Overview ¶
Package audit contains types and functions to summarize the features used in a configuration and to emit recommendations and comments when executing a check.
Constants ¶
// Severity levels attached to a Recommendation (see Recommendation.Severity).
// The Audit example passes a subset of these as the `severities` argument,
// presumably to select which recommendations are reported — confirm in Audit.
const (
	SeverityCritical = "CRITICAL"
	SeverityHigh     = "HIGH"
	SeverityMedium   = "MEDIUM"
	SeverityLow      = "LOW"
)
// Bit positions for endpoint-level flags. The names suggest they track
// wildcard forwarding of query strings and headers and the /__catchall
// endpoint; which Endpoint.Details word they index is not shown here —
// NOTE(review): confirm against Parse.
const (
	BitEndpointWildcard             int = 0
	BitEndpointQueryStringWildcard  int = 1
	BitEndpointHeaderStringWildcard int = 2
	BitEndpointCatchAll             int = 3
)
// Service-level flags, numbered from 0 via iota. Given that Service is
// documented as a tree of bitsets, these are presumably bit positions inside
// Service.Details — confirm against Parse.
const (
	ServicePlugin = iota
	ServiceSequentialStart
	ServiceDebug
	ServiceAllowInsecureConnections
	ServiceDisableStrictREST
	ServiceHasTLS
	ServiceTLSEnabled
	ServiceTLSEnableMTLS
	ServiceTLSDisableSystemCaPool
	ServiceTLSCaCerts
	ServiceEcho
	ServiceUseH2C
	ServiceTLSPrivPubKey
)
// Encoding flags, numbered from 0 via iota. EncodingOther is the last value
// and is reused as the base offset for the Backend* constants below, so the
// two groups never overlap.
const (
	EncodingNOOP = iota
	EncodingJSON
	EncodingSAFEJSON
	EncodingSTRING
	EncodingRSS
	EncodingXML
	EncodingOther
)
// Backend flags. Numbering starts right after EncodingOther so that encoding
// and backend flags can share one set of positions without colliding.
const (
	BackendAllow = iota + EncodingOther + 1
	BackendDeny
	BackendMapping
	BackendGroup
	BackendTarget
	BackendIsCollection
	BackendHeadersToPass
	BackendQuery
)
// Router option flags, numbered from 0 via iota. Presumably positions within a
// router component bitset — which Service.Components entry they belong to is
// not shown here; confirm against Parse.
const (
	RouterErrorBody = iota
	RouterDisableHealth
	RouterDisableAccessLog
	RouterHealthPath
	RouterErrorMsg
	RouterDisableRedirectTrailingSlash
	RouterDisableRedirectFixedPath
	RouterExtraSlash
	RouterHandleMethodNotAllowed
	RouterPathDecoding
	RouterAutoOptions
	RouterForwardedByClientIp
	RouterRemoteIpHeaders
	RouterTrustedProxies
	RouterAppEngine
	RouterMaxMultipartMemory
	RouterLoggerSkipPaths
	RouterHideVersionHeader
	RouterUseH2C
)
// Flags for the backend HTTP client component, numbered from 0 via iota.
// The Parse example output shows a "backend/http/client" entry under a
// backend's components; these are presumably its bit positions — confirm.
const (
	BackendComponentHTTPClient = iota
	BackendComponentHTTPClientAllowInsecureConnections
	BackendComponentHTTPClientCerts
)
Variables ¶
// AiProviders pairs each AI provider name with a string that looks like its
// API version. It is an exported, mutable package-level slice; callers could
// modify it at runtime — NOTE(review): confirm whether that is intended.
var AiProviders = [][]string{{"gemini", "v1beta"}, {"openai", "v1"}, {"mistral", "v1"}, {"anthropic", "v1"}}
Types ¶
type Agent ¶
type Agent struct {
	// Details holds the agent's flags as integers; Service is documented as a
	// tree of bitsets, so these are presumably bit-packed — confirm in Parse.
	Details []int `json:"d"`
	// Backends lists the agent's backends (the Backend type is not shown in this excerpt).
	Backends []Backend `json:"b"`
	// Components records the components configured on the agent
	// (the Component type is not shown in this excerpt).
	Components Component `json:"c"`
}
Agent captures details of the AsyncAgents present in the configuration.
type AuditResult ¶
type AuditResult struct {
	// Recommendations lists every recommendation produced by Audit, each with
	// its rule id, severity and message.
	Recommendations []Recommendation `json:"recommendations"`
	// Stats summarizes the audited configuration (the Stats type is not shown in this excerpt).
	Stats Stats `json:"stats"`
}
AuditResult contains all the recommendations and stats generated by the audit process.
func Audit ¶
func Audit(cfg *config.ServiceConfig, ignore, severities []string) (AuditResult, error)
Audit audits the received configuration and generates an AuditResult with all the Recommendations.
Example ¶
cfg, err := config.NewParser().Parse("./tests/example1.json")
if err != nil {
	fmt.Println(err)
	return
}
cfg.Normalize()
result, err := Audit(
	&cfg,
	[]string{"1.1.1", "1.1.2", "7.2.4"},                      // rule ids to skip
	[]string{SeverityCritical, SeverityHigh, SeverityMedium}, // severities to report
)
if err != nil {
	fmt.Println(err)
	return
}
for i := range result.Recommendations {
	rec := result.Recommendations[i]
	fmt.Printf("%02d: %s %s \t%s\n", i, rec.Rule, rec.Severity, rec.Message)
}
Output: 00: 2.1.3 CRITICAL TLS is configured but its disable flag prevents from using it. 01: 2.1.7 HIGH Enable HTTP security header checks (security/http). 02: 2.1.8 HIGH Avoid clear text communication (h2c). 03: 2.2.1 MEDIUM Hide the version banner in runtime. 04: 2.2.2 HIGH Enable CORS. 05: 2.2.3 HIGH Avoid passing all input headers to the backend. 06: 2.2.4 HIGH Avoid passing all input query strings to the backend. 07: 2.3.1 MEDIUM Limit the amount of cacheable content. 08: 3.1.3 HIGH Protect your backends with a circuit breaker. 09: 3.3.2 MEDIUM Set timeouts to below 5 seconds for improved performance. 10: 3.3.3 HIGH Set timeouts to below 30 seconds for improved performance. 11: 3.3.4 CRITICAL Set timeouts to below 1 minute for improved performance. 12: 4.1.1 MEDIUM Implement a telemetry system for collecting metrics for monitoring and troubleshooting. 13: 4.1.3 HIGH Avoid duplicating telemetry options to prevent system overload. 14: 4.3.1 MEDIUM Use the improved logging component for better log parsing. 15: 5.1.5 MEDIUM Declare explicit endpoints instead of using /__catchall. 16: 5.1.6 MEDIUM Avoid using multiple write methods in endpoint definitions. 17: 5.1.7 MEDIUM Avoid using sequential proxy. 18: 7.1.3 HIGH Avoid using deprecated plugin basic-auth. Please move your configuration to the namespace auth/basic to use the new component. See: https://www.krakend.io/docs/enterprise/authentication/basic-authentication/ . 19: 7.1.7 HIGH Avoid using deprecated plugin no-redirect. Please visit https://www.krakend.io/docs/enterprise/backends/client-redirect/#migration-from-old-plugin to upgrade to the new options. 20: 7.3.1 MEDIUM Avoid using 'private_key' and 'public_key' and use the 'keys' array.
Example (Cb) ¶
cfg, err := config.NewParser().Parse("./tests/example-cb.json")
if err != nil {
	fmt.Println(err)
	return
}
cfg.Normalize()
result, err := Audit(
	&cfg,
	[]string{"1.1.1", "1.1.2", "7.2.4"},                      // rule ids to skip
	[]string{SeverityCritical, SeverityHigh, SeverityMedium}, // severities to report
)
if err != nil {
	fmt.Println(err)
	return
}
for i := range result.Recommendations {
	rec := result.Recommendations[i]
	fmt.Printf("%02d: %s %s \t%s\n", i, rec.Rule, rec.Severity, rec.Message)
}
Output: 00: 1.2.1 HIGH Prioritize using JWT for endpoint authorization to ensure security. 01: 2.1.2 HIGH Enable TLS or use a terminator in front of KrakenD. 02: 2.1.7 HIGH Enable HTTP security header checks (security/http). 03: 2.2.1 MEDIUM Hide the version banner in runtime. 04: 2.2.2 HIGH Enable CORS. 05: 3.1.2 HIGH Implement a rate-limiting strategy and avoid having an All-You-Can-Eat API. 06: 4.1.1 MEDIUM Implement a telemetry system for collecting metrics for monitoring and troubleshooting. 07: 4.2.1 MEDIUM Implement a telemetry system for tracing for monitoring and troubleshooting. 08: 4.3.1 MEDIUM Use the improved logging component for better log parsing.
type Endpoint ¶
type Endpoint struct {
	// Details holds the endpoint's flags as integers (six values per endpoint
	// in the Parse example output); presumably bit-packed — confirm in Parse.
	Details []int `json:"d"`
	// Backends lists the endpoint's backends (the Backend type is not shown in this excerpt).
	Backends []Backend `json:"b"`
	// Components records the components configured on the endpoint
	// (the Component type is not shown in this excerpt).
	Components Component `json:"c"`
}
Endpoint captures details of the endpoints present in the configuration.
type Recommendation ¶
type Recommendation struct {
	// Rule is the dotted rule id, e.g. "2.1.3" in the Audit example output.
	Rule string `json:"rule"`
	// Severity is one of the Severity* constants.
	Severity string `json:"severity"`
	// Message is the human-readable recommendation text.
	Message string `json:"message"`
}
Recommendation maps a rule ID to a severity and a message.
type Rule ¶
type Rule struct {
	// Recommendation is emitted when Evaluate returns true.
	Recommendation Recommendation
	// Evaluate reports whether the recommendation applies to the given Service.
	Evaluate func(*Service) bool
}
Rule encapsulates a recommendation and an evaluation function that determines whether the recommendation applies to a given service definition.
type Service ¶
type Service struct {
	// Details holds the service-level flags as integers (a single value in the
	// Parse example output); presumably a bitset indexed by the Service*
	// constants — confirm in Parse.
	Details []int `json:"d"`
	// Agents lists the async agents; encodes as null when none are configured
	// (see the Parse example output).
	Agents []Agent `json:"a"`
	// Endpoints lists the configured endpoints.
	Endpoints []Endpoint `json:"e"`
	// Components records the service-level components, keyed by component
	// namespace in the Parse example output (the Component type is not shown here).
	Components Component `json:"c"`
}
Service represents a KrakenD configuration as a tree of bitsets that record which components and flags are enabled in the KrakenD configuration.
func Parse ¶
func Parse(cfg *config.ServiceConfig) Service
Parse creates a Service capturing the details of the received configuration.
Example ¶
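cfg, err := config.NewParser().Parse("./tests/example1.json")
if err != nil {
	fmt.Println(err.Error())
	return
}
cfg.Normalize()
result := Parse(&cfg)
// Report the encoding error instead of discarding it: a failed MarshalIndent
// would otherwise print an empty line and hide the problem.
r, err := json.MarshalIndent(result, "", " ")
if err != nil {
	fmt.Println(err)
	return
}
fmt.Println(string(r))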
Output: { "d": [ 7220 ], "a": null, "e": [ { "d": [ 2, 0, 0, 140000, 0, 0 ], "b": [ { "d": [ 64 ], "c": { "github.com/devopsfaith/krakend-httpcache": [ 0 ], "github.com/devopsfaith/krakend-lua/proxy/backend": [ 2 ] } } ], "c": { "github.com/devopsfaith/krakend-jose/validator": [], "github.com/devopsfaith/krakend-lua/proxy": [ 3 ], "modifier/response-body": [ 5, 2, 0, 1, 1, 1 ], "validation/response-json-schema": [ 18, 1, 400, 1 ] } }, { "d": [ 2, 1, 1, 10000, 7, 0 ], "b": [ { "d": [ 64 ], "c": { "backend/http/client": [ 3 ] } } ], "c": { "github.com/devopsfaith/krakend/transport/http/client/executor": [ 1 ] } }, { "d": [ 2, 0, 0, 2000, 0, 0 ], "b": [ { "d": [ 64 ], "c": {} } ], "c": { "websocket": [ 27, 4096, 4096, 4096, 3200000, 0, 10000, 60000, 54000, 300000, 1 ] } }, { "d": [ 2, 0, 0, 2000, 0, 0 ], "b": [ { "d": [ 64 ], "c": { "github.com/devopsfaith/krakend-httpcache": [ 7 ] } } ], "c": {} }, { "d": [ 2, 0, 0, 2000, 0, 1 ], "b": [ { "d": [ 64 ], "c": { "ai/llm": [ 1, 0, 0, 1 ] } } ], "c": {} }, { "d": [ 2, 0, 0, 2000, 0, 1 ], "b": [ { "d": [ 64 ], "c": { "ai/llm": [ 2, 1, 0, 1 ] } } ], "c": {} }, { "d": [ 2, 0, 0, 2000, 0, 1 ], "b": [ { "d": [ 64 ], "c": { "ai/llm": [ 4, 0, 1, 1 ] } } ], "c": {} }, { "d": [ 2, 0, 0, 2000, 0, 1 ], "b": [ { "d": [ 64 ], "c": { "ai/llm": [ 8, 1, 1, 1 ] } } ], "c": {} }, { "d": [ 2, 0, 0, 2000, 0, 1 ], "b": [ { "d": [ 64 ], "c": {} } ], "c": { "ai/mcp": [] } }, { "d": [ 2, 0, 0, 2000, 0, 0 ], "b": [ { "d": [ 64 ], "c": {} } ], "c": { "ai/mcp": [] } }, { "d": [ 2, 0, 0, 2000, 0, 1 ], "b": [ { "d": [ 64 ], "c": {} } ], "c": { "ai/mcp": [] } }, { "d": [ 2, 0, 0, 2000, 0, 1 ], "b": [ { "d": [ 64 ], "c": {} } ], "c": { "ai/mcp": [] } }, { "d": [ 2, 0, 0, 10000, 8, 2 ], "b": [ { "d": [ 64 ], "c": {} }, { "d": [ 64 ], "c": {} }, { "d": [ 64 ], "c": {} } ], "c": { "github.com/devopsfaith/krakend/proxy": [ 1 ] } } ], "c": { "ai/mcp": [ 2, 3 ], "auth/api-keys": [], "github.com/devopsfaith/krakend-lua/router": [ 1 ], 
"github_com/devopsfaith/bloomfilter": [ 1, 2, 0 ], "github_com/devopsfaith/krakend/transport/http/server/handler": [ 4 ], "github_com/letgoapp/krakend-influx": [], "github_com/luraproject/lura/router/gin": [ 262144 ], "grpc": [ 1 ], "modifier/response-headers": [ 15 ], "qos/ratelimit/service": [], "telemetry/opentelemetry": [ 50, 100, 1, 2, 1 ] } }
Example (WithRevokerServer) ¶
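cfg, err := config.NewParser().Parse("./tests/revoker.json")
if err != nil {
	fmt.Println(err.Error())
	return
}
cfg.Normalize()
result := Parse(&cfg)
// Report the encoding error instead of discarding it: a failed MarshalIndent
// would otherwise print an empty line and hide the problem.
r, err := json.MarshalIndent(result, "", " ")
if err != nil {
	fmt.Println(err)
	return
}
fmt.Println(string(r))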
Output: { "d": [ 0 ], "a": null, "e": [ { "d": [ 2, 0, 0, 2000, 0, 0 ], "b": [ { "d": [ 64 ], "c": {} } ], "c": {} } ], "c": { "github_com/devopsfaith/bloomfilter": [ 1, 1, 1 ] } }