From 651c8e25eda83d01a0ef4eb5eba9ed064071f4fd Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Thu, 15 Feb 2024 13:56:06 +0100
Subject: [PATCH] genpolicy: backport path handling fixes to msft fork

---
 cli/constants.go | 1 -
 cli/generate.go | 14 +++++++-------
 justfile | 4 ++--
 packages/genpolicy_msft.nix | 22 +++++++++++++++++++---
 4 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/cli/constants.go b/cli/constants.go
index 62ec8ddf78..ce4ec73aed 100644
--- a/cli/constants.go
+++ b/cli/constants.go
@@ -13,7 +13,6 @@ const (
 manifestFilename = "manifest.json"
 settingsFilename = "settings.json"
 rulesFilename = "rules.rego"
- policyDir = "."
 verifyDir = "./verify"
 cacheDirEnv = "NUNKI_CACHE_DIR"
 )
diff --git a/cli/generate.go b/cli/generate.go
index 4bd3e622c2..ace23a12fb 100644
--- a/cli/generate.go
+++ b/cli/generate.go
@@ -52,7 +52,7 @@ func newGenerateCmd() *cobra.Command {
 RunE: runGenerate,
 }
 
- cmd.Flags().StringP("policy", "p", policyDir, "path to policy (.rego) file")
+ cmd.Flags().StringP("policy", "p", rulesFilename, "path to policy (.rego) file")
 cmd.Flags().StringP("settings", "s", settingsFilename, "path to settings (.json) file")
 cmd.Flags().StringP("manifest", "m", manifestFilename, "path to manifest (.json) file")
 cmd.Flags().StringArrayP("workload-owner-key", "w", []string{workloadOwnerPEM}, "path to workload owner key (.pem) file")
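Review bot: The `--policy` flag now defaults to a bare file name (`rulesFilename`) resolved against the working directory, but the help string still says only "path to policy (.rego) file" and does not mention that a missing file is apparently created from the built-in default rules (generatePolicies passes this path to createFileWithDefault). A mistyped `-p` therefore seems to yield a fresh default rules.rego at the wrong location rather than an error, and the resulting policy hash covers rules the operator did not intend to use. Suggest stating this in the help text, `cmd.Flags().StringP("policy", "p", rulesFilename, "path to policy (.rego) file; created from the built-in default if it does not exist")`, and the same for `--settings`. newGenerateCmd starts outside the hunk.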
@@ -188,11 +188,11 @@ func filterNonCoCoRuntime(runtimeClassName string, paths []string, logger *slog.
 return filtered
 }
 
-func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPaths []string, logger *slog.Logger) error {
- if err := createFileWithDefault(filepath.Join(regoPath, policyPath), func() ([]byte, error) { return defaultGenpolicySettings, nil }); err != nil {
+func generatePolicies(ctx context.Context, regoRulesPath, policySettingsPath string, yamlPaths []string, logger *slog.Logger) error {
+ if err := createFileWithDefault(policySettingsPath, func() ([]byte, error) { return defaultGenpolicySettings, nil }); err != nil {
 return fmt.Errorf("creating default policy file: %w", err)
 }
- if err := createFileWithDefault(filepath.Join(regoPath, rulesFilename), func() ([]byte, error) { return defaultRules, nil }); err != nil {
+ if err := createFileWithDefault(regoRulesPath, func() ([]byte, error) { return defaultRules, nil }); err != nil {
 return fmt.Errorf("creating default policy.rego file: %w", err)
 }
 binaryInstallDir, err := installDir()
@@ -209,7 +209,7 @@ func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPath
 }
 }()
 for _, yamlPath := range yamlPaths {
- policyHash, err := generatePolicyForFile(ctx, genpolicyInstall.Path(), regoPath, policyPath, yamlPath, logger)
+ policyHash, err := generatePolicyForFile(ctx, genpolicyInstall.Path(), regoRulesPath, policySettingsPath, yamlPath, logger)
 if err != nil {
 return fmt.Errorf("failed to generate policy for %s: %w", yamlPath, err)
 }
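Review bot: The error messages no longer describe what each call creates: the first `createFileWithDefault` writes the genpolicy settings at `policySettingsPath` yet reports "creating default policy file", and the second reports "policy.rego" although the rules path is now caller-supplied and defaults to rules.rego. Neither message names the path, so a failure (or a default file materialised in an unexpected place) is hard to trace from the log. Suggest `return fmt.Errorf("creating default settings file %q: %w", policySettingsPath, err)` and `return fmt.Errorf("creating default rules file %q: %w", regoRulesPath, err)`. generatePolicies continues outside the hunk.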
@@ -263,8 +263,8 @@ func generatePolicyForFile(ctx context.Context, genpolicyPath, regoPath, policyP
 args := []string{
 "--raw-out",
 "--use-cached-files",
- fmt.Sprintf("--input-files-path=%s", regoPath),
- fmt.Sprintf("--settings-file-name=%s", policyPath),
+ fmt.Sprintf("--rego-rules-path=%s", regoPath),
+ fmt.Sprintf("--json-settings-path=%s", policyPath),
 fmt.Sprintf("--yaml-file=%s", yamlPath),
 }
 genpolicy := exec.CommandContext(ctx, genpolicyPath, args...)
diff --git a/justfile b/justfile
index 1e0a7828a1..facbd9b027 100644
--- a/justfile
+++ b/justfile
@@ -39,8 +39,8 @@ generate target=default_deploy_target:
 t=$(date +%s)
 nix run .#cli -- generate \
 -m ./{{ workspace_dir }}/manifest.json \
- -p ./{{ workspace_dir }} \
- -s genpolicy-msft.json \
+ -p ./{{ workspace_dir }}/rules.rego \
+ -s ./{{ workspace_dir }}/genpolicy-msft.json \
 ./{{ workspace_dir }}/deployment/*.yml > ./{{ workspace_dir }}/just.coordinator-policy-hash
 duration=$(( $(date +%s) - $t ))
 echo "Generated policies in $duration seconds."
diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
index f0d239e878..28f90baa81 100644
--- a/packages/genpolicy_msft.nix
+++ b/packages/genpolicy_msft.nix
@@ -1,6 +1,7 @@
 { lib
 , fetchFromGitHub
 , fetchurl
+, fetchpatch
 , applyPatches
 , rustPlatform
 , openssl
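Review bot: generatePolicyForFile keeps the parameter names `regoPath` and `policyPath` (visible in the hunk header and in the changed Sprintf lines) while its caller generatePolicies was renamed to `regoRulesPath`/`policySettingsPath` in the same commit; the old names still suggest a directory plus a policy file, which is exactly the confusion this change removes, so the signature should be renamed to match. The new `--rego-rules-path` and `--json-settings-path` arguments also appear to exist only in a genpolicy build carrying the path-handling patch that packages/genpolicy_msft.nix applies on top of a pinned main commit, so an unpatched binary at `genpolicyPath` would reject them; that coupling deserves a comment above `args`, e.g. `// flag names require the path-handling patch applied in packages/genpolicy_msft.nix`. The function's signature and the rest of its body lie outside the hunk.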
@@ -17,13 +18,28 @@ rustPlatform.buildRustPackage rec { src = fetchFromGitHub { owner = "microsoft"; repo = "kata-containers"; - rev = "genpolicy-${version}"; - hash = "sha256-R+kiyG3xLsoLBVTy1lmmqvDgoQuqfcV3DkfQtRCiYCw="; + # Latest released version of genpolicy + # is too old for the path handling patch. + # Using a commit from main for now. + # rev = "genpolicy-${version}"; + rev = "401db3a3e75c699422537551e7862cd510fb68b0"; + hash = "sha256-dyYGGQPGWe6oVcAa48Kr/SsdSpUhwQZrRQ2d54BIac8="; }; + patches = [ + # TODO(malt3): drop this patch when msft fork adopted this from upstream + (fetchpatch { + name = "genpolicy_path_handling.patch"; + url = "https://github.com/kata-containers/kata-containers/commit/befef119ff4df2868cdc88d4273c8be965387793.patch"; + sha256 = "sha256-4pfYrP9KaPVcrFbm6DkiZUNckUq0fKWZPfCONW8/kso="; + }) + ]; + + patchFlags = [ "-p4" ]; + sourceRoot = "${src.name}/src/tools/genpolicy"; - cargoHash = "sha256-MRVtChYQkiU92n/z+5r4ge58t9yVeOCdqs0zx81IQUY="; + cargoHash = "sha256-WRSDqrOgSZVcJGN7PuyIqqmOSbrob75QNE2Ztb1L9Ww="; OPENSSL_NO_VENDOR = 1;