultAuditChecker(cfg.GetSecurityAuditCheckURL())
+
 	handler := api.Serve(
 		cfg,
 		c,
@@ -121,6 +124,7 @@ func setupHandler(t testing.TB, blockstoreType string, opts ...testutil.GetDBOpt
 		collector,
 		nil,
 		actionsService,
+		auditChecker,
 		logging.Default(),
 		nil,
 	)

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -147,6 +147,12 @@ const (
 	StatsEnabledKey       = "stats.enabled"
 	StatsAddressKey       = "stats.address"
 	StatsFlushIntervalKey = "stats.flush_interval"
+
+	SecurityAuditCheckIntervalKey     = "security.audit_check_interval"
+	DefaultSecurityAuditCheckInterval = 12 * time.Hour
+
+	SecurityAuditCheckURLKey     = "security.audit_check_url"
+	DefaultSecurityAuditCheckURL = "https://audit.lakefs.io/audit"
 )
 
 func setDefaults() {
@@ -192,6 +198,9 @@ func setDefaults() {
 
 	viper.SetDefault(BlockstoreAzureTryTimeoutKey, DefaultAzureTryTimeout)
 	viper.SetDefault(BlockstoreAzureAuthMethod, DefaultAzureAuthMethod)
+
+	viper.SetDefault(SecurityAuditCheckIntervalKey, DefaultSecurityAuditCheckInterval)
+	viper.SetDefault(SecurityAuditCheckURLKey, DefaultSecurityAuditCheckURL)
 }
 
 func reverse(s string) string {
@@ -429,3 +438,11 @@ func (c *Config) ToLoggerFields() logging.Fields {
 func (c *Config) GetLoggingTraceRequestHeaders() bool {
 	return c.values.Logging.TraceRequestHeaders
 }
+
+func (c *Config) GetSecurityAuditCheckInterval() time.Duration {
+	return c.values.Security.AuditCheckInterval
+}
+
+func (c *Config) GetSecurityAuditCheckURL() string {
+	return c.values.Security.AuditCheckURL
+}
diff --git a/pkg/config/template.go b/pkg/config/template.go
@@ -157,4 +157,8 @@ type configuration struct {
 	Installation struct {
 		FixedID string `mapstructure:"fixed_id"`
 	}
+	Security struct {
+		AuditCheckInterval time.Duration `mapstructure:"audit_check_interval"`
+		AuditCheckURL      string        `mapstructure:"audit_check_url"`
+	} `mapstructure:"security"`
 }