
[TT-2539] added access/transaction logs #6616

Open: wants to merge 3 commits into base: master
Conversation

Contributor

@LLe27 LLe27 commented Oct 8, 2024

TT-2539
Summary: Transaction/Access Logs
Type: Story
Status: In Dev
Points: N/A
Labels: A, America's, CSE, Gold, customer_request, innersource, jira_escalated, QA_Fail

Reverts #6524

FR Jira Ticket

https://tyktech.atlassian.net/browse/TT-2539

Description

  • Added the TYK_GW_ACCESSLOGS_ENABLED Gateway config option
  • The Tyk Gateway will determine whether to print access logs to STDOUT for both success and error handling situations
    • If the TYK_GW_ACCESSLOGS_ENABLED is set to true then the Gateway will print access logs to STDOUT
    • If the TYK_GW_ACCESSLOGS_ENABLED is set to false then the Gateway will not print access logs to STDOUT

Note that this feature is off by default and that the AccessLog struct only contains the more common elements. Below are some examples of an access log

time="Sep 04 08:04:18" level=info APIID=c062396cb62d4e9a5ee37adaf85b9e4c APIKey=00000000 ClientIP=127.0.0.1 ClientRemoteAddr="127.0.0.1:53506" Host="localhost:8080" Method=GET OrgID=66d07f00247d80811d5199c3 Proto=HTTP/1.1 RequestURI=/httpbin/get StatusCode=200 TotalLatency=381 UpstreamAddress="http://httpbin.org/get" UpstreamLatency=381 UpstreamPath=/get UpstreamURI=/get UserAgent=curl/8.1.2 prefix=access-log
time="Sep 04 08:08:20" level=info APIID=c062396cb62d4e9a5ee37adaf85b9e4c APIKey=00000000 ClientIP=127.0.0.1 ClientRemoteAddr="127.0.0.1:53566" Host="localhost:8080" Method=GET OrgID=66d07f00247d80811d5199c3 Proto=HTTP/1.1 RequestURI=/httpbin/get StatusCode=401 TotalLatency=0 UpstreamAddress=":///httpbin/get" UpstreamLatency=0 UpstreamPath=/httpbin/get UpstreamURI=/httpbin/get UserAgent=curl/8.1.2 prefix=access-log

Related Issue

Motivation and Context

Today the Tyk Gateway does not print access logs for successful API calls but only for API calls that result in errors. Providing access logs for both scenarios within the Tyk Gateway is extremely valuable, especially if you are monitoring logs, capturing analytics or even debugging. Providing the option to turn the Tyk Gateway access logs on or off will give clients more insight into API calls in both success and error situations.

How This Has Been Tested

  • Manual testing
  • Unit testing
  • Performance testing/benchmarks

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning why it's required
  • I would like a code coverage CI quality gate exception and have explained why
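As an added example that is not part of this PR or the Tyk code base, here is a small Go parser for the logrus text-format lines shown in the description: it turns them into typed entries and counts 401/403 responses per client. The two sample lines are copied from the description above; the type and function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SampleLogs holds the two access-log lines from the PR description above.
const SampleLogs = `time="Sep 04 08:04:18" level=info APIID=c062396cb62d4e9a5ee37adaf85b9e4c APIKey=00000000 ClientIP=127.0.0.1 ClientRemoteAddr="127.0.0.1:53506" Host="localhost:8080" Method=GET OrgID=66d07f00247d80811d5199c3 Proto=HTTP/1.1 RequestURI=/httpbin/get StatusCode=200 TotalLatency=381 UpstreamAddress="http://httpbin.org/get" UpstreamLatency=381 UpstreamPath=/get UpstreamURI=/get UserAgent=curl/8.1.2 prefix=access-log
time="Sep 04 08:08:20" level=info APIID=c062396cb62d4e9a5ee37adaf85b9e4c APIKey=00000000 ClientIP=127.0.0.1 ClientRemoteAddr="127.0.0.1:53566" Host="localhost:8080" Method=GET OrgID=66d07f00247d80811d5199c3 Proto=HTTP/1.1 RequestURI=/httpbin/get StatusCode=401 TotalLatency=0 UpstreamAddress=":///httpbin/get" UpstreamLatency=0 UpstreamPath=/httpbin/get UpstreamURI=/httpbin/get UserAgent=curl/8.1.2 prefix=access-log`

// AccessEntry is a typed view of one access-log line (names are mine, keys are the gateway's).
type AccessEntry struct {
	Time, APIID, APIKey, ClientIP, Method, RequestURI, UpstreamAddress string
	StatusCode, TotalLatency, UpstreamLatency                          int
}

// ParseLogfmt splits a logrus text-format line into key=value pairs: a value is bare
// up to the next space, or double-quoted (backslash escapes are not handled here).
func ParseLogfmt(line string) map[string]string {
	fields := make(map[string]string)
	rest := strings.TrimSpace(line)
	for rest != "" {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			break // stray token without '='; logrus does not emit these
		}
		key, sep := rest[:eq], byte(' ')
		rest = rest[eq+1:]
		if strings.HasPrefix(rest, `"`) {
			rest, sep = rest[1:], '"'
		}
		end := strings.IndexByte(rest, sep)
		if end < 0 {
			end = len(rest)
		}
		fields[key] = rest[:end]
		if end < len(rest) {
			end++ // step over the closing quote or the separating space
		}
		rest = strings.TrimLeft(rest[end:], " ")
	}
	return fields
}

// ParseAccessLogs keeps only lines tagged prefix=access-log, so it can read the gateway's mixed stdout.
func ParseAccessLogs(logs string) ([]AccessEntry, error) {
	var entries []AccessEntry
	for n, line := range strings.Split(logs, "\n") {
		f := ParseLogfmt(line)
		if f["prefix"] != "access-log" {
			continue
		}
		status, err := strconv.Atoi(f["StatusCode"])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad StatusCode %q", n+1, f["StatusCode"])
		}
		total, _ := strconv.Atoi(f["TotalLatency"])       // 0 when absent
		upstream, _ := strconv.Atoi(f["UpstreamLatency"]) // 0 when absent
		entries = append(entries, AccessEntry{
			Time: f["time"], APIID: f["APIID"], APIKey: f["APIKey"], ClientIP: f["ClientIP"],
			Method: f["Method"], RequestURI: f["RequestURI"], UpstreamAddress: f["UpstreamAddress"],
			StatusCode: status, TotalLatency: total, UpstreamLatency: upstream,
		})
	}
	return entries, nil
}

// AuthFailuresByClient counts 401/403 responses per ClientIP: with access logs on,
// rejected calls are visible even though the upstream never saw them.
func AuthFailuresByClient(entries []AccessEntry) map[string]int {
	counts := make(map[string]int)
	for _, e := range entries {
		if e.StatusCode == 401 || e.StatusCode == 403 {
			counts[e.ClientIP]++
		}
	}
	return counts
}

func main() {
	entries, err := ParseAccessLogs(SampleLogs)
	fmt.Println(err, AuthFailuresByClient(entries))
}
```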

Member

buger commented Oct 8, 2024

I'm a bot and I 👍 this PR title. 🤖

Contributor

github-actions bot commented Oct 8, 2024

API Changes

--- prev.txt	2024-10-15 13:55:55.539608474 +0000
+++ current.txt	2024-10-15 13:55:49.252548344 +0000
@@ -853,66 +853,7 @@
 		},
         "detailed_tracing": {
             "type": "boolean"
-        },
-		"upstream_auth": {
-			"type": "object",
-			"properties": {
-				"enabled": {
-					"type": "boolean"
-				},
-				"basic_auth": {
-					"type": "object",
-					"properties": {
-						"enabled": {
-							"type": "boolean"
-						},
-						"username": {
-							"type": "string"
-						},
-						"password": {
-							"type": "string"
-						},
-						"header_name": {
-							"type": "string"
-						}
-					}
-				},
-				"oauth": {
-					"type":"object",
-					"properties": {
-						"enabled": {
-							"type": "boolean"
-						},
-						"client_credentials": {
-							"type": "object",
-							"properties": {
-								"client_id": {
-									"type": "string"
-								},
-								"client_secret": {
-									"type": "string"
-								},
-								"token_url": {
-									"type": "string"
-								},
-								"scopes":{
-									"type": ["array", "null"]
-								},
-								"endpoint_params": {
-									"type": ["object", "null"]
-								}	
-							}
-						},
-						"header_name": {
-							"type": "string"		
-						},
-						"distributed_token": {
-							"type": "boolean"
-						}
-					}
-				}
-			}
-    	}
+        }
     },
     "required": [
         "name",
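Review bot: this hunk removes the whole upstream_auth schema block, which has nothing to do with access logs, and the same pattern (UpstreamAuth, ClientCredentials, HostDetails and the upstream OAuth middleware disappearing) repeats through the rest of this report; that is the signature of a branch that is behind master, not of an intentional change. Rebase onto current master before review so the API-change report shows only the AccessLogsConfig additions.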
@@ -1093,9 +1034,6 @@
 	VersionName string `bson:"-" json:"-"`
 
 	DetailedTracing bool `bson:"detailed_tracing" json:"detailed_tracing"`
-
-	// UpstreamAuth stores information about authenticating against upstream.
-	UpstreamAuth UpstreamAuth `bson:"upstream_auth" json:"upstream_auth"`
 }
     APIDefinition represents the configuration for a single proxied API and it's
     versions.
@@ -1213,22 +1151,6 @@
 	DisableHalfOpenState bool    `bson:"disable_half_open_state" json:"disable_half_open_state"`
 }
 
-type ClientCredentials struct {
-	// ClientID is the application's ID.
-	ClientID string `bson:"client_id" json:"client_id"`
-	// ClientSecret is the application's secret.
-	ClientSecret string `bson:"client_secret" json:"client_secret"`
-	// TokenURL is the resource server's token endpoint
-	// URL. This is a constant specific to each server.
-	TokenURL string `bson:"token_url" json:"token_url"`
-	// Scopes specifies optional requested permissions.
-	Scopes []string `bson:"scopes" json:"scopes,omitempty"`
-
-	TokenProvider oauth2.TokenSource `bson:"-" json:"-"`
-}
-    ClientCredentials holds the client credentials for upstream OAuth2
-    authentication.
-
 type DefRequest struct {
 	OrgId   string
 	Tags    []string
@@ -1549,14 +1471,6 @@
 	Body                string            `bson:"body" json:"body"`
 }
 
-type HostDetails struct {
-	Hostname string
-	PID      int
-	Address  string
-}
-    HostDetails contains information about a host machine, including its
-    hostname, process ID (PID), and IP address.
-
 type HostList struct {
 	// Has unexported fields.
 }
@@ -1692,7 +1606,7 @@
 	Tags            []string                   `json:"tags"`
 	Health          map[string]HealthCheckItem `json:"health"`
 	Stats           GWStats                    `json:"stats"`
-	HostDetails     HostDetails                `json:"host_details"`
+	HostDetails     internalmodel.HostDetails  `json:"host_details"`
 }
 
 type NotificationsManager struct {
@@ -2045,47 +1959,6 @@
 	MatchRegexp  *regexp.Regexp   `json:"-"`
 }
 
-type UpstreamAuth struct {
-	// Enabled enables upstream API authentication.
-	Enabled bool `bson:"enabled" json:"enabled"`
-	// BasicAuth holds the basic authentication configuration for upstream API authentication.
-	BasicAuth UpstreamBasicAuth `bson:"basic_auth" json:"basic_auth"`
-	// OAuth holds the OAuth2 configuration for the upstream client credentials API authentication.
-	OAuth UpstreamOAuth `bson:"oauth" json:"oauth"`
-}
-    UpstreamAuth holds the configurations related to upstream API
-    authentication.
-
-func (u *UpstreamAuth) IsEnabled() bool
-    IsEnabled checks if UpstreamAuthentication is enabled for the API.
-
-type UpstreamBasicAuth struct {
-	// Enabled enables upstream basic authentication.
-	Enabled bool `bson:"enabled" json:"enabled,omitempty"`
-	// Username is the username to be used for upstream basic authentication.
-	Username string `bson:"username" json:"username"`
-	// Password is the password to be used for upstream basic authentication.
-	Password string `bson:"password" json:"password"`
-	// HeaderName is the custom header name to be used for upstream basic authentication.
-	// Defaults to `Authorization`.
-	HeaderName string `bson:"header_name" json:"header_name"`
-}
-    UpstreamBasicAuth holds upstream basic authentication configuration.
-
-type UpstreamOAuth struct {
-	// Enabled enables upstream OAuth2 authentication.
-	Enabled bool `bson:"enabled" json:"enabled"`
-	// ClientCredentials holds the client credentials for upstream OAuth2 authentication.
-	ClientCredentials ClientCredentials `bson:"client_credentials" json:"client_credentials"`
-	// HeaderName is the custom header name to be used for upstream basic authentication.
-	// Defaults to `Authorization`.
-	HeaderName string `bson:"header_name" json:"header_name,omitempty"`
-}
-    UpstreamOAuth holds upstream OAuth2 authentication configuration.
-
-func (u UpstreamOAuth) IsEnabled() bool
-    IsEnabled checks if UpstreamOAuth is enabled for the API.
-
 type UptimeTests struct {
 	CheckList []HostCheckObject `bson:"check_list" json:"check_list"`
 	Config    UptimeTestsConfig `bson:"config" json:"config"`
@@ -3118,24 +2991,6 @@
 func (cc *ClientCertificates) Fill(api apidef.APIDefinition)
     Fill fills *ClientCertificates from apidef.APIDefinition.
 
-type ClientCredentials struct {
-	// ClientID is the application's ID.
-	ClientID string `bson:"clientID" json:"clientID"`
-	// ClientSecret is the application's secret.
-	ClientSecret string `bson:"clientSecret" json:"clientSecret"`
-	// TokenURL is the resource server's token endpoint
-	// URL. This is a constant specific to each server.
-	TokenURL string `bson:"tokenURL" json:"tokenURL"`
-	// Scopes specifies optional requested permissions.
-	Scopes []string `bson:"scopes,omitempty" json:"scopes,omitempty"`
-}
-    ClientCredentials holds the configuration for OAuth2 Client Credentials
-    flow.
-
-func (c *ClientCredentials) ExtractTo(api *apidef.ClientCredentials)
-
-func (c *ClientCredentials) Fill(api apidef.ClientCredentials)
-
 type ClientToPolicy struct {
 	// ClientID contains a Client ID.
 	ClientID string `bson:"clientId,omitempty" json:"clientId,omitempty"`
@@ -4705,8 +4560,6 @@
 	ValidateRequest *bool
 	// MockResponse is true if a mocked response is configured.
 	MockResponse *bool
-
-	// Has unexported fields.
 }
     TykExtensionConfigParams holds the essential configuration required for the
     Tyk Extension schema.
@@ -4829,9 +4682,6 @@
 
 	// RateLimit contains the configuration related to API level rate limit.
 	RateLimit *RateLimit `bson:"rateLimit,omitempty" json:"rateLimit,omitempty"`
-
-	// Authentication contains the configuration related to upstream authentication.
-	Authentication *UpstreamAuth `bson:"authentication,omitempty" json:"authentication,omitempty"`
 }
     Upstream holds configuration for the upstream server to which Tyk should
     proxy requests.
@@ -4842,57 +4692,6 @@
 func (u *Upstream) Fill(api apidef.APIDefinition)
     Fill fills *Upstream from apidef.APIDefinition.
 
-type UpstreamAuth struct {
-	// Enabled enables upstream API authentication.
-	Enabled bool `bson:"enabled" json:"enabled"`
-	// BasicAuth holds the basic authentication configuration for upstream API authentication.
-	BasicAuth *UpstreamBasicAuth `bson:"basicAuth,omitempty" json:"basicAuth,omitempty"`
-	// OAuth contains the configuration for OAuth2 Client Credentials flow.
-	OAuth *UpstreamOAuth `bson:"oauth,omitempty" json:"oauth,omitempty"`
-}
-    UpstreamAuth holds the configurations related to upstream API
-    authentication.
-
-func (u *UpstreamAuth) ExtractTo(api *apidef.UpstreamAuth)
-    ExtractTo extracts *UpstreamAuth into *apidef.UpstreamAuth.
-
-func (u *UpstreamAuth) Fill(api apidef.UpstreamAuth)
-    Fill fills *UpstreamAuth from apidef.UpstreamAuth.
-
-type UpstreamBasicAuth struct {
-	// Enabled enables upstream basic authentication.
-	Enabled bool `bson:"enabled" json:"enabled"`
-	// HeaderName is the custom header name to be used for upstream basic authentication.
-	// Defaults to `Authorization`.
-	HeaderName string `bson:"headerName" json:"headerName"`
-	// Username is the username to be used for upstream basic authentication.
-	Username string `bson:"username" json:"username"`
-	// Password is the password to be used for upstream basic authentication.
-	Password string `bson:"password" json:"password"`
-}
-    UpstreamBasicAuth holds upstream basic authentication configuration.
-
-func (u *UpstreamBasicAuth) ExtractTo(api *apidef.UpstreamBasicAuth)
-    ExtractTo extracts *UpstreamBasicAuth into *apidef.UpstreamBasicAuth.
-
-func (u *UpstreamBasicAuth) Fill(api apidef.UpstreamBasicAuth)
-    Fill fills *UpstreamBasicAuth from apidef.UpstreamBasicAuth.
-
-type UpstreamOAuth struct {
-	// Enabled activates upstream OAuth2 authentication.
-	Enabled bool `bson:"enabled" json:"enabled"`
-	// ClientCredentials holds the configuration for OAuth2 Client Credentials flow.
-	ClientCredentials *ClientCredentials `bson:"clientCredentials,omitempty" json:"clientCredentials,omitempty"`
-	// HeaderName is the custom header name to be used for upstream basic authentication.
-	// Defaults to `Authorization`.
-	HeaderName string `bson:"headerName" json:"headerName"`
-}
-    UpstreamOAuth holds the configuration for OAuth2 Client Credentials flow.
-
-func (u *UpstreamOAuth) ExtractTo(api *apidef.UpstreamOAuth)
-
-func (u *UpstreamOAuth) Fill(api apidef.UpstreamOAuth)
-
 type ValidateRequest struct {
 	// Enabled is a boolean flag, if set to `true`, it enables request validation.
 	Enabled bool `bson:"enabled" json:"enabled"`
@@ -5393,6 +5192,12 @@
 
 TYPES
 
+type AccessLogsConfig struct {
+	// Enable the transaction logs. Default: false
+	Enabled bool `json:"enabled"`
+}
+    AccessLogsConfig defines the type of transactions logs printed to stdout
+
 type AnalyticsConfigConfig struct {
 	// Set empty for a Self-Managed installation or `rpc` for multi-cloud.
 	Type string `json:"type"`
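Review bot: the doc comment on AccessLogsConfig, "defines the type of transactions logs printed to stdout", reads as if the struct selects a log type, but it only carries an Enabled flag (and "transactions logs" is a typo). Suggest `// AccessLogsConfig controls whether access (transaction) logs are printed to stdout.` and, on the field, `// Enabled turns access logging on. Default: false`, so the comment matches the TYK_GW_ACCESSLOGS_ENABLED option the description documents.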
@@ -5842,6 +5647,10 @@
 	// If not set or left empty, it will default to `standard`.
 	LogFormat string `json:"log_format"`
 
+	// You can configure the transaction logs to be turned on
+	// If not set or left empty, it will default to 'false'
+	AccessLogs AccessLogsConfig `json:"access_logs"`
+
 	// Section for configuring OpenTracing support
 	// Deprecated: use OpenTelemetry instead.
 	Tracer Tracer `json:"tracing"`
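Review bot: the new field comment "You can configure the transaction logs to be turned on / If not set or left empty, it will default to 'false'" is vaguer than its neighbours and quotes the default with single quotes where LogFormat uses backticks; suggest `// AccessLogs controls whether access/transaction logs are written to stdout.` followed by `// Defaults to disabled.` The sample lines in the description show APIKey and ClientIP on every request, so the comment or docs should also say that enabling this writes per-request metadata into whatever collects stdout.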
@@ -7754,13 +7563,6 @@
 	MsgCertificateExpired                      = "Certificate has expired"
 )
 const (
-	Pass      = model.Pass
-	Fail      = model.Fail
-	Warn      = model.Warn
-	Datastore = model.Datastore
-	System    = model.System
-)
-const (
 	// Zero value - the service is open and ready to use
 	OPEN = 0
 
@@ -7798,21 +7600,12 @@
 	ECDSASign = "ecdsa"
 )
 const (
-	UpstreamOAuthErrorEventName = "UpstreamOAuthError"
-	UpstreamOAuthMiddlewareName = "UpstreamOAuth"
-)
-const (
 	ErrOAuthAuthorizationFieldMissing   = "oauth.auth_field_missing"
 	ErrOAuthAuthorizationFieldMalformed = "oauth.auth_field_malformed"
 	ErrOAuthKeyNotFound                 = "oauth.key_not_found"
 	ErrOAuthClientDeleted               = "oauth.client_deleted"
 )
 const (
-	// ExtensionTykStreaming is the oas extension for tyk streaming
-	ExtensionTykStreaming = "x-tyk-streaming"
-	StreamGCInterval      = 1 * time.Minute
-)
-const (
 	ResetQuota              string = "resetQuota"
 	CertificateRemoved      string = "CertificateRemoved"
 	CertificateAdded        string = "CertificateAdded"
@@ -7864,6 +7657,10 @@
     The name for event handlers as defined in the API Definition JSON/BSON
     format
 
+const (
+	// ExtensionTykStreaming is the oas extension for tyk streaming
+	ExtensionTykStreaming = "x-tyk-streaming"
+)
 const ListDetailed = "detailed"
 const LoopScheme = "tyk"
 const OIDPREFIX = "openid"
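Review bot: this re-added block restores ExtensionTykStreaming but not StreamGCInterval = 1 * time.Minute, which the previous hunk removed alongside it; if that is rebase drift it will resolve itself, otherwise the streaming GC interval has been dropped and anything referencing it will fail to build.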
@@ -8068,7 +7865,7 @@
 
 func (a APIDefinitionLoader) GetOASFilepath(path string) string
 
-func (a APIDefinitionLoader) MakeSpec(def *model.MergedAPI, logger *logrus.Entry) (*APISpec, error)
+func (a APIDefinitionLoader) MakeSpec(def *nestedApiDefinition, logger *logrus.Entry) (*APISpec, error)
     MakeSpec will generate a flattened URLSpec from and APIDefinitions'
     VersionInfo data. paths are keyed to the Api version name, which is
     determined during routing to speed up lookups
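Review bot: MakeSpec now takes *nestedApiDefinition, an unexported type, in place of *model.MergedAPI, so external callers of this exported method can no longer construct its argument; since the rest of the report shows code reverting to an older layout, confirm this is the intended signature on master rather than stale branch state.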
@@ -8580,8 +8377,6 @@
 	resetTTLTo int64, hashed bool) error
     UpdateSession updates the session state in the storage engine
 
-type DistributedCacheOAuthProvider struct{}
-
 type DummyProxyHandler struct {
 	SH SuccessHandler
 	Gw *Gateway `json:"-"`
@@ -8668,12 +8463,6 @@
 	UsagePercentage int64  `json:"usage_percentage"`
 }
 
-type EventUpstreamOAuthMeta struct {
-	EventMetaDefault
-	APIID string
-}
-    EventUpstreamOAuthMeta is the metadata structure for an upstream OAuth event
-
 type EventVersionFailureMeta struct {
 	EventMetaDefault
 	Path   string
@@ -8778,8 +8567,6 @@
 	HostCheckTicker      chan struct{}
 	HostCheckerClient    *http.Client
 	TracerProvider       otel.TracerProvider
-	// UpstreamOAuthCache is used to cache upstream OAuth tokens
-	UpstreamOAuthCache *upstreamOAuthCache
 
 	SessionLimiter SessionLimiter
 	SessionMonitor Monitor
@@ -8914,13 +8701,6 @@
 func (gw *Gateway) SetNodeID(nodeID string)
     SetNodeID writes NodeID safely.
 
-func (gw *Gateway) SetPolicies(pols map[string]user.Policy)
-    SetPolicies updates the internal policy map with a new policy map.
-
-func (gw *Gateway) SetPoliciesByID(pols ...user.Policy)
-    SetPoliciesByID will update the internal policiesByID map with new policies.
-    The key used will be the policy ID.
-
 func (gw *Gateway) SetupNewRelic() (app newrelic.Application)
     SetupNewRelic creates new newrelic.Application instance
 
@@ -9162,12 +8942,6 @@
 	RevProxyTransform RevProxyTransform `mapstructure:"rev_proxy_header_cleanup" bson:"rev_proxy_header_cleanup" json:"rev_proxy_header_cleanup"`
 }
 
-type HealthCheckItem = model.HealthCheckItem
-
-type HealthCheckResponse = model.HealthCheckResponse
-
-type HealthCheckStatus = model.HealthCheckStatus
-
 type HealthCheckValues struct {
 	ThrottledRequestsPS float64 `bson:"throttle_reqests_per_second,omitempty" json:"throttle_reqests_per_second"`
 	QuotaViolationsPS   float64 `bson:"quota_violations_per_second,omitempty" json:"quota_violations_per_second"`
@@ -9689,10 +9463,6 @@
     in compliance with https://tools.ietf.org/html/rfc7009#section-2.1 ToDo:
     set an authentication mechanism
 
-type OAuthHeaderProvider interface {
-	// Has unexported methods.
-}
-
 type OAuthManager struct {
 	API        *APISpec
 	OsinServer *TykOsinServer
@@ -9774,8 +9544,6 @@
 
 func (k *OrganizationMonitor) SetOrgSentinel(orgChan chan bool, orgId string)
 
-type PerAPIOAuthProvider struct{}
-
 type PersistGraphQLOperationMiddleware struct {
 	*BaseMiddleware
 }
@@ -10955,62 +10723,6 @@
     Enums representing the various statuses for a VersionInfo Path match during
     a proxy request
 
-type UpstreamBasicAuth struct {
-	*BaseMiddleware
-}
-    UpstreamBasicAuth is a middleware that will do basic authentication for
-    upstream connections. UpstreamBasicAuth middleware is only supported in Tyk
-    OAS API definitions.
-
-func (t *UpstreamBasicAuth) EnabledForSpec() bool
-    EnabledForSpec returns true if the middleware is enabled based on API Spec.
-
-func (t *UpstreamBasicAuth) Name() string
-    Name returns the name of middleware.
-
-func (t *UpstreamBasicAuth) ProcessRequest(_ http.ResponseWriter, r *http.Request, _ interface{}) (error, int)
-    ProcessRequest will inject basic auth info into request context so that it
-    can be used during reverse proxy.
-
-type UpstreamBasicAuthProvider struct {
-	// HeaderName is the header name to be used to fill upstream auth with.
-	HeaderName string
-	// AuthValue is the value of auth header.
-	AuthValue string
-}
-    UpstreamBasicAuthProvider implements upstream auth provider.
-
-func (u UpstreamBasicAuthProvider) Fill(r *http.Request)
-    Fill sets the request's HeaderName with AuthValue
-
-type UpstreamOAuth struct {
-	*BaseMiddleware
-}
-    UpstreamOAuth is a middleware that will do basic authentication for upstream
-    connections. UpstreamOAuth middleware is only supported in Tyk OAS API
-    definitions.
-
-func (OAuthSpec *UpstreamOAuth) EnabledForSpec() bool
-    EnabledForSpec returns true if the middleware is enabled based on API Spec.
-
-func (OAuthSpec *UpstreamOAuth) Name() string
-    Name returns the name of middleware.
-
-func (OAuthSpec *UpstreamOAuth) ProcessRequest(_ http.ResponseWriter, r *http.Request, _ interface{}) (error, int)
-    ProcessRequest will inject basic auth info into request context so that it
-    can be used during reverse proxy.
-
-type UpstreamOAuthProvider struct {
-	// HeaderName is the header name to be used to fill upstream auth with.
-	HeaderName string
-	// AuthValue is the value of auth header.
-	AuthValue string
-}
-    UpstreamOAuthProvider implements upstream auth provider.
-
-func (u UpstreamOAuthProvider) Fill(r *http.Request)
-    Fill sets the request's HeaderName with AuthValue
-
 type UptimeReportData struct {
 	URL          string
 	RequestTime  int64
@@ -11686,6 +11398,12 @@
 CONSTANTS
 
 const (
+	HashSha256    = crypto.HashSha256
+	HashMurmur32  = crypto.HashMurmur32
+	HashMurmur64  = crypto.HashMurmur64
+	HashMurmur128 = crypto.HashMurmur128
+)
+const (
 	// DefaultConn is the default connection type. Not analytics and Not cache.
 	DefaultConn = "default"
 	// CacheConn is the cache connection type
@@ -11693,26 +11411,26 @@
 	// AnalyticsConn is the analytics connection type
 	AnalyticsConn = "analytics"
 )
-const B64JSONPrefix = "ey"
-    `{"` in base64
-
-const MongoBsonIdLength = 24
 
 VARIABLES
 
 var (
+	HashStr = crypto.HashStr
+	HashKey = crypto.HashKey
+)
+var (
+	GenerateToken = crypto.GenerateToken
+	TokenHashAlgo = crypto.TokenHashAlgo
+	TokenID       = crypto.TokenID
+	TokenOrg      = crypto.TokenOrg
+)
+var (
 	// ErrRedisIsDown is returned when we can't communicate with redis
 	ErrRedisIsDown = errors.New("storage: Redis is either down or was not configured")
 
 	// ErrStorageConn is returned when we can't get a connection from the ConnectionHandler
 	ErrStorageConn = fmt.Errorf("Error trying to get singleton instance: %w", ErrRedisIsDown)
 )
-var (
-	HashSha256    = "sha256"
-	HashMurmur32  = "murmur32"
-	HashMurmur64  = "murmur64"
-	HashMurmur128 = "murmur128"
-)
 var ErrKeyNotFound = errors.New("key not found")
     ErrKeyNotFound is a standard error for when a key is not found in the
     storage engine
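Review bot: B64JSONPrefix and MongoBsonIdLength are removed from the storage package with no replacement shown, whereas the hash constants were kept as aliases into crypto (HashSha256 = crypto.HashSha256 above); if these two moved to internal/crypto as well, keep the same alias pattern so importers of storage.B64JSONPrefix do not break.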
@@ -11721,19 +11439,9 @@
 
 FUNCTIONS
 
-func GenerateToken(orgID, keyID, hashAlgorithm string) (string, error)
-    If hashing algorithm is empty, use legacy key generation
-
-func HashKey(in string, hashKey bool) string
-func HashStr(in string, withAlg ...string) string
 func NewConnector(connType string, conf config.Config) (model.Connector, error)
     NewConnector creates a new storage connection.
 
-func TokenHashAlgo(token string) string
-func TokenID(token string) (id string, err error)
-    TODO: add checks
-
-func TokenOrg(token string) string
 
 TYPES
 
@@ -12511,8 +12219,6 @@
 	ControlRequest bool `json:",omitempty"`
 }
 
-type TestCases []TestCase
-
 type TransportOption func(*http.Transport)
     Options for populating a http.Transport
 
@@ -12560,23 +12266,6 @@
 
 package coprocess // import "github.com/TykTechnologies/tyk/tests/coprocess"
 
-# Package: ./tests/policy
-
-package policy // import "github.com/TykTechnologies/tyk/tests/policy"
-
-
-CONSTANTS
-
-const DefaultOrg = "default-org-id"
-
-VARIABLES
-
-var StartTest = gateway.StartTest
-
-TYPES
-
-type APISpec = gateway.APISpec
-
 # Package: ./tests/proxy
 
 package proxy // import "github.com/TykTechnologies/tyk/tests/proxy"
@@ -13086,12 +12775,6 @@
     Clone returns a fresh copy of s
 
 func (s *SessionState) CustomPolicies() (map[string]Policy, error)
-    CustomPolicies returns a map of custom policies on the session. To preserve
-    policy order, use GetCustomPolicies instead.
-
-func (s *SessionState) GetCustomPolicies() ([]Policy, error)
-    GetCustomPolicies is like CustomPolicies but returns the list, preserving
-    order.
 
 func (s *SessionState) GetQuotaLimitByAPIID(apiID string) (int64, int64, int64, int64)
     GetQuotaLimitByAPIID return quota max, quota remaining, quota renewal rate
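Review bot: GetCustomPolicies is removed and CustomPolicies loses the doc comment that pointed to it, so callers that needed order-preserving policies have no replacement in this report. If this is not rebase drift, the removal is a breaking API change and the remaining CustomPolicies should keep a doc comment.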
@@ -13131,7 +12814,6 @@
     Reset marks the session as not modified, skipping related updates.
 
 func (s *SessionState) SetCustomPolicies(list []Policy)
-    SetCustomPolicies sets custom policies into session metadata.
 
 func (s *SessionState) SetKeyHash(hash string)
 

Contributor

github-actions bot commented Oct 8, 2024

Failed to generate code suggestions for PR

hashAlgorithm = DefaultHashAlgorithm
}

jsonToken := fmt.Sprintf(`{"org":"%s","id":"%s","h":"%s"}`, orgID, keyID, hashAlgorithm)

Check failure: Code scanning / CodeQL
Potentially unsafe quoting (Critical)
If this JSON value contains a double quote, it could break out of the enclosing quotes. (The alert is raised three times, once for each value substituted into the fmt.Sprintf template.)
Copilot Autofix AI 2 months ago

To fix the problem, we need to ensure that any user-provided data embedded in the JSON string is properly escaped. The best way to achieve this is by using a structured approach to build the JSON string, avoiding manual string concatenation. We can use the encoding/json package to marshal the data into a JSON string safely.

  • Replace the manual construction of the JSON string with a map and marshal it using json.Marshal.
  • This change should be made in the GenerateToken function in the internal/crypto/token.go file.
Suggested changeset 1
internal/crypto/token.go

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/internal/crypto/token.go b/internal/crypto/token.go
--- a/internal/crypto/token.go
+++ b/internal/crypto/token.go
@@ -33,4 +33,12 @@
 
-		jsonToken := fmt.Sprintf(`{"org":"%s","id":"%s","h":"%s"}`, orgID, keyID, hashAlgorithm)
-		return base64.StdEncoding.EncodeToString([]byte(jsonToken)), err
+		tokenData := map[string]string{
+			"org": orgID,
+			"id":  keyID,
+			"h":   hashAlgorithm,
+		}
+		jsonToken, err := json.Marshal(tokenData)
+		if err != nil {
+			return "", err
+		}
+		return base64.StdEncoding.EncodeToString(jsonToken), nil
 	}
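Review bot: the `+` return line replaces `return ..., err` with `return ..., nil`, so an `err` set earlier in the function (the removed line was still returning it) is silently discarded; keep that propagation, or show the preceding lines to confirm err is always nil at this point. The hunk also does not add an `encoding/json` import, so the file must already import it or the build fails. Finally, json.Marshal of a map emits keys in sorted order (h, id, org) rather than the original org, id, h; the token still starts with `{"` (the `ey` base64 prefix that B64JSONPrefix in the API report relies on), but TokenOrg/TokenID must parse the JSON rather than assume field positions. A struct with json tags keeps the original order.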
EOF
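To make the CodeQL finding concrete, here is an added example (not from the Tyk repository or the Copilot patch) that puts the flagged fmt.Sprintf template beside a json.Marshal version and round-trips both through a decoder. It uses a struct rather than the patch's map so the org,id,h field order, and the "ey" base64 prefix that B64JSONPrefix relies on, are preserved; the function and type names are my own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// TokenPayload mirrors the three fields the flagged fmt.Sprintf writes. A struct
// keeps the org,id,h order; json.Marshal on a map (as in the Copilot patch)
// would sort the keys to h,id,org.
type TokenPayload struct {
	Org string `json:"org"`
	ID  string `json:"id"`
	H   string `json:"h"`
}

// LegacyEncode reproduces the pattern CodeQL flagged: values are pasted into a
// JSON template, so a double quote in any value breaks out of its string.
func LegacyEncode(orgID, keyID, hashAlgorithm string) (string, error) {
	jsonToken := fmt.Sprintf(`{"org":"%s","id":"%s","h":"%s"}`, orgID, keyID, hashAlgorithm)
	return base64.StdEncoding.EncodeToString([]byte(jsonToken)), nil
}

// SafeEncode builds the same token with json.Marshal, which escapes quotes,
// backslashes and control characters in every value.
func SafeEncode(orgID, keyID, hashAlgorithm string) (string, error) {
	b, err := json.Marshal(TokenPayload{Org: orgID, ID: keyID, H: hashAlgorithm})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// Decode reverses either encoding; it rejects the legacy output whenever a
// value contained a quote, which is where the defect surfaces downstream.
func Decode(token string) (TokenPayload, error) {
	var p TokenPayload
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return p, err
	}
	err = json.Unmarshal(raw, &p)
	return p, err
}

// RoundTrips reports whether encode followed by Decode returns the original values.
func RoundTrips(encode func(org, id, h string) (string, error), org, id, h string) bool {
	tok, err := encode(org, id, h)
	if err != nil {
		return false
	}
	p, err := Decode(tok)
	return err == nil && p == TokenPayload{Org: org, ID: id, H: h}
}

func main() {
	quoted := `abc"def` // constructed key ID containing a double quote
	fmt.Println("legacy:", RoundTrips(LegacyEncode, "org1", quoted, "sha256")) // false
	fmt.Println("safe:  ", RoundTrips(SafeEncode, "org1", quoted, "sha256"))   // true
}
```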

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)
7.1% Duplication on New Code (required ≤ 3%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

