build: move e2e dependencies into e2e/go.mod

Several packages are only used while running the e2e suite. These
packages are less important to update, as the they can not influence the
final executable that is part of the Ceph-CSI container-image.

By moving these dependencies out of the main Ceph-CSI go.mod, it is
easier to identify if a reported CVE affects Ceph-CSI, or only the
testing (like most of the Kubernetes CVEs).

Signed-off-by: Niels de Vos <ndevos@ibm.com>

e2e/vendor/k8s.io/apiserver/pkg/audit/policy/checker.go

@@ -0,0 +1,239 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"strings"
+
+	"k8s.io/apiserver/pkg/apis/audit"
+	auditinternal "k8s.io/apiserver/pkg/audit"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+const (
+	// DefaultAuditLevel is the default level to audit at, if no policy rules are matched.
+	DefaultAuditLevel = audit.LevelNone
+)
+
+// NewPolicyRuleEvaluator creates a new policy rule evaluator.
+func NewPolicyRuleEvaluator(policy *audit.Policy) auditinternal.PolicyRuleEvaluator {
+	for i, rule := range policy.Rules {
+		policy.Rules[i].OmitStages = unionStages(policy.OmitStages, rule.OmitStages)
+	}
+	return &policyRuleEvaluator{*policy}
+}
+
+func unionStages(stageLists ...[]audit.Stage) []audit.Stage {
+	m := make(map[audit.Stage]bool)
+	for _, sl := range stageLists {
+		for _, s := range sl {
+			m[s] = true
+		}
+	}
+	result := make([]audit.Stage, 0, len(m))
+	for key := range m {
+		result = append(result, key)
+	}
+	return result
+}
+
+// NewFakePolicyRuleEvaluator creates a fake policy rule evaluator that returns
+// a constant level for all requests (for testing).
+func NewFakePolicyRuleEvaluator(level audit.Level, stage []audit.Stage) auditinternal.PolicyRuleEvaluator {
+	return &fakePolicyRuleEvaluator{level, stage}
+}
+
+type policyRuleEvaluator struct {
+	audit.Policy
+}
+
+func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfig {
+	for _, rule := range p.Rules {
+		if ruleMatches(&rule, attrs) {
+			return auditinternal.RequestAuditConfig{
+				Level:             rule.Level,
+				OmitStages:        rule.OmitStages,
+				OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
+			}
+		}
+	}
+
+	return auditinternal.RequestAuditConfig{
+		Level:             DefaultAuditLevel,
+		OmitStages:        p.OmitStages,
+		OmitManagedFields: p.OmitManagedFields,
+	}
+}
+
+// isOmitManagedFields returns whether to omit managed fields from the request
+// and response bodies from being written to the API audit log.
+// If a user specifies OmitManagedFields inside a policy rule, that overrides
+// the global policy default in Policy.OmitManagedFields.
+func isOmitManagedFields(policyRule *audit.PolicyRule, policyDefault bool) bool {
+	if policyRule.OmitManagedFields == nil {
+		return policyDefault
+	}
+
+	return *policyRule.OmitManagedFields
+}
+
+// Check whether the rule matches the request attrs.
+func ruleMatches(r *audit.PolicyRule, attrs authorizer.Attributes) bool {
+	user := attrs.GetUser()
+	if len(r.Users) > 0 {
+		if user == nil || !hasString(r.Users, user.GetName()) {
+			return false
+		}
+	}
+	if len(r.UserGroups) > 0 {
+		if user == nil {
+			return false
+		}
+		matched := false
+		for _, group := range user.GetGroups() {
+			if hasString(r.UserGroups, group) {
+				matched = true
+				break
+			}
+		}
+		if !matched {
+			return false
+		}
+	}
+	if len(r.Verbs) > 0 {
+		if !hasString(r.Verbs, attrs.GetVerb()) {
+			return false
+		}
+	}
+
+	if len(r.Namespaces) > 0 || len(r.Resources) > 0 {
+		return ruleMatchesResource(r, attrs)
+	}
+
+	if len(r.NonResourceURLs) > 0 {
+		return ruleMatchesNonResource(r, attrs)
+	}
+
+	return true
+}
+
+// Check whether the rule's non-resource URLs match the request attrs.
+func ruleMatchesNonResource(r *audit.PolicyRule, attrs authorizer.Attributes) bool {
+	if attrs.IsResourceRequest() {
+		return false
+	}
+
+	path := attrs.GetPath()
+	for _, spec := range r.NonResourceURLs {
+		if pathMatches(path, spec) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Check whether the path matches the path specification.
+func pathMatches(path, spec string) bool {
+	// Allow wildcard match
+	if spec == "*" {
+		return true
+	}
+	// Allow exact match
+	if spec == path {
+		return true
+	}
+	// Allow a trailing * subpath match
+	if strings.HasSuffix(spec, "*") && strings.HasPrefix(path, strings.TrimRight(spec, "*")) {
+		return true
+	}
+	return false
+}
+
+// Check whether the rule's resource fields match the request attrs.
+func ruleMatchesResource(r *audit.PolicyRule, attrs authorizer.Attributes) bool {
+	if !attrs.IsResourceRequest() {
+		return false
+	}
+
+	if len(r.Namespaces) > 0 {
+		if !hasString(r.Namespaces, attrs.GetNamespace()) { // Non-namespaced resources use the empty string.
+			return false
+		}
+	}
+	if len(r.Resources) == 0 {
+		return true
+	}
+
+	apiGroup := attrs.GetAPIGroup()
+	resource := attrs.GetResource()
+	subresource := attrs.GetSubresource()
+	combinedResource := resource
+	// If subresource, the resource in the policy must match "(resource)/(subresource)"
+	if subresource != "" {
+		combinedResource = resource + "/" + subresource
+	}
+
+	name := attrs.GetName()
+
+	for _, gr := range r.Resources {
+		if gr.Group == apiGroup {
+			if len(gr.Resources) == 0 {
+				return true
+			}
+			for _, res := range gr.Resources {
+				if len(gr.ResourceNames) == 0 || hasString(gr.ResourceNames, name) {
+					// match "*"
+					if res == combinedResource || res == "*" {
+						return true
+					}
+					// match "*/subresource"
+					if len(subresource) > 0 && strings.HasPrefix(res, "*/") && subresource == strings.TrimPrefix(res, "*/") {
+						return true
+					}
+					// match "resource/*"
+					if strings.HasSuffix(res, "/*") && resource == strings.TrimSuffix(res, "/*") {
+						return true
+					}
+				}
+			}
+		}
+	}
+	return false
+}
+
+// Utility function to check whether a string slice contains a string.
+func hasString(slice []string, value string) bool {
+	for _, s := range slice {
+		if s == value {
+			return true
+		}
+	}
+	return false
+}
+
+type fakePolicyRuleEvaluator struct {
+	level audit.Level
+	stage []audit.Stage
+}
+
+func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfig {
+	return auditinternal.RequestAuditConfig{
+		Level:      f.level,
+		OmitStages: f.stage,
+	}
+}

e2e/vendor/k8s.io/apiserver/pkg/audit/policy/reader.go

@@ -0,0 +1,101 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"fmt"
+	"io/ioutil"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	auditinternal "k8s.io/apiserver/pkg/apis/audit"
+	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
+	"k8s.io/apiserver/pkg/apis/audit/validation"
+	"k8s.io/apiserver/pkg/audit"
+	"k8s.io/klog/v2"
+)
+
+var (
+	apiGroupVersions = []schema.GroupVersion{
+		auditv1.SchemeGroupVersion,
+	}
+	apiGroupVersionSet = map[schema.GroupVersion]bool{}
+)
+
+func init() {
+	for _, gv := range apiGroupVersions {
+		apiGroupVersionSet[gv] = true
+	}
+}
+
+func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {
+	if filePath == "" {
+		return nil, fmt.Errorf("file path not specified")
+	}
+	policyDef, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read file path %q: %+v", filePath, err)
+	}
+
+	ret, err := LoadPolicyFromBytes(policyDef)
+	if err != nil {
+		return nil, fmt.Errorf("%v: from file %v", err.Error(), filePath)
+	}
+
+	return ret, nil
+}
+
+func LoadPolicyFromBytes(policyDef []byte) (*auditinternal.Policy, error) {
+	policy := &auditinternal.Policy{}
+	strictDecoder := serializer.NewCodecFactory(audit.Scheme, serializer.EnableStrict).UniversalDecoder()
+
+	// Try strict decoding first.
+	_, gvk, err := strictDecoder.Decode(policyDef, nil, policy)
+	if err != nil {
+		if !runtime.IsStrictDecodingError(err) {
+			return nil, fmt.Errorf("failed decoding: %w", err)
+		}
+		var (
+			lenientDecoder = audit.Codecs.UniversalDecoder(apiGroupVersions...)
+			lenientErr     error
+		)
+		_, gvk, lenientErr = lenientDecoder.Decode(policyDef, nil, policy)
+		if lenientErr != nil {
+			return nil, fmt.Errorf("failed lenient decoding: %w", lenientErr)
+		}
+		klog.Warningf("Audit policy contains errors, falling back to lenient decoding: %v", err)
+	}
+
+	// Ensure the policy file contained an apiVersion and kind.
+	gv := schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}
+	if !apiGroupVersionSet[gv] {
+		return nil, fmt.Errorf("unknown group version field %v in policy", gvk)
+	}
+
+	if err := validation.ValidatePolicy(policy); err != nil {
+		return nil, err.ToAggregate()
+	}
+
+	policyCnt := len(policy.Rules)
+	if policyCnt == 0 {
+		return nil, fmt.Errorf("loaded illegal policy with 0 rules")
+	}
+
+	klog.V(4).InfoS("Load audit policy rules success", "policyCnt", policyCnt)
+	return policy, nil
+}

e2e/vendor/k8s.io/apiserver/pkg/audit/policy/util.go

@@ -0,0 +1,68 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/apis/audit"
+)
+
+// AllStages returns all possible stages
+func AllStages() sets.String {
+	return sets.NewString(
+		string(audit.StageRequestReceived),
+		string(audit.StageResponseStarted),
+		string(audit.StageResponseComplete),
+		string(audit.StagePanic),
+	)
+}
+
+// AllLevels returns all possible levels
+func AllLevels() sets.String {
+	return sets.NewString(
+		string(audit.LevelNone),
+		string(audit.LevelMetadata),
+		string(audit.LevelRequest),
+		string(audit.LevelRequestResponse),
+	)
+}
+
+// InvertStages subtracts the given array of stages from all stages
+func InvertStages(stages []audit.Stage) []audit.Stage {
+	s := ConvertStagesToStrings(stages)
+	a := AllStages()
+	a.Delete(s...)
+	return ConvertStringSetToStages(a)
+}
+
+// ConvertStagesToStrings converts an array of stages to a string array
+func ConvertStagesToStrings(stages []audit.Stage) []string {
+	s := make([]string, len(stages))
+	for i, stage := range stages {
+		s[i] = string(stage)
+	}
+	return s
+}
+
+// ConvertStringSetToStages converts a string set to an array of stages
+func ConvertStringSetToStages(set sets.String) []audit.Stage {
+	stages := make([]audit.Stage, len(set))
+	for i, stage := range set.List() {
+		stages[i] = audit.Stage(stage)
+	}
+	return stages
+}