Simplify & no metrics

Co-authored-by: Ona <[email protected]>

Author: kylos101

components/ee/agent-smith/pkg/agent/agent.go

@@ -149,15 +149,17 @@ func NewAgentSmith(cfg config.Config) (*Smith, error) {
 			WorkingArea:  cfg.FilesystemScanning.WorkingArea,
 		}
 
-		// Check if the main classifier supports filesystem detection
-		if fsc, ok := class.(classifier.FileClassifier); ok {
-			filesystemClass = fsc
+		// Create independent filesystem classifier (no dependency on process classifier)
+		filesystemClass, err = cfg.Blocklists.FileClassifier()
+		if err != nil {
+			log.WithError(err).Error("failed to create filesystem classifier")
+		} else {
 			filesystemDetec, err = detector.NewfileDetector(fsConfig, filesystemClass)
 			if err != nil {
-				log.WithError(err).Warn("failed to create filesystem detector")
+				log.WithError(err).Error("failed to create filesystem detector")
+			} else {
+				log.Info("Filesystem detector created successfully with independent classifier")
 			}
-		} else {
-			log.Warn("classifier does not support filesystem detection, filesystem scanning disabled")
 		}
 	}
 

components/ee/agent-smith/pkg/classifier/classifier.go

@@ -254,12 +254,7 @@ func (sigcl *SignatureMatchClassifier) Matches(executable string, cmdline []stri
 
 // MatchesFile checks if a filesystem file matches any filesystem signatures
 func (sigcl *SignatureMatchClassifier) MatchesFile(filePath string) (c *Classification, err error) {
-	filesystemSignatures := make([]*Signature, 0)
-	for _, sig := range sigcl.Signatures {
-		if sig.Domain == DomainFileSystem {
-			filesystemSignatures = append(filesystemSignatures, sig)
-		}
-	}
+	filesystemSignatures := sigcl.GetFileSignatures()
 
 	if len(filesystemSignatures) == 0 {
 		return sigNoMatch, nil
@@ -506,14 +501,6 @@ func (cl *CountingMetricsClassifier) Matches(executable string, cmdline []string
 	return cl.D.Matches(executable, cmdline)
 }
 
-func (cl *CountingMetricsClassifier) MatchesFile(filePath string) (*Classification, error) {
-	cl.callCount.Inc()
-	if fsc, ok := cl.D.(FileClassifier); ok {
-		return fsc.MatchesFile(filePath)
-	}
-	return sigNoMatch, nil
-}
-
 func (cl *CountingMetricsClassifier) Describe(d chan<- *prometheus.Desc) {
 	cl.callCount.Describe(d)
 	cl.D.Describe(d)
@@ -523,99 +510,3 @@ func (cl *CountingMetricsClassifier) Collect(m chan<- prometheus.Metric) {
 	cl.callCount.Collect(m)
 	cl.D.Collect(m)
 }
-
-func (cl *CountingMetricsClassifier) GetFileSignatures() []*Signature {
-	if fsc, ok := cl.D.(FileClassifier); ok {
-		return fsc.GetFileSignatures()
-	}
-	return nil
-}
-
-func (cl GradedClassifier) MatchesFile(filePath string) (*Classification, error) {
-	order := []Level{LevelVery, LevelBarely, LevelAudit}
-
-	var (
-		c   *Classification
-		err error
-	)
-	for _, level := range order {
-		classifier, exists := cl[level]
-		if !exists {
-			continue
-		}
-
-		if fsc, ok := classifier.(FileClassifier); ok {
-			c, err = fsc.MatchesFile(filePath)
-			if err != nil {
-				return nil, err
-			}
-			if c.Level != LevelNoMatch {
-				break
-			}
-		}
-	}
-
-	if c == nil || c.Level == LevelNoMatch {
-		return sigNoMatch, nil
-	}
-
-	res := *c
-	res.Classifier = ClassifierGraded + "." + res.Classifier
-	return &res, nil
-}
-
-func (cl GradedClassifier) GetFileSignatures() []*Signature {
-	var allSignatures []*Signature
-
-	for _, classifier := range cl {
-		if fsc, ok := classifier.(FileClassifier); ok {
-			signatures := fsc.GetFileSignatures()
-			allSignatures = append(allSignatures, signatures...)
-		}
-	}
-
-	return allSignatures
-}
-
-func (cl CompositeClassifier) MatchesFile(filePath string) (*Classification, error) {
-	var (
-		c   *Classification
-		err error
-	)
-	for _, classifier := range cl {
-		if fsc, ok := classifier.(FileClassifier); ok {
-			c, err = fsc.MatchesFile(filePath)
-			if err != nil {
-				return nil, err
-			}
-			if c.Level != LevelNoMatch {
-				break
-			}
-		}
-	}
-
-	if c == nil || len(cl) == 0 {
-		// empty composite classifier
-		return sigNoMatch, nil
-	}
-	if c.Level == LevelNoMatch {
-		return sigNoMatch, nil
-	}
-
-	res := *c
-	res.Classifier = ClassifierComposite + "." + res.Classifier
-	return &res, nil
-}
-
-func (cl CompositeClassifier) GetFileSignatures() []*Signature {
-	var allSignatures []*Signature
-
-	for _, classifier := range cl {
-		if fsc, ok := classifier.(FileClassifier); ok {
-			signatures := fsc.GetFileSignatures()
-			allSignatures = append(allSignatures, signatures...)
-		}
-	}
-
-	return allSignatures
-}

components/ee/agent-smith/pkg/classifier/classifier_test.go

@@ -91,38 +91,3 @@ func TestCommandlineClassifier(t *testing.T) {
 		})
 	}
 }
-
-func TestCountingMetricsClassifierFilesystemInterface(t *testing.T) {
-	// Create a signature classifier with filesystem signatures
-	signatures := []*classifier.Signature{
-		{
-			Name:     "test-filesystem",
-			Domain:   classifier.DomainFileSystem,
-			Pattern:  []byte("malware"),
-			Filename: []string{"malware.exe"},
-		},
-	}
-
-	sigClassifier := classifier.NewSignatureMatchClassifier("test", classifier.LevelAudit, signatures)
-	countingClassifier := classifier.NewCountingMetricsClassifier("counting", sigClassifier)
-
-	// Test that CountingMetricsClassifier implements FileClassifier
-	var fsc classifier.FileClassifier = countingClassifier
-
-	// Test filesystem file matching (file doesn't exist, should return no match without error)
-	result, err := fsc.MatchesFile("/nonexistent/path/malware.exe")
-	if err != nil {
-		t.Fatalf("MatchesFile failed: %v", err)
-	}
-
-	// Should return no match since file doesn't exist, but no error
-	if result.Level != classifier.LevelNoMatch {
-		t.Errorf("Expected LevelNoMatch for nonexistent file, got %v", result.Level)
-	}
-
-	// Test that the interface delegation works by checking that it doesn't panic
-	// and returns a valid Classification
-	if result == nil {
-		t.Error("Expected non-nil Classification result")
-	}
-}

components/ee/agent-smith/pkg/config/config.go

@@ -261,6 +261,42 @@ func (b *Blocklists) Classifier() (res classifier.ProcessClassifier, err error)
 	return gres, nil
 }
 
+// FileClassifier creates a classifier specifically for filesystem scanning
+// This extracts only filesystem signatures from all blocklist levels and creates
+// a clean classifier without any CountingMetricsClassifier wrapper
+func (b *Blocklists) FileClassifier() (classifier.FileClassifier, error) {
+	if b == nil {
+		// Return a classifier with no signatures - will match nothing
+		return classifier.NewSignatureMatchClassifier("filesystem-empty", classifier.LevelAudit, nil), nil
+	}
+
+	// Collect all filesystem signatures from all levels
+	var allFilesystemSignatures []*classifier.Signature
+
+	for _, bl := range b.Levels() {
+		if bl == nil || bl.Signatures == nil {
+			continue
+		}
+
+		for _, sig := range bl.Signatures {
+			if sig.Domain == classifier.DomainFileSystem {
+				fsSig := &classifier.Signature{
+					Name:     sig.Name,
+					Domain:   sig.Domain,
+					Pattern:  sig.Pattern,
+					Filename: sig.Filename,
+					Regexp:   sig.Regexp,
+				}
+				allFilesystemSignatures = append(allFilesystemSignatures, fsSig)
+			}
+		}
+	}
+
+	// Create a single SignatureMatchClassifier with all filesystem signatures
+	// Use LevelAudit as default - individual signatures can still have their own severity
+	return classifier.NewSignatureMatchClassifier("filesystem", classifier.LevelAudit, allFilesystemSignatures), nil
+}
+
 func (b *Blocklists) Levels() map[common.Severity]*PerLevelBlocklist {
 	res := make(map[common.Severity]*PerLevelBlocklist)
 	if b.Barely != nil {

components/ee/agent-smith/pkg/config/config_test.go

@@ -0,0 +1,149 @@
+// Copyright (c) 2024 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package config
+
+import (
+	"testing"
+
+	"github.com/gitpod-io/gitpod/agent-smith/pkg/classifier"
+)
+
+func TestFileClassifierIndependence(t *testing.T) {
+	// Create a blocklist with both process and filesystem signatures
+	blocklists := &Blocklists{
+		Audit: &PerLevelBlocklist{
+			Binaries: []string{"malware"}, // Process-related
+			Signatures: []*classifier.Signature{
+				{
+					Name:     "process-sig",
+					Domain:   classifier.DomainProcess,
+					Pattern:  []byte("process-pattern"),
+					Filename: []string{"malware.exe"},
+				},
+				{
+					Name:     "filesystem-sig",
+					Domain:   classifier.DomainFileSystem,
+					Pattern:  []byte("filesystem-pattern"),
+					Filename: []string{"virus.exe"},
+				},
+			},
+		},
+		Very: &PerLevelBlocklist{
+			Signatures: []*classifier.Signature{
+				{
+					Name:     "filesystem-sig-2",
+					Domain:   classifier.DomainFileSystem,
+					Pattern:  []byte("another-pattern"),
+					Filename: []string{"trojan.exe"},
+				},
+			},
+		},
+	}
+
+	// Test process classifier (existing functionality - should be unchanged)
+	processClass, err := blocklists.Classifier()
+	if err != nil {
+		t.Fatalf("Failed to create process classifier: %v", err)
+	}
+	if processClass == nil {
+		t.Fatal("Process classifier should not be nil")
+	}
+
+	// Test new filesystem classifier
+	filesystemClass, err := blocklists.FileClassifier()
+	if err != nil {
+		t.Fatalf("Failed to create filesystem classifier: %v", err)
+	}
+	if filesystemClass == nil {
+		t.Fatal("Filesystem classifier should not be nil")
+	}
+
+	// Verify filesystem classifier has the right signatures
+	fsSignatures := filesystemClass.GetFileSignatures()
+	if len(fsSignatures) != 2 {
+		t.Errorf("Expected 2 filesystem signatures, got %d", len(fsSignatures))
+	}
+
+	// Verify signatures are filesystem domain only
+	for _, sig := range fsSignatures {
+		if sig.Domain != classifier.DomainFileSystem {
+			t.Errorf("Expected filesystem domain signature, got %s", sig.Domain)
+		}
+	}
+
+	// Verify they are completely independent objects (can't directly compare different interface types)
+	// Instead, verify they have different behaviors
+	processSignatures := 0
+	if pc, ok := processClass.(*classifier.CountingMetricsClassifier); ok {
+		// Process classifier is wrapped in CountingMetricsClassifier
+		_ = pc                // Just verify the type cast works
+		processSignatures = 1 // We know it exists because we created it
+	}
+
+	filesystemSignatures := len(filesystemClass.GetFileSignatures())
+	if filesystemSignatures == 0 {
+		t.Error("Filesystem classifier should have signatures")
+	}
+
+	// They should serve different purposes
+	if processSignatures == 0 && filesystemSignatures == 0 {
+		t.Error("At least one classifier should have content")
+	}
+
+	// Test filesystem classifier functionality
+	result, err := filesystemClass.MatchesFile("/nonexistent/virus.exe")
+	if err != nil {
+		t.Fatalf("Filesystem classification failed: %v", err)
+	}
+	if result == nil {
+		t.Error("Expected non-nil classification result")
+	}
+}
+
+func TestFileClassifierEmptyConfig(t *testing.T) {
+	// Test with nil blocklists
+	var blocklists *Blocklists
+	filesystemClass, err := blocklists.FileClassifier()
+	if err != nil {
+		t.Fatalf("Failed to create filesystem classifier from nil config: %v", err)
+	}
+	if filesystemClass == nil {
+		t.Fatal("Filesystem classifier should not be nil even with empty config")
+	}
+
+	// Should have no signatures
+	signatures := filesystemClass.GetFileSignatures()
+	if len(signatures) != 0 {
+		t.Errorf("Expected 0 signatures from empty config, got %d", len(signatures))
+	}
+}
+
+func TestFileClassifierNoFilesystemSignatures(t *testing.T) {
+	// Test with blocklists that have no filesystem signatures
+	blocklists := &Blocklists{
+		Audit: &PerLevelBlocklist{
+			Binaries: []string{"malware"},
+			Signatures: []*classifier.Signature{
+				{
+					Name:     "process-only",
+					Domain:   classifier.DomainProcess,
+					Pattern:  []byte("process-pattern"),
+					Filename: []string{"malware.exe"},
+				},
+			},
+		},
+	}
+
+	filesystemClass, err := blocklists.FileClassifier()
+	if err != nil {
+		t.Fatalf("Failed to create filesystem classifier: %v", err)
+	}
+
+	// Should have no filesystem signatures
+	signatures := filesystemClass.GetFileSignatures()
+	if len(signatures) != 0 {
+		t.Errorf("Expected 0 filesystem signatures, got %d", len(signatures))
+	}
+}