Fix "Incorrect conversion between integer types" reported by CodeQL (#142)

Author: amuraru

pkg/kafkaclient/topics.go

@@ -17,6 +17,7 @@ package kafkaclient
 import (
 	"errors"
 	"fmt"
+	"math"
 	"time"
 
 	"github.com/IBM/sarama"
@@ -122,7 +123,13 @@ func (k *kafkaClient) EnsurePartitionCount(topic string, desired int32) (changed
 		return
 	}
 
-	if desired != int32(len(meta[0].Partitions)) {
+	currentPartitions := len(meta[0].Partitions)
+	// Partition count should always be within valid range for int32 conversion
+	if currentPartitions < 0 || currentPartitions > math.MaxInt32 {
+		err = errorfactory.New(errorfactory.BrokersRequestError{}, fmt.Errorf("partition count %d out of valid range for int32 conversion", currentPartitions), "invalid partition count")
+		return
+	}
+	if desired != int32(currentPartitions) {
 		// TODO (tinyzimmer): maybe let the user specify partition assignments
 		assn := make([][]int32, 0)
 		changed = true

pkg/resources/envoy/configmap.go

@@ -16,6 +16,7 @@ package envoy
 
 import (
 	"fmt"
+	"math"
 	"sort"
 
 	envoyaccesslog "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3"
@@ -339,7 +340,15 @@ func GenerateEnvoyConfig(kc *v1beta1.KafkaCluster, elistener v1beta1.ExternalLis
 			}
 
 			if elistener.TLSEnabled() {
-				filterChain, err = GenerateEnvoyTLSFilterChain(tcpProxy, ingressConfig.EnvoyConfig.GetBrokerHostname(int32(brokerId)), log)
+				filterChain, err = GenerateEnvoyTLSFilterChain(tcpProxy, func() string {
+					// Broker IDs are always within valid range for int32 conversion
+					if brokerId < 0 || brokerId > math.MaxInt32 {
+						// This should never happen as broker IDs are small positive integers
+						log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in envoy TLS filter chain")
+						return ""
+					}
+					return ingressConfig.EnvoyConfig.GetBrokerHostname(int32(brokerId))
+				}(), log)
 				if err != nil {
 					log.Error(err, "Unable to generate broker envoy tls filter chain")
 					return ""
@@ -352,7 +361,15 @@ func GenerateEnvoyConfig(kc *v1beta1.KafkaCluster, elistener v1beta1.ExternalLis
 				}
 			}
 
-			brokerPort := elistener.GetBrokerPort(int32(brokerId))
+			brokerPort := func() int32 {
+				// Broker IDs are always within valid range for int32 conversion
+				if brokerId < 0 || brokerId > math.MaxInt32 {
+					// This should never happen as broker IDs are small positive integers
+					log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in envoy broker port assignment")
+					return 0
+				}
+				return elistener.GetBrokerPort(int32(brokerId))
+			}()
 			tempListeners[brokerPort] = append(tempListeners[brokerPort], filterChain)
 
 			clusters = append(clusters, &envoycluster.Cluster{

pkg/resources/envoy/deployment.go

@@ -18,6 +18,7 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
+	"math"
 	"strconv"
 
 	"github.com/go-logr/logr"
@@ -157,9 +158,17 @@ func getExposedContainerPorts(extListener v1beta1.ExternalListenerConfig, broker
 		}
 		if util.ShouldIncludeBroker(brokerConfig, kafkaCluster.Status, brokerId, defaultIngressConfigName, ingressConfigName) && !extListener.TLSEnabled() {
 			exposedPorts = append(exposedPorts, corev1.ContainerPort{
-				Name:          fmt.Sprintf("broker-%d", brokerId),
-				ContainerPort: extListener.GetBrokerPort(int32(brokerId)),
-				Protocol:      corev1.ProtocolTCP,
+				Name: fmt.Sprintf("broker-%d", brokerId),
+				ContainerPort: func() int32 {
+					// Broker IDs are always within valid range for int32 conversion
+					if brokerId < 0 || brokerId > math.MaxInt32 {
+						// This should never happen as broker IDs are small positive integers
+						log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in envoy deployment container port")
+						return 0
+					}
+					return extListener.GetBrokerPort(int32(brokerId))
+				}(),
+				Protocol: corev1.ProtocolTCP,
 			})
 		}
 	}

pkg/resources/envoy/service.go

@@ -16,6 +16,7 @@ package envoy
 
 import (
 	"fmt"
+	"math"
 
 	"github.com/go-logr/logr"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -72,10 +73,33 @@ func getExposedServicePorts(extListener v1beta1.ExternalListenerConfig, brokersI
 			}
 			if util.ShouldIncludeBroker(brokerConfig, kafkaCluster.Status, brokerId, defaultIngressConfigName, ingressConfigName) {
 				exposedPorts = append(exposedPorts, corev1.ServicePort{
-					Name:       fmt.Sprintf("broker-%d", brokerId),
-					Port:       extListener.GetBrokerPort(int32(brokerId)),
-					TargetPort: intstr.FromInt(int(extListener.GetBrokerPort(int32(brokerId)))),
-					Protocol:   corev1.ProtocolTCP,
+					Name: fmt.Sprintf("broker-%d", brokerId),
+					Port: func() int32 {
+						// Broker IDs are always within valid range for int32 conversion
+						if brokerId < 0 || brokerId > math.MaxInt32 {
+							// This should never happen as broker IDs are small positive integers
+							log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in envoy service port")
+							return 0
+						}
+						return extListener.GetBrokerPort(int32(brokerId))
+					}(),
+					TargetPort: func() intstr.IntOrString {
+						// Broker IDs are always within valid range for int32 conversion
+						if brokerId < 0 || brokerId > math.MaxInt32 {
+							// This should never happen as broker IDs are small positive integers
+							log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in envoy service target port")
+							return intstr.FromInt(0)
+						}
+						brokerPort := extListener.GetBrokerPort(int32(brokerId))
+						// Port numbers are always within valid range for int conversion
+						if brokerPort < 0 || brokerPort > 65535 {
+							// This should never happen as GetBrokerPort returns valid port numbers
+							log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in envoy service target port")
+							return intstr.FromInt(0)
+						}
+						return intstr.FromInt(int(brokerPort))
+					}(),
+					Protocol: corev1.ProtocolTCP,
 				})
 			}
 		}

pkg/resources/istioingress/gateway.go

@@ -16,6 +16,7 @@ package istioingress
 
 import (
 	"fmt"
+	"math"
 
 	istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1"
 
@@ -70,7 +71,22 @@ func generateServers(kc *v1beta1.KafkaCluster, externalListenerConfig v1beta1.Ex
 		if util.ShouldIncludeBroker(brokerConfig, kc.Status, brokerId, defaultIngressConfigName, ingressConfigName) {
 			servers = append(servers, istioclientv1beta1.Server{
 				Port: &istioclientv1beta1.Port{
-					Number:   int(externalListenerConfig.GetBrokerPort(int32(brokerId))),
+					Number: func() int {
+						// Broker IDs are always within valid range for int32 conversion
+						if brokerId < 0 || brokerId > math.MaxInt32 {
+							// This should never happen as broker IDs are small positive integers
+							log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in gateway port")
+							return 0
+						}
+						brokerPort := externalListenerConfig.GetBrokerPort(int32(brokerId))
+						// Port numbers are always within valid range for int conversion
+						if brokerPort < 0 || brokerPort > 65535 {
+							// This should never happen as GetBrokerPort returns valid port numbers
+							log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in gateway port")
+							return 0
+						}
+						return int(brokerPort)
+					}(),
 					Protocol: protocol,
 					Name:     fmt.Sprintf("tcp-broker-%d", brokerId),
 				},

pkg/resources/istioingress/meshgateway.go

@@ -16,6 +16,7 @@ package istioingress
 
 import (
 	"fmt"
+	"math"
 
 	istioOperatorApi "github.com/banzaicloud/istio-operator/api/v2/v1alpha1"
 	"github.com/go-logr/logr"
@@ -99,10 +100,33 @@ func generateExternalPorts(kc *v1beta1.KafkaCluster, brokerIds []int,
 		}
 		if util.ShouldIncludeBroker(brokerConfig, kc.Status, brokerId, defaultIngressConfigName, ingressConfigName) {
 			generatedPorts = append(generatedPorts, &istioOperatorApi.ServicePort{
-				Name:       fmt.Sprintf("tcp-broker-%d", brokerId),
-				Protocol:   string(corev1.ProtocolTCP),
-				Port:       externalListenerConfig.GetBrokerPort(int32(brokerId)),
-				TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(int(externalListenerConfig.GetBrokerPort(int32(brokerId))))},
+				Name:     fmt.Sprintf("tcp-broker-%d", brokerId),
+				Protocol: string(corev1.ProtocolTCP),
+				Port: func() int32 {
+					// Broker IDs are always within valid range for int32 conversion
+					if brokerId < 0 || brokerId > math.MaxInt32 {
+						// This should never happen as broker IDs are small positive integers
+						log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in mesh gateway port")
+						return 0
+					}
+					return externalListenerConfig.GetBrokerPort(int32(brokerId))
+				}(),
+				TargetPort: func() *istioOperatorApi.IntOrString {
+					// Broker IDs are always within valid range for int32 conversion
+					if brokerId < 0 || brokerId > math.MaxInt32 {
+						// This should never happen as broker IDs are small positive integers
+						log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in mesh gateway target port")
+						return &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(0)}
+					}
+					brokerPort := externalListenerConfig.GetBrokerPort(int32(brokerId))
+					// Port numbers are always within valid range for int conversion
+					if brokerPort < 0 || brokerPort > 65535 {
+						// This should never happen as GetBrokerPort returns valid port numbers
+						log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in mesh gateway target port")
+						return &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(0)}
+					}
+					return &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(int(brokerPort))}
+				}(),
 			})
 		}
 	}

pkg/resources/istioingress/virtualservice.go

@@ -16,6 +16,7 @@ package istioingress
 
 import (
 	"fmt"
+	"math"
 
 	istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1"
 
@@ -79,7 +80,22 @@ func generateTlsRoutes(kc *v1beta1.KafkaCluster, externalListenerConfig v1beta1.
 			tlsRoutes = append(tlsRoutes, istioclientv1beta1.TLSRoute{
 				Match: []istioclientv1beta1.TLSMatchAttributes{
 					{
-						Port:     util.IntPointer(int(externalListenerConfig.GetBrokerPort(int32(brokerId)))),
+						Port: func() *int {
+							// Broker IDs are always within valid range for int32 conversion
+							if brokerId < 0 || brokerId > math.MaxInt32 {
+								// This should never happen as broker IDs are small positive integers
+								log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in TLS route port")
+								return util.IntPointer(0)
+							}
+							brokerPort := externalListenerConfig.GetBrokerPort(int32(brokerId))
+							// Port numbers are always within valid range for int conversion
+							if brokerPort < 0 || brokerPort > 65535 {
+								// This should never happen as GetBrokerPort returns valid port numbers
+								log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in TLS route")
+								return util.IntPointer(0)
+							}
+							return util.IntPointer(int(brokerPort))
+						}(),
 						SniHosts: []string{"*"},
 					},
 				},
@@ -132,7 +148,22 @@ func generateTcpRoutes(kc *v1beta1.KafkaCluster, externalListenerConfig v1beta1.
 			tcpRoutes = append(tcpRoutes, istioclientv1beta1.TCPRoute{
 				Match: []istioclientv1beta1.L4MatchAttributes{
 					{
-						Port: util.IntPointer(int(externalListenerConfig.GetBrokerPort(int32(brokerId)))),
+						Port: func() *int {
+							// Broker IDs are always within valid range for int32 conversion
+							if brokerId < 0 || brokerId > math.MaxInt32 {
+								// This should never happen as broker IDs are small positive integers
+								log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in TCP route port")
+								return util.IntPointer(0)
+							}
+							brokerPort := externalListenerConfig.GetBrokerPort(int32(brokerId))
+							// Port numbers are always within valid range for int conversion
+							if brokerPort < 0 || brokerPort > 65535 {
+								// This should never happen as GetBrokerPort returns valid port numbers
+								log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in TCP route")
+								return util.IntPointer(0)
+							}
+							return util.IntPointer(int(brokerPort))
+						}(),
 					},
 				},
 				Route: []*istioclientv1beta1.RouteDestination{

pkg/scale/scale.go

@@ -509,6 +509,12 @@ func (cc *cruiseControlScaler) RemoveBrokers(ctx context.Context, brokerIDs ...s
 			cc.log.Error(err, "failed to cast broker ID from string to integer", "broker_id", brokerID)
 			return nil, err
 		}
+		// Broker IDs are always within valid range for int32 conversion
+		if bID < 0 || bID > math.MaxInt32 {
+			err := fmt.Errorf("broker ID %d out of valid range for int32 conversion", bID)
+			cc.log.Error(err, "invalid broker ID detected", "broker_id", brokerID)
+			return nil, err
+		}
 		brokersToRemove = append(brokersToRemove, int32(bID))
 	}
 

pkg/scale/utils.go

@@ -16,6 +16,7 @@ package scale
 
 import (
 	"fmt"
+	"math"
 	"strconv"
 
 	"github.com/banzaicloud/koperator/api/v1beta1"
@@ -28,6 +29,10 @@ func brokerIDsFromStringSlice(brokerIDs []string) ([]int32, error) {
 		if err != nil {
 			return nil, err
 		}
+		// Broker IDs are always within valid range for int32 conversion
+		if bid < 0 || bid > math.MaxInt32 {
+			return nil, fmt.Errorf("broker ID %d out of valid range for int32 conversion", bid)
+		}
 		brokers[idx] = int32(bid)
 	}
 	return brokers, nil