From b7a943f0248c9c62918a1836a922df098b834fe2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 2 Jul 2026 12:36:43 +0000 Subject: [PATCH 1/4] Initial plan From 4be3ebcdcb1dec0be4c4f2c05776fddf7f22c599 Mon Sep 17 00:00:00 2001 From: Oliver Baehler Date: Thu, 2 Jul 2026 14:13:05 +0200 Subject: [PATCH 2/4] fix: hanlding panic Signed-off-by: Oliver Baehler --- .../capsule-proxy/templates/flowschema.yaml | 4 ++ go.mod | 1 - go.sum | 2 - internal/webserver/errors/panic.go | 8 ++-- internal/webserver/middleware/jwt.go | 6 +++ .../webserver/middleware/user_in_group.go | 7 ++++ internal/webserver/webserver.go | 41 ++++++++++++++++--- 7 files changed, 57 insertions(+), 12 deletions(-) diff --git a/charts/capsule-proxy/templates/flowschema.yaml b/charts/capsule-proxy/templates/flowschema.yaml index 1f7cfc61..e63579e4 100644 --- a/charts/capsule-proxy/templates/flowschema.yaml +++ b/charts/capsule-proxy/templates/flowschema.yaml @@ -40,4 +40,8 @@ spec: apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] clusterScope: true + - verbs: ["create"] + apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + clusterScope: true {{- end }} diff --git a/go.mod b/go.mod index 4be56b67..2e01cf06 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,6 @@ go 1.26.4 require ( github.com/go-logr/logr v1.4.3 github.com/golang-jwt/jwt/v5 v5.3.1 - github.com/gorilla/handlers v1.5.2 github.com/gorilla/mux v1.8.1 github.com/onsi/ginkgo/v2 v2.29.0 github.com/onsi/gomega v1.41.0 diff --git a/go.sum b/go.sum index 5f4e243c..f3adfcc7 100644 --- a/go.sum +++ b/go.sum @@ -134,8 +134,6 @@ github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 h1:EwtI+Al+DeppwYX2oX github.com/google/pprof v0.0.0-20260402051712-545e8a4df936/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= -github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= diff --git a/internal/webserver/errors/panic.go b/internal/webserver/errors/panic.go index 20f5c117..5048d0cf 100644 --- a/internal/webserver/errors/panic.go +++ b/internal/webserver/errors/panic.go @@ -27,12 +27,11 @@ func HandleUnauthorized(w http.ResponseWriter, err error, message string) { } w.Header().Set("content-type", "application/json") + w.WriteHeader(http.StatusForbidden) //nolint:errchkjson b, _ := json.Marshal(status) _, _ = w.Write(b) - - panic(message) } func HandleError(w http.ResponseWriter, err error, message string) { @@ -42,15 +41,16 @@ func HandleError(w http.ResponseWriter, err error, message string) { Kind: "Status", APIVersion: "v1", }, + Status: metav1.StatusFailure, Message: message, Reason: metav1.StatusReasonInternalError, + Code: http.StatusInternalServerError, } w.Header().Set("content-type", "application/json") + w.WriteHeader(http.StatusInternalServerError) //nolint:errchkjson b, _ := json.Marshal(status) _, _ = w.Write(b) - - panic(message) } diff --git a/internal/webserver/middleware/jwt.go b/internal/webserver/middleware/jwt.go index 77b9c50d..9ba46abf 100644 --- a/internal/webserver/middleware/jwt.go +++ b/internal/webserver/middleware/jwt.go @@ -39,15 +39,21 @@ func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc { } if err = client.Create(request.Context(), &tr); err != nil { errors.HandleError(writer, err, "cannot create TokenReview") + + return } if statusErr := tr.Status.Error; len(statusErr) > 0 { invalidatedToken.Insert(token) errors.HandleUnauthorized(writer, goerrors.New(statusErr), "cannot authenticate the token due to error") + + return } case invalidatedToken.Has(token): errors.HandleUnauthorized(writer, goerrors.New("token is invalid"), "cannot authenticate the token due to error") + + return } next.ServeHTTP(writer, request) diff --git a/internal/webserver/middleware/user_in_group.go b/internal/webserver/middleware/user_in_group.go index fc346d29..08585aff 100644 --- a/internal/webserver/middleware/user_in_group.go +++ b/internal/webserver/middleware/user_in_group.go @@ -15,6 +15,7 @@ import ( "github.com/projectcapsule/capsule-proxy/internal/controllers" req "github.com/projectcapsule/capsule-proxy/internal/request" + "github.com/projectcapsule/capsule-proxy/internal/webserver/errors" ) func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, claim string, authTypes []req.AuthType, ignoredUserGroups sets.Set[string], ignoredImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp, skipImpersonationReview bool, xfcc_header string, fn func(writer http.ResponseWriter, request *http.Request)) mux.MiddlewareFunc { @@ -30,6 +31,9 @@ func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, cl request, user, groups, err = req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header) if err != nil { log.Error(err, "Cannot retrieve username and group from request") + errors.HandleError(writer, err, "cannot retrieve user and group from the request") + + return } if slices.ContainsFunc(groups, func(group string) bool { @@ -53,6 +57,9 @@ func CheckUserInCapsuleGroupMiddleware(client client.Writer, log logr.Logger, cl request, user, groups, err := req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header) if err != nil { log.Error(err, "Cannot retrieve username and group from request") + errors.HandleError(writer, err, "cannot retrieve user and group from the request") + + return } log.V(10).Info("request groups", "groups", groups) diff --git a/internal/webserver/webserver.go b/internal/webserver/webserver.go index a4cf12fc..f94e5c54 100644 --- a/internal/webserver/webserver.go +++ b/internal/webserver/webserver.go @@ -22,7 +22,6 @@ import ( "github.com/go-logr/logr" "github.com/golang-jwt/jwt/v5" - "github.com/gorilla/handlers" "github.com/gorilla/mux" "github.com/pkg/errors" capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2" @@ -167,7 +166,7 @@ func (n *kubeFilter) NeedLeaderElection() bool { //nolint:funlen func (n *kubeFilter) Start(ctx context.Context) error { r := mux.NewRouter() - r.Use(handlers.RecoveryHandler()) + r.Use(n.recoveryMiddleware) r.Path("/_healthz").Subrouter().HandleFunc("", func(writer http.ResponseWriter, _ *http.Request) { writer.WriteHeader(http.StatusOK) @@ -350,12 +349,16 @@ func (n *kubeFilter) authorizationMiddleware(next http.Handler) http.Handler { request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header) if err != nil { server.HandleError(writer, err, "cannot retrieve user and group from the request") + + return } //nolint:contextcheck proxyTenants, err := n.getTenantsForOwner(request.Context(), username, groups) if err != nil { server.HandleError(writer, err, "cannot list Tenant resources") + + return } obj, gvk, err := n.universalDecoder.Decode(body, nil, nil) @@ -548,11 +551,15 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) { request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header) if err != nil { server.HandleError(writer, err, "cannot retrieve user and group from the request") + + return } proxyTenants, err := n.getTenantsForOwner(ctx, username, groups) if err != nil { server.HandleError(writer, err, "cannot list Tenant resources") + + return } var selector labels.Selector @@ -574,19 +581,23 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) { case err != nil: var t moderrors.Error if errors.As(err, &t) { + writer.Header().Set("Content-Type", "application/json") + if t.Status().Code > 0 { writer.WriteHeader(int(t.Status().Code)) + } else { + writer.WriteHeader(http.StatusInternalServerError) } - writer.Header().Set("Content-Type", "application/json") - b, _ := json.Marshal(t.Status()) _, _ = writer.Write(b) - panic(err.Error()) + return } server.HandleError(writer, err, err.Error()) + + return case selector == nil: // if there's no selector, let it pass to the n.impersonateHandler(writer, request) @@ -597,6 +608,26 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) { } } +func (n *kubeFilter) recoveryMiddleware(next http.Handler) http.Handler { + return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) { + defer func() { + recovered := recover() + if recovered == nil { + return + } + + if err, ok := recovered.(error); ok && errors.Is(err, http.ErrAbortHandler) { + return + } + + n.log.Error(fmt.Errorf("%v", recovered), "panic while handling request") + http.Error(writer, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) + }() + + next.ServeHTTP(writer, request) + }) +} + func (n *kubeFilter) getTenantsForOwner(ctx context.Context, username string, groups []string) (proxyTenants []*tenant.ProxyTenant, err error) { if strings.HasPrefix(username, serviceaccount.ServiceAccountUsernamePrefix) { proxyTenants, err = n.getProxyTenantsForOwnerKind(ctx, capsulerbac.ServiceAccountOwner, username) From 73c501668d7831c5c5d81f176c0daef04e8b7c06 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 2 Jul 2026 12:43:34 +0000 Subject: [PATCH 3/4] fix: address review comments - ErrUnauthorized handling, panic recovery, and JWT concurrency --- internal/webserver/middleware/jwt.go | 12 ++++++++-- .../webserver/middleware/user_in_group.go | 21 ++++++++++++++++-- internal/webserver/webserver.go | 22 +++++++++++++++---- 3 files changed, 47 insertions(+), 8 deletions(-) diff --git a/internal/webserver/middleware/jwt.go b/internal/webserver/middleware/jwt.go index 9ba46abf..78da8571 100644 --- a/internal/webserver/middleware/jwt.go +++ b/internal/webserver/middleware/jwt.go @@ -6,6 +6,7 @@ package middleware import ( "net/http" "strings" + "sync" "github.com/gorilla/mux" goerrors "github.com/pkg/errors" @@ -19,6 +20,7 @@ import ( func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc { invalidatedToken := sets.New[string]() + var mu sync.RWMutex return func(next http.Handler) http.Handler { return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) { @@ -26,8 +28,12 @@ func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc { token := strings.ReplaceAll(request.Header.Get("Authorization"), "Bearer ", "") + mu.RLock() + hasToken := invalidatedToken.Has(token) + mu.RUnlock() + switch { - case len(token) > 0 && !invalidatedToken.Has(token): + case len(token) > 0 && !hasToken: tr := authenticationv1.TokenReview{ TypeMeta: metav1.TypeMeta{ Kind: "TokenReview", @@ -44,13 +50,15 @@ func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc { } if statusErr := tr.Status.Error; len(statusErr) > 0 { + mu.Lock() invalidatedToken.Insert(token) + mu.Unlock() errors.HandleUnauthorized(writer, goerrors.New(statusErr), "cannot authenticate the token due to error") return } - case invalidatedToken.Has(token): + case hasToken: errors.HandleUnauthorized(writer, goerrors.New("token is invalid"), "cannot authenticate the token due to error") return diff --git a/internal/webserver/middleware/user_in_group.go b/internal/webserver/middleware/user_in_group.go index 08585aff..6b510c74 100644 --- a/internal/webserver/middleware/user_in_group.go +++ b/internal/webserver/middleware/user_in_group.go @@ -10,6 +10,7 @@ import ( "github.com/go-logr/logr" "github.com/gorilla/mux" + pkgerrors "github.com/pkg/errors" "k8s.io/apimachinery/pkg/util/sets" "sigs.k8s.io/controller-runtime/pkg/client" @@ -31,7 +32,15 @@ func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, cl request, user, groups, err = req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header) if err != nil { log.Error(err, "Cannot retrieve username and group from request") - errors.HandleError(writer, err, "cannot retrieve user and group from the request") + + msg := "cannot retrieve user and group from the request" + + var t *req.ErrUnauthorized + if pkgerrors.As(err, &t) { + errors.HandleUnauthorized(writer, err, msg) + } else { + errors.HandleError(writer, err, msg) + } return } @@ -57,7 +66,15 @@ func CheckUserInCapsuleGroupMiddleware(client client.Writer, log logr.Logger, cl request, user, groups, err := req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header) if err != nil { log.Error(err, "Cannot retrieve username and group from request") - errors.HandleError(writer, err, "cannot retrieve user and group from the request") + + msg := "cannot retrieve user and group from the request" + + var t *req.ErrUnauthorized + if pkgerrors.As(err, &t) { + errors.HandleUnauthorized(writer, err, msg) + } else { + errors.HandleError(writer, err, msg) + } return } diff --git a/internal/webserver/webserver.go b/internal/webserver/webserver.go index f94e5c54..492acac2 100644 --- a/internal/webserver/webserver.go +++ b/internal/webserver/webserver.go @@ -348,7 +348,14 @@ func (n *kubeFilter) authorizationMiddleware(next http.Handler) http.Handler { request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header) if err != nil { - server.HandleError(writer, err, "cannot retrieve user and group from the request") + msg := "cannot retrieve user and group from the request" + + var t *req.ErrUnauthorized + if errors.As(err, &t) { + server.HandleUnauthorized(writer, err, msg) + } else { + server.HandleError(writer, err, msg) + } return } @@ -550,7 +557,14 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) { sr.HandleFunc("", func(writer http.ResponseWriter, request *http.Request) { request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header) if err != nil { - server.HandleError(writer, err, "cannot retrieve user and group from the request") + msg := "cannot retrieve user and group from the request" + + var t *req.ErrUnauthorized + if errors.As(err, &t) { + server.HandleUnauthorized(writer, err, msg) + } else { + server.HandleError(writer, err, msg) + } return } @@ -617,11 +631,11 @@ func (n *kubeFilter) recoveryMiddleware(next http.Handler) http.Handler { } if err, ok := recovered.(error); ok && errors.Is(err, http.ErrAbortHandler) { - return + panic(err) } n.log.Error(fmt.Errorf("%v", recovered), "panic while handling request") - http.Error(writer, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) + server.HandleError(writer, fmt.Errorf("%v", recovered), "internal server error") }() next.ServeHTTP(writer, request) From ddc8f0f8dfacdecc1fb1da2355da8c1073c51586 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 2 Jul 2026 12:47:09 +0000 Subject: [PATCH 4/4] fix: use status.Code in WriteHeader for consistency in error handlers --- go.mod | 1 - go.sum | 14 +------------- internal/indexer/tenant_owner.go | 2 +- internal/webserver/errors/panic.go | 4 ++-- 4 files changed, 4 insertions(+), 17 deletions(-) diff --git a/go.mod b/go.mod index 2e01cf06..1f7f86a2 100644 --- a/go.mod +++ b/go.mod @@ -40,7 +40,6 @@ require ( github.com/emicklei/go-restful/v3 v3.13.0 // indirect github.com/evanphx/json-patch v5.7.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect - github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.10.1 // indirect github.com/fxamacker/cbor/v2 v2.9.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect diff --git a/go.sum b/go.sum index f3adfcc7..dbea28c1 100644 --- a/go.sum +++ b/go.sum @@ -22,7 +22,6 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= @@ -45,8 +44,6 @@ github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= -github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= -github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= @@ -70,8 +67,6 @@ github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.23.1 h1:1HBACs7XIwR2RcmItfdSFlALhGbe6S92p0ry4d1GWg4= github.com/go-openapi/jsonpointer v0.23.1/go.mod h1:iWRmZTrGn7XwYhtPt/fvdSFj1OfNBngqRT2UG3BxSqY= -github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE= -github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw= github.com/go-openapi/jsonreference v0.21.6 h1:NZ5nGfnaM1n4I43Xjm1e5/M2GjOwQwndQz22uhxwD+Y= github.com/go-openapi/jsonreference v0.21.6/go.mod h1:xzbgtQ3ZbWxvET3AxdzCJlJt6vkovbf+IfSPJjD0tUY= github.com/go-openapi/swag v0.26.0 h1:GVDXCmfvhfu1BxiHo8/FA+BbKmhecHnG3varjON5/RI= @@ -102,9 +97,8 @@ github.com/go-openapi/swag/yamlutils v0.26.0 h1:H7O8l/8NJJQ/oiReEN+oMpnGMyt8G0hl github.com/go-openapi/swag/yamlutils v0.26.0/go.mod h1:1evKEGAtP37Pkwcc7EWMF0hedX0/x3Rkvei2wtG/TbU= github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDNBjj74rBh0N2BGQbSR0= github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE= -github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4= -github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw= github.com/go-openapi/testify/v2 v2.5.1 h1:TMdhCaw8fUNraVSf3Omoob1dO/AzBfhtFAPW0an6sBo= +github.com/go-openapi/testify/v2 v2.5.1/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw= github.com/go-sprout/sprout v1.0.3 h1:LLuz0D3aYazgbVTOwCVuMor3LOUVYinipXRIdjA/D+I= github.com/go-sprout/sprout v1.0.3/go.mod h1:cFFzpnyGGry3cmN0UNCAM1f7AGok6vPVabeYQzBMBZY= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= @@ -205,8 +199,6 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/projectcapsule/capsule v0.13.0 h1:Ucf1eEykHKd/+ldQU+mupaLlgUiWX4RJwBlyHicWkBI= -github.com/projectcapsule/capsule v0.13.0/go.mod h1:31bHFA3xRYeh8n+uV5nmVzGu1GYkREhajY3hYe7wqYQ= github.com/projectcapsule/capsule v0.13.2 h1:MvSGvwszQWg6WrJud+USeHjeBnai0JXbrUifFaTOvY4= github.com/projectcapsule/capsule v0.13.2/go.mod h1:QuNfwc1IkAhWZyWvWTL58P/PYjpPeAf6wqKzysWNLG0= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= @@ -219,8 +211,6 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4= -github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw= github.com/prometheus/common v0.68.1 h1:omjRRl4QP4komogpXuhfeOiisQg7xdy8VM1UY+pStaY= github.com/prometheus/common v0.68.1/go.mod h1:ZzL3f6u94qUxh9p+tJTrF+FvBS1XXbbRAZCQkytAL0Y= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= @@ -386,8 +376,6 @@ k8s.io/component-base v0.36.1 h1:iG6GsELftXqTNG9HG6kiVjatSgAw1sf5pJ6R5a6N0kA= k8s.io/component-base v0.36.1/go.mod h1:nf9XPlntRdqO6WMeEWAA5F93Y4ICZQdeT9GeqLDB3JI= k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0= -k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af h1:zLXA2Irn14q2/06WMkxViyr7YCPUO2lJ0QYE9Juy5vA= -k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY= k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25 h1:mPMaPMpBij2V1Wv/fR+HW124vVGXXvOSS9ver/9yjWs= k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY= k8s.io/kubectl v0.36.1 h1:96HqS9twIdHM0MlJLTwbo14b9kUKPkOzZ4tlRDLv4qI= diff --git a/internal/indexer/tenant_owner.go b/internal/indexer/tenant_owner.go index 7a31a9eb..3f8816d1 100644 --- a/internal/indexer/tenant_owner.go +++ b/internal/indexer/tenant_owner.go @@ -1,4 +1,4 @@ -// Copyright 2020-2026 Project Capsule Authors +// Copyright 2020-2025 Project Capsule Authors // SPDX-License-Identifier: Apache-2.0 package indexer diff --git a/internal/webserver/errors/panic.go b/internal/webserver/errors/panic.go index 5048d0cf..5475c858 100644 --- a/internal/webserver/errors/panic.go +++ b/internal/webserver/errors/panic.go @@ -27,7 +27,7 @@ func HandleUnauthorized(w http.ResponseWriter, err error, message string) { } w.Header().Set("content-type", "application/json") - w.WriteHeader(http.StatusForbidden) + w.WriteHeader(int(status.Code)) //nolint:errchkjson b, _ := json.Marshal(status) @@ -48,7 +48,7 @@ func HandleError(w http.ResponseWriter, err error, message string) { } w.Header().Set("content-type", "application/json") - w.WriteHeader(http.StatusInternalServerError) + w.WriteHeader(int(status.Code)) //nolint:errchkjson b, _ := json.Marshal(status)