diff --git a/cli/cmd/common.go b/cli/cmd/common.go
index 317f0868cd..5c875d5db7 100644
--- a/cli/cmd/common.go
+++ b/cli/cmd/common.go
@@ -30,12 +30,6 @@ const (
 )
 
 var (
-	//go:embed assets/genpolicy
-	genpolicyBin []byte
-	//go:embed assets/genpolicy-settings.json
-	defaultGenpolicySettings []byte
-	//go:embed assets/genpolicy-rules.rego
-	defaultRules []byte
 	// ReleaseImageReplacements contains the image replacements used by contrast.
 	//go:embed assets/image-replacements.txt
 	ReleaseImageReplacements []byte
diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
index 459948a6b7..56124d156c 100644
--- a/cli/cmd/generate.go
+++ b/cli/cmd/generate.go
@@ -126,7 +126,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 	}
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Patched targets")
 
-	if err := generatePolicies(cmd.Context(), flags.policyPath, flags.settingsPath, flags.genpolicyCachePath, paths, log); err != nil {
+	if err := generatePolicies(cmd.Context(), flags, paths, log); err != nil {
 		return fmt.Errorf("generate policies: %w", err)
 	}
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Generated workload policy annotations")
@@ -241,15 +241,16 @@ func filterNonCoCoRuntime(runtimeClassNamePrefix string, paths []string, logger
 	return filtered
 }
 
-func generatePolicies(ctx context.Context, regoRulesPath, policySettingsPath, genpolicyCachePath string, yamlPaths []string, logger *slog.Logger) error {
-	if err := createFileWithDefault(policySettingsPath, 0o644, func() ([]byte, error) { return defaultGenpolicySettings, nil }); err != nil {
+func generatePolicies(ctx context.Context, flags *generateFlags, yamlPaths []string, logger *slog.Logger) error {
+	cfg := genpolicy.NewConfig(flags.referenceValuesPlatform)
+	if err := createFileWithDefault(flags.settingsPath, 0o644, func() ([]byte, error) { return cfg.Settings, nil }); err != nil {
 		return fmt.Errorf("creating default policy file: %w", err)
 	}
-	if err := createFileWithDefault(regoRulesPath, 0o644, func() ([]byte, error) { return defaultRules, nil }); err != nil {
+	if err := createFileWithDefault(flags.policyPath, 0o644, func() ([]byte, error) { return cfg.Rules, nil }); err != nil {
 		return fmt.Errorf("creating default policy.rego file: %w", err)
 	}
-	runner, err := genpolicy.New(genpolicyBin, regoRulesPath, policySettingsPath, genpolicyCachePath)
+	runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath)
 	if err != nil {
 		return fmt.Errorf("preparing genpolicy: %w", err)
 	}
diff --git a/cli/cmd/assets/genpolicy b/cli/genpolicy/assets/allow-all.rego
similarity index 100%
rename from cli/cmd/assets/genpolicy
rename to cli/genpolicy/assets/allow-all.rego
diff --git a/cli/cmd/assets/genpolicy-rules.rego b/cli/genpolicy/assets/genpolicy
old mode 100755
new mode 100644
similarity index 100%
rename from cli/cmd/assets/genpolicy-rules.rego
rename to cli/genpolicy/assets/genpolicy
diff --git a/cli/genpolicy/assets/genpolicy-rules.rego b/cli/genpolicy/assets/genpolicy-rules.rego
new file mode 100755
index 0000000000..5c169759e7
--- /dev/null
+++ b/cli/genpolicy/assets/genpolicy-rules.rego
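Review bot: generatePolicies has no doc comment, and after this change the contents written to flags.policyPath depend on flags.referenceValuesPlatform, which a reader of the call site in runGenerate cannot see. Add `// generatePolicies writes the default genpolicy settings and rules selected for flags.referenceValuesPlatform to flags.settingsPath and flags.policyPath, then runs genpolicy over yamlPaths.` above the signature. If createFileWithDefault keeps an existing file untouched, as its name suggests, a policy.rego left over from a run with a different platform is silently reused; that is worth one sentence in the same comment so users know to delete the file when switching platforms. The function continues past the end of the hunk.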
@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING
diff --git a/cli/cmd/assets/genpolicy-settings.json b/cli/genpolicy/assets/genpolicy-settings.json
similarity index 100%
rename from cli/cmd/assets/genpolicy-settings.json
rename to cli/genpolicy/assets/genpolicy-settings.json
diff --git a/cli/genpolicy/config.go b/cli/genpolicy/config.go
new file mode 100644
index 0000000000..f6004878b4
--- /dev/null
+++ b/cli/genpolicy/config.go
@@ -0,0 +1,44 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+package genpolicy
+
+import (
+	_ "embed"
+
+	"github.com/edgelesssys/contrast/internal/platforms"
+)
+
+var (
+	//go:embed assets/genpolicy
+	genpolicyBin []byte
+	//go:embed assets/genpolicy-settings.json
+	defaultGenpolicySettings []byte
+	//go:embed assets/genpolicy-rules.rego
+	aksCloudHypervisorSNPRules []byte
+	//go:embed assets/allow-all.rego
+	permissiveRules []byte
+)
+
+// Config contains configuration files for genpolicy.
+type Config struct {
+	// Rules is a Rego module that verifies agent requests.
+	Rules []byte
+	// Settings is a json config file that holds platform-specific configuration.
+	Settings []byte
+}
+
+// NewConfig selects the appropriate genpolicy configuration for the target platform.
+func NewConfig(platform platforms.Platform) *Config {
+	cfg := &Config{
+		Settings: defaultGenpolicySettings,
+	}
+	switch platform {
+	case platforms.AKSCloudHypervisorSNP:
+		cfg.Rules = aksCloudHypervisorSNPRules
+	default:
+		// TODO(burgerdev): use real rules for supported platforms.
+		cfg.Rules = permissiveRules
+	}
+	return cfg
+}
diff --git a/cli/genpolicy/genpolicy.go b/cli/genpolicy/genpolicy.go
index 6d8315da60..787b436c18 100644
--- a/cli/genpolicy/genpolicy.go
+++ b/cli/genpolicy/genpolicy.go
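Review bot: NewConfig fails open in its `default` branch: every platform other than AKSCloudHypervisorSNP, including the zero value and any future constant nobody has wired up yet, silently receives permissiveRules, so the policy written to disk is allow-all without any signal to the user, and in the release build (where cli-release/package.nix deliberately does not install allow-all.rego) the embedded asset appears to be the comment-only placeholder from the source tree instead. Platforms without production rules should be rejected: change the signature to `func NewConfig(platform platforms.Platform) (*Config, error)`, return an error from `default`, and update the caller in generatePolicies (generate.go hunk above) to propagate it; fmt then needs importing here. If the permissive fallback is wanted for development, keep it behind an explicit opt-in or at least log a warning in generatePolicies so the choice is visible in the output. Separately, the `Settings` field comment should read `JSON`.
```go
func NewConfig(platform platforms.Platform) (*Config, error) {
	cfg := &Config{Settings: defaultGenpolicySettings}
	switch platform {
	// … unchanged: AKSCloudHypervisorSNP case …
	default:
		// TODO(burgerdev): add real rules for the remaining platforms; permissiveRules is for development only.
		return nil, fmt.Errorf("no genpolicy rules available for platform %v", platform)
	}
	return cfg, nil
}
```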
@@ -28,7 +28,7 @@ type Runner struct {
 }
 
 // New creates a new Runner for the given configuration.
-func New(genpolicyBin []byte, rulesPath, settingsPath, cachePath string) (*Runner, error) {
+func New(rulesPath, settingsPath, cachePath string) (*Runner, error) {
 	e := embedbin.New()
 	genpolicy, err := e.Install("", genpolicyBin)
 	if err != nil {
diff --git a/cli/genpolicy/genpolicy_test.go b/cli/genpolicy/genpolicy_test.go
index 90f05d28f8..4401f3eb8e 100644
--- a/cli/genpolicy/genpolicy_test.go
+++ b/cli/genpolicy/genpolicy_test.go
@@ -48,7 +48,7 @@ func TestRunner(t *testing.T) {
 	logger := slog.Default()
 	d := t.TempDir()
 
-	genpolicyBin := []byte(fmt.Sprintf(scriptTemplate, d))
+	genpolicyBin = []byte(fmt.Sprintf(scriptTemplate, d))
 	expectedRulesPath := "/rules.rego"
 	rulesPathFile := filepath.Join(d, "rules_path")
 
@@ -58,7 +58,7 @@ func TestRunner(t *testing.T) {
 	expectedYAMLPath := filepath.Join(d, "test.yaml")
 	yamlPathFile := filepath.Join(d, "yaml_path")
 
-	r, err := New(genpolicyBin, expectedRulesPath, expectedSettingsPath, cachePath)
+	r, err := New(expectedRulesPath, expectedSettingsPath, cachePath)
 	require.NoError(err)
 	require.NoError(r.Run(ctx, expectedYAMLPath, logger))
 
diff --git a/packages/by-name/cli-release/package.nix b/packages/by-name/cli-release/package.nix
index 00ebb3b27f..c7100ab81c 100644
--- a/packages/by-name/cli-release/package.nix
+++ b/packages/by-name/cli-release/package.nix
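Review bot: TestRunner now overwrites the package-level `genpolicyBin` that New reads (genpolicy.go hunk) and never restores it, so the fake script leaks into every other test in the package that runs afterwards, and the test can never be marked parallel without a data race on that variable. Save and restore it: `old := genpolicyBin`, `genpolicyBin = []byte(fmt.Sprintf(scriptTemplate, d))`, `t.Cleanup(func() { genpolicyBin = old })`. Longer term, an unexported constructor that takes the binary as a parameter (what New had before this change) would keep the test seam without mutable package state. TestRunner continues outside both hunks.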
@@ -11,9 +11,10 @@
 (contrast.overrideAttrs (
   _finalAttrs: previousAttrs: {
     prePatch = ''
-      install -D ${lib.getExe genpolicy} cli/cmd/assets/genpolicy
-      install -D ${contrast.settings}/genpolicy-settings.json cli/cmd/assets/genpolicy-settings.json
-      install -D ${contrast.rules}/genpolicy-rules.rego cli/cmd/assets/genpolicy-rules.rego
+      install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+      install -D ${contrast.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+      install -D ${contrast.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
+      # TODO(burgerdev): cli/genpolicy/assets/allow-all.rego is insecure and deliberately omitted
       install -D ${contrast.embeddedReferenceValues} internal/manifest/assets/reference-values.json
     '';
diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
index b3987629b6..448be295d9 100644
--- a/packages/by-name/contrast/package.nix
+++ b/packages/by-name/contrast/package.nix
@@ -90,6 +90,7 @@ buildGoModule rec {
       (path.append root "go.mod")
       (path.append root "go.sum")
       (path.append root "cli/cmd/assets/image-replacements.txt")
+      (path.append root "cli/genpolicy/assets/allow-all.rego")
       (path.append root "internal/attestation/snp/Milan.pem")
       (path.append root "internal/attestation/snp/Genoa.pem")
       (path.append root "nodeinstaller")
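Review bot: The new comment in the cli-release prePatch says allow-all.rego is omitted, but `//go:embed assets/allow-all.rego` in cli/genpolicy/config.go still requires a file at that path, so the release binary embeds whatever the source tree holds there — which, given the rename from the old cli/cmd/assets/genpolicy stub and the source filter added in contrast/package.nix, looks like a comment-only placeholder rather than nothing at all. State that in the comment so the next reader does not assume the permissive branch of NewConfig is compiled out of release builds: `# allow-all.rego is deliberately not installed here: release builds embed the comment-only placeholder from the source tree, so NewConfig's permissive fallback must never be reachable in a release.` The comment is also the only place this decision is recorded; it belongs next to the embed directive in config.go as well.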
@@ -107,9 +108,10 @@ buildGoModule rec {
   subPackages = packageOutputs ++ [ "internal/kuberesource/resourcegen" ];
 
   prePatch = ''
-    install -D ${lib.getExe genpolicy} cli/cmd/assets/genpolicy
-    install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/cmd/assets/genpolicy-settings.json
-    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/cmd/assets/genpolicy-rules.rego
+    install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+    install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
+    install -D ${genpolicy.src}/src/kata-opa/allow-all.rego cli/genpolicy/assets/allow-all.rego
     install -D ${embeddedReferenceValues} internal/manifest/assets/reference-values.json
   '';