feat: add opa allowlisting support

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

api/router/router.go

@@ -5,6 +5,7 @@ package router
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -15,6 +16,7 @@ import (
 	"github.com/moby/moby/api/server/httputils"
 	"github.com/moby/moby/api/types/versions"
 
+	"github.com/open-policy-agent/opa/v1/rego"
 	"github.com/runfinch/finch-daemon/api/handlers/builder"
 	"github.com/runfinch/finch-daemon/api/handlers/container"
 	"github.com/runfinch/finch-daemon/api/handlers/distribution"
@@ -30,6 +32,14 @@ import (
 	"github.com/runfinch/finch-daemon/version"
 )
 
+var errRego = errors.New("error in rego policy file")
+var errInput = errors.New("error in HTTP request")
+
+type inputRegoRequest struct {
+	Method string
+	Path   string
+}
+
 // Options defines the router options to be passed into the handlers.
 type Options struct {
 	Config              *config.Config
@@ -41,16 +51,24 @@ type Options struct {
 	VolumeService       volume.Service
 	ExecService         exec.Service
 	DistributionService distribution.Service
+	RegoFilePath        string
 
 	// NerdctlWrapper wraps the interactions with nerdctl to build
 	NerdctlWrapper *backend.NerdctlWrapper
 }
 
 // New creates a new router and registers the handlers to it. Returns a handler object
 // The struct definitions of the HTTP responses come from https://github.com/moby/moby/tree/master/api/types.
-func New(opts *Options) http.Handler {
+func New(opts *Options) (http.Handler, error) {
 	r := mux.NewRouter()
 	r.Use(VersionMiddleware)
+	if opts.RegoFilePath != "" {
+		regoMiddleware, err := CreateRegoMiddleware(opts.RegoFilePath)
+		if err != nil {
+			return nil, err
+		}
+		r.Use(regoMiddleware)
+	}
 	vr := types.VersionedRouter{Router: r}
 
 	logger := flog.NewLogrus()
@@ -62,7 +80,7 @@ func New(opts *Options) http.Handler {
 	volume.RegisterHandlers(vr, opts.VolumeService, opts.Config, logger)
 	exec.RegisterHandlers(vr, opts.ExecService, opts.Config, logger)
 	distribution.RegisterHandlers(vr, opts.DistributionService, opts.Config, logger)
-	return ghandlers.LoggingHandler(os.Stderr, r)
+	return ghandlers.LoggingHandler(os.Stderr, r), nil
 }
 
 // VersionMiddleware checks for the requested version of the api and makes sure it falls within the bounds
@@ -90,3 +108,46 @@ func VersionMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, newReq)
 	})
 }
+
+// CreateRegoMiddleware dynamically parses the rego file at the path specified in options
+// and allows or denies the request based on the policy.
+// Will return a nil function and an error if the given file path is blank or invalid.
+func CreateRegoMiddleware(regoFilePath string) (func(next http.Handler) http.Handler, error) {
+	if regoFilePath == "" {
+		return nil, errRego
+	}
+
+	query := "data.finch.authz.allow"
+	nr := rego.New(
+		rego.Load([]string{regoFilePath}, nil),
+		rego.Query(query),
+	)
+
+	preppedQuery, err := nr.PrepareForEval(context.Background())
+	if err != nil {
+		return nil, err
+	}
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			input := inputRegoRequest{
+				Method: r.Method,
+				Path:   r.URL.Path,
+			}
+
+			rs, err := preppedQuery.Eval(r.Context(), rego.EvalInput(input))
+			if err != nil {
+				response.SendErrorResponse(w, http.StatusInternalServerError, errInput)
+				return
+			}
+
+			if !rs.Allowed() {
+				response.SendErrorResponse(w, http.StatusForbidden,
+					fmt.Errorf("method %s not allowed for path %s", r.Method, r.URL.Path))
+				return
+			}
+			newReq := r.WithContext(r.Context())
+			next.ServeHTTP(w, newReq)
+		})
+	}, nil
+}

api/router/router_test.go

@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/containerd/nerdctl/v2/pkg/config"
@@ -51,8 +53,9 @@ var _ = Describe("version middleware test", func() {
 			BuilderService:   nil,
 			VolumeService:    nil,
 			NerdctlWrapper:   nil,
+			RegoFilePath:     "",
 		}
-		h = New(opts)
+		h, _ = New(opts)
 		rr = httptest.NewRecorder()
 		expected = types.VersionInfo{
 			Platform: struct {
@@ -126,3 +129,69 @@ var _ = Describe("version middleware test", func() {
 		Expect(v).Should(Equal(expected))
 	})
 })
+
+// Unit tests for the rego handler.
+var _ = Describe("rego middleware test", func() {
+	var (
+		opts         *Options
+		rr           *httptest.ResponseRecorder
+		expected     types.VersionInfo
+		sysSvc       *mocks_system.MockService
+		regoFilePath string
+	)
+
+	BeforeEach(func() {
+		mockCtrl := gomock.NewController(GinkgoT())
+		defer mockCtrl.Finish()
+
+		tempDirPath := GinkgoT().TempDir()
+		regoFilePath = filepath.Join(tempDirPath, "authz.rego")
+		os.Create(regoFilePath)
+
+		c := config.Config{}
+		sysSvc = mocks_system.NewMockService(mockCtrl)
+		opts = &Options{
+			Config:        &c,
+			SystemService: sysSvc,
+		}
+		rr = httptest.NewRecorder()
+		expected = types.VersionInfo{}
+		sysSvc.EXPECT().GetVersion(gomock.Any()).Return(&expected, nil).AnyTimes()
+	})
+	It("should return a 200 error for calls by default", func() {
+		h, err := New(opts)
+		Expect(err).Should(BeNil())
+
+		req, _ := http.NewRequest(http.MethodGet, "/version", nil)
+		h.ServeHTTP(rr, req)
+
+		Expect(rr).Should(HaveHTTPStatus(http.StatusOK))
+	})
+
+	It("should return a 400 error for disallowed calls", func() {
+		regoPolicy := `package finch.authz
+import rego.v1
+
+default allow = false`
+
+		os.WriteFile(regoFilePath, []byte(regoPolicy), 0644)
+		opts.RegoFilePath = regoFilePath
+		h, err := New(opts)
+		Expect(err).Should(BeNil())
+
+		req, _ := http.NewRequest(http.MethodGet, "/version", nil)
+		h.ServeHTTP(rr, req)
+
+		Expect(rr).Should(HaveHTTPStatus(http.StatusForbidden))
+	})
+
+	It("should return an error for poorly formed rego files", func() {
+		regoPolicy := `poorly formed rego file`
+
+		os.WriteFile(regoFilePath, []byte(regoPolicy), 0644)
+		opts.RegoFilePath = regoFilePath
+		_, err := New(opts)
+
+		Expect(err).Should(Not(BeNil()))
+	})
+})

cmd/finch-daemon/main.go

@@ -49,6 +49,9 @@ type DaemonOptions struct {
 	debugAddress string
 	configPath   string
 	pidFile      string
+	regoFilePath string
+	enableOpa    bool
+	regoFileLock *flock.Flock
 }
 
 var options = new(DaemonOptions)
@@ -67,6 +70,8 @@ func main() {
 	rootCmd.Flags().StringVar(&options.debugAddress, "debug-addr", "", "")
 	rootCmd.Flags().StringVar(&options.configPath, "config-file", defaultConfigPath, "Daemon Config Path")
 	rootCmd.Flags().StringVar(&options.pidFile, "pidfile", defaultPidFile, "pid file location")
+	rootCmd.Flags().StringVar(&options.regoFilePath, "rego-file", "", "Rego Policy Path")
+	rootCmd.Flags().BoolVar(&options.enableOpa, "enable-opa", false, "turn on opa allowlisting")
 	if err := rootCmd.Execute(); err != nil {
 		log.Printf("got error: %v", err)
 		log.Fatal(err)
@@ -193,6 +198,16 @@ func run(options *DaemonOptions) error {
 		}
 	}()
 
+	defer func() {
+		if options.regoFileLock != nil {
+			if err := options.regoFileLock.Unlock(); err != nil {
+				logrus.Errorf("failed to unlock Rego file: %v", err)
+			}
+			logger.Infof("rego file unlocked")
+			// todo : chmod to read-write permissions
+		}
+	}()
+
 	sdNotify(daemon.SdNotifyReady, logger)
 	serverWg.Wait()
 	logger.Debugln("Server stopped. Exiting...")
@@ -215,8 +230,20 @@ func newRouter(options *DaemonOptions, logger *flog.Logrus) (http.Handler, error
 		return nil, err
 	}
 
-	opts := createRouterOptions(conf, clientWrapper, ncWrapper, logger)
-	return router.New(opts), nil
+	var regoFilePath string
+	if options.enableOpa {
+		regoFilePath, err = sanitizeRegoFile(options)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	opts := createRouterOptions(conf, clientWrapper, ncWrapper, logger, regoFilePath)
+	newRouter, err := router.New(opts)
+	if err != nil {
+		return nil, err
+	}
+	return newRouter, nil
 }
 
 func handleSignal(socket string, server *http.Server, logger *flog.Logrus) {
@@ -265,3 +292,71 @@ func defineDockerConfig(uid int) error {
 		return true
 	})
 }
+
+func checkRegoFileValidity(filePath string) error {
+	fmt.Println("checking file validity.....")
+	if _, err := os.Stat(filePath); os.IsNotExist(err) {
+		return fmt.Errorf("provided Rego file path does not exist: %s", filePath)
+	}
+
+	// Check if the file has a valid extension (.rego, .yaml, or .json)
+	// validExtensions := []string{".rego", ".yaml", ".yml", ".json"}
+	fileExt := strings.ToLower(filepath.Ext(options.regoFilePath))
+
+	if fileExt != ".rego" {
+		return fmt.Errorf("invalid file extension for Rego file. Only .rego files are supported")
+	}
+
+	// isValidExtension := false
+	// for _, ext := range validExtensions {
+	//     if fileExt == ext {
+	//         isValidExtension = true
+	//         break
+	//     }
+	// }
+
+	// if !isValidExtension {
+	//     return fmt.Errorf("Invalid file extension for Rego file. Allowed extensions are: %v", validExtensions)
+	// }
+
+	fmt.Println(" file valid!")
+	return nil
+}
+
+// todo : rename this function to be more descriptve
+func sanitizeRegoFile(options *DaemonOptions) (string, error) {
+	fmt.Println("sanitizeRegoFile called.....")
+	if options.regoFilePath != "" {
+		if !options.enableOpa {
+			return "", fmt.Errorf("rego file path was provided without the --enable-opa flag, please provide the --enable-opa flag") // todo, can we default to setting this flag ourselves is this better UX?
+		}
+
+		if err := checkRegoFileValidity(options.regoFilePath); err != nil {
+			return "", err
+		}
+	}
+
+	if options.enableOpa && options.regoFilePath == "" {
+		return "", fmt.Errorf("rego file path not provided, please provide the policy file path using the --rego-file flag")
+	}
+
+	fileLock := flock.New(options.regoFilePath)
+
+	locked, err := fileLock.TryLock()
+	if err != nil {
+		return "", fmt.Errorf("error acquiring lock on rego file: %v", err)
+	}
+	if !locked {
+		return "", fmt.Errorf("unable to acquire lock on rego file, it may be in use by another process")
+	}
+
+	// Change file permissions to read-only
+	err = os.Chmod(options.regoFilePath, 0444) // read-only for all users
+	if err != nil {
+		fileLock.Unlock()
+		return "", fmt.Errorf("error changing rego file permissions: %v", err)
+	}
+	options.regoFileLock = fileLock
+
+	return options.regoFilePath, nil
+}

cmd/finch-daemon/router_utils.go

@@ -96,6 +96,7 @@ func createRouterOptions(
 	clientWrapper *backend.ContainerdClientWrapper,
 	ncWrapper *backend.NerdctlWrapper,
 	logger *flog.Logrus,
+	regoFilePath string,
 ) *router.Options {
 	fs := afero.NewOsFs()
 	tarCreator := archive.NewTarCreator(ecc.NewExecCmdCreator(), logger)
@@ -112,5 +113,6 @@ func createRouterOptions(
 		ExecService:         exec.NewService(clientWrapper, logger),
 		DistributionService: distribution.NewService(clientWrapper, ncWrapper, logger),
 		NerdctlWrapper:      ncWrapper,
+		RegoFilePath:        regoFilePath,
 	}
 }