Merge pull request #293 from volterraedge/fixVtoken

fixed vulnerability issue and resource token
volterraedge · Feb 5, 2025 · 05d7e9f · 05d7e9f
2 parents 7c7da52 + 2ca5aec
commit 05d7e9f
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 27 deletions.
diff --git a/docs/resources/volterra_http_loadbalancer.md b/docs/resources/volterra_http_loadbalancer.md
@@ -719,7 +719,7 @@ More options like header manipulation, compression etc..
 
 `cookies_to_modify` - (Optional) List of cookies to be modified from the HTTP response being sent towards downstream.. See [More Option Cookies To Modify ](#more-option-cookies-to-modify) below for details.(Deprecated)
 
-`custom_errors` - (Optional) matches for a request. (`String`).
+`custom_errors` - (Optional) Map of integer error codes as keys and string values that can be used to provide custom http pages for each error code. Key of the map can be either response code class or HTTP Error code. Response code classes for key is configured as follows 3 -- for 3xx response code class, 4 -- for 4xx response code class, 5 -- for 5xx response code class. Value of the map is string which represents custom HTTP responses. Specific response code takes preference when both response code and response code class matches for a request. (`map(string)`)
 
 `disable_default_error_pages` - (Optional) Disable the use of default F5XC error pages. (`Bool`).
 

diff --git a/docs/resources/volterra_virtual_host.md b/docs/resources/volterra_virtual_host.md
@@ -84,7 +84,7 @@ Argument Reference
 
 `csrf_policy` - (Optional) CSRF is a mechanism that checks if request received at the server is from legitimate user.. See [Csrf Policy ](#csrf-policy) below for details.
 
-`custom_errors` - (Optional) these pages are not editable. User has an option to disable the use of default F5XC error pages (`String`).
+`custom_errors` - (Optional) Map of integer error codes as keys and string values that can be used to provide custom http pages for each error code. Key of the map can be either response code class or HTTP Error code. Response code classes for key is configured as follows 3 -- for 3xx response code class, 4 -- for 4xx response code class, 5 -- for 5xx response code class. Value is the uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. "Access Denied" or it can be HTML paragraph or a body string encoded as base64 string. E.g. "Access Denied". Base64 encoded string for this html is "PHA+IEFjY2VzcyBEZW5pZWQgPC9wPg==". Specific response code takes preference when both response code and response code class matches for a request. The configured custom errors are only applicable for loadbalancer generated errors. Errors returned from upstream server is propagated as is. F5XC provides default error pages for the errors generated by the loadbalancer. Content of these pages are not editable. User has an option to disable the use of default F5XC error pages (`map(string)`).
 
 ###### One of the arguments from this list "default_loadbalancer, non_default_loadbalancer" can be set
 

diff --git a/go.mod b/go.mod
@@ -177,13 +177,13 @@ require (
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect
 	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect

diff --git a/go.sum b/go.sum
@@ -497,8 +497,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI=
 golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
@@ -531,8 +531,8 @@ golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -570,12 +570,12 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

diff --git a/volterra/resource_volterra_token.go b/volterra/resource_volterra_token.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"log"
 	"strings"
+	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"gopkg.volterra.us/stdlib/client/vesapi"
@@ -133,18 +134,28 @@ func resourceVolterraTokenCreate(d *schema.ResourceData, meta interface{}) error
 		createMeta.Labels = ms
 	}
 
-	log.Printf("[DEBUG] Creating Volterra Token object with struct: %+v", createReq)
-
-	createTokenResp, err := client.CreateObject(context.Background(), ves_io_schema_token.ObjectType, createReq)
-	if err != nil {
-		return fmt.Errorf("error creating Token: %s", err)
-	}
-	if createSpec.Type == ves_io_schema_token.JWT {
-		d.SetId(createTokenResp.GetObjSpec().(*ves_io_schema_token.SpecType).GetGcSpec().GetContent())
+	getResp, _ := client.GetObject(context.Background(), ves_io_schema_token.ObjectType, namespace, name)
+	if getResp != nil {
+		if createSpec.Type == ves_io_schema_token.JWT {
+			d.SetId(getResp.GetObjSpec().(*ves_io_schema_token.SpecType).GetGcSpec().GetContent())
+		} else {
+			d.SetId(getResp.GetObjSystemMetadata().GetUid())
+		}
+		d.Set("tenant_name", getResp.GetObjSystemMetadata().GetTenant())
 	} else {
-		d.SetId(createTokenResp.GetObjSystemMetadata().GetUid())
+		log.Printf("[DEBUG] Creating Volterra Token object with struct: %+v", createReq)
+
+		createTokenResp, err := client.CreateObject(context.Background(), ves_io_schema_token.ObjectType, createReq)
+		if err != nil {
+			return fmt.Errorf("error creating Token: %s", err)
+		}
+		if createSpec.Type == ves_io_schema_token.JWT {
+			d.SetId(createTokenResp.GetObjSpec().(*ves_io_schema_token.SpecType).GetGcSpec().GetContent())
+		} else {
+			d.SetId(createTokenResp.GetObjSystemMetadata().GetUid())
+		}
+		d.Set("tenant_name", createTokenResp.GetObjSystemMetadata().GetTenant())
 	}
-	d.Set("tenant_name", createTokenResp.GetObjSystemMetadata().GetTenant())
 	return resourceVolterraTokenRead(d, meta)
 }
 
@@ -244,7 +255,7 @@ func resourceVolterraTokenDelete(d *schema.ResourceData, meta interface{}) error
 	name := d.Get("name").(string)
 	namespace := d.Get("namespace").(string)
 
-	_, err := client.GetObject(context.Background(), ves_io_schema_token.ObjectType, namespace, name)
+	getResp, err := client.GetObject(context.Background(), ves_io_schema_token.ObjectType, namespace, name)
 	if err != nil {
 		if strings.Contains(err.Error(), "status code 404") {
 			log.Printf("[INFO] Token %s no longer exists", d.Id())
@@ -254,6 +265,24 @@ func resourceVolterraTokenDelete(d *schema.ResourceData, meta interface{}) error
 		return fmt.Errorf("Error finding Volterra Token before deleting %q: %s", d.Id(), err)
 	}
 
-	log.Printf("[DEBUG] Deleting Volterra Token obj with name %+v in namespace %+v", name, namespace)
-	return client.DeleteObject(context.Background(), ves_io_schema_token.ObjectType, namespace, name)
+	creationTimeString, err := convertTimestampToString(getResp.GetObjSystemMetadata().GetCreationTimestamp())
+	if err != nil {
+		return fmt.Errorf("error converting expiration_timestamp : %s", err)
+	}
+
+	creationTime, err := time.Parse(time.RFC3339, creationTimeString)
+	if err != nil {
+		return fmt.Errorf("error parsing creation timestamp: : %s", err)
+	}
+
+	cutoffTime, err := time.Parse(time.RFC3339, "2025-01-01T00:00:00Z")
+	if err != nil {
+		return fmt.Errorf("error parsing cutoff date: : %s", err)
+	}
+
+	if creationTime.After(cutoffTime) {
+		log.Printf("[DEBUG] Deleting Volterra Token obj with name %+v in namespace %+v", name, namespace)
+		return client.DeleteObject(context.Background(), ves_io_schema_token.ObjectType, namespace, name)
+	}
+	return nil
 }