Merge pull request #67 from step-security/feature-56

Revert changes on failure

Author: varunsh-coder

.github/workflows/codeql-analysis.yml

@@ -37,7 +37,7 @@ jobs:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
-    - uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87
+    - uses: step-security/harden-runner@917f7d59f22e82a5ddcaef409923426fd7aa6327
     - name: Checkout repository
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
 

.github/workflows/int.yml

@@ -13,7 +13,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87
+    - uses: step-security/harden-runner@917f7d59f22e82a5ddcaef409923426fd7aa6327
       with:
        allowed-endpoints: 
         api.github.com:443

.github/workflows/release.yml

@@ -2,45 +2,38 @@ name: Release
 
 on:
   push:
-    branches:
-      - main
+    tags:
+      - '*'
 
 permissions: read-all
 
 jobs:
   release:
     permissions:
-      contents: read
+      contents: write
     runs-on: ubuntu-latest
     steps:
-    - uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87
+    - uses: step-security/harden-runner@917f7d59f22e82a5ddcaef409923426fd7aa6327
       with:
-       allowed-endpoints: 
-        api.github.com:443
-        beta.api.stepsecurity.io:443
-        github.com:443
-        int.api.stepsecurity.io:443
-        pipelines.actions.githubusercontent.com:443
-        proxy.golang.org:443
-        step-security-agent.s3.us-west-2.amazonaws.com:443
-        storage.googleapis.com:443
-        sts.us-west-2.amazonaws.com:443
+        allowed-endpoints: 
+          agent.api.stepsecurity.io:443
+          api.github.com:443
+          github.com:443
+          goreleaser.com:443
+          objects.githubusercontent.com:443
+          proxy.golang.org:443
+          storage.googleapis.com:443
+          uploads.github.com:443
     - name: Checkout
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
     - name: Set up Go 
       uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
       with:
-        go-version: 1.17
-    - run: go build -ldflags="-s -w" -o ./agent
-    - name: Configure aws credentials
-      uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e
+        go-version: 1.17    
+    - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2
       with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        aws-region: us-west-2
-    - run: aws s3 cp ./agent s3://step-security-agent/refs/heads/int/agent --acl public-read
-    - name: Integration test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+        distribution: goreleaser
+        version: latest
+        args: release --rm-dist
       env:
-        PAT: ${{ secrets.PAT }}
-    - run: aws s3 cp ./agent s3://step-security-agent/refs/heads/agent/agent --acl public-read
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecard-analysis.yml

@@ -18,7 +18,7 @@ jobs:
       security-events: write
 
     steps:
-      - uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87
+      - uses: step-security/harden-runner@917f7d59f22e82a5ddcaef409923426fd7aa6327
       - name: "Checkout code"
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 

.github/workflows/test.yml

@@ -10,20 +10,12 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87
-      with:
-        allowed-endpoints: 
-          beta.api.stepsecurity.io:443
-          codecov.io:443
-          github.com:443
-          proxy.golang.org:443
-          storage.googleapis.com:443
     - name: Checkout
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
     - name: Set up Go 
       uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
       with:
         go-version: 1.17
     - name: Run coverage
-      run: sudo go test -coverprofile=coverage.txt -covermode=atomic
+      run: sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic      
     - uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b

.goreleaser.yml

@@ -0,0 +1,21 @@
+# .goreleaser.yml
+builds:
+  # You can have multiple builds defined as a yaml list
+  -
+    # GOOS list to build for.
+    # For more info refer to: https://golang.org/doc/install/source#environment
+    # Defaults are darwin and linux.
+    goos:
+      - linux
+
+    # GOARCH to build for.
+    # For more info refer to: https://golang.org/doc/install/source#environment
+    # Defaults are 386, amd64 and arm64.
+    goarch:
+      - amd64
+
+    # Optionally override the matrix generation and specify only the final list of targets.
+    # Format is `{goos}_{goarch}` with optionally a suffix with `_{goarm}` or `_{gomips}`.
+    # This overrides `goos`, `goarch`, `goarm`, `gomips` and `ignores`.
+    targets:
+      - linux_amd64

agent.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"io"
 	"net/http"
 	"os"
 	"time"
@@ -47,7 +46,7 @@ type IPTables interface {
 // TODO: move all inputs into a struct
 func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 	dockerDNSServer DNSServer, iptables *Firewall, nflog AgentNflogger,
-	cmd Command, resolvdConfigPath, dockerDaemonConfigPath string, stdout io.Writer) error {
+	cmd Command, resolvdConfigPath, dockerDaemonConfigPath, tempDir string) error {
 
 	// Passed to each go routine, if anyone fails, the program fails
 	errc := make(chan error)
@@ -79,6 +78,32 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 	go startDNSServer(dnsProxy, hostDNSServer, errc)
 	go startDNSServer(dnsProxy, dockerDNSServer, errc) // this is for the docker bridge
 
+	if cmd == nil {
+		procMon := &ProcessMonitor{CorrelationId: config.CorrelationId, Repo: config.Repo, ApiClient: apiclient, WorkingDirectory: config.WorkingDirectory}
+		go procMon.MonitorProcesses(errc)
+		writeLog("started p monitor")
+	}
+
+	dnsConfig := DnsConfig{}
+
+	// Change DNS config on host, causes processes to use agent's DNS proxy
+	if err := dnsConfig.SetDNSServer(cmd, resolvdConfigPath, tempDir); err != nil {
+		writeLog(fmt.Sprintf("Error setting DNS server %v", err))
+		RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
+		return err
+	}
+
+	writeLog("updated resolved")
+
+	// Change DNS for docker, causes process in containers to use agent's DNS proxy
+	if err := dnsConfig.SetDockerDNSServer(cmd, dockerDaemonConfigPath, tempDir); err != nil {
+		writeLog(fmt.Sprintf("Error setting DNS server for docker %v", err))
+		RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
+		return err
+	}
+
+	writeLog("set docker config")
+
 	if len(config.Endpoints) == 0 {
 		netMonitor := NetworkMonitor{
 			CorrelationId: config.CorrelationId,
@@ -93,37 +118,15 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		writeLog("before audit rules")
 
 		// Add logging to firewall, including NFLOG rules
-		if err := addAuditRules(iptables); err != nil {
+		if err := AddAuditRules(iptables); err != nil {
 			writeLog(fmt.Sprintf("Error adding firewall rules %v", err))
+			RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 			return err
 		}
 
 		writeLog("added audit rules")
 	}
 
-	// TODO: If something did not work, revert settings
-	if cmd == nil {
-		procMon := &ProcessMonitor{CorrelationId: config.CorrelationId, Repo: config.Repo, ApiClient: apiclient, WorkingDirectory: config.WorkingDirectory}
-		go procMon.MonitorProcesses(errc)
-		writeLog("started p monitor")
-	}
-
-	// Change DNS config on host, causes processes to use agent's DNS proxy
-	if err := setDNSServer(cmd, resolvdConfigPath); err != nil {
-		writeLog(fmt.Sprintf("Error setting DNS server %v", err))
-		return err
-	}
-
-	writeLog("updated resolved")
-
-	// Change DNS for docker, causes process in containers to use agent's DNS proxy
-	if err := setDockerDNSServer(cmd, dockerDaemonConfigPath); err != nil {
-		writeLog(fmt.Sprintf("Error setting DNS server for docker %v", err))
-		return err
-	}
-
-	writeLog("set docker config")
-
 	// If allowed endpoints set, resolve them, and add to firewall
 	if len(config.Endpoints) > 0 {
 		var ipAddressEndpoints []ipAddressEndpoint
@@ -145,6 +148,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 			ipAddress, err := dnsProxy.getIPByDomain(endpoint.domainName)
 			if err != nil {
 				writeLog(fmt.Sprintf("Error resolving allowed domain %v", err))
+				RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 				return err
 			}
 
@@ -154,15 +158,11 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 		if err := addBlockRulesForGitHubHostedRunner(ipAddressEndpoints); err != nil {
 			writeLog(fmt.Sprintf("Error setting firewall for allowed domains %v", err))
+			RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 			return err
 		}
 	}
 
-	// Ask API to monitor the run
-	go apiclient.monitorRun(config.Repo, config.RunId)
-
-	writeLog("called monitor run")
-
 	writeLog("done")
 
 	// Write the status file
@@ -173,13 +173,31 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		case <-ctx.Done():
 			return nil
 		case e := <-errc:
-			writeLog(e.Error())
+			writeLog(fmt.Sprintf("Error in Initialization %v", e))
+			RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 			return e
 
 		}
 	}
 }
 
+func RevertChanges(iptables *Firewall, nflog AgentNflogger,
+	cmd Command, resolvdConfigPath, dockerDaemonConfigPath string, dnsConfig DnsConfig) {
+	err := RevertFirewallChanges(iptables)
+	if err != nil {
+		writeLog(fmt.Sprintf("Error in RevertChanges %v", err))
+	}
+	err = dnsConfig.RevertDNSServer(cmd, resolvdConfigPath)
+	if err != nil {
+		writeLog(fmt.Sprintf("Error in reverting DNS server changes %v", err))
+	}
+	err = dnsConfig.RevertDockerDNSServer(cmd, dockerDaemonConfigPath)
+	if err != nil {
+		writeLog(fmt.Sprintf("Error in reverting docker DNS server changes %v", err))
+	}
+	writeLog("Reverted changes")
+}
+
 func writeLog(message string) {
 	f, _ := os.OpenFile("/home/agent/agent.log",
 		os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)