Merge pull request #669 from snyk/feat/load-rego-policy

ivanstanev · web-flow · commit f97dcb7feead · 2021-02-24T11:44:25.000+02:00
feat: load user-defined Rego rules for workload auto-import
diff --git a/package.json b/package.json
@@ -20,7 +20,7 @@
     "prepare": "npm run build",
     "build": "tsc",
     "dev": "tsc-watch --project tsconfig.json --onSuccess 'node --inspect .'",
-    "debug": "tsc-watch --project tsconfig.json --onSuccess 'node --inspect --debug-brk .'",
+    "debug": "tsc-watch --project tsconfig.json --onSuccess 'node --inspect-brk .'",
     "lint": "eslint \"src/**/*.ts\" && (cd test && eslint \"**/*.ts\")"
   },
   "author": "snyk.io",
diff --git a/snyk-monitor-deployment.yaml b/snyk-monitor-deployment.yaml
@@ -34,6 +34,8 @@ spec:
           mountPath: "/srv/app/certs"
         - name: registries-conf
           mountPath: "/srv/app/.config/containers"
+        - name: workload-policies
+          mountPath: "/var/tmp/policies"
         env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -115,4 +117,8 @@ spec:
         configMap:
           name: snyk-monitor-registries-conf
           optional: true
+      - name: workload-policies
+        configMap:
+          name: snyk-monitor-workload-policies
+          optional: true
       serviceAccountName: snyk-monitor
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -49,6 +49,9 @@ spec:
             mountPath: "/var/tmp"
           - name: ssl-certs
             mountPath: "/srv/app/certs"
+          - name: workload-policies
+            mountPath: "/var/tmp/policies"
+            readOnly: true
           - name: registries-conf
             mountPath: "/srv/app/.config/containers"
           env:
@@ -114,6 +117,10 @@ spec:
           configMap:
             name: {{ .Values.certsConfigMap }}
             optional: true
+        - name: workload-policies
+          configMap:
+            name: {{ .Values.workloadPoliciesMap }}
+            optional: true
         - name: registries-conf
           configMap:
             name: {{ .Values.registriesConfConfigMap }}
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
@@ -7,6 +7,7 @@
 monitorSecrets: snyk-monitor
 certsConfigMap: snyk-monitor-certs
 registriesConfConfigMap: snyk-monitor-registries-conf
+workloadPoliciesMap: snyk-monitor-workload-policies
 
 # One of: Cluster, Namespaced
 # Cluster - creates a ClusterRole and ClusterRoleBinding with the ServiceAccount
diff --git a/src/common/policy.ts b/src/common/policy.ts
@@ -0,0 +1,31 @@
+import { existsSync, readFile } from 'fs';
+import { resolve as resolvePath } from 'path';
+import { promisify } from 'util';
+
+import { logger } from './logger';
+import { constructWorkloadAutoImportPolicy } from '../transmitter/payload';
+import { sendWorkloadAutoImportPolicy } from '../transmitter';
+import { config } from './config';
+
+const readFileAsync = promisify(readFile);
+
+export async function loadAndSendWorkloadAutoImportPolicy(): Promise<void> {
+  try {
+    /** This path is set in snyk-monitor during installation/deployment and is defined in the Helm chart. */
+    const userProvidedRegoPolicyPath = resolvePath(
+      config.IMAGE_STORAGE_ROOT,
+      'policies',
+      'workload-auto-import.rego',
+    );
+    if (!existsSync(userProvidedRegoPolicyPath)) {
+      logger.info({}, 'Rego policy file does not exist, skipping loading');
+      return;
+    }
+
+    const regoPolicy = await readFileAsync(userProvidedRegoPolicyPath, 'utf8');
+    const payload = constructWorkloadAutoImportPolicy(regoPolicy);
+    await sendWorkloadAutoImportPolicy(payload);
+  } catch (err) {
+    logger.error({ err }, 'Unexpected error occurred while loading workload auto-import policy');
+  }
+}
diff --git a/src/index.ts b/src/index.ts
@@ -7,6 +7,7 @@ import { config } from './common/config';
 import { logger } from './common/logger';
 import { currentClusterName } from './supervisor/cluster';
 import { beginWatchingWorkloads } from './supervisor/watchers';
+import { loadAndSendWorkloadAutoImportPolicy } from './common/policy';
 
 process.on('uncaughtException', (err) => {
   if (state.shutdownInProgress) {
@@ -58,4 +59,9 @@ function monitor(): void {
 
 SourceMapSupport.install();
 cleanUpTempStorage();
-monitor();
+
+// Allow running in an async context
+setImmediate(async function setUpAndMonitor(): Promise<void> {
+  await loadAndSendWorkloadAutoImportPolicy();
+  monitor();
+});
diff --git a/src/transmitter/index.ts b/src/transmitter/index.ts
@@ -10,6 +10,7 @@ import {
   IRequestError,
   ScanResultsPayload,
   IDependencyGraphPayload,
+  WorkloadAutoImportPolicyPayload,
 } from './types';
 import { getProxyAgent } from './proxy';
 
@@ -69,6 +70,30 @@ export async function sendWorkloadMetadata(payload: IWorkloadMetadataPayload): P
     }
 }
 
+export async function sendWorkloadAutoImportPolicy(payload: WorkloadAutoImportPolicyPayload): Promise<void> {
+  try {
+    logger.info(
+      { userLocator: payload.userLocator, cluster: payload.cluster, agentId: payload.agentId },
+      'attempting to send workload auto-import policy',
+    );
+
+    const { response, attempt } = await retryRequest('post', `${upstreamUrl}/api/v1/policy`, payload);
+    if (!isSuccessStatusCode(response.statusCode)) {
+      throw new Error(`${response.statusCode} ${response.statusMessage}`);
+    }
+
+    logger.info(
+      { userLocator: payload.userLocator, cluster: payload.cluster, agentId: payload.agentId, attempt },
+      'workload auto-import policy sent upstream successfully',
+    );
+  } catch (error) {
+    logger.error(
+      { error, userLocator: payload.userLocator, cluster: payload.cluster, agentId: payload.agentId },
+      'could not send workload auto-import policy',
+    );
+  }
+}
+
 export async function deleteWorkload(payload: IDeleteWorkloadPayload): Promise<void> {
   try {
     const {response, attempt} = await retryRequest('delete', `${upstreamUrl}/api/v1/workload`, payload);
diff --git a/src/transmitter/payload.ts b/src/transmitter/payload.ts
@@ -12,6 +12,7 @@ import {
   IKubernetesMonitorMetadata,
   ScanResultsPayload,
   IDependencyGraphPayload,
+  WorkloadAutoImportPolicyPayload,
 } from './types';
 
 export function constructDepGraph(
@@ -125,3 +126,14 @@ export function constructDeleteWorkload(
     agentId: config.AGENT_ID,
   };
 }
+
+export function constructWorkloadAutoImportPolicy(
+  policy: string,
+): WorkloadAutoImportPolicyPayload {
+  return {
+    policy,
+    userLocator: config.INTEGRATION_ID,
+    cluster: currentClusterName,
+    agentId: config.AGENT_ID,
+  };
+}
diff --git a/src/transmitter/types.ts b/src/transmitter/types.ts
@@ -61,6 +61,13 @@ export interface IDeleteWorkloadPayload {
   agentId: string;
 }
 
+export interface WorkloadAutoImportPolicyPayload {
+  userLocator: string;
+  cluster: string;
+  agentId: string;
+  policy: string;
+}
+
 export interface IWorkload {
   type: string;
   name: string;
diff --git a/test/fixtures/workload-auto-import.rego b/test/fixtures/workload-auto-import.rego
@@ -0,0 +1,3 @@
+package snyk
+
+default workload_auto_import = false
diff --git a/test/system/kind.spec.ts b/test/system/kind.spec.ts
@@ -1,11 +1,19 @@
 import * as fsExtra from 'fs-extra';
 import * as nock from 'nock';
+import { copyFile, readFile, mkdir, exists } from 'fs';
+import { promisify } from 'util';
+import { resolve as resolvePath } from 'path';
 
 import * as kubectl from '../helpers/kubectl';
 import * as kind from '../setup/platforms/kind';
 import * as transmitterTypes from '../../src/transmitter/types';
 import { execWrapper as exec } from '../helpers/exec';
 
+const copyFileAsync = promisify(copyFile);
+const readFileAsync = promisify(readFile);
+const mkdirAsync = promisify(mkdir);
+const existsAsync = promisify(exists);
+
 /**
  * TODO graceful shutdown
  * We abruptly close the connection to the K8s API server during shutdown, which can result in exceptions.
@@ -61,10 +69,38 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
 
   // Services
   await Promise.all([
-    kubectl.applyK8sYaml('./test/fixtures/java-deployment.yaml'),
+    kubectl.applyK8sYaml(resolvePath('./test/fixtures/java-deployment.yaml')),
     kubectl.waitForDeployment('java', 'services'),
   ]);
 
+  // Create a copy of the policy file fixture in the location that snyk-monitor is expecting to load it from.
+  const regoPolicyFixturePath = resolvePath('./test/fixtures/workload-auto-import.rego');
+  const expectedPoliciesPath = resolvePath('/var/tmp/policies');
+  if (!(await existsAsync(expectedPoliciesPath))) {
+    await mkdirAsync(expectedPoliciesPath);
+  }
+  await copyFileAsync(
+    regoPolicyFixturePath,
+    resolvePath(expectedPoliciesPath, 'workload-auto-import.rego'),
+  );
+
+  const regoPolicyContents = await readFileAsync(regoPolicyFixturePath, 'utf8');
+  nock('https://kubernetes-upstream.snyk.io')
+    .post('/api/v1/policy')
+    .times(1)
+    .reply(200, (uri, requestBody: transmitterTypes.WorkloadAutoImportPolicyPayload) => {
+      try {
+        expect(requestBody).toEqual<transmitterTypes.WorkloadAutoImportPolicyPayload>({
+          agentId: expect.any(String),
+          cluster: expect.any(String),
+          userLocator: expect.any(String),
+          policy: regoPolicyContents,
+        });
+      } catch (error) {
+        jestDoneCallback(error);
+      }
+    });
+
   // Setup nocks
   nock(/https\:\/\/127\.0\.0\.1\:\d+/, { allowUnmocked: true })
     .get('/api/v1/namespaces')

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+package snyk`
	`2`	`+`
	`3`	`+default workload_auto_import = false`