From 6614a2814dea830c1bb9313b35c6dc6b720d54c3 Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Mon, 27 Jan 2025 21:01:31 +0000
Subject: [PATCH] backport of commit 9af986907c6cc8bca2976166ff013d62bce2d011
---
 .release/security-scan.hcl | 21 +++++++++++++++
 .../repository_alias_list_resolvable.go | 26 ++++++++-----------
 internal/daemon/worker/worker.go | 1 +
 internal/scheduler/job/repository_run.go | 2 +-
 internal/scheduler/scheduler.go | 4 +--
 internal/ui/VERSION | 2 +-
 6 files changed, 37 insertions(+), 19 deletions(-)
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index da2c1a239d..db033ac545 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -5,6 +5,16 @@ container {
 dependencies = true
 alpine_secdb = true
 secrets = false
+
+ # Triage items that are _safe_ to ignore here. Note that this list should be
+ # periodically cleaned up to remove items that are no longer found by the scanner.
+ triage {
+ suppress {
+ vulnerabilities = [
+ "CVE-2024-13176", # openssl@3.3.2-r4
+ ]
+ }
+ }
 }
 binary {
@@ -13,4 +23,15 @@ binary {
 osv = true
 oss_index = true
 nvd = true
+
+ # Triage items that are _safe_ to ignore here. Note that this list should be
+ # periodically cleaned up to remove items that are no longer found by the scanner.
+ triage {
+ suppress {
+ vulnerabilities = [
+ "GO-2025-3408", # yamux@v0.1.1
+ "GHSA-29qp-crvh-w22m", # yamux@v0.1.1
+ ]
+ }
+ }
 }
diff --git a/internal/alias/target/repository_alias_list_resolvable.go b/internal/alias/target/repository_alias_list_resolvable.go
index bb7a39bec0..a9b144b8d2 100644
--- a/internal/alias/target/repository_alias_list_resolvable.go
+++ b/internal/alias/target/repository_alias_list_resolvable.go
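Review bot: The suppressions added in both hunks record only the package the finding came from (`# openssl@3.3.2-r4`, `# yamux@v0.1.1`), not why the finding is safe to ignore here or when it should be re-examined, so the "periodically cleaned up" promise in the new comment has nothing concrete to check against. Each entry should carry the reason and a review marker, e.g. `"GO-2025-3408", # yamux@v0.1.1 - <reason not exploitable here>; re-check by <date>`, and the same for `CVE-2024-13176` in the container block. If `GHSA-29qp-crvh-w22m` is the same advisory as `GO-2025-3408` under another id, say so on its line so a later cleanup removes both together.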
@@ -91,11 +91,11 @@ func (r *Repository) listResolvableAliases(ctx context.Context, permissions []pe
 var args []any
 var destinationIdClauses []string
+ var whereClause string
 switch {
 case allDescendants:
- // This matches all targets
- destinationIdClauses = append(destinationIdClauses, "destination_id in (select public_id from target)")
+ whereClause = "destination_id is not null"
 default:
 // Add orgs with all permissions on children
 if len(childAllScopes) > 0 {
@@ -118,10 +118,9 @@ func (r *Repository) listResolvableAliases(ctx context.Context, permissions []pe
 if len(destinationIdClauses) == 0 && len(childAllScopes) == 0 {
 return nil, time.Time{}, errors.New(ctx, errors.InvalidParameter, op, "no target ids or scope ids provided")
 }
+ whereClause = fmt.Sprintf("destination_id is not null and (%s)", strings.Join(destinationIdClauses, " or "))
 }
- whereClause := fmt.Sprintf("destination_id is not null and (%s)", strings.Join(destinationIdClauses, " or "))
-
 if opts.withStartPageAfterItem != nil {
 whereClause = fmt.Sprintf("(create_time, public_id) < (@last_item_create_time, @last_item_id) and %s", whereClause)
 args = append(args,
@@ -166,11 +165,11 @@ func (r *Repository) listResolvableAliasesRefresh(ctx context.Context, updatedAf
 var args []any
 var destinationIdClauses []string
+ var whereClause string
 switch {
 case allDescendants:
- // This matches all targets
- destinationIdClauses = append(destinationIdClauses, "destination_id in (select public_id from target)")
+ whereClause = fmt.Sprintf("update_time > @updated_after_time and destination_id is not null")
 default:
 // Add orgs with all permissions on children
 if len(childAllScopes) > 0 {
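Review bot: The `allDescendants` branch now treats `destination_id is not null` as equivalent to the dropped `destination_id in (select public_id from target)` subquery, which only holds if the database clears `destination_id` whenever its target is deleted; the listRemovedResolvableAliasIds hunk further down appears to rely on the same invariant (`destination_id is null`), but nothing in this file states it. A comment on the new assignment would make the assumption explicit, e.g. `// destination_id is cleared when its target is deleted, so a non-null value always names a live target.` The same applies to the listResolvableAliasesRefresh hunk below. listResolvableAliases starts and continues outside this hunk.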
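Review bot: `whereClause = fmt.Sprintf("update_time > @updated_after_time and destination_id is not null")` formats a constant with no arguments; the matching branch in listResolvableAliases above assigns a plain literal, and this one should too: `whereClause = "update_time > @updated_after_time and destination_id is not null"`. Besides the inconsistency, any `%` introduced into that string by a later edit would be silently interpreted as a verb. listResolvableAliasesRefresh continues past the end of the hunk.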
@@ -193,10 +192,9 @@ func (r *Repository) listResolvableAliasesRefresh(ctx context.Context, updatedAf
 if len(destinationIdClauses) == 0 && len(childAllScopes) == 0 {
 return nil, time.Time{}, errors.New(ctx, errors.InvalidParameter, op, "no target ids or scope ids provided")
 }
+ whereClause = fmt.Sprintf("update_time > @updated_after_time and destination_id is not null and (%s)",
+ strings.Join(destinationIdClauses, " or "))
 }
-
- whereClause := fmt.Sprintf("update_time > @updated_after_time and destination_id is not null and (%s)",
- strings.Join(destinationIdClauses, " or "))
 args = append(args,
 sql.Named("updated_after_time", timestamp.New(updatedAfter)),
 )
@@ -234,11 +232,10 @@ func (r *Repository) listRemovedResolvableAliasIds(ctx context.Context, since ti
 var args []any
 var destinationIdClauses []string
-
+ var whereClause string
 switch {
 case allDescendants:
- // This matches all targets
- destinationIdClauses = append(destinationIdClauses, "destination_id not in (select public_id from target)")
+ whereClause = "update_time > @updated_after_time and destination_id is null"
 default:
 // Add orgs with all permissions on children
 if len(childAllScopes) > 0 {
@@ -261,10 +258,9 @@ func (r *Repository) listRemovedResolvableAliasIds(ctx context.Context, since ti
 if len(destinationIdClauses) == 0 && len(childAllScopes) == 0 {
 return nil, time.Time{}, errors.New(ctx, errors.InvalidParameter, op, "no target ids or scope ids provided")
 }
+ whereClause = fmt.Sprintf("update_time > @updated_after_time and (destination_id is null or (%s))",
+ strings.Join(destinationIdClauses, " and "))
 }
-
- whereClause := fmt.Sprintf("update_time > @updated_after_time and (destination_id is null or (%s))",
- strings.Join(destinationIdClauses, " and "))
 args = append(args,
 sql.Named("updated_after_time", timestamp.New(since)),
 )
diff --git a/internal/daemon/worker/worker.go b/internal/daemon/worker/worker.go
index cade23b679..b439524b48 100644
--- a/internal/daemon/worker/worker.go
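Review bot: In the listRemovedResolvableAliasIds hunk the clauses are joined with `" and "` while both sibling functions join theirs with `" or "`, and the moved assignment keeps that difference without saying why; now that the join lives in the `default` branch, a comment there would help, e.g. `// "and": an alias is reported as removed only when it matches none of the caller's permitted destinations.` That reading is inferred from the function name and should be confirmed against how destinationIdClauses is built earlier in the function, which is outside the hunk.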
+++ b/internal/daemon/worker/worker.go
@@ -299,6 +299,7 @@ func New(ctx context.Context, conf *Config) (*Worker, error) {
 for _, enabledPlugin := range w.conf.Server.EnabledPlugins {
 switch {
 case enabledPlugin == base.EnabledPluginHostAzure && !w.conf.SkipPlugins,
+ enabledPlugin == base.EnabledPluginGCP && !w.conf.SkipPlugins,
 enabledPlugin == base.EnabledPluginAws && !w.conf.SkipPlugins:
 pluginType := strings.ToLower(enabledPlugin.String())
 client, cleanup, err := external_plugins.CreateHostPlugin(
diff --git a/internal/scheduler/job/repository_run.go b/internal/scheduler/job/repository_run.go
index b5c0eec419..a3c0803e2c 100644
--- a/internal/scheduler/job/repository_run.go
+++ b/internal/scheduler/job/repository_run.go
@@ -93,7 +93,7 @@ func (r *Repository) UpdateProgress(ctx context.Context, runId string, completed
 // Failed to update run, either it does not exist or was in an invalid state
 if err = r.LookupById(ctx, run); err != nil {
 if errors.IsNotFoundError(err) {
- return errors.Wrap(ctx, err, op, errors.WithMsg(fmt.Sprintf("job run %q does not exist", runId)))
+ return errors.Wrap(ctx, err, op, errors.WithMsg(fmt.Sprintf("job run %q does not exist", runId)), errors.WithoutEvent())
 }
 return errors.Wrap(ctx, err, op)
 }
diff --git a/internal/scheduler/scheduler.go b/internal/scheduler/scheduler.go
index 66592fe7b8..5969598a5f 100644
--- a/internal/scheduler/scheduler.go
+++ b/internal/scheduler/scheduler.go
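Review bot: The new GCP case repeats `&& !w.conf.SkipPlugins`, as the Azure and AWS cases already do; if every case of this switch carries the same guard (the rest of the switch is outside the hunk), hoisting it as `if w.conf.SkipPlugins { continue }` at the top of the loop body would leave the case list naming only the plugins. As written the line is correct, so this is a readability point. New continues well beyond this hunk.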
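Review bot: The not-found path of UpdateProgress now emits no event (`errors.WithoutEvent()`), and the scheduler hunk in this patch turns that error into a silent early exit, so a job run that disappears mid-update leaves no trace beyond the returned error string. If quieting it is intended because a deleted run is an expected outcome, say so on the line: `// A run removed out from under its job is expected and handled by the scheduler; don't emit an event.` Otherwise keep the event at a lower severity so the case stays visible in monitoring. UpdateProgress starts and continues outside this hunk.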
@@ -332,8 +332,8 @@ func (s *Scheduler) updateRunningJobProgress(ctx context.Context, j *runningJob)
 }
 status := j.status()
 _, err = repo.UpdateProgress(ctx, j.runId, status.Completed, status.Total, status.Retries)
- if errors.Match(errors.T(errors.InvalidJobRunState), err) {
- // Job has been persisted with a final run status, cancel job context to trigger early exit.
+ if errors.Match(errors.T(errors.InvalidJobRunState), err) || errors.IsNotFoundError(err) {
+ // Job has been persisted with a final run status or deleted, cancel job context to trigger early exit.
 j.cancelCtx()
 return nil
 }
diff --git a/internal/ui/VERSION b/internal/ui/VERSION
index c53f1b2250..1ecaa21395 100644
--- a/internal/ui/VERSION
+++ b/internal/ui/VERSION
@@ -1,4 +1,4 @@
-fed32aa57b1eace616c18c15647bc989b9549c39
+ae1e6d27489f3259e6622b9fdb5781a365eb5473
 # This file determines the version of the UI to embed in the boundary binary.
 # Update this file by running 'make update-ui-version' from the root of this repo.
 # Set UI_COMMITISH when running the above target to update to a specific version.
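Review bot: A run deleted while its job is executing is now cancelled silently: the `errors.IsNotFoundError(err)` branch calls `j.cancelCtx()` and returns `nil` with no log line, and the repository hunk in this patch also suppresses the error event for that case, so operators get no signal that a running job was cut short because its run vanished. A debug-level log before `j.cancelCtx()` that names `j.runId` and which of the two conditions fired would preserve that visibility at little cost. updateRunningJobProgress continues outside the hunk.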