cli: platform dependent genpolicy config

edgelesssys · Aug 1, 2024 · 9163c4a · 9163c4a
1 parent 6c5bd6a
commit 9163c4a
Show file tree

Hide file tree

Showing 11 changed files with 63 additions and 20 deletions.
diff --git a/cli/cmd/common.go b/cli/cmd/common.go
@@ -30,12 +30,6 @@ const (
 )
 
 var (
-	//go:embed assets/genpolicy
-	genpolicyBin []byte
-	//go:embed assets/genpolicy-settings.json
-	defaultGenpolicySettings []byte
-	//go:embed assets/genpolicy-rules.rego
-	defaultRules []byte
 	// ReleaseImageReplacements contains the image replacements used by contrast.
 	//go:embed assets/image-replacements.txt
 	ReleaseImageReplacements []byte

diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
@@ -126,7 +126,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 	}
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Patched targets")
 
-	if err := generatePolicies(cmd.Context(), flags.policyPath, flags.settingsPath, flags.genpolicyCachePath, paths, log); err != nil {
+	if err := generatePolicies(cmd.Context(), flags, paths, log); err != nil {
 		return fmt.Errorf("generate policies: %w", err)
 	}
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Generated workload policy annotations")
@@ -241,15 +241,16 @@ func filterNonCoCoRuntime(runtimeClassNamePrefix string, paths []string, logger
 	return filtered
 }
 
-func generatePolicies(ctx context.Context, regoRulesPath, policySettingsPath, genpolicyCachePath string, yamlPaths []string, logger *slog.Logger) error {
-	if err := createFileWithDefault(policySettingsPath, 0o644, func() ([]byte, error) { return defaultGenpolicySettings, nil }); err != nil {
+func generatePolicies(ctx context.Context, flags *generateFlags, yamlPaths []string, logger *slog.Logger) error {
+	cfg := genpolicy.NewConfig(flags.referenceValuesPlatform)
+	if err := createFileWithDefault(flags.settingsPath, 0o644, func() ([]byte, error) { return cfg.Settings, nil }); err != nil {
 		return fmt.Errorf("creating default policy file: %w", err)
 	}
-	if err := createFileWithDefault(regoRulesPath, 0o644, func() ([]byte, error) { return defaultRules, nil }); err != nil {
+	if err := createFileWithDefault(flags.policyPath, 0o644, func() ([]byte, error) { return cfg.Rules, nil }); err != nil {
 		return fmt.Errorf("creating default policy.rego file: %w", err)
 	}
 
-	runner, err := genpolicy.New(genpolicyBin, regoRulesPath, policySettingsPath, genpolicyCachePath)
+	runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath)
 	if err != nil {
 		return fmt.Errorf("preparing genpolicy: %w", err)
 	}

diff --git a/cli/cmd/assets/genpolicy → cli/genpolicy/assets/allow-all.rego b/cli/cmd/assets/genpolicy → cli/genpolicy/assets/allow-all.rego
diff --git a/cli/cmd/assets/genpolicy-rules.rego → cli/genpolicy/assets/genpolicy b/cli/cmd/assets/genpolicy-rules.rego → cli/genpolicy/assets/genpolicy
diff --git a/cli/genpolicy/assets/genpolicy-rules.rego b/cli/genpolicy/assets/genpolicy-rules.rego
@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING
diff --git a/cli/cmd/assets/genpolicy-settings.json → cli/genpolicy/assets/genpolicy-settings.json b/cli/cmd/assets/genpolicy-settings.json → cli/genpolicy/assets/genpolicy-settings.json
diff --git a/cli/genpolicy/config.go b/cli/genpolicy/config.go
@@ -0,0 +1,44 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+package genpolicy
+
+import (
+	_ "embed"
+
+	"github.com/edgelesssys/contrast/internal/platforms"
+)
+
+var (
+	//go:embed assets/genpolicy
+	genpolicyBin []byte
+	//go:embed assets/genpolicy-settings.json
+	defaultGenpolicySettings []byte
+	//go:embed assets/genpolicy-rules.rego
+	aksCloudHypervisorSNPRules []byte
+	//go:embed assets/allow-all.rego
+	permissiveRules []byte
+)
+
+// Config contains configuration files for genpolicy.
+type Config struct {
+	// Rules is a Rego module that verifies agent requests.
+	Rules []byte
+	// Settings is a json config file that holds platform-specific configuration.
+	Settings []byte
+}
+
+// NewConfig selects the appropriate genpolicy configuration for the target platform.
+func NewConfig(platform platforms.Platform) *Config {
+	cfg := &Config{
+		Settings: defaultGenpolicySettings,
+	}
+	switch platform {
+	case platforms.AKSCloudHypervisorSNP:
+		cfg.Rules = aksCloudHypervisorSNPRules
+	default:
+		// TODO(burgerdev): use real rules for supported platforms.
+		cfg.Rules = permissiveRules
+	}
+	return cfg
+}
diff --git a/cli/genpolicy/genpolicy.go b/cli/genpolicy/genpolicy.go
@@ -28,7 +28,7 @@ type Runner struct {
 }
 
 // New creates a new Runner for the given configuration.
-func New(genpolicyBin []byte, rulesPath, settingsPath, cachePath string) (*Runner, error) {
+func New(rulesPath, settingsPath, cachePath string) (*Runner, error) {
 	e := embedbin.New()
 	genpolicy, err := e.Install("", genpolicyBin)
 	if err != nil {

diff --git a/cli/genpolicy/genpolicy_test.go b/cli/genpolicy/genpolicy_test.go
@@ -48,7 +48,7 @@ func TestRunner(t *testing.T) {
 	logger := slog.Default()
 
 	d := t.TempDir()
-	genpolicyBin := []byte(fmt.Sprintf(scriptTemplate, d))
+	genpolicyBin = []byte(fmt.Sprintf(scriptTemplate, d))
 
 	expectedRulesPath := "/rules.rego"
 	rulesPathFile := filepath.Join(d, "rules_path")
@@ -58,7 +58,7 @@ func TestRunner(t *testing.T) {
 	expectedYAMLPath := filepath.Join(d, "test.yaml")
 	yamlPathFile := filepath.Join(d, "yaml_path")
 
-	r, err := New(genpolicyBin, expectedRulesPath, expectedSettingsPath, cachePath)
+	r, err := New(expectedRulesPath, expectedSettingsPath, cachePath)
 	require.NoError(err)
 
 	require.NoError(r.Run(ctx, expectedYAMLPath, logger))

diff --git a/packages/by-name/cli-release/package.nix b/packages/by-name/cli-release/package.nix
@@ -11,9 +11,10 @@
 (contrast.overrideAttrs (
   _finalAttrs: previousAttrs: {
     prePatch = ''
-      install -D ${lib.getExe genpolicy} cli/cmd/assets/genpolicy
-      install -D ${contrast.settings}/genpolicy-settings.json cli/cmd/assets/genpolicy-settings.json
-      install -D ${contrast.rules}/genpolicy-rules.rego cli/cmd/assets/genpolicy-rules.rego
+      install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+      install -D ${contrast.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+      install -D ${contrast.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
+      # TODO(burgerdev): cli/genpolicy/assets/allow-all.rego is insecure and deliberately omitted
       install -D ${contrast.embeddedReferenceValues} internal/manifest/assets/reference-values.json
     '';
 

diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
@@ -90,6 +90,7 @@ buildGoModule rec {
         (path.append root "go.mod")
         (path.append root "go.sum")
         (path.append root "cli/cmd/assets/image-replacements.txt")
+        (path.append root "cli/genpolicy/assets/allow-all.rego")
         (path.append root "internal/attestation/snp/Milan.pem")
         (path.append root "internal/attestation/snp/Genoa.pem")
         (path.append root "nodeinstaller")
@@ -107,9 +108,10 @@ buildGoModule rec {
   subPackages = packageOutputs ++ [ "internal/kuberesource/resourcegen" ];
 
   prePatch = ''
-    install -D ${lib.getExe genpolicy} cli/cmd/assets/genpolicy
-    install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/cmd/assets/genpolicy-settings.json
-    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/cmd/assets/genpolicy-rules.rego
+    install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+    install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
+    install -D ${genpolicy.src}/src/kata-opa/allow-all.rego cli/genpolicy/assets/allow-all.rego
     install -D ${embeddedReferenceValues} internal/manifest/assets/reference-values.json
   '';
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING