4 changes: 4 additions & 0 deletions charts/capsule-proxy/templates/flowschema.yaml
Expand Up @@ -40,4 +40,8 @@ spec:
apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
clusterScope: true
- verbs: ["create"]
apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
clusterScope: true
{{- end }}
2 changes: 0 additions & 2 deletions go.mod
Expand Up @@ -5,7 +5,6 @@ go 1.26.4
require (
github.com/go-logr/logr v1.4.3
github.com/golang-jwt/jwt/v5 v5.3.1
github.com/gorilla/handlers v1.5.2
github.com/gorilla/mux v1.8.1
github.com/onsi/ginkgo/v2 v2.29.0
github.com/onsi/gomega v1.41.0
Expand Down Expand Up @@ -41,7 +40,6 @@ require (
github.com/emicklei/go-restful/v3 v3.13.0 // indirect
github.com/evanphx/json-patch v5.7.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.11 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.10.1 // indirect
github.com/fxamacker/cbor/v2 v2.9.2 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
16 changes: 1 addition & 15 deletions go.sum
Expand Up @@ -22,7 +22,6 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
Expand All @@ -45,8 +44,6 @@ github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ
github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
Expand All @@ -70,8 +67,6 @@ github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
github.com/go-openapi/jsonpointer v0.23.1 h1:1HBACs7XIwR2RcmItfdSFlALhGbe6S92p0ry4d1GWg4=
github.com/go-openapi/jsonpointer v0.23.1/go.mod h1:iWRmZTrGn7XwYhtPt/fvdSFj1OfNBngqRT2UG3BxSqY=
github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE=
github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
github.com/go-openapi/jsonreference v0.21.6 h1:NZ5nGfnaM1n4I43Xjm1e5/M2GjOwQwndQz22uhxwD+Y=
github.com/go-openapi/jsonreference v0.21.6/go.mod h1:xzbgtQ3ZbWxvET3AxdzCJlJt6vkovbf+IfSPJjD0tUY=
github.com/go-openapi/swag v0.26.0 h1:GVDXCmfvhfu1BxiHo8/FA+BbKmhecHnG3varjON5/RI=
Expand Down Expand Up @@ -102,9 +97,8 @@ github.com/go-openapi/swag/yamlutils v0.26.0 h1:H7O8l/8NJJQ/oiReEN+oMpnGMyt8G0hl
github.com/go-openapi/swag/yamlutils v0.26.0/go.mod h1:1evKEGAtP37Pkwcc7EWMF0hedX0/x3Rkvei2wtG/TbU=
github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDNBjj74rBh0N2BGQbSR0=
github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE=
github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4=
github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
github.com/go-openapi/testify/v2 v2.5.1 h1:TMdhCaw8fUNraVSf3Omoob1dO/AzBfhtFAPW0an6sBo=
github.com/go-openapi/testify/v2 v2.5.1/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
github.com/go-sprout/sprout v1.0.3 h1:LLuz0D3aYazgbVTOwCVuMor3LOUVYinipXRIdjA/D+I=
github.com/go-sprout/sprout v1.0.3/go.mod h1:cFFzpnyGGry3cmN0UNCAM1f7AGok6vPVabeYQzBMBZY=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
Expand Down Expand Up @@ -134,8 +128,6 @@ github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 h1:EwtI+Al+DeppwYX2oX
github.com/google/pprof v0.0.0-20260402051712-545e8a4df936/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
Expand Down Expand Up @@ -207,8 +199,6 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/projectcapsule/capsule v0.13.0 h1:Ucf1eEykHKd/+ldQU+mupaLlgUiWX4RJwBlyHicWkBI=
github.com/projectcapsule/capsule v0.13.0/go.mod h1:31bHFA3xRYeh8n+uV5nmVzGu1GYkREhajY3hYe7wqYQ=
github.com/projectcapsule/capsule v0.13.2 h1:MvSGvwszQWg6WrJud+USeHjeBnai0JXbrUifFaTOvY4=
github.com/projectcapsule/capsule v0.13.2/go.mod h1:QuNfwc1IkAhWZyWvWTL58P/PYjpPeAf6wqKzysWNLG0=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
Expand All @@ -221,8 +211,6 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw
github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
github.com/prometheus/common v0.68.1 h1:omjRRl4QP4komogpXuhfeOiisQg7xdy8VM1UY+pStaY=
github.com/prometheus/common v0.68.1/go.mod h1:ZzL3f6u94qUxh9p+tJTrF+FvBS1XXbbRAZCQkytAL0Y=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
Expand Down Expand Up @@ -388,8 +376,6 @@ k8s.io/component-base v0.36.1 h1:iG6GsELftXqTNG9HG6kiVjatSgAw1sf5pJ6R5a6N0kA=
k8s.io/component-base v0.36.1/go.mod h1:nf9XPlntRdqO6WMeEWAA5F93Y4ICZQdeT9GeqLDB3JI=
k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af h1:zLXA2Irn14q2/06WMkxViyr7YCPUO2lJ0QYE9Juy5vA=
k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY=
k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25 h1:mPMaPMpBij2V1Wv/fR+HW124vVGXXvOSS9ver/9yjWs=
k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY=
k8s.io/kubectl v0.36.1 h1:96HqS9twIdHM0MlJLTwbo14b9kUKPkOzZ4tlRDLv4qI=
2 changes: 1 addition & 1 deletion internal/indexer/tenant_owner.go
@@ -1,4 +1,4 @@
// Copyright 2020-2026 Project Capsule Authors
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0

package indexer
8 changes: 4 additions & 4 deletions internal/webserver/errors/panic.go
Expand Up @@ -27,12 +27,11 @@ func HandleUnauthorized(w http.ResponseWriter, err error, message string) {
}

w.Header().Set("content-type", "application/json")
w.WriteHeader(int(status.Code))

//nolint:errchkjson
b, _ := json.Marshal(status)
_, _ = w.Write(b)

panic(message)
}

func HandleError(w http.ResponseWriter, err error, message string) {
Expand All @@ -42,15 +41,16 @@ func HandleError(w http.ResponseWriter, err error, message string) {
Kind: "Status",
APIVersion: "v1",
},
Status: metav1.StatusFailure,
Message: message,
Reason: metav1.StatusReasonInternalError,
Code: http.StatusInternalServerError,
}

w.Header().Set("content-type", "application/json")
w.WriteHeader(int(status.Code))

//nolint:errchkjson
b, _ := json.Marshal(status)
_, _ = w.Write(b)

panic(message)
}
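Review bot: HandleError and HandleUnauthorized are exported but carry no doc comment, and their termination contract appears to change here (the `panic(message)` line reads as removed, which matches the `return` statements this same commit adds after every call site), which is exactly what the next caller needs to be told. Suggest `// HandleError writes err as a JSON metav1.Status with HTTP 500 and returns; the caller must stop handling the request itself.` and the 401 equivalent on HandleUnauthorized. Whether err or only message ends up in the Status body is decided above this hunk and is not visible here; if err is echoed, the client sees internal error text, and the doc comment should say so either way. HandleUnauthorized's body begins outside the first hunk.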
18 changes: 16 additions & 2 deletions internal/webserver/middleware/jwt.go
Expand Up @@ -6,6 +6,7 @@ package middleware
import (
"net/http"
"strings"
"sync"

"github.com/gorilla/mux"
goerrors "github.com/pkg/errors"
Expand All @@ -19,15 +20,20 @@ import (

func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc {
invalidatedToken := sets.New[string]()
var mu sync.RWMutex

return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
var err error

token := strings.ReplaceAll(request.Header.Get("Authorization"), "Bearer ", "")

mu.RLock()
hasToken := invalidatedToken.Has(token)
mu.RUnlock()

switch {
case len(token) > 0 && !invalidatedToken.Has(token):
case len(token) > 0 && !hasToken:
tr := authenticationv1.TokenReview{
TypeMeta: metav1.TypeMeta{
Kind: "TokenReview",
Expand All @@ -39,15 +45,23 @@ func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc {
}
if err = client.Create(request.Context(), &tr); err != nil {
errors.HandleError(writer, err, "cannot create TokenReview")

return
}

if statusErr := tr.Status.Error; len(statusErr) > 0 {
mu.Lock()
invalidatedToken.Insert(token)
mu.Unlock()

errors.HandleUnauthorized(writer, goerrors.New(statusErr), "cannot authenticate the token due to error")

return
}
case invalidatedToken.Has(token):
case hasToken:
errors.HandleUnauthorized(writer, goerrors.New("token is invalid"), "cannot authenticate the token due to error")

return
}

next.ServeHTTP(writer, request)
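Review bot: `invalidatedToken` now has a lock but still no bound or expiry: every distinct bearer string that fails TokenReview is added at `invalidatedToken.Insert(token)` and kept for the life of the process, so an unauthenticated client sending fresh strings can grow the set without limit. A size cap or TTL-based eviction would close that, and the intent is worth stating on the declaration with `// negative cache of bearer tokens rejected by TokenReview; unbounded, every distinct failed token is retained`. The RLock around `Has` and the Lock around `Insert` are correct as written, and the lookup-then-insert gap only costs an extra TokenReview, not correctness. CheckJWTMiddleware's closing lines lie outside the hunk.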
24 changes: 24 additions & 0 deletions internal/webserver/middleware/user_in_group.go
Expand Up @@ -10,11 +10,13 @@ import (

"github.com/go-logr/logr"
"github.com/gorilla/mux"
pkgerrors "github.com/pkg/errors"
"k8s.io/apimachinery/pkg/util/sets"
"sigs.k8s.io/controller-runtime/pkg/client"

"github.com/projectcapsule/capsule-proxy/internal/controllers"
req "github.com/projectcapsule/capsule-proxy/internal/request"
"github.com/projectcapsule/capsule-proxy/internal/webserver/errors"
)

func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, claim string, authTypes []req.AuthType, ignoredUserGroups sets.Set[string], ignoredImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp, skipImpersonationReview bool, xfcc_header string, fn func(writer http.ResponseWriter, request *http.Request)) mux.MiddlewareFunc {
Expand All @@ -30,6 +32,17 @@ func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, cl
request, user, groups, err = req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header)
if err != nil {
log.Error(err, "Cannot retrieve username and group from request")

msg := "cannot retrieve user and group from the request"

var t *req.ErrUnauthorized
if pkgerrors.As(err, &t) {
errors.HandleUnauthorized(writer, err, msg)
} else {
errors.HandleError(writer, err, msg)
}

return
}

if slices.ContainsFunc(groups, func(group string) bool {
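Review bot: The seven-line 401/500 dispatch added after `log.Error(err, "Cannot retrieve username and group from request")` is pasted verbatim in this hunk, again in the next hunk of this file (CheckUserInCapsuleGroupMiddleware), and twice more in internal/webserver/webserver.go; one helper keeps the decision of which errors map to 401 in a single place. The error is also logged here and then handed to the handler that renders it, so it is reported at two layers; keeping the one that carries the request context is enough. Whether `*req.ErrUnauthorized` is the right target type for errors.As depends on how ResolveUserAndGroups constructs it, which is not visible here. The enclosing closures begin before the hunk.
```go
// handleResolveError renders err as 401 when it is a req.ErrUnauthorized and as 500 otherwise.
func handleResolveError(writer http.ResponseWriter, err error) {
	msg := "cannot retrieve user and group from the request"

	var t *req.ErrUnauthorized
	if pkgerrors.As(err, &t) {
		errors.HandleUnauthorized(writer, err, msg)

		return
	}

	errors.HandleError(writer, err, msg)
}

// … unchanged: middleware body up to ResolveUserAndGroups …
if err != nil {
	log.Error(err, "Cannot retrieve username and group from request")
	handleResolveError(writer, err)

	return
}
```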
Expand All @@ -53,6 +66,17 @@ func CheckUserInCapsuleGroupMiddleware(client client.Writer, log logr.Logger, cl
request, user, groups, err := req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header)
if err != nil {
log.Error(err, "Cannot retrieve username and group from request")

msg := "cannot retrieve user and group from the request"

var t *req.ErrUnauthorized
if pkgerrors.As(err, &t) {
errors.HandleUnauthorized(writer, err, msg)
} else {
errors.HandleError(writer, err, msg)
}

return
}

log.V(10).Info("request groups", "groups", groups)
59 changes: 52 additions & 7 deletions internal/webserver/webserver.go
Expand Up @@ -22,7 +22,6 @@ import (

"github.com/go-logr/logr"
"github.com/golang-jwt/jwt/v5"
"github.com/gorilla/handlers"
"github.com/gorilla/mux"
"github.com/pkg/errors"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
Expand Down Expand Up @@ -167,7 +166,7 @@ func (n *kubeFilter) NeedLeaderElection() bool {
//nolint:funlen
func (n *kubeFilter) Start(ctx context.Context) error {
r := mux.NewRouter()
r.Use(handlers.RecoveryHandler())
r.Use(n.recoveryMiddleware)

r.Path("/_healthz").Subrouter().HandleFunc("", func(writer http.ResponseWriter, _ *http.Request) {
writer.WriteHeader(http.StatusOK)
Expand Down Expand Up @@ -349,13 +348,24 @@ func (n *kubeFilter) authorizationMiddleware(next http.Handler) http.Handler {

request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header)
if err != nil {
server.HandleError(writer, err, "cannot retrieve user and group from the request")
msg := "cannot retrieve user and group from the request"

var t *req.ErrUnauthorized
if errors.As(err, &t) {
server.HandleUnauthorized(writer, err, msg)
} else {
server.HandleError(writer, err, msg)
}

return
}

//nolint:contextcheck
proxyTenants, err := n.getTenantsForOwner(request.Context(), username, groups)
if err != nil {
server.HandleError(writer, err, "cannot list Tenant resources")

return
}

obj, gvk, err := n.universalDecoder.Decode(body, nil, nil)
Expand Down Expand Up @@ -547,12 +557,23 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
sr.HandleFunc("", func(writer http.ResponseWriter, request *http.Request) {
request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header)
if err != nil {
server.HandleError(writer, err, "cannot retrieve user and group from the request")
msg := "cannot retrieve user and group from the request"

var t *req.ErrUnauthorized
if errors.As(err, &t) {
server.HandleUnauthorized(writer, err, msg)
} else {
server.HandleError(writer, err, msg)
}

return
}

proxyTenants, err := n.getTenantsForOwner(ctx, username, groups)
if err != nil {
server.HandleError(writer, err, "cannot list Tenant resources")

return
}

var selector labels.Selector
Expand All @@ -574,19 +595,23 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
case err != nil:
var t moderrors.Error
if errors.As(err, &t) {
writer.Header().Set("Content-Type", "application/json")

if t.Status().Code > 0 {
writer.WriteHeader(int(t.Status().Code))
} else {
writer.WriteHeader(http.StatusInternalServerError)
}

writer.Header().Set("Content-Type", "application/json")

b, _ := json.Marshal(t.Status())
_, _ = writer.Write(b)

panic(err.Error())
return
}

server.HandleError(writer, err, err.Error())

return
case selector == nil:
// if there's no selector, let it pass to the
n.impersonateHandler(writer, request)
Expand All @@ -597,6 +622,26 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
}
}

func (n *kubeFilter) recoveryMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
defer func() {
recovered := recover()
if recovered == nil {
return
}

if err, ok := recovered.(error); ok && errors.Is(err, http.ErrAbortHandler) {
panic(err)
}

n.log.Error(fmt.Errorf("%v", recovered), "panic while handling request")
server.HandleError(writer, fmt.Errorf("%v", recovered), "internal server error")
}()

next.ServeHTTP(writer, request)
})
}

func (n *kubeFilter) getTenantsForOwner(ctx context.Context, username string, groups []string) (proxyTenants []*tenant.ProxyTenant, err error) {
if strings.HasPrefix(username, serviceaccount.ServiceAccountUsernamePrefix) {
proxyTenants, err = n.getProxyTenantsForOwnerKind(ctx, capsulerbac.ServiceAccountOwner, username)
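Review bot: recoveryMiddleware drops the stack trace: `n.log.Error(fmt.Errorf("%v", recovered), "panic while handling request")` records only the panic value, which is too little to locate a crash after the fact, and the same error is built twice. Log `debug.Stack()` (runtime/debug) as a field, construct the error once, and add `// recoveryMiddleware turns a handler panic into a logged 500; http.ErrAbortHandler is re-raised so net/http can abort the connection.` above the method. Whether the panic text also reaches the client depends on what server.HandleError puts in the Status body, which is outside this section; the detail belongs in the log and only a generic message in the response. If the panicking handler had already called WriteHeader, HandleError's own WriteHeader is a no-op and the JSON is appended to a partial body, which is a caveat rather than a regression. getTenantsForOwner at the end of the hunk continues outside it.
```go
// … unchanged: recover() and http.ErrAbortHandler re-panic …

// Stack goes to the log only; the client gets a generic 500.
panicErr := fmt.Errorf("%v", recovered)
n.log.Error(panicErr, "panic while handling request",
	"method", request.Method, "path", request.URL.Path, "stack", string(debug.Stack()))
server.HandleError(writer, panicErr, "internal server error")
```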