Merge branch 'main' into feat/explore-paranoia

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,20 +7,20 @@ assignees: ''
 
 ---
 
-**Describe the bug**
+#### Describe the bug
 
-A clear and concise description of what the bug is.
+<!-- A clear and concise description of what the bug is. -->
 
-**Expected behavior**
+#### Expected behavior
 
-A clear and concise description of what you expected to happen.
+<!-- A clear and concise description of what you expected to happen. -->
 
-**Replication info**
+#### Replication info
 
- - Rönd version:
- - Running mode: sidecar/standalone
- - policy type:
+- Rönd version:
+- Running mode: sidecar/standalone
+- policy type:
 
-**Additional context**
+#### Additional context
 
-Add any other context about the problem here.
+<!-- Add any other context about the problem here. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -7,14 +7,14 @@ assignees: ''
 
 ---
 
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+#### Is your feature request related to a problem? Please describe
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
 
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
+#### Describe the solution you'd like
+<!-- A clear and concise description of what you want to happen. -->
 
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
+#### Describe alternatives you've considered
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
 
-**Additional context**
-Add any other context or screenshots about the feature request here.
+#### Additional context
+<!-- Add any other context or screenshots about the feature request here. -->

.github/workflows/codeql-analysis.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/release.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Release
         uses: softprops/action-gh-release@v1
         with:

.github/workflows/security.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Source
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run Gosec Security Scanner
         uses: securego/gosec@master
         with:

.github/workflows/test.yml

@@ -5,45 +5,70 @@ on:
   push:
 jobs:
   tests:
-    name: Test with go version ${{ matrix.go_version }} on OS ${{matrix.os}} 
-    runs-on: ${{ matrix.os }}
+    name: Test
     strategy:
       matrix:
-        go_version: [1.19]
+        go_version: ['1.20']
         os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Use golang ${{ matrix.go_version }}
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go_version }}
       - name: Go version
         run: go version
       - name: Go get dependencies
         run: go get -v -t -d ./...
       - name: Run tests
-        run: make test
+        run: make coverage
+      - name: Send the coverage output
+        uses: shogo82148/actions-goveralls@v1
+        with:
+          path-to-profile: coverage.out
+
+  test-latest:
+    name: Test latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use golang ${{ matrix.go_version }}
+        uses: actions/setup-go@v4
+        with:
+          check-latest: true
+      - name: Go version
+        run: go version
+      - name: Go get dependencies
+        run: go get -v -t -d ./...
+      - name: Run tests
+        run: make coverage
       - name: Send the coverage output
         uses: shogo82148/actions-goveralls@v1
         with:
           path-to-profile: coverage.out
 
   bench:
-    name: Bench with go version ${{ matrix.go_version }} on OS ${{matrix.os}} 
+    name: Benchmark
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        go_version: [1.19]
+        go_version: ['1.20']
         os: [ubuntu-latest]
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go_version }}
       - name: Run benchmark
-        run: go test -bench=. -run=Bench | tee output.txt
+        run: make bench | tee output.txt
       - name: Download previous benchmark data
-        uses: actions/cache@v3
+        uses: actions/cache/restore@v3
         with:
           path: ./cache
           key: ${{ runner.os }}-benchmark
@@ -55,20 +80,37 @@ jobs:
           external-data-json-path: ./cache/benchmark-data.json
           comment-on-alert: false
           fail-on-alert: true
+      # only execute this step when cache was restored
+      # do not fail hard here, as the key might not exist
+      - name: Clear cache
+        shell: bash
+        if: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh extension install actions/gh-actions-cache
+          gh actions-cache delete '${{ runner.os }}-benchmark' --confirm
+        continue-on-error: true
+      - name: Update benchmark data
+        if: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+        uses: actions/cache/save@v3
+        with:
+          path: ./cache
+          key: ${{ runner.os }}-benchmark
 
   build:
     name: Build docker image
     needs: tests
     runs-on: ubuntu-latest
     if: ${{ startsWith(github.ref, 'refs/tags/') || github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
-    
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
-        
+        uses: actions/checkout@v4
+
       - name: Configure docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             ghcr.io/rond-authz/rond
@@ -81,35 +123,39 @@ jobs:
           labels: |
             org.opencontainers.image.documentation=https://rond-authz.io
             org.opencontainers.image.vendor=rond authz
-            
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
       - name: Docker Login to ghcr.io
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.BOT_DOCKER_USERNAME }}
           password: ${{ secrets.BOT_DOCKER_TOKEN }}
-          
+
       - name: Prepare build cache
         uses: actions/cache@v3
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-
-            
+
       - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -4,4 +4,5 @@
 *.env
 *.log*
 rond
-coverage.out
+coverage.out
+output.txt

CHANGELOG.md

@@ -1,14 +1,7 @@
-> ⚠ This file is deprecated. Releases after 1.4.3 use GitHub built-in releases to track changes ⚠
+> ⚠ <b>This file is deprecated. Releases after 1.4.3 use GitHub built-in releases to track changes</b> ⚠
 
 # CHANGELOG
 
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
-and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
-
-## Unreleased
-
 ## 1.5.0 - 19-10-2022
 
 ## 1.4.3 - 12-10-2022

CONTRIBUTING.md

@@ -49,7 +49,7 @@ sure you run benchmarks and verify that results are not affected by tour changes
 To run benchmark use:
 
 ```sh
-go test ./... -bench=. -run=Bench  -benchmem
+make bench
 ```
 
 ### Bench results

Dockerfile

@@ -1,7 +1,7 @@
 ############################
 # STEP 1 build executable binary
 ############################
-FROM golang:1.19.3 AS builder
+FROM golang:1.21.1 AS builder
 
 WORKDIR /app
 
@@ -31,7 +31,9 @@ LABEL maintainer="rond@rond-authz.io" \
   name="rond" \
   vcs.sha="$COMMIT_SHA"
 
-ENV SERVICE_VERSION="1.5.1"
+LABEL org.opencontainers.image.description "Rönd is a lightweight container that distributes security policy enforcement throughout your application."
+
+ENV SERVICE_VERSION="1.10.1"
 
 # Import the user and group files from the builder.
 COPY --from=builder /etc/passwd /etc/passwd

Makefile

@@ -16,9 +16,18 @@ mongo-start:
 
 .PHONY: test
 test: clean mongo-start
+	go test ./... -cover
+	$(MAKE) clean
+
+.PHONY: coverage
+coverage: clean mongo-start
 	go test ./... -coverprofile coverage.out
 	$(MAKE) clean
 
+.PHONY: bench
+bench: clean mongo-start
+	go test -benchmem -bench=^Bench ./... -run=^Bench
+
 .PHONY: clean
 clean:
 	docker rm mongo --force
@@ -28,5 +37,5 @@ version:
 	sed -i.bck "s|SERVICE_VERSION=\"[0-9]*.[0-9]*.[0-9]*.*\"|SERVICE_VERSION=\"${VERSION}\"|" "Dockerfile"
 	rm -fr "Dockerfile.bck"
 	git add "Dockerfile"
-	git commit -m "Upgrade version to v${VERSION}"
+	git commit -m "v${VERSION}"
 	git tag v${VERSION}

README.md

@@ -43,8 +43,11 @@ Rönd natively allows you to build an RBAC solution based on Roles and Bindings
 
 Here is a list of awesome people using Rönd, if you're using it but do not appear in this list feel free to open a PR!
 
- * [Mia-Platform](https://mia-platform.eu)
+ * [Cattolica Assicurazioni](https://www.cattolica.it/)
+ * [MDConcierge](https://www.mdconcierge.it/)
  * [Mia-Care](https://mia-care.io/)
+ * [Mia-Platform](https://mia-platform.eu)
+ * [PreviDigital](https://previdigital.com/)
 
 ## Local development
 
@@ -56,7 +59,15 @@ For local development you need to have Go installed locally, checkout the [go.mo
 make test
 ```
 
-Please note that in order to run tests you need Docker to be installed, since tests need a local instance of MongoDB to be up and running `make tests` takes care of it by creating a new `mongo` container.
+Please note that in order to run tests you need Docker to be installed; tests need a local instance of MongoDB to be up and running, the `make test` command will take care of it by creating a new `mongodb` container. The container is auomatically removed at the end of tests; if it remains leaked simply run `make clean`.
+
+#### With coverage
+
+To run test with coverage file in output, run
+
+```sh
+make coverage
+```
 
 ### Contributing