diff --git a/.github/workflows/agent.yml b/.github/workflows/agent.yml
index b3e5e3bb..8fe08039 100644
--- a/.github/workflows/agent.yml
+++ b/.github/workflows/agent.yml
@@ -18,6 +18,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: '1.24.0'
@@ -31,6 +33,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: '1.24.0'
@@ -46,6 +50,8 @@ jobs: HADOLINT_RECURSIVE: "true" steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Lint dockerfiles uses: hadolint/hadolint-action@v2.0.0 with:
@@ -59,6 +65,8 @@ jobs: COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: '1.24.0'
@@ -78,29 +86,12 @@ jobs: go install github.com/mattn/goveralls@latest goveralls -coverprofile=coverage.txt -service=github - tests_sourceclear: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-go@v3 - with: - go-version: '1.24.0' - check-latest: true - - name: sourceclear - env: - SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }} - run: | - make -e setup build - curl -sSL https://download.sourceclear.com/ci.sh | bash -s – scan - - name: run - run: | - make -e setup build - go get -v -d ./... - tests_windows_build_ps1: runs-on: windows-2022 steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: windows build.ps1 test id: windows_build shell: pwsh
@@ -117,6 +108,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: '1.24.0'
@@ -147,6 +140,7 @@ jobs: with: submodules: true fetch-depth: 0 + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: '1.24.0'
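Review bot: The `actions/checkout@v3` step that gains `persist-credentials: false` here is still selected by a mutable tag, so the token hardening this hunk adds does not cover the case where the tag is re-pointed; pinning to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<commit-sha>  # v4`) is the conventional fix, and the same applies to `actions/setup-go@v3` and to every other checkout step touched in this file and in integration_test.yml. Both actions at v3 predate the runner's Node 20 migration, so a major-version bump presumably belongs in the same change; confirm against GitHub's current deprecation notices. Each job definition that these hunks edit starts above the hunk.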
@@ -179,6 +173,7 @@ jobs: with: submodules: true fetch-depth: 0 + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: '1.24.0'
@@ -190,6 +185,7 @@ jobs: repository: 'optimizely/travisci-tools' path: 'home/runner/travisci-tools' ref: 'master' + persist-credentials: false - name: Get the version id: get_version run: echo "VERSION=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
@@ -250,6 +246,8 @@ jobs: TARGET: windows-amd64 steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: '1.24.0'
@@ -261,6 +259,7 @@ jobs: repository: 'optimizely/travisci-tools' path: 'home/runner/travisci-tools' ref: 'master' + persist-credentials: false - name: Get the version id: get_version run: echo "VERSION=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
index 7f518df2..6fa1ff8c 100644
--- a/.github/workflows/integration_test.yml
+++ b/.github/workflows/integration_test.yml
@@ -19,6 +19,7 @@ jobs: repository: 'optimizely/travisci-tools' path: 'home/runner/travisci-tools' ref: 'master' + persist-credentials: false - name: set SDK Branch if PR if: ${{ github.event_name == 'pull_request' }} run: |
diff --git a/Makefile b/Makefile
index ec8e4b4e..e8b90012 100644
--- a/Makefile
+++ b/Makefile
@@ -100,6 +100,6 @@ test-acceptance:
 make setup && \
 make run & \
 bash scripts/wait_for_agent_to_start.sh && \
-pytest -vv -rA --diff-symbols tests/acceptance/test_acceptance/ \
+pytest -vv -rA tests/acceptance/test_acceptance/ \
 -k "not test_decide__feature_no_ups and not test_decide__flag_key_parameter_no_ups" --host "$(MYHOST)" && \
 make stop
diff --git a/api/openapi-spec/openapi.yaml b/api/openapi-spec/openapi.yaml
index 9b0dd3e4..00e63a3b 100644
--- a/api/openapi-spec/openapi.yaml
+++ b/api/openapi-spec/openapi.yaml
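Review bot: The `optimizely/travisci-tools` checkout that gains `persist-credentials: false` in the `@@ -190` hunk, in the `@@ -261` hunk and in the integration_test.yml hunk still tracks `ref: 'master'`, a mutable branch, so whatever scripts the release jobs pull from that repository can change under the workflow without review here; pinning `ref` to a commit SHA, or to a tag that is moved deliberately, gives the same integrity property the credential change is after. The `@@ -147` and `@@ -179` hunks disable credential persistence on checkouts that use `submodules: true`; the checkout step itself still authenticates, but any later step in those jobs that runs git against a private remote would now need an explicit token, and those later steps lie outside the hunks, so confirm none does. The enclosing job definitions start above each hunk.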
@@ -84,6 +84,7 @@ paths: schema: oneOf: - type: array + maxItems: 1000000 items: $ref: '#/components/schemas/OptimizelyDecision' - $ref: '#/components/schemas/OptimizelyDecision'
@@ -263,6 +264,7 @@ paths: explode: true schema: type: array + maxItems: 1000000 items: type: string - name: experimentKey
@@ -272,6 +274,7 @@ paths: explode: true schema: type: array + maxItems: 1000000 items: type: string - name: disableTracking
@@ -311,6 +314,7 @@ paths: application/json: schema: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/Decision' description: ''
@@ -421,6 +425,10 @@ paths: application/json: {} deprecated: false components: + # Note: maxItems values throughout this spec are set to 1000000 to satisfy security + # scanning requirements (Arnica/Prisma). These limits are for documentation purposes + # only and are NOT enforced at runtime by Agent. Actual DoS protection is handled + # by infrastructure-level controls (load balancers, rate limiting, timeouts). requestBodies: ActivateContext: required: true
@@ -555,6 +563,7 @@ components: type: string experimentIds: type: array + maxItems: 1000000 items: type: string description: ''
@@ -571,11 +580,13 @@ components: type: string experimentRules: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/OptimizelyExperiment' description: '' deliveryRules: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/OptimizelyExperiment' description: ''
@@ -635,6 +646,7 @@ components: $ref: '#/components/schemas/UserContext' reasons: type: array + maxItems: 1000000 items: type: string description: ''
@@ -660,6 +672,7 @@ components: type: string messages: type: array + maxItems: 1000000 items: type: string description: ''
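Review bot: `maxItems: 1000000` is effectively unbounded for a decision response, so the bound added here and in the other `maxItems` hunks of this file documents no real limit, and the explanatory comment in the `@@ -421` hunk concedes Agent does not enforce it; a value that reflects the request-size or batch limit the service actually applies would make the constraint meaningful for validators (the acceptance requirements include openapi_core, so the spec appears to be consumed that way) instead of a placeholder chosen for a scanner. That comment is also a plain YAML comment under `components:`, which every OpenAPI parser and renderer discards, so API consumers never see the caveat; moving the text into `info.description`, or into a `description` on the affected schemas, keeps it visible in rendered docs. The response object whose `oneOf` this first hunk edits starts above the hunk.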
@@ -693,16 +706,19 @@ components: $ref: '#/components/schemas/OptimizelyFeature' attributes: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/OptimizelyAttribute' description: '' audiences: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/OptimizelyAudience' description: '' events: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/OptimizelyEvent' description: ''
@@ -764,6 +780,7 @@ components: properties: decideOptions: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/DecideOption' description: ''
@@ -773,6 +790,7 @@ components: type: object forcedDecisions: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/ForcedDecision' description: ''
@@ -780,6 +798,7 @@ components: type: boolean fetchSegmentsOptions: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/FetchSegmentsOption' description: ''
@@ -846,6 +865,7 @@ components: properties: operations: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/BatchOperation' description: Array of requests to Agent endpoints, batched into one request
@@ -897,6 +917,7 @@ components: contentEncoding: int32 response: type: array + maxItems: 1000000 items: $ref: '#/components/schemas/BatchResponseItem' description: ''
@@ -917,6 +938,7 @@ components: body: oneOf: - type: array + maxItems: 1000000 items: type: object - type: object
diff --git a/api/openapi-spec/webhook.yaml b/api/openapi-spec/webhook.yaml
index 63a72228..90821c26 100644
--- a/api/openapi-spec/webhook.yaml
+++ b/api/openapi-spec/webhook.yaml
@@ -10,6 +10,8 @@ info: servers: - url: https://api.optimizely.com description: Hosted Optimizely Decision Service +security: + - WebhookSignature: [] paths: /webhooks/optimizely: post:
@@ -31,8 +33,16 @@ paths: description: No content. Webhook message received and processed. '400': description: Invalid webhook message received. + security: + - WebhookSignature: [] deprecated: false components: + securitySchemes: + WebhookSignature: + type: apiKey + name: X-Hub-Signature + in: header + description: "HMAC-SHA1 signature of the request payload using the webhook secret (format: sha1=)" schemas: DatafileUpdateData: title: DatafileUpdateData
diff --git a/examples/requirements.txt b/examples/requirements.txt
index 1363e5fa..e4af41ee 100644
--- a/examples/requirements.txt
+++ b/examples/requirements.txt
@@ -1,5 +1,4 @@
 certifi==2025.1.31
-chardet==5.2.0
 charset-normalizer==3.4.1
 idna==3.10
 requests==2.32.4
diff --git a/go.mod b/go.mod
index b33c8cff..3dc151f6 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/go-chi/cors v1.2.1
 github.com/go-chi/httplog v0.2.5
 github.com/go-chi/render v1.0.2
-github.com/go-kit/kit v0.12.0
+github.com/go-kit/kit v0.13.0
 github.com/go-redis/redis/v8 v8.11.5
 github.com/go-redis/redismock/v8 v8.11.5
 github.com/golang-jwt/jwt/v4 v4.5.2
diff --git a/go.sum b/go.sum
index b209a20a..65193361 100644
--- a/go.sum
+++ b/go.sum
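Review bot: The `description` on the new `WebhookSignature` scheme is truncated — `(format: sha1=)` stops before saying what follows the prefix — so a reader cannot tell what the header value looks like; `description: 'HMAC-SHA1 of the raw request body keyed with the webhook secret; value is sha1= followed by the hex digest'` says it, and single quotes avoid the escaping the double-quoted form would otherwise need. OpenAPI has no native HMAC scheme, so modelling the signature as `apiKey` in header `X-Hub-Signature` is the usual workaround, but the description should state that the header carries a signature the receiver verifies over the whole body rather than a credential, since consumers of the spec will otherwise read it as a static key. The operation-level `security` block added here repeats the global one from the `@@ -10` hunk; an operation-level entry overrides the global requirement for that operation, so with a single operation one of the two is redundant and the global entry alone suffices.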
@@ -91,8 +91,8 @@ github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIo
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-kit/kit v0.12.0 h1:e4o3o3IsBfAKQh5Qbbiqyfu97Ku7jrO/JbohvztANh4=
-github.com/go-kit/kit v0.12.0/go.mod h1:lHd+EkCZPIwYItmGDDRdhinkzX2A1sj+M9biaEaizzs=
+github.com/go-kit/kit v0.13.0 h1:OoneCcHKHQ03LfBpoQCUfCluwd2Vt3ohz+kvbJneZAU=
+github.com/go-kit/kit v0.13.0/go.mod h1:phqEHMMUbyrCFCTgH48JueqrM3md2HcAZ8N3XE4FKDg=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
diff --git a/tests/acceptance/requirements.txt b/tests/acceptance/requirements.txt
index bf847025..984db036 100644
--- a/tests/acceptance/requirements.txt
+++ b/tests/acceptance/requirements.txt
@@ -1,5 +1,4 @@
 pytest==7.0.0
-pytest-clarity==1.0.1
 requests==2.32.4
 openapi_core==0.17.1
 openapi_spec_validator==0.5.6