Merge pull request #75 from step-security/feature-74

varunsh-coder · web-flow · commit 516e29df0856 · 2021-12-06T12:11:54.000-08:00
Add egress policy input
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -11,12 +11,16 @@ permissions: read-all
 
 jobs:
   analysis:
+    permissions:
+      actions: read # for ossf/scorecard-actions/analyze to check for publishing workflows
+      checks: read # for ossf/scorecard-actions/analyze to check for SAST tool in check runs
+      contents: read # for ossf/scorecard-actions/analyze to list releases
+      issues: read # for ossf/scorecard-actions/analyze to check if repo is maintained
+      pull-requests: read # for ossf/scorecard-actions/analyze to check if PRs are reviewed
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      statuses: read # for ossf/scorecard-actions/analyze to check for CI tests in PRs
     name: Scorecard analysis
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
-
     steps:
       - uses: step-security/harden-runner@917f7d59f22e82a5ddcaef409923426fd7aa6327
       - name: "Checkout code"
@@ -42,4 +46,4 @@ jobs:
       - name: "Upload SARIF results"
         uses: github/codeql-action/upload-sarif@e095058bfa09de8070f94e98f5dc059531bc6235
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif
diff --git a/agent.go b/agent.go
@@ -10,7 +10,11 @@ import (
 	"github.com/florianl/go-nflog/v2"
 )
 
-const StepSecurityLogCorrelationPrefix = "Step Security Job Correlation ID:"
+const (
+	StepSecurityLogCorrelationPrefix = "Step Security Job Correlation ID:"
+	EgressPolicyAudit                = "audit"
+	EgressPolicyBlock                = "block"
+)
 
 type DNSServer interface {
 	ListenAndServe() error
@@ -104,7 +108,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 	writeLog("set docker config")
 
-	if len(config.Endpoints) == 0 {
+	if config.EgressPolicy == EgressPolicyAudit {
 		netMonitor := NetworkMonitor{
 			CorrelationId: config.CorrelationId,
 			Repo:          config.Repo,
@@ -125,10 +129,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		}
 
 		writeLog("added audit rules")
-	}
-
-	// If allowed endpoints set, resolve them, and add to firewall
-	if len(config.Endpoints) > 0 {
+	} else if config.EgressPolicy == EgressPolicyBlock {
 		var ipAddressEndpoints []ipAddressEndpoint
 
 		writeLog(fmt.Sprintf("Allowed domains:%v", config.Endpoints))
diff --git a/config.go b/config.go
@@ -16,6 +16,7 @@ type config struct {
 	WorkingDirectory string
 	APIURL           string
 	Endpoints        []Endpoint
+	EgressPolicy     string
 }
 
 type Endpoint struct {
@@ -30,6 +31,7 @@ type configFile struct {
 	WorkingDirectory string `json:"working_directory"`
 	APIURL           string `json:"api_url"`
 	AllowedEndpoints string `json:"allowed_endpoints"`
+	EgressPolicy     string `json:"egress_policy"`
 }
 
 // init reads the config file for the agent and initializes config settings
@@ -51,6 +53,7 @@ func (c *config) init(configFilePath string) error {
 	c.WorkingDirectory = configFile.WorkingDirectory
 	c.APIURL = configFile.APIURL
 	c.Endpoints = parseEndpoints(configFile.AllowedEndpoints)
+	c.EgressPolicy = configFile.EgressPolicy
 	return nil
 }
 
diff --git a/testfiles/agent-allowed-endpoints.json b/testfiles/agent-allowed-endpoints.json
@@ -1,3 +1,8 @@
 {
-    "repo":"owner/repo","run_id":"1287185438","correlation_id":"d942cc6c-d349-49da-ad54-a1bf92538567", "api_url":"https://apiurl/v1", "allowed_endpoints":"github.com:443 www.google.com:443"
-}
+  "repo": "owner/repo",
+  "run_id": "1287185438",
+  "correlation_id": "d942cc6c-d349-49da-ad54-a1bf92538567",
+  "api_url": "https://apiurl/v1",
+  "allowed_endpoints": "github.com:443 www.google.com:443",
+  "egress_policy": "block"
+}
diff --git a/testfiles/agent.json b/testfiles/agent.json
@@ -1,3 +1,8 @@
 {
-    "repo":"owner/repo","run_id":"1287185438","correlation_id":"d942cc6c-d349-49da-ad54-a1bf92538567", "api_url":"https://apiurl/v1", "allowed_endpoints":""
-}
+  "repo": "owner/repo",
+  "run_id": "1287185438",
+  "correlation_id": "d942cc6c-d349-49da-ad54-a1bf92538567",
+  "api_url": "https://apiurl/v1",
+  "allowed_endpoints": "",
+  "egress_policy": "audit"
+}

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ type config struct {`
`16`	`16`	`WorkingDirectory string`
`17`	`17`	`APIURL string`
`18`	`18`	`Endpoints []Endpoint`
	`19`	`+ EgressPolicy string`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`type Endpoint struct {`
`@@ -30,6 +31,7 @@ type configFile struct {`
`30`	`31`	WorkingDirectory string `json:"working_directory"`
`31`	`32`	APIURL string `json:"api_url"`
`32`	`33`	AllowedEndpoints string `json:"allowed_endpoints"`
	`34`	+ EgressPolicy string `json:"egress_policy"`
`33`	`35`	`}`
`34`	`36`
`35`	`37`	`// init reads the config file for the agent and initializes config settings`
`@@ -51,6 +53,7 @@ func (c *config) init(configFilePath string) error {`
`51`	`53`	`c.WorkingDirectory = configFile.WorkingDirectory`
`52`	`54`	`c.APIURL = configFile.APIURL`
`53`	`55`	`c.Endpoints = parseEndpoints(configFile.AllowedEndpoints)`
	`56`	`+ c.EgressPolicy = configFile.EgressPolicy`
`54`	`57`	`return nil`
`55`	`58`	`}`
`56`	`59`