Merge pull request #68 from step-security/int

Revert changes on failure

Author: varunsh-coder

.github/workflows/test.yml

@@ -10,20 +10,12 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: step-security/harden-runner@917f7d59f22e82a5ddcaef409923426fd7aa6327
-      with:
-        allowed-endpoints: 
-          beta.api.stepsecurity.io:443
-          codecov.io:443
-          github.com:443
-          proxy.golang.org:443
-          storage.googleapis.com:443
     - name: Checkout
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
     - name: Set up Go 
       uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
       with:
         go-version: 1.17
     - name: Run coverage
-      run: sudo go test -coverprofile=coverage.txt -covermode=atomic
+      run: sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic      
     - uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b

agent.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"io"
 	"net/http"
 	"os"
 	"time"
@@ -47,7 +46,7 @@ type IPTables interface {
 // TODO: move all inputs into a struct
 func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 	dockerDNSServer DNSServer, iptables *Firewall, nflog AgentNflogger,
-	cmd Command, resolvdConfigPath, dockerDaemonConfigPath string, stdout io.Writer) error {
+	cmd Command, resolvdConfigPath, dockerDaemonConfigPath, tempDir string) error {
 
 	// Passed to each go routine, if anyone fails, the program fails
 	errc := make(chan error)
@@ -79,6 +78,32 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 	go startDNSServer(dnsProxy, hostDNSServer, errc)
 	go startDNSServer(dnsProxy, dockerDNSServer, errc) // this is for the docker bridge
 
+	if cmd == nil {
+		procMon := &ProcessMonitor{CorrelationId: config.CorrelationId, Repo: config.Repo, ApiClient: apiclient, WorkingDirectory: config.WorkingDirectory}
+		go procMon.MonitorProcesses(errc)
+		writeLog("started p monitor")
+	}
+
+	dnsConfig := DnsConfig{}
+
+	// Change DNS config on host, causes processes to use agent's DNS proxy
+	if err := dnsConfig.SetDNSServer(cmd, resolvdConfigPath, tempDir); err != nil {
+		writeLog(fmt.Sprintf("Error setting DNS server %v", err))
+		RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
+		return err
+	}
+
+	writeLog("updated resolved")
+
+	// Change DNS for docker, causes process in containers to use agent's DNS proxy
+	if err := dnsConfig.SetDockerDNSServer(cmd, dockerDaemonConfigPath, tempDir); err != nil {
+		writeLog(fmt.Sprintf("Error setting DNS server for docker %v", err))
+		RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
+		return err
+	}
+
+	writeLog("set docker config")
+
 	if len(config.Endpoints) == 0 {
 		netMonitor := NetworkMonitor{
 			CorrelationId: config.CorrelationId,
@@ -93,37 +118,15 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		writeLog("before audit rules")
 
 		// Add logging to firewall, including NFLOG rules
-		if err := addAuditRules(iptables); err != nil {
+		if err := AddAuditRules(iptables); err != nil {
 			writeLog(fmt.Sprintf("Error adding firewall rules %v", err))
+			RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 			return err
 		}
 
 		writeLog("added audit rules")
 	}
 
-	// TODO: If something did not work, revert settings
-	if cmd == nil {
-		procMon := &ProcessMonitor{CorrelationId: config.CorrelationId, Repo: config.Repo, ApiClient: apiclient, WorkingDirectory: config.WorkingDirectory}
-		go procMon.MonitorProcesses(errc)
-		writeLog("started p monitor")
-	}
-
-	// Change DNS config on host, causes processes to use agent's DNS proxy
-	if err := setDNSServer(cmd, resolvdConfigPath); err != nil {
-		writeLog(fmt.Sprintf("Error setting DNS server %v", err))
-		return err
-	}
-
-	writeLog("updated resolved")
-
-	// Change DNS for docker, causes process in containers to use agent's DNS proxy
-	if err := setDockerDNSServer(cmd, dockerDaemonConfigPath); err != nil {
-		writeLog(fmt.Sprintf("Error setting DNS server for docker %v", err))
-		return err
-	}
-
-	writeLog("set docker config")
-
 	// If allowed endpoints set, resolve them, and add to firewall
 	if len(config.Endpoints) > 0 {
 		var ipAddressEndpoints []ipAddressEndpoint
@@ -145,6 +148,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 			ipAddress, err := dnsProxy.getIPByDomain(endpoint.domainName)
 			if err != nil {
 				writeLog(fmt.Sprintf("Error resolving allowed domain %v", err))
+				RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 				return err
 			}
 
@@ -154,15 +158,11 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 		if err := addBlockRulesForGitHubHostedRunner(ipAddressEndpoints); err != nil {
 			writeLog(fmt.Sprintf("Error setting firewall for allowed domains %v", err))
+			RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 			return err
 		}
 	}
 
-	// Ask API to monitor the run
-	go apiclient.monitorRun(config.Repo, config.RunId)
-
-	writeLog("called monitor run")
-
 	writeLog("done")
 
 	// Write the status file
@@ -173,13 +173,31 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		case <-ctx.Done():
 			return nil
 		case e := <-errc:
-			writeLog(e.Error())
+			writeLog(fmt.Sprintf("Error in Initialization %v", e))
+			RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 			return e
 
 		}
 	}
 }
 
+func RevertChanges(iptables *Firewall, nflog AgentNflogger,
+	cmd Command, resolvdConfigPath, dockerDaemonConfigPath string, dnsConfig DnsConfig) {
+	err := RevertFirewallChanges(iptables)
+	if err != nil {
+		writeLog(fmt.Sprintf("Error in RevertChanges %v", err))
+	}
+	err = dnsConfig.RevertDNSServer(cmd, resolvdConfigPath)
+	if err != nil {
+		writeLog(fmt.Sprintf("Error in reverting DNS server changes %v", err))
+	}
+	err = dnsConfig.RevertDockerDNSServer(cmd, dockerDaemonConfigPath)
+	if err != nil {
+		writeLog(fmt.Sprintf("Error in reverting docker DNS server changes %v", err))
+	}
+	writeLog("Reverted changes")
+}
+
 func writeLog(message string) {
 	f, _ := os.OpenFile("/home/agent/agent.log",
 		os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)

agent_test.go

@@ -3,11 +3,12 @@ package main
 import (
 	"context"
 	"fmt"
+	"os"
+	"path"
 	"testing"
 	"time"
 
 	"github.com/florianl/go-nflog/v2"
-	"github.com/jarcoal/httpmock"
 )
 
 type mockDNSServer struct {
@@ -82,52 +83,8 @@ func (m *MockCommandWithError) Run() error {
 	return fmt.Errorf("failed to run command")
 }
 
-func TestRun(t *testing.T) {
-
-	ctx := context.Background()
-	ctx, cancel := context.WithCancel(ctx)
-	time.AfterFunc(2*time.Second, cancel)
-
-	httpmock.Activate()
-	defer httpmock.DeactivateAndReset()
-
-	httpmock.RegisterResponder("POST", fmt.Sprintf("%s/owner/repo/actions/runs/1287185438/monitor", agentApiBaseUrl),
-		httpmock.NewStringResponder(200, ""))
-
-	err := Run(ctx, "./testfiles/agent.json",
-		&mockDNSServer{}, &mockDNSServer{}, &Firewall{&MockIPTables{}},
-		&MockAgentNflogger{}, &MockCommand{}, createTempFileWithContents(""), createTempFileWithContents("{}"), nil)
-
-	if err != nil {
-		fmt.Printf("err: %v\n", err)
-		t.Fail()
-	}
-}
-
-func TestRunWithDNSFailure(t *testing.T) {
-
-	ctx := context.Background()
-	ctx, cancel := context.WithCancel(ctx)
-	time.AfterFunc(5*time.Second, cancel) // this should not be used, it should error out earlier
-
-	httpmock.Activate()
-	defer httpmock.DeactivateAndReset()
-
-	httpmock.RegisterResponder("POST", fmt.Sprintf("%s/owner/repo/actions/runs/1287185438/monitor", agentApiBaseUrl),
-		httpmock.NewStringResponder(200, ""))
-
-	err := Run(ctx, "./testfiles/agent.json",
-		&mockDNSServer{}, &mockDNSServerWithError{}, &Firewall{&MockIPTables{}},
-		&MockAgentNflogger{}, &MockCommand{}, createTempFileWithContents(""), createTempFileWithContents("{}"), nil)
-
-	// if 2 seconds pass
-	if err == nil {
-		t.Fail()
-	}
-
-}
-
-func TestRunWithCMDFailure(t *testing.T) {
+/*
+func TestRunWithNflogError(t *testing.T) {
 
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
@@ -141,36 +98,86 @@ func TestRunWithCMDFailure(t *testing.T) {
 
 	err := Run(ctx, "./testfiles/agent.json",
 		&mockDNSServer{}, &mockDNSServer{}, &Firewall{&MockIPTables{}},
-		&MockAgentNflogger{}, &MockCommandWithError{}, createTempFileWithContents(""), createTempFileWithContents("{}"), nil)
+		&MockAgentNfloggerWithErr{}, &MockCommand{}, createTempFileWithContents(""), createTempFileWithContents("{}"), nil)
 
 	// if 2 seconds pass
 	if err == nil {
 		t.Fail()
 	}
 
 }
+*/
 
-/*
-func TestRunWithNflogError(t *testing.T) {
+func deleteTempFile(path string) {
+	os.Remove(path)
+}
 
+func getContext(seconds int) context.Context {
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
-	time.AfterFunc(5*time.Second, cancel) // this should not be used, it should error out earlier
-
-	httpmock.Activate()
-	defer httpmock.DeactivateAndReset()
-
-	httpmock.RegisterResponder("POST", fmt.Sprintf("%s/owner/repo/actions/runs/1287185438/monitor", agentApiBaseUrl),
-		httpmock.NewStringResponder(200, ""))
+	time.AfterFunc(2*time.Second, cancel)
 
-	err := Run(ctx, "./testfiles/agent.json",
-		&mockDNSServer{}, &mockDNSServer{}, &Firewall{&MockIPTables{}},
-		&MockAgentNfloggerWithErr{}, &MockCommand{}, createTempFileWithContents(""), createTempFileWithContents("{}"), nil)
+	return ctx
+}
 
-	// if 2 seconds pass
-	if err == nil {
-		t.Fail()
+func TestRun(t *testing.T) {
+	type args struct {
+		ctxCancelDuration      int
+		configFilePath         string
+		hostDNSServer          DNSServer
+		dockerDNSServer        DNSServer
+		iptables               *Firewall
+		nflog                  AgentNflogger
+		cmd                    Command
+		resolvdConfigPath      string
+		dockerDaemonConfigPath string
+		ciTestOnly             bool
 	}
 
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{name: "success", args: args{ctxCancelDuration: 2, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
+			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
+			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: false},
+		{name: "success monitor process", args: args{ctxCancelDuration: 2, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
+			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: nil, resolvdConfigPath: createTempFileWithContents(""),
+			dockerDaemonConfigPath: createTempFileWithContents("{}"), ciTestOnly: true}, wantErr: false},
+		{name: "success allowed endpoints", args: args{ctxCancelDuration: 2, configFilePath: "./testfiles/agent-allowed-endpoints.json",
+			hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
+			iptables: nil, nflog: &MockAgentNflogger{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
+			dockerDaemonConfigPath: createTempFileWithContents("{}"), ciTestOnly: true}, wantErr: false},
+		{name: "dns failure", args: args{ctxCancelDuration: 5, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServerWithError{},
+			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
+			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: true},
+		{name: "cmd failure", args: args{ctxCancelDuration: 5, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
+			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNflogger{}, cmd: &MockCommandWithError{}, resolvdConfigPath: createTempFileWithContents(""),
+			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: true},
+		{name: "nflog failure", args: args{ctxCancelDuration: 5, configFilePath: "./testfiles/agent.json", hostDNSServer: &mockDNSServer{}, dockerDNSServer: &mockDNSServer{},
+			iptables: &Firewall{&MockIPTables{}}, nflog: &MockAgentNfloggerWithErr{}, cmd: &MockCommand{}, resolvdConfigPath: createTempFileWithContents(""),
+			dockerDaemonConfigPath: createTempFileWithContents("{}")}, wantErr: true},
+	}
+	_, ciTest := os.LookupEnv("CI")
+	fmt.Printf("ci-test: %t\n", ciTest)
+	for _, tt := range tests {
+		if !tt.args.ciTestOnly || ciTest {
+			t.Run(tt.name, func(t *testing.T) {
+				tempDir := os.TempDir()
+				if err := Run(getContext(tt.args.ctxCancelDuration), tt.args.configFilePath, tt.args.hostDNSServer, tt.args.dockerDNSServer,
+					tt.args.iptables, tt.args.nflog, tt.args.cmd, tt.args.resolvdConfigPath, tt.args.dockerDaemonConfigPath, tempDir); (err != nil) != tt.wantErr {
+					t.Errorf("Run() error = %v, wantErr %v", err, tt.wantErr)
+				}
+
+				deleteTempFile(path.Join(tempDir, "resolved.conf"))
+				deleteTempFile(path.Join(tempDir, "daemon.json"))
+
+				if tt.args.ciTestOnly {
+					fmt.Printf("Reverting firewall changes\n")
+					RevertFirewallChanges(nil)
+				}
+			})
+		}
+	}
 }
-*/

apiclient.go

@@ -41,12 +41,6 @@ type ApiClient struct {
 
 const agentApiBaseUrl = "https://apiurl/v1"
 
-func (apiclient *ApiClient) monitorRun(repo, runid string) error {
-	url := fmt.Sprintf("%s/github/%s/actions/runs/%s/monitor", apiclient.APIURL, repo, runid)
-
-	return apiclient.sendApiRequest("POST", url, nil)
-}
-
 func (apiclient *ApiClient) sendDNSRecord(correlationId, repo, domainName, ipAddress string) error {
 
 	dnsRecord := &DNSRecord{}