cli: create default policy setting file, rego and manifest on generate
If files do not exist yet, generate will write default files.
malt3 committed Jan 11, 2024
1 parent bad9ea6 commit f31da19
Showing 8 changed files with 87 additions and 3 deletions.
12 changes: 12 additions & 0 deletions cli/constants.go
@@ -1,8 +1,20 @@
package main

import (
_ "embed"
)

const (
coordRootPEMFilename = "coordinator-root.pem"
coordIntermPEMFilename = "mesh-root.pem"
manifestFilename = "manifest.json"
rulesFilename = "rules.rego"
verifyDir = "./verify"
)

var (
//go:embed genpolicy-msft.json
defaultGenpolicySettings []byte
//go:embed rules.rego
defaultRules []byte
)
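Review bot: The new embedded variables defaultGenpolicySettings and defaultRules, and the new rulesFilename constant, carry no doc comments, so a reader of this file cannot tell that their contents are only written to disk by generatePolicies when the target file is absent (cli/generate.go, createFileWithDefault). Suggest `// defaultGenpolicySettings is the embedded genpolicy settings file that generate writes when none exists yet.` above the first `//go:embed` line and `// defaultRules is the embedded rules.rego that generate writes when none exists yet.` above the second. Because these bytes end up as policy inputs, naming the source file in the comment also makes it clear which file must be kept in sync with the embed directive.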
42 changes: 41 additions & 1 deletion cli/generate.go
Expand Up @@ -4,6 +4,7 @@ import (
"bytes"
"context"
"crypto/sha256"
_ "embed"
"encoding/json"
"errors"
"fmt"
Expand Down Expand Up @@ -65,7 +66,12 @@ func runGenerate(cmd *cobra.Command, args []string) error {
return fmt.Errorf("failed to create policy map: %w", err)
}

manifestData, err := os.ReadFile(flags.manifestPath)
defaultManifest := manifest.Default()
defaultManifestData, err := json.MarshalIndent(&defaultManifest, "", " ")
if err != nil {
return fmt.Errorf("failed to marshal default manifest: %w", err)
}
manifestData, err := readFileOrDefault(flags.manifestPath, defaultManifestData)
if err != nil {
return fmt.Errorf("failed to read manifest file: %w", err)
}
Expand Down Expand Up @@ -136,6 +142,12 @@ func filterNonCoCoRuntime(runtimeClassName string, paths []string, logger *slog.
}

func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPaths []string, logger *slog.Logger) error {
if err := createFileWithDefault(filepath.Join(regoPath, policyPath), defaultGenpolicySettings); err != nil {
return fmt.Errorf("creating default policy file: %w", err)
}
if err := createFileWithDefault(filepath.Join(regoPath, rulesFilename), defaultRules); err != nil {
return fmt.Errorf("creating default policy.rego file: %w", err)
}
for _, yamlPath := range yamlPaths {
policyHash, err := generatePolicyForFile(ctx, regoPath, policyPath, yamlPath, logger)
if err != nil {
Expand Down Expand Up @@ -202,3 +214,31 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
manifestPath: manifestPath,
}, nil
}

// readFileOrDefault reads the file at path,
// or returns the default value if the file doesn't exist.
func readFileOrDefault(path string, deflt []byte) ([]byte, error) {
data, err := os.ReadFile(path)
if err == nil {
return data, nil
}
if !os.IsNotExist(err) {
return nil, err
}
return deflt, nil
}

// createFileWithDefault creates the file at path with the default value,
// if it doesn't exist.
func createFileWithDefault(path string, deflt []byte) error {
file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
if os.IsExist(err) {
return nil
}
if err != nil {
return err
}
defer file.Close()
_, err = file.Write(deflt)
return err
}
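Review bot: createFileWithDefault discards the error from the deferred file.Close(), so a write that is only reported on close returns nil, and because the file was created with O_EXCL the next run treats the truncated default as already present and skips it. Replace the last three lines with `if _, err := file.Write(deflt); err != nil { file.Close(); return err }` followed by `return file.Close()`. In the generatePolicies hunk the error string `creating default policy.rego file` names a file that does not match rulesFilename (`rules.rego`) in cli/constants.go; `creating default rules.rego file` would match, and generatePolicies continues outside the hunk. readFileOrDefault silently substitutes the built-in manifest whenever the path does not exist, which also covers a mistyped -m path, so logging that the default manifest was used would make the substitution visible to the operator.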
File renamed without changes.
File renamed without changes.
File renamed without changes.
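--- a/internal/manifest/constants.go
+++ b/internal/manifest/constants.go
@@ -0,0 +1,31 @@
+package manifest
+
+// Default returns a default manifest.
+func Default() Manifest {
+return Manifest{
+Policies: map[HexString][]string{
+"2b3422e2e44c933f5a2bea3d25fc36502951cfac3bd07ea2033936b4b72b5c65": {
+"workload.edg-coco",
+"*.edg-coco",
+},
+"3638d61e7c8701e19e819751eb61e2e353f25f68374443d03428c8acc39ed3e9": {
+"workload.edg-coco",
+"*.edg-coco",
+},
+},
+ReferenceValues: ReferenceValues{
+SNP: SNPReferenceValues{
+MinimumTCB: SNPTCB{
+BootloaderVersion: 3,
+TEEVersion: 0,
+SNPVersion: 8,
+MicrocodeVersion: 115,
+},
+TrustedIDKeyHashes: []HexString{
+"b2bcf1b11d9fb3f2e4e7979546844d26c30255fff0775f3af56f8295f361a7d1a34a54516d41abfff7320763a5b701d8",
+"22087e0b99b911c9cffccfd9550a054531c105d46ed6d31f948eae56bd2defa4887e2fc4207768ec610aa232ac7490c4",
+},
+},
+},
+}
+}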
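Review bot: Default() hard-codes two policy hashes, two trusted ID key hashes and a minimum TCB with no indication of what they correspond to or how they were produced, yet readFileOrDefault in cli/generate.go makes this manifest the one used whenever no manifest file exists, so these literals become the trust anchors of a fresh deployment. The doc comment should state what the Policies keys and TrustedIDKeyHashes entries identify and how to regenerate them, for example `// Default returns a manifest pre-populated with the policy hashes and SNP reference values for <placeholder: origin of these values>; regenerate them when the embedded rules or settings change.` A one-line comment next to each hash naming its source would let a reviewer confirm that a bumped genpolicy-msft.json or rules.rego does not leave stale hashes behind.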
3 changes: 1 addition & 2 deletions justfile
Expand Up @@ -24,7 +24,6 @@ generate target=default_deploy_target:
mkdir -p ./{{worspace_dir}}
rm -rf ./{{worspace_dir}}/deployment
cp -R ./deployments/{{target}} ./{{worspace_dir}}/deployment
cp ./data/manifest.json ./{{worspace_dir}}/manifest.json
nix run .#yq-go -- -i ". \
| with(select(.spec.template.spec.containers[].image | contains(\"nunki/coordinator\")); \
.spec.template.spec.containers[0].image = \"${container_registry}/nunki/coordinator:latest\")" \
Expand All @@ -37,7 +36,7 @@ generate target=default_deploy_target:
done
nix run .#cli -- generate \
-m ./{{worspace_dir}}/manifest.json \
-p tools \
-p ./{{worspace_dir}} \
-s genpolicy-msft.json \
./{{worspace_dir}}/deployment/*.yml
2 changes: 2 additions & 0 deletions packages/default.nix
Expand Up @@ -12,6 +12,8 @@ let
fileset = lib.fileset.unions [
../go.mod
../go.sum
../cli/rules.rego # go embed
../cli/genpolicy-msft.json # go embed
(lib.fileset.fileFilter (file: lib.hasSuffix ".go" file.name) ../.)
];
};
