cli: create default policy setting file, rego and manifest on generate

If files do not exist yet, generate will write default files.
edgelesssys · Jan 11, 2024 · cc7d9a4 · cc7d9a4
1 parent bad9ea6
commit cc7d9a4
Show file tree

Hide file tree

Showing 9 changed files with 1,435 additions and 1,120 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 tools/genpolicy.cache/*
+tools/genpolicy-msft.json
+tools/rules.rego
 !tools/genpolicy.cache/.gitkeep
 *.bin
 edgcoco

diff --git a/cli/constants.go b/cli/constants.go
@@ -1,8 +1,50 @@
 package main
 
+import (
+	_ "embed"
+	"encoding/json"
+
+	"github.com/edgelesssys/nunki/internal/manifest"
+)
+
 const (
 	coordRootPEMFilename   = "coordinator-root.pem"
 	coordIntermPEMFilename = "mesh-root.pem"
 	manifestFilename       = "manifest.json"
+	policyFilename         = "rules.rego"
 	verifyDir              = "./verify"
 )
+
+var (
+	defaultManifest = manifest.Manifest{
+		Policies: map[manifest.HexString][]string{
+			"2b3422e2e44c933f5a2bea3d25fc36502951cfac3bd07ea2033936b4b72b5c65": {
+				"workload.edg-coco",
+				"*.edg-coco",
+			},
+			"3638d61e7c8701e19e819751eb61e2e353f25f68374443d03428c8acc39ed3e9": {
+				"workload.edg-coco",
+				"*.edg-coco",
+			},
+		},
+		ReferenceValues: manifest.ReferenceValues{
+			SNP: manifest.SNPReferenceValues{
+				MinimumTCB: manifest.SNPTCB{
+					BootloaderVersion: 3,
+					TEEVersion:        0,
+					SNPVersion:        8,
+					MicrocodeVersion:  115,
+				},
+				TrustedIDKeyHashes: []manifest.HexString{
+					"b2bcf1b11d9fb3f2e4e7979546844d26c30255fff0775f3af56f8295f361a7d1a34a54516d41abfff7320763a5b701d8",
+					"22087e0b99b911c9cffccfd9550a054531c105d46ed6d31f948eae56bd2defa4887e2fc4207768ec610aa232ac7490c4",
+				},
+			},
+		},
+	}
+	defaultManifestData, _ = json.MarshalIndent(defaultManifest, "", "  ")
+	//go:embed genpolicy-msft.json
+	defaultGenpolicySettings []byte
+	//go:embed rules.rego
+	defaultRules []byte
+)
diff --git a/cli/generate.go b/cli/generate.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
+	_ "embed"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -65,7 +66,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create policy map: %w", err)
 	}
 
-	manifestData, err := os.ReadFile(flags.manifestPath)
+	manifestData, err := readFileOrCreateWithDefault(flags.manifestPath, defaultManifestData)
 	if err != nil {
 		return fmt.Errorf("failed to read manifest file: %w", err)
 	}
@@ -136,6 +137,12 @@ func filterNonCoCoRuntime(runtimeClassName string, paths []string, logger *slog.
 }
 
 func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPaths []string, logger *slog.Logger) error {
+	if err := createFileWithDefault(filepath.Join(regoPath, policyPath), defaultGenpolicySettings); err != nil {
+		return fmt.Errorf("creating default policy file: %w", err)
+	}
+	if err := createFileWithDefault(filepath.Join(regoPath, policyFilename), defaultGenpolicySettings); err != nil {
+		return fmt.Errorf("creating default policy.rego file: %w", err)
+	}
 	for _, yamlPath := range yamlPaths {
 		policyHash, err := generatePolicyForFile(ctx, regoPath, policyPath, yamlPath, logger)
 		if err != nil {
@@ -202,3 +209,35 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
 		manifestPath: manifestPath,
 	}, nil
 }
+
+// readFileOrCreateWithDefault reads the file at path,
+// or creates it with the default value if it doesn't exist.
+func readFileOrCreateWithDefault(path string, deflt []byte) ([]byte, error) {
+	data, err := os.ReadFile(path)
+	if err == nil {
+		return data, nil
+	}
+	if !os.IsNotExist(err) {
+		return nil, err
+	}
+	if err := os.WriteFile(path, deflt, 0o644); err != nil {
+		return nil, err
+	}
+	return deflt, nil
+}
+
+// createFileWithDefault creates the file at path with the default value,
+// if it doesn't exist.
+func createFileWithDefault(path string, deflt []byte) error {
+	fmt.Printf("Creating %s\n", path)
+	file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
+	if os.IsExist(err) {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	_, err = file.Write(deflt)
+	return err
+}
diff --git a/tools/genpolicy-msft.json → cli/genpolicy-msft.json b/tools/genpolicy-msft.json → cli/genpolicy-msft.json
diff --git a/data/manifest.json → cli/manifest.json b/data/manifest.json → cli/manifest.json