step-security
diff --git a/‎.github/dependabot.yml‎
Lines changed: 16 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/int.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/int.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/scorecard-analysis.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard-analysis.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎agent.go‎
Lines changed: 72 additions & 9 deletions b/‎agent.go‎
Lines changed: 72 additions & 9 deletions
diff --git a/‎agent_test.go‎
Lines changed: 36 additions & 26 deletions b/‎agent_test.go‎
Lines changed: 36 additions & 26 deletions
@@ -0,0 +1,16 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+  
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
@@ -45,7 +45,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@e095058bfa09de8070f94e98f5dc059531bc6235
+      uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@e095058bfa09de8070f94e98f5dc059531bc6235
+      uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@e095058bfa09de8070f94e98f5dc059531bc6235
+      uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
@@ -27,7 +27,7 @@ jobs:
     - name: Checkout
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
     - name: Set up Go 
-      uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
+      uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
       with:
         go-version: 1.17
     - run: sudo go test -v
 
@@ -26,7 +26,7 @@ jobs:
     - name: Checkout
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
     - name: Set up Go 
-      uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
+      uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
       with:
         go-version: 1.17    
     - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2
 
@@ -47,6 +47,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload SARIF results"
-        uses: github/codeql-action/upload-sarif@e095058bfa09de8070f94e98f5dc059531bc6235
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5
         with:
           sarif_file: results.sarif
@@ -13,7 +13,7 @@ jobs:
     - name: Checkout
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
     - name: Set up Go 
-      uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
+      uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
       with:
         go-version: 1.17
     - name: Run coverage
 
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"time"
 
 	"github.com/florianl/go-nflog/v2"
 )
@@ -42,6 +43,8 @@ type Firewall struct {
 
 type IPTables interface {
 	Append(table, chain string, rulespec ...string) error
+	Insert(table, chain string, pos int, rulespec ...string) error
+	Exists(table, chain string, rulespec ...string) (bool, error)
 	ClearChain(table, chain string) error
 }
 
@@ -67,8 +70,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 	WriteLog(fmt.Sprintf("%s %s", StepSecurityLogCorrelationPrefix, config.CorrelationId))
 
-	// TODO: fix the cache and time
-	Cache := InitCache(10 * 60 * 1000000000) // 10 * 60 seconds
+	Cache := InitCache(config.EgressPolicy)
 
 	allowedEndpoints := addImplicitEndpoints(config.Endpoints)
 
@@ -98,17 +100,19 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 	// hydrate dns cache
 	if config.EgressPolicy == EgressPolicyBlock {
-		for _, endpoint := range allowedEndpoints {
+		for domainName, endpoints := range allowedEndpoints {
 			// this will cause domain, IP mapping to be cached
-			ipAddress, err := dnsProxy.getIPByDomain(endpoint.domainName)
+			ipAddress, err := dnsProxy.getIPByDomain(domainName)
 			if err != nil {
 				WriteLog(fmt.Sprintf("Error resolving allowed domain %v", err))
 				RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 				return err
 			}
+			for _, endpoint := range endpoints {
+				// create list of ip address to be added to firewall
+				ipAddressEndpoints = append(ipAddressEndpoints, ipAddressEndpoint{ipAddress: ipAddress, port: fmt.Sprintf("%d", endpoint.port)})
+			}
 
-			// create list of ip address to be added to firewall
-			ipAddressEndpoints = append(ipAddressEndpoints, ipAddressEndpoint{ipAddress: ipAddress, port: fmt.Sprintf("%d", endpoint.port)})
 		}
 	}
 
@@ -165,11 +169,13 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		// Start network monitor
 		go netMonitor.MonitorNetwork(nflog, errc) // listens for NFLOG messages
 
-		if err := addBlockRulesForGitHubHostedRunner(ipAddressEndpoints); err != nil {
+		if err := addBlockRulesForGitHubHostedRunner(iptables, ipAddressEndpoints); err != nil {
 			WriteLog(fmt.Sprintf("Error setting firewall for allowed domains %v", err))
 			RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 			return err
 		}
+
+		go refreshDNSEntries(ctx, iptables, allowedEndpoints, &dnsProxy)
 	}
 
 	WriteLog("done")
@@ -190,7 +196,60 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 	}
 }
 
-func addImplicitEndpoints(endpoints []Endpoint) []Endpoint {
+func refreshDNSEntries(ctx context.Context, iptables *Firewall, allowedEndpoints map[string][]Endpoint, dnsProxy *DNSProxy) {
+	ticker := time.NewTicker(30 * time.Second)
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				WriteLog("Refreshing DNS entries")
+				for domainName, endpoints := range allowedEndpoints {
+					element, found := dnsProxy.Cache.Get(domainName)
+					if found {
+						var err error
+						var answer *Answer
+						// check if DNS TTL is close to expiry
+						if time.Now().Unix()+10-element.TimeAdded > int64(element.Value.TTL) {
+							// resolve domain name
+							answer, err = dnsProxy.ResolveDomain(domainName)
+							if err != nil {
+								// log and continue
+								WriteLog(fmt.Sprintf("domain could not be resolved: %s, %v", domainName, err))
+								continue
+							}
+
+							for _, endpoint := range endpoints {
+								// add endpoint to firewall
+								err = InsertAllowRule(iptables, answer.Data, fmt.Sprintf("%d", endpoint.port))
+								if err != nil {
+									break
+								}
+							}
+
+							if err != nil {
+								// log and continue
+								WriteLog(fmt.Sprintf("failed to insert new ipaddress in firewall: %s, %v", domainName, err))
+								continue
+							}
+
+							// add to cache with new TTL
+							dnsProxy.Cache.Set(domainName, answer)
+
+							go dnsProxy.ApiClient.sendDNSRecord(dnsProxy.CorrelationId, dnsProxy.Repo, domainName, answer.Data)
+
+							WriteLog(fmt.Sprintf("domain resolved: %s, ip address: %s, TTL: %d", domainName, answer.Data, answer.TTL))
+						}
+					}
+				}
+			}
+		}
+	}()
+
+}
+
+func addImplicitEndpoints(endpoints map[string][]Endpoint) map[string][]Endpoint {
 	implicitEndpoints := []Endpoint{
 		{domainName: "agent.api.stepsecurity.io", port: 443},               // Should be implicit based on user feedback
 		{domainName: "pipelines.actions.githubusercontent.com", port: 443}, // GitHub
@@ -200,7 +259,11 @@ func addImplicitEndpoints(endpoints []Endpoint) []Endpoint {
 		{domainName: "vstsmms.actions.githubusercontent.com", port: 443},   // GitHub
 	}
 
-	return append(endpoints, implicitEndpoints...)
+	for _, endpoint := range implicitEndpoints {
+		endpoints[endpoint.domainName] = append(endpoints[endpoint.domainName], endpoint)
+	}
+
+	return endpoints
 }
 
 func RevertChanges(iptables *Firewall, nflog AgentNflogger,
 
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/florianl/go-nflog/v2"
+	"github.com/jarcoal/httpmock"
 )
 
 type mockDNSServer struct {
@@ -36,6 +37,14 @@ func (m *MockIPTables) Append(table, chain string, rulespec ...string) error {
 	return nil
 }
 
+func (m *MockIPTables) Exists(table, chain string, rulespec ...string) (bool, error) {
+	return false, nil
+}
+
+func (m *MockIPTables) Insert(table, chain string, post int, rulespec ...string) error {
+	return nil
+}
+
 func (m *MockIPTables) ClearChain(table, chain string) error {
 	return nil
 }
@@ -83,39 +92,14 @@ func (m *MockCommandWithError) Run() error {
 	return fmt.Errorf("failed to run command")
 }
 
-/*
-func TestRunWithNflogError(t *testing.T) {
-
-	ctx := context.Background()
-	ctx, cancel := context.WithCancel(ctx)
-	time.AfterFunc(5*time.Second, cancel) // this should not be used, it should error out earlier
-
-	httpmock.Activate()
-	defer httpmock.DeactivateAndReset()
-
-	httpmock.RegisterResponder("POST", fmt.Sprintf("%s/owner/repo/actions/runs/1287185438/monitor", agentApiBaseUrl),
-		httpmock.NewStringResponder(200, ""))
-
-	err := Run(ctx, "./testfiles/agent.json",
-		&mockDNSServer{}, &mockDNSServer{}, &Firewall{&MockIPTables{}},
-		&MockAgentNfloggerWithErr{}, &MockCommand{}, createTempFileWithContents(""), createTempFileWithContents("{}"), nil)
-
-	// if 2 seconds pass
-	if err == nil {
-		t.Fail()
-	}
-
-}
-*/
-
 func deleteTempFile(path string) {
 	os.Remove(path)
 }
 
 func getContext(seconds int) context.Context {
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
-	time.AfterFunc(2*time.Second, cancel)
+	time.AfterFunc(time.Duration(seconds)*time.Second, cancel)
 
 	return ctx
 }
@@ -134,6 +118,17 @@ func TestRun(t *testing.T) {
 		ciTestOnly             bool
 	}
 
+	httpmock.Activate()
+
+	httpmock.RegisterResponder("GET", "https://dns.google/resolve?name=domain1.com.&type=a",
+		httpmock.NewStringResponder(200, `{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"domain1.com.","type":1}],"Answer":[{"name":"domain1.com.","type":1,"TTL":30,"data":"67.67.67.67"}]}`))
+
+	httpmock.RegisterResponder("GET", "https://dns.google/resolve?name=domain2.com.&type=a",
+		httpmock.NewStringResponder(200, `{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"domain2.com.","type":1}],"Answer":[{"name":"domain2.com.","type":1,"TTL":30,"data":"68.68.68.68"}]}`))
+
+	httpmock.RegisterResponder("GET", "https://dns.google/resolve", // no query params to match all other requests
+		httpmock.NewStringResponder(200, `{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"requesteddomain.com.","type":1}],"Answer":[{"name":"requesteddomain.com.","type":1,"TTL":300,"data":"69.69.69.69"}]}`))
+
 	tests := []struct {
 		name    string
 		args    args
@@ -142,19 +137,34 @@ func TestRun(t *testing.T) {
 		{name: "success", args: args{ctxCancelDuration: 2, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
 			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
 			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: false},
+
 		{name: "success monitor process", args: args{ctxCancelDuration: 2, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
 			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: nil, resolvdConfigPath: createTempFileWithContents(""),
 			dockerDaemonConfigPath: createTempFileWithContents("{}"), ciTestOnly: true}, wantErr: false},
+
 		{name: "success allowed endpoints", args: args{ctxCancelDuration: 2, configFilePath: "./testfiles/agent-allowed-endpoints.json",
+			hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
+			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
+			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: false},
+
+		{name: "success allowed endpoints CI Test", args: args{ctxCancelDuration: 2, configFilePath: "./testfiles/agent-allowed-endpoints.json",
+			hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
+			iptables: nil, nflog: &MockAgentNflogger{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
+			dockerDaemonConfigPath: createTempFileWithContents("{}"), ciTestOnly: true}, wantErr: false},
+
+		{name: "success allowed endpoints DNS refresh CI Test", args: args{ctxCancelDuration: 60, configFilePath: "./testfiles/agent-allowed-endpoints.json",
 			hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
 			iptables: nil, nflog: &MockAgentNflogger{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
 			dockerDaemonConfigPath: createTempFileWithContents("{}"), ciTestOnly: true}, wantErr: false},
+
 		{name: "dns failure", args: args{ctxCancelDuration: 5, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServerWithError{},
 			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
 			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: true},
+
 		{name: "cmd failure", args: args{ctxCancelDuration: 5, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
 			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: &MockCommandWithError{}, resolvdConfigPath: createTempFileWithContents(""),
 			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: true},
+
 		{name: "nflog failure", args: args{ctxCancelDuration: 5, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
 			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNfloggerWithErr{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
 			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: true},