From e5bc3e1b5cb937c5a55ed6bab6b1629f99241557 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Tue, 21 Jan 2025 15:03:29 +0100
Subject: [PATCH] chore: removed old api group

The old rancher API group was marked for removal for the next release

Signed-off-by: Bruno Bressi
---
 pkg/agent/http_api_context.go | 6 +++---
 pkg/agent/http_hijack.go | 2 +-
 pkg/agent/http_test.go | 5 +++--
 pkg/kube/namespaces.go | 31 +++++--------------------------
 pkg/prom/matcher.go | 6 +++---
 5 files changed, 15 insertions(+), 35 deletions(-)

diff --git a/pkg/agent/http_api_context.go b/pkg/agent/http_api_context.go
index 8ace16f..a9e8c7a 100644
--- a/pkg/agent/http_api_context.go
+++ b/pkg/agent/http_api_context.go
@@ -66,7 +66,7 @@ func (c *apiContext) responseJSON(data interface{}) (err error) {
 }
 })
- return
+ return err
 }
 func (c *apiContext) responseProto(data proto.Message) (err error) {
@@ -92,7 +92,7 @@ func (c *apiContext) responseProto(data proto.Message) (err error) {
 }
 })
- return
+ return err
 }
 func (c *apiContext) responseMetrics(data *promgo.MetricFamily) (err error) {
@@ -112,7 +112,7 @@ func (c *apiContext) responseMetrics(data *promgo.MetricFamily) (err error) {
 }
 })
- return
+ return err
 }
 func (c *apiContext) proxyWith(request *http.Request) error {
diff --git a/pkg/agent/http_hijack.go b/pkg/agent/http_hijack.go
index 2ab7ca7..09cf109 100644
--- a/pkg/agent/http_hijack.go
+++ b/pkg/agent/http_hijack.go
@@ -330,7 +330,7 @@ func hijackRead(apiCtx *apiContext) error {
 size := len(rawQueries)
 results := make([]*prompb.QueryResult, 0, size)
- for i := 0; i < size; i++ {
+ for range size {
 results = append(results, &prompb.QueryResult{})
 }
diff --git a/pkg/agent/http_test.go b/pkg/agent/http_test.go
index b99a06a..ebc6034 100644
--- a/pkg/agent/http_test.go
+++ b/pkg/agent/http_test.go
@@ -16,6 +16,7 @@ import (
 "time"
 "unsafe"
+ "github.com/juju/errors"
 "github.com/prometheus/prometheus/promql/promqltest"
 "github.com/caas-team/prometheus-auth/pkg/agent/test"
@@ -551,7 +552,7 @@ func (v ScenarioValidator) validateProtoBody(t *testing.T, res *httptest.Respons
 }
 func (v ScenarioValidator) validateJSONBody(t *testing.T, res *httptest.ResponseRecorder) {
- if got, want := string(res.Body.Bytes()), jsonResponseBody(v.Scenario.RespBody); got != want {
+ if got, want := res.Body.String(), jsonResponseBody(v.Scenario.RespBody); got != want {
 t.Errorf("[%s] [%s] token %q scenario %q: got body\n%s\n, want\n%s\n", v.Type, v.Method, v.Token, v.Name, got, want)
 }
 }
@@ -641,7 +642,7 @@ type fakeTokenAuth struct {
 func (f *fakeTokenAuth) Authenticate(token string) (authentication.UserInfo, error) {
 userInfo, ok := f.token2UserInfo[token]
 if !ok {
- return userInfo, fmt.Errorf("user is not authenticated")
+ return userInfo, errors.New("user is not authenticated")
 }
 return userInfo, nil
 }
diff --git a/pkg/kube/namespaces.go b/pkg/kube/namespaces.go
index f2a171a..0126aef 100644
--- a/pkg/kube/namespaces.go
+++ b/pkg/kube/namespaces.go
@@ -131,37 +131,16 @@ func (n *namespaces) validate(token string) (string, error) {
 return "", errors.Annotatef(err, "failed to review token")
 }
+ if !reviewResult.Status.Allowed || reviewResult.Status.Denied {
+ return "", fmt.Errorf("token is not allowed to access namespace %q", claimNamespace)
+ }
+
 if reviewResult.Status.Allowed {
 n.reviewResultTTLCache.Add(token, struct{}{}, 5*time.Minute)
 return claimNamespace, nil
 }
- // DEPRECATED: this is to ensure backward compatibility with old monitoring.cattle.io group
- // it'll be removed in the next release.
- sar = &authorization.SubjectAccessReview{
- Spec: authorization.SubjectAccessReviewSpec{
- ResourceAttributes: &authorization.ResourceAttributes{
- Namespace: claimNamespace,
- Verb: "view",
- Group: "monitoring.cattle.io",
- Resource: "prometheus",
- },
- User: sarUser,
- },
- }
-
- reviewResult, err = n.subjectAccessReviewsClient.Create(context.TODO(), sar, meta.CreateOptions{})
- if err != nil {
- return "", errors.Annotatef(err, "failed to review token")
- }
- // if this also doesn't validate, return the error
- // move after error check after removing the second subject access review
- if !reviewResult.Status.Allowed || reviewResult.Status.Denied {
- return "", fmt.Errorf("token is not allowed to access namespace %q", claimNamespace)
- }
-
- log.Warnf("namespace %q is still using the deprecated monitoring.cattle.io group", claimNamespace)
- n.reviewResultTTLCache.Add(token, struct{}{}, 5*time.Minute)
+ log.Debugf("token is not allowed to access namespace %q, denied: %s", claimNamespace, reviewResult.Status.Reason)
 return claimNamespace, nil
 }
diff --git a/pkg/prom/matcher.go b/pkg/prom/matcher.go
index 5f41cec..2b7add7 100644
--- a/pkg/prom/matcher.go
+++ b/pkg/prom/matcher.go
@@ -1,7 +1,7 @@
 package prom
 import (
- "fmt"
+ "errors"
 promlb "github.com/prometheus/prometheus/model/labels"
 "github.com/prometheus/prometheus/prompb"
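Review bot: In pkg/kube/namespaces.go, the last two new-side lines of validate are unreachable and fail-open in shape: once the added `!reviewResult.Status.Allowed || reviewResult.Status.Denied` guard has returned an error, the `if reviewResult.Status.Allowed` branch always runs, so `log.Debugf(...)` never records a denial and the final `return claimNamespace, nil` only becomes live if someone later loosens the guard, at which point a denied token would be accepted. I would move the `log.Debugf("token is not allowed to access namespace %q, denied: %s", claimNamespace, reviewResult.Status.Reason)` call into the denial branch, drop the `if reviewResult.Status.Allowed {` wrapper, and end the function with the cache `Add` followed by the single `return claimNamespace, nil`. The start of validate, where claimNamespace and the SubjectAccessReview are built, lies outside the hunk.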
@@ -86,7 +86,7 @@ func toLabelMatchers(matchers []*promlb.Matcher) ([]*prompb.LabelMatcher, error)
 case promlb.MatchNotRegexp:
 mType = prompb.LabelMatcher_NRE
 default:
- return nil, fmt.Errorf("invalid matcher type")
+ return nil, errors.New("invalid matcher type")
 }
 pbMatchers = append(pbMatchers, &prompb.LabelMatcher{
 Type: mType,
@@ -111,7 +111,7 @@ func fromLabelMatchers(matchers []*prompb.LabelMatcher) ([]*promlb.Matcher, erro
 case prompb.LabelMatcher_NRE:
 mtype = promlb.MatchNotRegexp
 default:
- return nil, fmt.Errorf("invalid matcher type")
+ return nil, errors.New("invalid matcher type")
 }
 matcher, err := promlb.NewMatcher(mtype, matcher.Name, matcher.Value)
 if err != nil {