krakend · kpacha · Jul 15, 2024 · Jul 4, 2024 · Jul 15, 2024
diff --git a/audit.go b/audit.go
@@ -155,4 +155,7 @@ var ruleSet = []Rule{
 	NewRule("7.2.1", SeverityHigh, "Avoid using deprecated component telemetry/ganalytics. Please visit https://www.krakend.io/docs/telemetry/opentelemetry/ to upgrade to OpenTelemetry", hasDeprecatedGanalytics),
 	NewRule("7.2.2", SeverityHigh, "Avoid using deprecated component telemetry/instana. Please visit https://www.krakend.io/docs/telemetry/opentelemetry/ to upgrade to OpenTelemetry", hasDeprecatedInstana),
 	NewRule("7.2.3", SeverityHigh, "Avoid using deprecated component telemetry/opencensus. Please visit https://www.krakend.io/docs/telemetry/opencensus/#transition-from-opencensus to upgrade to OpenTelemetry", hasDeprecatedOpenCensus),
+
+	// 7.3 Config field deprectaions
+	NewRule("7.3.1", SeverityMedium, "Avoid using 'private_key' and 'public_key' and use the 'keys' array.", hasDeprecatedTLSPrivPubKey),
 }
diff --git a/audit_example_test.go b/audit_example_test.go
@@ -47,5 +47,6 @@ func ExampleAudit() {
 	// 16: 5.1.7 MEDIUM  	Avoid using sequential proxy.
 	// 17: 7.1.3 HIGH  	Avoid using deprecated plugin basic-auth. Please move your configuration to the namespace auth/basic to use the new component. See: https://www.krakend.io/docs/enterprise/authentication/basic-authentication/ .
 	// 18: 7.1.7 HIGH  	Avoid using deprecated plugin no-redirect. Please visit https://www.krakend.io/docs/enterprise/backends/client-redirect/#migration-from-old-plugin to upgrade to the new options.
+	// 19: 7.3.1 MEDIUM  	Avoid using 'private_key' and 'public_key' and use the 'keys' array.
 
 }
diff --git a/audit_test.go b/audit_test.go
@@ -40,6 +40,7 @@ func TestAudit_all(t *testing.T) {
 			// "5.2.2", -- we added multiple backends to the test to check for multiple unsafe methods
 			"7.1.3", // deprecated server plugin basic auth
 			"7.1.7", // deprecated client plugin no-redirect
+			"7.3.1", // deprecated TLS private_key and public_key
 		},
 		levels: []string{SeverityCritical, SeverityHigh, SeverityMedium, SeverityLow},
 	}
@@ -78,6 +79,7 @@ func TestAudit_exclude(t *testing.T) {
 			// "5.2.2", -- we added multiple backends to the test to check for multiple unsafe methods
 			"7.1.3", // deprecated plugin basic-auth
 			"7.1.7", // deprecated client plugin no-redirect
+			"7.3.1", // deprecated TLS private_key and public_key
 		},
 		exclude: []string{"1.1.1", "1.1.2"},
 		levels:  []string{SeverityCritical, SeverityHigh, SeverityMedium, SeverityLow},

diff --git a/go.mod b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/krakendio/krakend-ratelimit/v3 v3.1.0
 	github.com/krakendio/krakend-rss/v2 v2.0.1
 	github.com/krakendio/krakend-xml/v2 v2.1.0
-	github.com/luraproject/lura/v2 v2.4.2
+	github.com/luraproject/lura/v2 v2.7.0
 	github.com/mitchellh/mapstructure v1.5.0
 )
 
@@ -122,11 +122,11 @@ require (
 	gocloud.dev v0.34.0 // indirect
 	gocloud.dev/secrets/hashivault v0.34.0 // indirect
 	golang.org/x/arch v0.6.0 // indirect
-	golang.org/x/crypto v0.15.0 // indirect
-	golang.org/x/net v0.18.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/oauth2 v0.14.0 // indirect
 	golang.org/x/sync v0.5.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.4.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
@@ -136,7 +136,7 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/Graylog2/go-gelf.v2 v2.0.0-20191017102106-1550ee647df0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

diff --git a/go.sum b/go.sum
@@ -228,8 +228,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
 github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
-github.com/luraproject/lura/v2 v2.4.2 h1:Tv4Bbl3J+nW4v8kln57+kScZSsfqnB7UGd3YGPpCcw4=
-github.com/luraproject/lura/v2 v2.4.2/go.mod h1:GaJ74BcWX1iqAm2+byZ2tjI710XOEjeSRGEDtvbboUw=
+github.com/luraproject/lura/v2 v2.7.0 h1:9s4Pt56zBfZMLRW+igfa3tWxJJXpOcEnmVpWUkDyr3s=
+github.com/luraproject/lura/v2 v2.7.0/go.mod h1:D0+LPLJAuT9DcfjB4xvVMCnKmAMQikdbcXmYLdmEA6A=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@@ -319,8 +319,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -340,8 +340,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
 golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
@@ -370,8 +370,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -433,8 +433,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/Graylog2/go-gelf.v2 v2.0.0-20191017102106-1550ee647df0 h1:Xg23ydYYJLmb9AK3XdcEpplHZd1MpN3X2ZeeMoBClmY=
 gopkg.in/Graylog2/go-gelf.v2 v2.0.0-20191017102106-1550ee647df0/go.mod h1:CeDeqW4tj9FrgZXF/dQCWZrBdcZWWBenhJtxLH4On2g=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

diff --git a/parser.go b/parser.go
@@ -61,6 +61,9 @@ func Parse(cfg *config.ServiceConfig) Service {
 		if len(cfg.TLS.CaCerts) > 0 {
 			v1 = addBit(v1, ServiceTLSCaCerts)
 		}
+		if cfg.TLS.PublicKey != "" || cfg.TLS.PrivateKey != "" {
+			v1 = addBit(v1, ServiceTLSPrivPubKey)
+		}
 	}
 
 	if cfg.Echo {

diff --git a/parser_example_test.go b/parser_example_test.go
@@ -21,7 +21,7 @@ func ExampleParse() {
 	fmt.Println("components:", result.Components)
 
 	// output:
-	// details: [3124]
+	// details: [7220]
 	// agents: []
 	// endpoints: [{[2 0 0 140000 0 0] [{[64] map[]}] map[github.com/devopsfaith/krakend-jose/validator:[]]} {[2 1 1 10000 7 0] [{[64] map[backend/http/client:[3]]}] map[github.com/devopsfaith/krakend/transport/http/client/executor:[1]]} {[2 0 0 10000 8 2] [{[64] map[]} {[64] map[]} {[64] map[]}] map[github.com/devopsfaith/krakend/proxy:[1]]}]
 	// components: map[auth/api-keys:[] github_com/devopsfaith/krakend/transport/http/server/handler:[4] github_com/luraproject/lura/router/gin:[262144] grpc:[1] qos/ratelimit/service:[] telemetry/opentelemetry:[50 100 1 2 1]]

diff --git a/parser_test.go b/parser_test.go
@@ -57,7 +57,7 @@ func TestParse(t *testing.T) {
 		return
 	}
 
-	if result.Details[0] != 4028 {
+	if result.Details[0] != 8124 {
 		t.Errorf("unexpected service details. have: %d, want: 4028", result.Details[0])
 	}
 

diff --git a/rules.go b/rules.go
@@ -341,6 +341,10 @@ func hasDeprecatedOpenCensus(s *Service) bool {
 	return ok
 }
 
+func hasDeprecatedTLSPrivPubKey(s *Service) bool {
+	return hasBit(s.Details[0], ServiceTLSPrivPubKey)
+}
+
 func hasNoLogging(s *Service) bool {
 	_, ok1 := s.Components[gologging.Namespace]
 	_, ok2 := s.Components[gelf.Namespace]

diff --git a/service.go b/service.go
@@ -111,6 +111,7 @@ const (
 	ServiceTLSCaCerts
 	ServiceEcho
 	ServiceUseH2C
+	ServiceTLSPrivPubKey
 )
 
 const (
-Original file line number
+Diff line change
@@ Expand Up / @@ -57,7 +57,7 @@ func TestParse(t *testing.T) { @@
     		return
     	}
-    	if result.Details[0] != 4028 {
+    	if result.Details[0] != 8124 {
     		t.Errorf("unexpected service details. have: %d, want: 4028", result.Details[0])
     	}
@@ Expand Down @@