From 7e541b9a21f19ffde4cb2e2ff668e3d55debde1f Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Thu, 11 Jan 2024 15:50:51 +0100 Subject: [PATCH] cli: create default policy setting file, rego and manifest on generate If files do not exist yet, generate will write default files. --- cli/constants.go | 12 +++++++++ cli/generate.go | 41 +++++++++++++++++++++++++++++- {tools => cli}/genpolicy-msft.json | 0 {tools => cli}/rules.rego | 0 data/manifest.json | 26 ------------------- internal/manifest/constants.go | 21 +++++++++++++++ justfile | 3 +-- packages/default.nix | 2 ++ 8 files changed, 76 insertions(+), 29 deletions(-) rename {tools => cli}/genpolicy-msft.json (100%) rename {tools => cli}/rules.rego (100%) delete mode 100644 data/manifest.json create mode 100644 internal/manifest/constants.go diff --git a/cli/constants.go b/cli/constants.go index ec0cfbcb33..f143daccca 100644 --- a/cli/constants.go +++ b/cli/constants.go @@ -1,8 +1,20 @@ package main +import ( + _ "embed" +) + const ( coordRootPEMFilename = "coordinator-root.pem" coordIntermPEMFilename = "mesh-root.pem" manifestFilename = "manifest.json" + rulesFilename = "rules.rego" verifyDir = "./verify" ) + +var ( + //go:embed genpolicy-msft.json + defaultGenpolicySettings []byte + //go:embed rules.rego + defaultRules []byte +) diff --git a/cli/generate.go b/cli/generate.go index 55fcfa62ef..d88adbd8e3 100644 --- a/cli/generate.go +++ b/cli/generate.go 
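Review bot: The two `//go:embed` variables in the new var block carry no comment, so a reader cannot tell from this file that they are the genpolicy settings and the rego rules that generatePolicies writes out when those files are missing. Suggest a header above the block, `// Embedded defaults that generatePolicies materializes into the policy` / `// directory when the corresponding file is missing; existing files are kept.`, plus `// defaultGenpolicySettings is the embedded genpolicy settings file.` and `// defaultRules is the embedded rules.rego.` on the variables. A note that these were moved here from tools/ so that contributors edit cli/rules.rego and rebuild would also help, since the packaged binary now pins whatever was embedded at build time.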
@@ -65,7 +65,12 @@ func runGenerate(cmd *cobra.Command, args []string) error { return fmt.Errorf("failed to create policy map: %w", err) } - manifestData, err := os.ReadFile(flags.manifestPath) + defaultManifest := manifest.Default() + defaultManifestData, err := json.MarshalIndent(&defaultManifest, "", " ") + if err != nil { + return fmt.Errorf("marshaling default manifest: %w", err) + } + manifestData, err := readFileOrDefault(flags.manifestPath, defaultManifestData) if err != nil { return fmt.Errorf("failed to read manifest file: %w", err) } @@ -136,6 +141,12 @@ func filterNonCoCoRuntime(runtimeClassName string, paths []string, logger *slog. } func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPaths []string, logger *slog.Logger) error { + if err := createFileWithDefault(filepath.Join(regoPath, policyPath), defaultGenpolicySettings); err != nil { + return fmt.Errorf("creating default policy file: %w", err) + } + if err := createFileWithDefault(filepath.Join(regoPath, rulesFilename), defaultRules); err != nil { + return fmt.Errorf("creating default policy.rego file: %w", err) + } for _, yamlPath := range yamlPaths { policyHash, err := generatePolicyForFile(ctx, regoPath, policyPath, yamlPath, logger) if err != nil { 
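Review bot: Falling back to `manifest.Default()` in `readFileOrDefault(flags.manifestPath, defaultManifestData)` is silent, so a mistyped `-m` path produces a manifest carrying the built-in MinimumTCB and TrustedIDKeyHashes instead of the operator's curated values, with nothing telling the user that happened. Since those reference values are what gets enforced later, the fallback should at least be logged: have the helper report it, `data, usedDefault, err := readFileOrDefault(...)`, and emit `logger.Warn("manifest not found, using built-in defaults", "path", flags.manifestPath)` when usedDefault is set. I assume a logger is reachable from runGenerate as it is in generatePolicies; confirm. runGenerate starts and ends outside this hunk.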
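Review bot: The error message on the second `createFileWithDefault` call reads `creating default policy.rego file`, but the file it creates is `rulesFilename`, i.e. rules.rego, so a failure points the user at a file that does not exist; the first message, `creating default policy file`, is for the genpolicy settings file and is just as easy to confuse with the generated policy. Suggest `return fmt.Errorf("creating default genpolicy settings file: %w", err)` and `return fmt.Errorf("creating default rules file: %w", err)` (the wrapped PathError already carries the path). A one-line comment above the two calls would also help: `// Seed the policy dir with the embedded genpolicy settings and rules unless the user supplied their own; existing files are never overwritten.` generatePolicies continues past the end of this hunk.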
@@ -202,3 +213,31 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) { manifestPath: manifestPath, }, nil } + +// readFileOrDefault reads the file at path, +// or returns the default value if the file doesn't exist. +func readFileOrDefault(path string, deflt []byte) ([]byte, error) { + data, err := os.ReadFile(path) + if err == nil { + return data, nil + } + if !os.IsNotExist(err) { + return nil, err + } + return deflt, nil +} + +// createFileWithDefault creates the file at path with the default value, +// if it doesn't exist. +func createFileWithDefault(path string, deflt []byte) error { + file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644) + if os.IsExist(err) { + return nil + } + if err != nil { + return err + } + defer file.Close() + _, err = file.Write(deflt) + return err +} diff --git a/tools/genpolicy-msft.json b/cli/genpolicy-msft.json similarity index 100% rename from tools/genpolicy-msft.json rename to cli/genpolicy-msft.json diff --git a/tools/rules.rego b/cli/rules.rego similarity index 100% rename from tools/rules.rego rename to cli/rules.rego diff --git a/data/manifest.json b/data/manifest.json deleted file mode 100644 index ff0d659a5b..0000000000 --- a/data/manifest.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "Policies": { - "2b3422e2e44c933f5a2bea3d25fc36502951cfac3bd07ea2033936b4b72b5c65": [ - "workload.edg-coco", - "*.edg-coco" - ], - "3638d61e7c8701e19e819751eb61e2e353f25f68374443d03428c8acc39ed3e9": [ - "coordinator.edg-coco", - "*.edg-coco" - ] - }, - "ReferenceValues": { - "SNP": { - "MinimumTCB": { - "BootloaderVersion": 3, - "TEEVersion": 0, - "SNPVersion": 8, - "MicrocodeVersion": 115 - }, - "TrustedIDKeyHashes": [ - "b2bcf1b11d9fb3f2e4e7979546844d26c30255fff0775f3af56f8295f361a7d1a34a54516d41abfff7320763a5b701d8", - "22087e0b99b911c9cffccfd9550a054531c105d46ed6d31f948eae56bd2defa4887e2fc4207768ec610aa232ac7490c4" - ] - } - } -} 
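Review bot: `createFileWithDefault` can leave a truncated file behind: if `file.Write(deflt)` fails part-way, or the deferred `Close` fails (its error is discarded), the path now exists, so every later run takes the `os.IsExist` branch and silently treats a half-written rules.rego or settings file as user-provided content. Because these files feed the policies that end up pinned in the manifest, a partial default should not survive a failed write: remove the file on write or close failure (or write to a temp file in the same directory and rename into place), and check the Close error instead of deferring it. The hunk also carries the closing lines of parseGenerateFlags, which starts outside it.
```go
// … unchanged: readFileOrDefault …

// createFileWithDefault creates the file at path with the default value,
// if it doesn't exist. A file that already exists is left untouched.
func createFileWithDefault(path string, deflt []byte) error {
	file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if os.IsExist(err) {
		return nil
	}
	if err != nil {
		return err
	}
	if _, err := file.Write(deflt); err != nil {
		file.Close()
		// Don't leave a truncated default behind: the O_EXCL check above
		// would treat it as user-provided on the next run.
		os.Remove(path)
		return err
	}
	if err := file.Close(); err != nil {
		os.Remove(path)
		return err
	}
	return nil
}
```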
diff --git a/internal/manifest/constants.go b/internal/manifest/constants.go new file mode 100644 index 0000000000..28541a1085 --- /dev/null +++ b/internal/manifest/constants.go @@ -0,0 +1,21 @@ +package manifest + +// Default returns a default manifest. +func Default() Manifest { + return Manifest{ + ReferenceValues: ReferenceValues{ + SNP: SNPReferenceValues{ + MinimumTCB: SNPTCB{ + BootloaderVersion: 3, + TEEVersion: 0, + SNPVersion: 8, + MicrocodeVersion: 115, + }, + TrustedIDKeyHashes: []HexString{ + "b2bcf1b11d9fb3f2e4e7979546844d26c30255fff0775f3af56f8295f361a7d1a34a54516d41abfff7320763a5b701d8", + "22087e0b99b911c9cffccfd9550a054531c105d46ed6d31f948eae56bd2defa4887e2fc4207768ec610aa232ac7490c4", + }, + }, + }, + } +} diff --git a/justfile b/justfile index 3e38c10642..b3ce7a8f29 100644 --- a/justfile +++ b/justfile @@ -24,7 +24,6 @@ generate target=default_deploy_target: mkdir -p ./{{worspace_dir}} rm -rf ./{{worspace_dir}}/deployment cp -R ./deployments/{{target}} ./{{worspace_dir}}/deployment - cp ./data/manifest.json ./{{worspace_dir}}/manifest.json nix run .#yq-go -- -i ". \ | with(select(.spec.template.spec.containers[].image | contains(\"nunki/coordinator\")); \ .spec.template.spec.containers[0].image = \"${container_registry}/nunki/coordinator:latest\")" \ @@ -37,7 +36,7 @@ generate target=default_deploy_target: done nix run .#cli -- generate \ -m ./{{worspace_dir}}/manifest.json \ - -p tools \ + -p ./{{worspace_dir}} \ -s genpolicy-msft.json \ ./{{worspace_dir}}/deployment/*.yml diff --git a/packages/default.nix b/packages/default.nix index 8b5f0dac2b..8b4d602aa2 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -12,6 +12,8 @@ let fileset = lib.fileset.unions [ ../go.mod ../go.sum + ../cli/rules.rego # go embed + ../cli/genpolicy-msft.json # go embed (lib.fileset.fileFilter (file: lib.hasSuffix ".go" file.name) ../.) ]; };
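Review bot: `Default()` hard-codes two SNP `TrustedIDKeyHashes` and a `MinimumTCB` with no comment on what they are, and with this commit they become the reference values of any deployment whose operator supplied no manifest. A later reader cannot tell whether these hashes identify a specific vendor or fleet ID key or are development placeholders, nor when the TCB floor was last checked; the values appear verbatim in the deleted data/manifest.json, so presumably they were carried over from there. Document that on the function, e.g. `// Default returns a manifest with built-in SNP reference values, used when the` / `// caller supplies none. The ID key hashes and TCB floor are <provenance/date>;` / `// review them before relying on this manifest in production.`, filling in the provenance. Unlike the deleted file, the default carries no Policies; a sentence saying whether generate is expected to populate them would avoid the obvious question.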
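Review bot: Dropping the `cp ./data/manifest.json` step and pointing `-p` at the workspace means manifest.json, rules.rego and genpolicy-msft.json now persist in `{{worspace_dir}}` across runs: only `deployment` is removed, the CLI creates the two policy files only when absent, and an existing manifest.json is read instead of `manifest.Default()`. A change to the embedded defaults or to `Default()` will therefore not reach an existing workspace until those files are deleted by hand, which is easy to miss after pulling this change. If keep-and-edit is the intent, say so in the recipe, e.g. `# manifest.json, rules.rego and genpolicy-msft.json are created on first run and kept; delete them to pick up new defaults`; otherwise add them to the rm.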