Merge pull request #69 from step-security/implicit-endpoints

Implicit endpoints

Author: varunsh-coder

agent.go

@@ -142,8 +142,8 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 		// Start network monitor
 		go netMonitor.MonitorNetwork(nflog, errc) // listens for NFLOG messages
-
-		for _, endpoint := range config.Endpoints {
+		endpoints := addImplicitEndpoints(config.Endpoints)
+		for _, endpoint := range endpoints {
 			// this will cause domain, IP mapping to be cached
 			ipAddress, err := dnsProxy.getIPByDomain(endpoint.domainName)
 			if err != nil {
@@ -181,6 +181,18 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 	}
 }
 
+func addImplicitEndpoints(endpoints []Endpoint) []Endpoint {
+	implicitEndpoints := []Endpoint{
+		{domainName: "agent.api.stepsecurity.io", port: 443},               // Should be implicit based on user feedback
+		{domainName: "pipelines.actions.githubusercontent.com", port: 443}, // GitHub
+		{domainName: "codeload.github.com", port: 443},                     // GitHub
+		{domainName: "token.actions.githubusercontent.com", port: 443},     // GitHub
+		{domainName: "vstoken.actions.githubusercontent.com", port: 443},   // GitHub
+	}
+
+	return append(endpoints, implicitEndpoints...)
+}
+
 func RevertChanges(iptables *Firewall, nflog AgentNflogger,
 	cmd Command, resolvdConfigPath, dockerDaemonConfigPath string, dnsConfig DnsConfig) {
 	err := RevertFirewallChanges(iptables)

testfiles/agent-allowed-endpoints.json

@@ -1,3 +1,3 @@
 {
-    "repo":"owner/repo","run_id":"1287185438","correlation_id":"d942cc6c-d349-49da-ad54-a1bf92538567", "api_url":"https://apiurl/v1", "allowed_endpoints":"github.com:443 pipelines.actions.githubusercontent.com:443"
+    "repo":"owner/repo","run_id":"1287185438","correlation_id":"d942cc6c-d349-49da-ad54-a1bf92538567", "api_url":"https://apiurl/v1", "allowed_endpoints":"github.com:443 www.google.com:443"
 }