
s2a-go's Introduction

Secure Session Agent Client Libraries

The Secure Session Agent is a service that enables a workload to offload select operations from the mTLS handshake and protects a workload's private key material from exfiltration. Specifically, the workload asks the Secure Session Agent for the TLS configuration to use during the handshake, to perform private key operations, and to validate the peer certificate chain. The Secure Session Agent's client libraries enable applications to communicate with the Secure Session Agent during the TLS handshake, and to encrypt traffic to the peer after the TLS handshake is complete.

This repository contains the source code for the Secure Session Agent's Go client libraries, which allow gRPC and HTTP Go applications to use the Secure Session Agent.
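The intro describes the private-key half of the design: the workload never holds its TLS private key, it asks the agent to sign on its behalf. The Go example below is added here to show how that offload plugs into crypto/tls; it is not code from the s2a-go repository. The keyAgent type is a hypothetical in-process stand-in for the real Secure Session Agent (which runs as a separate process reached over a socket), and the certificate, hostname and counter are constructed for the demonstration. The workload side holds only a crypto.Signer whose Sign call is forwarded to the agent, so a TLS 1.2 handshake completes without the key bytes ever existing in the workload's address space.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// keyAgent is a hypothetical stand-in for the Secure Session Agent: it owns the
// private key and exposes only signing over a digest. The real agent is a
// separate process; here it lives in-process so the example runs offline.
type keyAgent struct {
	signOps int64 // number of private-key operations offloaded to the agent
	priv    *ecdsa.PrivateKey
}

func newKeyAgent() (*keyAgent, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &keyAgent{priv: priv}, nil
}

func (a *keyAgent) Public() crypto.PublicKey { return a.priv.Public() }

// signDigest is the only operation the agent offers; the key never leaves it.
func (a *keyAgent) signDigest(digest []byte) ([]byte, error) {
	atomic.AddInt64(&a.signOps, 1)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest)
}

// remoteSigner is what the workload holds instead of a key: a crypto.Signer
// whose Sign delegates to the agent. crypto/tls calls it during the handshake.
type remoteSigner struct {
	pub   crypto.PublicKey
	agent *keyAgent
}

func (s *remoteSigner) Public() crypto.PublicKey { return s.pub }

// Sign ignores opts because the agent only signs P-256 ECDSA digests;
// an RSA-PSS key would have to forward the hash and salt choice as well.
func (s *remoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return s.agent.signDigest(digest)
}

// selfSignedCert has the agent sign a certificate for its own public key, so the
// workload ends up with a tls.Certificate whose PrivateKey is the remote signer.
func selfSignedCert(agent *keyAgent) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "workload.example"}, // constructed
		DNSNames:              []string{"workload.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	signer := &remoteSigner{pub: agent.Public(), agent: agent}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, agent.Public(), signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer}, nil
}

// handshake runs one TLS handshake over an in-memory pipe between a server that
// presents cert and a client that trusts it, and returns how many private-key
// operations the server side offloaded to the agent during the handshake.
func handshake(agent *keyAgent, cert tls.Certificate) (int64, error) {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()

	before := atomic.LoadInt64(&agent.signOps)
	errc := make(chan error, 1)
	go func() {
		// TLS 1.2 is pinned because net.Pipe is unbuffered and a TLS 1.3 server
		// sends session tickets that the client only reads after Handshake.
		srv := tls.Server(srvConn, &tls.Config{
			Certificates: []tls.Certificate{cert},
			MaxVersion:   tls.VersionTLS12,
		})
		errc <- srv.Handshake()
	}()
	cli := tls.Client(cliConn, &tls.Config{RootCAs: pool, ServerName: "workload.example"})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-errc; err != nil {
		return 0, err
	}
	return atomic.LoadInt64(&agent.signOps) - before, nil
}

// run issues the certificate, performs one handshake and reports the total
// number of private-key operations the agent performed on the workload's behalf.
func run() (int64, error) {
	agent, err := newKeyAgent()
	if err != nil {
		return 0, err
	}
	cert, err := selfSignedCert(agent)
	if err != nil {
		return 0, err
	}
	if _, err := handshake(agent, cert); err != nil {
		return 0, err
	}
	return atomic.LoadInt64(&agent.signOps), nil
}

func main() {
	ops, err := run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("private-key operations performed by the agent: %d\n", ops)
}
```

The count the program reports is two: one signature to issue the certificate and one for the ServerKeyExchange in the ECDHE-ECDSA handshake. The design point is the other direction: nothing in the workload half of the code can read key material, so compromising the workload yields at most a signing oracle for as long as the agent stays reachable, which is exactly the exposure the agent's access controls are meant to bound. The certificate-chain validation that the intro also mentions is a separate call to the agent and is not shown here.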


s2a-go's Issues

Test data must be on 'testdata' directory not to break bazel / gazelle

Rename internal/v2/tlsconfigstore/example_cert_key to internal/v2/tlsconfigstore/testdata to avoid breaking bazel users. Make sure this project can be used by bazel users with gazelle out-of-the-box, without the need for workarounds.

Context

Projects that use bazel will frequently also use gazelle to generate BUILD.bazel files. Since bazel can also run tests, it needs to know which files are accessed by tests for hermeticity reasons, allowing tests to be rerun when data changes. Gazelle automatically declares test data for all files inside directories that are named testdata. If a test uses files from outside of a testdata directory, bazel will fail to analyze the build files with a build error. Ideally code that depends on this project should be usable out-of-the-box by bazel users with gazelle.

Workarounds are possible, but requiring a workaround will make using anything that depends on this project annoying to use.

Minimally reproducible example

Project: https://gitlab.com/xyko/s2a-go-bazelisk-issue

Step-by-step

Please have bazelisk installed, then:

git clone https://gitlab.com/xyko/s2a-go-bazelisk-issue
cd s2a-go-bazelisk-issue
go mod vendor
bazel run //:gazelle
bazel test //...

Expected

Successful run.

Observed

ERROR: /home/xyko/tmp/s2a-go-bazelisk-issue/vendor/github.com/google/s2a-go/internal/v2/BUILD:41:8: no such package 'internal/proto/common_go_proto': BUILD file not found in any of the following directories. Add a BUILD file to a directory to mark it as a package.
 - /home/xyko/tmp/s2a-go-bazelisk-issue/internal/proto/common_go_proto and referenced by '//vendor/github.com/google/s2a-go/internal/v2:v2_test'
ERROR: /home/xyko/tmp/s2a-go-bazelisk-issue/vendor/github.com/google/s2a-go/internal/v2/BUILD:41:8: no such package 'internal/v2/tlsconfigstore/example_cert_key': BUILD file not found in any of the following directories. Add a BUILD file to a directory to mark it as a package.
 - /home/xyko/tmp/s2a-go-bazelisk-issue/internal/v2/tlsconfigstore/example_cert_key and referenced by '//vendor/github.com/google/s2a-go/internal/v2:v2_test'
ERROR: Analysis of target '//vendor/github.com/google/s2a-go/internal/v2:v2_test' failed; build aborted: Analysis failed
INFO: Elapsed time: 0.244s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (0 packages loaded, 31 targets configured)
ERROR: Couldn't start the build. Unable to run tests

--edit: fixed steps to reproduce the issue and the error message. The previous steps missed the vendoring step, and the resulting error message was reflecting that, instead of showing the issue I was trying to show. Sorry for the confusion.

Hardcoded secrets

My build failed because gitguardian found hardcoded secrets in this repository, especially in the /internal/v2/tlsconfigstore/example_cert_key and /internal/v2/remotesigner/example_cert_key folders.

BUILD.bazel being ignored causes problems with bazel projects with vendored libraries

In .gitignore there is an instruction to ignore BUILD.bazel. This is a problem for our project because we vendor our libraries and we use bazel + gazelle, so the files generated by gazelle will not be tracked by git. When the code is checked out from git it will be missing the files and bazel will fail.

How to reproduce:

  • create a new go project
  • add github.com/google/s2a-go as a dependency
  • go mod tidy && go mod vendor
  • configure bazel with gazelle
  • bazel run //:gazelle
  • bazel test //... # will run and show that there are no tests to run
  • git commit -am "initial" # CAUSE OF THE ISSUE HERE: all BUILD.bazel files generated by bazel on
    vendor/github.com/google/s2a-go will not be tracked
  • git push ...

On another machine:

  • git clone ...
  • bazel test //... # << unexpected behavior here

Expected result:

The same result as on the machine that created the git repository: bazel should run and say that there are no tests to run

Observed result:

An error like the one here:

Starting local Bazel server and connecting to it...
INFO: Invocation ID: 5e938a9f-6e8b-4dfa-ad90-37fa2720ac22
ERROR: /home/xyko/tmp/events3/vendor/google.golang.org/api/internal/BUILD.bazel:3:11: no such package 'vendor/github.com/google/s2a-go/fallback': BUILD file not found in any of the following directories. Add a BUILD file to a directory to mark it as a package.
 - /home/xyko/tmp/events3/vendor/github.com/google/s2a-go/fallback and referenced by '//vendor/google.golang.org/api/internal:internal'
ERROR: Analysis of target '//vendor/google.golang.org/api/internal:internal' failed; build aborted: Analysis failed
INFO: Elapsed time: 3.812s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (522 packages loaded, 329 targets configured)
ERROR: Couldn't start the build. Unable to run tests

Comments

  • I believe the library should NOT list BUILD.bazel on .gitignore.
  • The issue affects indirect users of this library, like users of google.golang.org/api

Security Policy violation Binary Artifacts

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

  • internal/v2/fakes2av2_server/fakes2av2_server

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.


Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

bazel issue

ERROR: /private/var/tmp/_bazel_loeffel/4a10d11c1eb568e40670f7e7808d4db4/external/org_golang_google_api/internal/BUILD.bazel:3:11: no such target '@com_github_google_s2a_go//:s2a-go': target 's2a-go' not declared in package '' defined by /private/var/tmp/_bazel_loeffel/4a10d11c1eb568e40670f7e7808d4db4/external/com_github_google_s2a_go/BUILD (did you mean 's2a.go'? Tip: use `query "@com_github_google_s2a_go//:*"` to see all the targets in that package) and referenced by '@org_golang_google_api//internal:internal'
ERROR: /private/var/tmp/_bazel_loeffel/4a10d11c1eb568e40670f7e7808d4db4/external/org_golang_google_api/internal/BUILD.bazel:3:11: no such target '@com_github_google_s2a_go//fallback:fallback': target 'fallback' not declared in package 'fallback' defined by /private/var/tmp/_bazel_loeffel/4a10d11c1eb568e40670f7e7808d4db4/external/com_github_google_s2a_go/fallback/BUILD (Tip: use `query "@com_github_google_s2a_go//fallback:*"` to see all the targets in that package) and referenced by '@org_golang_google_api//internal:internal'

Remove flags (s2a_timeout, s2a_enable_appengine_dialer)

These flags are registered by any binary that imports this library, as they are registered in init(). This in turn means they show up in our binaries. This is unexpected for users.

While I couldn't find anything official recommending not to do that, looking at our entire dependency tree, which is quite large, this is the only library that does this. This leads me to believe that using flags in libraries (as opposed to binaries) is not a very established pattern in the ecosystem.
